“The key is not to prioritize what’s on your schedule, but to schedule your priorities.” Stephen R Covey

An important part of managing process safety is deciding what equipment is critical to the process and its safety. Of course, it is important to carefully maintain all equipment, but not all equipment is safety critical. An “include it all” mentality can needlessly overwhelm maintenance personnel. When equipment of lesser importance makes the list of high priority assets, the designation as “safety critical” cheapens and eventually loses all meaning. Workers don’t treat non-critical equipment with more importance; instead, they begin to treat safety critical equipment with less importance. If everything is safety critical, then nothing is safety critical.

We know we need to determine which components are truly safety critical, but how do we start?

What Does Safety Critical Mean?

When I began working in process safety, terminology was one of the very first obstacles I undertook.  When I first heard the term “safety critical”, my initial thought was “Isn’t all equipment safety critical if it’s a part of the process?”  It made sense to me that, if the equipment played any kind of role in a process, its failure or underperformance meant a safety disaster.

As it turns out, the definition of safety critical depends on who you ask. According to the Federal Aviation Administration, “Safety critical means essential to safe performance or operation.”  If you refer to the Center for Chemical Process Safety, critical equipment is “equipment, instrumentation, controls, or systems whose malfunction of failure would likely result in a catastrophic release of highly hazardous chemicals, or whose proper operation is required to mitigate the consequences of such a release.”  The Occupational Safety and Health Administration (OSHA) doesn’t define safety critical at all, nor do they use a similar term in the Process Safety Management Standard. The inconsistencies don’t exactly help to nail down a concrete definition. Yet, although the concept is one of much debate, deciding what equipment is safety critical doesn’t have to be overly complicated.

What Can Be Acknowledged as Safety Critical?

The term “safety critical equipment” can be misleading.  Obviously, in any process there are pieces of equipment and devices that are essential to the safety of the process.  There are some whose sole purpose is to prevent a hazardous event from occurring.  While that doesn’t necessarily mean that these equipment and devices are easy to identify as safety critical, it at least forces us to acknowledge that equipment and devices can be safety critical.  What is less obvious, however, is that administrative controls and procedures can also be considered safety critical. These are any procedural safety measure, relying on human action, that is routinely done to prevent a hazard, not those done in response to a hazardous condition.  Examples include valve car sealing programs, operating procedures, and checklists to double check execution. With so many items to consider, how to we begin to identify those that are truly safety critical?

Identifying Safety Critical Components

The way most organizations identify safety critical components is to hand a process engineer a set of P&IDs and a highlighter and tell them “mark everything that is safety critical.” Then the process engineer relies on their gut and does the best they can. Typically, too many things will be marked as “safety critical”, which is still no guarantee that everything that is safety critical will be identified.

OSHA’s Process Safety Management standard (29 CFR 1910.119) takes a different approach. The section on process safety information includes all equipment in a covered process, meaning either that OSHA considers all equipment as safety critical, or that it doesn’t care whether it is safety critical or not. The section on mechanical integrity (MI) is a little more specific. It lists the six types of “process equipment that the Agency considers critical”:

  • Pressure vessels and storage tanks
  • Piping systems (including piping components such as valves)
  • Relief and vent systems and devices
  • Emergency shutdown systems
  • Controls (including monitoring devices and sensors, alarms, and interlocks) and
  • Pumps

When OSHA published its explanation of the PSM standard in the Federal Register (p. 6389), it makes a point of saying that “the Agency did not propose that the employer determine the equipment ‘critical’ to the process.” But in the next paragraph, it states, “However, if an employer deems additional equipment to be critical to a particular process, the employer should consider that equipment to be covered by [the mechanical integrity element of PSM] and treat it accordingly.” The only other hint from OSHA about what is safety critical is a 2010 letter of interpretation where they declare that blast-resistant buildings that contain MI listed equipment are also subject to the MI requirements. OSHA, however, does not say how to determine whether equipment is safety critical.

There must be a better way.

Using LOPA

A Layer of Protection Analysis (LOPA) is a linking of initiating events, enabling conditions, layers of protections and final outcomes in a manner that outlines all the safeguards and conditional requirements that help protect a process from hazardous or dangerous events based on the opportunities or failures that initiate them.  In a LOPA, organizations take “credit” for the safeguards they have in place in order to reduce risk to an acceptable level per their risk tolerance criteria.  If current safeguards are not enough to reduce risk to an acceptable level, the LOPA is also an opportunity to acknowledge the need for further safeguards.    Safeguards can be equipment, devices or administrative controls – all of which are components that may be named as safety critical.

After reviewing various definitions of “safety critical”, some similarities are evident.  First, safety critical is limited to scenarios involving catastrophic events (fires, explosions, or toxic releases). Second, and most significantly, safety critical applies to safeguards that are relied upon to reduce the risk of a major hazard to a tolerable level. This means that safety critical equipment can be derived from LOPA scenarios conducted on high severity hazard events.  If you need to take credit for a component in a LOPA scenario to reduce the risk to an acceptable level, that component is critical to the safety of the process.  In a LOPA scenario, an Independent Layer of Protection (IPL) is a safeguard that is relied upon to reduce the risk of a hazardous event to a tolerable level.  Any safeguard not identified as an IPL is not relied upon to reduce the risk of a hazardous event to a tolerable level.  This leads to the conclusion that identifying safety critical components can be as simple as identifying your IPLs.

This method is not flawless.  For instance, organizations are often left to define what constitutes a catastrophic event for themselves which means what is considered catastrophic at one organization may not be at another.  Also, it is not uncommon for a LOPA scenario to list more IPLs than are necessary to reduce risk to a tolerable level.  While this means you may have to choose the best IPLs that satisfy the scenario and that can be easily audited, it’s better than a stack of fully highlighted P&IDs.

Safety Critical Functions Manuals

Identifying safety critical components is important, but it’s just as important to ensure that the components listed as safety critical are given the attention they deserve.  Since safety critical components are relied upon to reduce the risk of a major hazard, it’s important that information regarding the operation of these safety critical components and the measures necessary to maintain the integrity of these safety critical components is readily available to aid the technical, operating, and maintenance staff responsible for the operation of the units including the components.  Safety Critical Functions Manuals consolidate this information into a single manual.  The manual can be physical or electronic, whatever is most practical to the organization utilizing it.  The manual gives employees a quick and easily accessible reference should they have a question or concern about a particular safety critical function.

Since a process is always evolving, the Safety Critical Functions Manual should be a living document.  It should be updated and reviewed as necessary to ensure that the information is correct and up-to-date.

The Fault in Overenthusiasm

While there is not a consensus on the formal definition for the term “safety critical” in the process industry, a general theory can be gathered from the review of various definitions.  Identifying these safety critical components can be an intimidating task considering OSHA’s lack of concrete guidance on the matter.  It’s easy to get carried away and “include it all” because no engineer wants to be the engineer responsible for overlooking a critical safety component.  However, don’t be overzealous.  When equipment of lesser importance makes the safety critical list, it results in a misallocation of resources and a cheapening of the term “safety critical.”  Use the tools you have available to you. The LOPA already lists the safeguards necessary to reduce the risk of catastrophic events.  Using the LOPSA as guidance, identifying safety critical equipment doesn’t have to be as complicated as it seems.


  • Kayla Whelehon

    Kayla began her career with Bluefield Process Safety in 2016. Her interest in the field began with the commencement of her husband’s career as a process safety consultant.