Criticality classification decides how much maintenance effort an asset deserves. NORSOK Z-008:2024 asks you to rate the consequence of failure in four independent categories — Safety & Health, Environment, Production, and Other / Cost — and pick the worst as the dominant class. That dominant class, combined with redundancy (RED-A/B/C), containment risk, and whether the item is an ISO 17776 barrier, sets the maintenance programme intensity and the corrective-maintenance priority window (5, 30, or 180 days).
The 2024 edition split Environment out of the old HSE category, renumbered the clauses, and added Annex E for climate and greenhouse-gas screening. Otherwise the Annex C consequence matrix and the dominant-class rule are unchanged from 2017.
What criticality classification is
Criticality classification is a structured answer to a resource-allocation question: given thousands of tags on a facility, which ones need rigorous maintenance analysis and which can survive on minimum cost-based care? The answer has to be defensible — auditable against a recognised standard, consistent across assessors, and coarse enough to be practical but sharp enough to drive real decisions.
The output of classification is a dominant consequence class per asset, usually one of three bands: C3 high, C2 medium, C1 low. That single code then governs what the rest of the maintenance programme looks like for that asset — whether FMECA is mandatory, whether RCM is required, which corrective-maintenance response time applies, and whether a Generic Maintenance Concept is acceptable or a full reliability study is needed.
Classification is not risk assessment. Risk = probability × consequence. Classification looks at consequence only. The probability dimension enters later, in FMECA (Tool 2), where each failure mode gets its own probability rating. That separation keeps the classification work tractable: four questions per asset, not four questions per failure mode.
Why it matters — it drives everything downstream
Classification is the leverage point. Every downstream decision on the asset — depth of analysis, frequency of inspection, response time when something breaks, whether spares are stocked, whether redesign is mandatory — anchors to the dominant class. Getting it wrong cascades.
Classify a safety-critical pump as C1 and you under-maintain a barrier. Classify a simple service pump as C3 and you burn engineering hours on FMECA and RCM for an asset where run-to-failure would have been acceptable. Neither error is recoverable downstream — the RCM tool assumes the criticality input is correct; it doesn't re-examine the classification.
Concretely, the dominant class from Z-008:2024 governs:
- FMECA mandatory or optional (§9.2.1)
- RCM depth — full analysis, Generic Maintenance Concept, or minimal concept (§9.4)
- Inspection interval ceilings (§9.2.2, §9.3)
- Corrective-maintenance response time (Annex C, Table C.3: 5, 30, or 180 days)
- Whether run-to-failure is acceptable as a final task (§9.2.1)
- Spare-parts strategy — stocked locally, regionally, or pooled
The Z-008:2024 framework
Z-008:2024 is the current edition of the Norwegian standard for risk-based maintenance. It replaced Z-008:2017 on 20 December 2024. For classification, the 2024 edition keeps the same core logic as 2017 with one substantive change and some clause renumbering.
What changed in 2024: Environment became a separate consequence category (previously it was bundled inside HSE). Consequence section moved §7→§8. Maintenance-programme section moved §8→§9. A new §8.5 Quality check was added. Annex E was added for climate and greenhouse-gas screening. Your 2017-trained muscle memory still works — you just need to evaluate one extra category per asset.
The four consequence categories
For every asset, the assessor rates the consequence of failure in each of four categories independently:
- Safety & Health — consequence to personnel from a failure. Previously called "Safety" inside the HSE bundle.
- Environment — consequence to external environment (discharges, emissions). New as a standalone category in 2024.
- Production — consequence to throughput, availability, or downstream service.
- Other / Cost — operational or asset cost not already captured above (unplanned repair cost, loss of capital value, reputational).
Each category is rated C1 (low), C2 (medium), or C3 (high) against thresholds the company has defined in its own Annex C customisation. Z-008 provides the guidance matrix in its own Annex C, but company-specific thresholds are expected to apply per §5.4.
Dominant class — the "C3 wins" rule
Once each category has a rating, the dominant class is the worst rating across all four categories. Not the average, not the most frequent — the worst. An asset rated C1/C1/C1/C3 is C3 overall, and is handled at C3 intensity for the rest of the programme. This is §8.3 in the 2024 edition (§7.1 in 2017).
The four categories, one at a time
Safety & Health (was "Safety" in HSE)
Consequence to personnel from a failure of the function. Z-008:2024 uses these thresholds as informative guidance (your company-specific criteria per §5.4 may be more or less strict):
C3— Fatality or serious personnel injury. Rendering safety-critical systems inoperable.C2— Injury requiring medical treatment. Limited effect on safety systems.C1— No potential for injury. No effect on safety systems.
Two failure scenarios are relevant: direct injury from the failure itself (rotating equipment releasing a projectile, pressure boundary rupture), and indirect injury from the loss of function (emergency shutdown valve fails to close, firewater pump fails to start on demand). Both count.
Rating safety-critical assets
Any item realising a safety or environmental barrier function per ISO 17776 is typically C3 in this category by default. The barrier element flag on the Bluestream tool doesn't change the classification itself — it records the Performance Standard reference (PS-ESD-001, SIL rating, etc.) and tightens the corrective-maintenance response time to ≤2 days for C3 barriers.
Environment (new separate category in 2024)
Consequence to the external environment — spills, discharges, atmospheric emissions, noise, greenhouse-gas releases. In the 2017 edition this was bundled under HSE; the 2024 edition split it out because the drivers are different (a toxic spill and a personnel injury have different mitigation paths, different reporting regimes, and different remediation costs).
C3— Major discharge or emissions. Significant GHG release.C2— Medium discharge or emissions.C1— No or minor spill, no emissions.
"Significant GHG release" is new in 2024 and ties into Annex E, which introduces climate and greenhouse-gas screening to the risk framework. For operators with public emissions commitments, this category can drive an asset to C3 even where safety and production consequences are modest — for example, vent systems with high methane slip, or seal systems where fugitive emissions are the dominant concern.
Production
Consequence to throughput or availability. Typically measured in days of production loss, but some operators use cost of lost production directly.
C3— Downtime exceeding the company-specific threshold (often >7 days).C2— Delayed or reduced production within the threshold.C1— No production loss.
Production classification is where redundancy most directly reduces the dominant class. A single 100% pump with no backup is typically C3 if its failure stops production. The same pump in a 2×100% arrangement is often C1 or C2 for Production — losing one unit doesn't lose production. The classification documents this by recording the redundancy class separately (RED-A/B/C), and the downstream analysis uses both pieces of information.
Other / Cost
Operational or asset cost consequence not already captured above. Typical drivers: unplanned repair cost exceeds a threshold; long lead-time spares at risk of obsolescence; reputational exposure; cost of mobilisation for offshore or remote assets.
C3— Significant operational impact or asset cost.C2— Moderate operational impact or asset cost.C1— No operational issue or asset cost consequence.
This category is easy to under-weight. Assets with long procurement lead times — large-bore subsea valves, custom-forged items, OEM-proprietary components — often deserve C2 or C3 in Other/Cost even when their safety and production consequences look modest, because the cost of a wrong call is carried for months.
Redundancy — RED-A / RED-B / RED-C
Once the dominant class is set, the redundancy class is recorded separately. Z-008 Annex C Table C.2 defines three levels:
| Class | Definition | Example |
|---|---|---|
| RED-A | No redundancy — single point of failure. | One 100% pump with no spare. Failure stops the function. |
| RED-B | One parallel unit can fail without loss of function. | 2×100% or 3×50% arrangement. One unit can be lost; function continues. |
| RED-C | Two or more parallel units can fail simultaneously. | 3×100% or 4×50%. High redundancy — rare outside dedicated safety systems. |
The redundancy class carries forward through the whole programme as the RED-A/B/C suffix on the dominant class (for example, "C3/A" or "C1/C"). It influences FMECA probability ratings (a hidden failure of a standby unit has different consequences from an evident failure of a duty unit) and directly drives the response-time window for corrective maintenance per Table C.3.
Redundancy is not a get-out-of-jail card. Common-cause failures defeat redundant arrangements — shared power supply, shared instrument air, shared software, shared maintenance crew error. Before claiming RED-B, confirm the redundancy is truly independent. If all three pumps share a single suction header that was last inspected in 2019, you have RED-A with three failure modes, not RED-C.
Containment — hydrocarbons, toxics, high P/T
Containment classification captures the inherent hazard of the fluid or medium the asset handles, independent of its specific failure scenario. It is recorded alongside the dominant class because it influences the type of maintenance required — not just how often.
C3— Flammable above flashpoint · Highly toxic · Extreme pressure or temperature.C2— Below flashpoint · Moderate toxicity · High pressure or temperature.C1— Non-flammable · Non-toxic · Normal pressure and temperature.N/A— No containment function (instruments, rotating equipment without process fluid boundary, structural items).
A C3 containment rating triggers specific maintenance programme requirements even when the consequence categories are lower — integrity management of the pressure boundary (thickness measurements, corrosion-under-insulation inspection, fitness-for-service evaluations), and typically mandates inclusion in the operator's process safety management scope.
Barrier elements (ISO 17776)
A barrier element is any item — technical, operational, or organisational — whose function is to prevent, control, or mitigate an accidental event. ISO 17776:2016 formalises the concept in the offshore context; IEC 61511 handles safety-instrumented function barriers specifically; the Norwegian Petroleum Safety Authority (Havtil) regulations require barrier management as an explicit obligation.
For classification, the barrier flag does two things:
- It records the Performance Standard — the PS reference number, SIL rating, required response time, and acceptance criteria. Every barrier element must have a PS reference; if it doesn't exist, classification is incomplete.
- It tightens the CM priority window — a C3 barrier element has a corrective-maintenance response target of ≤2 days in the Bluestream default (Annex C Table C.3), rather than the normal ≤5 days for C3.
What qualifies as a barrier element?
Typical examples: emergency shutdown valves, fire and gas detectors, firewater pumps, blowdown valves, deluge systems, HIPPS final elements, pressure-relief valves acting as a last line of defence, and process alarms meeting IEC 61511 requirements. Structural items providing passive fire protection also qualify. The common factor: failure of the barrier element removes an independent layer of protection against a defined major accident hazard.
CM priority windows — 5 / 30 / 180 days
The corrective-maintenance priority window is the response-time target for unplanned work arising from a failure on the asset. Bluestream applies the Annex C Table C.3 defaults from Z-008:2024, which the operator is free to override per company-specific criteria:
| Dominant class | CM response target | Barrier variant |
|---|---|---|
| C3 — High | ≤ 5 days | ≤ 2 days if barrier element |
| C2 — Medium | ≤ 30 days | n/a |
| C1 — Low | ≤ 180 days | n/a |
These are response-time ceilings, not work-order durations. A C3 asset failure must be responded to within 5 days — the work must commence, not necessarily finish, within that window. The barrier variant (≤2 days) reflects that a degraded barrier leaves the facility with one fewer independent layer of protection, which is not acceptable for long.
Annex C reference tables
Z-008:2024 Annex C is informative (not normative) — it provides suggested thresholds for the consequence categories and the redundancy definitions. Company-specific risk decision criteria per §5.4 take precedence where they exist. The Bluestream tool reproduces the Annex C defaults inline so assessors have them at hand during classification.
Table C.1 — Consequence classification matrix
| Category | C1 — Low | C2 — Medium | C3 — High |
|---|---|---|---|
| Safety & Health | No potential for injury. No effect on safety systems. | Potential for injury requiring medical treatment. Limited effect on safety systems. | Fatality or serious personnel injury. Renders safety-critical systems inoperable. |
| Environment | No or minor spill or emissions. | Medium discharge or emissions. | Major discharge or emissions. Significant GHG release. |
| Production | No production loss. | Delayed effect on production or reduced production. | Downtime exceeding company-specific threshold. |
| Other / Cost | No operational issue or asset cost consequence. | Moderate operational impact or asset cost consequence. | Significant operational impact or asset cost consequence. |
| Containment | Non-flammable, non-toxic, normal P/T. | Below flashpoint, moderate toxicity, high P/T. | Above flashpoint, highly toxic, extreme P/T. |
Table C.2 — Redundancy definitions
| RED class | Definition |
|---|---|
| A | No redundancy — single point of failure. |
| B | One parallel unit can fail without loss of function. |
| C | Two or more parallel units can fail simultaneously. |
Table C.3 — CM priority windows (Bluestream default)
| Dominant class | Standard response | Barrier response |
|---|---|---|
| C3 — High | ≤ 5 days | ≤ 2 days |
| C2 — Medium | ≤ 30 days | n/a |
| C1 — Low | ≤ 180 days | n/a |
How the Bluestream tool implements Z-008:2024
The Criticality Classification tool in Bluestream Develop is a single-page workflow that walks through the Z-008:2024 classification and produces an auditable record. The left sidebar captures the inputs; the right panel renders the classification output and the maintenance-programme implications.
The standard selector at the top of the sidebar lets you switch between Z-008:2017 (retired) and Z-008:2024 (current). The page remembers your last choice across refreshes via local storage. Switching to 2024 reveals the Environment category; switching back to 2017 hides it and re-labels the Safety & Health section as "HSE" for consistency with that edition's terminology.
Required inputs:
- Asset information — name, tag number, equipment type, system function.
- Consequence ratings — one per category (Safety & Health, Environment for 2024, Production, Other/Cost).
- Redundancy class — RED-A, RED-B, or RED-C.
- Containment class — C1/C2/C3 or N/A.
- Barrier element flag — if set, prompts for Performance Standard reference.
- Assessment record — assessor name, reviewer name, date, revision.
Each consequence category has a free-text assessor rationale field. This is mandatory by discipline even though the tool doesn't enforce it — the rationale is what makes the classification auditable six months later when someone questions a C3 rating.
Click Classify Criticality to consume 1 token and produce the output. The output panel shows the full classification record — asset header, per-category ratings, redundancy badge, dominant class, CM priority, maintenance-programme implications keyed to Z-008:2024 clauses, and a decision path listing every input so the classification is fully traceable.
Worked examples
Three examples showing how a single asset moves through the framework to its final dominant class. Each includes the assessor trace so you can follow the logic end to end.
Example 1 — Offshore firewater pump, diesel-driven
C3/A · BarrierA skid-mounted diesel firewater pump on an offshore production platform. Single unit; no installed redundant pump on the same fire zone. Listed in the facility's Safety Case as an active barrier against major fire events, with Performance Standard PS-FW-002 requiring 100% starts on demand and ≥30 minutes runtime at rated flow.
Environment: C2 — diesel fuel inventory ~2000 L; a containment failure of the fuel skid would be medium discharge, not major.
Production: C1 — no production impact; facility operates whether firewater pump is available or not.
Other/Cost: C2 — moderate repair cost; long-lead-time diesel-engine spares.
Redundancy: A — no parallel pump serving the same fire zone.
Containment: C2 — diesel fuel, below flashpoint at ambient.
Barrier element: Yes — Performance Standard PS-FW-002.
Dominant class: C3 — driven by Safety & Health.
CM priority: ≤ 2 days (barrier variant).
Classification implications: full FMECA mandatory; RCM analysis (not a Generic Maintenance Concept); scheduled function test programme required; PS-FW-002 compliance evidenced at every assessment; any unavailability is a reportable barrier impairment under Havtil regulations.
Example 2 — Office HVAC supply fan, admin building
C1/CA direct-drive supply fan in the office block HVAC plant, one of four fans serving the administrative building. Failure causes a localised comfort issue in one wing; no process, safety, or environmental consequence.
Environment: C1 — no emissions, no discharges.
Production: C1 — no production impact.
Other/Cost: C1 — moderate repair cost only; commercially available spares.
Redundancy: C — three other fans can cover the zone at reduced efficiency; two further fans can fail before the space becomes uncomfortable.
Containment: N/A — no process-fluid boundary.
Barrier element: No.
Dominant class: C1.
CM priority: ≤ 180 days.
Classification implications: run-to-failure acceptable; minimum maintenance requirements apply; dummy or minimal Generic Maintenance Concept acceptable; no FMECA or RCM needed. Cost-benefit governs any preventive task.
Example 3 — Seawater lift pump in 2×100% arrangement
C2/BA centrifugal seawater lift pump feeding the cooling-water header on an offshore platform. Two 100% pumps installed; one duty, one standby. The cooling-water system serves both process and utility consumers. Loss of both pumps simultaneously would cause a platform-wide production shutdown. Loss of one pump reduces the system to a single point of failure but continues to supply cooling.
Environment: C1 — seawater service, no discharge hazard.
Production: C2 — single-pump operation is acceptable for weeks; reduced production only if both pumps fail.
Other/Cost: C2 — moderate repair cost; spares stocked regionally.
Redundancy: B — one pump can fail without loss of function.
Containment: C1 — seawater, non-flammable, non-toxic, normal pressure.
Barrier element: No.
Dominant class: C2.
CM priority: ≤ 30 days.
Classification implications: PM programme recommended; Generic Maintenance Concept preferred approach; periodic scheduled inspection. Redundancy (RED-B) means a single-pump failure is not a barrier-impairment event but does trigger inspection of the remaining duty pump to confirm availability while the failed unit is being repaired.
Note: had the same pump been installed as a single 100% unit (RED-A), the Production rating would likely rise to C3, taking the dominant class to C3 with a ≤5 day CM response — a materially different programme intensity from the same asset in a different configuration.
Video walkthrough
A screen-recorded walkthrough of the Criticality Classification tool, covering the Z-008 standard selector, each consequence category with assessor rationale, redundancy and containment classes, the barrier flag, and reading the classification output.
Common pitfalls
Six classification errors that recur across projects. Most of them come from shortcuts that look reasonable in the moment but produce downstream problems that cost more to fix than the original careful assessment would have cost.
1. Averaging instead of taking the max
The dominant class is the worst rating across categories, not the average. An asset rated C1/C1/C1/C3 is C3, full stop. Averaging it to "C1.5, let's call it C2" is the single most common classification error and always under-protects safety-critical assets.
2. Skipping the assessor rationale
The rationale fields look like admin overhead. They aren't — they're the audit trail. Six months after classification, someone will ask "why is this pump C3?" and without a rationale you have no defensible answer. Enforce it at review time even if the tool doesn't enforce it at entry time.
3. Confusing redundancy with reduced consequence
Redundancy doesn't reduce the consequence — it reduces the probability that the consequence is realised. A standby pump still has a consequence rating; it just has a redundancy class that reflects the availability of backup. Don't rate a standby fire pump C1 because there's another one; rate it C3 and record RED-B.
4. Treating barrier flag as optional
If the item is on the facility Safety Case as a barrier, it must have the barrier flag set and a Performance Standard reference. Omitting the flag because "it's obviously a barrier" produces a non-auditable record and a missing PS link. The Performance Standard is what connects the classification to the safety analysis, not the other way around.
5. Over-classifying utility assets
Not every pump is C3. Office HVAC, coffee-machine circulation, plant-room sump pumps — these are often C1. Classifying them higher produces a bloated maintenance programme that dilutes attention away from the assets that actually matter. C1 is a valid classification; use it when it applies.
6. Classifying once and never revisiting
Classification should be reviewed when the operating context changes — modifications, capacity changes, regulatory updates, new SIL studies, post-incident learning. The Z-008:2017 → 2024 transition itself (Environment split from HSE) is a trigger for reclassification of assets with non-trivial environmental consequences, because they may have been C2 under the combined HSE rating and should now be C3 under the Environment rating.
References
- NORSOK Z-008:2024 — Risk based maintenance and consequence classification (current edition, effective from 20 December 2024).
- NORSOK Z-008:2017 — Risk based maintenance and consequence classification (superseded by 2024 edition).
- ISO 17776:2016 — Petroleum and natural gas industries — Offshore production installations — Major accident hazard management during the design of new installations. The standard reference for the barrier element concept.
- IEC 61511:2016 — Functional safety — Safety instrumented systems for the process industry sector. Performance Standard basis for SIL-rated barriers.
- ISO 55001:2014 — Asset management — Management systems — Requirements. Parent standard for the asset-management framework into which classification fits.
- Norwegian Petroleum Safety Authority (Havtil) — Barrier memorandum and Framework Regulations §5 on barrier management.