DNVGL-SE-0474 Risk based verification

The electronic pdf version of this document, available free of chargefrom http://www.dnvgl.com, is the officially binding version.

DNV GL AS

SERVICE SPECIFICATION

DNVGL-SE-0474 Edition July 2017

Risk based verification

FOREWORD

DNV GL service specifications contain procedural requirements for obtaining and retainingcertificates and other conformity statements to the objects, personnel, organisations and/oroperations in question.

© DNV GL AS July 2017

Any comments may be sent by e-mail to [email protected]

This service document has been prepared based on available knowledge, technology and/or information at the time of issuance of thisdocument. The use of this document by others than DNV GL is at the user's sole risk. DNV GL does not accept any liability or responsibilityfor loss or damages resulting from any use of this document.

Cha

nges

- c

urre

nt

Service specification — DNVGL-SE-0474. Edition July 2017 Page 3Risk based verification

DNV GL AS

CHANGES – CURRENT

GeneralThis document supersedes the April 2004 edition of DNV-OSS-300.The purpose of the revision of this service document is to comply with the new DNV GL document reference code system and profile requirements following the merger between DNV and GL in 2013. Changes mainly consist of updated company name and references to other documents within the DNV GL portfolio.

Some references in this service document may refer to documents in the DNV GL portfolio not yet published (planned published within 2017). In such cases please see the relevant legacy DNV or GL document. References to external documents (non-DNV GL) have not been updated.

Editorial correctionsIn addition to the above stated changes, editorial corrections may have been made.

Con

tent

s


DNV GL AS

CONTENTS

Changes – current.................................................................................................. 3

Section 1 General....................................................................................................51.1 General............................................................................................. 51.2 Definitions and abbreviations........................................................... 71.3 References...................................................................................... 10

Section 2 Principles of risk based verification...................................................... 112.1 General........................................................................................... 112.2 General verification principles........................................................ 112.3 Risk Based verification concept...................................................... 122.4 Risk-differentiated levels of verification......................................... 162.5 Defining a verification plan.............................................................182.6 Simplified verification planning...................................................... 222.7 Detailed verification planning......................................................... 222.8 Risk based verification and national regulations.............................23

Appendix A Benefits of DNV GL risk based verification......................................... 24A.1 General........................................................................................... 24

Appendix B Verification and certification documents............................................ 29B.1 Verification documents................................................................... 29B.2 Certification documents..................................................................30

Appendix C Example list of typical high risk elements.......................................... 33C.1 High risk elements..........................................................................33

Appendix D Detailed performance requirements and verification activitydescriptions.......................................................................................................... 36

D.1 Performance requirements............................................................. 36D.2 Verification activities......................................................................37

Changes – historic................................................................................................38


DNV GL AS

SECTION 1 GENERAL

1.1 General

1.1.1 Introduction

1.1.1.1 This DNV GL service specification (DNVGL-SE) gives an overview of DNV GL verification services.

— This general document gives the common framework and an overview of processes in risk basedverification.

— It introduces a levelled description of verification involvement during all phases of an asset’s life.— The document facilitates a categorisation into risk levels high, medium and low, assisting in an evaluation

of the risk level.— The document assists in planning the verification through the making of a verification plan.— Providing an international standard allowing a transparent and predictable verification scope, as well as

defining terminology for verification involvement.

1.1.2 Objectives

1.1.2.1 The main objectives of this document are to:

— describe DNV GL’s risk based verification services— provide a common communication platform for describing the extent of verification activities, i.e. how to

define a verification scope— give guidance to owners and other parties for selecting the level of involvement of the verifier— provide an opportunity to establish efficient, cost effective, predictable and transparent verification plans.

1.1.3 Scope of application

1.1.3.1 This specification applies to verification during the asset owner’s control of the process leading up tothe completion of a physical asset, and further during the lifetime of the asset until abandonment.

1.1.3.2 This specification is primarily aimed at oil and gas related facilities and installations located onshoreor offshore. The principles may also be applied to general industrial developments.

1.1.3.3 This specification may be adopted for full field development, particular phases of an asset realisationprocess or for particular elements. The owner may chose to utilise DNV GL’s resources for all or selectedparts of the scope.

1.1.3.4 DNV GL’s risk based verification services may be carried out on assets specified in:

— DNV GL's standards,— international or national standards, or— owner’s specification.

1.1.4 Structure of DNV GL service specifications related to verification

1.1.4.1 The DNV GL service specifications related to verification are organised according to the pyramidalprinciples in Figure 1-1.


DNV GL AS

Figure 1-1 Hierarchy of DNV GL’s service specifications for verification

1.1.4.2 The top level document DNVGL-SE, describes the overall philosophy and services. The object-specificdocuments describe the principles and give detailed information regarding the potential scope of work for theverification of each object.

1.1.4.3 An object-specific DNVGL-SE provides a basis for the development of scope of work for verificationactivities. Sec.2 gives the service overview and principles for scope of work descriptions. Detailed examplesof scope of work tables are found in appendices to the object specific documents.

1.1.4.4 Some of the object-specific documents also give requirements to achieve and maintain a DNV GLcertificate of conformity (see App.B).

1.1.5 Structure of this document

1.1.5.1 This document contains two sections and four appendices:This section gives the scope of the document, definitions and references.Sec.2 explains the philosophy and principles of risk based verification. It explains the risk-differentiatedlevels of involvement, the elements in the RBV chain and the different methodologies within risk assessmentto develop a verification plan.App.A gives the benefits of a targeted and planned verification.App.B gives an overview of the main verification and certification documents issued by DNV GL, including theDNV GL certificate of conformity and the DNV GL statement of conformity, see DMSO-5-4.App.C is an example list of typical high risk elements for the main types of offshore installationsApp.D gives information on how to develop detailed performance requirements and verification activities.


DNV GL AS

1.1.6 Structure of related DNV GL documents

1.1.6.1 The DNV GL document systems consist of a three-level hierarchy with these main features:

— Principles and procedures related to DNV GL’s services are separate from technical requirements and arepresented in DNV GL service specifications (SE). The documents described in Figure 1-1 belong here.

— Technical requirements are issued as self-contained DNV GL standards (ST).— Associated product documents are issued as DNV GL recommended practices (RP).

1.1.6.2 The hierarchy is designed with these objectives:

— Service specifications present the scope and extent of DNV GL’s services.— Standards are issued as neutral technical standards to enable their use by national authorities, as

international codes and as company or project specifications without reference to DNV GL’s services.— The recommended practices give DNV GL’s interpretation of safe engineering practice for general use by

industry.Guidance note:The latest revision of all DNV GL documents may be found in the publications list on the DNV GL web site www.dnvgl.com.

---e-n-d---o-f---g-u-i-d-a-n-c-e---n-o-t-e---

1.2 Definitions and abbreviations

1.2.1 General

1.2.1.1 The following definitions should be applied only in the context of this document, and may notnecessarily be appropriate for services outside the risk based verification approach as described.

1.2.2 TermsTable 1-1 Definition of terms

Term Definition

asset loose term used to describe the item to be made or maintainedCan refer to a full field development, a topside facility, a pipeline system, a compressorstation etc. or a part of these. It is interchangeable with the term object.

certificate of conformity a document signed by a qualified party affirming that, at the time of assessment, the productor service met the stated requirements (BS 4778: Part 2)

Guidance note:For this service specification a certificate is a short document (often a single page) statingconformity with specified requirements. The results from associated verification shall be containedin a separate (single or multiple volume) report.


www.dnv.com


DNV GL AS

Term Definition

certification used in this document to mean all the activities associated with the process leading up to thecertificate

Guidance note:In the service specification when certification is used it designates the overall scope of work ormultiple activities for the issue of a certificate, whilst verification is also used for single activitiesassociated with the work. This in essence means that certification is verification for which thedeliverable includes the issue of a certificate.Other (related) definitions are:BS 4778: Part 2: certification: the authoritative act of documenting compliance withrequirements.EN 45011: certification of conformity: action by a third party, demonstrating that adequateconfidence is provided that a duly identified product, process or service is in conformity with aspecific standard or other normative document.ISO 8402: 1994: verification: confirmation by examination and provision of objective evidencethat specified requirements have been fulfilled.


element loose term which can mean anything from a drilling rig to a system or a component, the levelof detail will depend on the situationIn a hierarchic structure elements are below asset.

hazard a deviation (departure from the design and operating intention) which could cause damage,injury or other form of loss (chemical industries association HAZOP guide)

hazard and operabilitystudy (HAZOP)

the application of a formal systematic critical examination to the process and engineeringintentions of new or existing facilities to assess the hazard potential of mal-operation or mal-function of individual items of equipment and their consequential effects on the facility as awhole (chemical industries association HAZOP guide)

hazard identification(HAZID)

a technique for the identification of all significant hazards associated with the particularactivity under consideration (ISO-17776)

life cycle loose term which includes all phases of an asset: concept studies, front end engineeringdesign (FEED), design, procurement, fabrication, hook-up, commissioning, operation/production, maintenance, inspection and abandonment

object loose term used to describe the item to be made or maintainedCan refer to a full field development, a topside facility, a pipeline system, a compressorstation etc. or a part of these. It is interchangeable with the term asset.

owner in the document used not just to describe the actual owner, but also used to reflect DNV GL’scontractual partnerIn many projects the owner authorises the contractor to act on his behalf and it shall thenmean the contractual partner.

performance requirement a description of the essential requirements to be met, maintained or provide on demand byan elementApp.D may be used for guidance.


DNV GL AS

Term Definition

risk the qualitative or quantitative likelihood of an accident or unplanned event occurring,considered in conjunction with the potential consequences of such a failure

Guidance note:In quantitative terms, risk is the quantified probability of a defined failure mode times itsquantified consequence.


risk reduction measures those measures taken to reduce the risks to the operation of the system and to the healthand safety of personnel associated with it or in its vicinity by:

— reduction in the probability of failure— mitigation of the consequences of failure.

Guidance note:The usual order of preference of risk reduction measures is:

a) inherent safety

b) prevention

c) detection

d) control

e) mitigation

f) emergency response.


safety objectives the safety goals for the construction, operation and decommissioning of the asset includingacceptance criteria for the level of risk acceptable to the owner

statement of conformity a statement or report signed by a qualified party affirming that, at the time of assessment,the defined asset phase, or collection of activities, met the requirements stated by the owner

verification is confirmation by examination and provision of objective evidence that specifiedrequirements have been fulfilled (ISO 8402: 1994).

Guidance note:The examination shall be based on information, which can be proved true, based on factsobtained through observation, measurement, test or other means.See also certification.


1.2.3 AbbreviationsTable 1-2 Abbreviations

Abbreviation Description

ST DNV GL standard, used in the form DNVGL-ST

SE DNV GL service specification, used in the form DNVGL-SE

QRA quantitative risk analysis

RBV risk based verification


DNV GL AS

1.3 ReferencesTable 1-3 References

Reference Title

Chemical IndustriesAssociation Limited

A guide to Hazard and Operability studies, 1979, London

ISO 8402 Quality – Vocabulary, 1994, International Organization for Standardization, Geneva

BS4778 Quality Vocabulary, Part 2 Quality concepts and Related Definitions, 1991, British StandardInstitute, London

EN 45011 General Criteria for Certification Bodies Operating Product Certification, 1998, EuropeanCommittee for Standardization, Brussels

ISO 17776 Petroleum and natural gas industries – Offshore production installations - Guidelines onTools and Techniques for Hazard Identification and Risk Assessment, 2000, InternationalOrganization for Standardization, Geneva.


DNV GL AS

SECTION 2 PRINCIPLES OF RISK BASED VERIFICATION

2.1 General

2.1.1 Objectives

2.1.1.1 The objectives of this section are to provide:

— an introduction to the DNV GL risk based verification concept and the elements of the risk basedverification chain

— an introduction to the principles of risk differentiated levels of verification activities— guidelines on the selection of levels of verification.

2.2 General verification principles

2.2.1 Purpose of verification

2.2.1.1 Verification constitutes a systematic and independent examination of the various lifecycle phasesof an asset to determine whether it is (or continues to be) in compliance with some or all of the assetspecifications.

2.2.1.2 Verification activities are expected to identify errors or failures in the work associated with the assetand to contribute to reducing the risks to the operation of the asset and to the health and safety of personnelassociated with it or in its vicinity or other unwanted situations.

2.2.2 Verification as a complementary activity

2.2.2.1 Verification shall be complementary to routine design, construction and operations activities and nota substitute for them. Therefore, although verification will take into account the work, and the assurance ofthat work, carried out by the owner and its contractors, it is inevitable that verification will duplicate somework that has been carried out previously by other parties involved in the asset or system.

2.2.3 Verification based on risk

2.2.3.1 Verification based on risk is founded on the premise that the risk of failure can be assessed inrelation to a level that is acceptable and that the verification process can be used to manage that risk. Theverification process is therefore a tool to maintain the risk below the acceptance limit.

2.2.3.2 Verification based on risk aims to be developed and implemented in such a way as to minimiseadditional work, and cost, but to maximise its effectiveness. The development of a risk based verificationplan shall depend on a risk assessment and the findings from the examination of quality managementsystems, documents and production activities.

2.2.4 Verification management

2.2.4.1 The philosophy and verification methods used shall be described in a Verification Plan to ensuresatisfactory completion of verification.The philosophy and these methods should ensure that verification:

— has a consistent and constructive approach to the satisfactory completion and operation of the asset


DNV GL AS

— is available world-wide wherever the owner or his contractors operate— uses up-to-date methods, tools and procedures— uses qualified and experienced personnel.

2.2.4.2 All verification activities shall be carried out by competent personnel. Competence includes having the necessary theoretical and practical knowledge and experience of the activity being examined. An adequate verification of some activities may require access to specialised technical knowledge.

2.2.4.3 As well as demonstrating competence of individuals, the verification organisation shall also be able to show competence and experience in verification work for relevant assets.

2.3 Risk based verification concept

2.3.1 Elements of the service

2.3.1.1 The risk based verification concept can be visualised to involve the elements in Figure 2-1. It is a chain with iterative loops.


DNV GL AS

Figure 2-1 The DNV GL risk based verification chain

2.3.1.2 Asset is used collectively. It is an onshore or offshore installation or part thereof, a system orprocess, or a development phase such as feasibility, design, construction, commissioning, operation anddecommissioning.

2.3.1.3 The asset planned and asset decommissioned are the boundaries of the risk based verificationprocess.

2.3.1.4 Asset specification, risk assessment and definition of verification involvement are inputs into theverification plan, while verification execution is the implementation of the verification plan.The risk based verification service comprises of one, some or all of these main elements.


DNV GL AS

2.3.2 Asset planned

2.3.2.1 Asset planned is the starting point for any project or project phase and is the decision of the owner.It comprises a general description of the project in the form of functionality, safety, capacity, economics etc.

2.3.3 Asset specification

2.3.3.1 Asset specification has been identified as a separate element to focus on the need to addressobjectives, acceptance criteria and performance requirements to the asset.

2.3.3.2 This element in the chain comprises:

— detailing of the description at the system level of the project in the form of functionality, safety, capacity,economics etc.

— identification or definition of verification philosophy, safety objectives etc., including selection of safetyand/or business and/or environmental focus and goals

— identification of codes and technical specifications (e.g. standard company material specifications) to beadopted

— definition of high level performance requirements for the asset and identification of main elements andspecific performance requirements thereof.

2.3.3.3 The detailing of elements and requirements will vary from project to project. The timing for detailingwill also vary and is affected by matters like contract type and philosophy, owners involvement in theprocess, level of innovative elements in the project, life time business philosophy etc.

2.3.4 Risk assessment

2.3.4.1 Risk assessment is the identification of hazards, frequencies of occurrence, consequences and riskdrivers. The risk can be defined on a general level for the project, for different phases of a project or fordetailed elements of the asset.

2.3.4.2 The risk can be evaluated based on safety, environmental impact, economics, schedule, publicrelations, reputation or other criteria set by the owner.

2.3.4.3 Risk assessment can be based on engineering judgement (pragmatic) or on analytical processes. In[2.5] different methods have been described to arrive at the conclusions necessary to formulate a risk basedverification plan.

2.3.4.4 Once the risks have been identified their extent can be reduced to a level as low as reasonablypracticable or as low as corporately required, by means of one or both of:

— reduction in the probability of failure— mitigation of the consequences of failure.


DNV GL AS

Guidance note:Reasonable practicabilityThe term as low as reasonably practicable (ALARP) has come into use through the United Kingdom’s The Health and Safety atWork etc. Act 1974. Reasonable practicability is not defined in the act but has acquired meaning by interpretations in the courts.It has been interpreted to mean that the degree of risk from any particular activity can be balanced against the cost, time andtrouble of the measures to be taken to reduce the risk.It follows, therefore, that the greater the risk the more reasonable it would be to incur substantial cost, time and effort in reducingthat risk. Similarly, if the risk was very small it would not be reasonable to expect great expense or effort to be incurred inreducing it.


2.3.4.5 The systematic assessment of risks and the implementation of measures to reduce these, results in arelative ranking of the risk level of the elements and /or sub-elements of the asset.

2.3.4.6 The ranking of the elements will differ depending on the acceptance criteria; safety, environmentalimpact, economics, schedule, public relations, reputation or others. Different criteria may be applied to factorthe importance of these.

2.3.5 Definition of verification involvement

2.3.5.1 Definition of verification involvement or level(s) includes defining the cut-off level under which noverification activity shall be performed and to define the appropriate level of involvement for the others.

2.3.5.2 Based on the relative risk level of the elements the verification intensity should increase towards thehighest risk elements.

Guidance note:Verification of risk reducing measures e.g. in the form of risk reducing barriers, should be directed towards the risk reducingmeasures (barriers) which claims to have the highest risk reducing effects.


2.3.5.3 In this process the overall acceptance criteria from the asset specification should be cascaded downto more detailed performance requirements for individual elements or groups of elements.

2.3.5.4 The risk ranking is used in the selection of the appropriate verification activity level and type to bedescribed in the verification plan.

2.3.6 Verification plan

2.3.6.1 The verification plan is the pivot element in the DNV GL risk based verification systematics.

2.3.6.2 The verification plan is the scope of work (SOW) for verification. It should be revisited, re-evaluatedand possibly revised as the project progresses and new information becomes available.

2.3.6.3 The more specific the verification plan, the more predictable the verification activities will be.

2.3.6.4 The verification plan repeats the verification objective and the criteria for selecting the highest riskelements and the verification involvement, as given by the owner. It includes the findings from the riskassessment step, defines which asset specifications shall be verified, and also the level of involvement byparty and type of verification activity.

2.3.6.5 The verification plan further consists of listing the elements and their performance requirementstogether with the type and depth of scrutiny to which each shall be subjected.


DNV GL AS

2.3.6.6 The verification involvement level can be described using the tables in section 2 of the relevantobject specific DNVGL-SE.

2.3.6.7 Detailed scope of work tables listing all the sub-elements of an asset, can either be developed fromthe tables in this section of the relevant object specific DNVGL-SE or they can be based on the exampletables included in the appendices.

2.3.6.8 For information typical high risk elements with respect to safety of personnel, often termed safetycritical elements, are presented in App.C.

2.3.7 Verification execution

2.3.7.1 Verification execution is document review, independent analyses, inspection, monitoring, site visits,process audits, technical audits, testing, etc. according to the verification plan.

2.3.7.2 Information arising from execution should be used to identify continuous improvements to theverification plan. E.g. evidence of good systematic control may be used to reduce the verification activities.

2.3.7.3 The purpose of verification activities is to confirm compliance or identify non-compliance with theasset specification.

2.3.8 Asset completed

2.3.8.1 Asset completed is the end point of any lifecycle phase or phases, which complies with the relevantplanned asset and the asset specification.

2.4 Risk-differentiated levels of verification

2.4.1 Levels of verification

2.4.1.1 The level of verification activity should be differentiated according to the risk to the asset or elementor phases thereof. If the risk to the asset is higher, the level of verification involvement is higher. Conversely,if the risk to the asset is lower, the level of verification activities can be reduced, without any reduction intheir effectiveness.

2.4.1.2 It is emphasised that the activity level describes the depth of the verification involvement. Itfollows, therefore, that an increase in the level of involvement above that considered necessary, based on anevaluation of the risks, involves minimal extra risk reduction for increased cost. This practice is unlikely to becost-effective.

2.4.1.3 Verification of assets or elements thereof are typically categorised into low, medium and high.Low is the level of verification applied where the risks to the asset are lower than average. For example,it has benign contents, it is located in congenial environmental conditions, or the contractors are wellexperienced in the design and construction of similar assets. This level may also be appropriate when theowner (or other parties) performs a large degree of verification and/or quality assurance work.Medium is the customary level of verification activity and is applied to the majority of assets.High is the level of verification applied where the risks to the asset is higher than average. For example, ithas highly corrosive contents, it is in adverse environmental conditions, it is technically innovative or thecontractors are not well experienced in the design and construction of similar assets. This level may also beappropriate when the owner chooses to have a small technical involvement or performs little own verification.


DNV GL AS

Guidance note:The terms basic, regular and special are sometimes used to describe the level of involvement. If these are used in connection withDNV GL risk based verification, then basic shall mean low, regular shall mean medium and special shall mean high.


2.4.1.4 Illustrations of the levels of involvement are given in Figures 2-2 and Figure 2-3. Figure 2-2illustrates the levels as a function of probability and consequence of failure. Figure 2-3 illustrates howincreasing depth of scrutiny is assigned to elements with increasing risk levels.

Guidance note:An element can be everything from a drilling rig to an important component or system, depending on the detailing level of the riskassessment being carried out.


Figure 2-2 Levels of verification

Figure 2-3 Increasing verification scrutiny as a function of increasing risk level for each element

2.4.1.5 It is the prerogative of the owner of the asset system to choose the level of verification. Theselection should be documented.


DNV GL AS

2.4.1.6 Different levels of verification can be chosen for different lifecycle phases of the asset, or even withinthe same phase if necessary. For example, asset design may be innovative and considered high risk whereasthe installation method is well known and considered low risk. The converse might be true also.

2.4.1.7 The level of verification can be reduced or increased during a phase if the originally chosen level isconsidered too rigorous or too lenient, as new information on the risks to the asset becomes available. Careshould be taken to ensure that short term gains do not influence the reduction of verification, which couldlead to a long term detriment.

2.4.1.8 Verification should be planned in close co-operation with the owner and each of the contractors,to provide a scope of work that is adjusted to the schedule of each lifecycle element, i.e. to make theverification activities, surveillance and hold points, an integrated activity and not a delaying activity.

Guidance note:Many Contractors have adequate quality control systems and quality control departments, with competent personnel to perform,for example, inspection at plants and specialist engineers competent to review and verify the performance of plants.In that case, all verification work need not be done by DNV GL personnel. Where applicable, the various inspections may be carriedout by competent persons other than DNV GL personnel.In that situation a substantial part of DNV GL’s verification activities may be encompassed by:

— reviewing the competence of the contractor’s personnel,

— auditing their working methods and their performance of that work, and

— reviewing the documents produced by them.


2.4.1.9 Verification should direct greatest effort at those elements of the asset or system whose failure orreduced performance will have the most significant impact on safety or the other defined project risks. Theseelements are termed high risk elements or sometimes critical elements.

2.4.1.10 The degree of confidence placed in verification reports depends on the degree of confidence in theverification activities carried out. Therefore, the verification plan shall be transparent and give clear details ofthe level of verification for both elements and phases.

2.5 Defining a verification plan

2.5.1 Risk based verification planning

2.5.1.1 The selection of the level of verification shall depend on the risk level of each element having animpact on the management of hazards and associated risk levels of the asset.

2.5.1.2 The effort spent to select the overall level of verification and the detailing and differentiationbetween different elements will vary from project to project. It is a business decision on how to balance theeffort of up-front planning with that of some additional effort during verification execution.

2.5.1.3 The tools used to arrive at a verification plan range from engineering judgement risk assessment toanalytical risk assessments. The former generally reflects less effort in the up-front planning stage while thelatter directs more efforts into the particulars of a specific project.

2.5.1.4 The span in the method is illustrated in Figure 2-4. Most projects will utilise a combination of tools.Guidance note:Typically, for a tender phase it may be useful to utilise engineering judgement to make an initial verification plan. When updatingthe verification plan the appropriate analytical tools can be utilised.



DNV GL AS

2.5.2 Selection of level of verification

2.5.2.1 Suitable selection factors include:

— overall asset specification— assessment of the risks associated with the asset and the measures taken to reduce these risks— degree of technical innovation in the asset system— experience of the contractors in carrying out similar work— quality management systems of the owner and their contractors.

2.5.2.2 To facilitate the selection of the level of verification a set of trigger questions based on the above listof selection factors, has been prepared and is included in the object specific DNVGL-SE.

2.5.2.3 To further assist in the selection of general level of verification Table 2-1 can give some guidance.

2.5.2.4 The level of verification is selected for each individual element and should reflect the risk level aswell as the type of performance requirements.

Guidance note:To achieve a consistent verification involvement relative to risk level a practical and visual approach can be to plot the elementsand relative risk levels as in Figure 2-3. Decide on the maximum level of involvement (L, M or H) and draw the line to the left ofwhich no verification shall be made. The area enveloping the elements to be verified can then be split in to areas with uniformverification involvement.


2.5.3 Acceptance criteria

2.5.3.1 Defined acceptance criteria are essential to confirm compliance and identify non-compliance.

2.5.3.2 The format and detailing may differ. Assets, elements or lifecycle phases for which technicalstandards or company specifications exist, may have relatively short and simple acceptance criteria. Forassets, elements or lifecycle phases not readily covered by prescriptive standards, greater effort is directedinto the particulars of the specific project and this often results in more detailed performance requirements.

Table 2-1 Levels of verification and guidance on typical involvement at system level

Level Typical system characteristics Description of typical verification involvement

Low — Proven designs with relatively harmlesscontent and/or installed in benignenvironmental conditions.

— State of the art design, manufacturing andinstallation by experienced contractors.

— Low consequences of failure from acommercial, safety or environmental point ofview.

— Relaxed to normal completion schedule.

— Review of general principles and productionsystems during design and construction.

— Review of principal design documents,construction procedures and qualification reports.

— Site attendance only during system testing.— Less comprehensive involvement than level

medium.


DNV GL AS

Level Typical system characteristics Description of typical verification involvement

Medium — Asset in moderate or well controlledenvironmental conditions.

— Plants with a moderate degree of novelty— Medium consequences of failure from a

commercial, safety or environmental point ofview.

— Ordinary completion schedule.


— Detailed review of principal and other selecteddesign document with support of simplifiedindependent analyses.

— Full time attendance during (procedure)qualification and review of the resulting reports.

— Audit based or intermittent presence at site.

High — Innovative designs.— Extreme environmental conditions.— Plants with a high degree of novelty or large

leaps in technology.— Contractors with limited experience or

exceptionally tight completion schedule.— Very high consequences of failure from a

commercial, safety or environmental point ofview.


— Detailed review of most design document withsupport of simplified and advanced independentanalyses.

— Full time attendance during (procedure)qualification and review of the resulting reports.

— Full time presence at site for most activities.— More comprehensive involvement than level

medium.


DNV GL AS

Figure 2-4 Verificaton planning


DNV GL AS

2.6 Simplified verification planning

2.6.1 General

2.6.1.1 Simplified verification planning is mainly based on engineering judgment and reflects DNV GL's in-house experience as well as the industry experience as reflected in a number of technical standards. Bothhave been used to make up the object specific DNVGL-SEs.

2.6.1.2 The steps in the simplified verification planning are as follows:

— Use trigger questions to assess the overall risk level of the project (or manageable elements thereof).— Evaluate the risk against the relevant owner or project acceptance criteria (often this can be directly tied

to the owner core values or a sub-set of these) and decide whether the general verification involvementshall be low, medium or high.

— Use the detailed scope of work tables in the object DNVGL-SE to make a first draft of a verification plan.— Generate the project specific verification plan by include a project specific engineering judgment to adjust

the table to suit the project— Perform the verification execution according to the verification plan, making revision to the plan if and

when necessary.

2.6.1.3 Care shall be taken not to use this process without sufficient attention to its built-in simplifications.Particularly the use of example tables in the appendices can never replace the need for project specificassessments. They can, however, be very useful starting and reference points.

2.7 Detailed verification planning

2.7.1 General

2.7.1.1 The analytical verification planning is based on the use of (quantitative) risk methods to establishproject specific identification of the relative risk level of the project elements.

2.7.1.2 Depending on the project size and type the risk assessment will often include an initial qualitativerisk assessment screening prior to a full quantitative risk analysis, QRA.

2.7.1.3 A description on how to carry out HAZID, HAZOPD and QRA in general is not given in this DNVGL-SE.The methodology is described in numerous books and publications on the subject.

2.7.1.4 Particularly for projects or project elements were there are limited or inadequate prescriptivetechnical standards or if the performance requirements are of a nature that make available prescriptivestandards inadequate, it is advisable to invest more time and effort in the planning stages.

2.7.1.5 With limited prescriptive standards the need and also the effort required to define the acceptancecriteria for individual or groups of elements will normally increase. App.D addresses how to formulatedetailed performance requirements and also how these and the risk elements are developed into verificationactivity lists, which are finally included in the verification plan


DNV GL AS

2.8 Risk based verification and national regulations

2.8.1 General

2.8.1.1 Many national authorities have specific requirements to the verification activities. These can be in theform of minimum requirements to documentation of risk and risk reducing measures, which documents shallbe presented to the authorities, mandatory use of standards etc. The authorities may also have requirementsto roles and responsibility, independence of verifier, content and form of verification activities, terminologyetc.

2.8.1.2 The particulars of the relevant national requirements shall be observed when planning andperforming risk based verification.

Guidance note:The offshore installations (safety case) regulations in UK can be an example of particular National Authority requirements. Therisk based verification approach fits very well with these regulations, but one needs to ensure that the correct documents andterminology are used and understood e.g. major accidents hazards, safety-critical elements, performance standards etc.



DNV GL AS

APPENDIX A BENEFITS OF DNV GL RISK BASED VERIFICATION

A.1 General

A.1.1 Background information

A.1.1.1 This appendix gives background information on verification and the possible benefits thereof.

A.1.2 Verification trends

A.1.2.1 Verification has historically been carried out with a variety of scope and depth of involvement. Thedepth of involvement, or level of verification, has not always been very transparent.

A.1.2.2 There are national authorities requiring verification or even certification of offshore or onshoreinstallations (assets) and have appointed specific organisations qualified for this work.

A.1.2.3 Some of these national authorities may have detailed requirements to the verification or certificationactivity, while others leave the definition of the necessary work up to the appointed organisation. Othernational authorities require specific documents to be verified and approved by them, some hold the ownerresponsible for the verification activities, others again may not have any specific requirements.

A.1.2.4 The trend is that authorities remove themselves from the prescriptive regimes and convert tofunctional requirements and safety and risk approaches. It is therefore believed that there will be a strongerdemand for measurable objectives to be presented by the owners. The objectives are linked, as a minimum,to the expectations from the authorities on safety to the work force, the public and the environment.Economics may be an additional minimum requirement from the owner and his partners.

A.1.2.5 As a means to fulfilling these expectations business today is often characterised by a defined desireto systematically balance expected costs and benefits. The aim is an optimum control of the uncertainties (orrisks) related to the objectives.

A.1.2.6 Even where national authorities do not require verification of installations (assets), verification (orcertification) is a convenient tool for the owner to get an independent evaluation of the contractor(s) work orto show financiers, partners, insurers and the public that the asset complies with relevant safety levels andother requirements in the asset specification.

A.1.2.7 It is good business practice to subject important work to a third-party check as this reduces thepossibility of errors remaining undetected. Third-party verification will ensure that the verifier has anindependent view and perspective when performing this activity. Furthermore, it will avoid the situationwhere errors could be overlooked by engineers or others because of their closeness to the work with theasset.

A.1.2.8 Systematic risk based assessment methods are more often used to identify the risk associated withthe elements. Based on this identified risk, focus is put on the relevant acceptance criteria pertaining tointegrity, functionality, survivability, availability, reliability, maintainability, and environmental impact of anasset throughout its lifecycle.

A.1.2.9 The result of the systematic identification of risk can be utilised in the design and construction by thecontractor and by the owner or a 3rd party to optimise the verification activities through a well defined andtransparent verification plan.

A.1.2.10 Not all projects nor all high risk elements have great degrees of novelty or innovation requiringa large degree of sophistication when predicting risk. The high risk elements or phases can often be


DNV GL AS

determined by what is addressed in international technical standards and from general experience. Forthese projects the ability to communicate the correct or desired level of verification may be the most timeconsuming exercise.

A.1.2.11 At the other end of the scale are the projects that have greater uncertainty, and often appearsto be high risk, but which need to be systematically addressed to be able to identify the hazards, theprobability and consequences of occurrence and the risk levels of the elements. For these projects the correctidentification and ranking of the risk of the elements is essential for the project optimisation process andplanning of the verification activities. However, it is also for these necessary to be able to communicate thelevel of verification and link it to the associated risk.

A.1.2.12 For almost all projects, interface activities are important and many have experienced thatinadequate interface management can be very costly and time consuming.

A.1.3 Benefits of DNV GL risk based verification

A.1.3.1 Business today is characterised by the need to balance cost and benefits through a betterunderstanding and mastering of the assets and their associated risks. Risk based verification aims atbalancing the efforts to control the operational and technological risks and for an optimum control of risksand uncertainties from the concept stage to decommissioning or abandonment of any asset. It may providecost and time savings compared with prescriptive verification or certification by focusing on risk and byprioritising verification efforts.

A.1.3.2 The use of a more elaborate analytical method to plan the verification may give substantial costbenefits during the verification execution. Particularly for projects characterised by the following:

— a high degree of complexity— significant elements of new or unproven technology— proven elements being introduced to new operating conditions or applications— participants having limited experience in a type of asset or development— challenging development programmes.

A.1.3.3 DNV GL aims through risk based verification, to instil confidence in our customers. Throughindependent and competent scrutiny the intent is to confirm that the asset is designed, constructed and/oroperated so that:

— it is fit for its intended purpose,— its level of integrity is as high as reasonably practicable— the associated risk to health, life, property and environment is as low as reasonably practicable.

A.1.3.4 Such confidence arising from risk based verification is not necessarily limited to DNV GL’s traditionalcustomers – it can be extended to contractors or other project participants, owners, financiers, partners,insurers etc. that an asset complies with a relevant basis, even in areas where formal references may bemissing or are under development.

A.1.3.5 The advantages for DNV GL’s customers in applying a risk based verification approach may include:

— reduced probability of undesirable events— improved availability and reliability— cost and time savings through avoiding undue attention to areas and activities that are low contributors to

risk— contributing to optimised expenditure (CAPEX, OPEX and RISKEX) in high risk areas— early involvement in projects to ensure correct decisions and minimal rework— a demonstrable and auditable case for safety or other owner or project core values— active support to, and demonstration of achievement of, these core values


DNV GL AS

— confirmation, and increased visibility, of the above to (project) partners and other stakeholders and toregulatory bodies.

A.1.3.6 For a new asset development risk based verification services should seek to reduce any uncertaintyin the design as early as possible, and if any weaknesses are revealed allow for effective management ofnecessary changes, see Figure A-1 Effects of early involvement. DNV GL’s verification experience reinforcesthe important message of early involvement and the need for in-depth knowledge of the activities requiredto obtain optimal resource allocation for the verification process. A proactive approach is required and placesparticular emphasis on roles and responsibilities.

Figure A-1 Effect of early involvement

A.1.3.7 The above processes should consider all phases of the asset lifecycle. For example during theoffshore commissioning phase of a new asset there may be temporary items of equipment provided whichshould be identified as high risk elements (e.g. temporary fire/gas detection).

A.1.3.8 DNV GL believes that a strong focus on the development of the verification plan will support acommon interpretation of verification philosophies and requirements (which may differ from one projectto another), and this should facilitate a more cost effective verification execution and provide for greaterpotential value to be obtained from the overall verification process.

A.1.3.9 Database applications (for example DNV GL’s verifier software) can be implemented to assist withdevelopment and execution of verification plans, including the capability to record the status of all verificationactivities, and provide reports on their status. Such database applications can assist co-ordination by makingthe status available to all involved in verification, including the customer, simultaneously.


DNV GL AS

Figure A-2 The asset realisation process

A.1.3.10 The optimisation can be regarded as the process to shrink the total volume of the circle in FigureA-1 and to find the ideal balance between contractor and 3rd party volumes within that circle.

A.1.3.11 Alternatively, the volume of the ball can be used to indicate the cost of the process. The correctbalance between the two sides may reduce the total volume of the whole process and at the same timeachieve the optimum asset. By optimum asset we mean one that through its lifecycle is suitable for theoperation and has the correct balance between the quality, cost, environmental impact, safety, schedule andany other elements defined by owner.

A.1.4 Other DNV GL services related to risk based verification

A.1.4.1 Any of the areas of risk based verification involvement can be integrated with other DNV GL services,potentially with enhanced effectiveness, such as:

— project risk management— assisting with development of project HSE philosophy— conducting, or participating in, hazid— risk studies or assessments (e.g. QRA)— reviewing the customer’s formal safety assessment (safety case) to confirm the adequacy and robustness

of the process— providing a suitable computer application to manage verification requirements and findings— managing other legislative compliance requirements on behalf of the customer or asset owner


DNV GL AS

— developing or reviewing reliability centred maintenance (RCM) and risk based inspection (RBI)philosophies and procedures.


DNV GL AS

APPENDIX B VERIFICATION AND CERTIFICATION DOCUMENTS

B.1 Verification documents

B.1.1 Purpose of verification documents

B.1.1.1 Verification documents are issued by DNV GL. The purpose of these documents is to providedocumentation that objective evidence has been presented to confirm compliance with the requirements andto document the work performed by DNV GL.

Guidance note:Examples of document forms are found in the objects specific DNVGL-SE.


B.1.1.2 Intermediate verification documents act as a form of progress reporting showing satisfactorycompletion of complete life cycle verification activities for various issues, items or phases of the asset.

B.1.1.3 The verification documents follow the hierarchy shown below and in Figure B-1:

— statement of conformity— verification report— intermediate documents

— audit reports— verification comments— visit reports.

B.1.1.4 A description of each of these is given in the respective object specific DNVGL-SE.

Figure B-1 Document hierarchy for verification


DNV GL AS

B.1.2 Validity of verification documents

B.1.2.1 Verification documents are, in principle, documents confirming that an examination has been carriedout, and are valid only at the time of issue.

B.1.3 Verification documents provided

B.1.3.1 The types of documents issued by DNV GL relative to the different stages of the verification processare illustrated by Table B-1.

Table B-1 Asset verification – documents provided by DNV GL

Reference standardfor verification DNV GL standard or other agreed technical standard

Design Construction Operation

Project phases

Con

cept

ual

desi

gn

Det

ail d

esig

n

Man

ufac

turing

of co

mpo

nent

s

Man

ufac

turing

of

equi

pmen

t an

d as

sem

blie

s

Inst

alla

tion

Proj

ect

com

plet

ion

Ope

ratio

n,

mai

nten

ance

and

repa

ir

Types of

verification

documents

provided

Statement of confirmity for individual phase or natural part thereof

B.2 Certification documents

B.2.1 General

B.2.1.1 DNV GL certification is a special form of verification where the total scope is defined by DNV GL.Reference is given to the section on definitions. For statutory certification the scope should in principle bedefined by the regulating body.

B.2.1.2 The certification documents consist of the verification documents described above with an overlyingcertificate of conformity. Hence, the hierarchy of documents are as illustrated in Figure B-2. In relation to theproject phases, reference is given to Table B-2.

B.2.2 Validity of certification documents

B.2.2.1 In general the same validity, i.e. the time of issue, applies as for verification documents.


DNV GL AS

B.2.2.2 However, for certificates of conformity, a specified period of validity and maintenance conditions forensuring this validity may be given in the certificate.

Figure B-2 Document hierarchy for certification


DNV GL AS

Table B-2 Asset certification – documents provided by DNV GL

Referencestandard forcertification

DNV GL standard

Design Construction Operation

Project phases

Con

cept

ual

desi

gn

Det

ail d

esig

n

Man

ufac

turing

of co

mpo

nent

s

Man

ufac

turing

of eq

uipm

ent

and

asse

mbl

ies

Inst

alla

tion

proj

ect

com

plet

ion

Ope

ratio

n,

mai

nten

ance

and

repa

ir

Types of

certification

documents

provided

Statement of conformity for individualphase or natural part thereof

Cer

tific

ate

of

conf

orm

ity

Cer

tific

ate

ofco

nfor

mity

(re

tent

ion)

Certification phasePre -

certificationCertification

Maintenance ofcertification


DNV GL AS

APPENDIX C EXAMPLE LIST OF TYPICAL HIGH RISK ELEMENTS

C.1 High risk elements

C.1.1 Offshore installations

C.1.1.1 The following table presents typical high risk elements with respect to safety of personnel for themain types of offshore installation. These are often called safety critical elements (ref e.g. UK Safety Caseregime). This list is intended as a tool to help to ensure that key systems identified as high(est) risk are notomitted. However, the list can never be guaranteed to be exhaustive and shall never be used without dueconsiderations.

Table C-1 Examples of typical high risk elements

TYPICAL HIGH RISK ELEMENTS MODU FLOTEL FPSO/FPU FOI

STRUCTURE

Jackets and piles - - - X

Gravity based structure - - - X

Jack-up legs and associated jacking and locking systems X X - -

Hull (including watertight closures) X X X -

Drilling derrick X - - X

Firewater caisson and supports - - - X

Topsides primary structure including bridge and flare tower X X X X

Helideck X X X X

Lifting (cranes) and hoisting (drilling equipment) X X X X

Crane pedestal X X X X

Foundations X X X X

Blast protection including blast venting provisions X - X X

Dropped object protection incl. subsea protective structures X X X X

Turret - - X -

DRILLING

Mud systems X - - X

Blowout preventer system X - - X

Choke and kill (including emergency blowdown) X - - X

Cement system X - - X

Marine riser system X - - X

Well control instrumentation X - - X

Diverter system X - - X


DNV GL AS


POWER

Emergency power X X X X

Battery systems X X X X

Protection of electrical equipment X X X X

IGNITION PREVENTION

Electrical earthing continuity X X X X

Electrical equipment in hazardous areas X X X X

Protection of hot surfaces X X X X

Natural ventilation X X X X

FIRE AND GAS

Gas (flammable and toxic) detection system X X X X

Fire detection system X X X X

Deluge X X X X

Sprinklers X X X X

Fire pumps X X X X

Firewater ring main X X X X

Foam system X X X X

Gaseous systems (e.g. halon, CO2) X X X X

Passive fire protection (including doors, walls and penetrations) X X X X

Ventilation systems X X X X

EMERGENCY RESPONSE AND EVACUATION

Temporary refuge X X X X

Escape routes X X X X

Helideck systems (markings, nets, obstacle marking/lighting etc.) X X X X

Escape (battery-backed) lighting X X X X

Internal communications (e.g. public address/general alarm, manual alarmcall points, telephones)

X X X X

External communications (including marine and aviation) X X X X

TEMPSC X X X X

PPE (incl. lifejackets, survival/immersion suits, helideck crash equip.) X X X X

ESCAPE SYSTEMS

Descent to sea systems (personal descent devices, knotted ropes, nets) X X X X

Ladders to sea X X X X


DNV GL AS


Life rafts X X X X

Standby vessel and associated fast rescue craft X X X X

HYDROCARBON CONTAINMENT

Hydrocarbon piping and equipment (including valves and instrumentation) - - X X

Emergency shutdown system including software, process shutdown, highintegrity protection systems, overpressure protection systems etc.

X X X X

Relief and blowdown system X X X X

High speed machinery trips X - X X

Local atmospheric vents X - X X

Drains (open and closed hazardous) X X X X

Risers and riser emergency shutdown valves - - X X

Pipelines - - X X

Pipeline subsea isolation valves - - X X

MARINE

Mooring (including move-off) X X X -

Navaids (including lights, foghorns, marine/weather monitoring systems) X X X X

Radar early warning system X X X X

Ballast and bilge (stability) X X X -

Inert gas system - - X -

Dynamic positioning system X X X -

Thrusters X X X -

TEMPORARY EQUIPMENT

Bridge connections to support vessels X X X X

Gas cylinders and attachments X X X X

Power generators X X X X

Temporary public address/general alarm systems X X X X

Well test equipment X - - X

Radioactive source store X - X X

Explosives store X - - X

SAFETY MANAGEMENT SYSTEM X X X X


DNV GL AS

APPENDIX D DETAILED PERFORMANCE REQUIREMENTS ANDVERIFICATION ACTIVITY DESCRIPTIONS

D.1 Performance requirements

D.1.1 Setting performance requirements

D.1.1.1 Performance requirements should describe the essential requirements that a high risk element shallmeet, maintain, or provide on demand. Ideally it is a statement, which can be expressed in qualitative orquantitative terms, of the performance required of a system, item of equipment or procedure and which isused as the basis for managing a risk and any events requiring emergency response, through the lifecycle ofthe asset.

D.1.1.2 The most suitable performance requirement should ideally satisfy all of the following conditions:

— it requires measurement of the performance/capability of a parameter of the component/system— the measured parameter provides evidence of the ability of the component/system to prevent, or limit the

effect of, an unplanned event— acceptance criteria/range are defined for the parameter in question— the parameter can be monitored/measured.

Guidance note:DNV GL’s experience is that performance requirements should be at a level that sets an objective for the element in question, theyshould not describe how that objective is to be achieved, or how it is to be demonstrated (verified), this is part of the verificationplan.


D.1.1.3 As a minimum the following characteristics should be considered in generating performancerequirements:

— functionality – what the element shall achieve— reliability – how often it will be required to operate satisfactorily— availability – how often it will be required to operate on demand— survivability – the conditions under which it will be required to operate, e.g. if exposed to fire, blast,

vibration, ship impact, dropped objects, adverse weather etc.

D.1.1.4 The consequence of a performance requirement not being met (demonstrated) should also beconsidered. If the consequences are such that an unplanned event cannot result, or a significant reductionin the effectiveness to prevent, detect, control, mitigate, or monitor a major unplanned event cannot result,then the performance requirement should not be considered as necessary.

D.1.1.5 In the same way that parts of an asset may be considered as high risk for certain periods of itslifecycle it is possible for performance requirements to be applicable during specific phases of an asset’slifecycle only. At all times that a part of an asset is high risk, there shall be at least one performancerequirement.

Guidance note:Quantitative performance requirements for reliability or availability of an element are essential for high risk elements containinginstrument-based protective systems. Where such performance requirements are specified, it is recommended that the preciserequirements are fully defined (i.e. not just “reliability to be ....”), that there is a clear means of verifying the requirement, andthat verification can provide positive demonstration of the element’s suitability. DNV GL’s preferred style of such performancerequirements is to specify the maximum probability of failure on demand for each safety function (complete loop), consistent withthe concept of safety integrity level (SIL) as described in IEC 61508.



DNV GL AS

D.2 Verification activities

D.2.1 Developing verification activity lists

D.2.1.1 The objective of an activity is to confirm that the performance requirements are achieved. Theverification activity list constitutes the main part of the verification plan and corresponds to the exampletables included as appendix to the object specific DNVGL-SE.

D.2.1.2 The list should give details of what needs to be done, by whom and when. For each performancerequirement there should be at least one examination activity. The activity list should include:

— what shall be done – a description of the examination activity to be performed to verify that the criteriaspecified in each performance requirement is met

— type of examination activity to be performed, e.g. inspection, witness, review, monitoring— extent of involvement in activity, where applicable (e.g. percentage of sample)— how often it shall be repeated (if at all, e.g. for initial suitability only)— unique identifier for each activity, for control and reporting purposes (ideally aligned to high risk element

and performance requirement identifier)— a clear reference to a specific performance requirement and high risk element for each activity— note of specific documents or processes (e.g. planned maintenance activities, rolling inspection

programmes) which will be used as a basis for verification or for reference as part of the examinationactivity.

D.2.1.3 The activity list should state which examinations shall only be performed prior to the high riskelement being put into service (examination for initial suitability). No further activities of this type will beperformed during operation, unless modifications are made to the element. Other examination activities(examination for continued suitability), especially during the operational phase, should be repeated atintervals specified to ensure that the high risk element to which it refers maintains its suitability andadequacy.

D.2.1.4 The following may contribute to the specification of interval or frequency of examination:

— requirements of recognised codes and standards,— risk assessments— assumptions and conclusions of risk and/or reliability studies on relevant systems— extent of installation maintenance routines and inspection plans— interval between the asset operator’s assurance activities,— manufacturer’s recommendations for the equipment— findings of previous examination activities (including those for related high risk elements or performance

requirements).

D.2.1.5 The activity list may often (but optionally) be contained in a database application in order tofacilitate the dynamic process of modifications and updates, and also provides for a powerful managementand reporting tool.

Cha

nges

– h

isto

ric


DNV GL AS

CHANGES – HISTORICThere are currently no historical changes for this document.

About DNV GLDriven by our purpose of safeguarding life, property and the environment, DNV GL enablesorganizations to advance the safety and sustainability of their business. We provide classification,technical assurance, software and independent expert advisory services to the maritime, oil & gasand energy industries. We also provide certification services to customers across a wide rangeof industries. Operating in more than 100 countries, our experts are dedicated to helping ourcustomers make the world safer, smarter and greener.

SAFER, SMARTER, GREENER

Documents

DNVGL-SE-0474 Risk based verification