“People give us credit only for what we ourselves believe.”  — Karl Gutzkow

Several years ago, in a paper and presentation to the Global Congress on Process Safety (GCPS), PSM experts from OSHA observed that while it is common to see a mechanical integrity (MI) program listed as a safeguard in a PHA, this is a mistake.

They argued that in a PHA, MI is a control, a mechanism to regulate or guide operation of a process, rather than a safeguard, a device, system, or action that would likely interrupt the chain of events following an initiating cause or that would mitigate loss event impacts.

It is hard to argue with that characterization. The question, however, should not be whether MI is a control or a safeguard. Instead, the question should be whether any credit should be taken for risk reduction provided by MI, especially in Layer of Protection Analysis (LOPA).

Layer of Protection Analysis

During a LOPA, a team considers a scenario where a process deviation leads to a hazardous event. The LOPA team determines whether the risk of the scenario is low enough to be tolerated, and if not, recommends risk reduction measures that bring the risk down to something that is tolerable.

Risk is the product of consequence severity and likelihood. A typical risk reduction measure does little to affect consequence severity. When the hazardous event happens, it is going to be as bad as it is going to be. Instead, risk reduction measures usually make the hazardous event less likely. More precisely, a typical risk reduction measure makes hazardous events occur less frequently.

The frequency of a hazardous event, fE, depends first on the frequency of the initiating cause, fC. It also depends on the product of probabilities associated with each of the risk reduction measures. For each independent layer of protection (IPL), the associated probability is known as the average probability of failure, PFDAVG. The lower the PFDAVG, the more risk reduction the IPL provides.

One of the most common causes identified in a LOPA scenario is some type of equipment failure. Most facilities do not have a large enough installed base of equipment to develop a statistically valid estimate of the fC – the failure rate – of any specific type of equipment based solely on their own experience. To compensate, LOPAs rely on industry-wide databases to establish consensus failure rates for equipment.

The values in these industry-wide databases assume that the equipment is designed and installed correctly, and that it is operated and maintained properly. The failure rates in the databases address failures that occur despite correct design and installation, and proper operation and maintenance.

Mechanical Integrity

The American Petroleum Institute defines MI as “the management of critical process equipment to ensure it is designed and installed correctly and that it is operated and maintained properly.” In other words, the equipment failure rates in the databases already take credit for mechanical integrity. Therefore, it is not appropriate to take credit for mechanical integrity again as an IPL.

OSHA requires an MI program as one of the elements of their Process Safety Management (PSM) standard, 29 CFR 1910.119(j). It addresses design, installation, operation, and maintenance. Of greatest interest in a LOPA, however, is maintenance. Some people think of MI as just another way of saying preventative maintenance.

That is not true.

The PSM standard requires in 1910.119(j)(5) that the “employer shall correct deficiencies in equipment that are outside acceptable limits…before further use…” Any one of the three maintenance strategies – Corrective Maintenance, Preventative Maintenance, and Predictive Maintenance – can be consistent with this requirement.

However, correcting deficiencies is not the heart of the MI element. In 1910.119(j)(4), the standard requires

(i) Inspections and tests shall be performed on process equipment.

(ii) Inspection and testing procedures shall follow recognized and generally accepted good engineering practices.

(iii) The frequency of inspections and tests of process equipment shall be consistent with applicable manufacturers’ recommendations and good engineering practices, and more frequently if determined to be necessary by prior operating experience.

Inspections and tests are part of all three maintenance strategies.

The key phrases in these three clauses are “follow recognized and generally accepted good engineering practices” and “consistent with applicable manufacturers’ recommendations and good engineering practices”. This means that to comply with the PSM standard, employers should test and inspect equipment as recommended by the manufacturer at the frequency recommended by the manufacturer. The equipment failure rates that appear in LOPA databases are based on compliance with the PSM standard, which means following equipment manufacturer’s recommendations for maintaining the equipment they manufacture.

Risk Reduction

There will be occasions when the hazardous event frequency resulting from the failure of a piece of equipment is too high to be considered tolerable. One approach to improve this is to perform an extraordinary level of maintenance – something well beyond that recommended by the manufacturer – that decreases the likelihood of equipment failure.

In their paper to the GCPS, the PSM experts from OSHA gave an example of how redundancy in a process could result in both a control and an independent safeguard when they talked about instrumentation. “Instruments that operators use to respond to normal process variations and keep a process inside its normal operating range are not safeguards. An example of a safeguard, in this case, might be redundant instrumentation with a separate and independent alarm.”

Redundant measures reduce likelihood, and so reduce risk.

In the context of LOPA, the distinction between controls and safeguards is semantics. The point of LOPA is to understand, given a fC for an initiating event, what the fE will be for the resulting hazardous event. Because LOPA tools are calibrated with failure rates taken from databases, any credit for an extraordinary MI measure will be expressed as an IPL. And to be an IPL, as with any IPL, the extraordinary MI measure must be effective, independent, and auditable.

Extraordinary Mechanical Integrity as an IPL

The most common extraordinary MI measure is increased inspection and test frequency. Increasing the frequency increases the probability that a problem with the equipment will be observed and addressed before it manifests as a failure. That demonstrates effectiveness.

Each inspection and test is separate from the inspections and tests that came before and that come after. That demonstrates independence.

Finally, the PSM standards require that inspections and tests be documented, which makes them auditable.

As long as the extraordinary MI measure is effective, independent, and auditable, then it is appropriate to consider it as an IPL. The question that remains is how much credit to take.

Taking Credit for Mechanical Integrity in LOPA

The amount of credit to take for an extraordinary MI measure in LOPA depends on the measure. LOPA is a “semi-quantitative” estimating tool, so values are reported to an order of magnitude: PFDAVG = 1, 0.1, 0.01, 0.001, and so on.

A PFDAVG of 1 means that no credit is taken. If the frequency of inspection and testing is increased from once every 10 years to once every 9 years, the PFDAVG = 1. On the other hand, if the frequency of inspection and testing is increased from once every 10 years to once every year, it is easy to argue that PFDAVG ≤ 0.1, which is at least an order-of-magnitude improvement. Generally, increasing the frequency of inspection and testing by at least √10 can be rounded to an order of magnitude for the purpose of LOPA.
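The arithmetic described above (fE from fC and the PFDAVG of each IPL, plus the √10 rounding rule for MI credit) can be worked through in a short Python sketch. This is an added example, not part of the original article; the function names, the scenario values, and the cap of the MI credit at 0.1 are assumptions made for illustration.

```python
import math

def event_frequency(f_c, pfds):
    """fE = fC x product of PFDAVG over all credited IPLs (events per year)."""
    f_e = f_c
    for pfd in pfds:
        if not 0 < pfd <= 1:
            raise ValueError(f"PFDAVG must be in (0, 1], got {pfd}")
        f_e *= pfd
    return f_e

def mi_credit(recommended_interval_yr, actual_interval_yr):
    """PFDAVG to claim for more frequent inspection and testing.

    The frequency must rise by at least sqrt(10) to round to one order of
    magnitude. Assumption: credit is capped at 0.1, the article's conclusion.
    """
    if recommended_interval_yr <= 0 or actual_interval_yr <= 0:
        raise ValueError("intervals must be positive")
    increase = recommended_interval_yr / actual_interval_yr
    return 0.1 if increase >= math.sqrt(10) else 1.0

def shortfall_orders(f_e, tolerable):
    """Whole orders of magnitude of risk reduction still needed (0 = tolerable).

    The small epsilon keeps float noise (0.1 * 0.1 * 0.1 > 0.001) from
    demanding an extra IPL.
    """
    return max(0, math.ceil(math.log10(f_e / tolerable) - 1e-9))

# Constructed scenario: values are illustrative, not from the article.
F_C = 0.1              # initiating cause frequency from a database, per year
EXISTING_IPLS = [0.1]  # PFDAVG of one IPL already credited
TOLERABLE = 1e-3       # tolerable hazardous event frequency, per year

def evaluate(recommended_interval_yr, actual_interval_yr):
    """Return (MI PFDAVG, fE, orders of magnitude still missing)."""
    credit = mi_credit(recommended_interval_yr, actual_interval_yr)
    f_e = event_frequency(F_C, EXISTING_IPLS + [credit])
    return credit, f_e, shortfall_orders(f_e, TOLERABLE)

if __name__ == "__main__":
    for actual in (10, 9, 1):
        credit, f_e, gap = evaluate(10, actual)
        print(f"inspect every {actual} yr: PFDAVG={credit}, "
              f"fE={f_e:.0e}/yr, gap={gap}")
```

In this constructed scenario, moving from a 10-year to a 9-year inspection interval leaves the scenario one order of magnitude short of tolerable, while moving to a 1-year interval closes the gap.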

So, go ahead. If you have an MI measure that you can believe in, take credit for it. As long as it qualifies as an IPL, and it goes above and beyond the ordinary recommendations from the manufacturer, a credit of 0.1 is appropriate.


  • Mike Schmidt

    With a career in the CPI that began in 1977 with Union Carbide, Mike was profoundly impacted by the 1984 tragedy in Bhopal and has been working on process safety ever since.