Risk Based Verification

Transcription

1 OFFSHORE SERVICE SPECIFICATION DNV-OSS-300 Risk Based Verification APRIL 2004 This document has been amended since the main revision (April 2004), most recently in April See Changes on page 3. The electronic pdf version of this document found through is the officially binding version

2 FOREWORD DET NORSKE VERITAS (DNV) is an autonomous and independent foundation with the objectives of safeguarding life, property and the environment, at sea and onshore. DNV undertakes classification, certification, and other verification and consultancy services relating to quality of ships, offshore units and installations, and onshore industries worldwide, and carries out research in relation to these functions. DNV service documents consist of amongst other the following types of documents: Service Specifications. Procedual requirements. Standards. Technical requirements. Recommended Practices. Guidance. The Standards and Recommended Practices are offered within the following areas: A) Qualification, Quality and Safety Methodology B) Materials Technology C) Structures D) Systems E) Special Facilities F) Pipelines and Risers G) Asset Operation H) Marine Operations J) Cleaner Energy O) Subsea Systems Det Norske Veritas AS April 2004 Any comments may be sent by to For subscription orders or information about subscription terms, please use Computer Typesetting (Adobe Frame Maker) by Det Norske Veritas This service document has been prepared based on available knowledge, technology and/or information at the time of issuance of this document, and is believed to reflect the best of contemporary technology. The use of this document by others than DNV is at the user's sole risk. DNV does not accept any liability or responsibility for loss or damages resulting from any use of this document.

3 Amended April 2012 Offshore Service Specification DNV-OSS-300, April 2004 see note on front cover Changes Page 3 CHANGES INTRODUCTION This Service Specification was approved by the Director of Technology in April Publication of this Service Specification will make the Service Specification DNV-OSS-303 obsolete. This general document gives the common framework and an overview of processes in risk based verification. It introduces a levelled description of verification involvement during all phases of an asset s life. The document facilitates a categorisation into risk levels High, Medium and Low, assisting in an evaluation of the risk level. The document assists in planning the verification through the making of a Verification Plan. Providing an international standard allowing a transparent and predictable verification scope, as well as defining terminology for verification involvement. Amendments April 2012 The restricted use legal clause has been deleted from the front page. Amendments October 2011 A restricted use legal clause has been added on the front page.

4 Offshore Service Specification DNV-OSS-300, April 2004 Amended April 2012 Page 4 Contents see note on front cover CONTENTS Sec. 1 General... 6 A. General... 6 A 100 Introduction... 6 A 200 Objectives... 6 A 300 Scope of application... 6 A 400 Structure of DNV Offshore Service Specifications related to verification... 6 A 500 Structure of this document... 6 A 600 Structure of related DNV documents... 7 B. Definitions and Abbreviations... 7 B 100 General... 7 B 200 Definitions... 7 B 300 Abbreviations... 9 C. References... 9 C 100 General... 9 Sec. 2 Principles of Risk Based Verification A. General A 100 Objectives B. General Verification Principles B 100 Purpose of Verification B 200 Verification as a Complementary Activity B 300 Verification Based on Risk B 400 Verification Management C. Risk Based Verification Concept C 100 Elements of the service C 200 Asset Planned C 300 Asset Specification C 400 Risk Assessment C 500 Definition of Verification Involvement C 600 Verification Plan C 700 Verification Execution C 800 Asset Completed D. Risk-Differentiated Levels of Verification D 100 Levels of verification E. Defining a Verification Plan E 100 Risk based verification planning E 200 Selection of Level of Verification E 300 Acceptance criteria F. Simplified Verification Planning F 100 General G. Detailed Verification Planning G 100 General H. Risk Based Verification and National Regulations H 100 General App. A Benefits of DNV Risk Based Verification A. General A 100 Background information A 200 Verification trends A 300 Benefits of DNV Risk Based Verification A 400 Other DNV services related to Risk Based Verification App. B Verification and Certification Documents A. Verification Documents A 100 Purpose of Verification Documents A 200 Validity of Verification Documents A 300 Verification Documents Provided B. Certification documents B 100 General B 200 Validity of Certification documents... 23

5 Amended April 2012 Offshore Service Specification DNV-OSS-300, April 2004 see note on front cover Contents Page 5 App. C Example List of Typical High Risk Elements A. High Risk Elements A 100 Offshore installations App. D Detailed Performance Requirements and Verification Activity Descriptions 27 A. Performance Requirements A 100 Setting performance requirements B. Verification Activities B 100 Developing Verification Activity Lists... 27

6 Offshore Service Specification DNV-OSS-300, April 2004 Amended April 2012 Page 6 Sec.1 see note on front cover SECTION 1 GENERAL A. General A 100 Introduction 101 This DNV Offshore Service Specification (DNV-OSS) gives an overview of DNV Verification Services. A 200 Objectives 201 The main objectives of this document are to: describe DNV s Risk Based Verification services provide a common communication platform for describing the extent of verification activities, i.e. how to define a verification scope give guidance to owners and other parties for selecting the level of involvement of the verifier provide an opportunity to establish efficient, cost effective, predictable and transparent verification plans. A 300 Scope of application 301 This specification applies to verification during the asset owner s control of the process leading up to the completion of a physical asset, and further during the lifetime of the asset until abandonment. 302 This specification is primarily aimed at oil and gas related facilities and installations located onshore or offshore. The principles may also be applied to general industrial developments. 303 This specification may be adopted for full field development, particular phases of an asset realisation process or for particular elements. The owner may chose to utilise DNV s resources for all or selected parts of the scope. 304 DNV s Risk Based Verification services may be carried out on assets specified in: DNV s Offshore Standards, International or national standards, or Owner s specification A 400 Structure of DNV Offshore Service Specifications related to verification 401 The DNV Offshore Service Specifications related to verification are organised according to the pyramidal principles in Figure 1. DNV- OSS-300 General service overview DNV-OSS-3nn Object specific detailed specifications Figure 1 Hierarchy of DNV s offshore service specifications for verification 402 The top level document DNV-OSS-300, describes the overall philosophy and services. The objectspecific documents describe the principles and give detailed information regarding the potential scope of work for the verification of each object. 403 An object-specific DNV-OSS provides a basis for the development of scope of work for verification activities. Section 2 gives the service overview and principles for scope of work descriptions. Detailed examples of scope of work tables are found in appendices to the object specific documents. 404 Some of the object-specific documents also give requirements to achieve and maintain a DNV Certificate of Conformity (Ref. Appendix B). A 500 Structure of this document 501 This document contains two sections and four appendices: Section 1 gives the scope of the document, definitions and references.

7 Amended April 2012 Offshore Service Specification DNV-OSS-300, April 2004 see note on front cover Sec.1 Page 7 Section 2 explains the philosophy and principles of Risk Based Verification. It explains the risk-differentiated levels of involvement, the elements in the RBV chain and the different methodologies within risk assessment to develop a Verification Plan. Appendix A gives the benefits of a targeted and planned verification. Appendix B gives an overview of the main verification and certification documents issued by DNV, including the DNV Certificate of Conformity and the DNV Statement of Compliance. Appendix C is an example list of typical high risk elements for the main types offshore installations Appendix D gives information on how to develop detailed performance requirements and verification activities. A 600 Structure of related DNV documents 601 The DNV document systems consist of a three-level hierarchy with these main features: Principles and procedures related to DNV s services are separate from technical requirements and are presented in DNV Offshore Service Specifications. The documents described in Figure 1 belong here. Technical requirements are issued as self-contained DNV Offshore Standards. Associated product documents are issued as DNV Recommended Practices. 602 The hierarchy is designed with these objectives: Offshore Service Specifications present the scope and extent of DNV s services. Offshore Standards are issued as neutral technical standards to enable their use by national authorities, as international codes and as company or project specifications without reference to DNV s services. The Recommended Practices give DNV s interpretation of safe engineering practice for general use by industry. The latest revision of all DNV documents may be found in the publications list on the DNV web site B. Definitions and Abbreviations B 100 General 101 The following definitions should be applied only in the context of this document, and may not necessarily be appropriate for services outside the Risk Based Verification approach as described. B 200 Definitions 201 Asset: Loose term used to describe the item to be made or maintained. Can refer to a full field development, a topside facility, a pipeline system, a compressor station etc. or a part of these. It is interchangeable with the term Object. 202 Certificate of Conformity: A document signed by a qualified party affirming that, at the time of assessment, the product or service met the stated requirements (BS 4778: Part 2). For this OSS, a Certificate is a short document (often a single page) stating conformity with specified requirements. The results from associated verification shall be contained in a separate (single or multiple volume) report. 203 Certification: Used in this document to mean all the activities associated with the process leading up to the Certificate. In the DNV- OSS when Certification is used it designates the overall scope of work or multiple activities for the issue of a Certificate, whilst Verification is also used for single activities associated with the work. This in essence means that Certification is Verification for which the deliverable includes the issue of a Certificate. Other (related) definitions are: BS 4778: Part 2: Certification: The authoritative act of documenting compliance with requirements. EN 45011: Certification of Conformity: Action by a third party, demonstrating that adequate confidence is provided that a duly identified product, process or service is in conformity with a specific standard or other normative document. ISO 8402: 1994: Verification: Confirmation by examination and provision of objective evidence that specified requirements have been fulfilled.

8 Offshore Service Specification DNV-OSS-300, April 2004 Amended April 2012 Page 8 Sec.1 see note on front cover 204 Element: Loose term which can mean anything from a drilling rig to a system or a component. the level of detail will depend on the situation. In a hierarchic structure elements are below asset. 205 Hazard: A deviation (departure from the design and operating intention) which could cause damage, injury or other form of loss (Chemical Industries Association HAZOP Guide). 206 HAZOP (HAZard and OPerability study): The application of a formal systematic critical examination to the process and engineering intentions of new or existing facilities to assess the hazard potential of maloperation or mal-function of individual items of equipment and their consequential effects on the facility as a whole (Chemical Industries Association HAZOP Guide). 207 HAZID, (HAZard IDentification): A technique for the identification of all significant hazards associated with the particular activity under consideration. (ISO-17776) 208 Life cycle: Loose term which includes all phases of an asset; concept studies, front end engineering design (FEED), design, procurement, fabrication, hook-up, commissioning, operation/ production, maintenance, inspection and abandonment. 209 Object: Loose term used to describe the item to be made or maintained. Can refer to a full field development, a topside facility, a pipeline system, a compressor station etc. or a part of these. It is interchangeable with the term Asset. 210 Owner: In the document used not just to describe the actual owner, but also to used to reflect DNV s contractual partner. In many projects the owner authorises the contractor to act on his behalf and it shall then mean the contractual partner. 211 Performance requirement: A description of the essential requirements to be met, maintained or provide on demand by an element. Appendix D may be used for guidance. 212 Risk: The qualitative or quantitative likelihood of an accident or unplanned event occurring, considered in conjunction with the potential consequences of such a failure. In quantitative terms, risk is the quantified probability of a defined failure mode times its quantified consequence. Risk is not only related to physical failure modes, but also to operational errors, human errors and so on. For some risks the functional failures or physical failure modes contribute less than 20% while more than 80% of the risk relates to other devices. 213 Risk Reduction Measures: Those measures taken to reduce the risks to the operation of the system and to the health and safety of personnel associated with it or in its vicinity by: Reduction in the probability of failure. Mitigation of the consequences of failure The usual order of preference of risk reduction measures is: a) Inherent Safety. b) Prevention. c) Detection. d) Control. e) Mitigation. f) Emergency Response. 214 Safety Objectives: The safety goals for the construction, operation and decommissioning of the asset including acceptance criteria for the level of risk acceptable to the Owner. 215 Statement of Compliance: A statement or report signed by a qualified party affirming that, at the time of assessment, the defined asset phase, or collection of activities, met the requirements stated by the Owner. 216 Verification is confirmation by examination and provision of objective evidence that specified requirements have been fulfilled (ISO 8402: 1994). The examination shall be based on information, which can be proved true, based on facts obtained through observation, measurement, test or other means. See also Certification.

9 Amended April 2012 Offshore Service Specification DNV-OSS-300, April 2004 see note on front cover Sec.1 Page 9 B 300 Abbreviations 301 DNV OS OSS QRA RBV Det Norske Veritas Offshore Standard, used in the form DNV-OS Offshore Service Specification, used in the form DNV-OSS Quantitative Risk Analysis Risk Based Verification C. References C 100 General 101 A guide to Hazard and Operability studies, 1979, Chemical Industries Association Limited. London 102 ISO 8402 Quality Vocabulary, 1994, International Organization for Standardization, Geneva 103 BS4778 Quality Vocabulary, Part 2 Quality concepts and Related Definitions, 1991, British Standard Institute, London 104 EN General Criteria for Certification Bodies Operating Product Certification, 1998, European Committee for Standardization, Brussels 105 ISO Petroleum and natural gas industries Offshore production installations - Guidelines on Tools and Techniques for Hazard Identification and Risk Assessment, 2000, International Organization for Standardization, Geneva.

10 Offshore Service Specification DNV-OSS-300, April 2004 Amended April 2012 Page 10 Sec.2 see note on front cover SECTION 2 PRINCIPLES OF RISK BASED VERIFICATION A 100 Objectives 101 The objectives of this section are to provide: A. General an introduction to the DNV Risk Based Verification Concept and the elements of the Risk Based Verification Chain an introduction to the principles of risk differentiated levels of verification activities guidelines on the selection of levels of verification. B. General Verification Principles B 100 Purpose of Verification 101 Verification constitutes a systematic and independent examination of the various lifecycle phases of an asset to determine whether it is (or continues to be) in compliance with some or all of the asset specifications. 102 Verification activities are expected to identify errors or failures in the work associated with the asset and to contribute to reducing the risks to the operation of the asset and to the health and safety of personnel associated with it or in its vicinity or other unwanted situations. B 200 Verification as a Complementary Activity 201 Verification shall be complementary to routine design, construction and operations activities and not a substitute for them. Therefore, although verification will take into account the work, and the assurance of that work, carried out by the owner and its contractors, it is inevitable that verification will duplicate some work that has been carried out previously by other parties involved in the asset or system. B 300 Verification Based on Risk 301 Verification based on risk is founded on the premise that the risk of failure can be assessed in relation to a level that is acceptable and that the verification process can be used to manage that risk. The verification process is therefore a tool to maintain the risk below the acceptance limit. 302 Verification based on risk aims to be developed and implemented in such a way as to minimise additional work, and cost, but to maximise its effectiveness. The development of a risk based verification plan shall depend on a risk assessment and the findings from the examination of quality management systems, documents and production activities. B 400 Verification Management 401 The philosophy and verification methods used shall be described in a Verification Plan to ensure satisfactory completion of verification. The philosophy and these methods should ensure that verification: has a consistent and constructive approach to the satisfactory completion and operation of the asset is available world-wide wherever the owner or his contractors operate uses up-to-date methods, tools and procedures uses qualified and experienced personnel. 402 All verification activities shall be carried out by competent personnel. Competence includes having the necessary theoretical and practical knowledge and experience of the activity being examined. An adequate verification of some activities may require access to specialised technical knowledge. 403 As well as demonstrating competence of individuals, the verification organisation shall also be able to show competence and experience in verification work for relevant assets. C. Risk Based Verification Concept C 100 Elements of the service 101 The risk based verification concept can be visualised to involve the elements in Figure 1. It is a chain with iterative loops.

11 Amended April 2012 Offshore Service Specification DNV-OSS-300, April 2004 see note on front cover Sec.2 Page 11 Asset Planned Asset Specification including overall Owner acceptance criteria, performance requirements and verification objectives Risk Assessment including identification of hazards and ranking of hazards based on risk evaluation Definition of Verification Involvement including detailing of acceptance criteria and performance requirements Verification Plan including list of verification activities Figure 1 The DNV Risk Based Verification Chain Verification Execution including reporting of compliance or noncompliance Asset Completed 102 Asset is used collectively. It is an onshore or offshore installation or part thereof, a system or process, or a development phase such as feasibility, design, construction, commissioning, operation and decommissioning. 103 The Asset Planned and Asset Decommissioned are the boundaries of the Risk Based Verification process. 104 Asset Specification, Risk Assessment and Definition of Verification Involvement are inputs into the Verification Plan, while Verification Execution is the implementation of the Verification Plan. The Risk Based Verification service comprises of one, some or all of these main elements. C 200 Asset Planned 201 Asset Planned is the starting point for any project or project phase and is the decision of the owner. It comprises a general description of the project in the form of functionality, safety, capacity, economics etc. C 300 Asset Specification 301 Asset Specification has been identified as a separate element to focus on the need to address objectives, acceptance criteria and performance requirements to the asset. 302 This element in the chain comprises: detailing of the description at the system level of the project in the form of functionality, safety, capacity, economics etc. identification or definition of verification philosophy, safety objectives etc., including selection of safety and/or business and/or environmental focus and goals identification of codes and technical specifications (e.g. standard company material specifications) to be adopted definition of high level performance requirements for the asset and identification of main elements and specific performance requirements thereof.

12 Offshore Service Specification DNV-OSS-300, April 2004 Amended April 2012 Page 12 Sec.2 see note on front cover 303 The detailing of elements and requirements will vary from project to project. The timing for detailing will also vary and is affected by matters like contract type and philosophy, owners involvement in the process, level of innovative elements in the project, life time business philosophy etc. C 400 Risk Assessment 401 Risk Assessment is the identification of hazards, frequencies of occurrence, consequences and risk drivers. The risk can be defined on a general level for the project, for different phases of a project or for detailed elements of the asset. 402 The risk can be evaluated based on safety, environmental impact, economics, schedule, Public Relations, reputation or other criteria set by the owner. 403 Risk Assessment can be based on engineering judgement (pragmatic) or on analytical processes. In section E different methods have been described to arrive at the conclusions necessary to formulate a risk based verification plan. 404 Once the risks have been identified their extent can be reduced to a level as low as reasonably practicable or as low as corporately required, by means of one or both of: reduction in the probability of failure mitigation of the consequences of failure. Reasonable Practicability The term as low as reasonably practicable (ALARP) has come into use through the United Kingdom s The Health and Safety at Work etc. Act Reasonable Practicability is not defined in the Act but has acquired meaning by interpretations in the courts. It has been interpreted to mean that the degree of risk from any particular activity can be balanced against the cost, time and trouble of the measures to be taken to reduce the risk. It follows, therefore, that the greater the risk the more reasonable it would be to incur substantial cost, time and effort in reducing that risk. Similarly, if the risk was very small it would not be reasonable to expect great expense or effort to be incurred in reducing it. 405 The systematic assessment of risks and the implementation of measures to reduce these, results in a relative ranking of the risk level of the elements and /or sub-elements of the asset. 406 The ranking of the elements will differ depending on the acceptance criteria; safety, environmental impact, economics, schedule, public relations, reputation or others. Different criteria may be applied to factor the importance of these. C 500 Definition of Verification Involvement 501 Definition of verification involvement or level(s) includes defining the cut-off level under which no verification activity shall be performed and to define the appropriate level of involvement for the others. 502 Based on the relative risk level of the elements the verification intensity should increase towards the highest risk elements. Verification of risk reducing measures e.g. in the form of risk reducing barriers, should be directed towards the risk reducing measures (barriers) which claims to have the highest risk reducing effects. 503 In this process the overall acceptance criteria from the Asset Specification should be cascaded down to more detailed performance requirements for individual elements or groups of elements. 504 The risk ranking is used in the selection of the appropriate verification activity level and type to be described in the verification plan. C 600 Verification Plan 601 The Verification Plan is the pivot element in the DNV Risk Based Verification systematics. 602 The Verification Plan is the scope of work (SOW) for verification. It should be revisited, re-evaluated and possibly revised as the project progresses and new information becomes available. 603 The more specific the Verification Plan, the more predictable the verification activities will be. 604 The Verification Plan repeats the verification objective and the criteria for selecting the highest risk elements and the verification involvement, as given by the Owner. It includes the findings from the risk assessment step, defines which asset specifications shall be verified, and also the level of involvement by party and type of verification activity.

13 Amended April 2012 Offshore Service Specification DNV-OSS-300, April 2004 see note on front cover Sec.2 Page The Verification Plan further consists of listing the elements and their performance requirements together with the type and depth of scrutiny to which each shall be subjected. 606 The verification involvement level can be described using the tables in Sect.2 of the relevant object specific DNV-OSS. 607 Detailed scope of work tables listing all the sub-elements of an asset, can either be developed from the tables in Sec. 2 of the relevant object specific DNV-OSS or they can be based on the example tables included in the appendices. 608 For information typical high risk elements with respect to safety of personnel, often termed Safety Critical Elements, are presented in Appendix C. C 700 Verification Execution 701 Verification Execution is document review, independent analyses, inspection, monitoring, site visits, process audits, technical audits, testing, etc. according to the Verification Plan. 702 Information arising from execution should be used to identify continuous improvements to the Verification Plan. E.g. evidence of good systematic control may be used to reduce the verification activities. 703 The purpose of verification activities is to confirm compliance or identify non-compliance with the asset specification. C 800 Asset Completed 801 Asset Completed is the end point of any lifecycle phase or phases, which complies with the relevant planned asset and the asset specification. D. Risk-Differentiated Levels of Verification D 100 Levels of verification 101 The level of verification activity should be differentiated according to the risk to the asset or element or phases thereof. If the risk to the asset is higher, the level of verification involvement is higher. Conversely, if the risk to the asset is lower, the level of verification activities can be reduced, without any reduction in their effectiveness. 102 It is emphasised that the activity level describes the depth of the verification involvement. It follows, therefore, that an increase in the level of involvement above that considered necessary, based on an evaluation of the risks, involves minimal extra risk reduction for increased cost. This practice is unlikely to be costeffective. 103 Verification of assets or elements thereof are typically categorised into Low, Medium and High. Low is the level of verification applied where the risks to the asset are lower than average. For example, it has benign contents, it is located in congenial environmental conditions, or the contractors are well experienced in the design and construction of similar assets. This level may also be appropriate when the Owner (or other parties) performs a large degree of verification and/or quality assurance work. Medium is the customary level of verification activity and is applied to the majority of assets. High is the level of verification applied where the risks to the asset is higher than average. For example, it has highly corrosive contents, it is in adverse environmental conditions, it is technically innovative or the contractors are not well experienced in the design and construction of similar assets. This level may also be appropriate when the Owner chooses to have a small technical involvement or performs little own verification. The terms Basic, Regular and Special are sometimes used to describe the level of involvement. If these are used in connection with DNV Risk Based Verification, then Basic shall mean Low, Regular shall mean Medium and Special shall mean High. 104 Illustrations of the levels of involvement are given in Figures 2 and 3. Figure 2 illustrates the levels as a function of probability and consequence of failure. Figure 3 illustrates how increasing depth of scrutiny is assigned to elements with increasing risk levels. An element can be everything from a drilling rig to an important component or system, depending on the detailing level of the risk assessment being carried out.

14 Offshore Service Specification DNV-OSS-300, April 2004 Amended April 2012 Page 14 Sec.2 see note on front cover Figure 2 Levels of verification Probability of Failure Low High Low MEDIUM LOW Consequence of Failure Increasing Risk HIGH High Elements A B C D E F G H I Axis of increasing risk and depth of scrutiny Figure 3 Increasing verification scrutiny as a function of increasing risk level for each element 105 It is the prerogative of the owner of the asset system to choose the level of verification. The selection should be documented. 106 Different levels of verification can be chosen for different lifecycle phases of the asset, or even within the same phase if necessary. For example, asset design may be innovative and considered high risk whereas the installation method is well known and considered low risk. The converse might be true also. 107 The level of verification can be reduced or increased during a phase if the originally chosen level is considered too rigorous or too lenient, as new information on the risks to the asset becomes available. Care should be taken to ensure that short term gains do not influence the reduction of verification, which could lead to a long term detriment. 108 Verification should be planned in close co-operation with the Owner and each of the contractors, to provide a scope of work that is adjusted to the schedule of each lifecycle element, i.e. to make the verification activities, surveillance and hold points, an integrated activity and not a delaying activity. Many Contractors have adequate quality control systems and quality control departments, with competent personnel to perform, for example, inspection at plants and specialist engineers competent to review and verify the performance of plants. In that case, all verification work need not be done by DNV personnel. Where applicable, the various inspections may be carried out by competent persons other than DNV personnel. In that situation a substantial part of DNV s verification activities may be encompassed by: - reviewing the competence of the Contractor s personnel, - auditing their working methods and their performance of that work, and - reviewing the documents produced by them. 109 Verification should direct greatest effort at those elements of the asset or system whose failure or reduced performance will have the most significant impact on safety or the other defined project risks. These elements are termed high risk elements or sometimes Critical Elements.

15 Amended April 2012 Offshore Service Specification DNV-OSS-300, April 2004 see note on front cover Sec.2 Page The degree of confidence placed in verification reports depends on the degree of confidence in the verification activities carried out. Therefore, the verification plan must be transparent and give clear details of the level of verification for both elements and phases. E. Defining a Verification Plan E 100 Risk based verification planning 101 The selection of the level of verification shall depend on the risk level of each element having an impact on the management of hazards and associated risk levels of the asset. 102 The effort spent to select the overall level of verification and the detailing and differentiation between different elements will vary from project to project. It is a business decision on how to balance the effort of upfront planning with that of some additional effort during verification execution. 103 The tools used to arrive at a Verification Plan range from engineering judgement risk assessment to analytical risk assessments. The former generally reflects less effort in the up-front planning stage while the latter directs more efforts into the particulars of a specific project. 104 The span in the method is illustrated in Figure 4. Most projects will utilise a combination of tools. Typically, for a tender phase it may be useful to utilise engineering judgement to make an initial Verification Plan. When updating the Verification Plan the appropriate analytical tools can be utilised. E 200 Selection of Level of Verification 201 Suitable selection factors include: overall asset specification assessment of the risks associated with the asset and the measures taken to reduce these risks degree of technical innovation in the asset system experience of the contractors in carrying out similar work quality management systems of the Owner and their contractors. 202 To facilitate the selection of the level of verification a set of trigger questions based on the above list of selection factors, has been prepared and is included in the object specific DNV-OSS. 203 To further assist in the selection of general level of verification Table E1 can give some guidance. 204 The level of verification is selected for each individual element and should reflect the risk level as well as the type of performance requirements. To achieve a consistent verification involvement relative to risk level a practical and visual approach can be to plot the elements and relative risk levels as in Figure 3. Decide on the maximum level of involvement (L, M or H) and draw the line to the left of which no verification shall be made. The area enveloping the elements to be verified can then be split in to areas with uniform verification involvement. E 300 Acceptance criteria 301 Defined acceptance criteria are essential to confirm compliance and identify non-compliance.

16 Offshore Service Specification DNV-OSS-300, April 2004 Amended April 2012 Page 16 Sec.2 see note on front cover 302 The format and detailing may differ. Assets, elements or lifecycle phases for which technical standards or company specifications exist, may have relatively short and simple acceptance criteria. For assets, elements or lifecycle phases not readily covered by prescriptive standards, greater effort is directed into the particulars of the specific project and this often results in more detailed performance requirements. Table E1 Levels of verification and guidance on typical involvement at system level Level Typical System Characteristics Description of typical verification involvement Low Proven designs with relatively harmless content and/or installed in benign environmental conditions. State of the art design, manufacturing and installation by experienced contractors. Low consequences of failure from a commercial, safety or environmental point of view. Relaxed to normal completion schedule. Review of General Principles and production systems during design and construction. Review of principal design documents, construction procedures and qualification reports. Site attendance only during system testing. Less comprehensive involvement than level Medium. Medium High Asset in moderate or well controlled environmental conditions. Plants with a moderate degree of novelty Medium consequences of failure from a commercial, safety or environmental point of view. Ordinary completion schedule. Innovative designs. Extreme environmental conditions. Plants with a high degree of novelty or large leaps in technology. Contractors with limited experience or exceptionally tight completion schedule. Very high consequences of failure from a commercial, safety or environmental point of view. Review of General Principles and production systems during design and construction. Detailed review of principal and other selected design document with support of simplified independent analyses. Full time attendance during (procedure) qualification and review of the resulting reports. Audit based or intermittent presence at site. Review of General Principles and production systems during design and construction. Detailed review of most design document with support of simplified and advanced independent analyses. Full time attendance during (procedure) qualification and review of the resulting reports. Full time presence at site for most activities. More comprehensive involvement than level Medium.

17 Amended April 2012 Offshore Service Specification DNV-OSS-300, April 2004 see note on front cover Sec.2 Page 17 Asset Specification Simplified verification planning, based on Engineering judgement Combined verification planning Detailed verification planning, based on Analytical risk assessment: Risk assessment based on trigger questions. HAZID for the asset. This may be done stepwise with increasing detailing on the more complex components/processes. Risk Assessment Definition of Verification Level Conclude on overall verification involvement; H, M or L Prepare Verification Plan based on predefined tables. Include adjustments to tailor for the particular asset. Confirm acceptance criteria to be sufficient. Identify elements for verification and prepare verification plan based on any combination of the simplified and detained verification planning. The predefined tables may be useful references Frequency of occurrence Analytical assessment of risk and identification of relative risk levels. The relative risk may be grouped into Low, Medium or High Consequence Define acceptance criteria or performance requirements in more detail Prepare Verification Plan based on the assessed risks, risk drivers and acceptance criteria as defined above. The type and depth of verification is described using the same terminology as used in the predefined tables. Verification Plan Figure 4 Verificaton planning

18 Offshore Service Specification DNV-OSS-300, April 2004 Amended April 2012 Page 18 Sec.2 see note on front cover F. Simplified Verification Planning F 100 General 101 Simplified verification planning is mainly based on engineering judgment and reflects DNV's in-house experience as well as the industry experience as reflected in a number of technical standards. Both have been used to make up the object specific DNV-OSS s. 102 The steps in the simplified verification planning are as follows: Use trigger questions to assess the overall risk level of the project (or manageable elements thereof). Evaluate the risk against the relevant owner or project acceptance criteria (often this can be directly tied to the owner core values or a sub-set of these) and decide whether the general verification involvement shall be Low, Medium or High. Use the detailed scope of work tables in the object DNV-OSS to make a first draft of a Verification Plan Generate the project specific Verification Plan by include a project specific engineering judgment to adjust the table to suit the project Perform the verification execution according to the Verification Plan, making revision to the plan if and when necessary. 103 Care shall be taken not to use this process without sufficient attention to its built-in simplifications. Particularly the use of example tables in the appendices can never replace the need for project specific assessments. They can, however, be very useful starting and reference points. G. Detailed Verification Planning G 100 General 101 The analytical verification planning is based on the use of (quantitative) risk methods to establish project specific identification of the relative risk level of the project elements. 102 Depending on the project size and type the risk assessment will often include an initial qualitative risk assessment screening prior to a full quantitative risk analysis, QRA. 103 A description on how to carry out HAZID, HAZOPD and QRA in general is not given in this DNV-OSS. The methodology is described in numerous books and publications on the subject. 104 Particularly for projects or project elements were there are limited or inadequate prescriptive technical standards or if the performance requirements are of a nature that make available prescriptive standards inadequate, it is advisable to invest more time and effort in the planning stages. 105 With limited prescriptive standards the need and also the effort required to define the acceptance criteria for individual or groups of elements will normally increase. Appendix D addresses how to formulate detailed performance requirements and also how these and the risk elements are developed into verification activity lists, which are finally included in the Verification Plan H. Risk Based Verification and National Regulations H 100 General 101 Many national authorities have specific requirements to the verification activities. These can be in the form of minimum requirements to documentation of risk and risk reducing measures, which documents shall be presented to the authorities, mandatory use of standards etc. The authorities may also have requirements to roles and responsibility, independence of verifier, content and form of verification activities, terminology etc. 102 The particulars of the relevant national requirements shall be observed when planning and performing Risk Based Verification. The Offshore Installations (Safety Case) Regulations in UK can be an example of particular National Authority requirements. The risk based verification approach fits very well with these regulations, but one needs to ensure that the correct documents and terminology are used and understood e.g. Major Accidents Hazards, Safety-Critical Elements, Performance Standards etc.

19 Amended April 2012 Offshore Service Specification DNV-OSS-300, April 2004 see note on front cover App.A Page 19 APPENDIX A BENEFITS OF DNV RISK BASED VERIFICATION A. General A 100 Background information 101 This appendix gives background information on verification and the possible benefits thereof. A 200 Verification trends 201 Verification has historically been carried out with a variety of scope and depth of involvement. The depth of involvement, or level of verification, has not always been very transparent. 202 There are national authorities requiring verification or even certification of offshore or onshore installations (assets) and have appointed specific organisations qualified for this work. 203 Some of these national authorities may have detailed requirements to the verification or certification activity, while others leave the definition of the necessary work up to the appointed organisation. Other national authorities require specific documents to be verified and approved by them, some hold the owner responsible for the verification activities, others again may not have any specific requirements. 204 The trend is that authorities remove themselves from the prescriptive regimes and convert to functional requirements and safety and risk approaches. It is therefore believed that there will be a stronger demand for measurable objectives to be presented by the owners. The objectives are linked, as a minimum, to the expectations from the authorities on safety to the work force, the public and the environment. Economics may be an additional minimum requirement from the owner and his partners. 205 As a means to fulfilling these expectations business today is often characterised by a defined desire to systematically balance expected costs and benefits. The aim is an optimum control of the uncertainties (or risks) related to the objectives. 206 Even where national authorities do not require verification of installations (assets), verification (or certification) is a convenient tool for the owner to get an independent evaluation of the contractor(s) work or to show financiers, partners, insurers and the public that the asset complies with relevant safety levels and other requirements in the asset specification. 207 It is good business practice to subject important work to a third-party check as this reduces the possibility of errors remaining undetected. Third-party verification will ensure that the verifier has an independent view and perspective when performing this activity. Furthermore, it will avoid the situation where errors could be overlooked by engineers or others because of their closeness to the work with the asset. 208 Systematic risk based assessment methods are more often used to identify the risk associated with the elements. Based on this identified risk, focus is put on the relevant acceptance criteria pertaining to integrity, functionality, survivability, availability, reliability, maintainability, and environmental impact of an asset throughout its lifecycle. 209 The result of the systematic identification of risk can be utilised in the design and construction by the Contractor and by the Owner or a 3 rd party to optimise the verification activities through a well defined and transparent verification plan. 210 Not all projects nor all high risk elements have great degrees of novelty or innovation requiring a large degree of sophistication when predicting risk. The high risk elements or phases can often be determined by what is addressed in international technical standards and from general experience. For these projects the ability to communicate the correct or desired level of verification may be the most time consuming exercise. 211 At the other end of the scale are the projects that have greater uncertainty, and often appears to be high risk, but which need to be systematically addressed to be able to identify the hazards, the probability and consequences of occurrence and the risk levels of the elements. For these projects the correct identification and ranking of the risk of the elements is essential for the project optimisation process and planning of the verification activities. However, it is also for these necessary to be able to communicate the level of verification and link it to the associated risk. 212 For almost all projects, interface activities are important and many have experienced that inadequate interface management can be very costly and time consuming. A 300 Benefits of DNV Risk Based Verification 301 Business today is characterised by the need to balance cost and benefits through a better understanding and mastering of the assets and their associated risks. Risk Based Verification aims at balancing the efforts to control the operational and technological risks and for an optimum control of risks and uncertainties from the concept stage to decommissioning or abandonment of any asset. It may provide cost and time savings compared with prescriptive verification or certification by focusing on risk and by prioritising verification efforts.

20 Offshore Service Specification DNV-OSS-300, April 2004 Amended April 2012 Page 20 App.A see note on front cover 302 The use of a more elaborate analytical method to plan the verification may give substantial cost benefits during the verification execution. Particularly for projects characterised by the following: a high degree of complexity significant elements of new or unproven technology proven elements being introduced to new operating conditions or applications participants having limited experience in a type of asset or development challenging development programmes. 303 DNV aims through Risk Based Verification, to instil confidence in our customers. Through independent and competent scrutiny the intent is to confirm that the asset is designed, constructed and/or operated so that: it is fit for its intended purpose, its level of integrity is as high as reasonably practicable the associated risk to health, life, property and environment is as low as reasonably practicable. 304 Such confidence arising from Risk Based Verification is not necessarily limited to DNV s traditional customers it can be extended to contractors or other project participants, owners, financiers, partners, insurers etc. that an asset complies with a relevant basis, even in areas where formal references may be missing or are under development. 305 The advantages for DNV s customers in applying a Risk Based Verification approach may include: reduced probability of undesirable events improved availability and reliability cost and time savings through avoiding undue attention to areas and activities that are low contributors to risk contributing to optimised expenditure (CAPEX, OPEX and RISKEX) in high risk areas early involvement in projects to ensure correct decisions and minimal rework a demonstrable and auditable case for safety or other owner or project core values active support to, and demonstration of achievement of, these core values confirmation, and increased visibility, of the above to (project) partners and other stakeholders and to Regulatory Bodies. 306 For a new asset development Risk Based Verification services should seek to reduce any uncertainty in the design as early as possible, and if any weaknesses are revealed allow for effective management of necessary changes, ref. Figure 2 Effects of Early Involvement. DNV s verification experience reinforces the important message of early involvement and the need for in-depth knowledge of the activities required to obtain optimal resource allocation for the verification process. A proactive approach is required and places particular emphasis on roles and responsibilities. Increase Ability to Influence Cost of Change Concept Time Commissioning Figure 1 Effect of early involvement 307 The above processes should consider all phases of the asset lifecycle. For example during the offshore commissioning phase of a new asset there may be temporary items of equipment provided which should be identified as high risk elements (e.g. temporary fire/gas detection). 308 DNV believes that a strong focus on the development of the Verification Plan will support a common interpretation of verification philosophies and requirements (which may differ from one project to another), and this should facilitate a more cost effective verification execution and provide for greater potential value to be obtained from the overall verification process. 309 Database applications (for example DNV s Verifier software) can be implemented to assist with development and execution of Verification Plans, including the capability to record the status of all verification