Technical Integrity Material Training - Unlocked
P.O.BOX: 26608
ABU DHABI, U.A.E.
Tel. No.: +971-2-6277881
Fax No.: +971-2-6277883
Email: info@harvard.tc
The information contained in these course notes has been compiled
from various sources and is believed to be reliable and to represent the
best current knowledge and opinion relative to the subject.
TABLE OF CONTENTS
Section
8 Plant Design
9 Equipment Design
10 Materials Selection
20 Mechanical Integrity
21 Maintenance
22 Nondestructive Examination
26 Management of Change
(DLN: 03M125R0 )
INTRODUCTION
Many process facilities are searching for new methodologies and systems to inspect and manage
the integrity of their pressure equipment. The driving forces for such programs are reduced
margins, increased competition, new standards, and more stringent environmental regulations.
In order for a facility to extend the operating lifetime of equipment, safely and cost effectively, it
is necessary to implement the latest inspection and maintenance strategies. Risk Based
Inspection (RBI) has its roots in Process Safety Management (PSM) and Mechanical Integrity
(MI) programs and is gradually becoming accepted as good engineering practice for the
implementation of inspection and maintenance programs. This paper describes the
methodologies and practices that may be used to implement a Plant Integrity Management
System (PIMS) in order to be in compliance with existing regulations and assist with inspection,
maintenance, and turnaround planning.
Some or all of these sections discussed may be applicable to any existing facility. It would be up
to the owner/operator to decide which sections and elements are applicable in order to achieve
particular goals and objectives.
SCOPE
The scope of such projects can be applicable to any production company’s infrastructure and
assets.
§ Platforms
§ Ships
§ Structures
§ Pressure vessels
§ Piping
§ Rotating equipment
§ Tanks
§ Relief valves
§ Instrumentation and Control
BACKGROUND
In the past, the majority of plant maintenance staff operated in a reactive mode. This means that
the largest expenditure of maintenance resources in plants typically occurred in the area of
corrective maintenance i.e., when problems or failures occur, they are corrected. Most facilities
have been operating for extended periods in a reactive maintenance mode. Maintenance
resources have been almost totally committed to responding to unexpected equipment failures
and very little is done in the preventative arena. Corrective, not preventative, is frequently the
operational mode of the day, and this tends to blur how many people view what is preventative
and what is corrective. Some plants actually foster pride in how quickly they can fix things or
correct failures under pressure. However, it has been proven that this type of operation is not cost
effective in terms of safety, downtime, and efficient use of resources.
By addressing these problems and moving towards a preventative and predictive program, a
facility can achieve the following:
Creating a new PM program or updating an existing one involves essentially the same process.
One needs to determine what is to be achieved with the PM program and how the program can
be built into a new or existing infrastructure. This should be the starting point for the Facility
program.
There are a host of supporting technologies that can be included in a PM program. Some of these
include:
Finally, the latest concept in maintenance and inspection activities is the incorporation of risk to
prioritize maintenance tasks and schedules. It is no longer practical to choose systems for RCM
analysis based on subjective risk importance. The primary systems on refineries and
petrochemical plants are not as obvious as in the aircraft and nuclear industries (where RCM was
born). Risk-centered maintenance uses the identical functional description of systems,
subsystems, functional failures, and failure modes that RCM employs. However, it differs
from the RCM method in that the criticality class is replaced with an explicit risk calculation.
Using quantitative values, instead of coarse assignments, allows a more complete description of
the actual hazards that exist in a facility and helps to properly focus and prioritize maintenance
activities.
All of these concepts and tools should be considered in the development of a “world’s best
practice” maintenance and inspection program for a Facility.
The key to successful implementation of PSM requirements is the understanding that the
program is a true management system, which incorporates the four basic steps of a management
system.
An effective PSM program requires a systematic approach to evaluating the whole process.
Using this approach, the process design, process technology, operational and maintenance
activities and procedures, non-routine activities and procedures, emergency preparedness plans
and procedures, training programs, and other elements that impact the process are all considered
in the evaluation. The various lines of defense that have been incorporated into the design and
operation of the process to prevent or mitigate the release of hazardous chemicals need to be
evaluated and strengthened to assure their effectiveness at each level.
IMPORTANT PRINCIPLES OF A
PSM PROGRAM
Participation
Performance Based
Quantification
Auditing
Thoroughness
On Going
Documentation
PSM programs typically include about a dozen major elements. The Occupational Safety and
Health Administration (OSHA) standard, the one that most companies in the United States
follow, contains 14 elements.
1. Employer Participation
2. Process Safety Information
3. Process Hazard Analysis
4. Operating Procedures
5. Employee Training
6. Contractors
7. Pre-startup Safety Review
8. Mechanical Integrity
9. Non-routine Work Authorizations
10. Managing Change
11. Investigation of Incidents
12. Emergency Preparedness
13. Compliance Audits
14. Trade Secrets
Catastrophic failures in industry usually occur when one or more of the PSM elements are not
adhered to. The violations of PSM elements most often cited by OSHA are breaches of the
MI clause, followed by Process Hazards Analysis (PHA) and Process Safety Information. The
link between PSM, MI, and a PIMS is shown in Figure 1.
Consultants have developed state-of-the-art PSM programs. Some of these programs have been
prepared in close cooperation with company legal advisors and have been thoroughly scrutinized
by government agencies concerned with safety. These programs have received very favorable
comments.
Paragraph (j) of OSHA 29 CFR 1910.119, which is concerned with MI, states that an MI program
shall be in place to assure the continued integrity of process equipment. Equipment used to
process, store, or handle highly hazardous chemicals needs to be designed, constructed, installed,
and maintained to minimize the risk of releases of such chemicals.
The following key positions are frequently involved in the development of the MI program. For
each position, the appropriate responsibility, authority, and accountability for implementation of
MI programs should be documented. (Note: The name of the position may vary depending on
local nomenclature.)
KEY POSITIONS
§ Plant Manager
§ Maintenance Department Supervisor
§ Inspection Department Supervisor
§ Purchasing Department Supervisor
§ Warehousing Department Supervisor
§ Operations Department Supervisor
§ Quality Assurance/Control Department Supervisor
Some of the key assignments that are typically made for the MI program include, but are not
limited to:
While most facilities focus risk-based resources on pressure vessels and piping, the concept of
risk management can be applied to any piece of equipment. This includes structures, tanks,
safety relief devices, rotating equipment (pumps, compressors, etc.), and instrumentation and
There may be six basic steps in implementing a PIMS. Such a program would meet the
requirements of the OSHA Process Safety Management of Highly Hazardous Chemicals,
29 CFR 1910.119, paragraph (j) and the Environmental Protection Agency (EPA) Risk
Management Program 40 CFR 67.32. For a medium sized facility, these steps are as follows:
This is a written document that states what is to be done, similar to a Tier 1 document in a
quality program, or an umbrella document, which provides overall guidance on
identifying process safety critical equipment; what written procedures are required; and
the training requirements for maintaining the MI of critical equipment, inspection and
testing program standards, correction of deficiencies, and quality assurance.
2. Gap Analysis
Review the plant’s existing documentation, procedures, inspection and training records.
This review will highlight deficient areas and procedures that need to be developed and
implemented.
The testing and inspection program, specific for each piece of equipment, must be
established using piping isometrics (or other documented methods) or equipment
sketches that show the number and locations of positions where inspections are to be
conducted using the specified NDE method. The development of such programs can now
be based on risk i.e., RBI. The inspection program should therefore incorporate a
systematic evaluation of both the likelihood and consequence of failure for each item and
result in the risk ranking of equipment. This analysis and risk ranking should result in the
development of a critical equipment list and a detailed inspection plan for each item or
subcomponent.
The critical equipment list is usually the first item an auditor or inspector wants to review
when initiating an audit of the Integrity Program. The results from the technical analysis
and RBI program provide a management control document defining the frequency of the
tests and inspections for each type of equipment, type of inspection or test, qualification
requirements for those performing the tests or inspections, tools or techniques to be used
(NDE, calibrations, visual inspections, etc.). It also provides the risk drivers for each
equipment item, which will then allow the facility to manage the risk of each item
effectively and efficiently.
This is a key step in establishing an active and ongoing testing and inspection program,
which drives many of the remaining requirements of the Integrity Management system,
i.e., correction of deficiencies and quality assurance.
Management of this element of the program is critical and requires that inspection results
are carefully reviewed and new frequencies established based on results, or, in some
cases, replacement of equipment needs to be evaluated or temporary repairs specified.
If failures occur or problems are found during turnarounds and routine inspections, these
deficiencies need to be resolved in a timely, efficient, safe, and cost-effective manner.
In order for such a program to be successful, all elements, departments, and individuals
need to function cohesively and as a team. The development of an integrated program
requires experts that understand all facets of the program and that can recognize
deficiencies and problem areas. The elimination of such deficiencies may require
BENCHMARKING
§ Industry reviews
§ Surveys
§ Industry Databases
The review can be based on accepted industry regulations and good engineering practices. The
Occupational Safety and Health Administration (OSHA) standard, OSHA’s 29 CFR 1910.119
document, Process Safety Management of Highly Hazardous Chemicals, and the EPA Risk
Management Plan Rule (RMP Rule) may be used as guidance for an audit.
Equipment used to process, store, or handle highly hazardous chemicals needs to be designed,
constructed, installed, and maintained to minimize the risk of releases of such chemicals.
Industry Reviews
Compliance with good engineering practices and industry standards should also be evaluated.
These standards and practices could include:
The benchmarking and failure rates of static equipment on a facility should be compared with
industry databases such as NERC, DOT, OREDA and proprietary Risk Directed Mechanical
Based on experience, as well as the experience gained from industry surveys and mechanical-
integrity-related projects, a company should be well acquainted with state-of-the-art industry
programs in:
This should include tools such as UNIRAM and BALIFE used in developing programs in PM,
RCM/LCM, etc., to aging industrial facilities.
Working for refineries and power plants, we are frequently asked to compare the current practice
with what we would consider best practices for the industry. Examples of this comparison
include:
§ Use of fuel (expressed as thermal efficiency or heat rate) or feed (expressed as selectivity
and yield):
• How does the furnace or power plant efficiency compare with industry practice?
• How does the yield structure compare to similar units operating at the same severity?
§ Budgets:
• Are the budget figures (manpower, equipment, etc.) over the next 10 to 20 years
adequate to provide the target reliability goals for the plant?
§ Value:
Surveys
Some projects involving the preparation, administration, and reporting of surveys are presented
below.
§ For EPRI under RP1872-1, "Component Failure Data for FGD," a literature survey and
state-of-the-art review of flue gas desulphurization (FGD) systems and databases was
prepared. The public (e.g., EPA), industry (e.g., GADS), and private (e.g., individual
company and OEM) databases were consulted, and the effort also included several plant
visits. A principal objective of the work for EPRI was to develop a method to collect,
monitor, and report FGD component failure rate data, including root cause of failure data,
which could be used to create a reliability model of the FGD system.
§ For EPRI under TPS 81-824, "Creep and Creep-Fatigue Damage in Steam-Turbine
Rotors and Casings," a questionnaire of possible operational factors and material
variables was created. A total of 199 questionnaires were mailed to 130 utilities, and 77
responses representing 71 utilities were received. Many responses were incomplete; to
maximize the value of the information received, statistical methods were used to analyze
some of the responses.
Other surveys:
§ For the Materials Technology Institute (MTI), a survey of 100% of MTI's membership
regarding the experience in using non-asbestos gasket materials was prepared. The
objective is to provide an organized and comprehensive experience record by the
chemical process industry of the use of gasket materials primarily intended to replace
asbestos-containing gaskets. A computerized database will be developed for this
information.
§ For EPRI under RP1890-9, "Boiler Tube Failure Metallurgical Guide," numerous
domestic and international organizations were contacted for metallurgical information
related to boiler tube failures. Such organizations include, but are not limited to:
§ For a private client, a survey was conducted on the worldwide capacity to reprocess
nuclear fuel, and world nuclear power prospects are being surveyed.
Databases
Most current and prior projects involve the formation and use of technical data regarding
material properties, chemical properties, etc. Only several of these projects will be reviewed
here.
§ Ongoing work in turbine stress analyses involves the creation and maintenance of a
materials database of those materials commonly used for turbine rotors, stators, and
blades.
§ Ongoing work in Remaining Useful Life (RUL7) analysis of superheater and reheater
tubing involves the creation and maintenance of a proprietary database for ferritic
materials. This empirical data is used to statistically analyze material behavior.
EPRI Report NP-3528, "Requirements and Guidelines for Evaluating Component Support
Materials Under Unresolved Safety Issue A12"
§ Appendix III of this report represents an original compilation and review of toughness
data for component support materials, including plate, rolled shapes, bolting materials,
and weld metals. The methodology for data collection and review is described.
EPRI Report NP-3477, "PWR Steam Generator Chemical Cleaning Data Base"
§ A computerized database was created from the results of a three-year program aimed at
developing a chemical cleaning process for PWR steam generators fouled from sludges
from corrosion products. To identify the significant variables affecting the rates of
corrosion and sludge dissolution, a multiple regression analysis was applied to a portion
of the corrosion results for certain steels.
§ For its work on the fracture control and risk analysis of a 6,000 psi natural gas pipeline, a
probability encoding of data from interviewing of experts to prepare its risk database and
predictive models was conducted.
Solomon Reports
The first Comparative Performance Analysis of Fuels Products refineries was conducted in 1980.
At that time there were many “rules of thumb” which appeared to rationalize differences in
refinery performance, but there was little real data available against which to test performance
theories. Broadly supported theories held that:
The very first report raised doubts about some of the prevailing theories. Some smaller refineries
appeared to be very efficient. Conversely, some of the larger and newer plants fell below average
in performance. These conclusions were advanced cautiously at first. But, as the methodology
was improved and industry participation grew, the prospect that refinery efficiency depended
upon much more than size, age and location became more acceptable. When US deregulation
was followed by a sharp reduction in petroleum demand in 1981 and widespread industry labor
disputes in 1982, many in the industry became avid supporters of the benefits of these
confidential benchmarking studies. The concept was expanded to cover Europe in 1982, and
Canada and the Asia/Pacific in 1983. Subsequently, the technique was applied to Lube Refining,
Petroleum Product Marketing, Olefins Manufacturing, Butadiene, Pipeline and Terminalling,
Styrene Monomer Manufacturing and Fossil Fuel Electric Power Production.
Over the past twenty-one years, the fuels refinery studies have chronicled the impacts of new
product regulations, environmental initiatives, conversions to heavy crude, the impact of
widespread investment in cogeneration facilities, quality programs, downsizing, right-sizing, and
many ownership changes. Participants still can see that the variance in performance among
refineries of similar size and technology has not disappeared after twenty-one years of study.
Many improvements in the average industry results have been noted of course, but the range of
performance continues to be surprisingly large for every measurement that we employ in the
study. Since each refining venture has now come to the realization that this is a mature industry
with high exit costs and continuing investment demands, the requirement to understand the basis
for these variations in performance levels continues unabated. Such an understanding calls for
consistent, validated information from a current and historical worldwide database that describes
the basis for commercial success in the petroleum refining business.
A guiding philosophy has been to construct a database of actual performance and study it for
insight. All issues which impact commercial success: raw material selection, product yield
patterns, plant utilization levels, principal operating parameters and each major element of
operating cost are identified, and some basic benchmarking techniques to assist in the
comparative analysis have been developed.
§ Limited focus to those elements which most affect the commercial success of the
business,
§ Defined each element in generic terms which are not too closely identified with any one
subscriber,
§ Provided detailed definition of terms to promote a consistent submission by each
participant, and
The validation effort is not simply a check of arithmetic. The quality of the database is
substantially enhanced if an experienced industry analyst reviews each submission for
reasonableness and consistency. Clients base their most important business decisions on the
results of these studies. There is a constant demand (and interest on our part) to research the
database for clues to improved performance. It is not sufficient simply to produce good
“average” values; the need is to ensure that the subsets of data for the best performers, those who
appear to be recording relatively rapid improvement in their indices, are reliable.
Begin the process of researching the database to find relationships that explain, or at least
document, the variation in industry results. In examining the data, each in-house expert analyzes
the area related to his or her specialty. During this process, findings are shared with each member
of the analysis team and the results are discussed in order to focus efforts. In-depth investigations
in those areas of highest interest are conducted. The final work is then reviewed by a team and
incorporated in the final report. When the available data seem to be inadequate to resolve an
important issue, additional data are requested and the Input Forms are refined for subsequent studies.
Each participant receives their comparative ranking in more than twenty different areas of
performance that impact commercial success. While some may assume that top-ranked
performers are uniformly excellent, this isn’t always true. Better performers are rarely content in
maintaining the status quo, and their business focus is one of constant improvement. They use
the ranking data to focus their improvement efforts on the most profitable and highest value-
added areas.
The final study product must meet the needs of a variety of client interests. The overall rankings
offer a quick measure of competitive stance that meets the needs of senior management, but they
do little to define the best approach to improvement. The detailed data may interest planners or
operating managers who are accountable for immediate improvement in results, but often
provide too much detail to contribute to strategic goals. The presentation of results is to address
the interests of craftsmen, technical analysts, mid-managers and administrative staff as well as
senior management.
The comparisons of your performance results with peer refiners in the same geographic area and
with those within the same refinery processing group provide a sound basis for evaluating both
the efficiency and effectiveness of your current operations and operating philosophy. You may
find that your facility is at the extreme of one of the peer ranges. Or, you may conclude that your
supply of products to proprietary markets relieves you of a need to be measured against regional
competitors. However, the overriding consideration is this: the data clearly illustrate the actual
performance of competitive refineries during the same time period. The question then becomes,
“Can you be comfortable with an unfavorable comparison on this basis?” Study results continue
to indicate that the consistently better performers are never content with their current position,
but are continuously moving towards improved performance levels.
A Facility project can be divided into five separate phases. The following phases may be applicable to
the implementation of a world class asset management program:
The tasks for the successful development and implementation of an asset management program
are discussed below.
An industry review of current best practices in the design, safety, materials, software, process
operations, inspection, and maintenance fields should be conducted. Review of applicable industry
databases will provide a basis for evaluating the facility's performance and allow it to be
benchmarked against industry best practices.
Engineering and management structures, currently in place at the Facility, need to be reviewed.
Such a review should focus on operational set-up, operating strategies, contracting schemes,
organizational structures, and management culture.
In addition to this, a review of the facility histories, procedures, and inspection and maintenance
records should be conducted to determine the current mechanical status of plant assets. This
review could include plant walkdowns and comparison with industry practices and general plant
During this task the current plant inspection program and practices are reviewed. The review will
cover:
§ Equipment files
§ Inspection reports and results
§ Inspection procedures
§ Training records for inspectors
§ Inspection plans
§ Inspection schedules
§ Existing local rules and regulations
§ Existing inspection program organizational charts
§ Personnel job duties and responsibilities
§ Interviews with key inspection personnel, including inspectors, inspector supervisors,
maintenance manager, and others, as deemed necessary.
§ Determining whether the current inspection program and its practices meet what would
be considered good and generally accepted engineering practices
§ Determining whether the current inspection program meets local rules and regulations
§ Determining whether the current inspection program provides sufficient and clear
information for deciding whether or not equipment is fit for service
Identify any gaps in the integrity program in reference to local rules and regulations, as well as
what is considered good and generally accepted engineering practices. A key aspect of the report
will be a work plan for implementation of the proposed management system, including the
identification of key positions and their roles and responsibilities in the form of organization
charts, mission statements, and job descriptions.
The management and implementation of such a PM program requires that much data be
collected, analyzed, and stored. Many software programs exist for these tasks; however, many of
them are standalone and communication between different disciplines is rare. For the PM
program to work effectively, all data should be stored, analyzed, managed, and acted upon from
a single source. This source could be a program, portal, or methodology. An example of a
computerized maintenance management system is shown in the figure below. Following the
industry review, a system should be agreed upon and incorporated into the PM plan.
An initial report should be provided with details of the facility observations. Identify any gaps in
the Facility program in reference to local rules and regulations, as well as what is considered
good and generally accepted engineering practices. The report should include conclusions and
recommendations for improving the program. A key aspect of the report should be a work plan
for the implementation of the proposed management system, including the identification of key
positions and their roles and responsibilities in the form of organization charts, mission
statements, and job descriptions.
The principal deliverable from this task will be to provide a clear and concise guide to improving
the performance of the Facility by improving reliability and inspection and maintenance
practices. This roadmap will allow management to clearly identify realistic steps that when
implemented will significantly improve the performance of the facility assets within a set time
frame.
The roadmap should include the Facility objectives in implementing such a program, and how
these objectives will be met, measured, and in what period (milestones). The reliability
improvement program plan should identify changes or improvements to the following:
Such a roadmap or plan should be developed by the Facility and consulting personnel.
Such a program may take time to implement, but should follow the project roadmap as described
in Phase 2. Milestones and reliability improvement achievements should be carefully tracked and
reported on. Within a year, the program should be showing overall improvements and benefits
for the facility, which should be reported to management and personnel. This will ensure
continued development and implementation of the plan.
Develop a generic MI manual and set of procedures. This manual and procedures could be
provided for early review and would then be customized, as necessary, to meet the site-specific
needs. Normally this is done in on-site meetings with management, engineers and consultants. A
copy of the manual and procedures should be provided on disk so the company’s logo, name, and
other particulars can be inserted where desired.
Conduct a Technical Analysis in accordance with the procedures contained in the MI manual.
Typically, the deliverables will include one set of color-coded plot plans and process and
instrument diagrams (P&IDs), which will define what equipment (including piping, instrument
and controls, etc.) is to be included in the program. This will also indicate what equipment can be
excluded, with notations on each item of equipment as to why an item is to be included or
excluded. The resource information required to implement this procedure is as follows:
An important aspect of any inspection or testing program is the practical application of the
methodology in a facility. Inspection programs are slowly moving away from traditional
time-based programs to integrity or condition-based programs. Inspection departments need to
know how and when to inspect specific pieces of equipment and how to track inspections over a
relatively long period of time. Typically 5, 10, and 15-year plans are useful for a facility when
planning scheduled maintenance and turnaround activities. The frequency and scope of
inspections, as well as appropriate NDE techniques, need to be described in comprehensive
inspection plans for each equipment item. By conducting the correct inspections, using the
correct inspection techniques, and carefully documenting the inspection findings, facilities can
reduce the overall risk associated with equipment items and improve plant reliability.
The results from the RBI study will provide a facility with guidelines to develop a
comprehensive risk directed inspection program, thus reducing potential turnaround scope and
corresponding downtime during future plant maintenance turnarounds. An RBI study will identify
potential equipment candidates for fitness-for-service studies, if any are needed. Safety will be
enhanced through better understanding of possible corrosion mechanisms and how to inspect for
them. The inspection program will identify likely damage mechanisms for each equipment item,
the NDE techniques necessary to inspect for these damage mechanisms, and the scope and
frequency of inspections. Risk ranking the equipment will provide the basis for an Integrity
Management Program, where maintenance and inspection resources (time and money) can be
optimized.
Develop a streamlined approach towards the risk ranking of equipment items and the
development of critical equipment lists and inspection plans. Using experienced analysts allows
one to quickly and accurately perform RBI or evaluate an RBI analysis, regardless of the software
or methodology selected.
Using RCM database, track reliability of equipment and integrate with management software for
issue of work orders and activity tracking.
The results from a RBI study allow a facility to manage the risk of each equipment item. Risk
can be maintained at the same level or mitigated by implementing certain maintenance and
inspection strategies. In addition to this, a procedure will be developed to maintain the entire
program in an evergreen state. As inspections and turnarounds are completed (or changes in
process/operational conditions occur) a system will be in place to reevaluate the current risk and
condition of the equipment.
It is useful to incorporate fitness-for-service evaluations from the results of an RBI study. The two
methodologies are intimately linked, since the RBI study should highlight and identify
equipment deficiencies. These deficiencies then need to be evaluated using a fitness-for-service
methodology, such as the one described in API 579. Figures 2 through 4 identify the workflow
and relationships between the different methodologies.
§ Fitness-for-service assessments will be in accordance with the API 579 Recommended
Practice. The methodologies used in the practice are common to the industry, and the
approach presented in API 579 provides the structure and discipline to assure continued
reliable and safe operation of equipment.
§ Equipment inspection to support fitness-for-service assessments shall be performed by
qualified inspectors, preferably API authorized inspectors. API 579 is intended to
supplement requirements in the API inspection codes (API 510, API 570, and API 653).
§ API 579 fitness-for-service assessments and rerating of equipment assume that
equipment is designed and constructed in accordance with recognized codes and
standards.
§ API 579 provides a structured approach to evaluations of damage and fitness-for-service.
There are three levels of assessments established to guide the evaluation. The
fitness-for-service analysis will proceed sequentially from Level 1 to Level 3, as
necessary, to support the criticality and complexity of the equipment.
§ Fitness-for-service evaluation will establish a remaining life prediction for included
equipment.
As needed, fitness-for-service evaluations will prescribe in-service monitoring to assure the
effectiveness of judgements made in the assessment. Numerous software tools are available for
fitness-for-service evaluations, including proprietary software.
It is important to integrate all PSM, MI and RBI elements. These systems may include
maintenance management tools, inspection planning tools (such as Ultra-Pipe and PCMS), RBI
software, and plant management systems (such as SAP). An example of such a system is shown
in Figures 5, 6 and 7.
For such a program to be successful and sustainable in the long term, facility personnel will
require training. This training may cover the following issues:
Reviews and ongoing support should focus on quality assurance (QA), as well as best practice
issues and methodologies.
The project control process is based upon the principle of baseline management, which
specifically includes the following:
§ Integrated technical, schedule, and budget baselines are established at the beginning of
each phase.
§ Technical, schedule, and cost performance are periodically measured and evaluated
against the baselines, and project status is reported to the appropriate levels of management.
§ Corrective actions are initiated when planned progress and the actual results diverge
significantly; revisions to the baselines are controlled throughout the life of the project.
The program's control function will be an active process consisting of analysis and evaluation of
the following elements:
The system will incorporate a work breakdown structure (WBS) to facilitate the division of the
work scope into work packages. The work packages are definable and measurable segments of
work that will be monitored in the program. The work scope will be budgeted and scheduled
based upon this hierarchy of work packages. The tools used in the control of the program will
consist of CPM software, cost and budgeting systems, and spreadsheets.
The goal for the program's control is to provide management with accurate and timely
information so the best decisions possible can be made in directing the effort and cost of the
program.
Project Baselines
The project baselines provide the initial plan of the program, which will accomplish the goals of
the program within the budget and time period allowed. These baselines will be set when the
program plan is approved and initiated. This plan will be stored as the original or baseline
schedule and budget. Subsequent progress will be measured against the baselines during the
monitoring to assure that the schedule is being maintained. Comparisons of work to the baseline
budget will identify variances to the base work scope and will begin the variance process.
The purpose of project baselines is to establish a frame of reference against which project
performance can be measured. The term "baseline" refers to the original scope, schedule, and
budget established by management at the beginning of the project. These original baselines, plus
approved changes, are referred to as the project baselines. A brief description of these baselines
is as follows:
§ The technical baseline is a complete definition of all technical aspects of the project,
which is divided by scope and technical documents. The scope is divided into primary
manageable activities.
§ The project milestone schedule is a summary-level schedule intended to give senior
project management a brief but clear picture of the project status. Its characteristics
include:
• Encompasses the entire scope of the project
• Structured under primary headings defining major phases and tasks
• Provides a basic time-phased plan of major work efforts within each broad heading
• Monthly updates for inclusion in the monthly progress report
§ The budget baseline is a complete definition of all cost-related aspects of the project. It is
the contract dollar amount converted into workdays that include a management reserve to
be used by the program manager. The workdays are spread in accordance with the
CONCLUSIONS
Many companies are searching for a truly integrated PIMS. Such a program would combine and
embrace PSM and MI elements, as well as the latest technologies in software, NDE techniques,
inspection and maintenance planning, risk assessments, and deficiency resolution.
APTECH maintains a staff of recognized experts in metallurgy, fitness for service, RBI, plant
inspection programs and PSM. APTECH developed the "Mechanical Integrity Supplement to the
Maintenance Excellence Guide" under contract to CMA for the Responsible Care Program.
APTECH can therefore provide a full range of consulting services to create, execute, and
evaluate a PIMS. For additional information, visit APTECH’s website at www.aptecheng.com
and www.aptechtexas.com or e-mail info@aptechtexas.com.
[Figures not recoverable from the extracted text. The only surviving caption is "Figure 1: Evergreen Procedure". The surviving labels belong to flowcharts covering risk ranking (COF/LOF), inspection plans, deficiencies, and the Level 1, Level 2 and Level 3 fitness-for-service assessments leading to rerate, repair or replace decisions, and to a data management diagram linking the Ultra-Pipe database, the maintenance management system and work orders.]
Risk Analysis
COF Reduction
+Emergency Isolation
+Emergency Depressurizing
+Modify Process
+Reduce Inventory
LOF Reduction
+Water Spray/Deluge
+Water Curtain
+Blast Resistant Construction
+Others
A 70-year-old woman judge was preparing herself for the day in her bathroom at her home. She
either dropped or knocked over a large aerosol hair spray. When the aerosol fell, it impacted on
something that punctured it. The puncture released the contents of the aerosol including the
isobutane propellant and the ethanol solvent, both of which are highly flammable. A propane-
fired hot water heater was inside the bathroom and the pilot light ignited the flammable
propellant and solvent from the hairspray, causing severe burns to the woman. While in recovery
from her burns, the woman suffered a stroke. The aerosol hairspray was manufactured in an
aluminum monobloc aerosol container. The issues in the case addressed by Chemaxx were the
impact/puncture resistance of the aluminum monobloc aerosol container and its
advantages/disadvantages compared to three-piece steel aerosol containers. The case was settled
prior to trial.
A woman had sprayed her hair early in the morning with a hair spray product consisting mostly
of mineral oils. The instructions on the container were to leave the product on the hair (soak) for
a period of time (30 minutes). The woman gathered her children, put them in her car, and then
drove them to day care. When she got out of the car at the day care center, she lit a cigarette and
her hair burst into flames. The issues in the case involved labeling, the flammability of hair after
a period of time following application of the product, and the inherent danger in the product. The
case settled prior to trial.
Spray Paint
A gentleman and his wife had decided it was a good day to touch up some of the wheels on their
RV with spray paint, and to also paint a small table and chairs used by their grandchildren. This
work was to be done outside, but the tools and spray paints were inside a (non-attached)
workshop. The gentleman went into his workshop and gathered up sanding tools, sand paper and
the can of paint. As he was walking toward the door of his workshop he began shaking the can of
paint. The next thing he knew, the can exploded and he was engulfed in a ball of fire. The
remains of the can indicate that the bottom of the can suddenly separated (completely) from the
can, which in turn caused the explosion and ball of fire as well as a rocketing aerosol container.
The top of the evidence container was found lodged in the workshop ceiling. The technical issues
in the case include labeling, the nature of the propellants, alternative propellants, storage location
within the garage, the design of the container, and the metallurgical nature of the can itself.
A highway construction worker was moving equipment from the back of a flatbed truck. In the
process of moving the equipment, he also moved a 3-gallon gasoline safety can which spilled
gasoline onto his pants. A propane-fired tar furnace is believed to have ignited the spilled
gasoline and set the construction worker on fire. The primary issue in the case is whether or not
the gasoline safety can was defective. It was determined that an internal (non-visible) valve
closure disk had come loose which allowed the gasoline to spill out of the can. Other issues
involved labeling, warnings, and DOT and OSHA Regulations. The case went to jury trial in
March 99 and the verdict was close to one million dollars in favor of the plaintiff.
A retired gentleman had just filled a flat tire on a riding lawn mower using a non-explosive, non-
flammable aerosol tire repair product. He set the aerosol product down on a concrete patio and
before he could completely straighten up, the bottom of the aerosol container exploded off and
the body of the container rocketed directly into his stomach. He required extensive surgery.
Issues in the case included whether or not the DOT 2Q aerosol container was defective, whether
or not the aerosol formulation was defective, whether or not the container was dropped by
the plaintiff, and whether or not the warning label was adequate.
INTRODUCTION
On the night of December 23, 1984, a dangerous chemical reaction occurred in the Union
Carbide factory when a large amount of water got into the Methyl Isocyanate (MIC) Storage
Tank 610. The leak was first detected by workers at approximately 11:30 p.m. when their eyes
began to tear and burn. They informed their supervisor who failed to take action until it was too
late. In that time, a large amount, about 40 tons of Methyl Isocyanate (MIC), poured out of the
tank for nearly two hours and escaped into the air, spreading within eight kilometers downwind,
over the city of nearly 900,000. Thousands of people were killed (estimates ranging as high as
4,000) in their sleep or as they fled in terror, and hundreds of thousands remain injured or
affected (estimates range as high as 400,000) to this day.
Scenario:
Causes:
Remedies:
Process safety and risk management programs, safety audits, and similar activities are being
increasingly used in the industrial sector, and are leading to a safer work place. The incidence of
workplace injuries and illnesses in the manufacturing sector of private industry has dropped each
year from 9.9/100 full time workers in 1997 to 7.9 in 2001 (USA).
The benefits these programs bring are possibly even more significant considering industry’s
increasingly severe processing conditions, the increasingly complex operations of new facilities,
and the aging of existing ones. Many safety related problems can be avoided by fully complying
with the provisions of appropriate codes and standards that have been developed, are widely
available, and have been adopted as requirements by private and governmental organizations. Full
compliance is usually required to obtain the necessary construction and operating permits as well
as adequate insurance coverage (1).
(1) Understanding basic engineering codes, HW Cooper, Hydrocarbon Processing, August 2003
The UK Health and Safety Commission (HSC) and the Health and Safety Executive (HSE) are
responsible for the regulation of almost all the risks to health and safety arising from work
activity in Britain. Their mission is to protect people's health and safety by ensuring risks in the
changing workplace are properly controlled.
The HSC looks after health and safety in nuclear installations and mines, factories, farms,
hospitals and schools, offshore gas and oil installations, the safety of the gas grid and the
movement of dangerous goods and substances, railway safety, and many other aspects of the
protection both of workers and the public. Local authorities are responsible to HSC for
enforcement in offices, shops and other parts of the services sector.
These Regulations are intended to protect the health and safety of people working in
construction, and others who may be affected by their activities, by ensuring good management
of construction projects, from concept to completion and eventual demolition. Everyone in the
construction supply chain is included.
The CIMAH Regulations applied to the Complex prior to being superseded by the COMAH
Regulations and were designed to prevent or mitigate the effects of major accidents both on
people and the environment.
These Regulations superseded the CIMAH Regulations in 1999 and extended the scope and
requirements in line with the Seveso II Directive. Major accident hazard sites as defined under
the COMAH Regulations (COMAH sites) are required to prepare and submit a safety report to
the Competent Authority for assessment, which should contain certain information as specified
by the regulations in order to allow the Competent Authority to assess the overall safety of the
site.
Regulation 4 requires that “Every operator shall take all measures necessary to prevent major
accidents and limit their consequences to persons and the environment”.
Regulation 18 requires the Competent Authority to prohibit operation if serious deficiencies with
major accident potential are found.
“The competent authority shall prohibit the operation or bringing into operation of any
establishment or installation or any part thereof where the measures taken by the operator for the
prevention and mitigation of major accidents are seriously deficient”.
Regulation 19 of the COMAH Regulations clearly identifies the inspection and investigation
duties of the Competent Authority and states:
1. “The competent authority shall organize an adequate system of inspections of
establishments or other measures of control appropriate to the type of establishment
concerned.
2. The inspections or control measures referred to in paragraph (1) shall not be dependent
upon the receipt of any report submitted by the operator and they shall be sufficient for a
planned and systematic examination of the systems being employed at the establishment,
whether of a technical, organizational or managerial nature
a) That the operator can demonstrate that he has taken appropriate measures to prevent
major accidents
b) That the operator can demonstrate that he has provided appropriate means for limiting
the consequences of major accidents both inside and outside the establishment
c) That the information contained in any report sent to the competent authority by the
operator of the establishment adequately reflects the conditions in the establishment
d) That the information has been supplied to the public pursuant to Regulation 14.
3. A system of inspection referred to in paragraph (1) shall meet the following conditions:
a) There shall be a program of inspections for all establishments.
b) Unless such a program is based upon a systematic appraisal of major accident hazards
of the particular establishment concerned, the program shall, in the case of
establishments to which Regulations 7 to 14 apply, entail at least one on-site
inspection made on behalf of the competent authority every 12 months.
c) Following each inspection, a report shall be prepared by the competent authority.
d) Where necessary, matters shall be pursued with the operator within a reasonable
period following the inspection.
4. Where the competent authority or the Executive has been informed of a major accident at
an establishment the competent authority shall:
a) Obtain from the operator of the establishment:
I. Information as respects the circumstances of the accident, the dangerous
substances involved, the data available for assessing the effects of the accident
on persons and the environment, the emergency measures taken and the steps
envisaged to alleviate the medium and long-term effects of the accident and to
prevent any recurrence of it.
II. Such other information in the operator’s possession as will enable the competent
authority to notify the European Commission pursuant to Regulation 21(1).
b) Ensure that any urgent, medium and long-term measures, which may prove necessary,
are taken.
INTRODUCTION
During the period between May 29 and June 10, 2000, three incidents occurred at the Complex.
These incidents were subsequently investigated, as required under COMAH Regulation 19, by
the Competent Authority and by BP in order to determine the underlying root causes of the
incidents and to identify any lessons that needed to be learned.
The power distribution failure (May 29, 2000), the medium pressure (MP) steam main rupture
(June 7, 2000), and the Fluidized Catalytic Cracker Unit (FCCU) fire (June 10, 2000) each had
the potential to cause fatal injury and environmental impact, although no serious injury occurred
and there was only a short-term impact on the environment. BP was prosecuted on indictment in
Falkirk Sheriff Court on January 18, 2002 and pleaded guilty to two charges relating to the
FCCU fire and the MP steam main rupture incidents.
Scenario:
Causes:
Remedies:
The "Seveso II" Directive (96/82/EC) is aimed at the prevention of major accident hazards
involving dangerous substances, and the limitation of their consequences for man and the
environment. The Directive aims to ensure high levels of protection throughout the Community,
consistently and effectively.
Article 1
Aim
This Directive is aimed at the prevention of major accidents, which involve dangerous substances, and
the limitation of their consequences for man and the environment, with a view to ensuring high levels of
protection throughout the Community in a consistent and effective manner.
Article 2
Scope
1. The Directive shall apply to establishments where dangerous substances are present in quantities
equal to or in excess of the quantities listed in Annex I, Parts 1 and 2, column 2, with the exception of
Articles 9, 11 and 13 which shall apply to any establishment where dangerous substances are present in
quantities equal to or in excess of the quantities listed in Annex I, Parts 1 and 2, column 3.
For the purposes of this Directive, the 'presence of dangerous substances' shall mean the actual or
anticipated presence of such substances in the establishment, or the presence of those which it is
believed may be generated during loss of control of an industrial chemical process, in quantities equal to
or in excess of the thresholds in Parts 1 and 2 of Annex I.
2. The provisions of this Directive shall apply without prejudice to Community provisions concerning the
working environment, and, in particular, without prejudice to Council Directive 89/391/EEC of 12 June
1989 on the introduction of measures to encourage improvements in the safety and health of workers at
work.
1. 'Establishment' shall mean the whole area under the control of an operator where dangerous
substances are present in one or more installations, including common or related infrastructures
or activities;
2. 'Installation' shall mean a technical unit within an establishment in which dangerous substances
are produced, used, handled or stored. It shall include all the equipment, structures, pipework,
machinery, tools, private railway sidings, docks, unloading quays serving the installation, jetties,
warehouses or similar structures, floating or otherwise, necessary for the operation of the
installation;
3. 'Operator' shall mean any individual or corporate body who operates or holds an establishment or
installation or, if provided for by national legislation, has been given decisive economic power in
the technical operation thereof;
4. 'Dangerous substance' shall mean a substance, mixture or preparation listed in Annex I, Part 1,
or fulfilling the criteria laid down in Annex I, Part 2, and present as a raw material, product, by-
product, residue or intermediate, including those substances which it is reasonable to suppose
may be generated in the event of accident;
5. 'Major accident' shall mean an occurrence such as a major emission, fire, or explosion resulting
from uncontrolled developments in the course of the operation of any establishment covered by
this Directive, and leading to serious danger to human health and/or the environment, immediate
or delayed, inside or outside the establishment, and involving one or more dangerous
substances;
6. 'Hazard' shall mean the intrinsic property of a dangerous substance or physical situation, with a
potential for creating damage to human health and/or the environment;
7. 'Risk' shall mean the likelihood of a specific effect occurring within a specified period or in
specified circumstances;
8. 'Storage' shall mean the presence of a quantity of dangerous substances for the purposes of
warehousing, depositing in safe custody or keeping in stock.
Article 4
Exclusions
1. Member States shall ensure that the operator is obliged to take all measures necessary to prevent
major accidents and to limit their consequences for man and the environment.
a. Member States shall ensure that the operator is required to prove to the competent authority
referred to in Article 16, hereinafter referred to as the 'competent authority', at any time, in
particular for the purposes of the inspections and controls referred to in Article 18, that he has
taken all the measures necessary as specified in this Directive.
Article 6
Notification
1. Member States shall require the operator to send the competent authority a notification within the
following time-limits:
• For new establishments, a reasonable period of time prior to the start of construction or operation,
• For existing establishments, one year from the date laid down in Article 24 (1).
a. The name or trade name of the operator and the full address of the establishment concerned;
b. The registered place of business of the operator, with the full address;
c. The name or position of the person in charge of the establishment, if different from (a);
d. Information sufficient to identify the dangerous substances or category of substances involved;
e. The quantity and physical form of the dangerous substance or substances involved;
f. The activity or proposed activity of the installation or storage facility,
g. The immediate environment of the establishment (elements liable to cause a major accident or to
aggravate the consequences thereof).
3. In the case of existing establishments for which the operator has already provided all the information
under paragraph 2 to the competent authority under the requirements of national law at the date of entry
into force of this Directive, notification under paragraph 1 is not required.
• Any significant increase in the quantity or significant change in the nature or physical form of the
dangerous substance present, as indicated in the notification provided by the operator pursuant
to paragraph 2, or any change in the processes employing it, or
• Permanent closure of the installation.
The operator shall immediately inform the competent authority of the change in the situation.
Article 7
Major-accident prevention policy
1. Member States shall require the operator to draw up a document setting out his major-accident
prevention policy and to ensure that it is properly implemented. The major-accident prevention policy
2. The document must take account of the principles contained in Annex III and be made available to the
competent authorities for the purposes of, amongst other things, implementation of Articles 5 (2) and 18.
Article 8
Domino effect
1. Member States shall ensure that the competent authority, using the information received from the
operators in compliance with Articles 6 and 9, identifies establishments or groups of establishments
where the likelihood and the possibility or consequences of a major accident may be increased because
of the location and the proximity of such establishments, and their inventories of dangerous substances.
2. Member States must ensure that in the case of the establishments thus identified:
Article 9
Safety report
1. Member States shall require the operator to produce a safety report for the purposes of:
a. Demonstrating that a major-accident prevention policy and a safety management system for
implementing it have been put into effect in accordance with the information set out in Annex III;
b. Demonstrating that major-accident hazards have been identified and that the necessary
measures have been taken to prevent such accidents and to limit their consequences for man
and the environment;
c. Demonstrating that adequate safety and reliability have been incorporated into the design,
construction, operation and maintenance of any installation, storage facility, equipment and
infrastructure connected with its operation which are linked to major-accident hazards inside the
establishment;
d. Demonstrating that internal emergency plans have been drawn up and supplying information to
enable the external plan to be drawn up in order to take the necessary measures in the event of a
major accident;
e. Providing sufficient information to the competent authorities to enable decisions to be made in
terms of the siting of new activities or developments around existing establishments.
2. The safety report shall contain at least the data and information listed in Annex II. It shall also contain
an updated inventory of the dangerous substances present in the establishment.
Safety reports, or parts of reports, or any other equivalent reports produced in response to other
legislation, may be combined to form a single safety report for the purposes of this Article, where such a
3. The safety report provided for in paragraph 1 shall be sent to the competent authority within the
following time limits:
• For new establishments, a reasonable period of time prior to the start of construction or of
operation,
• For existing establishments not previously covered by Directive 82/501/EEC, three years from the
date laid down in Article 24 (1),
• For other establishments, two years from the date laid down in Article 24 (1),
• In the case of the periodic reviews provided for in paragraph 5, without delay.
4. Before the operator commences construction or operation, or in the cases referred to in the second,
third and fourth indents of paragraph 3, the competent authority shall within a reasonable period of receipt
of the report:
• Communicate the conclusions of its examination of the safety report to the operator, if necessary
after requesting further information, or
• Prohibit the bringing into use, or the continued use, of the establishment concerned, in
accordance with the powers and procedures laid down in Article 17.
5. The safety report shall be periodically reviewed and where necessary updated:
6.
a. Where it is demonstrated to the satisfaction of the competent authority that particular substances
present at the establishment, or any part thereof, are in a state incapable of creating a major-
accident hazard, then the Member State may, in accordance with the criteria referred to in
subparagraph (b), limit the information required in safety reports to those matters which are
relevant to the prevention of residual major-accident hazards and the limitation of their
consequences for man and the environment.
b. Before this Directive is brought into application, the Commission, acting in accordance with the
procedure laid down in Article 16 of Directive 82/501/EEC, shall establish harmonized criteria for
the decision by the competent authority that an establishment is in a state incapable of creating a
major accident hazard within the meaning of subparagraph (a). Subparagraph (a) shall not be
applicable until those criteria have been established.
c. Member States shall ensure that the competent authority communicates a list of the
establishments concerned to the Commission, giving reasons. The Commission shall forward the
lists annually to the Committee referred to in Article 22.
Article 10
Modification of an installation, an establishment or a storage facility
• Reviews and where necessary revises the major-accident prevention policy, and the
management systems and procedures referred to in Articles 7 and 9,
• Reviews, and where necessary revises, the safety report and informs the competent authority
referred to in Article 16 of the details of such revision in advance of such modification.
Article 11
Emergency plans
1. Member States shall ensure that, for all establishments to which Article 9 applies:
a. The operator draws up an internal emergency plan for the measures to be taken inside the
establishment,
• For new establishments, prior to commencing operation,
• For existing establishments not previously covered by Directive 82/501/EEC, three years
from the date laid down in Article 24 (1),
• For other establishments, two years from the date laid down in Article 24 (1);
b. The operator supplies to the competent authorities, to enable the latter to draw up external
emergency plans, the necessary information within the following periods of time:
§ For new establishments, prior to the start of operation,
§ For existing establishments not previously covered by Directive 82/501/EEC, three years
from the date laid down in Article 24 (1),
§ For other establishments, two years from the date laid down in Article 24 (1);
c. The authorities designated for that purpose by the Member State draw up an external emergency
plan for the measures to be taken outside the establishment.
• Containing and controlling incidents so as to minimize the effects, and to limit damage to man,
the environment and property,
• Implementing the measures necessary to protect man and the environment from the effects of
major accidents,
• Communicating the necessary information to the public and to the services or authorities
concerned in the area,
• Providing for the restoration and clean-up of the environment following a major accident.
Emergency plans shall contain the information set out in Annex IV.
3. Without prejudice to the obligations of the competent authorities, Member States shall ensure that the
internal emergency plans provided for in this Directive are drawn up in consultation with personnel
employed inside the establishment and that the public is consulted on external emergency plans.
4. Member States shall ensure that internal and external emergency plans are reviewed, tested, and
where necessary revised and updated by the operators and designated authorities at suitable intervals of
no longer than three years. The review shall take into account changes occurring in the establishments
5. Member States shall ensure that emergency plans are put into effect without delay by the operator and,
if necessary by the competent authority designated for this purpose:
6. The competent authority may decide, giving reasons for its decision, in view of the information
contained in the safety report, that the requirement to produce an external emergency plan under
paragraph 1 shall not apply.
Article 12
Land-use planning
1. Member States shall ensure that the objectives of preventing major accidents and limiting the
consequences of such accidents are taken into account in their land use policies and/or other relevant
policies. They shall pursue those objectives through controls on:
Member States shall ensure that their land-use and/or other relevant policies and the procedures for
implementing those policies take account of the need, in the long term, to maintain appropriate distances
between establishments covered by this Directive and residential areas, areas of public use and areas of
particular natural sensitivity or interest, and, in the case of existing establishments, of the need for
additional technical measures in accordance with Article 5 so as not to increase the risks to people.
2. Member States shall ensure that all competent authorities and planning authorities responsible for
decisions in this area set up appropriate consultation procedures to facilitate implementation of the
policies established under paragraph 1. The procedures shall be designed to ensure that technical advice
on the risks arising from the establishment is available, either on a case-by-case or on a generic basis,
when decisions are taken.
Article 13
Information on safety measures
1. Member States shall ensure that information on safety measures and on the requisite behavior in the
event of an accident is supplied, without their having to request it, to persons liable to be affected by a
major accident originating in an establishment covered by Article 9.
The information shall be reviewed every three years and, where necessary, repeated and updated, at
least if there is any modification within the meaning of Article 10. It shall also be made permanently
available to the public. The maximum period between the repetition of the information to the public shall,
in any case, be no longer than five years.
2. Member States shall, with respect to the possibility of a major accident with transboundary effects
originating in an establishment under Article 9, provide sufficient information to the potentially affected
Member States so that all relevant provisions contained in Articles 11, 12 and this Article can be applied,
where applicable, by the affected Member State.
3. Where the Member State concerned has decided that an establishment close to the territory of another
Member State is incapable of creating a major-accident hazard beyond its boundary for the purposes of
Article 11 (6) and is not therefore required to produce an external emergency plan under Article 11 (1), it
shall so inform the other Member State.
4. Member States shall ensure that the safety report is made available to the public. The operator may
ask the competent authority not to disclose to the public certain parts of the report, for reasons of
industrial, commercial or personal confidentiality, public security or national defense. In such cases, on
the approval of the competent authority, the operator shall supply to the authority, and make available to
the public, an amended report excluding those matters.
5. Member States shall ensure that the public is able to give its opinion in the following cases:
6. In the case of establishments subject to the provisions of Article 9, Member States shall ensure that the
inventory of dangerous substances provided for in Article 9 (2) is made available to the public.
Article 14
Information to be supplied by the operator following a major accident
1. Member States shall ensure that, as soon as practicable following a major accident, the operator shall
be required, using the most appropriate means:
d. To update the information provided if further investigation reveals additional facts, which alter that
information or the conclusions drawn.
a. To ensure that any urgent, medium- and long-term measures which may prove necessary are
taken;
b. To collect, by inspection, investigation or other appropriate means, the information necessary for
a full analysis of the technical, organizational and managerial aspects of the major accident;
c. To take appropriate action to ensure that the operator takes any necessary remedial measures;
and
d. To make recommendations on future preventive measures.
Article 15
Information to be supplied by the Member States to the Commission
1. For the purpose of prevention and mitigation of major accidents, Member States shall inform the
Commission as soon as practicable of major accidents meeting the criteria of Annex VI which have
occurred within their territory. They shall provide it with the following details:
a. The Member State, the name and address of the authority responsible for the report;
b. The date, time and place of the major accident, including the full name of the operator and the
address of the establishment involved;
c. A brief description of the circumstances of the accident, including the dangerous substances
involved, and the immediate effects on man and the environment;
d. A brief description of the emergency measures taken and of the immediate precautions
necessary to prevent recurrence.
2. Member States shall, as soon as the information provided for in Article 14 is collected, inform the
Commission of the result of their analysis and recommendations using a report form established and kept
under review through the procedure referred to in Article 22.
Reporting of this information by Member States may be delayed only to allow for the completion of legal
proceedings where such reporting is liable to affect those proceedings.
3. Member States shall inform the Commission of the name and address of any body which might have
relevant information on major accidents and which is able to advise the competent authorities of other
Member States which have to intervene in the event of such an accident.
Article 16
Competent authority
Without prejudice to the operator's responsibilities, Member States shall set up or appoint the competent
authority or authorities responsible for carrying out the duties laid down in this Directive and, if necessary,
bodies to assist the competent authority or authorities at technical level.
Article 17
Prohibition of use
1. Member States shall prohibit the use or bringing into use of any establishment, installation or storage
facility, or any part thereof where the measures taken by the operator for the prevention and mitigation of
major accidents are seriously deficient.
2. Member States shall ensure that operators may appeal against a prohibition order by a competent
authority under paragraph 1 to an appropriate body determined by national law and procedures.
Article 18
Inspections
1. Member States shall ensure that the competent authorities organize a system of inspections, or other
measures of control appropriate to the type of establishment concerned. Those inspections or control
measures shall not be dependent upon receipt of the safety report or any other report submitted. Such
inspections or other control measures shall be sufficient for a planned and systematic examination of the
systems being employed at the establishment, whether of a technical, organizational or managerial
nature, so as to ensure in particular:
• That the operator can demonstrate that he has taken appropriate measures, in connection with
the various activities involved in the establishment, to prevent major accidents,
• That the operator can demonstrate that he has provided appropriate means for limiting the
consequences of major accidents, on site and off site,
• That the data and information contained in the safety report, or any other report submitted,
adequately reflects the conditions in the establishment,
• That information has been supplied to the public pursuant to Article 13 (1).
2. The system of inspection specified in paragraph 1 shall comply with the following conditions:
a. There shall be a program of inspections for all establishments. Unless the competent authority
has established a program of inspections based upon a systematic appraisal of major-accident
hazards of the particular establishment concerned, the program shall entail at least one on-site
inspection made by the competent authority every twelve months of each establishment covered
by Article 9;
b. Following each inspection, a report shall be prepared by the competent authority,
c. Where necessary, every inspection carried out by the competent authority shall be followed up
with the management of the establishment, within a reasonable period following the inspection.
3. The competent authority may require the operator to provide any additional information necessary to
allow the authority fully to assess the possibility of a major accident and to determine the scope of
possible increased probability and/or aggravation of major accidents, to permit the preparation of an
external emergency plan, and to take substances into account which, due to their physical form, particular
conditions or location, may require additional consideration.
Article 19
Information system and exchanges
1. Member States and the Commission shall exchange information on the experience acquired with
regard to the prevention of major accidents and the limitation of their consequences. This information
shall concern, in particular, the functioning of the measures provided for in this Directive.
a. The rapid dissemination of the information supplied by Member States pursuant to Article 15 (1)
among all competent authorities;
b. Distribution to competent authorities of an analysis of the causes of major accidents and the
lessons learned from them;
c. Supply of information to competent authorities on preventive measures;
d. Provision of information on organizations able to provide advice or relevant information on the
occurrence, prevention and mitigation of major accidents.
3. Without prejudice to Article 20, access to the register and information system shall be open to
government departments of the Member States, industry or trade associations, trade unions, non-
governmental organizations in the field of the protection of the environment and other international or
research organizations working in the field.
4. Member States shall provide the Commission with a three-yearly report in accordance with the
procedure laid down in Council Directive 91/692/EEC of 23 December 1991 standardizing and
rationalizing reports on the implementation of certain Directives relating to the environment for
establishments covered by Articles 6 and 9. The Commission shall publish a summary of this information
every three years.
Article 20
Confidentiality
1. Member States shall ensure, in the interests of transparency, that the competent authorities are
required to make information received pursuant to this Directive available to any natural or legal person
who so requests.
Information obtained by the competent authorities or the Commission may, where national provisions so
require, be kept confidential if it calls into question:
• The confidentiality of the deliberations of the competent authorities and the Commission,
• The confidentiality of international relations and national defense,
• Public security,
• The confidentiality of preliminary investigation proceedings or of current legal proceedings,
• Commercial and industrial secrets, including intellectual property,
• Personal data and/or files,
• Data supplied by a third party if that party asks for them to be kept confidential.
2. This Directive shall not preclude the conclusion by a Member State of agreements with third countries
on the exchange of information to which it is privy at internal level.
Article 21
Committee
The Commission shall be assisted by a committee composed of the representatives of the Member
States and chaired by the representative of the Commission.
The representative of the Commission shall submit to the committee a draft of the measures to be taken.
The committee shall deliver its opinion on the draft within a time limit, which the chairman may lay down
according to the urgency of the matter. The opinion shall be delivered by the majority laid down in Article
148 (2) of the Treaty in the case of decisions, which the Council is required to adopt on a proposal from
the Commission. The votes of the representatives of the Member States within the committee shall be
weighted in the manner set out in that Article. The chairman shall not vote.
The Commission shall adopt the measures envisaged if they are in accordance with the opinion of the
committee.
If the measures envisaged are not in accordance with the opinion of the committee, or if no opinion is
delivered, the Commission shall, without delay, submit to the Council a proposal relating to the measures
to be taken. The Council shall act by a qualified majority.
If, on the expiry of a period of three months from the date of referral to the Council, the Council has not
acted, the proposed measures shall be adopted by the Commission.
Article 23
Repeal of Directive 82/501/EEC
1. Directive 82/501/EEC shall be repealed 24 months after the entry into force of this Directive.
2. Notifications, emergency plans and information for the public presented or drawn up pursuant to
Directive 82/501/EEC shall remain in force until such time as they are replaced under the corresponding
provisions of this Directive.
Article 24
Implementation
1. Member States shall bring into force the laws, regulations and administrative provisions necessary to
comply with this Directive not later than 24 months after its entry into force. They shall forthwith inform the
Commission thereof.
When Member States adopt these measures, they shall contain a reference to this Directive or shall be
accompanied by such reference on the occasion of their official publication. The methods of making such
reference shall be laid down by Member States.
2. Member States shall communicate to the Commission the main provisions of domestic law which they
adopt in the field governed by this Directive.
ANNEX II
I. Information on the management system and on the organization of the establishment with a
view to major accident prevention
A. Description of the site and its environment including the geographical location, meteorological,
geological, hydrographic conditions and, if necessary, its history;
B. Identification of installations and other activities of the establishment which could present a major-
accident hazard;
C. Description of areas where a major accident may occur.
A. Description of the main activities and products of the parts of the establishment which are
important from the point of view of safety, sources of major-accident risks and conditions under
which such a major accident could happen, together with a description of proposed preventive
measures;
B. Description of processes, in particular the operating methods;
C. Description of dangerous substances:
A. Detailed description of the possible major-accident scenarios and their probability or the
conditions under which they occur including a summary of the events which may play a role in
triggering each of these scenarios, the causes being internal or external to the installation;
B. Assessment of the extent and severity of the consequences of identified major accidents;
C. Description of technical parameters and equipment used for the safety of installations.
A. Description of the equipment installed in the plant to limit the consequences of major accidents;
B. Organization of alert and intervention;
C. Description of mobilizable resources, internal or external;
D. Summary of elements described in A, B, and C above necessary for drawing up the internal
emergency plan prepared in compliance with Article 11.
ANNEX III
For the purpose of implementing the operator's major-accident prevention policy and safety management
system account shall be taken of the following elements. The requirements laid down in the document
referred to in Article 7 should be proportionate to the major-accident hazards presented by the
establishment:
a. The major accident prevention policy should be established in writing and should include the
operator's overall aims and principles of action with respect to the control of major-accident
hazards;
b. The safety management system should include the part of the general management system
which includes the organizational structure, responsibilities, practices, procedures, processes and
resources for determining and implementing the major-accident prevention policy;
c. The following issues shall be addressed by the safety management system:
i. Organization and personnel - the roles and responsibilities of personnel involved in the
management of major hazards at all levels in the organization. The identification of training
needs of such personnel and the provision of the training so identified. The involvement of
employees and, where appropriate, subcontractors;
ii. Identification and evaluation of major hazards - adoption and implementation of procedures
for systematically identifying major hazards arising from normal and abnormal operation
and the assessment of their likelihood and severity;
ANNEX IV
a. Names or positions of persons authorized to set emergency procedures in motion and the person
in charge of and coordinating the on-site mitigatory action.
b. Name or position of the person with responsibility for liaising with the authority responsible for the
external emergency plan.
c. For foreseeable conditions or events which could be significant in bringing about a major
accident, a description of the action which should be taken to control the conditions or events and
to limit their consequences, including a description of the safety equipment and the resources
available.
d. Arrangements for limiting the risks to persons on site including how warnings are to be given and
the actions persons are expected to take on receipt of a warning.
e. Arrangements for providing early warning of the incident to the authority responsible for setting
the external emergency plan in motion, the type of information, which should be contained in an
initial warning and the arrangements for the provision of more detailed information as it becomes
available.
f. Arrangements for training staff in the duties they will be expected to perform, and where
necessary coordinating this with off-site emergency services.
g. Arrangements for providing assistance with off-site mitigatory action.
a. Names or positions of persons authorized to set emergency procedures in motion and of persons
authorized to take charge of and coordinate off-site action.
b. Arrangements for receiving early warning of incidents, and alert and call-out procedures.
c. Arrangements for coordinating resources necessary to implement the external emergency plan.
The Pressure Equipment Directive (97/23/EC) was adopted by the European Parliament and the
European Council in May 1997. It initially came into force on November 29, 1999. From May
29, 2002 the PED became obligatory throughout the EU.
http://ped.eurodyn.com/
Containing essential reference information in order to design, produce, market, and put into
service Pressure Equipment and Pressure Assemblies in Europe including: practical hints to the
application of the directive and information about ongoing research projects and studies.
What is It For?
The directive provides, together with the directives related to simple pressure vessels
(87/404/EC), transportable pressure equipment (99/36/EC) and Aerosol Dispensers
(75/324/EEC), for an adequate legislative framework at European level for equipment subject to
a pressure hazard.
Why is It Here?
The Directive concerns manufacturers of items such as vessels, pressurized storage containers,
heat exchangers, steam generators, boilers, industrial piping, safety devices and pressure
accessories. Such pressure equipment is widely used in the process industries (oil & gas,
chemical, pharmaceutical, plastics and rubber and the food and beverage industry), high
temperature process industry (glass, paper and board), energy production and in the supply of
utilities, heating, air conditioning and gas storage and transportation.
Under the Community regime of the Directive, pressure equipment and assemblies above
specified pressure and/or volume thresholds must:
§ Be safe;
§ Meet essential safety requirements covering design, manufacture and testing;
§ Satisfy appropriate conformity assessment procedures; and
§ Carry the CE marking and other information.
The Directive affects manufacturers of items such as vessels, pressurized storage containers, heat
exchangers, steam generators, boilers, industrial piping, safety devices and pressure accessories.
Such pressure equipment is widely used in the process industries (oil and gas, chemical,
pharmaceutical, plastics and rubber and the food and beverage industry), high temperature
process industry (glass, paper and board), energy production and in the supply of utilities,
heating, air conditioning and gas storage and transportation.
It covers pressure equipment and assemblies with a maximum allowable gauge pressure PS
greater than 0.5 bar. Pressure equipment means vessels, piping, safety accessories and pressure
accessories. Assemblies means several pieces of pressure equipment assembled to form an
integrated, functional whole.
It does not deal with in-use requirements, which may be necessary to ensure the continued safe
use of pressure equipment.
The introduction of the new legislation related to pressure equipment concerns a large number of
industries ranging from small and middle-sized manufacturers to the big chemical industries.
Their total European market is estimated at more than 65 billion Euros per year. Both
manufacturers and users will benefit from the new regulatory environment as it will open up
markets and, at the same time, facilitate the application of new technologies.
The UK adoption of the PED is known as the Pressure Equipment Regulations 1999 (SI
1999/2001) or the PER. This piece of legislation came into force on 29 May 2002. If you are
manufacturing any item that comes under the PER and do NOT have the CE mark correctly
applied you'll be breaking the law and could be fined up to £5,000 for each non-compliant
product.
A large and growing number of British Standards have been "harmonized" under European
regulations to allow users a "presumption of conformity" to the Directive. This means that in
many cases, using a relevant Standard satisfies most or all of the conformity requirement.
However, there are times where third party testing and/or certification is still required but in
those cases, using a harmonized standard as your starting point can save time, effort and money.
Using standards can also help you work better with suppliers and customers, reduce your R&D
costs, reduce the risk of liability and improve company performance.
Four primary standards have been released with others on the way. The major ones are listed
below.
BSI was the first national standards body in the world. There are now more than 100 similar
organizations which are members of the International Organization for Standardization (ISO)
and the International Electrotechnical Commission (IEC). These bodies produce harmonized
world standards. BSI ensures the views of British industry are represented in this area.
For the purposes of this Directive, 'simple pressure vessel' means any welded vessel subjected to
an internal gauge pressure greater than 0,5 bar which is intended to contain air or nitrogen and
which is not intended to be fired.
Moreover, the parts and assemblies contributing to the strength of the vessel under pressure shall
be made either of non-alloy quality steel or of non-alloy aluminum or non-age hardening
aluminum alloys, the vessel shall be made of:
§ Either a cylindrical part of circular cross-section closed by outwardly dished and/or flat
ends which revolve around the same axis as the cylindrical part
§ Two dished ends revolving around the same axis
§ The maximum working pressure of the vessel shall not exceed 30 bar and the product of
that pressure and the capacity of the vessel (PS·V) shall not exceed 10 000 bar·litre
§ The minimum working temperature must be no lower than minus 50 °C and the
maximum working temperature shall not be higher than 300 °C for steel and 100 °C for
aluminum or aluminum alloy vessels.
Member States shall take all necessary steps to ensure that the vessels may be placed on the
market and taken into service only if they do not compromise the safety of persons, domestic
Creating a safer and healthier working environment in Europe lies beyond the resources and
expertise of a single country or institution. That's why the European Agency for Safety and
Health at Work was set up by the European Union: to bring together and share the region's vast
reservoir of knowledge and information on OSH-related issues and preventive measures.
Since its start-up in 1997, the Agency's information network has grown to include not only 15
EU Member States, but also the EU candidate countries and the four EFTA countries. At the
same time international organizations including the International Labour Organization and the
World Health Organization, as well as leading OSH organizations in the USA, Canada and
Australia have joined the network.
On a federal level in the USA, Congress passes an act whose text is a public statute. Certain
governmental agencies are authorized to create regulations. These are specific rules necessary to
put the law into practice and define what is legal and what is illegal. While each state and local
municipality may promulgate its own regulations, minimum technical requirements that have
major impacts on the industrial sector, generally arise from three US agencies, namely:
§ Department of Transport
§ Environmental Protection Agency
§ Occupational Safety and Health Administration
DEPARTMENT OF TRANSPORT
http://dot.gov/
DOT is a large government organization with approximately 61,000 employees. Top priorities at
DOT are to keep the traveling public safe and secure, increase their mobility, and have our
transportation system contribute to the nation’s economic growth. The DOT is responsible for
the safety of interstate transportation, including aviation, highways and pipelines. CFR 49
contains Transportation regulations. Requirements for transporting hazardous materials are
detailed in 49 CFR 179. These include considerations of thermal protection, venting, relief
systems, materials of construction and insulation. The DOT office of pipeline safety (OPS) has
issued regulations pertaining to the design, testing and operation of the pipelines that transport
liquids and gases throughout the US.
DOT contains many operating administrations and bureaus: each with its own management and
organizational structure:
In July of 1970, the White House and Congress worked together to establish the EPA in response
to the growing public demand for cleaner water, air and land. Prior to the establishment of the
EPA, the federal government was not structured to make a coordinated attack on the pollutants
that harm human health and degrade the environment. The EPA was assigned the daunting task
of repairing the damage already done to the natural environment and to establish new criteria to
guide Americans in making a cleaner environment a reality.
EPA works with industry to reduce the amount of pollutants entering the environment by issuing
permits that specify the levels of emissions allowed from each industrial process. A number of
EPA programs provide guidance to small businesses on how to comply with federal regulations
designed to reduce the amount of pollution they generate. EPA has a number of programs that
help industry voluntarily reduce pollutants entering the air, land, and water in a cost-effective
manner, and in some cases allow industry to design and test entirely new approaches for
reducing pollution that go beyond existing environmental regulations.
EPA employs 18,000 people across the country, including headquarters offices in Washington,
DC, 10 regional offices, and more than a dozen labs. Staff are highly educated and technically
trained; more than half are engineers, scientists, and policy analysts. In addition, a large number
of employees are legal, public affairs, financial, information management and computer
EPA regulations can be found in the code of federal regulations (CFR) Title 40, Protection of
Environment.
Develop and enforce regulations: EPA works to develop and enforce regulations that
implement environmental laws enacted by Congress. EPA is responsible for researching and
setting national standards for a variety of environmental programs, and delegates to states and
tribes the responsibility for issuing permits and for monitoring and enforcing compliance.
Perform environmental research: At laboratories located throughout the nation, the Agency
works to assess environmental conditions and to identify, understand, and solve current and
future environmental problems; integrate the work of scientific partners such as nations, private
sector organizations, academia and other agencies; and provide leadership in addressing
emerging environmental issues and in advancing the science and technology of risk assessment
and risk management.
Sponsor voluntary partnerships and programs: The Agency works through its headquarters
and regional offices with over 10,000 industries, businesses, non-profit organizations, and state
and local governments, on over 40 voluntary pollution prevention programs and energy
conservation efforts. Partners set voluntary pollution-management goals; examples include
conserving water and energy, minimizing greenhouse gases, slashing toxic emissions, re-using
solid waste, controlling indoor air pollution, and getting a handle on pesticide risks. In return,
EPA provides incentives like vital public recognition and access to emerging information
RMP RULE
The Environmental Protection Agency (EPA) maintains the RMP*Info database under the
agency's Risk Management Program. The RMP*Info database includes five-year incident
histories for covered facilities. About 14,500 facilities filed reports with the agency for the initial
period from 1994 to 1999. Only facilities meeting certain thresholds for listed chemicals are
covered under this program,
Congress enacted Section 112(r) of the Clean Air Act (CAA) to address the threat of catastrophic
releases of chemicals that might cause immediate deaths or injuries in communities. It requires
owners and operators of covered facilities to submit to the Environmental Protection Agency
(EPA) Risk Management Plans (RMPs) no later than June 21, 1999. RMPs must summarize the
potential threat of sudden, large releases of certain dangerous chemicals and facilities' plans to
prevent such releases and mitigate any damage.
The agency's vision is that "Every employer and employee in the nation recognizes that safety
and health adds value to the American businesses, workplaces, and worker’s lives." OSHA's new
five-year Strategic Management Plan sets goals and strategies to build on a base of success.
Faced with both new challenges and persistent safety and health issues, OSHA is committed to
focusing its resources on achieving three overarching goals:
OSHA's mission is to ensure safe and healthful workplaces in America. Since the agency was
created in 1971, workplace fatalities have been cut in half and occupational injury and illness
rates have declined 40 percent. At the same time, U.S. employment has doubled from 56 million
workers at 3.5 million worksites to 111 million workers at 7 million sites.
OSHA began Fiscal Year 2003 with a staff of 2,303 including 1,123 inspectors. The agency's
budget request is $454 million.
OSHA's efforts to protect workers' safety and health are built on the foundation of a strong, fair,
and effective enforcement program. OSHA seeks to assist the majority of employers who want to
do the right thing while focusing its enforcement resources on sites in high hazard industries -
especially those with high injury and illness rates.
OSHA plays a vital role in preventing on-the-job injuries and illnesses through outreach,
education, and compliance assistance. OSHA offers an extensive website at www.osha.gov. It
includes a special section devoted to assisting small business as well as interactive eTools to help
employers and employees. For example, the agency provides a broad array of training and
information materials on its recordkeeping standard as well as materials to assist employers and
workers in understanding and complying with its current steel erection standard. In 2002,
OSHA's website received 561 million hits from more than 16 million visitors.
OSHA provides a variety of publications in print and on CD-ROM, which are available from
OSHA's regional or national offices or the Government Printing Office at
Cooperative Programs
OSHA's Alliance Program enables trade or professional organizations, businesses, labor
organizations, educational institutions, and government agencies that share an interest in
workplace safety and health to collaborate with OSHA to prevent injuries and illnesses in the
workplace. OSHA and the organization sign a formal agreement with goals that address training
and education, outreach and communication, and promoting the national dialogue on workplace
safety and health.
OSHA regulations can be found in CFR Title 29 – Labor. Plant design engineers and operating
staff are strongly affected by OSHA rules covering exposure to workplace hazards. Some of
these documents include:
A process which involves a flammable liquid or gas (as defined in 1910.1200(c) of this
part) on site in one location, in a quantity of 10,000 pounds (4535.9 kg) or more except
for:
§ Hydrocarbon fuels used solely for workplace consumption as a fuel (e.g., propane
used for comfort heating, gasoline for vehicle refueling), if such fuels are not a
part of a process containing another highly hazardous chemical covered by this
standard;
§ Flammable liquids stored in atmospheric tanks or transferred which are kept
below their normal boiling point without benefit of chilling or refrigeration.
1. Employee Participation.
Employers shall develop a written plan of action regarding the implementation of the
employee participation required by this paragraph.
Employers shall consult with employees and their representatives on the conduct and
development of process hazards analyses and on the development of the other elements
of process safety management in this standard.
Employers shall provide to employees and their representatives access to process hazard
analyses and to all other information required to be developed under this standard.
In accordance with the schedule set forth in paragraph (e)(1) of this section, the employer
shall complete a compilation of written process safety information before conducting any
process hazard analysis required by the standard. The compilation of written process
safety information is to enable the employer and the employees involved in operating the
process to identify and understand the hazards posed by those processes involving highly
hazardous chemicals. This process safety information shall include information
pertaining to the hazards of the highly hazardous chemicals used or produced by the
process, information pertaining to the technology of the process, and information
pertaining to the equipment in the process.
The employer shall perform an initial process hazard analysis (hazard evaluation) on
processes covered by this standard. The process hazard analysis shall be appropriate to
the complexity of the process and shall identify, evaluate, and control the hazards
The employer shall use one or more of the following methodologies that are appropriate
to determine and evaluate the hazards of the process being analyzed.
§ What-If
§ Checklist
§ What-If/Checklist
§ Hazard and Operability Study (HAZOP)
§ Failure Mode and Effects Analysis (FMEA)
§ Fault Tree Analysis
§ An Appropriate Equivalent Methodology
4. Operating Procedures
The employer shall develop and implement written operating procedures that provide
clear instructions for safely conducting activities involved in each covered process
consistent with the process safety information and shall address at least the following
elements.
§ Initial startup
§ Normal operations
§ Temporary operations
The employer shall develop and implement safe work practices to provide for the control
of hazards during operations such as lockout/tagout; confined space entry; opening
process equipment or piping; and control over entrance into a facility by maintenance,
contractor, laboratory, or other support personnel. These safe work practices shall apply
to employees and contractor employees.
5. Employee Training
Each employee presently involved in operating a process, and each employee before
being involved in operating a newly assigned process, shall be trained in an overview of
the process and in the operating procedures as specified in paragraph (f) of this section.
The training shall include emphasis on the specific safety and health hazards, emergency
6. Contractors
The employer shall perform a pre-startup safety review for new facilities and for
modified facilities when the modification is significant enough to require a change in the
process safety information.
8. Mechanical Integrity
Application. Paragraphs (j)(2) through (j)(6) of this section apply to the following process
equipment:
Written procedures. The employer shall establish and implement written procedures to
maintain the on-going integrity of process equipment.
Training for process maintenance activities. The employer shall train each employee
involved in maintaining the on-going integrity of process equipment in an overview of
that process and its hazards and in the procedures applicable to the employee's job tasks
to assure that the employee can perform the job tasks in a safe manner.
Inspection and testing. Inspections and tests shall be performed on process equipment.
Inspection and testing procedures shall follow recognized and generally accepted good
engineering practices.
The frequency of inspections and tests of process equipment shall be consistent with
applicable manufacturers' recommendations and good engineering practices, and more
frequently if determined to be necessary by prior operating experience.
The employer shall document each inspection and test that has been performed on
process equipment. The documentation shall identify the date of the inspection or test, the
name of the person who performed the inspection or test, the serial number or other
Equipment deficiencies. The employer shall correct deficiencies in equipment that are
outside acceptable limits (defined by the process safety information in paragraph (d) of
this section) before further use or in a safe and timely manner when necessary means are
taken to assure safe operation.
Quality assurance.
The employer shall issue a hot work permit for hot work operations conducted on or near
a covered process.
The permit shall document that the fire prevention and protection requirements in 29
CFR 1910.252(a) have been implemented prior to beginning the hot work operations; it
shall indicate the date(s) authorized for hot work; and identify the object on which hot
work is to be performed. The permit shall be kept on file until completion of the hot work
operations.
The employer shall establish and implement written procedures to manage changes
(except for "replacements in kind") to process chemicals, technology, equipment, and
procedures; and, changes to facilities that affect a covered process.
The employer shall investigate each incident, which resulted in, or could reasonably have
resulted in a catastrophic release of highly hazardous chemical in the workplace.
The employer shall establish and implement an emergency action plan for the entire plant
in accordance with the provisions of 29 CFR 1910.38.
Employers shall certify that they have evaluated compliance with the provisions of this
section at least every three years to verify that the procedures and practices developed
under the standard are adequate and are being followed.
Employers shall make all information necessary to comply with the section available to
those persons responsible for compiling the process safety information (required by
paragraph (d) of this section), those assisting in the development of the process hazard
analysis (required by paragraph (e) of this section), those responsible for developing the
operating procedures (required by paragraph (f) of this section), and those involved in
incident investigations (required by paragraph (m) of this section), emergency planning
and response (paragraph (n) of this section) and compliance audits (paragraph (o) of this
section) without regard to possible trade secret status of such information.
Aside from the regulatory agencies, discussed above, companies are under little pressure to act
responsibly in regard to safety and the environment. However when used responsibly, these
measures equate to a safer workplace, reduce environmental pollution and create cost saving
measures. But, without outside verification, how can outside parties be assured that safety and
environmental performance is being achieved?
Illustrated in the table below are some commonly used certification programs, both voluntary
and regulatory.
OSHA’s PSM program has enhanced workplace safety within process industries. It includes a
provision for auditing program performance but stops short of mandating independent third party
audits. So while companies may realize some benefits from an internal audit, it is in essence, a
self examination.
Independent audits include SHARP (performed by OSHA personnel), ISO 14000 EMS
(registered environmental program), EPA risk management rule (companies must submit a
formal registration with a certification letter), ACC RC-14001 (third party review of responsible
care program) and OHSAS 18000 (attempt to incorporate ISO, RC, PSM and RMP programs).
The hydrocarbon industry can achieve credibility and good public perception by continuously
improving workplace safety and being sensitive to environmental issues. This can be achieved by
adhering to certification programs that contain safety and environmental standards (2).
(2) M. Sawyer, "Safety and Environmental Management and Compliance," Hydrocarbon Processing,
August 2003.
A review of worldwide chemical and petroleum industry safety performance (losses between
1957 and 1986) suggests the need for improved approaches to the handling of hazardous
materials. A majority of the 100 largest property losses of these industries (on an adjusted,
constant dollar basis) occurred during the last 10 years. Reversing this trend toward increasing
numbers of larger losses will require new initiatives.
Indeed, during the last 15 years we have seen the occurrence of a number of major chemical or
chemical-related incidents that have had major impacts on surrounding communities. A few of
these incidents, which have become “household words” as symbols of the potential downside of
technologies, are summarized in the table below:
Incident | Impact
Flixborough (1974), vapor cloud explosion | 28 fatalities on-site; $232 million damage; damage to homes off-site
Seveso (1976), toxic material release | Widespread contamination on-site and off-site
MANAGEMENT SYSTEMS
At every level, the critical ingredient in any management system is leadership. Leadership is
what drives a management system. For chemical process safety management, leadership is
essential to provide visibility, momentum, a sense of organizational commitment and direction,
and ultimately reinforcement, through the distribution of rewards and punishments for variable
levels of performance. Leadership is needed at every level – from the CEO to the first-line
supervisor. In the absence of strong, effective, continuing leadership, the desired level of safety
performance will not be achieved.
Management systems may be formal or informal; they may employ extensive written
documentation, or use very little of it. For a management system to be effective, its design
should consider both the culture, and “style,” of the organization within which it will be
implemented, and the criticality of the issue(s) being managed.
The process safety management approach should be consistent with the systems used for
managing other functions. Process safety management must be integrated with operating
management, not segregated from it.
Chemical process safety requires management systems to provide sound facility design,
construction, operation, and maintenance. The management systems serve to assure that
appropriate organizational resources are made available and used productively and efficiently.
They also assure the establishment of overall process safety goals and the integration of these
goals with business and other strategic organizational goals. In addition, process safety
management systems provide appropriate checks and balances to ensure that the various tactical
and task-level functions are carried out as intended.
At the strategic level, process safety management systems are concerned with establishing and
reviewing the overall process safety goals and policies of the organization. For example, process
safety management systems would involve consideration of the acceptability of the risks
associated with major corporate acquisitions, new products, and new processes.
At the tactical level, the process safety management systems are focused on providing
information and decision support for assuring that process operations are conducted in a safe
manner. A system for verifying that a process safety review has been performed in conjunction
with a capital expenditure is an example of a tactical level system.
At the task level, process safety management systems aim to control the regular, ongoing
activities. At this level, they attempt to create routine mechanisms for actions and to identify any
exceptions for individual attention. An example is the use of a checklist for performing a capital
project safety review.
PLANNING
Explicit Goals and Objectives. Managing any element of chemical process safety should start
with a clear statement of goals and objectives. Goals establish the desired outcome of the activity
– the end state the company wants to achieve. Goal statements can be qualitative (e.g., manage
operating risks so as to reduce potential future liability) or quantitative (e.g., accept no event with
an expected value greater than 10^-6 per year). Objectives then translate the goal into more
specific statements of purpose – what it is the company is trying to gain from the activity. For
example, an objective might be reduced downtime from unplanned maintenance.
ORGANIZING
Internal Coordination and Communication. Well-designed management systems seek to
eliminate organizational barriers to the coordination of process safety-related activities across
functional specialty lines, and to actively promote close working relationships among operating,
maintenance, engineering, research and development, medical, legal, safety, and environmental
personnel within the firm. Organizations characterized by strong formal and informal networks
of professionals sharing a process safety consensus are frequently better able to identify potential
new sources of hazards, and to respond to them more quickly and efficiently. Organizations that
IMPLEMENTING
Initiating Mechanisms. A management system for chemical process safety should identify and
provide for specific mechanisms that trigger appropriate actions as needed. For example, safety
reviews should be triggered at appropriate stages of the capital project design process.
CONTROLLING
Variance Procedure. Special circumstances sometimes necessitate departures from established
operating procedures, which should be considered and approved through established
mechanisms. For example, operation with an interlock mechanism disconnected (e.g., while
troubleshooting a problem) should be reviewed in advance through a variance procedure.
When a deviation from normal procedures is to be made, the management system should assure
that the risk implications of the deviation will be considered, that special risk controls will be
adopted if appropriate, that the extent and duration of the departure from normal procedure will
be limited, and that the appropriate manager(s) will approve the deviation.
SUMMARY
In developing a process safety management system, design parameters will be imposed by the
organization within which one is working. For example, the overall company organizational
structure, existing systems for policy and procedure development and approval, resource
availability for process safety management system development, timeframes available for system
development, and existing data bases all influence management system design. However, while
working within these design parameters, the special needs of process safety management must be
reflected as well.
In the United States, two federal regulations cover process safety: OSHA 29 CFR 1910.119 and
EPA 40 CFR 68. OSHA’s mandate is to protect the safety and health of workers, while the EPA
is more concerned with protection of the public and the environment. There is a good deal of
overlap between the two because an accident that injures a worker could also affect the general
public and vice versa. Because of these similarities, both agencies involved have worked to
minimize duplication between their respective standards. The differences that remain between
them tend to reflect the distinct goals of the two organizations. For example, EPA is more
concerned about the consequences of catastrophic releases of toxic materials into the community.
In addition to these federal regulations, state and local regulations also cover process safety.
With respect to process safety, any state has the right to promulgate its own standards, as long as
these standards are at least as stringent as the federal regulation. There are also industry process
safety standards, which may not have the force of law, but nevertheless provide important
guidance and can possess considerable authority, especially when regulations recommend using
good engineering practice.
One of the most important consequences of having a standard developed by industry was that the
resulting regulations were non-prescriptive and performance based. The task team who drafted
the standard tried to avoid the problem of having a large number of lengthy, highly prescriptive,
detailed regulations such as are found in the environmental and nuclear power businesses. This is
important because there is such a wide variety of processes and technologies, and the
development of detailed standards for all of them would have been very time consuming and
inefficient.
Although there are differences between the OSHA and EPA regulatory programs, the technical
requirements are generally similar. If a company develops a PSM program to meet one standard,
it is likely that it has gone most of the way toward meeting the requirements of the others. The
general approach to organizing a process safety program is to make it part of the Risk
Management Program (RMP) that has been developed by the EPA. Since the RMP rule is
broader in scope and has more requirements, the OSHA standard can be incorporated within it,
using the following three-step approach:
The second of these three steps is very similar to the OSHA PSM program.
Both OSHA and EPA statutes contain general duty clauses that can be used to cover situations
not explicitly identified by the regulations, but nevertheless, in the judgment of the agency, fall
within its purview.
One of the biggest differences between the RMP rule and a PSM program is that EPA requires
that a formal, written program be prepared and placed in the public domain. OSHA does not
require this. EPA is concerned with off-site issues and the long-range impact of an accident.
With this in mind one of the requirements of the first draft of the RMP rule was to prepare an
absolute worst-case scenario, which could then be viewed by the public. OSHA does not require
a worst-case analysis, but some companies choose to conduct them anyway.
Many international companies have chosen to meet the requirements of the OSHA and EPA
standards worldwide as an expression of their global commitment to worker safety and the
environment. Even when a company does not have to comply with the OSHA standard, it still
makes sense to use its structure for the design and implementation of a process safety program
because most other industry guidelines and protocols are very similar to it. In addition to this,
many countries outside the United States use OSHA and EPA regulations as a basis for their own
regulations and industry guidelines. It makes sense that companies in these countries use these
regulations as guidance for their own specific programs and commitment to safety and the
environment.
[Figure: surviving labels "300: Near Miss" and "3000: Hazards"]
The key to successful implementation of PSM requirements is the understanding that the
program is a true management system, which incorporates the four basic steps of a management
system.
Basic Steps of a Management System
1. Plan
2. Organize
3. Implement
4. Control
An effective PSM program requires a systematic approach to evaluating the whole process.
Using this approach, the process design, process technology, operational and maintenance
activities and procedures, non-routine activities and procedures, emergency preparedness plans
and procedures, training programs, and other elements that impact the process are all considered
in the evaluation. The various lines of defense that have been incorporated into the design and
operation of the process to prevent or mitigate the release of hazardous chemicals need to be
evaluated and strengthened to assure their effectiveness at each level.
Participation
Performance Based
Quantification
Auditing
Thoroughness
On Going
Documentation
Scope
The following processes are covered by 29 CFR 1910.119, “Process Safety Management”.
§ A process which involves a chemical at or above the specified threshold quantities listed
in Appendix A of 29 CFR 1910.119.
§ A process which involves a flammable liquid or gas (as defined in 1910.1200(c) of this
part) on site in one location, in a quantity of 10,000 pounds (4535.9 kg) or more, except
for the following:
• Hydrocarbon fuels used solely for workplace consumption as a fuel (e.g., propane
used for comfort heating, gasoline for vehicle refueling), if such fuels are not a part of
a process containing another highly hazardous chemical covered by this standard.
• Flammable liquids stored in atmospheric tanks or transferred that are kept below their
normal boiling point without benefit of chilling or refrigeration.
§ Retail facilities
§ Oil or gas well drilling or servicing operations
§ Normally unoccupied remote facilities
PSM Elements
PSM programs typically include about a dozen major elements. The OSHA standard, the one that
most companies in the United States follow, contains 14 elements. These elements are discussed
below and are explained in detail in Appendix C.
Catastrophic failures in industry usually occur when one or more of the PSM elements are not
adhered to. The PSM violations most often cited by OSHA are breaches of the MI clause,
followed by Process Hazards Analysis (PHA) and Process Safety Information. MI is
discussed in more detail below.
MECHANICAL INTEGRITY
Paragraph (j) of OSHA 29 CFR 1910.119, which is concerned with MI, states that an MI program
shall be in place to assure the continued integrity of process equipment. Equipment used to
process, store, or handle highly hazardous chemicals needs to be designed, constructed, installed,
and maintained to minimize the risk of releases of such chemicals.
The following key positions are frequently involved in the development of the MI program. For
each position, the appropriate responsibility, authority, and accountability for implementation of
MI programs should be documented. (Note: The name of the position may vary depending on
local nomenclature.)
§ Plant Manager
§ Maintenance Department Supervisor
§ Inspection Department Supervisor
§ Purchasing Department Supervisor
§ Warehousing Department Supervisor
§ Operations Department Supervisor
§ Quality Assurance/Control Department Supervisor
Some of the key assignments that are typically made for the MI program include, but are not
limited to:
If contract employees are used to assist in the development and implementation of MI programs,
care should be taken to clearly establish the role of the contractor. This should include
documenting the contract responsibility, authority, and accountability in the MI programs.
§ Establish and implement written procedures to maintain the ongoing integrity of process
equipment.
§ Train each employee involved in maintaining the ongoing integrity of process equipment.
§ Provide an overview of all covered process equipment and its hazards.
§ Provide all employees with procedures applicable to the employee's job tasks to assure
that the employee can perform these tasks in a safe manner.
Scope
Paragraph (j) of OSHA 29 CFR 1910.119 lists six elements for the successful implementation of
an MI program. These elements are discussed below:
The first step of an effective MI program is to compile and categorize a list of process
equipment and instrumentation for inclusion in the program. This list would include
pressure vessels, storage tanks, process piping, relief and vent systems, fire protection
system components, emergency shutdown systems and alarms, and interlocks and pumps.
For the categorization of instrumentation and the listed equipment, the employer should
prioritize which pieces of equipment require more detailed inspections and analysis. One
way of prioritizing equipment is to use a risk-based approach, as discussed in the next
section.
2. Written Procedures
The employer shall establish and implement written procedures in order to maintain the
ongoing integrity of all process equipment.
§ Inspection and testing procedures shall follow recognized and generally accepted
good engineering practices.
§ The frequency of inspections and tests of process equipment shall be consistent with
applicable manufacturers' recommendations and good engineering practices, and
more frequently, if determined to be necessary by prior operating experience.
The employer shall document each inspection and test that has been performed on
process equipment. The documentation shall identify the following:
The applicable codes and standards provide criteria for external inspections for
such items as foundation and supports, anchor bolts, concrete or steel supports,
guy wires, nozzles and sprinklers, pipe hangers, grounding connections,
protective coatings and insulation, and external metal surfaces of piping and
vessels, etc. These codes and standards also provide information on
methodologies for internal inspection, and a frequency formula based on the
corrosion rate of the materials of construction. Also, both internal and external
Internal inspections need to cover items such as vessel shell, bottom, and head;
metallic linings; nonmetallic linings; thickness measurements for vessels and
piping; inspection for erosion, corrosion, cracking, and bulges; and, internal
equipment like trays, baffles, sensors, and screens for erosion, corrosion, or
cracking and other deficiencies. State or local government inspectors under state
and local statutes may perform some of these inspections. However, each
employer needs to develop procedures to ensure that tests and inspections are
conducted properly and that consistency is maintained even where different
employees may be involved.
5. Equipment Deficiencies
The employer shall correct deficiencies in equipment that are outside acceptable
limits (defined by the process safety information in paragraph (d) of 29 CFR
1910.119) before further use or in a safe and timely manner when necessary
means are taken to assure safe operation.
6. Quality Assurance
"As-built" drawings, together with certifications of coded vessels and other equipment, and
materials of construction need to be verified and retained in the quality assurance documentation.
Equipment installation jobs need to be properly inspected in the field for use of proper materials
and procedures and to assure that qualified craftsmen are used to do the job.
The use of appropriate gaskets, packing, bolts, valves, lubricants, and welding rods needs to be
verified in the field. Also, procedures for installation of safety devices need to be verified, such
as the torque on the bolts on ruptured disc installations, uniform torque on flange bolts, proper
installation of pump seals, etc.
The quality assurance program is an essential part of the MI program and will help to maintain
the primary and secondary lines of defense, which have been designed into the process to prevent
unwanted chemical releases or those which control or mitigate a release.
An MI paragraph is devoted to the inspection and testing of process equipment. Since it is not
economically viable to conduct comprehensive inspections and tests on each piece of equipment
BIBLIOGRAPHY
Center for Chemical Process Safety of the American Institute of Chemical Engineers,
Technical Management of Chemical Process Safety, American Institute of Chemical Engineers,
1989
INTRODUCTION
On March 20, 1992, an explosion occurred at Marathon Oil, Ill., in which seven workers were
burned (See Chemical Process Safety Report, December 1992, p. 11). Citations were issued
Nov. 2, 1992, and Marathon formally contested them before the Occupational Safety and Health
Review Commission. Marathon was cited for 11 willful violations. Subsequent inspections
revealed deficiencies in various elements of the refinery’s process safety management (PSM)
program, hazardous waste and emergency response operations, and its health and safety program
to protect workers potentially exposed to benzene and other hazardous materials.
Scenario:
Causes:
Remedies:
While government rules and regulations tell companies they need to institute certain programs,
they do not explain exactly how these programs should be implemented. Generally, facilities
have a choice of options when it comes to implementing safety, reliability, and integrity
programs. Important criteria when selecting a particular program would be:
STANDARD PRODUCERS
Non-governmental agencies have historically had a major role in developing standards. Many
non-profit bodies have committees that focus on detailed design, inspection, installation, and
operating requirements for equipment and process situations. These bodies frequently have
experience and expertise not present in governmental agencies.
Their standards are generally accepted since they follow procedural requirements of the
American National Standards Institute (ANSI). All affected parties may provide input and
decisions are arrived at transparently by consensus. The following represents a sample of major
industrial standards-writing groups, but there are hundreds of others.
The American National Standards Institute (ANSI) has served in its capacity as administrator
and coordinator of the United States private sector, voluntary standardization system for 80
years. Founded in 1918 by five engineering societies and three government agencies, the
Institute remains a private, non-profit membership organization supported by a diverse
constituency of private and public sector organizations.
The mission of the International Code Council (ICC) is to promulgate a comprehensive and
compatible regulatory system for the built environment, through consistent, performance-based
regulations that are effective, efficient, and meet government, industry and public needs.
The NSSN BASIC is a free online information service providing access to bibliographic information
for more than 225,000 approved standards. Search this online catalog for title words or document
numbers to find out if the standard you need exists, and, if so, where to find it.
BSI was the first national standards body in the world. There are now more than 100 similar
organizations that are members of the International Organization for Standardization (ISO) and
the International Electrotechnical Commission (IEC). These bodies produce harmonized world
standards. BSI ensures the views of British industry are represented in this area.
As the primary trade association of that industry, API represents more than 400 members
involved in all aspects of the oil and natural gas industry. This association draws on the
experience and expertise of its members and staff to support a strong and viable oil and natural
gas industry.
Process Industry Practices (PIP) is a consortium of process industry owners and engineering
construction contractors who serve the industry. PIP was organized in 1993 and is a separately
funded initiative of the Construction Industry Institute (CII), at The University of Texas at
Austin. PIP publishes documents called “Practices.” These Practices reflect a harmonization of
company engineering standards in many engineering disciplines.
The Board of Certified Safety Professionals (BCSP) was organized as a peer certification board
with the purpose of certifying practitioners in the safety profession. The specific functions of the
Board, as outlined in its Charter, are to evaluate the academic and professional experience
qualifications of safety professionals, to administer examinations, and to issue certificates of
qualification to those professionals who meet the Board's criteria and successfully pass its
examinations.
ASHRAE will advance the arts and sciences of heating, ventilation, air conditioning,
refrigeration, and related human factors to serve the evolving needs of the public and ASHRAE
members.
Founded in 1880 as the American Society of Mechanical Engineers, today ASME International
is a non-profit educational and technical organization serving a worldwide membership of
125,000. Its mission is to promote and enhance the technical competency and professional well
being of its members, and through quality programs and activities in mechanical engineering,
better enable its practitioners to contribute to the well being of humankind.
ASTM is a not-for-profit organization that provides a forum for producers, users, ultimate
consumers, and those having a general interest (representatives of government and academia) to
meet on common ground and write standards for materials, products, systems, and services.
The American Institute of Chemical Engineers, AIChE, was founded in 1908. AIChE is a
professional association of more than 50,000 members that provides leadership in advancing the
chemical engineering profession. Its members are creative problem-solvers who use their
scientific and technical knowledge to develop processes and design and operate plants to make
useful products at a reasonable cost. Chemical engineers are also at the forefront of research to
assure the safe and environmentally-sound manufacture, use, and disposal of chemical products.
AIChE fosters and disseminates chemical engineering knowledge, supports the professional and
Founded in 1985, The Center for Chemical Process Safety (CCPS) brings together
manufacturers, insurers, government, academia, and expert consultants to lead the way in
improving manufacturing process safety. CCPS and its sponsors are committed to protecting
employees, communities, and the environment by developing engineering and management
practices to prevent or mitigate catastrophic releases of chemicals, hydrocarbons, and other
hazardous materials.
Formed in 1976, the Design Institute for Emergency Relief Systems (DIERS) was a consortium
of 29 companies to develop methods for the design of emergency relief systems to handle
runaway reactions. DIERS became a users group in 1985. Presently, over 120 companies have
formed the DIERS Users Group to cooperatively assimilate, implement, maintain and upgrade
the DIERS methodology. The purpose of the group is: to reduce the frequency, severity, and
consequences of pressure producing accidents, and to develop new techniques that will improve
the design of emergency relief systems.
Since its founding in 1913, ASM International has existed to provide a means for exchanging
information and professional interaction. Today, its role has expanded to serve the technical
interests of metals and materials professionals all over the world, but providing information and
interaction remains its main purpose.
The Chlorine Institute, Inc., founded in 1924, is a trade association of companies and other
entities that are involved or interested in the safe production, distribution and use of chlorine,
sodium and potassium hydroxides, and sodium hypochlorite, and the distribution and use of
hydrogen chloride. Because of chlorine's nature and its widespread and varied use, the promotion
of its safe handling has long been an accepted responsibility of its producers, packagers,
distributors and users.
CGA develops & publishes technical information, standards, and recommendations for safe and
environmentally responsible practices in the manufacture, storage, transportation, distribution,
and use of industrial gases.
The American Chemistry Council represents the leading companies engaged in the business of
chemistry. Council members apply the science of chemistry to make innovative products and
services that make people's lives better, healthier and safer. The Council is committed to
improved environmental, health and safety performance through Responsible Care, common
sense advocacy designed to address major public policy issues, and health and environmental
research and product testing.
NACE offers education programs for both members and nonmembers in the US, Canada, and a
variety of international locations. NACE’s mission is to reduce the impact of corrosion
The mission of the international nonprofit NFPA is to reduce the worldwide burden of fire and
other hazards on the quality of life by providing and advocating scientifically-based consensus
codes and standards, research, training and education.
NFPA membership totals more than 75,000 individuals from around the world and more than 80
national trade and professional organizations.
The Fire Research Station is a division of the Building Research Establishment (BRE), a
non-profit construction research institute located in the United Kingdom. It is the UK's leading centre
for fire research and consultancy on all aspects of fire and fire safety. Its contribution to the
understanding of fire and the development of an engineered approach to fire safety spans 50
years.
The Petroleum Equipment Institute is a non-profit corporation. PEI is a trade association whose
members manufacture, distribute, and service petroleum marketing and liquid handling
equipment.
Recognized as a leader in the storage tank industry today, STI members fabricate safe and
environmentally friendly storage alternatives for petroleum products, which exceed all current
Environmental Protection Agency standards.
Underwriters Laboratories Inc. provides global conformity assessment; product testing and
certification services: ISO9000, QS-9000 and ISO 14001 registrations. Find out information
about these UL services and our UL Marks, standards and product directories on our web site.
Some of the specific testing services covered here include alarm systems, EMC, EPH, fire, ITE,
hazardous locations equipment, and medical devices testing. Information for jurisdictional
authorities and safety tips for consumers can also be found here.
The standards produced by these non-governmental agencies are not legal documents and have
no legal standing until they are adopted by governmental agencies. Many industrial standards are
incorporated by reference in laws. They thus take on a legal status and become codes.
Codes and standards contain an effective date and the edition. All codes contain a Scope, which
may be a few simple sentences or a paragraph. Scope defines what is covered and what is
specifically excluded. Officials (authorities having jurisdiction) must have the discretion to
approve systems, methods or devices that are equivalent or superior to those described in the
codes. They also have the discretion to impose more stringent requirements to meet situations
where appropriate.
Definitions are important for avoiding ambiguity and confusion. For example, in NFPA 30, a
container and storage tank are precisely distinguished from one another.
The bulk of any code is its Requirements. These are often very prescriptive. Finally, codes often
contain Appendices (or Annexes) that present explanatory material. An appendix may be part of
the requirements, or may be included as information. Codes may also include a referenced list of
applicable publications.
APPLICABLE CODES
The following table lists codes that are commonly encountered in the Hydrocarbon Processing
industries. Many associations such as ASME, API, NFPA, and NACE offer training seminars on
using their codes. The best way to master a code is to join and actively participate in the
committee responsible for its development and support.
When you review a situation for safety, or for compliance with a particular regulation or code,
you have both legal and ethical responsibilities to fulfill. Because of these legal responsibilities,
you serve yourself and your employer best by bringing any design, testing, installation or
operational deficiencies to the attention of your supervisor or manager.
If you are not satisfied with their response, you must go further. In fact the National Society of
Professional Engineers makes it explicit in their Code of Ethics for Engineers.
Part II, 1a states “If an engineer's judgement is overruled under circumstances that endanger life
or property, they shall notify their employer, or client and such authority that may be
appropriate.”
Once a deficiency is detected, it is important to carefully and clearly document it together with
the course of action you proposed, to whom it was proposed and on what date. If the situation
warrants it, try and create an audit trail for future reference.
As long as you have a basic understanding of codes that apply to your facility and operations,
you will probably not be placed in a compromising position, and have the satisfaction of
contributing to the safety of your co-workers, your community and society at large. (1)
(1) Cooper, H.W., Understanding basic engineering codes, Hydrocarbon Processing, August 2003.
There are many codes and standards of interest. Historically, incidents of pressure vessel failures,
notably of steam boilers, led to the development of regulatory codes. These codes relate to the
design and inspection in the public interest.
American National Standards Institute (ANSI) and American Society of Mechanical Engineers
(ASME) are the governing organizations for many documents relating to material selection,
especially pipe. American Society for Testing and Materials (ASTM) is the primary source of
specifications relating to corrosion-resistant materials and various kinds of corrosion tests.
The National Association of Corrosion Engineers (NACE) has committees that write standards
and exchange information in specific industries or particular areas of concern. NACE standards
consist of recommended practices, materials requirements, and test methods for a variety of corrosion
control or material selection problems.
Under the sponsorship of the American Society of Mechanical Engineers (ASME) the Boiler and
Pressure Vessel Committee established rules of safety governing the design, fabrication, and
inspection during construction of boilers and pressure vessels. ASME committees are made up of
volunteers comprised of fabricators, owners, users, regulatory agencies and Authorized
Inspection Agencies. They issue and maintain Codes of safety standards for design, material
selection, fabrication, testing and documentation of pressure vessels and boilers.
ASME is made up of various committees. There are several Codes, and sub-committees develop
these Codes. The fabrication codes include:
There are also reference codes issued to support the construction codes. These include:
The ASME B&PV Code applies to both fired (Section I) and unfired (Section VIII) pressure
vessels.
3. Subsection C Materials
Part UNC Carbon steel
Division 2
Allows users more latitude in engineering calculations by changing allowables in formulas. Can
incorporate mechanisms such as fatigue and creep into engineering design analysis.
ASME Code committees have developed codes for pressure piping, B31. The following piping
standards are recognized:
In addition to this, the B31 committee publishes a supplement on corrosion, B31G, entitled
“Manual for Determining the Remaining Strength of Corroded Pipelines.”
The ASME Code Section V is the reference Code that contains requirements for nondestructive
examinations that are Code requirements and are referenced and required by other Code
Sections.
The National Board (NB) is an organization made up of law enforcement officials in the United
States and Canada. They administer and enforce boiler and pressure vessel laws in their
jurisdiction. The NB also standardizes inspector qualifications and issues Commissions to
Authorized Inspectors who successfully pass the examinations.
Authorized Inspection Agencies are the organizations that employ Authorized Inspectors. The
Agency may be either the jurisdiction charged with the enforcement of the boiler or pressure
vessel laws or an insurance company authorized to write boiler and pressure vessel insurance
within a jurisdiction.
The National Board of Boiler and Pressure Vessel Inspectors is an organization comprised of
Chief Inspectors, for the states, cities and territories of the United States; provinces and
territories of Canada; and Mexico. It is organized for the purpose of promoting greater safety to
life and property by securing concerted action and maintaining uniformity in the construction,
installation, inspection, repair and alteration of pressure retaining items. This assures acceptance
and interchangeability among jurisdictional authorities responsible for the administration and
enforcement of various codes and standards.
The purpose of the National Board Inspection Code (NBIC) is to maintain the integrity of
pressure-retaining items after they have been placed in service by providing rules for inspection,
repair and alteration. This ensures that these equipment items may continue to be safely used.
The NBIC is intended to provide guidance to jurisdictional authorities, Inspectors, users and
organizations performing repairs and alterations. This encourages the uniform administration of
rules to pressure-retaining items.
The American Petroleum Institute (API) is a trade association representing the entire
petrochemical industry. The chemical process industry adopted the API standards for chemical
process tanks and vessels. API began in 1919, formed from the need to standardize engineering
specifications for drilling and production equipment. API has developed more than 500 standards
The American Petroleum Institute (API) standards provide guidance to users and organizations
performing inspections, repairs, alterations and re-rating of vessels, piping and tanks.
The API 510 “Pressure Vessel Inspection Code: Maintenance Inspection, Rating, Repair, and
Alteration” is the pressure vessel inspection code for the petroleum and chemical process
industries.
The API 570 “Inspection, Repair, Alteration, and Rerating of In-Service Piping Systems” is the
piping inspection code for the petroleum and chemical process industries.
The API 653 “Tank Inspection, Repair, Alteration and Reconstruction” is the inspection code for
welded or riveted, non-refrigerated, atmospheric pressure, aboveground storage tanks for the
petroleum and chemical process industries.
The API RP 579 “Fitness for Service” is a recommended practice (RP). The purpose of the
recommended practice is to provide guidance as to the methods applicable to assessments that
are specific to the type of flaw or damage encountered in refinery and chemical process plant
equipment.
The API RP 580 “Risk Based Inspection” is a recommended practice (RP). The purpose of the
recommended practice is to provide guidance as to the development of a risk based inspection
program with the methodology presented in a step by step manner for users in refinery and
chemical process plants.
There occasionally have been some misunderstandings about the ASME Boiler & Pressure
Vessel Code Requirements and operating pressures or temperatures. The Code is very explicit in
regard to how design pressures and temperatures are used in the construction of pressure vessels.
No provisions are given in the Code for allowing an operating pressure or temperature that is
higher than the design pressure or temperature, which is shown on the vessel nameplate and U-1
form (Manufacturer’s Data Report). What this means is that if either or both of the operating
temperature and pressure are greater than the design temperature and pressure (as shown
on the U-1 form), the vessel is not in compliance with the Code.
Differences between operating and design conditions usually result from changes in process
conditions or reusing equipment that was designed for other applications. In most cases,
the changes are not detrimental to a safe operating environment for the plant, but Code
requirements are not met. Re-rating as an alteration in accordance with API 510 is the
required course of action.
“When a pressure vessel is built to the ASME Boiler and Pressure Vessel Code,
Section VIII, Div. 1, it has been designed to operate up to a specific pressure and
temperature. These restrictions will not prevent the vessel from safe operation at a
higher maximum allowable operating pressure (MAOP), if rerating requirements
are met. Until then the vessel may not be operated at pressures or temperatures
greater than the design allowable values as recorded on the vessel nameplate and
U-1 form.”
The design pressure-temperature relationship that becomes a permanent part of the pressure
vessel's nameplate and U-1 Form (Manufacturer’s Data Report) has an important impact on
piping, flanges, and flanged-fittings design. ANSI B16.5 gives Pressure-Temperature Ratings for
Steel Pipe Flanges and Flanged Fittings. An increase in operating temperature above design
temperature can result in a higher flange rating being required for the pressure at that
temperature. For example, assume a reactor (Equipment Number 123) has a design
temperature of 250°F and a design pressure of 650 psig. A 300-pound flange rating class is
required for this installation. If the operating temperature is raised to 400°F with the pressure
remaining at 650 psig, a 400-pound flange rating class is necessary for this pressure-temperature
relationship.
In the worst case scenario, we may end up with a flange rating that is not adequate for the
temperature-pressure relationship. This argument is the primary reason for the careful control on
design temperatures in pressure vessel code work.
API 510, Pressure Vessel Inspection Code: Maintenance Inspection, Rating, Repair, and
Alteration covers repairs, alterations and re-rating of pressure vessels. A re-rating is defined in
Section 3, Subsection 3.16 as follows:
“All repair and alteration work must be authorized by the authorized pressure
vessel inspector before the work is started by a repair organization (see 3.13).
Authorization for alterations to pressure vessels that comply with Section VIII,
Divisions 1 and 2, of the ASME Code and for repairs to pressure vessels that
comply with Section VIII, Division 2, of the ASME Code may not be given until
a pressure vessel engineer experienced in pressure vessel design has been
consulted about the alterations and repairs and has approved them. The authorized
pressure vessel inspector will designate the fabrication approvals that are
required. The authorized pressure vessel inspector may give prior general
authorization for limited or routine repairs as long as the inspector is sure that the
repairs are the kind that will not require pressure tests.”
“The authorized pressure vessel inspector shall approve all specified repair and
alteration work after an inspection of the work has proven the work to be
satisfactory and any required pressure test has been witnessed.”
If a vessel is not operating in compliance with the ASME Boiler & Pressure Vessel Code, the
vessel should be brought into compliance, by reduced operating conditions, re-rating or alteration
according to the applicable Code requirements. The information on the alteration of these vessels
should be gathered, the re-rating calculations performed, and the documentation that the vessels
are suitable for the new service conditions should be presented to the authorized pressure vessel
inspector for their approval. A new nameplate will be required with the new pressure and
temperature information, per API 510 requirements.
Rerating of a pressure vessel should be straightforward, but the following procedure from API
510 should be followed in accordance with paragraph 7.3, “Rerating”:
“Rerating a pressure vessel by changing its temperature ratings or its maximum allowable
working pressure may be done only after all of the following requirements have been
met:
BIBLIOGRAPHY
Dillon, C.P, Corrosion Control in the Chemical Process Industries, McGraw-Hill Book
Company, 1986.
ACCIDENT STATISTICS
It is natural to associate the word ‘catastrophe’ with some large-scale event such as the collision
of two passenger aircraft, or the destruction by fire of a major offshore oil platform like Piper
Alpha. In the case of fatal accidents, however, it is not so simple. Where does one draw the line?
Must there be a hundred deaths, or fifty or twenty? There is no good answer to this question.
Indeed, the premature accidental death of a single person is a tragedy for family and friends, and
may have dire financial consequences. So far as material loss is concerned, there has to be a
lower limit that is dictated by the nature of the record concerned. The annual statistical summary
produced for shipping losses by Lloyd’s Register, for example, covers vessels having a
displacement of 100 tons or more.
Accident statistics are dull things, entirely stripped of the drama surrounding the incidents to
which they pertain. Nevertheless, there are good reasons why those concerned with the safety of
workers and travelers should study them. For one thing, the historical record shows whether
safety is improving or not, and where there is an improvement at what rate this is taking place.
Secondly, they may be used to make comparisons, and from these it may be possible to determine
the level of safety that is achievable. Thirdly, accident statistics may in some circumstances
relate to human behavior; they may, for example, point to different levels of skill, to greater or
less diligence at work, or (particularly in the case of road traffic accidents), to a degree of caution
in one instance and a degree of recklessness in another.
In many cases, and notably among the older industries and modes of transport, the number of
losses or casualties decreases exponentially with time. However, in all such cases there was a
time when the industry in question did not exist, and when the associated losses must have been
zero. It follows that if losses were plotted for a particular vehicle or industry from the day of its
introduction, the resulting curve would rise to a peak and then fall gradually downwards. Such a
rise and fall is to be seen in the case of road traffic accidents; in fact, this diagram has two peaks,
but the central depression is due to the effects of the 1939–45 war. This trend is also to be seen
in the record for annual fatalities in British manufacturing industry, as will be seen later.
It may reasonably be surmised that the initial rise in the number of losses is due to an increase in
the number of units (vehicles for example) or in the number of persons at risk. The losses would
be expected initially to be more or less proportional to such numbers. Then at some stage
improvements in reliability and better safety measures begin to take effect, and the number of
losses reaches a maximum and begins to fall.
– Engineering Catastrophes, John Lancaster, CRC Press.
Since the start of the industrial revolution injuries and deaths due to equipment failures have
occurred. Tracking the statistics of these failures enables us to prevent future occurrences.
Reviewing statistics enables us to:
Power Boilers
Boiler catastrophes and explosions in the later part of the last century prompted government
intervention. Statistics enable us to view the success of these regulations.
The following graph shows the loss curve for fatal injuries due to accidents in the British
manufacturing industry. It can be seen that there has been a steady downward trend since the
1920s.
The aircraft industry has kept records and statistics on failures in the industry for decades. These
statistics give us insight into types and modes of failures in the industry. The number of aircraft
lost over the past 40 years is shown below.
However, this does not mean that aircraft are failing at an increasing rate. If we look at the
number of aircraft in service, there is an exponential growth. This is shown in the figure below:
Powerplant or thrust reversers      31
Landing gear, brakes and tyres      29
Electricals, instruments            15.6
Passenger cabin problems            4.4
Auxiliary power units               2.2
Hydraulics                          2.2
Type of mechanical failure leading to total loss of jet aircraft as a percentage of total failure.
(Boeing survey).
Fatigue                             46
Corrosion                           27
Stress corrosion                    16
Corrosion fatigue                   11
The second half of the twentieth century saw a major technological revolution in that oil and
natural gas replaced coal as a source of energy for industry and transport generally, and as a
feedstock for the chemical industry. This, combined with industrial growth in the developed
countries, resulted in a rapid increase in oil consumption and a corresponding expansion of oil
exploration and production.
Looking at oil companies and contractors, all operations, world-wide, 1988 to 1997, the causes
of fatal accidents are shown below:
Vehicle accident                    19
Explosion or fire                   15
Drowning                            11
Aircraft accident                   10
Other                               9
Falls                               8
Electrocution                       5
The cost of such losses and accidents is enormous to the industry. The following graph shows
losses to the industry over the last 50 years.
[Figure: financial loss, $ billions, by period (1967-71, 1972-76, 1977-81, 1982-86, 1987-91, 1992-96)]
                                    Number    % of Total
(a) Mobile Units
Capsize, etc*                       31        42
Blowout                             16        22
Structure failure                   10        14
Towing accident                     6         8
Explosion, fire                     2         3
Other                               9         11
The table below shows types of process units in which major losses occurred: worldwide survey,
1962 to 1991
The following table shows the type of incident causing major losses in process plant: worldwide
survey
The table below shows equipment in which failures leading to large losses in process plant
occurred: world-wide survey, all losses
Percentage of all losses
                                    EC survey    World survey
Mechanical failure                  39           43
Operational error                   17           21
Process upset                       13           11
Natural hazard                      3            5
Other/unknown                       28           20
The table below shows the type of failure and equipment in which failure occurred: disruptive
failures in European countries: mechanical and corrosion failures only
                                    % of Total Number of Losses
Mechanical failure
Piping                              25
Instruments and control systems     9
Valves                              6
Machinery                           6
Welds                               5
Total, mechanical                   51
Corrosion
Internal                            11
External                            7
Total, corrosion                    18
                                    Percentage
(a) Mechanical (81% of total)
Overheating                         75
Graphitization                      5
Fatigue                             4
Erosion                             4
Weld failures                       3
Swages                              3
Tube ties, legs                     3
Other                               3
(b) Corrosion (19% of total)
Impure boiler feedwater             37
Hydrogen damage                     20
Fuel ash corrosion                  19
Oxygen pitting                      11
Stress corrosion cracking           8
Caustic attack                      5
1. Oil and gas producers have set up an association known as the International Exploration and
Production Forum (the E and P Forum, for short). This organization operates world-wide,
and one of its activities is the accumulation of data on safety in the operations of member
companies and their contractors. The results are published annually in a report entitled E and
P Industry Safety Performance Accident Data. The data are relevant to all company and
contractors’ work relating to exploration and primary production, both onshore and offshore.
Data gathering started in 1984, and sufficient material is now available for trends to be
established.
2. The Worldwide Offshore Accident Database (WOAD) published biennially by Det Norske
Veritas, Oslo, gives much greater detail for offshore operations. Norske Veritas gathers
information from official (governmental) reports, newspapers, periodicals, oil companies and
from offices of the Veritas group of companies. These are classification societies, like
Lloyd’s Register. The WOAD records go back to 1970.
The software is now publicly available for companies to perform their own reliability data
collection.
5. Additional information may also be provided by national bodies such as the Health and
Safety Executive in the United Kingdom.
Research in areas of process safety has as its objective a reduction of the risk of an
accident. But a significant gap appears between the generation of research results and new
information and their use by industry, especially by Small to Medium Enterprises (SMEs).
In an effort to reduce this gap, a European Thematic Network on Process Safety, funded
under the Brite Euram Programme has been developed.
The network is called SAFETYNET, and its aim is to encourage links between industrial
enterprises, such as manufacturers, processors, and service providers, and legislative bodies,
research organizations and information outlets so that knowledge on all aspects of health and
safety in the areas of fire, explosion and process hazards becomes as widely disseminated as
possible, leading to rapid adoption of safety techniques and stimulation of further
developments, by the creation of new and wider partnerships.
§ A monthly electronic newsletter which includes news from the EU, information on
upcoming conferences and seminars, opportunities for co-operation and any other
short messages with the latest news. All participants can submit items for publication,
§ The operation of a database providing information on participating organizations,
areas of current research and location of testing facilities
§ Monthly seminars on the Internet covering fire, explosion and chemical hazards
research, incident reports and general process safety articles
§ Electronic publication of information on research programs, project proposals, Ph.D
research currently underway and sources of information on standards, regulations and
legislation
§ Arranging the exchange of personnel either between research organizations or
research organizations and industry
§ Arranging national and international meetings for SAFETYNET participants
At present SAFETYNET has over 90 participants from 16 countries. The main organizing body
is a company called PROSICHT in Germany and each country has a National Focus Point
(NFP).
The Environmental Protection Agency (EPA) maintains the RMP*Info database under the
agency's Risk Management Program. The RMP*Info database includes five-year incident
histories for covered facilities. About 14,500 facilities filed reports with the agency for the initial
period from 1994 to 1999. Only facilities meeting certain thresholds for listed chemicals are
covered under this program, however.
The National Response Center (NRC) maintains a database known as the Incident Reporting
Information System (IRIS). This database includes information about the thousands of hazardous
material notifications received each year by the NRC. Operated by the Coast Guard, the NRC is
the main federal clearinghouse for notifications of hazardous releases under various federal
statutes. The purpose of NRC notification is to trigger any needed emergency response, and
much of the data contained in the database is preliminary in nature.
The primary function of the National Response Center is to serve as the
sole national point of contact for reporting all oil, chemical, radiological, biological, and
etiological discharges into the environment anywhere in the United States and its territories. In
addition to gathering and distributing spill data for Federal On-Scene Coordinators and serving
as the communications and operations center for the National Response Team, the NRC
maintains agreements with a variety of federal entities to make additional notifications regarding
incidents meeting established trigger criteria. Details on the NRC organization and specific
responsibilities can be found in the National Oil and Hazardous Substances Pollution
Contingency Plan.
Unknown 14 3 52 84 0 0
Terrorist Non-Release 0 18 51 33 42 180
The table below lists the number of OSHA-170 abstracts by keyword value. The keywords are
established at the time the abstract is reviewed.
Totals 3246 37 249 $829,923,422 2,956,231 1,812,760
TRANSMISSION OPERATORS
The mission of the U.S. Chemical Safety and Hazard Investigation Board is to promote the
prevention of major chemical accidents at fixed facilities. The U.S. Chemical Safety and Hazard
Investigation Board (CSB) is an independent, scientific investigatory agency, not a regulatory or
enforcement body. The CSB was created by the Clean Air Act Amendments of 1990. However,
the Board was not funded and did not begin operations until January 1998.
A number of federal agencies collect data on hazardous chemical incidents (see below).
However, no uniform definition of a "chemical incident" exists across the federal government,
and the reporting requirements for individual programs have evolved over time. There is
currently no single, comprehensive source of data, which would allow the assessment of trends
in incident frequency and severity. Existing data contain gaps, duplications, and inaccuracies. No
statute requires the reporting of all chemical incidents to the federal government, and certain
categories of events may not be reportable or may be reportable only to state agencies. The CSB
calls for improvements to chemical accident data systems in the future.
Every day, the Chemical Safety Board (CSB) receives initial reports about chemical incidents
that have occurred around the world. The information comes from official government sources,
the news media, eyewitnesses and others.
The CSB incorporates incident information into databases that it maintains and shares incident
information with other government agencies and chemical safety stakeholders. It makes
decisions about whether to deploy investigation teams based on supplementary information
developed after the initial report has been received.
The sheer volume of incident reports received each day exceeds the investigative resources of the
CSB or any other single organization. Yet sharing knowledge of these incidents may make it
possible for others to take actions that may contribute to improving chemical safety. Therefore,
the Chemical Safety Board has committed resources to create and maintain the Chemical
Incident Reports Center (CIRC). This dynamic, searchable online database of chemical incidents,
although subject to limitations inherent in any compilation of information of this type (see
disclaimer below), may enable or inspire actions by a researcher, a government agency or others
in support of improving chemical safety.
Top 10 states or Provinces in the CIRC database with the highest number of reported Fatal incidents
over the last 30 days:
Ohio 1 1 2 3 2 30
Virginia 1 1 1 1 0 --
Wisconsin 1 1 0 -- 0 --
* This number may be an estimated amount. The symbol "--" means the number is not available.
Ammonia 3
Chlorine 3
Oil 1
Propane 1
Hydrocarbon vapors 1
Methane 1
Hydrogen sulfide 1
T-Butyl Amine 1
Sulfuric Acid 1
Each year the National Board publishes a summary of incident reports. These reports cover
power boilers, steam and water boilers, as well as unfired pressure vessels. These data are
compiled from data collected by the National Board and insurance agencies. All deaths and
injuries are industry related and include incidents involving owners and operators. The surveys
receive responses and information from National Board jurisdictional authorities and National
Board authorized inspection agencies.
INTRODUCTION
A survey was conducted on the causes of incidents that have occurred in vessels and piping in
the oil refining and petrochemical industries in the United States.
A thorough survey of publicly available data was used. The scope of the project was restricted by
the limited amount of publicly available information. In addition, the definitions and terms used
in the various databases are not consistent with one another, thus making comparisons difficult.
These data are restricted to vessels and piping. Information pertaining to process equipment,
such as pumps and heat exchangers, is generally limited to failure rates only. Information
regarding the causes of failures of these items was not available and so is not incorporated into
this survey.
BACKGROUND
For this project, we defined incidents and failures. Equipment can fail due to seven failure
categories (1, 2):
1. Design
2. Installation/assembly
3. Maintenance
4. Material defects
5. Fabrication
6. Operation
7. Unintended service.
As far as incidents go, we need to know what the criteria are for classifying a component failure
as an “incident”. For example, cracks in the lining of a column, with no reportable release, no
injury to personnel, and no additional damage to surrounding equipment would not be an
“incident.” How would corrosion under insulation (CUI) be considered? This is a long-term
degradation mechanism that has, in the past, led to significant releases. For the purposes of
clarity for this report, an incident will be associated with an injury or a release of product, or it
will be associated with the violation of a statutory regulation. The Occupational Safety and
Health Administration and the Environmental Protection Agency have specific reporting
classifications for incidents. An event will refer to a specific change that occurs at a specific
time.
Before such a survey is conducted, it is important to define the boundaries of the project. Three
parameters need careful attention. These would be as follows:
§ Scope
§ Definition of failure
§ Definition of cause of failure
Broad categories of failures are collected by organizations such as the National Board of Boiler
and Pressure Vessel Inspectors. The National Board incident reports are discussed in more detail
in the ‘Results’ section of this report. Summaries of these data are shown in Figures 1 and 2.
[Figures: two pie charts of causes of incidents. Categories in both charts: Safety Valve, Limit
Controls, Improper Installation, Improper Repair, Faulty Design/Fabrication, Operator Error/Poor
Maintenance. Segment labels: 5%, 4%, 6%, 5%, 8%, 72% (first chart); 2%, 2%, 7%, 13%, 56%, 20%
(second chart).]
§ Pressure vessels
§ Piping
§ Pumps
§ Storage tanks
§ Relief devices
§ Instrumentation and controls
If one were just to focus on pressure vessels, these could be described in many ways. Some
surveys may give specifics, such as amine regenerator column, while others may discuss
columns, drums, and heat exchangers in a general way. Certain equipment items may also be
divided into subcomponents, such as heat exchangers. When surveys discuss heat exchanger
failures, are they alluding to the shell side, tube side or channel? Often this information is not
available or specifics are not discussed.
Failure reporting in the United States depends on Federal and State Regulations, as well as
corporate safety policies. Some categories for recording events may include:
Obviously, the catastrophic and serious cases are reported and documented. These are usually
caused by catastrophic rupture of components where a large amount of flammable or toxic
material is released. Marginal or negligible categories, usually resulting in a contained leak of
material, may be reported internally within an organization, but will obviously not be captured in
industry surveys or national reporting. However, these incidents are nonetheless failures of
equipment due to corrosion or other issues, but they do not receive the attention that larger
failures receive. Therefore industry surveys and databases on failures are skewed towards the
causes of major or catastrophic failures.
Failures may also occur due to a host of different reasons. Insurance companies often capture this
data for their own tracking purposes. After a survey of incidents in the petrochemical industry,
an insurance company in the United States published the following graph reflecting the causes of
large property losses:
[Bar chart: causes of large property losses, as percent of losses (axis 0 to 50). Categories:
Mechanical, Operations, Upsets, Natural Hazards, Design, Arson, Others.]
It appears that mechanical failures account for approximately half of the known causes of
failure in the industry. These failures may be a result of equipment aging and wearing out or
corrosion and other issues. It is important to note that failures would also be a function of
inspection and maintenance practices at a facility, as well as correct choice of materials and
operating procedures and conditions.
1. Failure in operation
2. Failure to operate on demand or as intended
3. Operation before demand
4. Operation after demand to cease.
In addition, some failures are associated with turnarounds, such as with polythionic acid
cracking. It seems straightforward to ask for a root cause failure analysis (RCFA) database.
These lists are available as well as listings of life expectancies. But often the combined data
report that a specific component could last from 18 months to 40 years. There are also tables that
correlate failure modes and suitable remedial steps. Some reference books may provide
experience-based data on mean-time-between-failure (MTBF) and mean-time-to-repair (MTTR)
(1)(3)(4).
For this report, a root cause will refer to the true cause of an event or problem such as chloride
contamination of a vessel (an error in maintenance), while failure cause will refer to the failure
mechanism such as chloride stress corrosion cracking of a stainless steel vessel (3 through 5). A
short list of damage mechanisms would include pitting, general corrosion, crevice corrosion,
cracking, fatigue, creep, brittle fracture, and corrosion under insulation.
Although there is a great deal of data on equipment failure and repair times, the topics of failure
frequency and failure rates are outside the scope of this report. Approximate data are fairly easy
to obtain, while accurate data tend to involve much more effort. For reliability information, one
needs failure information on the following (2).
Using this information one can calculate frequencies of failure, which is a useful parameter to
include in a failure database.
DATA
§ Date of incident
§ Location of incident
§ Company concerned
§ Consequences
§ Brief description
§ Causes
§ References
Most of the databases provide anonymous data and do not list the date, location, or company
concerned. Most of the databases were worldwide and the U.S. data could not be separated. As
discussed in the ‘Definitions’ section of this report, there are many ways for defining equipment
scope, failures, and cause of failure. Industry databases often do not classify categories
precisely enough for the data requested in the template to be read off directly.
Without investigating each incident separately, it was not possible to provide all the data
required in the template.
Failure rates and failure modes of pressure vessels have been classified by the nuclear industry
(3)(6)(7). They classify failure as catastrophic or potentially dangerous.
                                 Number of cases   Percent of total
Causes of Failures:
  Cracks                               118              89.3
  Maloperation                           8               6.1
  Pre-existing from manufacture          3               2.3
  Corrosion                              2               1.5
  Creep                                  1               0.8
  Total                                132             100.0
Causes of Cracks:
  Fatigue                               47              35.6
  Corrosion                             24              18.2
  Pre-existing from manufacture         10               7.6
  Miscellaneous                          2               1.5
  Not ascertained                       35              26.5
  Total                                118              89.4
Method of Detection:
  Visual examination                    75              56.9
  Leakage                               38              28.8
  Nondestructive testing                10               7.5
  Hydraulic tests                        2               1.5
  Catastrophic failure                   7               5.3
  Total                                132             100.0
The 2000 National Board incident report reveals a 24% jump in the total number of incidents
from 1999. Nearly 90% of the incidents reported in 2000 were directly attributed to human error.
For nine straight years, operator error or poor maintenance was the primary cause of unfired
pressure vessel accidents. A summary of incidents in unfired pressure vessels, from 1992
through 1998 is shown below:
Acc = Accident
Inj = Injury
D = Death
Piping failures were surveyed from plants in the nuclear, thermal, refining, and other industries
(3).
A. Failures in chemical plants and refineries – ‘failure cause’ vs. ‘root cause’.
Design/
Design Installation Installation Operation Maintenance Manufacture Unknown Unspecified Total
Corrosion:
External 18 8 - 2 4 - - 1 33
Internal 56 1 2 1 1 1 - 3 65
Stress 15 - 1 - - - - - 16
Erosion 2 1 - - 1 - - - 4
Restraint 1 2 4 - - - - - 7
Vibration 9 1 3 1 - - - 1 15
Mechanical 28 10 5 11 12 18 2 21 107
Material 5 7 10 - 4 2 - 21 49
Freezing 13 1 - 2 - - - 1 17
Thermal fatigue 2 1 - 2 - 1 - 1 7
Water hammer 2 1 1 4 - - - - 8
Work systems 6 4 36 47 49 - - 2 144
Unknown - - - - - - 29 1 30
Unspecified 1 1 13 3 3 - - 33 54
TOTAL 158 38 75 73 74 22 31 85 556
Large property losses for hydrocarbon refining industries for the last 20 years were reviewed (8).
Most of the large losses involved fires or explosions. Some records do not have information
about the cause of the fire or explosion.
Equipment / event | Year | Location | Description
Tubes in RDS unit | 1996 | Okinawa, Japan | Tube failure due to creep in furnace of residual hydrodesulfurization (RDS) unit.
Flare line rupture and fire | 1995 | La Plata, Argentina | Propane deasphalting (PDA) knockout drum overflowed, ignited, numerous pipelines failed due to fire.
Fire and damage to tanks and piping | 1995 | Rouseville, PA | Fire resulted in failure of tanks and piping.
Equipment failed due to overspeed, damaged piping and resulted in fire | 1995 | Kawasaki, Japan | Flue gas turbine expander failed during maintenance due to overspeed. Damage to process equipment and piping resulted in fire.
Failure of carbon steel elbow | 1993 | Baton Rouge, LA | Elbow in feed line to coker failed, resulting in fire. Carbon steel elbow should have been 5 chrome alloy steel in this service.
FCC unit pipeline | 1992 | La Mede, France | Pipeline developed leak, ignited and exploded.
Heat exchanger failure | 1992 | Sodegaura, Japan | Heat exchanger in the hydrodesulfurization unit failed and explosion occurred.
Failure of carbon steel elbow | 1992 | Wilmington, CA | Elbow in hydrogen/hydrogen mixture line of hydrogen processing unit failed and explosion and fire occurred.
Failure of tee | 1991 | N. Rhine Westphalia, Germany | Failure of tee in air cooler of hydrocracker due to erosion-corrosion.
Pump seal failure on crude unit | 1991 | Beaumont, TX | Pump seal failure on crude unit resulted in fire.
Atmospheric residuum desulfurization (ARDS) reactor | 1991 | Sweeny, TX | Atmospheric residuum desulfurization (ARDS) explosion of reactor.
Pump seal failure on crude unit | 1991 | Port Arthur, TX | Pump seal failure on crude unit resulted in fire.
Heat exchanger failure | 1990 | Chalmette, LA | Heat exchanger in the hydrocracker unit failed and explosion and fire occurred.
Drain line to debutanizer of FCC gas unit | 1990 | Warren, PA | LPG gas released from drain line of debutanizer of FCC gas unit ignited resulting in explosion and fire.
Ethane and propane pipeline | 1989 | Baton Rouge, LA | Pipeline developed leak due to low temperatures, ignited and exploded.
Pipe in hydrotreater unit | 1989 | Martinez, CA | Pipeline developed leak, ignited and exploded.
Pipe in hydrocracker unit | 1989 | Richmond, CA | Pipeline developed leak at weld, ignited and exploded.
Failure of carbon steel elbow | 1988 | Norco, LA | Failure of carbon steel elbow in depropanizer failed due to internal corrosion. Pipeline ignited and exploded.
Overpressure of low pressure separator | 1987 | Grangemouth, UK | Overpressure of low-pressure separator, vessel exploded and disintegrated.
Overpressure of high pressure separator pipeline | 1984 | Las Piedras, Venezuela | Overpressure of high-pressure separator pipeline ruptured near weld, ignited and exploded.
Recycle oil slurry pipeline | 1984 | Ft. McMurray, Alberta, Canada | Pipeline in slurry recycle oil line developed leak due to erosion, ignited and exploded.
Recycle oil slurry pipeline | 1983 | Avon, CA | Pipeline in slurry recycle oil line developed leak, ignited and exploded.
T-8 Database
The NACE International Group Committee T-8 on Refining Industry Corrosion holds meetings
at both the annual spring CORROSION Conference and at the Fall Committee Week each year.
The majority of each meeting is devoted to a corrosion information exchange where committee
members and guests share their experiences (successes and failures), problems, and concerns in
the area of refining process corrosion and materials. The information is assembled into a
database called REFINICOR 3.0.
Information is presented as individual paragraphs taken from the actual T-8 Group Committee
minutes, but is arranged such that complete dialogues can be reconstructed and viewed with ease.
REFINICOR 3.0 also includes an alloy index, an acronym index, a trademark index, and a
technical papers index with complete references to the alloys, acronyms, trademarks, and
technical papers mentioned in the minutes, as well as the T-8-15 FCCU Corrosion Data Survey
Report that is attached to the CORROSION/91 T-8 Minutes.
Cracking was reported in all unit areas except Area 9 (gasoline splitter). Area 1 (main
fractionator overhead system), Area 4 (deethanizer column), and Area 7 (debutanizer overhead
system) had the highest number of cracking cases. The distribution of reported cracks does not
identify well, and it does not limit areas for future inspection.
Cracking was primarily in plate steel, where material type was identified. The cracking cases
reflect the steel grades commonly used when the units were fabricated. In units that were 10 to
20 years old, 75% of cracks were in a S16-70 grade, and in units that were 20 to 40 years old,
cracking was primarily in A212-GrB, A285-Grc, and A516-Gr70.
Inhibitors and polysulfide additions are generally believed to lower the incidence of cracking.
Survey results indicate a higher percentage of cases using polysulfide reported cracking, 26% vs.
10% without polysulfide. There is no clear explanation for this; however, units often cut back on
water wash when polysulfide is used. This may account for some of the cracking reported.
Perhaps the most comprehensive survey found during the current study, and the one that matches
the template most closely, was that of the NACE Task Group T-8-14. The NACE International
Task Group T-8-14 is part of the T-8 Committee and conducted a survey on stress corrosion
cracking (SCC) of amine units. The purpose of the survey was to examine possible correlations
between cracked and non-cracked locations to establish possible causes for cracking (9).
Cracking was found to be most prevalent in monoethanolamine units. Cracking occurs in all
types of equipment and piping operating at all common temperatures. In MEA, cracking is most
prevalent in absorbers/contactors and lean amine lines. In diethanolamine, it is most common in
piping and exchangers.
This NACE study was initiated after the catastrophic 1984 failure in Chicago, Illinois of an
amine absorber tower. An explosion and subsequent fire killed 17 refinery workers and caused
extensive property damage. The Occupational Safety and Health Administration (OSHA)
requested that the National Bureau of Standards (NBS) conduct an investigation into the cause of
the pressure vessel failure. The failure was due to hydrogen stress cracking, which
initiated in a hard microstructure formed during repair welding. These surface cracks propagated
in a zig-zag path through the vessel wall, possibly by hydrogen induced stepwise cracking,
resulting in tearing of the vessel (10).
The main purpose of the NACE survey was to determine the extent of cracking problems in
amine units and to try to establish possible causes of failure. A total of 294 survey
forms were completed and returned. The largest portion of the 294 surveys returned was from
Amines used
Surveys MEA DEA MDEA DIPA DGA
Amines used
Surveys MEA DEA MDEA DIPA DGA
Refinery: Cracked 78 22 3 1 0
Non-cracked 15 115 19 11 8
Absorber/contactor 20 2 1
Regenerator 4 3 2
Exchanger 14 7 2
Piping: Rich 3 6 0
Lean 21 5 1
Other (overhead accumulator, filter, reclaimer) 15 4 0
(1)
Ages of Cracked Equipment in all Amines
Age Number of cases
0-5 y 6
6-10 17
11-15 18
16-20 19
21-25 12
26-30 6
>30 11
Shell: Longitudinal 24 3 1
Circumference 36 10 0
Nozzle 27 10 1
Internal Attachment 12 2 4
External Attachment 4 3 0
Piping Butt 20 6 1
(1) All cases non-stress relieved refinery data only; tabulated numbers may
represent multiple locations in a single vessel
This section highlights deficiencies in industry databases and surveys relating to equipment
failures. Many databases are focused on specific areas and scope, and failure data are not clearly
defined. Government data are skewed towards large failures, because these are reportable events.
Industry surveys are often conducted anonymously, as this is the only way an organization can get
companies to share their failure experiences. While these surveys provide useful information,
much data are missing when trying to complete a specific template of failures.
REFERENCES
1. H.P. Bloch, “Looking for RCFA Databases? Consider Failure Statistics”, Hydrocarbon
Processing, Jan. 2002.
2. H.P. Bloch and F.K. Geitner, Machinery Failure Analysis and Troubleshooting,
Butterworth-Heinemann, UK, 1997.
3. Frank P. Lees, Loss Prevention in the Process Industries: Hazard Identification,
Assessment and Control, Butterworths, UK, 1996.
4. Frank P. Lees, Loss Prevention in the Process Industries, Butterworths, London, 1980.
5. R. Keith Mobley, Root Cause Failure Analysis, Butterworths, UK, 1999.
6. T.A. Smith and R.G. Warwick, A Survey of Defects in Pressure Vessels in the UK for the
period 1962-1978 and its relevance to Nuclear Primary Circuits, UK, United Kingdom
Atomic Energy Authority, 1981.
7. T.A. Smith and R.G. Warwick, Second Survey of Defects in Pressure Vessels Built to
High Standards of Construction and its Relevance to Nuclear Primary Circuits, UK,
United Kingdom Atomic Energy Authority, 1974.
8. James C. Coco (ed.), Large Property Damage Losses in the Hydrocarbon-Chemical
Industries, A Thirty-Year Review, J.H. Marsh and McLennan Consulting Services, 1998.
9. J.P. Richert, A.J. Bagdasarian, and C.A. Shargay, “Stress Corrosion Cracking of Carbon
Steel in Amine Systems”, Materials Performance, No. 1, 1988.
10. H. McHenry, D. Read, T. Shives, “Failure Analysis of an amine-absorber pressure
vessel”, Materials Performance, 1987.
INTRODUCTION
Risk Analysis is rooted in the power industry, and in particular, the nuclear industry where
probabilistic risk analysis (PRA), which was initially required by regulation, is now being used
routinely for maintenance prioritization and risk informed decision making. These programs
were designed to deal with what were called “Extreme Events” which were the low likelihood,
high consequence scenarios. In the chemical industries, OSHA 1910.119 and the Mechanical
Integrity requirements were similarly developed to deal with the avoidance of high consequence
or catastrophic failure events. Since fully quantitative risk assessments are expensive and time
consuming to implement, organizations such as American Petroleum Institute (API) and the
American Society of Mechanical Engineers (ASME) have begun to develop focused, practical
programs specifically for the oil, gas, petrochemical and chemical industries.
RISK BASICS
A risk assessment is the process of gathering data and analyzing information in order to develop
an understanding of the risk of a particular process.
Three basic questions are considered to establish the basis for defining risk as follows:
Risk may, in its simplest form, be characterized as the product of the probability of a given
failure event (the Likelihood of Failure, LOF) and the consequences of that event (the
Consequences of Failure, COF).
DEFINITIONS OF RISK
It should be clear that no unique measure of risk exists. Many such measures have been proposed
and are currently in use, each providing a different view on a particular situation. The main types
of risks are:
Regarding safety, health, and environment (SHE) aspects, several generally accepted definitions
and methods already exist. Where cost considerations need to be included within the scope of the
risk analysis, the parameters to be included are usually determined by the company performing
the risk based maintenance and inspection.
Individual Risk
A formal definition of Individual Risk is expressed by the I.Chem.E as the frequency at which an
individual may be expected to sustain a given level of harm from the realization of specific
hazards. It is usually taken to be the risk of death, and normally expressed as risk per year.
Individual Risk is the risk experienced by a single individual in a given time period. It reflects
the severity of hazards and the amount of time the individual is in proximity to them. There are
typically three different types of Individual Risks:
Individual Risks are also commonly expressed by means of the Fatal Accident Rate (FAR),
which is the number of fatalities per 10^8 hours of exposure. The FAR is typically in the range
from 1 to 30, and is more convenient and more readily understandable than Individual Risks per year.
Societal Risk
A formal definition of the Societal Risk is given by the I.Chem.E as the frequency and the number
of people suffering a given level of harm from the realization of specified hazards. It usually
refers to the risk of death, and is expressed as risk per year.
This expression of risk is useful to limit the risks of catastrophes affecting many people at one
time. Societal risks may be expressed in the form of
§ F-N curves showing the relationship between the cumulative frequency (F) and the
number (N) of fatalities.
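Added example (not part of the original course notes): building an F-N curve from a list of accident scenarios, and converting an Individual Risk per year into a FAR using the definition given above. The scenario list, the 2000 exposure hours per year and the criterion line F = anchor / N^slope are constructed assumptions for illustration only.

```python
"""F-N curve and FAR from a scenario list. All input values are constructed."""
from dataclasses import dataclass

FAR_EXPOSURE_HOURS = 1e8  # FAR is the number of fatalities per 10^8 exposure hours


@dataclass(frozen=True)
class Scenario:
    name: str
    frequency_per_year: float  # expected occurrences per year
    fatalities: int            # number of fatalities if the scenario occurs


# Constructed sample scenarios; not data from any survey quoted in these notes.
SCENARIOS = [
    Scenario("contained leak, no injury", 5e-2, 0),
    Scenario("flange leak with jet fire", 1e-3, 1),
    Scenario("pump seal fire", 5e-4, 1),
    Scenario("pipe rupture with explosion", 2e-5, 12),
    Scenario("vessel rupture", 1e-5, 40),
]


def fn_curve(scenarios):
    """Return [(N, F)], F being the cumulative frequency per year of
    events causing N or more fatalities, for each N that occurs."""
    for s in scenarios:
        if s.frequency_per_year < 0 or s.fatalities < 0:
            raise ValueError(f"negative value in scenario {s.name!r}")
    fatal = [s for s in scenarios if s.fatalities > 0]
    levels = sorted({s.fatalities for s in fatal})
    return [
        (n, sum(s.frequency_per_year for s in fatal if s.fatalities >= n))
        for n in levels
    ]


def exceeds_criterion(curve, anchor_frequency, slope=1.0):
    """Return the points of the curve lying above the line
    F = anchor_frequency / N**slope (a hypothetical criterion line)."""
    return [(n, f) for n, f in curve if f > anchor_frequency / n ** slope]


def far_from_individual_risk(risk_per_year, exposure_hours_per_year):
    """Convert an individual risk of death per year into a FAR,
    given the hours per year the individual is exposed."""
    if exposure_hours_per_year <= 0:
        raise ValueError("exposure hours must be positive")
    return risk_per_year / exposure_hours_per_year * FAR_EXPOSURE_HOURS


if __name__ == "__main__":
    curve = fn_curve(SCENARIOS)
    for n, f in curve:
        print(f"N >= {n:3d}: F = {f:.2e} per year")
    # Assumed criterion: 1e-3 per year at N = 1, slope 1.
    print("above criterion:", exceeds_criterion(curve, 1e-3))
    # Assumed exposure: 2000 working hours per year.
    print("FAR:", round(far_from_individual_risk(1e-4, 2000), 2))
```

The zero-fatality scenario contributes nothing to the curve, however frequent it is, which is why an F-N curve says nothing about contained leaks and other minor events.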
Area Risk
A third often-used measure of risk is the Area Risk. This measure is very useful when more than
one source contributes to the overall risk of a certain geographical area. An important tool for the
Area Risk is the I-N histogram. It gives the number of persons (N) in the impact area exposed to
an Individual Risk within the Range I.
Environmental Risk
Environmental Risk includes short-term and long-term effects to the biosphere. Here the affected
area in m^2 (soil, ground and surface water, seawater) or the amount of released dangerous
substances to the environment per year can be an adequate measure. Due to the fact that there are
also financial aspects linked to the environmental risk, which can be measured in money (like
cleanup costs, penalties, negative media publicity, etc.), these are best covered when evaluating
the Economic Risk.
Economic Risk
Concerning the Economic Risk, the risk for direct and indirect cost should be addressed. To
quantify the costs related with a certain failure (undesirable event) and a certain probability, the
direct costs include
The indirect costs are much more difficult to estimate. Similarly, the effects of negative media
publicity are not easy to quantify. Finally, the consequences of a specific type of accident may
vary from industry to industry.
Quantitative risk assessments (QRAs) rely on large amounts of accurate data and the
performance of repetitive calculations. In order for the QRA results to be as accurate as
possible, well developed, state-of-the-art mathematical models must be used to calculate the
consequences of each scenario and be fed into the overall risk calculations. As technology has
moved forward hardware has become much more powerful at less cost and software databases
are more readily available to provide users with friendly solutions. However, since fully
quantitative risk assessments are expensive and time consuming to implement, organizations
such as American Petroleum Institute (API) and the American Society of Mechanical Engineers
(ASME) have begun to develop focused, practical programs specifically for the oil, gas,
petrochemical and chemical industries
The complexity of risk calculations is a function of the number of factors that can affect the risk.
Calculating absolute risk can be very time and cost consuming and often, due to having many
uncertainties, is impossible. In the RBI methodologies, it is recognised that there are many
variables in calculating the risks of loss of containment in petroleum and petrochemical facilities,
and the determination of absolute risk numbers is often not cost effective. RBI is focused more
on a systematic determination of relative risks. In this way, facilities, units, systems, equipment,
or components can be ranked based on relative risk. This serves to focus the risk management
efforts on the higher ranked risks. The most important factor in conducting a risk assessment is
that:
Related Programs
The Risk Based Inspection methodology has been designed to interact with other safety
initiatives wherever possible. The output from several of these initiatives provides input for a
variety of RBI evaluations and, in some instances, the RBI risk rankings can be used to improve
other safety systems. Some examples are given below.
Industry Initiatives - In response to OSHA, the CMA produced a document called Responsible
Care, which would give guidance to its members on PSM implementation. As part of this
document an MI supplement was produced. API has produced a recommended practice for the
Management of Process Hazards, API 750, and initiated an RBI task force. This task force has
API RP 580 is intended to supplement API 510 Pressure Vessel Inspection Code; API 570
Piping Inspection Code; and, API 653 Tank Inspection, Repair, Alteration and Reconstruction.
These API inspection codes allow an owner/user latitude to increase or decrease the code
designated inspection frequencies, if the owner/user conducts an RBI assessment. The
assessment must systematically evaluate both the LOF and the associated COF. The LOF
assessment must be based on all forms of deterioration that could reasonably be expected to
affect the piece of equipment in the particular service.
ASME post construction committee has produced a draft standard on inspection planning that
incorporates risk concepts. ASME and API are working together to produce RBI documents so
efforts are not duplicated. RBI is typically designed to interact with other safety initiatives. The
output from several of these programs provides valuable input for the RBI evaluation. Other
programs that are important in RBI studies include reliability centered maintenance programs,
PSM programs, Hazard and Operability (HAZOP) studies, and PHA reviews.
PHA - PHA studies are a necessary part of any Process Safety Management program. A Process
Hazard Analysis (PHA) uses a systemized approach to identify and analyze hazards in a process
unit. The RBI study can include a review of the output from any PHAs that have been conducted
on the unit being evaluated. Hazards identified in the PHA can be specifically addressed in the
RBI analysis. There are several methods that can be applied to identify process hazards. One of
these methods, and the most accepted, is the Hazard and Operability (HAZOP) study. A HAZOP
study identifies hazards and hazardous scenarios and their consequence but does not look at the
frequency or probability of these scenarios. These studies therefore provide valuable input to an
RBI initiative.
Potential hazards identified in a PHA would often impact the probability-of-failure side of the
risk equation. The hazard may result from a series of events that could cause a process upset, or
it could be the result of process or instrumentation deficiencies. In either case, the hazard might
increase the probability of failure, in which case the RBI procedure would reflect the same.
Some hazards identified would affect the consequence side of the risk equation. For example, the
potential failure of an isolation valve could increase the inventory available for release in the
event of a leak. The consequence calculation in the RBI procedure can be modified to reflect this
added hazard.
The plant layout and construction might be evaluated to see if it has the following characteristics:
§ Equipment spacing and orientation that facilitates maintenance and inspection activities
and minimizes the amount of damage in the event of a fire or explosion.
§ Control rooms and other operator stations that are located and constructed in a manner to
provide proper shelter in the event of a fire or explosion.
§ Appropriate attention has been given to leak detection, fire water systems, and other
emergency equipment.
Risk-centered maintenance (or RBI) uses the identical functional description of systems,
sub-systems, functional failures, and failure modes that RCM employs, but it is different in that the
criticality class is replaced with an explicit risk calculation. Using a quantitative value of risk
instead of a coarse assignment (criticality class) allows a more complete description of the actual
hazards that exist on a facility.
The risk-based approach replaces the criticality class identification with two separate fields,
namely likelihood and consequence. The product of these two, the risk, becomes an indicator of
each failure mode’s importance to the overall risk of the system. This independent assessment of
both the LOF (probability or frequency) and the COF, resulting in a risk calculation, provides a
ranking system that is a unique benefit of the risk based maintenance or inspection programs.
With risk explicitly computing a numeric value, failure modes can be individually ranked from
high to low risk. This ordered list will provide a priority ranking for choosing maintenance tasks
to mitigate the occurrence of failures. In conclusion:
§ The risk-based approach benefits both the maintenance and inspection departments in
prioritizing inspection and maintenance activities.
§ RCM programs often do not record actual failure modes (damage mechanisms) or there
are failure modes that have not occurred and have therefore not been recorded. A risk
based approach can overcome both these shortcomings.
§ RBI, therefore, complements the RCM methodology, but takes it one step further.
Original RCM analysis and data are useful for the implementation of an RBI program, but
the risk approach takes both likelihood and consequence into account and prioritizes
equipment items and their subcomponents accordingly.
Future work might link reliability efforts such as Reliability Centered Maintenance (RCM) with
RBI, resulting in an integrated program to reduce downtime in an operating unit.
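The ranking described above, as an added example that is not part of the original course notes: each failure mode gets a likelihood and a consequence, risk is their product, and the list is ordered from high to low risk. The band names follow the risk matrix on this page; the numeric band edges, the equipment tags and every sample value are constructed assumptions.

```python
"""Added example: rank failure modes by explicit risk instead of a coarse class."""
from dataclasses import dataclass

# Band names come from the risk matrix on this page. The numeric lower edges
# (highest band first) are assumptions chosen for illustration only.
LIKELIHOOD_BANDS = [(1e-2, "Very High"), (1e-3, "High"), (1e-4, "Medium"), (0.0, "Low")]
CONSEQUENCE_BANDS = [(1e7, "Very Serious"), (1e6, "Serious"), (1e5, "Marginal"), (0.0, "Minor")]


@dataclass(frozen=True)
class FailureMode:
    item: str    # equipment tag (hypothetical)
    mode: str    # failure mode / damage mechanism
    lof: float   # likelihood of failure, events per year
    cof: float   # consequence of failure, cost units per event

    @property
    def risk(self) -> float:
        """Risk as the product of likelihood and consequence (cost units per year)."""
        return self.lof * self.cof


def band(value: float, bands) -> str:
    """Return the name of the first band whose lower edge the value reaches."""
    if value < 0:
        raise ValueError("likelihood and consequence must be non-negative")
    for lower_edge, name in bands:
        if value >= lower_edge:
            return name
    raise ValueError("bands must end with a 0.0 lower edge")


def matrix_cell(fm: FailureMode):
    """(likelihood band, consequence band): the coarse view of a failure mode."""
    return band(fm.lof, LIKELIHOOD_BANDS), band(fm.cof, CONSEQUENCE_BANDS)


def rank_by_risk(modes):
    """Order failure modes from high to low risk and add the cumulative share."""
    ordered = sorted(modes, key=lambda m: m.risk, reverse=True)
    total = sum(m.risk for m in ordered)
    rows, running = [], 0.0
    for position, fm in enumerate(ordered, start=1):
        running += fm.risk
        rows.append({
            "rank": position,
            "item": fm.item,
            "mode": fm.mode,
            "cell": matrix_cell(fm),
            "risk": fm.risk,
            "cumulative_share": running / total if total else 0.0,
        })
    return rows


# Constructed sample data (not from the course notes).
SAMPLE_MODES = [
    FailureMode("P-201", "seal leak", 5e-2, 4e4),
    FailureMode("R-501", "rupture", 2e-6, 5e7),
    FailureMode("V-101", "external corrosion", 3e-4, 8e6),
    FailureMode("L-601", "erosion at elbow", 1.2e-4, 1.1e6),
    FailureMode("T-401", "floor corrosion", 7e-3, 2e5),
    FailureMode("E-301", "tube leak", 9e-4, 1.2e6),
]

if __name__ == "__main__":
    for row in rank_by_risk(SAMPLE_MODES):
        likelihood, consequence = row["cell"]
        print(f'{row["rank"]}. {row["item"]:6} {row["mode"]:20} '
              f'{likelihood:>9} / {consequence:<12} '
              f'risk={row["risk"]:8.0f}  cumulative={row["cumulative_share"]:.0%}')
```

V-101, E-301 and L-601 land in the same matrix cell, yet their computed risks differ by more than a factor of ten, which is the resolution a coarse class cannot give.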
1. Hazard Identification
2. Frequency Assessment
3. Consequence Assessment
4. Risk Evaluation and Reporting
Hazard Identification
Hazard identification can help focus a risk analysis on key hazards and create discussion on what
hazardous scenarios may occur. Hazard identification can be an implicit step that is not
systematically performed (i.e., a refinery contains large volumes of toxic, flammable materials)
or it can be explicitly performed using structured techniques. A HAZOP study identifies hazards
and hazardous scenarios and their consequence but does not look at the frequency or probability
of these scenarios.
Frequency Assessment
Estimating the frequency of hazardous events can be conducted using several approaches. These
would include investigating historical data (inspection data or frequency of failure data), expert
assessment of a system, conducting an event tree or fault tree analysis or using a cause analysis.
The approach taken will depend on the goals of the program, the data available and the required
sensitivity of the study.
Consequence Assessment
The modeling of consequences can involve the use of analytical models to predict the effects of
certain scenarios. Many models exist for consequence modeling and these could include
dispersion models, source term models, environmental effects modeling, blast and thermal
modeling as well as the effects of mitigation devices. Many databases exist that contain data on
the toxic effects of materials on humans and the fire and blast effects on buildings and structures.
All these resources can be used to calculate consequence effects but only those steps needed to
provide the appropriate information necessary to complete the program goals should be
considered. Assessments can focus on business, safety, and environmental consequences.
Business consequences can include lost production, lost quality and maintenance and repair
costs.
The simplest form of reporting relative risk is by prioritization using numbers, levels or simply
high, medium or low. Another approach is to use a risk matrix to assign risk. This is the
preferred approach in RBI studies. Each equipment item will fall within a cell in the matrix,
In order to understand risk, its definitions and attributes, it is necessary to look at quantified risk
assessments in more detail. This will help to give a better understanding of relative risk. The two
most common risk measurements are societal and individual risk. Both are often considered
when conducting a QRA. Individual risk is defined as “the frequency at which an individual may
be expected to sustain a level of harm from the realization of a specific hazard.” It is usually
taken to be the risk of death, and is expressed in risk per year.
Societal risk provides an indication of the likely severity of an accident. It can be defined as
“the relationship between the frequency of failure and the number of people suffering a given
level of harm from the realization of a specific hazard.” It is normally displayed as an FN curve, a
log plot of frequency against number of fatalities. This concept is important for government
regulators as it can be used to address potential disaster scenarios, such as Bhopal, and can be
related to the EPA Risk Management rule and worst-case scenarios.
A quantitative risk assessment only produces numbers, but it is the assessment of those numbers
that allows conclusions to be drawn and recommendations to be made. The assessment stage of
a study is therefore of prime importance. The simplest framework for risk criteria is a single
level that divides tolerable risks from intolerable ones. The reason that the procedure relies
heavily on graphics is to enable people who are not well versed in statistics and risk to
understand the results. The graphical risk assessment procedure is designed as a visual tool for a
wide audience. Graphing the abstract mathematical results helps a large audience understand the
practical implications of risk. This is shown in the figure below:
[Figure: items numbered 1 to 10 plotted by likelihood of failure (vertical axis) against consequence (horizontal axis), with a risk line drawn across the plot.]
§ The industrial activity should not impose any risks that can be reasonably avoided.
Risk contains, by definition, both the Probability of Failure (POF) and Consequence of Failure
(COF) aspects. From the regulatory perspective, the introduction of the consequence element
enables a risk based inspection or maintenance procedure to get acceptance by the authorities.
This is not true for a reliability centered inspection or maintenance approach.
In a risk matrix, ISO-risk lines represent the same level of risk. Usually the plotted risk is linked
to the type of consequences on the horizontal axis. For more details on how to evaluate the
applicable consequences, see the methods described in the EPA RMP rule. Normally, the impact on
the following should be investigated:
§ Safety and health of plant personnel and people outside the facility
§ The environment (short term and long term)
§ Economical effects (lost production, repair,)
Whether some or all of the impacts can be summarized within one risk matrix depends on the
type of application. In most cases, it may be reasonable to distinguish at least between the SHE
aspects in one matrix (for internal and external acceptance) and the financial aspects (for internal
acceptance purposes) in a separate one.
The simplest approach for the definition of risk criteria is to define a single risk level, which
separates the acceptable risk from the unacceptable risk areas. In this framework, only a few
countries and industrial organizations have actually accepted and endorsed specific numerical
values for this risk level. For instance, the Netherlands and the United Kingdom give the values
reported below:
A more flexible approach is where the risk area is divided in three bands:
This framework for risk criteria uses a three-level approach, as used by the UK HSE. It
specifies a level, the maximum tolerable criterion, above which risk is deemed unacceptable and
must be reduced. Below this level the risk should be made as low as reasonably practicable
(ALARP). In terms of individual risk the tiers proposed are:
This system can be taken a step further to provide a generalized decision-making procedure,
which is based on a combination of probability driven, consequence driven and risk driven
procedures. It can also be seen in the figure below that the risk ranking should include “the
uncertainties linked to the evaluation procedure, relevance of the data basis to be used, or
the assumptions and simplifications that are made. The way in which uncertainty shall be
treated in risk estimates should be defined before performing the risk analysis.”
Defining an acceptable level of risk presents significant legal and social problems for a company
that must be overcome. A resolution is to use published risk value data. The problem is that different
risk analysis methods abound, so absolute risk values are difficult to ascertain. Acceptable
risk levels can be expressed in many ways and a company can use the risk expression that best
fits their culture, needs, definitions, and goals. Different companies have used many different
expressions for acceptable risk. The expression should be acceptable to the company’s
management and legal groups. Using certain references the range of acceptable risk levels will
most likely fall within certain limits, such as event frequencies that could result in a single
fatality of 10⁻⁴/yr to 10⁻⁶/yr (one occurrence in 10,000 to 1 million years).
The final output of risk programs in the industry is traditionally a risk matrix. A risk matrix and
definitions are shown below.
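[Figure: risk matrix. Likelihood (vertical axis): Very High, High, Medium, Low. Consequence (horizontal axis): Very Serious, Serious, Marginal, Minor. A "Low Risk" region is labelled at the low-likelihood end.]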
The OSHA 1910.119 rule did not aid in determining tolerable risk levels. The UK HSE has explored
tolerable levels of risk and issued a paper titled “The tolerability of Risk from nuclear Power
Stations.” The HSE also uses data for ALARP, which is used around the world.
Tolerable risk is the level of risk that an organization and society will bear, but it may in fact
not be as low as acceptable risk (e.g., gambling and driving). Tolerability does not mean
acceptability.
For process facilities, experience suggests that values for potentially fatal events fall in the
range of 10⁻⁴/yr to 10⁻⁵/yr. The petrochemical industry has been designed to what’s known as the
10,000-yr or 10⁻⁴ criterion. The table below reflects the experienced incident rates of some typical
process units.
The above data imply that the above statistics are in fact intolerable or unacceptable. An API
study reported a death rate of direct hire personnel of 14.3 deaths per 100,000 employees
averaged over a 5-year period. This is an average risk of 1.4 × 10⁻⁴, which is 4 times higher than
the average reported by the National Safety Council for all manufacturing. However, the API
study only evaluated risks to exposed workers and not all personnel. This outlines the importance
of understanding the basis for the statistics represented.
As mentioned previously, OSHA 1910.119 was developed in response to statistics of fatality and
major injury frequencies in the industry from 1983 to 1990. A study showed that 330 average
fatalities occurred during this period, over a working population of 3 million. This gave an
incident rate of 1.1 × 10⁻⁴ (close to the API survey), which was unacceptable. OSHA is
expecting that 80% of these injuries and fatalities will be reduced over a 10-year period resulting
in an average of 65 incidents per year, which gives an incident rate of 2.1 × 10⁻⁵ that is more
tolerable.
The US Nuclear Industry has also set a Generic Safety Issues (GSI) evaluation with some Basic
Safety Limits (BSLs). This is linked to core damage frequency per reactor year and is described
as:
Legal arguments in the United States for establishing Basic Safety Limits are based on the
summation of various Federal court rulings. An evaluation of the risk of death or serious injury
from 132 federal regulatory decisions shows that:
* Between the limits, action should be taken if the cost is below $2 million per life saved.
National standards for providing general guidance on Risk Management and risk analysis are
available and include:
The most compelling argument for the recommended BSL is compiled in a comparison of
Maximum Individual Risk (MIR) criteria for various nations. These are shown in the table
below:
Tolerable and Acceptable Risk, Kirk Clark, Process Safety Management Proceedings, Oct 2001.
STUMBLING BLOCKS
There are many different reactions to the application of risk-based methodologies. Personnel can
be co-operative or highly sceptical. The most common reason for resistance is a concern that the
new project may threaten their jobs. A change may also mean that some personnel may no longer
feel familiar or competent in the new environment. To overcome these concerns the project
should be thoroughly communicated to all parties, sufficient training should be initiated and all
departments included in discussion on results and benefits.
There are two main impediments to implementing risk based inspection programs on facilities.
The first is the need for the overall group to accept the notion of risk. The second is the
acquisition of data. Plant personnel often feel that they have insufficient failure data in order to
determine the frequency of failure.
If you can remove the following misconceptions, then the hardest part of the project is over:
RISK MANAGEMENT
Based on the ranking of items and the risk threshold, the risk management process begins. For
risks that are judged acceptable, no mitigation is required and no further action is necessary.
BIBLIOGRAPHY
Risk acceptance criteria, Robert Kauer, OMMI vol. 1, issue 2, Dec 2002.
Tolerable and Acceptable Risk Establishing Quantitative Targets for the HPC Industry, Kirk
Clark, Horizon Consultants.
INTRODUCTION
A risk assessment is the process of gathering data and analyzing information in order to develop
an understanding of the risk of a particular process.
Three basic questions are considered to establish the basis for defining risk as follows:
Risk may in its most simple form be characterized as the product of the probability of a given failure
event (the Likelihood of Failure (LOF)) and the consequences of that event (the Consequences
of Failure (COF)).
It should be clear that no unique measure of risk exists. Many such measures have been
proposed, and are currently in use, each providing a different view on a particular situation. The
main types of risks are:
PROBABILITY OF FAILURE
There are several ways of defining the likelihood that a vessel will fail. These include:
The LOF of a component can be calculated using two primary methodologies. The first method
uses a statistical approach, while the second uses an evidence-based approach. American
Petroleum Institute’s (API) API 581 uses a statistical approach using generic data taken from
industry databases, while other methodologies use expert input and an evidence-based approach.
[Figure: event tree for probability of failure. Initiating events: stressor(s) active; damage mechanism initiates, P1. Damage arrests: (1-f1) = probability damage will be mitigated; otherwise damage does not arrest and continues. Effectiveness of nondestructive examination: (1-f2) = probability damage will be detected by NDE; damage is detected, or damage is not detected or arrested. Damage continues to failure; pressure boundary is breached.]
Industry data can be presented as equipment failures per 10⁶ operating hours for time-related
failure rates and failures per 10³ demands for demand-related failure rates. These rates are given
for some common Chemical Process Industries (CPI) equipment. Other types of failure rate data,
such as predicted values or estimated values using expert opinion or the Delphi technique, are
addressed in the CPQRA Guidelines. Sources of common cause/mode failure data are not
addressed. Human error rates, though necessary for CPQRAs, and human performance in CPI
facilities are addressed in another CCPS Guideline. In preparing data, the CCPS Subcommittee
tried to review all published sources of available generic equipment reliability and failure rate
data, including reliability studies, published research works, reliability data banks, or
government reports that contained information gathered from chemical process, nuclear, offshore
oil, and fossil fuel industries around the world. An industry survey was conducted to solicit
unpublished data.
To properly use failure rate data, the engineer or risk analyst must have an understanding of
failure rates, their origin and limitations. This section discusses the types and source of failure
rate data, the failure model used in computations, the confidence, tolerance and uncertainties in
the development of failure rates and taxonomies which can store the data and influence their
derivation.
Failure rate data generated from collecting information on equipment failure experience at a
plant are referred to as plant-specific data. A characteristic of plant-specific data is that they
reflect the plant’s process, environment, maintenance practices, and choice and operation of
equipment. Data accumulated and aggregated from a variety of plants and industries, such as
nuclear power plants, CPI or offshore petroleum platforms, are called generic data. With
inputs from many sources, generic failure rate data can provide a much larger pool of data.
However, generic data are derived from equipment of many manufacturers, a number of
processes, and many plants with various operating strategies. Consequently, they are much less
specific and detailed.
Both of the sources above contain two types of failure rate data used in CPQRAs: time-related
failure rates and demand-related failure rates. Time-related failure rates, presented as failures per
10⁶ hours, are for equipment that is normally functioning, for example, a running pump, or a
temperature transmitter. Data are collected to reflect the number of equipment failures per
operating hour or per calendar hour.
Failure rates are computed by dividing the total number of failures for the equipment population
under study by the equipment’s total exposure hours (for time-related rates) or by the total
demands upon the equipment (for demand-related rates). In plant operations, there are a large
number of unmeasured and varying influences on both numerator and denominator throughout
the study period or during data processing. Accordingly, a statistical approach is necessary to
develop failure rates that represent the true values.
§ Confidence
§ Tolerance
Confidence, the statistical measurement of uncertainty, expresses how well the experimentally
measured parameter represents the actual parameter. Confidence in the data increases as the
sample size is increased.
Tolerance uncertainty arises from the physical and the environmental differences among members
of differing equipment samples when failure rate data are aggregated to produce a final generic
data set. Increasing the number of sources used to obtain the final data set will most likely
increase the tolerance uncertainty.
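The failure-rate calculation and the effect of sample size on confidence, as an added example that is not part of the original course notes: the rate is failures divided by exposure, and an exact two-sided interval shows how the estimate tightens as more failures and exposure are pooled. It assumes a constant failure rate with Poisson-distributed failure counts (a model the page does not specify); all counts and exposures are constructed.

```python
"""Added example: failure rate with a confidence interval (Poisson model assumed)."""
import math


def poisson_cdf(k: int, mu: float) -> float:
    """P(X <= k) for X ~ Poisson(mu); adequate for counts up to a few hundred."""
    if k < 0:
        return 0.0
    term = math.exp(-mu)
    total = term
    for i in range(1, k + 1):
        term *= mu / i
        total += term
    return min(total, 1.0)


def _root_of_decreasing(f, lo: float, hi: float) -> float:
    """Bisection for f(mu) = 0 where f is decreasing on [lo, hi]."""
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if f(mid) > 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def expected_count_interval(failures: int, confidence: float = 0.90):
    """Exact two-sided interval for the expected number of failures.

    Lower bound: the mean at which seeing `failures` or more has probability
    (1 - confidence) / 2. Upper bound: the mean at which seeing `failures`
    or fewer has that same probability.
    """
    if failures < 0 or not 0.0 < confidence < 1.0:
        raise ValueError("need failures >= 0 and 0 < confidence < 1")
    tail = (1.0 - confidence) / 2.0
    search_top = 2.0 * failures + 50.0  # comfortably above any upper bound here
    upper = _root_of_decreasing(
        lambda mu: poisson_cdf(failures, mu) - tail, 0.0, search_top)
    if failures == 0:
        return 0.0, upper
    lower = _root_of_decreasing(
        lambda mu: poisson_cdf(failures - 1, mu) - (1.0 - tail), 0.0, search_top)
    return lower, upper


def failure_rate(failures: int, exposure: float, per: float = 1e6,
                 confidence: float = 0.90):
    """Return (point, lower, upper) failure rate per `per` units of exposure.

    Time-related rates: exposure in hours, per=1e6 (failures per 10^6 hours).
    Demand-related rates: exposure in demands, per=1e3 (failures per 10^3 demands).
    """
    if exposure <= 0:
        raise ValueError("exposure must be positive")
    lower, upper = expected_count_interval(failures, confidence)
    scale = per / exposure
    return failures * scale, lower * scale, upper * scale


if __name__ == "__main__":
    # Constructed samples: same point estimate, ten times the data.
    samples = [("single plant", 2, 400_000.0), ("pooled plants", 20, 4_000_000.0)]
    for label, n, hours in samples:
        point, lo, hi = failure_rate(n, hours)
        print(f"{label:13} {n:2d} failures in {hours:9.0f} h: "
              f"{point:.2f} per 1e6 h (90% interval {lo:.2f} to {hi:.2f})")
    # Constructed demand-related sample: 3 failures in 1,500 demands.
    print("per 1e3 demands:", failure_rate(3, 1500.0, per=1e3))
```

The interval describes statistical confidence only; the tolerance uncertainty from pooling dissimilar equipment is not captured by it.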
A failure rate generated from collecting data on a system will be dependent upon all the
circumstances under which the system operates. Consequently, the failure rate data should only
be used for predictions on a system in which the circumstances are identical. Otherwise, the
failure rate applicable to the second system will need to be adjusted.
Unfortunately, the circumstances of a data collection exercise are rarely adequately described;
and therefore, any data will be based on some explicit assumptions, some implicit assumptions,
and some assumptions that are completely ignored.
It is important to appreciate that a failure rate is not an intrinsic and immutable property of a
piece of equipment, and an engineer involved either in collecting or using data must fully
understand the factors that influence failure rate derivation and use. This section discusses many
of the circumstances that can create variations in failure rates.
All of the above events would cause a pump “failure” over a period of time. Therefore, the
events would qualify for inclusion in the failure rate. So, at one extreme there might be six
catastrophic failures per sample time. However, a data analyst may decide that No. 2 is not a
relevant failure since the cause was neither a function of the equipment nor the operational
application, but was a mistake by an outside agent. The same might be said of No. 3. If a plant
had periodic inspections, the impeller corrosion in No. 5 might be detected before it became a
It is easy to see, therefore, that in one operating system six catastrophic failures would be
recorded, whereas in others the record would range through a combination of catastrophic,
degraded, or incipient failures until, with better filters, better operators, and frequent scheduled
maintenance, all the failures would be eliminated.
The uncertainties of data selection can be reduced by learning as much as possible about data
sets, including the taxonomy and equipment boundaries used; the type, design, and construction
of the equipment; the process medium; plant operation and maintenance programs; and failure
modes. OREDA, IEEE Std. 500-1984 and Reliability Data Book for components in Swedish
Nuclear Power Plants are examples of data sets that provide details of taxonomy, data origin,
treatment, and limitations. By knowing the background of the data pool, an engineer can more
easily choose appropriate data points.
The following pages provide examples of data sources as well as examples of industry data.
Leak Frequency
Equipment Type Small Medium Large Rupture
COLUMNBTM 8.00E-06 2.00E-05 2.00E-06 6.00E-07
COLUMNTOP 8.00E-06 2.00E-05 2.00E-06 6.00E-07
COMPC 0.00E+00 1.00E-03 1.00E-04 0.00E+00
COMPR 0.00E+00 6.00E-03 6.00E-04 0.00E+00
CONDENSER 4.00E-06 1.00E-05 1.00E-06 6.00E-07
CONDENSER-TS 4.00E-06 1.00E-05 1.00E-06 6.00E-07
DRUM 4.00E-06 1.00E-05 1.00E-06 6.00E-07
EXCHANGER 4.00E-06 1.00E-05 1.00E-06 6.00E-07
EXCHANGER-TS 4.00E-06 1.00E-05 1.00E-06 6.00E-07
FILTER 9.00E-04 1.00E-04 5.00E-05 1.00E-05
FINFAN 2.00E-03 3.00E-04 5.00E-08 2.00E-08
FINFANCOND 2.00E-03 3.00E-04 5.00E-08 2.00E-08
HEATER 0.00E+00 4.62E-06 1.32E-06 6.60E-07
KODRUM 4.00E-06 1.00E-05 1.00E-06 6.00E-07
PIPE->16 6.00E-08 2.00E-07 2.00E-08 1.00E-08
PIPE-0.75 1.00E-05 0.00E+00 0.00E+00 1.00E-06
PIPE-1 5.00E-06 0.00E+00 0.00E+00 5.00E-07
PIPE-10 2.00E-07 3.00E-07 4.00E-08 2.00E-08
PIPE-12 1.00E-07 3.00E-07 3.00E-08 1.50E-08
PIPE-16 1.00E-07 2.00E-07 2.50E-08 1.00E-08
PIPE-2 3.00E-06 0.00E+00 0.00E+00 3.00E-07
PIPE-4 9.00E-07 5.00E-07 0.00E+00 1.60E-07
PIPE-6 4.00E-07 4.00E-07 0.00E+00 8.00E-08
PIPE-8 3.00E-07 3.00E-07 5.00E-08 2.00E-08
PUMP1 6.00E-02 5.00E-04 1.00E-04 0.00E+00
PUMP2 6.00E-03 5.00E-04 1.00E-04 0.00E+00
PUMPR 7.00E-01 1.00E-02 1.00E-03 1.00E-03
REACTOR 1.00E-05 3.00E-05 3.00E-06 2.00E-06
TANK 1.00E-04 1.00E-04 1.00E-04 2.00E-06
TANK-FLOOR 7.20E-03 0.00E+00 0.00E+00 2.00E-05
There are several consequences that can occur from the failure of pressure equipment. These
consequences can include:
§ Safety and health of plant personnel and people outside the facility
§ The environment (short term and long term)
§ Economical effects (fines, litigation, lost production, repair,)
For the current discussion we will limit ourselves to safety and health effects. These effects can
be caused by:
The modeling of consequences can involve the use of analytical models to predict the effects of
certain scenarios. Many models exist for consequence modeling, and these could include
dispersion models, source term models, environmental effects modeling, blast and thermal
modeling, as well as the effects of mitigation devices. Many databases exist that contain data on
the toxic effects of materials on humans and the fire and blast effects on buildings and structures.
All these resources can be used to calculate consequence effects, but only those steps needed to
provide the appropriate information necessary to complete the program goals should be
considered.
The COF of a component can be calculated using many different methodologies. The type of
methodology used depends on what factors are important in the analysis, such as business
interruption, environmental issues, health, worst-case consequences, or a combination of these.
The consequences of a leak or failure can be modeled using sophisticated and complex programs
that incorporate leak rates, dispersion modeling, meteorological conditions, topography, and
population densities. These approaches need lots of data, are expensive, take time and experience
to complete, and arrive at a quantification of consequences that is usually expressed in dollar
terms or as affected area (square yards/feet). Even the most rigorous modeling requires
simplifying assumptions to complete.
[Figure: event tree for consequence of failure. A subcritical defect leak, pinhole or minor leak, leak, or gross failure is evaluated for potential damage mechanisms. Leak is not arrested or mitigated; leak continues, P4; (1-f4) = probability leak will disperse with no problems. Leak finds ignition source or receptor; destruction occurs, P5.]
Under the accidental release provisions of the Clean Air Act, regulated sources are required to
conduct hazard assessments, including offsite consequences analyses. This guidance is intended
to assist sources to conduct such offsite consequence analyses for worst-case release scenarios
involving regulated substances and alternative release scenarios. The worst-case consequence
analyses and the analyses for alternative scenarios are to be reported in the risk management plan
(RMP).
The Environmental Protection Agency (EPA) has defined a worst-case release as the release of
the largest quantity of a regulated substance from a vessel or process line failure that results in
the greatest distance to a specified endpoint. The largest quantity should be determined taking
into account administrative controls. Administrative controls are procedures that limit the
quantity of a substance that can be stored or processed in a vessel or pipe at any one time, or,
alternatively, procedures that occasionally allow the vessel or pipe to store larger than usual
quantities (e.g., during shutdown/turnaround). For the worst-case analysis, you do not need to
consider the possible causes of the worst-case release or the probability that such a release might
occur; the release is simply assumed to take place. All releases are assumed to take place at
ground level for the worst-case analysis.
Meteorological conditions for the worst-case scenario are defined for this guidance as
atmospheric stability Class F (stable atmosphere), wind speed of 1.5 meters per second
(3.4 miles per hour), and ambient air temperature of 25°C (77°F).
Two choices are provided for topography for the worst-case scenario. If your site is located in an
area with few buildings or other obstructions, you should assume open (rural) conditions. If your
site is in an urban location, or is in an area with many obstructions, you should assume urban
conditions.
The RMP rule allows operators to calculate a worst-case scenario and alternative scenario. The
requirements are shown in the following table:
The endpoint for air dispersion modeling to estimate the consequence distance for a release of a
toxic gas is presented for each regulated toxic gas in Exhibit B-1 of Appendix B of RMP rule.
The toxic endpoint is, in order of preference: (1) the Emergency Response Planning Guideline 2
(ERPG-2), developed by the American Industrial Hygiene Association (AIHA), or (2) the Level
of Concern (LOC) for extremely hazardous substances (EHSs) regulated under Section 302 of
the Emergency Planning and Community Right-to-Know Act (EPCRA). This endpoint was
chosen as the threshold for serious injury from exposure to a toxic substance in the air. (See
Appendix D, Section D.3, of RMP rule for additional information on the toxic endpoint.)
Toxic Liquids. For toxic liquids, the total quantity in a vessel is assumed to be spilled onto a
flat, non-absorbing surface. For toxic liquids carried in pipelines, the quantity that might be
released from the pipeline is assumed to form a pool. Passive mitigation systems (e.g., dikes)
may be taken into account in consequence analysis. The total quantity spilled is assumed to
spread instantaneously to a depth of 0.39 inch (one centimeter) in an undiked area or to cover a
diked area instantaneously. The release rate to air is estimated as the rate of evaporation from the
pool. If liquids at your site might be spilled onto a surface that could rapidly absorb the spilled
liquid (e.g., porous soil), the methods presented in this guidance may greatly overestimate the
consequences of a release. Consider using another method in such a case.
The endpoint for air dispersion modeling to estimate the consequence distance for a release of a
toxic liquid is presented for each regulated toxic liquid in Exhibit B-2 of Appendix B of RMP
rule. The toxic endpoint is, in order of preference: (1) the ERPG-2 or (2) the LOC for EHSs, as
for toxic gases.
Flammable Substances. For regulated flammable substances, including both flammable gases
and volatile flammable liquids, the worst-case release is assumed to result in a vapor cloud
containing the total quantity of the substance that could be released from a vessel or pipeline.
The entire quantity in the cloud is assumed to be between the upper and lower flammability
limits of the substance. For the worst-case consequence analysis, the vapor cloud is assumed to
detonate.
The endpoint for the consequence analysis of a vapor cloud explosion of a regulated flammable
substance is an overpressure of 1 pound per square inch (psi). This endpoint was chosen as the threshold for
potential serious injuries to people as a result of property damage caused by an explosion (e.g.,
injuries from flying glass from shattered windows or falling debris from damaged houses).
The following presents the steps you should follow in using this guidance to carry out an offsite
consequence analysis. Before carrying out one or more worst-case and/or alternative release
analyses, you will need to obtain several pieces of information about the regulated substances
you have, the area surrounding your site, and typical meteorological conditions:
After you have gathered the above information, you will need to take three steps (except for
flammable worst-case releases):
1. Select a scenario;
2. Determine the release or volatilization rate; and
3. Determine the distance to the endpoint.
This guidance provides reference tables giving worst-case distances for neutrally buoyant gases
and vapors and for dense gases and vapors for both rural (open) and urban (obstructed) areas.
Generic reference tables are provided for both 10-minute releases and 60-minute releases. You
should use the tables for 10-minute releases if the duration of your release is 10 minutes or less;
use the tables for 60-minute releases if the duration of your release is more than 10 minutes. For
the worst-case analysis, all releases of toxic gases are assumed to last for 10 minutes. You need
to consider the estimated duration of the release for evaporation of pools of toxic liquids. For
§ Find the toxic endpoint for the substance in Appendix B of the RMP rule.
§ Determine whether the table for neutrally buoyant or dense gases and vapors is
appropriate from Appendix B of the RMP rule. A toxic gas that is lighter than air may
behave as a dense gas upon release if it is liquefied under pressure, because the released
gas may be mixed with liquid droplets, or if it is cold. Consider the state of the released
gas when you decide which table is appropriate.
§ Determine whether the table for rural or urban conditions is appropriate.
• Use the rural table if your site is in an open area with few obstructions.
• Use the urban table if your site is in an urban or obstructed area. The urban tables are
appropriate if there are many obstructions in the area, even if it is in a remote location,
not in a city.
§ Determine whether the 10-minute table or the 60-minute table is appropriate.
• Always use the 10-minute table for worst-case releases of toxic gases.
• Always use the 10-minute table for worst-case releases of common water solutions
and oleum from evaporating pools, for both ambient and elevated temperatures.
• If you estimated the release duration for an evaporating toxic liquid pool to be 10
minutes or less, use the 10-minute table.
• If you estimated the release duration for an evaporating toxic liquid pool to be more
than 10 minutes, use the 60-minute table.
You estimated an evaporation rate of 307 pounds per minute for acrylonitrile from a pool formed
by the release of 20,000 pounds into an undiked area (Example 4). You estimated the time for
evaporation of the pool as 65 minutes. From Exhibit B-2, the toxic endpoint for acrylonitrile is
0.076 mg/L, and the appropriate reference table for a worst-case release of acrylonitrile is the
dense gas table. Your facility is in an urban area. You use Reference Table 8 for 60-minute
releases of dense gases in urban areas.
From Reference Table 8, the toxic endpoint closest to 0.076 mg/L is 0.075 mg/L, and the closest
release rate to 307 pounds per minute is 250 pounds per minute. Using these values, the table
gives a worst-case consequence distance of 2.9 miles.
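The table-selection steps and the acrylonitrile lookup above, written out as an added Python example (not part of the course notes or of the EPA guidance). The class and function names are hypothetical, the axis values are a constructed excerpt, and only the table number and the single distance quoted on this page are filled in.

```python
from dataclasses import dataclass
from typing import Optional

# The only reference table this page names: dense gas, urban, 60-minute.
KNOWN_TABLES = {("dense", "urban", 60): "Reference Table 8"}

# Constructed excerpt of that table's axes (assumption). The one distance the
# page quotes, 0.075 mg/L at 250 lb/min -> 2.9 miles, is the only cell filled.
ENDPOINTS_MG_PER_L = [0.05, 0.075, 0.1]
RATES_LB_PER_MIN = [150, 250, 500]
KNOWN_DISTANCES_MILES = {(0.075, 250): 2.9}


@dataclass
class ToxicRelease:
    is_gas: bool                      # False means an evaporating liquid pool
    appendix_b_dense: bool            # table type Appendix B gives for the substance
    obstructed_area: bool             # urban, or many obstructions even if remote
    worst_case: bool = True
    liquefied_under_pressure: bool = False
    cold: bool = False
    water_solution_or_oleum: bool = False
    duration_min: Optional[float] = None  # estimated release/evaporation time


def select_table(r: ToxicRelease):
    """Return (buoyancy, topography, table duration in minutes)."""
    # A lighter-than-air gas released liquefied under pressure or cold may
    # behave as a dense gas; this example simply treats it as dense.
    dense = r.appendix_b_dense or (
        r.is_gas and (r.liquefied_under_pressure or r.cold)
    )
    buoyancy = "dense" if dense else "neutrally buoyant"
    topography = "urban" if r.obstructed_area else "rural"

    # Worst-case toxic gases, and worst-case water solutions and oleum,
    # always use the 10-minute table regardless of estimated duration.
    if r.worst_case and (r.is_gas or r.water_solution_or_oleum):
        minutes = 10
    elif r.duration_min is None:
        raise ValueError("estimate the release duration before choosing a table")
    else:
        minutes = 10 if r.duration_min <= 10 else 60
    return buoyancy, topography, minutes


def closest(value: float, grid):
    """Nearest tabulated value; a tie resolves to the lower one (example's choice)."""
    return min(grid, key=lambda g: abs(g - value))


def worst_case_lookup(r: ToxicRelease, endpoint_mg_per_l: float,
                      rate_lb_per_min: float) -> dict:
    """Pick the table, then the nearest endpoint column and release-rate row."""
    key = select_table(r)
    column = closest(endpoint_mg_per_l, ENDPOINTS_MG_PER_L)
    row = closest(rate_lb_per_min, RATES_LB_PER_MIN)
    distance = None
    if key == ("dense", "urban", 60):
        distance = KNOWN_DISTANCES_MILES.get((column, row))
    return {
        "table": KNOWN_TABLES.get(key),   # None when the page does not name it
        "selection": key,
        "endpoint_column": column,
        "rate_row": row,
        "distance_miles": distance,       # None when the cell is not on this page
    }


if __name__ == "__main__":
    acrylonitrile = ToxicRelease(is_gas=False, appendix_b_dense=True,
                                 obstructed_area=True, duration_min=65)
    print(worst_case_lookup(acrylonitrile, 0.076, 307))
```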
For the worst-case scenario involving a release of flammable gases and volatile flammable
liquids, you must assume that the total quantity of the flammable substance forms a vapor cloud
within the upper and lower flammability limits and the cloud detonates. As a conservative worst-
case assumption, if you use the method presented here, you must assume that 10 percent of the
flammable vapor in the cloud participates in the explosion. You need to estimate the
consequence distance to an overpressure level of 1 pound per square inch (psi) from the
explosion of the vapor cloud. An overpressure of 1 psi may cause partial demolition of houses,
which can result in serious injuries to people, and shattering of glass windows, which may cause
skin laceration from flying glass.
The method presented here for analysis of vapor cloud explosions is based on a TNT-equivalent
model. Other methods are available for analysis of vapor cloud explosions, including methods
that consider site-specific conditions. You may use other methods for your worst-case analysis if
you so choose, provided you assume the total quantity of flammable substance is in the cloud
and use an endpoint of 1 psi. If you use a TNT-equivalent model, you must assume a yield factor
of 10 percent.
You have a tank containing 50,000 pounds of propane. From Reference Table 13, the distance to
1 psi overpressure is 0.3 miles for 50,000 pounds of propane.
Alternatively, you can calculate the distance to 1 psi using Equation C-2 from Appendix C:
You have a mixture of 8,000 pounds of ethylene (the reactant) and 2,000 pounds of isobutane (a
catalyst carrier). To carry out the worst-case analysis, estimate the heat of combustion of the
mixture from the heats of combustion of the components of the mixture. (Ethylene heat of
combustion = 47,145 kilojoules per kilogram; isobutane heat of combustion = 45,576). Using
Equation C-3, Appendix C:
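The propane and ethylene/isobutane calculations above, carried through as an added Python example (not part of the course notes). The 0.0081 factor for miles and pounds, the 4,680 kJ/kg heat of explosion of TNT and the propane heat of combustion are not printed on this page; they are assumed here from Appendix C of EPA's offsite consequence analysis guidance, and the function names are hypothetical.

```python
# Assumptions (not on this page; recalled from Appendix C of the EPA guidance):
HC_TNT_KJ_PER_KG = 4680.0   # heat of explosion of TNT
MILES_FACTOR = 0.0081       # scales the cube root of TNT-equivalent pounds to miles at 1 psi

# From the page: a TNT-equivalent worst-case analysis must use a 10 percent yield.
YIELD_FACTOR = 0.10

HEAT_OF_COMBUSTION_KJ_PER_KG = {
    "propane": 46333.0,     # assumption, not given on this page
    "ethylene": 47145.0,    # from the page
    "isobutane": 45576.0,   # from the page
}


def mixture_heat_of_combustion(pounds_by_component: dict) -> float:
    """Mass-weighted heat of combustion (kJ/kg) of a flammable mixture."""
    total = sum(pounds_by_component.values())
    if total <= 0:
        raise ValueError("total quantity must be positive")
    weighted = 0.0
    for name, pounds in pounds_by_component.items():
        if pounds < 0:
            raise ValueError(f"negative quantity for {name}")
        if name not in HEAT_OF_COMBUSTION_KJ_PER_KG:
            raise KeyError(f"no heat of combustion on file for {name}")
        weighted += (pounds / total) * HEAT_OF_COMBUSTION_KJ_PER_KG[name]
    return weighted


def distance_to_1_psi_miles(pounds_by_component: dict) -> float:
    """Worst-case distance to 1 psi for the whole quantity in the cloud."""
    total_pounds = sum(pounds_by_component.values())
    hc = mixture_heat_of_combustion(pounds_by_component)
    # TNT-equivalent mass: 10 percent of the combustion energy, expressed as TNT.
    tnt_equivalent_pounds = YIELD_FACTOR * total_pounds * hc / HC_TNT_KJ_PER_KG
    return MILES_FACTOR * tnt_equivalent_pounds ** (1.0 / 3.0)


if __name__ == "__main__":
    propane = {"propane": 50000}
    mixture = {"ethylene": 8000, "isobutane": 2000}
    print(f"propane: {distance_to_1_psi_miles(propane):.2f} miles")
    print(f"mixture heat of combustion: {mixture_heat_of_combustion(mixture):.1f} kJ/kg")
    print(f"mixture: {distance_to_1_psi_miles(mixture):.2f} miles")
```

For 50,000 pounds of propane the calculation rounds to the 0.3 miles read from Reference Table 13.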
Alternative release scenarios for toxic substances should be those that lead to concentrations
above the toxic endpoint beyond your fence line. Scenarios for flammable substances should
have the potential to cause substantial damage, including on-site damage. Those releases that
have the potential to reach the public are of the greatest concern.
For alternative release scenarios, you are allowed to consider active mitigation systems, such as
interlocks, shutdown systems, pressure relieving devices, flares, emergency isolation systems,
and firewater and deluge systems as well as passive mitigation systems.
Alternative release scenarios for flammable substances are somewhat more complicated than for
toxic substances because the consequences of a release and the endpoint of concern may vary.
For the worst case, the consequence of concern is a vapor cloud explosion, with an overpressure
endpoint. For alternative scenarios (e.g., fires), other endpoints (e.g., heat radiation) may need to
be considered.
§ Vapor cloud fires (flash fires) may result from dispersion of a cloud of flammable vapor
and ignition of the cloud following dispersion. Such a fire could flash back and could
represent a severe heat radiation hazard to anyone in the area of the cloud. This guidance
provides methods to estimate distances to a concentration equal to the lower flammability
limit (LFL) for this type of fire.
§ A pool fire, with potential radiant heat effects, may result from a spill of a flammable
liquid. This guidance provides a simple method for estimating the distance from a pool
fire to a radiant heat level that could cause second-degree burns from a 40-second
exposure.
§ A boiling liquid, expanding vapor explosion (BLEVE), leading to a fireball that may
produce intense heat, may occur if a vessel containing flammable material ruptures
explosively as a result of exposure to fire. Heat radiation from the fireball is the primary
hazard; vessel fragments and overpressure from the explosion also can result. BLEVEs
are generally considered unlikely events; however, if you think a BLEVE is possible at
your site, this guidance provides a method to estimate the distance at which radiant heat
effects might lead to second-degree burns.
§ You also may want to consider models or calculation methods to estimate effects of
vessel fragmentation.
§ For a vapor cloud explosion to occur, rapid release of a large quantity, turbulent
conditions (caused by a turbulent release or congested conditions in the area of the
INTRODUCTION
Scenario:
Causes:
Remedies:
Case Studies:
1. Bhopal
2. Challenger Accident
3. Three Mile Island
4. Chernobyl
INTRODUCTION
Although a process or plant can be modified to increase inherent safety at any time in its life
cycle, the potential for major improvements is greatest at the earliest stages of process
development. At these early stages, the process engineer has maximum degrees of freedom in the
plant and process specification. The engineer is free to consider basic process alternatives such
as fundamental technology and chemistry and the location of the plant.
Risk has been defined as a measure of economic loss or human injury in terms of both the
incident likelihood and the magnitude of the loss or injury (CCPS 1989). Thus, any effort to
reduce the risk arising from the operation of a chemical processing facility can be directed
toward reducing the likelihood of incidents (incident frequency), and reducing the magnitude of
the loss or injury should an incident occur (incident consequences), or some combination of both.
In general, the strategy for reducing risk, whether directed toward reducing frequency or
consequence of potential accidents, falls into one of the following categories:
§ Inherent or Intrinsic – Eliminating the hazard by using materials and process conditions
that are non-hazardous (e.g., substituting water for a flammable solvent).
§ Passive – Eliminating or minimizing the hazard by process and equipment design
features that do not eliminate the hazard, but do reduce either the frequency or
consequence of realization of the hazard without the need for any device to function
actively (e.g., the use of higher pressure rated equipment).
§ Active – Using controls, safety interlocks, and emergency shutdown systems to detect
potentially hazardous process deviations and take corrective action. These are commonly
referred to as engineering controls.
§ Procedural – Using operating procedures, administrative checks, emergency response and
other management approaches to prevent incidents, or to minimize the effects of an
incident. These are commonly referred to as administrative controls.
Risk control strategies in the first two categories, inherent and passive, are more reliable and
robust because they depend on the physical and chemical properties of the system rather than the
successful operation of instruments, devices, and procedures. Inherent and passive strategies are
not the same and are often confused. A truly inherently safer process will completely eliminate
Elimination/Substitution
Safer Conditions
§ Can the supply pressure of raw materials be limited to less than the working pressure of
the vessels they are delivered to?
§ Can reaction conditions (temperature, pressure) be made less severe by using a catalyst,
or by using a better catalyst?
§ Can the process be operated at less severe conditions? If this results in lower yield or
conversion, can raw material recycle compensate for this loss?
§ Is it possible to dilute hazardous raw materials to reduce the hazard potential? For
example:
• Aqueous ammonia instead of anhydrous
• Aqueous HCl instead of anhydrous
• Sulfuric acid instead of oleum
• Dilute nitric acid instead of concentrated fuming nitric acid
• Wet benzoyl peroxide instead of dry
1 From Hendershot 1991a
§ Can equipment be designed with sufficient strength to totally contain the maximum
pressure generated, even if the “worst credible event” occurs?
§ Is all equipment designed to totally contain the materials that might be present inside at
ambient temperature or the maximum attainable process temperature? (For example,
don’t rely on the proper functioning of external systems such as refrigeration systems to
control temperature such that vapor pressure is less than equipment design pressure.)
§ Can several process steps be carried out in separate processing vessels rather than a single
multipurpose vessel? This reduces complexity and the number of raw materials, utilities,
and auxiliary equipment connected to a specific vessel, thereby reducing the potential for
hazardous interactions.
§ Can equipment be designed such that it is difficult or impossible to create a potential
hazardous situation due to an operating error (for example, by opening an improper
combination of valves)?
Inventory Reduction
§ Have all in-process inventories of hazardous materials in storage tanks been minimized?
§ Are all of the proposed in-process storage tanks really needed?
§ Has all processing equipment handling hazardous material been designed to minimize
inventory?
§ Is process equipment located to minimize length of hazardous material piping?
§ Can piping sizes be reduced to minimize inventory?
§ Can other types of unit operations or equipment reduce material inventories? For
example:
• Wiped film stills in place of continuous still pots (distillation columns)
• Centrifugal extractors in place of extraction columns
• Flash dryers in place of tray dryers
• Continuous reactors in place of batch
• Plug flow reactors in place of continuous stirred tank reactors
• Continuous in-line mixers in place of mixing vessels
§ Is it possible to feed hazardous materials (for example, chlorine) as a gas instead of
liquid, to reduce pipeline inventories?
§ Is it possible to generate hazardous reactants in situ from less hazardous materials,
minimizing the need to store or transport large quantities of hazardous materials?
§ Can process units be located to reduce or eliminate adverse impacts from other adjacent
hazardous installations?
§ Can process units be located to eliminate or minimize:
• Off-site impacts?
• Impacts to employees on site?
• Impacts on other process or plant facilities?
§ Can the plant site be chosen to minimize the need for transportation of hazardous
materials and to use safer transport methods and routes?
§ Can a multi-step process, where the steps are done at separate sites, be divided up
differently to eliminate the need to transport hazardous materials?
Waste Minimization
§ Is it possible to recycle waste streams to reduce the need for waste treatment?
§ Have all solvents, diluents or other reactant “carriers” been reduced to minimum
quantities? Can they be eliminated entirely?
§ Have all washing operations been optimized to minimize the amount of wash water? Can
countercurrent washing improve efficiency?
§ Can valuable by-products be recovered from waste streams? Can the process be modified
to increase the concentration of by-products making recovery more feasible?
This section discusses ways to maximize process safety in the conceptual design and layout
stages of plant design. The quality of the basic design is more critical in determining the safety of
the plant than specific safety features added to minimize the hazards. As F.P. Lees (1980) points
out, the aim is to eliminate the hazard rather than devise measures to control it. The focus of this
chapter is avoiding and mitigating major releases of process materials by implementing safety
reviews at all stages of design from conceptual design to process design, site selection and plant
layout, and civil and structural design. Safety issues relevant to equipment selection and piping
are addressed in subsequent chapters.
Decisions made at the conceptual stages are crucial in forming the basis for process design.
Before beginning the design of the plant, safety elements should receive consideration by the
product and process research and development team, designers, and management. As illustrated
in the following figure, the timing of design changes can greatly influence their impact. The
opportunity for maximum inherent safety is greatest during early stages of design.
A related concept to inherently safer design is user-friendly design: designing equipment so that
human error or equipment failure does not have serious effects on safety (and also on output or
efficiency). While we try to prevent human errors and equipment failures, only very low failure
rates are acceptable when we are handling hazardous materials, and, as has been shown, it is hard
to achieve them. We should, therefore, try to design so that the effects of errors are not serious.
The following are some of the ways in which we can accomplish this:
§ By simplifying designs: complex plants contain more equipment that can fail, and there
are more ways in which human errors can occur.
§ By avoiding knock-on effects: for example, if storage tanks have weak seam roofs, an
explosion or overpressuring may blow the roof off, but the contents will not be spilled.
§ By making incorrect assembly impossible
§ By making the status of equipment clear. Thus, figure-8 plates are better than slip-plates,
as the position of the former is obvious at a glance, and valves with rising spindles are
better than valves in which the spindle does not rise. Ball valves are friendly if the
handles cannot be replaced in the wrong position.
§ Using equipment that can tolerate a degree of misuse. Thus, fixed pipework is safer than
hoses, and fixed pipework with expansion loops is safer than expansion joints (bellows).
Safe handling and storage of materials begins with an understanding of their physical and
chemical properties. Some important characteristics are listed in the table below. Data describing
the general properties of substances comprise some of the most useful and easily located
information about most chemical substances.
Property: Characteristics
General Properties: Boiling point; vapor pressure; freezing point; molecular weight; critical
pressure and temperature; electrical conductivity; fluid density and viscosity; thermal
properties (enthalpy, specific heat, heat of mixing)
Reactivity: Reactivity with water or air; potential for sudden violent reaction; sensitivity to
mechanical or thermal shock; polymerization; compatibility with materials of construction and
other process materials
Flammability: Flash point; autoignition temperature; flammability limits; self-heating; minimum
ignition energy
Toxicity: Threshold limit values; emergency exposure limits; lethal concentration LC50; lethal
dose LD50; exposure effects
Stability: Thermal stability; chemical stability; shelf life; products of decomposition
Various sources of recognized exposure limits for airborne contaminants are presented in the
table below. Refer to these sources or the EPA RMP rule to determine exposure limits under a
variety of circumstances.
FACILITY LAYOUT
Adequate separation is often achieved by dividing up a plant into process blocks of similar
hazards (e.g., process units, tank farms, loading/unloading operations, utilities, waste treatment,
support areas), and then separating individual operations or hazards within each block. The block
approach also serves to reduce the loss potential from catastrophic events, such as unconfined
vapor cloud explosions, and to improve accessibility for emergency operations. The traditional
approach is to use standards developed by the industry. Selected references for safe separation
distances include:
Once a site has been selected, the site layout is revised following the lines of the preliminary
layout and considering the site constraints. Site constraints include topographical and geological
features; weather; people, evacuation routes, activities and buildings in the vicinity; access to
utilities; treatment of effluents; and laws and regulations. When the site layout is complete, it
should be reviewed carefully for statutory requirements, consequences and mitigation measures,
ease of fire fighting and emergency operations.
§ Civil
§ Structural
§ Architectural design
Failures of structures such as foundations, walls, and supporting structures can rupture piping
and vessels and lead to a release of hazardous materials. As long as the structural loads are below or at the design limits,
failures are usually not a problem, because structural failure probabilities under such conditions
are usually one to three orders of magnitude smaller than the mechanical, electrical and
equipment failure probabilities. In rare situations, like natural hazards and explosions, these
structural failure probabilities must be incorporated into the risk assessment (Siting Studies).
Structural Design
To ensure the integrity of structures and equipment, design engineers must consider potential
natural hazards and events. Engineering design and construction efforts should be devoted to
hazardous materials containment systems as well as earthquake resistant construction. Relatively
minor damage in structural terms can become responsible for a large release. The goal of design
is to prevent leaks rather than just the prevention of a collapse. This could apply to all natural
events such as:
Architectural Design
The structural integrity of buildings, equipment, piping and supports and instrumentation and
control systems is essential in preventing loss of containment. Architectural design is important
for both worker and facility safety. Architectural design should impact:
Plant Utilities
The design of plant utilities is covered in most standard references. The table below highlights
scenarios in which loss or malfunction of a utility service results in the impact of other
equipment and the possible loss of containment.
PLANT MODIFICATIONS
The safety and integrity of a well-designed plant can be jeopardized by even a minor
modification to the process or equipment. It is critical that safety reviews consider the effects on
all interfacing systems and processes. Many of the familiar examples of plant explosions
illustrate this point (e.g., the Flixborough incident). In addition, modifications to the process,
such as changes in feedstock or operating conditions, must be analyzed for consequences. A
formal set of procedures is used to control both process and plant modifications.
Not only the design of plant modifications but also their implementation is a source of hazards. For
example, “inadequate isolation of equipment on which maintenance is to be carried out” (Lees
1980; Kilby 1968) frequently leads to formation of flammable mixtures.
Modifications often require emptying, purging, and cleaning, and these operations are frequently
not properly analyzed for safety issues (e.g., removal of flammables prior to welding). Welding
and hot tapping are inherently hazardous operations in plants where flammable and toxic
BIBLIOGRAPHY
Guidelines for Engineering Design for Process Safety, Center for Chemical Process Safety of the
American Institute of Chemical Engineers, New York, 1993.
INTRODUCTION
On a Saturday afternoon in 1974 a vapor cloud explosion occurred in the reactor section of the
caprolactam plant at the Flixborough Works (U.K.). Inside the plant, 28 people were killed and
another 36 were injured. Injuries and damage were widespread outside the Works. “The cause of
the Flixborough disaster was a modification to a 28 inch pipe connection between two
reactors…. The modification involved the installation of a temporary 20-inch pipe with bellows
at each end. The design of the pipe system was defective in that it did not take into account the
bending moments on the pipe due to the pressure in it.
Scenario:
Causes:
Remedies:
The discussion below follows the usual sequence of plant operations, first the unloading and
storing of raw materials and then the processing of the raw materials in various equipment items
to the final storage and loading of the finished product.
Loading and unloading facilities have long been recognized as plant operations with a high
potential for hazardous material accidents. This is due to a combination of the high traffic
required in the area compared to other plant operations, the problems of providing secondary
containment and safety shutoffs, the high probability of personnel exposure, and the constant
connection/disconnection between the transport containers and the fixed piping. While the actual
design of the loading/unloading facilities will differ greatly between plants, facilities may be
grouped into four general types:
§ Containers – for gas, liquid, or solid materials. Containers range from a gallon or less, to
the standard 55-gallon drums, to the relatively recent Flexible Intermediate Bulk
Containers (FIBC) that may contain 1 to 6 m³, with mass capacity ranging from
300-1000 kg.
§ Tank trucks/tank cars – for gas and liquid materials, tanks for overland transport ranging
from approximately 4,500 gallons to 35,000 gallons.
§ Bulk solid hopper cars and trucks – for powders, granular and lumpy solids, and pellets.
STORAGE
Storage areas on a facility usually contain the largest volume of hazardous materials. The main
concern in the design of storage installations for such liquids is to reduce the hazard of fire by
reducing the amount of spillage, controlling the spill and the resulting fire.
Detailed information on the mechanical design, fabrication and NDE of storage vessels is found
in many standards and references such as:
Whether intended for use at atmospheric, low pressure, or high pressure conditions, the primary
considerations in tank design are stresses, both pressure and thermal, including fire exposure.
The primary cause of buckling and failure in tanks is pulling vacuum on atmospheric storage
tanks.
This is by far the most common way in which tanks are damaged. The ways in which it occurs
are legion. Some are listed below. Sometimes it seems that operators show great ingenuity in
devising new ways of sucking in tanks!
Many of the incidents occurred because operators did not realize how fragile tanks are. They can
be overpressured easily but sucked in much more easily. While most tanks are designed to
withstand a gauge pressure of 8 in. of water (0.3 psi or 2 kPa), they are designed to withstand a
vacuum of only 2½ in. of water (0.1 psi or 0.6 kPa). This is the hydrostatic pressure at the bottom
of a cup of tea.
The following are some of the ways by which tanks have been sucked in. In some cases the vent
was made ineffective. In others the vent was too small.
a. Three vents were fitted with flame arrestors, which were not cleaned. After two years
they choked. The flame arrestors were scheduled for regular cleaning (every six months),
but this had been neglected due to pressure of work. (If you have flame arrestors on your
tanks, are you sure they are necessary?)
b. A loose blank was put on top of the vent to prevent fumes from coming out near a
walkway.
c. After a tank had been cleaned, a plastic bag was tied over the vent to keep dirt from
getting in. It was a hot day. When a sudden shower cooled the tank, it collapsed.
d. A tank was boxed up with some water inside. Rust formation used up some of the oxygen
in the air
e. While a tank was being steamed, a sudden thunderstorm cooled it so quickly that air
could not be drawn in fast enough. When steaming out a tank, a manhole should be
opened. Estimates of the vent area required range from 10-inch diameter to 20-inch
diameter.
f. Cold liquid was added to a tank containing hot liquid.
g. A pressure/vacuum valve (conservation vent) was assembled incorrectly – the pressure
and vacuum pallets were interchanged. Valves should be designed so that this cannot
occur. A pressure/vacuum valve was corroded by the contents of the tank.
PROCESS EQUIPMENT
Unit operations may include physical operations and further processing or preparation for further
reactions or for shipment. These operations include mixing or separating, size reduction or
enlargement and heat transfer. General hazards in physical operations are:
Both design and operations are important in maintaining the integrity of the process equipment.
Common causes of loss of containment for different process equipment items are shown on the
following pages.
PUMPS
The two main safety concerns when pumping highly toxic fluids are leaks and fugitive
emissions. With proper precautions, a wide variety of equipment is available: centrifugal pumps,
positive displacement pumps, liquid- or gas-driven pumps, and gas-pressurization or
vacuum-suction transfer systems. Other important criteria to be considered are materials of
construction, instrumentation to detect pump-component failure, methods to contain toxic
materials within the pump, and methods to control leaks and emissions (Grossel 1990). The
pumping system should be designed so that the pump does not operate deadheaded
for more than a very short period of time. “Deadheading” a pump can result
in excessive temperatures that can lead to high vapor pressure or decomposition reactions that
will blow the pump apart. Methods to maintain and detect a minimum flow through the pump or a
temperature rise in the pump may be required along with a shutdown interlock for heat sensitive
materials. A number of pump explosions have occurred where the material in the pump
overheated (even water). Deadheading the pump can cause pump overheating with bearing
burnout and flashing of the liquid in the pump, and the rupture of downstream piping if the
Operating centrifugal pumps at severely reduced flows can cause excessive vibration and
damage to drivers, piping and adjacent equipment; a minimum-flow recirculating line should be
installed to avoid the instability conditions caused by low flow rates. Minimum flow control is
usually required for large centrifugal pumps to prevent cavitation in the pump impeller and
subsequent damage to the pump. The minimum flow liquid should not pass directly from the
pump discharge to suction without consideration of cooling. Excessive heat buildup defeats the
purpose of the minimum flow, which is intended to prevent the liquid being pumped from
vaporizing and/or cavitating, which causes mechanical damage to the pump. Normally the
minimum flow stream passes from the discharge line back to the suction vessel. A temperature
sensor in the pump casing and vibration sensors in the bearings may be interlocked to shut off
the pump motor at excessive temperature or vibration. Close attention to the pump seal design
and configuration is important to reduce normal wear and leakage for flammable and toxic
service. Proper alignment will minimize mechanical seal failure.
BIBLIOGRAPHY
Guidelines for Engineering Design for Process Safety, Center for Chemical Process Safety of the
American Institute of Chemical Engineers, New York, 1993.
INTRODUCTION
Equipment service life is influenced by many factors, such as materials of construction, design
details, fabrication techniques, operating conditions, and inspection and maintenance procedures.
In recent years there have been many cases where materials have failed either without warning or
with warnings ignored. Material failures, while relatively infrequent, can be extremely severe,
resulting in catastrophic accidents. The best way to reduce the risk of material failure is to fully
understand the internal process, the exterior environment and failure modes, select materials for
the intended application, apply proper fabrication techniques and controls, and provide good
maintenance and inspection and repair techniques. Material failures due to mechanical and
structural failures are addressed in numerous other publications. This section will focus on
premature failure of materials due to corrosion, since corrosion failure is the major unpredictable
route to catastrophic loss of containment of hazardous materials.
Corrosion refers to the degradation or breakdown of materials due to chemical attack. Corrosion
is one of the most important process factors in material selection and yet the most difficult to
predict. In general, equipment service life can be predicted from well established general
corrosion data for specific materials in specific environments. However, the localized corrosion
is unpredictable, difficult to detect and can greatly reduce service life. Even more insidious are
subsurface corrosion phenomena. Some failure frequencies for different corrosion mechanisms
are shown in the table below:
Engineering Materials
Some of the elements are used as engineering materials in their pure elemental state. Many
metals fall into this category; beryllium, titanium, copper, gold, silver, platinum, lead, mercury,
and many of the refractory metals (W, Ta, Mo, Hf) are used to make industrial items. Many
metals are used in the pure state for electroplating durable goods, tools, and electrical devices:
Cr, Ni, Cd, Sn, Zn, Os, Re, Rh. In the nonmetal category, carbon is used in industrial
applications for motor brushes and wear parts and in the cubic form as diamond for tools. The
inert gases are other nonmetals that are used in the elemental (ions or molecules) form for
industrial applications for protective atmospheres and the like.
A larger percentage of engineering materials utilize the elements in combined forms, in alloys (a
metal combined with one or more other elements), in compounds (chemically combined
elements with definite proportions of the component elements), and, to a smaller degree, in
mixtures (a physical blend of two or more substances). These combinations of the elements can
be solids, liquids, or gases. Our discussions will concentrate on elements combined to make
solids.
We have depicted engineering materials as solids formed from various elements. A solid can be a
pure element such as gold; it can be a compound such as sand, a compound of silicon and
oxygen (SiO2); or it can be a combination of molecules.
1
By Kenneth G. Budinski
The engineering materials known as plastics are more correctly called polymers. This term
comes from the Greek words “poly,” which means many, and “meros,” which means parts.
Polymers are substances composed of long-chain repeating molecules (mers). In most cases the
element carbon forms the backbone of the chain (an organic material). The atoms in the
repeating molecule are strongly bonded (usually covalent), and the bonds between molecules
may be due to weaker secondary bonds or similar covalent bonds. The common polymer
polyethylene is composed of repeating ethylene molecules (C2H4).
A composite is a combination of two or more materials that has properties that the component
materials do not have by themselves. Nature made the first composites in living things. Wood is
a composite of cellulose fibers held together with a glue or matrix of soft lignin. In engineering
materials, composites are formed by coatings, internal additives, and laminating. An important
metal composite is clad metals.
SUMMARY
§ Some elements (mostly the metals) are used as engineering materials in elemental form.
The other engineering materials are made from compounds formed by the elements
(plastics, ceramics, and some composites).
§ The rules of chemistry and physics apply to engineering materials, chemistry in the
formation of materials, and physics (quantum mechanics and the like) in the study of
atomic reactions and atomic bonding.
§ We know quite a bit about why things happen and how to make a wide variety of
engineering materials. Future developments in materials will depend on new knowledge
When the average person shops for an automobile, he or she establishes selection criteria in
several areas – possibly size, appearance, performance, and cost. Certain things are desired in
each of these areas, and each automobile will have different characteristics in these areas. The
thoughtful car buyer will look at several brands and rate each in various categories and then
make a selection. The goal is usually the car that will provide the best service at an affordable
price. Material selection should be approached in this same manner.
Chemical properties are material characteristics that relate to the structure of a material and its
formation from our elements. These properties are usually measured in a chemical laboratory,
and they cannot be determined by visual observation. It is usually necessary to change or destroy
a material to measure a chemical property.
Mechanical properties are the characteristics of a material that are displayed when a force is
applied to the material. They usually relate to the elastic or inelastic behavior of the material, and
they often require the destruction of the material for measurement. Hardness is a mechanical
property because it is measured by scratching or by application of a force through a small
penetrator. This is considered to be destructive since even a scratch or indentation can destroy a
part for some applications. The term mechanical is applied to this category of properties since
they are usually used to indicate the suitability of a material for use in mechanical applications,
parts that carry a load, absorb shock, resist wear, and the like.
Dimensional properties are not listed in property handbooks, and they are not even a legitimate
category by most standards. However, the available size, shape, finish, and tolerances on
materials are often the most important selection factors. Thus, we have established a category of
properties relating to the shape of a material and its surface characteristics. Surface roughness is
a dimensional property. It is measurable and important for many applications.
Material properties apply to all classes of materials, but certain specific properties may only
apply to one particular class of materials. For example, flammability is an important chemical
property of plastics, but it is not very important in metals and ceramics. Metals and ceramics can
burn or sustain combustion under some conditions; but when a designer selects a metal or
§ Composition – The elemental or chemical components that make up a material and their
relative proportions.
§ Microstructure – The structure of polished and etched materials as revealed by
microscope magnifications greater than ten diameters; structure includes the phases
present, the morphology of the phases, and their volume fractions.
§ Crystal Structure – The ordered, repeating arrangement of atoms or molecules in a
material.
§ Stereospecificity – A tendency for polymers and molecular materials to form with an
ordered spatial three-dimensional arrangement of monomer molecules.
§ Corrosion Resistance – The ability of a material to resist deterioration by chemical or
electrochemical reaction with its environment.
Physical Properties
Mechanical Properties
§ Tensile Strength (ultimate strength) – The ratio of the maximum load in a tension test to
the original cross-sectional area of the test bar.
§ Yield Strength – The stress at which a material exhibits a specified deviation from
proportionality of stress and strain.
§ Compressive Strength – The maximum compressive stress that a material is capable of
withstanding (based on original area).
§ Modulus of Elasticity – The ratio of stress to strain in a material loaded below its yield
strength: a measure of rigidity.
§ Flexural Strength – The outer fiber stress developed when a material is loaded as a
simply supported beam and deflected to a certain value of strain.
§ Shear Strength – The stress required to produce fracture in the plane of the cross section
of a material. The conditions of loading are such that the directions of force and of
resistance are parallel and opposite.
§ Percent Elongation – In tensile testing, the increase in the gage length measured after the
specimen fractures within the gage length.
§ Percent Reduction in Area – In tensile testing, the difference, expressed as a percentage
of original area, between the original cross-sectional area of a tensile test specimen and
the minimum cross-sectional area measured after fracture.
§ Hardness – The resistance of a material to plastic deformation (usually by indentation).
§ Impact Strength – The amount of energy required to fracture a given volume of material.
§ Endurance Limit – The maximum stress below which a material can theoretically endure
an infinite number of stress cycles.
§ Compressive Yield Strength – The stress in compression at which a material exhibits a
specified deviation from the proportionality of stress and strain.
§ Creep – Time-dependent permanent strain under stress.
§ Creep Strength – The constant nominal stress that will cause a specified quantity of creep
in a given time at constant temperature.
Dimensional Properties
§ Roughness – Relatively finely spaced surface irregularities, the height, width, and
direction of which establish a definite surface pattern.
§ Waviness – A wavelike variation from a perfect surface; generally wider in spacing and
higher in amplitude than surface roughness.
§ Lay – The direction of a predominating surface pattern, usually after a machine
operation.
§ Camber – Deviation from edge straightness; usually the maximum deviation of an edge
from a straight line of given length.
§ Out of Flat – The deviation of a surface from a flat plane, usually over a macroscopic
area.
§ Surface Finish – The microscopic and macroscopic characteristics that describe a surface.
Why has carbon steel been chosen as the material of choice for car manufacturing?
§ Strength?
§ Formability?
§ Weldability?
§ Corrosion resistance?
§ Price?
§ Toughness?
§ Yield?
§ Strength-to-weight ratio?
§ Aesthetic appeal?
A. HIGH-STRENGTH STEEL
For:
§ Retains all existing technology
Against:
§ Weight saving only appreciable in designing against plastic flow
Use in selected applications, e.g. bumpers.
B. ALUMINIUM ALLOY
For:
§ Large weight saving in both body shell and engine block
§ Retains much existing technology
Against:
§ Unit cost higher
§ Deep drawing properties poor; loss in design flexibility
C. GFRP
For:
§ Large weight saving in body shell
§ Corrosion resistance excellent
§ Great gain in design flexibility and some parts consolidation
Against:
§ Unit cost higher
§ Massive changes in manufacturing
§ Designer must cope with some creep
GFRP offers savings of up to 30% in total car weight, at some
increase in unit cost and considerable capital investment in new
equipment. Best long-term solution.
Polymers
Plastics
§ The best plastics have a modulus of elasticity that is 1 million psi (6895 MPa). They
do not have the stiffness of metals.
§ Plastics expand at a rate that is at least ten times the rate of metals on heating. This must
be taken into consideration in assemblies.
§ Plastics cannot be fitted to the tolerance of metals. Sliding parts require running
clearances that are preferably about 10 mils (0.25 mm) per inch of size.
§ Plastics cannot be machined to the tolerances customary in metals; they significantly
change size with slight changes in environment. Tolerances closer than ±0.5% are often
unrealistic.
§ Plastics can be flammable to different degrees.
Ceramics
§ Engineering ceramics are not clay products, but mostly oxides, nitrides, and carbides that
are sintered to high density.
§ Ceramics get their high hardness and brittleness from strong ionic or covalent bonds
between atoms.
§ Most ceramics are crystalline.
§ Ceramics are brittle; strain-to-fracture may be less than 0.1%, compared to 20% for a
metal.
§ Ceramics are elastic to failure and they can withstand tensile loads as long as they are in
the elastic range.
§ Ceramics can have stiffnesses greater than steels.
§ Ceramics have lower thermal expansion rates than metals and plastics.
§ Ceramics have thermal conductivity similar to metals.
§ The critical flaw size to produce failure of a ceramic can be as small as 10 µm; the
critical flaw size for metals is typically in excess of 1000 µm.
§ Most ceramics cannot be machined after sintering; consider this in design.
§ Ceramics cannot be joined to themselves or other materials with ordinary welding
processes.
§ The mechanical properties of ceramics often depend on the grain size and the amount of
porosity after firing.
Metals
Alloys
§ Equilibrium diagrams provide profiles of alloy systems; the phases present, heat-treat
temperatures, compositions to avoid, temperatures to avoid, and so on.
§ The concept of solid solubility must be understood; many heat-treat operations are based
on the solubility characteristics of metals (quench hardening, precipitation hardening, and
the like).
§ Many metals of industrial importance are multiphase, and the relative amounts of various
phases present determine the properties of the alloy.
§ The stable phases in soft steel at room temperature are ferrite and cementite; martensite is
the hard phase.
§ The iron-carbon diagram is probably the most important reference on the metallurgy of
carbon steels.
§ The requirements for hardening a steel are (1) heating to the proper temperature, (2)
sufficient carbon content, and (3) adequate quench. All three must be met.
§ Quench-hardened steel always requires tempering to prevent brittleness.
§ Stress relieving is a subcritical process, but adequate temperature must be used for it to be
effective (1200°F [650°C] for most carbon steels).
§ Each hardenable steel has quenching requirements that must be met; IT diagrams are
used to predict quenching requirements.
§ All heat treatments over 1000°F (538°C) must be done in protective atmospheres if a
part’s surface or dimensions are important. Oxidation will occur.
§ Stress relieving should be considered on most parts with close dimensional tolerances.
§ Heat-treating drawing notes should show the type of steel, the desired process, the
desired hardness, and any special processing, such as deep freeze, or double temper.
Thus, material selection is still a part of the engineering process whether you design the machine
or if somebody else designs the machine. All the factors that would go into your own design
should also be considered when evaluating someone else’s design if it is your responsibility to
make the piece of equipment function. If the gray cast iron corrodes through in six months, it is
your fault, not the pump manufacturer’s. You bought the equipment, and it is the engineer’s
responsibility to buy something compatible with the intended service environment.
Budinski, Kenneth G., Senior Metallurgist, Eastman Kodak Company, Engineering Materials –
Properties and Selection, Prentice-Hall, Inc., 1992, 1989, 1983, 1979.
Guidelines for Engineering Design for Process Safety, Center for Chemical Process Safety of the
American Institute of Chemical Engineers, New York, 1993.
DESIGN LOADS
The forces applied to a vessel or its structural attachments are referred to as loads and, as in any
mechanical design, the first requirement in vessel design is to determine the actual values of the
loads and the conditions to which the vessel will be subjected in operation. These are determined
on the basis of past experience, design codes, calculations, or testing.
A design engineer should determine conditions and all pertaining data as thoroughly and
accurately as possible, and be rather conservative. The principal loads to be considered in the
design of pressure vessels are:
Many different combinations of the above loadings are possible; the designer must select the
most probable combination of simultaneous loads for an economical and safe design.
Generally, failures of pressure vessels can be traced to one of the following areas:
§ Material: improper selection for the service environment; defects, such as inclusions or
laminations; inadequate quality control;
§ Design: incorrect design conditions; carelessly prepared engineering computations and
specifications; oversimplified design computations in the absence of available correct
analytical solutions; and inadequate shop testing;
§ Fabrication: improper or insufficient fabrication procedures; inadequate inspection;
careless handling of special materials such as stainless steels;
§ Service: change of service conditions to more severe ones without adequate provision;
inexperienced maintenance personnel; inadequate inspection for corrosion.
Many combinations of loads considered in the design of pressure vessels may be possible, but
highly improbable; therefore it is consistent with good engineering practice to select only certain
sets of design loads, which can most probably occur simultaneously, as the design conditions for
pressure vessels. If a more severe loading combination does occur, the built-in safety factor is
usually large enough to allow only a permanent deformation of some structural member, without
crippling damage to the vessel itself.
It is standard engineering practice that all vessels and their supports must be designed and
constructed to resist the effects of the following combinations of design loads without exceeding
the design limit stresses. (In all combinations wind and earthquake loads need not be assumed to
occur simultaneously, and when a vessel is designed for both wind and earthquake, only the one
that produces the greater stresses need be considered.)
1. Erection (empty) design condition includes the erection (empty) dead load of the vessel
with full effects of wind or earthquake.
2. Operating design condition includes the design pressure plus any static liquid head, the
operating dead load of the vessel itself, the wind or earthquake loads, and any other
applicable operating effects such as vibration, impact and thermal loads.
3. Test design condition for a shop hydrotest, when the vessel is tested in a horizontal
position, includes only the hydrotest pressure plus the shop test weight of the vessel. For
a field test performed on location, the design condition includes the test pressure plus the
static head of the test liquid, and the field test dead load of the vessel. Wind or earthquake
loads need not be considered. All insulation or internal refractory is removed.
4. Short-time (overload) design condition includes the operating design condition plus any
effects of a short-time overload, emergency, startup, or shutdown operations, which may
result in increased design loads. At startup, the vessel is assumed to be cold and
connecting pipelines hot. Wind or earthquake need not be considered.
Introduction
After the design loads are determined and the maximum stresses due to the design loads are
computed, the designer must qualitatively evaluate the individual stresses by type, since not all
types of stresses or their combinations require the same safety factors in protection against
failure.
For instance, when a pressure part is loaded to and beyond the yield point by a mechanical
(static) force, such as internal pressure or weight, the yielding will continue until the part breaks,
unless strain hardening or stress distribution takes place. In vessel design, stresses caused by
such loads are called primary and their main characteristic is that they are not self limiting, i.e.,
they are not reduced in magnitude by the deformation they produce.
The practical difference between primary and secondary loads and stresses is obvious; the
criteria used to evaluate the safety of primary stresses should not be applied to the calculated
values of stresses produced by self-limiting loads. Some stresses produced by static loads, such as
the bending stresses at a gross structural discontinuity of a vessel shell under internal pressure,
have the same self-limiting properties as thermal stresses and can be treated similarly.
Stresses from the dynamic (impact) loads are much higher in intensity than stresses from static
loads of the same magnitude. A load is dynamic if the time of its application is smaller than the
largest natural period of vibration of the body.
General Design Criteria – ASME Pressure Vessel Code, Section VIII, Division 1
While Division 1 of the ASME Pressure Vessel Code, Section VIII provides the necessary
formulas to compute the required thicknesses and the corresponding membrane stresses of the
basic vessel components due to internal and external pressures, it leaves it up to the designer to
use analytical procedures for computing the stresses due to other loads. The user furnishes or
approves all design requirements for pressure vessels, U-2.
General Design Criteria – ASME Pressure Vessel Code, Section VIII, Division 2
Higher basic allowable stresses than in the Code Division 1 are permitted to achieve material
savings in vessel construction. Also increased stress limits for various load combinations are
allowed by using the factor k. To preserve the high degree of safety, strict design, fabrication,
and quality control requirements are imposed.
§ Specification of the design conditions, including all sufficient data pertaining to the
method of support, type of service (static or cyclic), and type of corrosion, is the
responsibility of the user. The report must be certified by a registered professional
engineer.
§ The structural soundness of the vessel becomes the responsibility of the manufacturer,
who is required to prepare all design computations proving that the design as shown on
the drawings complies with the requirements of the Division 2. Again, a registered
professional engineer experienced in the design of pressure vessels has to certify the
design report. Stress classification and a detailed stress analysis are required. Maximum-
shear failure theory is used in preference to maximum-distortion-energy theory not only
Basically, the stresses as they occur in vessel shells are divided into three distinct categories,
primary, secondary, and peak.
(a) General primary stress is imposed on the vessel by the equilibration of external and
internal mechanical forces. Any yielding through the entire shell thickness will not
distribute the stress, but will result in gross distortions, often carried to failure.
General primary stress is divided into primary membrane stress and primary bending
stress; the limit design method shows that a higher stress limit can be applied to the
primary bending stress than to the primary membrane stress. Typical examples of
general primary membrane stress in the vessel wall are: stress due to internal or
external pressure and stress due to vessel weight or external moments caused by wind
or seismic forces. A typical example of primary bending stress is the bending stress
due to pressure in flat heads.
(b) Local primary stress is produced by the design pressure alone or by other mechanical
loads. It has some self-limiting characteristics. If the local primary stress exceeds the
yield point of the material, the load is distributed and carried by other parts of the
vessel. However, such yielding could lead to excessive and unacceptable
deformations, so it is necessary to assign a lower allowable stress limit to this type of
stress than to secondary stresses. An important property of local primary stress is that
the maximum stress remains localized and diminishes rapidly with distance from the
point of load application. Local primary stress can be divided into direct membrane
stress and bending stress. Both, however, have the same stress intensity limits.
Typical examples of local primary stress are stresses at supports and local membrane
stresses due to internal pressure at structural discontinuities.
2. The basic characteristic of secondary stress is that it is self-limiting. Minor yielding will
reduce the forces causing excessive stresses. Secondary stress can be divided into
membrane stress and bending stress, but both are controlled by the same limit stress
3. Peak stress is the highest stress at some local point under consideration. In case of
failure, peak stress does not generate any noticeable distortion, but it can be a source of
fatigue cracks, stress-corrosion, and delayed fractures. Generally, the computation of the
peak stresses is required only for vessels in cyclic service as defined by AD-160. Typical
examples of peak stress are thermal stress in carbon steel plate with stainless steel
integral cladding and stress concentrations due to local structural discontinuities such as a
notch, a small-radius fillet, a hole, or an incomplete penetration weld.
Fatigue Design
Nearly all materials subject to cyclic loads break at stresses much lower than the rupture stresses
produced by steady loads. This phenomenon is referred to as fatigue. When the design conditions
involve varying or alternating mechanical or thermal loads, a fatigue analysis has to be made
under the Code Div. 2 rules. The permissible design stress must be based on the Code Div. 2
fatigue strength.
Division 1 of the ASME Pressure Vessel Code, Section VIII provides the necessary formulas to
compute the required thicknesses and the corresponding membrane stresses of the basic vessel
components due to internal and external pressures.
3. Subsection C Materials
Part UNC Carbon steel
Part UNF Nonferrous
Part UHA High alloy steel
Part UCI Cast iron
Part UCL Cladding and weld overlay
Part UCD Cast ductile iron
Part UHT Heat-treated ferritic steels
Part ULW Layered construction
Part ULT Low-temperature materials
§ Cylindrical Shells
§ Spherical Shells, Heads and Transition Sections
§ Flat Plates, Covers and Flanges
§ Openings and reinforcements
§ Attachments, nozzles and piping
§ Special Components
For the purpose of this course only cylindrical shells will be considered.
Introduction
In structural analysis, all structures with shapes resembling curved plates, closed or open, are
referred to as shells. In pressure vessel design, pressure vessels are closed containers for the
containment of pressure. Most pressure vessels in industrial practice basically consist of a few
shapes:
§ Spherical
§ Cylindrical
§ Hemispherical, ellipsoidal, conical, toriconical, torispherical
§ Flat end
The shell components are welded together, sometimes bolted together by means of flanges,
forming a shell with a common rotational axis.
Generally, the shell elements used are axisymmetrical surfaces of revolution, formed by rotation
of a plane curve or a simple straight line, called a meridian or generator, about an axis of rotation
in the plane of the meridian. The plane is called meridional plane and contains the principal
meridional radius of curvature. Only such shells will be considered in all subsequent discussions.
For analysis, the geometry of such shells has to be specified using the form of the midwall
surface, usually the two principal radii of curvature, and the wall thickness at every point. The
angles $\theta$, $\phi$ and the radius $R$ can locate a point on a shell. In engineering strength of materials a
shell is treated as thin if the wall thickness is quite small in comparison with the other two
dimensions and the ratio of the wall thickness $t$ to the minimum principal radius of curvature is
$R_t/t > 10$ or $R_L/t > 10$. This also means that the tensile, compressive, or shear stresses produced by
the external loads in the shell wall can be assumed to be equally distributed over the wall
thickness.
The cylindrical shell is the most frequently used geometrical shape in pressure vessel design. It is
developed by rotating a straight line parallel with the axis of rotation. The meridional radius of
curvature is $R_L = \infty$ and the second, minimum radius of curvature is the radius of the formed
cylinder, $R_t = R$. The stresses in a closed-end cylindrical shell under internal pressure $P$ can be
computed from the conditions of static equilibrium shown in following figure.
Inside radius:
$$t = \frac{P\,r}{S E - 0.6\,P} \qquad P = \frac{S E\,t}{r + 0.6\,t}$$
Outside radius:
$$t = \frac{P\,r_o}{S E + 0.4\,P} \qquad P = \frac{S E\,t}{r_o - 0.4\,t}$$
Material: SA-516-70
Inside diameter: 8 ft (96 inch)
Internal design pressure: 100 psi at 450°F
Corrosion allowance: 0.125 inch
Joint efficiency: 0.85
Allowable stress: 17,500 psi at 450°F
$$t = \frac{P\,r}{S E - 0.6\,P} + \text{corrosion} = \frac{100 \times 48.125}{17{,}500 \times 0.85 - 0.6 \times 100} + 0.125 = 0.45 \text{ inch (or 11.4 mm)}$$
WORK EXAMPLE
Given: Pressure vessel with cylindrical shell and flat end plates, fabricated from carbon steel
material.
A. Determine the volume (V), minimum wall thickness (t), and outer diameter (OD) of the
vessel.
$t_{plate} = d\,(C P / S E)^{1/2}$
§ Temperature: ºF = 9/5 * ºC + 32
§ Length: 1 inch = 0.0254 meter
§ Stress (pressure): 1 psi = 6.895 × 10^3 Pa
§ Area circle = πD^2/4
§ Volume cylinder = Area * Length
Allowable stress is based on Tensile and Yield strengths of the material. It is determined by the
lower value from the following computations.
BIBLIOGRAPHY
Bednar, Henry H., P.E., Pressure Vessel Design Handbook, Second Edition, Van Nostrand
Reinhold Company Inc., 1986.
The foundation for safe piping design is provided by the codes and standards that are available
throughout the industrial community. Engineers select applicable codes and standards as the
minimum requirements for the design of a safe chemical facility. There are many sound and
accepted industrial standards and codes throughout the world, but this chapter will focus on those
used in the United States.
“Loss of containment from a pressure system generally occurs not from pressure vessels but
from pipework and associated fittings. It is important, therefore, to pay at least as much attention
to the pipework as to the vessels” (Lees 1980). The purpose of this chapter is to provide
information on safe engineering practices in the areas of detailed piping and valve specifications,
piping flexibility analysis, piping supports, special piping materials of construction and
maintenance in accordance with the proper ASME B31 code. The chapter will focus on process
lines carrying hazardous materials.
Codes of practice and standards address the solutions to common problems, but establish only
minimum design, fabrication, testing, and examination requirements for average service. Many
circumstances relating to service, operation, materials and fabrication, inspection or unusual
design deserve special consideration if the resulting piping systems are to operate safely and be
reasonably free from frequent maintenance. Standards and codes of practice related to the safe
design of piping are the following codes issued by American Society of Mechanical Engineers
(ASME); those also approved by American National Standards Institute (ANSI) are indicated
with an asterisk:
These various sections provide different margins of safety for pressure piping systems, based on
service considerations and industry experience.
Of all the ASME B31 series piping codes, only ASME B31.3 clearly defines special
requirements for toxic fluid services. The code defines Category M Fluid Service as that which
has the potential for serious harm to personnel. A single exposure to a very small quantity of a
For process piping (using ASME B31.3) the minimum thickness requirement is calculated as:
$$t = \frac{P \cdot d}{2\,(S \cdot E + P \cdot y)} \qquad P = \frac{2 \cdot S \cdot E \cdot t}{d - 2 \cdot y \cdot t}$$
with $t < d/6$
Calculated Example
Material: A-53-B
Outside diameter: 12.75 in
Internal design pressure: 605 psi at 536°F
Corrosion allowance: 0.0 in
Temperature factor: 0.4
Joint efficiency: 1.00
Allowable stress: 18,324 psi
Thickness requirement:
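The two thickness formulas in these notes (the vessel shell formula and the process piping formula with its inverse), as an added Python example that is not part of the original course notes. It assumes the "Temperature factor: 0.4" listed above is the coefficient y in the piping formula and that corrosion allowance is added to the piping thickness the same way as for the vessel shell; the function names are hypothetical.

```python
"""Wall-thickness checks for the two formulas in these notes (added example)."""


def shell_thickness(P, r, S, E, corrosion=0.0):
    """Vessel shell: t = P*r / (S*E - 0.6*P) + corrosion.

    P: internal design pressure (psi), r: radius (in),
    S: allowable stress (psi), E: joint efficiency, corrosion: allowance (in).
    """
    denom = S * E - 0.6 * P
    if denom <= 0:
        raise ValueError("S*E - 0.6*P must be positive")
    return P * r / denom + corrosion


def pipe_thickness(P, d, S, E, y, corrosion=0.0):
    """Process piping: t = P*d / (2*(S*E + P*y)), valid only while t < d/6.

    d: outside diameter (in), y: coefficient (assumed to be the notes'
    'temperature factor'). Corrosion is added afterwards (assumption).
    """
    t = P * d / (2.0 * (S * E + P * y))
    if t >= d / 6.0:
        raise ValueError("t >= d/6: the thin-wall formula does not apply")
    return t + corrosion


def pipe_pressure(t, d, S, E, y):
    """Inverse of the piping formula: P = 2*S*E*t / (d - 2*y*t).

    t is the pressure thickness, i.e. with any corrosion allowance removed.
    """
    if t >= d / 6.0:
        raise ValueError("t >= d/6: the thin-wall formula does not apply")
    return 2.0 * S * E * t / (d - 2.0 * y * t)


def inch_to_mm(x):
    """Length conversion from the notes: 1 inch = 0.0254 meter."""
    return x * 25.4


if __name__ == "__main__":
    # Vessel example from the notes: 100 psi, r = 48.125 in, S = 17,500 psi,
    # E = 0.85, corrosion allowance 0.125 in.
    t_shell = shell_thickness(100, 48.125, 17_500, 0.85, corrosion=0.125)
    print(f"shell: {t_shell:.2f} in ({inch_to_mm(t_shell):.1f} mm)")

    # Piping example from the notes: 605 psi, OD 12.75 in, S = 18,324 psi,
    # E = 1.00, y = 0.4 (assumed), corrosion allowance 0.0 in.
    t_pipe = pipe_thickness(605, 12.75, 18_324, 1.00, 0.4, corrosion=0.0)
    print(f"pipe:  {t_pipe:.4f} in ({inch_to_mm(t_pipe):.2f} mm)")

    # Round trip: the inverse formula should give back the design pressure.
    print(f"check: {pipe_pressure(t_pipe, 12.75, 18_324, 1.00, 0.4):.1f} psi")
```

Feeding the computed piping thickness back through the inverse formula is a quick check that inputs were not transposed when a calculation sheet is reviewed.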
When did you last consider your spring hangers and supports? Spring hangers and piping
supports are an essential part of any process piping system, but these important components are
often neglected when it comes to maintenance and inspection. This can lead to the following:
These products of forgotten or neglected maintenance can eventually lead to costly and
catastrophic failures of process piping systems.
Hot and cold walkdown inspections and stress analysis of spring hangers and supports are
essential for correct operation. This could include:
The results of the walkdowns will provide all design and as-built documentation and will include
data gathered in the field. Reports containing recommendations for preventing future problems
and methods to upgrade the hangers and supports to obtain a longer service life should be
documented.
The Code requirements for valves include ANSI B16.34, B16.5, and MSS Standards.
§ The key to safe valve selection and installation lies in the generic specifications written
for the plant, with specific requirements created only for well-defined purposes. The
factors that need to be addressed in creating these specifications are discussed below.
§ The service that the valve will perform (on/off, throttling, back-flow prevention, etc.),
including the pressure drop and the amount of permissible leakage through the valve, will
determine the type of valve (gate, ball, diaphragm, etc.) that can be used.
§ The need to visually determine the operating position (open/closed) of the valve may also
be a factor. Visual determination is evident on rising stem gate valves and quarter turn
valves (butterfly, plug, and ball). Other types of valves may require indicator attachments
to allow for visual identification.
Welded joints will limit the number of points susceptible to leakage but these also pose problems
when maintenance is required. Proper tightening of flange joints and selection of bolts and
gaskets will lead to minimal leakage at flange joints.
§ Welded Fittings – The preferred method where fugitive emission control is a primary
issue.
§ Quick Connect – These should not be used in hazardous service.
§ Screwed or Threaded – These are used primarily for instrumentation and maintenance
and also for non-hazardous fluids. ASME B31.3 Code restricts size range based on fluid
service.
§ Bolted, Flanged Connections – For these connections, the raised face is typical; a ring
type joint provides a better seal; and a ring type with smooth finish allows the least
leakage.
In order to keep the joint tight and keep leakage to a minimum, the following issues may need to
be considered:
§ Specification of surface finish (e.g., smoother finish for hazardous or toxic materials;
stock finish for general process).
§ Choice of bolting materials.
§ Welding technique: weldneck flanges provide better alignment.
§ Imbedment and relaxation losses are inherent to a bolted, gasketed assembly, but can be
compensated for.
§ Choice of gasket material and design. The trend is to the use of metallic spiral wound
gaskets. However, these require proper installation or they can leak badly. Russell (1974)
discusses problems with spiral-wound gaskets and installation requirements for safe
operation.
§ Installation procedure and inspection for leak tightness.
The following concerns are typically included in design of piping systems and valves (adapted
from CCPS 1992).
Piping Systems
§ Have all piping systems handling toxic or lethal materials been identified? (For example,
piping handling hydrogen cyanide, nitrogen, etc.)
§ Does the piping need to be designed to contain a deflagration? A detonation?
§ Are special monitoring provisions provided for overflow lines, which have a tendency to
plug? (For example, lines in caustic service)
§ Has the proper metallurgy been selected for the fluid transported? Have deleterious
materials of construction been avoided? (For example, has copper or brass been
Valves
§ Have “air to open” control valves been selected for those remote valves that you want to
activate closed during a fire event and has plastic air tubing been provided?
§ Are the valves that must be manually opened or closed during an emergency capable of
remote operation?
§ Have the valves, nipples (open ended), etc. used in pressurized flammable, lethal gas or
oxygen service been capped off?
§ Have the valves and piping, etc. in chloride or oxygen service been degreased before start
up (and/or after repair)?
§ Have excess flow check valves been installed in pressurized hazardous gas systems such
as those involving ammonia, chlorine, hydrogen, etc.?
§ Have the piping systems been analyzed for stresses and movement due to thermal
expansion?
§ Are the piping systems properly supported and guided?
§ Have the piping systems been provided with freezing protection, particularly cold water
lines, instrument connections, lines in dead end service such as piping in standby pumps?
§ Have cast iron valves and fittings been eliminated from piping that is subjected to strain
or shock service?
§ Have non-rising stem valves been avoided where possible and has a visual indication of
valve position been provided?
§ Have double block and bleed valves been provided on battery limit piping and/or
emergency interconnections to ensure positive isolation and/or to prevent
cross-contamination where this is undesirable?
§ Has a means of draining and trapping condensate from steam piping been provided?
BIBLIOGRAPHY
Bednar, Henry H., P.E., Pressure Vessel Design Handbook, Second Edition, Van Nostrand
Reinhold Company Inc., 1986.
Center for Chemical Process Safety, American Institute of Chemical Engineers, Guidelines for
Engineering Design for Process Safety, 1993.
All pressure vessels within the scope of ASME section VIII, irrespective of size or pressure,
shall be provided with pressure relief devices in accordance with the requirements of UG-125
through UG-137. It is the responsibility of the user to ensure that the required pressure relief devices are
properly installed prior to initial operation.
A pressure relief device is actuated by inlet static pressure and designed to open during
emergency or abnormal conditions to prevent a rise of internal fluid pressure in excess of the
specified design pressure. The device may also be designed to prevent excessive internal
vacuum. The device may be a pressure relief valve, non-reclosing pressure relief valve or a
vacuum relief valve.
Common examples include direct spring loaded pressure relief valves, pilot operated pressure
relief valves, rupture discs, weight loaded devices and pressure and/or vacuum vent valves.
A pressure relief valve is a pressure relief device designed to open and relieve excess pressure
and to reclose and prevent further flow of fluid after normal conditions have been restored. The
valve opens when its upstream pressure reaches the opening pressure. It then allows fluid to flow
until the upstream pressure reaches the closing pressure. It then closes preventing further flow.
Examples include safety valve, relief valve, balanced safety relief valve and pilot operated
pressure relief valve.
Safety valve – A safety valve is a direct spring loaded pressure relief valve that is actuated by the
static pressure upstream of the valve and characterized by rapid opening or a pop action. It is
normally used with compressible fluids and should not be used in:
§ Corrosive service
Relief Valve – A relief valve is a direct spring loaded pressure relief valve actuated by the static
pressure directly upstream of the valve. These valves have closed bonnets to prevent the release
of corrosive, toxic, flammable or expensive liquids. An example is shown in the figure below.
[Figure: Relief Valve]
Conventional Safety Relief Valve – Is a direct spring loaded pressure relief valve whose
operational characteristics are directly affected by changes in the back pressure.
Balanced Safety Relief Valve – Is a direct spring loaded pressure relief valve that incorporates a
bellows or other means for minimizing the effect of back pressure on the operational
characteristics of the valve.
Pilot operated pressure relief valve – Is a pressure relief valve in which the major pressure
relieving device or main valve is combined or controlled by a self actuating auxiliary pressure
relief valve (pilot).
A pressure and/or vacuum vent valve is an automatic pressure or vacuum relieving device
actuated by the pressure or vacuum in the protected equipment. There are three basic categories:
Pressure and/or vacuum vent valves are not normally used in applications requiring a set pressure
greater than 103 kPa.
The combination of a rupture disk holder and rupture disk is known as a rupture disk device. It is
a non-reclosing pressure relief valve actuated by the static differential pressure between the inlet
and outlet of the device. It is shown in the following figure. Types of rupture disks include:
§ Corrosion
§ Damaged seating surfaces
§ Failed springs
§ Improper setting and adjustment
§ Plugging and sticking
§ Misapplication of materials
§ Improper location, history or identification
§ Poor handling
§ Improper differential between operating and set pressures
§ Improper discharge piping test
Pressure relieving devices are installed on process equipment to release pressure due to
operational upsets, external fires and other hazards. These hazards are discussed in API 520 and
521. Failure of a device to function properly when needed could result in the overpressure of
Periodically pressure relief devices need to be removed, disassembled and inspected. These
inspections are referred to as shop inspections or overhaul. Details for the inspection of pressure
relief devices are given in API 576.
Very few incidents occur because of faults in relief valves themselves. When equipment is
damaged because the pressure could not be relieved, someone usually finds afterwards that the
relief valve was isolated, or interfered with in some way.
All companies need to keep a register of relief valves and test them regularly (every one to two
years) and not to allow sizes to be changed without proper calculations and documentation.
Equipment has been over pressured because the following items had not been registered or had
been overlooked:
Some vessels are provided with two full size valves so that one can be changed online. On the
plant side of the relief valve, isolation valves are usually provided below each relief valve, so
that one relief valve is always open to the plant. If the relief valve discharges into the flare
system, it is not usual to provide such valves on the flare side. Instead the valve is normally
removed and a blank is installed for a short period. This practice can lead to problems and
possibly explosions. Removing the valve and fitting a blank is satisfactory if the operators make
sure, before the valve is removed, that the plant is steady and that the valve is not likely to lift.
Unfortunately such instructions lapse with time. Several accidents have occurred because of this.
Here are some common examples of faults in relief valves themselves. These are the result of
poor maintenance practices.
The types of computers involved in process control in today’s chemical plants range from mini-
computers to microcomputers and can be found in the basic process control system as well as in
sensors and final control elements. While increased automation may reduce the potential for
operator error, new types of faults may be introduced by the application of computer technology.
A summary of current practice in the area of safe automation is provided in Guidelines for Safe
Automation of Chemical Processes, known as the Safe Automation Guidelines (CCPS 1993).
When evaluating safety, it is important to realize that programmable electronic equipment is
fundamentally different from other equipment. For example, it is not always easy to predict the
effects of the failure of a programmable electronic system (PES), or even find out where the
fault lies. It is essential to follow systematic steps, which may include:
§ Hazard Analysis
§ Identification of Safety Related System
§ Determination of the Required Safety Level
§ Design of the Safety Related Systems
§ Safety Analysis
The concept of safety layers of protection (described in chapter 8) also applies to the design of
control systems. Facilities with process hazards should be designed with multiple layers of
protection. A Safety Interlock System (SIS) or the emergency shutdown system (ESD) may be
the next level of protection. The SIS provides automatic action to correct abnormal plant events,
which have not been mitigated by action in the inner layers. An SIS system functions only when
normal process controls are inadequate to keep the process within acceptable boundaries.
Subsequent layers may provide physical means to mitigate the situation, such as vents and dikes.
SAFETY SYSTEMS
Information that fully describes all of the safety systems and functions in the plant. This will
cover a broad range of mechanical and electrical equipment. The following is a general list of the
type of systems and equipment involved:
§ Control interlocks that automatically inhibit the operation of critical equipment until
certain process parameters are within acceptable ranges. The interlocks either stop
equipment that is running or prohibit the starting of standby or idle equipment.
ALARM SYSTEMS
Development of the alarm system includes determining what parameters should be alarmed, how
they should be alarmed and how they should address operator response. The need for a stand-alone
dedicated alarm system, even when modern PES controls are implemented, continues for two
primary reasons. First, with modern distributed alarm systems there is a tendency to over-alarm.
This tendency compromises reliability and safety of an alarm system. Consequently a dedicated
alarm has the ability to draw attention to specific information. The second factor contributing to
stand-alone systems is the desire to provide redundancy for critical alarm functions. This provides
added security in the event of a workstation failure.
Reliability and availability goals of a safety system should be taken into consideration during the
design phase of the safety system when redundancy and failure modes are addressed. However,
no safety system can be presumed to perform its intended function under abnormal conditions
every time. Under normal conditions the safety components remain in one position over an
extended period of time and may become fixed. It is therefore mandatory to conduct regularly
scheduled testing to exercise these components periodically and thus ensure operation.
Safety system components typically are thought of as the initiating device (sensors), the interlock
circuit and the final control device. However a testing bypass, used to facilitate the online testing
of the safety components should also be considered as an integral component of the system.
It is imperative that administrative controls regarding bypass testing be clear and thorough so
that bypassing occurs only when appropriate, all appropriate personnel are aware of the bypass
status, and that all systems are properly activated following testing and maintenance.
The development of a PES system requires a team approach consisting of the following players:
§ Process Engineer
§ Instrument Engineer
§ Process Hazards Engineer
§ Operations Representative
§ Maintenance Representative
§ Materials Engineer
§ Process Dynamics Consultant – dynamic analysis and testing of system
§ Material Balance
§ Energy Balance
§ Mitigation of Hazardous Events
§ Product Quality
§ Energy Consumption
§ Hazards Identification
§ Process Control Dynamics
§ Materials of Construction
§ Operational Requirements
§ Maintenance Requirements
§ Miscellaneous requirements
Some important aspects of control and instrument systems, from a safety viewpoint, are:
1. Allocation of supervisory roles between operator and automatic control systems must be
analyzed.
2. Each design should be checked in detail for the need of an elaborate instrumentation
system based on potential hazards and operating difficulties. Before deciding to provide
an elaborate system to combat the hazards, determine whether the hazards can be reduced
by changing the basic process design.
3. The control and instrumentation design philosophy should be clearly defined early in the
design process. The philosophy includes process characteristics and disturbances, the
plant operational constraints, the scope of control systems, the role of plant operations,
and the administration of fault conditions.
4. The design philosophy should also cover monitoring instrumentation, display, hard-wired
alarms, protective systems, interlocks, trips, emergency isolation and use of
manual/analog computer control.
The following pages provide a self assessment guide to aid you in determining if your safety
instrumented system conforms to certain requirements of the industry consensus standard
ANSI/ISA S84.01, Application of Safety Instrumented Systems in the Process Industries (1996).
(Exida).
In addition to the Safety Requirements Specification, the standard contains numerous other
requirements. Our customers frequently ask for assistance in these areas:
§ Detailed Design of the Logic Solver, Sensors, Final Control Elements, Operator
Interfaces, Maintenance/Engineering Interfaces, Communications Interfaces, Power
Sources, System Environment, and Application Logic.
§ Verification that the detailed design is capable of meeting the required SIL rating through
quantitative reliability analysis.
§ Installation and commissioning - including a Pre-Startup Acceptance Test to provide a
full functional test of the SIS and to show conformance with the Safety Requirements
Specification.
§ SIS Operation and Maintenance – including procedures for operation, maintenance and
testing of the SIS that conform with the Safety Requirements Specification.
Inherent safety principles apply at all stages in a process life cycle. While the biggest gains are
achieved early, through the selection of inherently safer process technology, there are many
opportunities for enhancing the inherent safety and reliability of a plant at the detailed design
stage. This insight discusses specific methods and materials for accomplishing safety and
reliability in a plant, including examples of pump and compressor selection, vessel design,
human factors in equipment design, and design modifications to reduce the frequency of plant
startup and shutdown. This insight also explores the connection between the inherent safety of a
plant and plant reliability.
INTRODUCTION
Inherently safe process design – the elimination or substantial reduction of hazards from a
manufacturing process, rather than the application of engineering and procedural controls to
manage hazards – has the greatest benefits early in process development. However, there are
opportunities for application of inherently safe principles throughout the process life cycle. The
term “inherently safe design” is relatively recent, but many of its principles have been a part of
good engineering design for many years. This insight describes an early example of the
application of inherently safer design principles, and then focuses on opportunities for enhancing
the inherent safety of chemical plants during detailed design. In particular, the relationship
between plant reliability and inherent safety is emphasized. A reliable plant is inherently safer,
and design features that enhance reliability will generally also enhance safety.
On Tuesday April 3, 1866, a massive explosion destroyed the steamship European while it was
being unloaded at the port of Aspinwall on the Caribbean coast of the Isthmus of Panama. The
European was carrying 70 crates of nitroglycerine, which were being shipped to California for
use in mines and construction. More than 50 people were killed and a nearby ship, as well as all
of the buildings near the waterfront, were badly damaged.
On April 15, 1866, another explosion destroyed a freight office of the Wells Fargo Co. in
downtown San Francisco, killing 15 people and destroying several buildings, including the
freight office, the Union Club, an assay office and the waterworks office. Two damaged crates of
Another nitroglycerine explosion killed six laborers on April 17, 1866, in the Sierra Nevada,
where the Central Pacific Railroad was working its way through the mountains on its way to
becoming the western section of the first transcontinental railroad in the United States. The
railroad was having an extremely difficult time blasting its way through the hard granite of the
Sierra Nevada, and was experimenting with nitroglycerine, which was estimated to be eight
times more powerful than the black powder previously used.
Following this series of disasters, California authorities quickly passed laws that forbade the
transportation of nitroglycerine through San Francisco and Sacramento, making it virtually
impossible to use the material for construction of the Central Pacific Railroad. The railroad
desperately needed the explosive to maintain its construction schedule in the mountains.
Fortunately, a British chemist, James Howden, approached Central Pacific and offered to
manufacture nitroglycerine at the construction site. This is an early example of an inherently safe
design principle – minimize the transport of a hazardous material by in situ manufacture at the
point of use. While nitroglycerine still represented a significant hazard to the workers who
manufactured, transported and used it at the construction site, the hazard to the general public
from nitroglycerine transport was eliminated. At one time, Howden was manufacturing 100
pounds of nitroglycerine per day at the railroad construction sites in the Sierra Nevada. Central
Pacific Railroad continued to use nitroglycerine with no further fatalities directly attributed to
use of the explosive during the Sierra Nevada construction. 1
Clearly, by today’s standards, little about 19th Century railroad construction would qualify as
safe, but the in situ manufacture of nitroglycerine by Central Pacific Railroad did represent an
advance in inherent safety for its time.
A further, and probably more important, advance occurred in 1867 when Alfred Nobel invented
dynamite by absorbing nitroglycerine on a carrier, greatly enhancing its stability. This is an
application of another principle of inherently safer design – to moderate, by using a hazardous
material in a less hazardous form.
The examples discussed in this insight generally fall into the “simplify” strategy. Design
improvements intended to improve plant reliability will simplify plant operations by reducing the
frequency of startup and shutdown, whether planned for anticipated maintenance or repair, or
unplanned due to the sudden failure of a piece of equipment that causes a plant shutdown.
Improved reliability decreases plant and process risks. Equipment failure increases risk in several
ways:
• Directly, by the immediate consequences of the equipment failure, such as leaks and spills;
• Indirectly, by disabling protective systems that may not be available when needed (for
example, alarms and interlocks, sprinkler systems, relief valves); and
• Indirectly, by increasing the amount of time that a plant or process spends in “higher risk”
phases of operation, such as planned startup and shutdown, unplanned and unanticipated
shutdown and “hardship” operation with equipment out of service.
Similarly, design of inherently more reliable protective equipment, design of plant systems
conducive to regular testing of protective equipment, and design of systems in which normal
process operations verify correct operation of some components of protective systems, clearly
improve plant safety. The third item postulates that a plant that spends a greater portion of time
operating at steady state, producing quality product and profits for the owner, is also a safer
plant.
Most process engineers have an intuitive feeling that a continuous plant is more likely to
experience a safety or environmental incident during startup or shutdown than during routine,
steady state continuous operation. We have confirmed this intuitive understanding of continuous
plant risk in several chemical process quantitative risk analysis (CPQRA) studies for a variety of
types of continuous plants.
For example, Plant A consists of a continuous-stirred tank reactor (CSTR) and its associated feed
and downstream processing vessels. The reaction is highly exothermic and is capable of
generating a large amount of gas and pressure if not properly controlled. A CPQRA of the
system identified two primary runaway reaction scenarios, and both are dominant contributors to
total risk. Figure 1 shows the portion of time the plant spends in startup and shutdown mode;
about 2 percent of the time for each. Figure 1 also shows the two dominant contributors to total
risk for startup, continuous operation and shutdown. Clearly, the contribution to total risk of the
startup and shutdown phases of operation is disproportionately high.
Plant B consists of a continuous gas phase reactor and its associated feed and downstream
treatment systems. Again, the reaction is highly exothermic and the gas being processed is highly
flammable. Figure 2 shows the portion of time Plant B spends in startup, continuous operation
and shutdown, along with the two dominant risk scenarios for this plant. As with Plant A, the
startup and shutdown phases of operation contribute disproportionately to total risk.
Figure 2 — Risk Contribution for Startup, Normal Operations, and Shutdown for Plant B.
Obviously, business managers will find this desirable because the plant will be operating and
producing product rather than being shut down for repairs. Operators realize benefits because
there is a lot more work involved in starting up a plant and shutting it down compared to
maintaining the plant in routine continuous operations. Mechanics and other maintenance staff
will be able to spend time doing planned and scheduled maintenance tasks rather than rushing
about trying to react to the latest failure and scrambling to get the plant back on line. Perhaps the
only people not likely to be pleased with this solution are the outside contractors because the
plant will no longer require the services of contract personnel to perform emergency
maintenance.
Pumps. When specifying a pump, the design should be robust enough to allow the pump to
deliver the required flow rate over a wide range of operating conditions. In particular, the pump
should be insensitive to variation in the downstream pressure. Variations may be caused by
fouling or plugging of pipes, valves stuck in a partially open position, failure of control valves or
operator error in setting manual valves.
Perhaps the material being pumped is a critical reactant to the CSTR in Plant A, Figure 1. If the
flow drops below the critical value, the plant may have to be shut down because of product
quality or safety problems.
Compressors. Similar attention to performance curves also can improve the reliability of a
compressor design. Vendors provide this information for a good reason and it is up to the plant
designer to use the available data to specify a robust design that will provide acceptable
performance over a wide range of operating conditions. Again, perhaps the compressor is a
critical piece of equipment for plant operability or safety. For example, it might be the
refrigeration compressor for the brine supply to a reactor with a highly exothermic reaction.
Fans. The selection of fan type can impact the robustness of a design. There also is the potential
for the fan to trip out due to high power draw for the fan motor. The power draw for a radial
blade fan increases as downstream dampers are opened, possibly reaching a point where the
motor could trip due to high power. A fan with backward curved blades has a maximum possible
power draw, making it possible to design the system so the fan cannot trip due to high power.
Vessel Design. Many years ago, emergency relief systems from reactors and other vessels
discharged directly into the atmosphere, usually through a stack or to a building roof where
These systems are expensive to build and operate and can never be considered 100 percent
reliable. Because they are emergency systems, which do not operate when the plant is
functioning properly, failures may be hidden, detectable only by testing and other preventive
maintenance programs. In many cases, it may be possible to eliminate the need for complex
emergency relief and effluent treatment systems by building a stronger reaction vessel, as shown
in Figure 4.
If the vessel can be designed with enough strength to contain the maximum pressure from the
worst credible runaway reaction event, the emergency relief system might be eliminated or
greatly simplified and remain in compliance with code and regulatory requirements. Of course, if
this strategy is adopted, it is absolutely essential that the design engineers fully comprehend
potential chemical reactions that can occur with extreme conditions of temperature and pressure
resulting from a runaway reaction. Experimental data for all credible runaway scenarios must be
available to confirm the maximum runaway pressure and temperature.
Figure 3 — A Complex Emergency Relief System for a Batch Reactor with a Potential
Exothermic Runaway Reaction.
(Note: It is essential that the chemistry, kinetics, thermodynamics, maximum temperature and
maximum pressure for the runaway reaction are thoroughly understood to properly design the
reactor.)
In order to avoid over-pressurization due to gas and heat generation from solid packing material,
the column in Figure 5 must always be lined up either to the process flow (which will carry the
gas and heat away) or vented to a collection and treatment system if the column is taken off-line.
Use of a three-way valve, designed to always be open to at least one of the flow paths (either to
the process flow or to the vent system), will ensure that the column cannot be blocked in. In
order to close the process feed valve, the vent valve must be opened.
HUMAN FACTORS
Attention to human factors can have a large impact on inherent safety and plant reliability. The
impact of design on a person’s ability to operate equipment correctly and safely has been
recognized for a long time. In 1828, the pioneering railway engineer Robert Stephenson stated the
basis of his design policy in improving the newly developed steam locomotive when he said that
his father, George Stephenson, “…has agreed to an alteration which I think will considerably
reduce the quantity of machinery as well as the liability to mismanagement. Mr. Jos. Pease writes
my father that in their present complicated state they cannot be managed by ‘fools,’ therefore
they must undergo some alteration or amendment.” (Reference 3)
Today, most of us would not agree with Stephenson’s characterization of early locomotive
drivers as “fools,” but rather recognize their behavior as typical for most people most of the time.
We are unlikely to be successful in redesigning people, so a more effective approach is to design
equipment and systems to be tolerant of human error.
Logical layout of controls and equipment is critical. Figure 6 shows the control and equipment
layout for an actual plant that was shut down a number of years ago. This design creates the
potential for a high frequency of errors due to improper identification of equipment.
Reference 2 illustrates many more examples of human factor considerations in design.
Robustness of the plant design impacts how quickly an operator must be able to diagnose and
correct the cause of an abnormal situation before the plant shuts down or moves into an unsafe
state. For example, a sensitive pump and compressor design will bring the plant to a
shutdown state much more quickly in an adverse event, which requires more rapid operator
diagnosis and response. The operator is much more likely to be able to correctly diagnose the
problem if he has more time, as shown by the data in the following table.
Design engineers must pay attention to human factors with respect to plant layout and also with
respect to maintenance of process equipment. Maintenance tasks that are extremely difficult are
much less likely to be accomplished.
Paying attention to design details when laying out a plant can have a major impact on plant
reliability and safety. It is hard to establish a set of rules depicting a “good design,” but a
thorough review of a design by engineers, operators and mechanics, using their own experience
and common sense, might identify design problems such as those in the following examples:
• Flammable and reactive additives in small containers are stored directly below an
important instrument cable tray. The plant designer did not provide appropriate storage
for these materials near the point of use.
• Instrument lines are prone to filling up with condensate. Clearly somebody realized this
and provided drains, but does anybody ever drain the condensate?
• A conduit enters the top of a junction box, possibly allowing water to get in. The conduit
should enter the bottom of the box.
Attention to design details can enhance safety. In a situation where all nitrogen connections to a
reactor originate from a supply through a flexible hose that passes across the reactor manway, it
is not possible to open the manway without physically disconnecting the nitrogen from the
reactor. Of course, this does not guarantee that the reactor atmosphere is safe for entry, but it
does positively eliminate one hazard when the reactor is entered.
Many tools are available for detailed review of a plant design. These tools should be applied
early in detailed design so that any improvements and modifications can be easily and
economically implemented. We have found that a combined Hazard and Operability and Reliability
CONCLUSIONS
A process design engineer often is presented with the need to provide a detailed design for a
plant that has a predetermined basic process technology. Although a different manufacturing
technology is not an option, the design engineer has many opportunities to enhance the inherent
safety of the technology that has been selected. In particular, he must pay attention to the
inherent reliability and user friendliness of the plant. Plant startup and shutdown tend to have a
disproportionately large contribution to the total risk of operation. A more reliable plant design
will minimize the number of startups and shutdowns, minimizing the risk from these unsteady
state operations while improving plant economics and operability. Examples of the major
contribution of startup and shutdown to overall plant operating risk have been presented. Also, a
number of specific examples of how detailed plant design can impact reliability and safety have
been discussed. Incorporating reliability and inherent safety principles into a plant design
requires painstaking attention to details of the design, including thorough review by a
multidisciplinary team of process and equipment experts.
REFERENCES
1. Bain, D.H. Empire Express: Building the First Trans-continental Railroad. Viking: New
York, 1999.
2. Center for Chemical Process Safety (CCPS). Inherently Safer Chemical Processes: A Life
Cycle Approach, ed. D.A. Crowl. New York: American Institute of Chemical Engineers,
1996.
3. Rolt, L.T.C. The Railway Revolution: George and Robert Stephenson. New York: St. Martin’s
Press, 1960, p. 147.
4. Swain, A.D., and H.E. Guttmann. Handbook of Human Reliability Analysis with Emphasis
on Nuclear Power Plant Applications (Final Report). Washington, D.C.: United States
Nuclear Regulatory Commission, NUREG/CR-1278-F, August 1983.
5. Hendershot, D.C., R.L. Post, P.F. Valerio, J.W. Vinson, and D.K. Lorenzo. “Let’s Put the
‘OP’ Back in ‘HAZOP’.” International Conference and Workshop on Reliability and Risk
Management, September 15-18, 1998, San Antonio, TX, 153-167. New York: American
Institute of Chemical Engineers, 1998.
The rules in Part UW of ASME Section VIII are applicable to pressure vessels and vessel parts
that are fabricated by welding and shall be used in conjunction with the general requirements in
Subsection A (general requirements) and with the specific requirements in Subsection C that pertain
to the class of material being used.
Subsection C (e.g., Part UCS – Carbon and low alloy steels) contains details on material scope,
properties, shapes, design, and post weld heat treatment. The condition of various materials used
for welded structures will affect the overall quality. Welding inspectors cannot evaluate a welded
structure without information from the designer or the welding engineer regarding weld quality.
The inspector also needs to know when and how to evaluate the welding.
To satisfy this need, there are numerous documents available to the designer, welding engineer
and welding inspector that state what, when, where, and how the inspection is to be performed.
Many of these documents also include acceptance criteria. They exist in various forms depending
upon the specific application. Some of the documents that the welding inspector may use include
drawings, codes, standards, and specifications. Contract documents or purchase orders may also
convey information such as which of the above documents will be used for that job. In the case
where more than one of the above are specified, they are intended to be used in conjunction with
each other. Job specifications may include supplemental requirements altering portions of the
governing code or standard.
DRAWINGS
Drawings describe the part or structure in graphic detail. Drawing dimensions, tolerances, notes,
weld and welding details, and accompanying documents should be reviewed by the inspector.
This gives the welding inspector some idea of the part size and configuration. Drawings also help
the inspector understand how a component is assembled, and they can assist in the
identification of problems that could arise during fabrication.
Tolerances are also applied to location dimensions for other features such as holes, slots,
notches, surfaces, welds, etc. Generally tolerances should always be as large as possible, all other
factors considered, to reduce manufacturing costs. Tolerances may be very specific and given
with a particular dimension value. They may also be more general and given as a note or
included in the title block of the drawing. General tolerances will apply to all dimensions in the
blueprint unless otherwise noted. Tolerances give the CWI some latitude in terms of
acceptance/rejection during size inspections of welds and weldments.
Notes can be classified as General, Local or Specifications depending on their application on the
blueprint. General Notes apply to the entire drawing and are usually placed above or to the left of
the title block in a horizontal position.
Specifications presented as local notes will denote materials required, welding processes to be
used, type and size of electrodes, and the kind and size of the welding rod. Specifications are
located near a view when they refer specifically to that view.
CONTROL OF MATERIALS
Materials for welded fabrication are often ordered with the stipulation that they meet a particular
standard or specification. To demonstrate this compliance, the supplier can furnish
documentation that describes the important characteristics of the materials. This documentation
for metals is sometimes referred to as an “MTR”, which is the abbreviation for Material (or Mill)
Test Report, or “MTC”, which is the abbreviation for Material (or Mill) Test Certificate.
The inspector may be involved with the total material control system or just a particular aspect,
such as the identification of materials for procedure qualification.
There are several effective ways to maintain the necessary traceability of materials. Depending
on the degree of control required, and the number of different types of material expected, a
company can develop a system, which meets their particular needs. If only two or three different
types of material will be encountered, a simple system of segregation, or separation, might be
sufficient. This method simply requires that individual types of material are stored separately.
This separation could be achieved by using specially marked racks or by keeping different types of
materials in separate areas of the fabrication facility.
Another effective way of maintaining control is accomplished with a color coding system.
Individual types or grades of material are assigned a particular color marking with this approach.
Upon material receipt, someone is responsible for marking each piece with the proper color.
Color-coding aids material identification during later fabrication steps. A note of caution with
color coding: the color ‘fastness’, or longevity, must be considered since many colored marking
materials may change color when exposed to sunlight or weather conditions.
Another method of material control is the use of an alphanumeric code. It is certainly possible to
maintain a material’s traceability by transferring its entire identification information to the piece.
However, this information can be quite extensive and require a considerable amount of time and
effort. The use of alphanumeric codes can eliminate the need to transfer all the information such
as type, grade, size, heat number, lot number, etc. on each piece.
A final method to be discussed is the ‘bar code’ system that can be automated and is very
effective for both material control and inventory control. This system uses a group of short,
vertical lines of varying widths as the marker on the material. These bar codes can be applied
manually in the field, or automatically in the manufacturing system.
ALLOY IDENTIFICATION
Alloy identifications are usually developed by industry associations such as the Society of
Automotive Engineers (SAE), the American Iron and Steel Institute (AISI), and the Copper Development
Association (CDA). Alloy identification systems were created to assist those working within a
particular industry, and often with little regard to industries outside their sphere of influence.
Thus, the alloy specifications developed by these different associations often overlapped or even
used identical alloy designations for completely different alloys, leading to confusion or even
mistakes in alloy usage.
The ‘Unified Numbering System’ (UNS) was developed in 1974 to help interconnect many
nationally used numbering systems that are currently supported by societies, trade associations,
and individual users and producers of metals and alloys. The UNS is a means to avoid confusion
The standard practice initiated by the Unified Numbering System aids the efficient indexing,
record keeping, data storage, retrieval and cross referencing of metals and alloys. The system is
not, however, a specification regarding form, condition, quality, etc., of the materials covered. It
is for basic identification purposes only.
The UNS was devised to assign alphanumeric designations for each family of metals and alloys,
considered as having a “commercial standing”, or “production usage.” This information is found
in the SAE HS-1086/ASTM DS-56 E, Metals & Alloys in the Unified Numbering System, (a joint
publication by both organizations).
As shown in the table below, welding filler metals have been divided into a secondary series of
numbers within the primary UNS classification. The reader should note, however, that this list is
for filler metals as defined by chemical composition and the list should not be confused with the
AWS designation ‘E’ for electrode in its classification of welding electrodes based on weld
deposit.
The welding inspector is sometimes required to compare actual material properties with the
requirements of the specified material specification. ASTM has developed numerous material
specifications; those referring to metals contain much the same types of information. To become
familiar with what type of information is provided, as well as how it is presented, a typical steel
specification will be discussed.
For this example, the ASTM specification A514, “Standard Specification for High Yield
Strength, Quenched and Tempered Alloy Steel Plate, Suitable for Welding” will be used to
illustrate some of the details which may be included in a typical steel specification.
Scope. This statement explains exactly what is to be described by the specification. That is, it
defines the limits of the specification’s coverage.
Applicable Documents. This is a listing of other documents that may be referred to within the
text of the specification.
General Requirements for Delivery. Here, there is a statement regarding the required condition
of the material if ordered to comply with this specification. Steel specifications will normally
refer to ASTM A6 instead of including all of those requirements in each individual specification.
Heat Treatment. For alloys requiring some heat treatment, the details of that treatment will be
stated.
Chemical Requirements. This statement simply refers you to a table that lists the actual
chemical composition requirements. It is important to note that several grades will usually be
listed, and each grade has a separate required chemical composition.
Brinell Hardness Requirements. For materials requiring Brinell hardness testing, the extent
and requirements are stated.
Test Specimens. Any information relating to the location, preparation and treatment of test
specimens is stated here.
Number of Tests. The number of test specimens required to show compliance is stated.
Retest. This paragraph describes what procedures will be followed if any of the test specimens
fail.
Supplemental Requirements. Any additional details that may be required by the purchaser are
stated. These are not considered to be requirements unless so stated by the purchaser.
Part of every major welding project, whether completed in the shop or field, is the qualification
of welding procedures and welders, or welding operators. It is one of the most important
preliminary steps in the fabrication sequence. Too often projects are begun without the benefit of
proven welding procedures and personnel. This can result in excessive reject rates in production
due to some unsuspected deficiency in the technique, materials or operator skill.
During the performance of this qualification testing, the welding inspector may become
involved. Individual company structures will dictate the degree of involvement in this process.
Some codes require that the welding inspector witness the actual qualification welding and
testing. Consequently, the welding inspector should be aware of the various steps in the
qualification of welding procedures and welding personnel.
Most codes place the burden of responsibility for qualification on the fabricator or contractor.
Therefore, welding qualifications are statements by that company that the welding procedures
and personnel have been tested in accordance with the proper codes and specifications and found
to be acceptable.
PROCEDURE QUALIFICATION
The very first step in the qualification process is the development of the welding procedure, and
its performance within the procedure qualification. This must precede both the welder
qualification and the production welding because it will determine if the actual technique and
1. Base metal(s)
2. Weld or braze filler metal(s)
3. Process(es)
4. Techniques.
You will note that there is no mention of the skill level of the welder who performs the
qualification test. Although most codes will consider the welder who performs the welding to be
automatically qualified, the procedure qualification is not meant to specifically judge the
welder’s ability. Even though each code handles the qualification of welding procedures slightly
differently, the general intent is the same.
There are three general approaches to procedure qualification. These include prequalified
procedures, actual procedure qualification testing, and mock-up tests for special applications.
The mock-up tests may simply be used to supplement the other more standard methods of
procedure qualification.
AWS D1.1 recognizes four welding processes as being prequalified, including shielded metal arc
(SMAW), submerged arc (SAW), flux cored arc (FCAW), and gas metal arc (GMAW) except
short circuiting transfer. In the ASME system, these essential variables must be stated on a
Welding Procedure Specification (WPS). It will list the total ranges of each of the essential
variables. Since these ranges may exceed the limits for various essential variables, numerous
qualification tests may be required for full coverage. The actual test conditions are recorded on a
second document, the Procedure Qualification Record (PQR). Consequently, there may be
numerous PQRs referencing a single WPS.
WELDER QUALIFICATION
Once the procedure has been qualified, it is of no use until individual welders have been
qualified to perform welding in accordance with that procedure.
With some processes, requalification may be required if there is a change in the type of electrode
specified. Normally, qualification with an electrode of a higher number group will automatically
qualify that welder for welding with any electrode of a group bearing a lower number. Therefore,
a qualification test performed with an E7018 electrode, which is in Group F4, will provide the
welder with qualification coverage for all carbon steel SMAW electrode types.
The specific welding technique used is also considered to be an essential variable for welder
qualification. Changes in such details as the direction of welding for the vertical position (i.e.
uphill or downhill) will require additional qualification testing. Other typical technique related
essential variables may include changes in the process, position, base metal type, base metal
thickness, and tubing diameter.
To summarize the above, the general sequence for the qualification of a welder is:
The qualification of individual welders provides the manufacturer or contractor with personnel to
perform the production welding in accordance with qualified procedures.
SUMMARY
Documents represent one side of the inspection equation. The other is, of course, the inspector,
whose function is to establish product or piece part quality. Traditionally, inspection is viewed as
a post production activity. Welding inspection is significantly different. Welding inspection
embodies activities taking place before, during and after welding. Welding inspection is thus
both predictive and reactive.
Quality is, by definition, conformance to “specification”. As has been shown herein, the term
“specification” may in fact refer to job or contract-invoked provisions embodied in:
• Drawings
• Codes
• Standards
• Specifications
Drawings give details of item size, form and configuration. Codes, Standards and Specifications
give details of design, materials, methods and quality requirements to be satisfied. Included in
the methods are the welding procedures and the skill of welding personnel; the qualification of
which may well also involve the welding inspector.
Based on the concept of predictive action, welding inspection ideally covers all activities where
the problems may develop. As such, welding inspection and the documents setting out specific
requirements are concerned with:
The welding inspectors’ ability to read, interpret, and fully understand the applicable
documentation is basic to successful welding inspection.
WELDING
Welding is the art and science of joining metals by use of adhesive and cohesive attractive forces
between metals. Welding, brazing, and soldering produce metallurgical bonds. Both process
metallurgy and physical metallurgy are involved in welding. Welding has been compared to a
series of metallurgical operations involved in metal production like steelmaking, which are
performed in rapid succession and on a minimum scale.
A volume of molten metal is formed (cast) within the confines of a solid base metal (mold). The
base metal may have been preheated to retard the cooling rate of the weld joint just as casting
molds are preheated to slow down cooling. Upon solidification, the weld deposit or nugget
(ingot) may be placed in service in the as-welded (as-cast) condition or may be peened or worked
(wrought).
Welding involves comparatively small masses which are heated very rapidly by intense heat
sources and which cool rapidly because of the large surrounding mass of colder base metal.
Equilibrium conditions are seldom seen in conventional welding operations and welding
conditions represent a great departure from equilibrium. That is why weld zones often display
unusual structures and properties.
After a weld is made, postweld heat treatment may be required to alter the unusual structure and
properties produced by the rapid cooling. Treatments to soften the weld zone (annealing) or
complete hardening and tempering operations can be performed to obtain weld zone properties
which are equal to those in the base metal.
Unusual combinations of time and temperature are generated by the welding process. The
temperature changes during welding are wider and more abrupt than in any other metallurgical
process. The use of working and heat treatment to restore optimum properties is usually
restricted in the case of welded structures.
The following points are important for evaluating the thermal effects of welding:
• Rate of heating
• Length of time at temperature
• Maximum temperature
• Rate of cooling
• Cooling end-point
Heat will move from one area to another whenever there is a difference in temperature. Heat
transfer occurs in three ways:
The difference in temperature per unit distance is called the temperature gradient. Welding
involves very steep temperature gradients between the heat source and the work and within the
work piece itself. Welding generally involves heat transfer through conduction.
RATE OF HEATING
The rate of heating of a work piece that is being welded on depends on how hot the heat source is
and how efficiently the heat is transferred to the work. A higher temperature at the source means a
steeper temperature gradient between it and the work and so the heating rate should be faster.
In gas welding, the heat is generated in the flame and the gas molecules transfer their thermal
energy to the metal. In arc welding, much higher heating rates are encountered. The arc
temperature is much higher than that of an oxyacetylene flame (10,000°F compared to about
5000°F). In addition, the arc is kept in intimate contact with the base metal so there is efficient
transfer of the heat.
MAXIMUM TEMPERATURE
More heat is required to melt a given amount of metal than would appear from the mass of metal
involved because once the temperature is raised in one spot, it rises in all adjacent regions. So the
heat of welding must be sufficient to not only melt the metal required for welding but also to heat
the surrounding metal. Slower heat input rates result in greater amounts of heat required above
the amount necessary to just melt the metal.
HEAT GENERATION
In arc welding, some of the heating of the material occurs through resistance to the passage of
current through the material as it returns via the ground connection, but the majority of heat is
produced by the arc.
The heat output of an arc is approximately equal to arc voltage x arc current x time in seconds
that the arc burns. For example, a covered electrode arc operating at 35 volts and 150 amps
liberates 35 x 150 = 5250 joules every second. This is equivalent to melting 0.02 pounds of steel
in a second.
The energy output that enters the metal ranges from 20% to 75%, depending on other welding
conditions, such as travel speed.
TEMPERATURE DISTRIBUTION
Since metals are good heat conductors, the atoms in metal pass heat along to neighboring atoms
very readily.
The temperature distribution is actually occurring over a cross section that is constantly changing
as the heat source moves along the weld.
TIME AT TEMPERATURE
The length of time at a maximum temperature depends on maintaining an even balance between
heat input and heat loss. In most welding operations, this balance exists for only a very short
period of time.
COOLING RATES
Cooling rates are even more important than heating rates in welding. Three features of the weld
have the most profound effect on cooling rate:
High current, high-speed welds cool more slowly than low current, low speed welds. Increased
heat-input results in slower cooling rates if other factors are held constant.
The mass of metal in the work piece, previously deposited weld metal, fixtures, chill bars, etc. all
act as heat sinks around the weld nugget.
Even with the same plate thickness, the mass of metal around the weld bead can be changed by
depositing the bead on the edge of the plate or in an angle between two plates. The heat supplied
to the edge bead can only flow in one direction while the heat in the fillet weld can flow into
both plates.
Only the volume of metal within a 3-inch radius of the weld affects the cooling rate through the
important temperature ranges. Base metal further away only affects the cooling rate through low
temperature levels.
PREHEATING
Preheating involves welding on plates that have been heated to an elevated temperature to reduce
the cooling rate by lowering the temperature gradient. In multiple bead welds, the succeeding
beads may be deposited on metal that has been preheated by the preceding beads.
The faster the weld metal is cooled, the greater tendency it has to undercool and the grain size of
the solidified weld is smaller. Faster cooling rates also favor the formation of trapped slag
inclusions and gas blowholes. Because of the allotropic changes that occur in steel, the cooling
rate below 1650°F influences the structure.
WELDING PROCESSES
Arc welding power supplies reduce the high line voltage to a suitable output voltage range (20 to
80 volts). Transformers, solid state inverters or motor-generators are used. The same device then
supplies the high welding current (30 to 1500 amps) in either AC or DC or both.
Coalescence of metals is produced by heat from an electric arc that is maintained between the tip
of the covered electrode and the surface of the base metal in the joint being welded. The covered
electrode consists of a core rod which conducts the electric current to the arc and provides filler
metal for the joint. The electrode covering acts to provide arc stability and to shield the molten
metal from the atmosphere with the gases created during heating and decomposition of the
covering.
Welding commences when an electric arc is struck between the tip of the electrode and the work.
The intense heat of the arc melts the tip of the electrode and the surface of the work close to it.
Tiny globules of molten metal form on the electrode tip and then transfer through the arc stream
into the molten metal that is forming the weld pool.
An arc is established between a nonconsumable tungsten electrode and the weld pool. Shielding
gas is used and the filler metal may or may not be added. Shielding gas is fed through the torch
to protect the electrode, molten weld pool, and solidifying weld metal from contamination by the
atmosphere. The electric arc is produced by the passage of current through the conductive
ionized shielding gas. The arc is established between the tip of the electrode and the work. Heat
generated by the arc melts the base metal. If filler wire is used, it is added to the leading edge of
the weld pool to fill the joint.
An arc is maintained between a continuous filler metal electrode and the weld pool. Shielding is
obtained from a flux contained within the tubular electrode and additional shielding may be
supplied from an externally supplied gas.
The flux cored electrode is a composite tubular filler metal electrode with a metal sheath and a
core of various powdered materials. An extensive slag cover is produced during welding.
Self-shielded FCAW protects the molten metal through the decomposition and vaporization of the
flux core by the heat of the arc. Gas shielded FCAW uses a protective gas flow in addition to the
flux core action.
An arc between a bare metal electrode and the work accomplishes heating. The arc and molten
metal are “submerged” in a blanket of granular fusible flux on the work. The filler metal is
obtained from the electrode and sometimes from a supplemental source such as welding rod or
metal granules.
The flux’s main role is to stabilize the arc, determine the mechanical and chemical properties in
the weld deposit, and maintain quality of the weld.
SAW is a versatile, commercial production welding process capable of making welds with
currents up to 2000 amps using single or multiple wires or strips of filler metal.
Electroslag Welding (ESW) - A molten slag melts the filler metal and the surfaces of the work
pieces to be joined. The weld pool is shielded by this slag, which moves along the full cross
section of the joint as welding progresses. After the arc is initiated, it heats the granulated flux
and melts it to form the slag. The arc is then extinguished by the conductive slag, which is kept
molten by its resistance to the electric current passing between the electrode and the work pieces.
ESW produces extremely high deposition rates and is capable of welding very thick material in
one pass. There is minimum joint preparation and materials handling. Welding distortion is also
minimized.
Stud welding - Stud welding is a general term for joining a metal stud or similar part to a metal
work piece. Welding can be done with many processes such as arc, resistance, friction, and
percussion.
Arc stud welding joins the base (end) of the stud to the work piece by heating the stud and the
work with an arc drawn between the two. When the surfaces to be joined are properly heated,
they are brought together under low pressure. Capacitor discharge stud welding is performed with
heat derived from the rapid discharge of electrical energy stored in a bank of capacitors.
Plasma Arc Welding (PAW) produces heat between an electrode and the work piece by heating
them with a constricted arc. Shielding is obtained from hot ionized gas issuing from the torch. A
supplementary shielding gas is usually provided. The constricted gas flow differentiates PAW
from GTAW. The plasma issues from the nozzle at about 30,000°F and allows for better
directional control of the arc and smaller heat affected zones. The major disadvantage of PAW is
high equipment expense.
Oxyfuel Gas Welding (OFW) - In OFW, base metal and filler metal are melted using a flame
which is produced at the tip of a welding torch. Fuel gas and oxygen are combined in a mixing
chamber and ignited at the tip. An advantage of OFW is the independent control the welder has
over the heat and the filler metal and so it is commonly used for repair welding and for welding
thin sheet and tubing. Equipment is low cost, portable, and versatile. Cutting attachments,
multiflame heating nozzles, and other accessories are available. Mechanized cutting operations
are easily set up.
Brazing and Soldering - Brazing joins materials by heating them in the presence of filler metal
having a liquidus above 840°F but below the solidus of the base metal. Soldering follows the
same principles as brazing except that the filler metal liquidus is below 840°F. The filler metal
distributes itself between the closely fitted surfaces of the joint by capillary action.
Because of the unavoidable heat effects that always accompany welding, dimensional changes
will occur. However, they can be minimized and often one condition can be used to counteract
another.
Weld metal shrinks upon solidification but this has little to do with the distortion problem in
welding. During solidification, as the atoms of iron in the melt assume the fixed positions in the
crystal lattice of growing solid grains, the coupling of the liquid and solid is very weak. So the
weld metal cannot exert much stress on the adjacent base metal members. Solidification
shrinkage accounts for dishing or deformation in the weld metal. It cannot, however, generate
Immediately following solidification however, the cooling weld metal continues to contract. This
thermal contraction generates stresses up to the yield strength of the material at that temperature
in the cooling cycle.
Residual stress is the internal stress that remains in a member of a weldment after a joining
operation. Residual stresses are generated by localized partial yielding during the thermal cycle
of welding and the hindered contraction of these areas during cooling.
Structure stress arises from grain boundaries, crystal orientations, and phase transformations in
small volumes of weld metal.
Reaction stress is an internal stress, which exists because the members are not free to move.
Stress concentration refers to the increased level of stress, which develops at abrupt changes in
section such as sharp corners, notches, cracks.
A weld is rapidly deposited along the edge of two pieces of metal as shown. The entire weld
zone is still at a high temperature when the weld is completed.
At high temperature, the metal close to the weld attempts to expand in all directions. It is
prevented (restrained) by the adjacent cold metal.
Because it is being prevented from elongating, the metal close to the weld is upset.
During cooling, the upset zone attempts to contract. Again, it is restrained by the cold metal. As
a result, the upset zone becomes stressed in tension.
When the welded joint has cooled to room temperature, the weld and the upset region close to it
are under residual tensile stresses close to the yield strength.
To balance the tensile shrinkage stresses at the edge, there must be a region of tensile shrinkage
stresses at the opposite unwelded edge and a region of compressive stresses between the two
tensile zones.
Residual Stresses
If the load does cause a small amount of plastic strain in highly stressed areas, then the peak
stresses in those areas will be reduced. Stress relief heat treatment may dissipate residual
stresses.
SHRINKAGE OF WELDMENTS
Shrinkage perpendicular to the long axis of a weld is called transverse shrinkage. It is primarily
dependent on the cross-section of the weld metal in the joint as well as the thickness of the joint.
Longitudinal shrinkage is proportional to the length of the weld. Longitudinal shrinkage is also a
function of the weld cross-section and the cross-section of the surrounding colder base metal
which resists the expansion and contraction forces of the heated weld and base metal.
DISTORTION OF WELDMENTS
The localized area along which the arc or heat source passes is the starting point of a distortion
problem. The temperature differential between the weld zone and the unaffected base metal is
great and much localized expansion and plastic flow take place here. Restraint from clamping
and mass influences the extent of plastic flow.
§ Angular
§ Longitudinal
§ Buckling
Quality means that a weldment is: (1) Adequately designed to meet the intended service for the
required life, (2) Fabricated with specified materials and in accordance with design concepts, (3)
Operated and maintained properly. Quality is a relative term, so different weldments and
Discontinuities may be related to the welding procedure and process, design, or metallurgical
behavior. Process, procedure, and design discontinuities affect the stresses in the weld or heat
affected zone (HAZ). Metallurgical discontinuities may also affect the local stress distribution
and may also alter mechanical or chemical (corrosion resistance) properties of the weld or HAZ.
Discontinuities may amplify stresses by reducing cross-sectional area. The more serious effect
though is stress concentration – stresses are concentrated at notches, sharp corners, and
(especially) cracks. Discontinuities should be considered in terms of: (1) Size, (2) Acuity or
sharpness, (3) Orientation with respect to the principal working stress, and (4) Location with
respect to the weld, joint surfaces, and critical sections of the structure.
Porosity
Porosity is the result of gas being entrapped in solidifying weld metal and is generally spherical
but may be elongated. Uniformly scattered porosity may be distributed throughout single weld
passes or throughout several passes of a multipass weld.
Faulty welding technique or defective materials generally cause porosity. Cluster porosity is a
localized grouping of pores that can result from improper arc initiation or termination. Linear
porosity may be aligned along a weld interface, root, or between beads. It is caused by
contamination along the boundary.
Piping porosity is elongated and, if exposed to the surface, indicates the presence of severe
internal porosity. Porosity has little effect on strength, some effect on ductility, and significant
effect on fatigue strength and toughness. External porosity is more injurious than internal
porosity because of the stress concentration effects.
Inclusions
Slag inclusions are nonmetallic particles trapped in the weld metal or at the weld interface. Slag
inclusions result from faulty welding technique, improper access to the joint, or both. Sharp
notches in joint boundaries or between weld passes promote slag entrapment.
With proper technique, slag inclusions rise to the surface of the molten weld metal. Tungsten
inclusions are tungsten particles trapped in weld metal deposited with the GTAW process.
Dipping the tungsten electrode in the molten weld metal, or using too high current that melts the
tungsten can cause inclusions. The effect of inclusions is similar to that of porosity.
When the actual root penetration of a weld is less than specified, the discontinuity at the root is
inadequate penetration.
It may result from insufficient heat input, improper joint design (metal section too thick),
incorrect bevel angle, or poor control of the arc.
Some welding procedures for double groove welds require backgouging of the root of the first
weld to expose sound metal before depositing the first pass on the second side to ensure that there
is not inadequate joint penetration.
Cracks can initiate in the unfused area and propagate as successive beads are deposited. Cyclic
loading can cause catastrophic failures to initiate.
Undercut
Visible undercut is associated with improper welding techniques or excessive currents, or both. It
is parallel to the groove at the root or toes of the weld.
Undercut creates a mechanical notch at the weld joint line. In addition to the stress raiser caused
by the undercut notch, fatigue properties are seriously reduced.
Underfill
Underfill results from the failure to fill the joint with weld metal, as required. It is corrected by
adding additional layers of weld metal.
Overlap
Incorrect welding procedures, wrong welding materials or improper preparation of the base
metal cause overlap. It is a surface discontinuity that forms a severe mechanical notch parallel
to the weld axis. Fatigue properties are reduced by the presence of the effective crack.
Cracks occur when the localized stresses exceed the tensile strength of the material. Cracking is
often associated with stress amplification near discontinuities in welds and base metal, or near
mechanical notches associated with weldment design.
Hot cracks develop at elevated temperatures during or just after solidification. They propagate
between the grains. Cold cracks develop after solidification as a result of stresses. Cold cracks
are often delayed and associated with hydrogen embrittlement. They propagate both between and
through grains. Throat cracks run longitudinally in the face of the weld and extend toward the
root. Root cracks run longitudinally and originate in the root of the weld. Longitudinal cracks are
associated with high welding speeds (such as during SAW) or with high cooling rates and
restraint.
Transverse cracks are perpendicular to the weld and may propagate from the weld metal into the
HAZ and base metal. Transverse cracks are associated with longitudinal shrinkage stresses in
weld metal that is embrittled by hydrogen. Crater cracks are formed by improper termination of
the welding arc. They are shallow hot cracks.
Toe cracks are cold cracks that initiate normal to the base metal and propagate from the toes of
the weld where residual stresses are higher. They result from thermal shrinkage strains acting on
embrittled HAZ metal.
Underbead cracks are cold cracks that form in the HAZ when three conditions are met: (1)
Hydrogen in solid solution, (2) Crack-susceptible microstructure, (3) High residual stresses.
They cannot be detected by visual inspection and do not normally extend to the surface.
Cracking in any form is an unacceptable discontinuity and is the most detrimental type of
welding discontinuity. Cracks must be removed.
Surface Irregularities
Surface pores are caused by improper welding technique such as excessive current, inadequate
shielding, or incorrect polarity. They can result in slag entrapment during subsequent pass
welding.
Base metal properties such as chemical composition, cleanliness, laminations, stringers, surface
conditions, and mechanical properties can affect weld quality. Laminations are flat, elongated
discontinuities found in the center of wrought products such as plate. They may be too tight to be
detected by ultrasonic tests. Delamination may occur when they are subjected to transverse
tensile stresses during welding.
Lamellar tearing is a form of fracture resulting from high stress in the through-thickness
direction. Lamellar tears are usually terrace-like separations in the base metal caused by
thermally-induced shrinkage stresses resulting from welding.
Weld profiles affect the service performance of the joint. Unfavorable surface profiles on internal
passes can cause incomplete fusion or slag inclusions in subsequent passes.
BIBLIOGRAPHY
Quality Assurance personnel shall evaluate Contractor & Supplier compliance and
implementation of project specified requirements, through the use of pre-designated checklists.
The checklists are not to be considered all-encompassing but are intended to be a guide to the
areas of interest to be evaluated during QAS visits.
Quality Assurance representative will be responsible for sample checks of weld quality &
fabrication on the shop floor as well as radiographic film quality, interpretation & other NDE or
hydro, & heat treatment methods performed. Conduct QA Surveillance & submit report
accounting for tests and further submit detailed account of findings on checklists. Monitor
inspection levels & reporting defined in supplier documentation. Monitor supplier control of
non-conforming materials, equipment, & review schedule for slippage, potential or actual.
Provide verification of Contractor's implementation and compliance with project specified
SOURCE INSPECTION requirements. Provide evaluation of supplier implementation of project
specified requirements during fabrication & report on overall quality compliance as well as
unsafe work procedures.
Follow Up
Closed date
q Quality Plans Approved / Distribution q Completed PO q Drawing register q Approved welder qualifications
q ITPs Approved / Distribution q Deliverable listing q Latest drawings used q EPC register of welders
q Procedures finalized q Latest specifications q Controls for drawings q Contractor approved WPSs
q Source Inspection Plan for Sub-contracted q Data sheet approval q Pending approvals q PWHT / PQRs
work q Concessions q Drawing control q WPS in work area
q Third party ITP q Changes & deviations
q Procedures distribution
q Approvals
q Witness Hold point notification
q Number of visits by contractor
QAS 4.7: NDE MT, PT, Hardness Testing
QAS 4.8: Vessel Dimensional Control
QAS 4.9: Pressure Testing
QAS 4.10: Vessel Final Assembly
QAS 4.11: Final Assembly of Structural, Skid, & Pkg Units
QAS 4.12: FAT
q NDE certifications q Review reports q Final inspection completed q Installation of internals q Installation as per q Over-speed tests
q Methods q Sample check dimensions q Internals removed q Bolts & gaskets drawing q Electrical equipment heat
q Coverage & specifications q Attachment orientation q Procedure approved q Instrument & electrical q Spare parts run tests
q Equipment uses q Report signed off by EPC q Calibrated gages & recorder installation q Inspection completed q Impulse voltage tests
q Calibrations q Calibrated measuring q Safety valves q Completed inspection q Instrumentation q Electrical short circuit
q Cleaning of specimens / devices q Fill medium & increments rpts q Insulation tests
pre-test q Records q Component support q Hydro been completed q Grounding q Noise level tests
q Lighting q Hydro procedure q Visual acceptance by q Gaskets & Flanges q Instrument mechanical
q Repairs q Final reports EPC q Hydro tested run / dynamic tests
q Report q Internals installed q Welding completed q Calibration results test
q Workmanship q Vibration tests
q Motor tests
q Proof load tests
q Performance /
Acceptance tests
INTRODUCTION
The rules for the design and assembly of bolted joints given by the American Society of
Mechanical Engineers (ASME) Boiler and Pressure Vessel Code are often difficult to interpret.
Although relatively few rules apply to bolting and bolted joints, those that do apply are scattered
throughout the Code.
Designers and analysts who frequently utilize the Code become familiar with its requirements,
applications, and limitations. Plant engineers and maintenance supervisors, however, do not
routinely use the design sections of the Code, and sometimes have difficulty locating and
interpreting information it contains. In addition, designers and analysts may not always have
experience with field applications. This section will:
§ Discuss the theories, which relate the design, assembly, and performance of bolted joints.
§ Explore failure modes and practical applications of theories, which have been successful
in solving problems or preventing failures.
By gaining insight into the two areas we can reduce the incidence of failures and solve chronic
problems. These problems include the fact
Bolt
A bolt is a clamp; its purpose is to provide clamping force to hold assemblies together.
Preload is the force developed in the fastener at assembly, before the joint is placed into service.
Failure
• Leaks
• Loss of bolt or nut, and separation of joint members
• Reduction of fatigue life
• Fretting due to relative movement of parts
§ Prevent Leaks
§ Prevent Fatigue
§ Prevent Loosening
In general, fasteners are most efficiently used by introducing the highest acceptable preload at
assembly, striving for uniformity of preload in the assembly. A high preload produces:
§ Buckling of gaskets
§ Permanent yielding of flanges
§ Thread stripping
§ Yielding of joint members
§ Stress corrosion cracking
There is an important link between establishing a leak free joint and meeting requirements of the
design and technical specifications for the plant that deserves attention, particularly with regard
to assembly. The purpose of this section is to outline the foundation for design-basis integrity of
pressure boundary joints by presentation and discussion of pertinent Code requirements, thus,
establishing the basis for the link between design, maintenance, and operation. Design
information from the code as well as from other sources is presented. No attempt is made to
change or extend any portion of the Code. Explanation and discussion of Code requirements and
ambiguities are also presented.
ASME Section VIII, Division 1 of the Boiler and Pressure Vessel Code provides rules for the
design of bolted flange connections. Bolted flange connections covered by this Code are joints
whose gaskets are entirely within the bolt circle. No flange contact occurs outside this circle.
ASME Section VIII, Appendix 2 provides rules for calculating flange stresses and the amount of
bolting required. This Appendix also provides information for calculating the amount of bolting
required for types of unstayed flat heads and covers.
When high gasket seating stress is achieved at assembly, better sealing performance is achieved.
This is the “y” factor.
When a joint is in service, the hydrostatic end load unloads the joint, resulting in a reduction in
gasket stress. Under operating conditions, it is desirable to have a residual gasket stress higher
than the pressure of the contained fluid. ASME Section VIII recommends that, for good sealing
performance, the residual gasket stress at operating conditions be at least 2 to 3 times the
contained pressure. The ratio of gasket stress to operating pressure is the “m” factor.
Gasket Seating
ASME Section VIII, Division 1, Appendix 2 defines the minimum load required to seat a gasket.
ASME Section VIII, Division 1, provides rules for determining effective gasket width (b), which
is used to calculate gasket stress.
The total minimum required cross sectional area of the bolts is the greater of Wm2/Sa and Wm1/Sb.
ASME Section VIII, Appendix 2 recommends that bolts and studs have a nominal diameter of
not less than ½ inch. Bolts or studs smaller than ½ inch must be made of alloy steel.
Similar considerations as described in foregoing paragraphs on ASME VIII bolted joints apply to
ANSI B16.5 flanges.
ASME Section III, Division 1, Subsection NB (6) provides rules for the design of bolted
gasketed joints for Class 1 service in nuclear power plants. This Subsection requires that bolted
gasketed joints be analyzed for the following:
§ Assembly loads
§ Fatigue
§ Bending, shear
§ Stress concentrations
§ Stress intensities (maximum principal stress difference)
§ Operating loads, including:
• Thermal loads
• Pressure loads
• External loads and moments
ASME Section III, Division 1, Paragraph NB-3000 provides design rules for components. The
Paragraph’s “design-by-analysis” approach requires the calculation of principal stresses, the use
of stress concentrations, and the consideration of operating and assembly loadings for each
component. The design rules require that a component be evaluated for fatigue.
ASSEMBLY
The last section focused on design considerations for pressure boundary joints. This section
begins with an outline of general assembly procedures, and discusses:
§ Considerations for establishing torque values, and development of torque tables to obtain
desired gasket stress.
§ Hydraulic tensioning, stretch of fasteners, and stretch control assembly procedures.
§ Gasket compression and torquing assembly procedures.
As discussed in the previous section, the question of how much preload is appropriate is
practically speaking somewhat ambiguous, and at best may be confusing. A key point was made
that merits reiteration, i.e., the intent of the Code (specifically ASME VIII and ANSI B31.1) is to
allow tightening to levels that are deemed sufficient for service, and the upper limit is that which
does not excessively distort the flange or grossly distort the gasket. This statement is in general
[Figure: bar chart, frequency of failures by category: Not recommended, Lack of load, Over-loaded, Other*]
[Figure: bar chart, frequency of failures by category: Rotated flange, Uneven load, Poor design, Improper equipment]
Equally important to the design of a bolted joint in determining performance is the assembly
procedure. If the joint is not properly assembled, it will not perform as intended. Many variables
affect the performance of a joint. Examples of these variables include smoothness and lubricity
of all surfaces, condition of the parts (e.g., rust, tool marks, defects, etc.), hardness of the parts,
calibration of the tools used on the parts, accessibility of the bolts, and environment in which the
mechanics operate.
§ Be consistent. Do not magnify the variables that affect joint performance with
inconsistent assembly procedures. Whenever possible, the mechanic should use the same
tools in the same way and in the same sequence for each assembly.
§ Train the bolting crews. Explain why good work practices are important. Warn the crews
of problems that will be encountered if procedures are not followed. Training improves
bolting results.
§ Supervise the work, especially on critical joints.
§ Keep tools in good repair. Tool repairs waste time and are counter-productive.
Calibrating and rebuilding the tools periodically ensures that they perform as required.
A written procedure for assembling joints should be developed and include the following:
§ Joint identification, including number, system, location, material, size, etc.
§ Fastener identification, including size and grade
Lubricants
Lubrication of the fastener threads and the bearing surface of the turned element is essential
when torque is used to control preload. An estimated 40% of torquing effort is used to overcome
friction at the thread surfaces. When threads gall, however, there is no relative rotation between
the nut and the bolt. Therefore, no increase in preload is achieved. Under normal conditions, an
estimated 50% of torquing effort is used to overcome friction at the nut-bearing surface.
Compatibility. The lubricant must be compatible with the fastener material and with
the contained fluid. Chlorides, fluorides, and sulfides are undesirable
since they contribute to stress corrosion cracking. Copper-based
lubricants can contaminate primary reactor coolant fluids.
Lubricity. Tables provide a wide range of nut factors for various lubricants. A
lower nut factor is indicative of a more effective lubricant.
Ensure that the tensioner has enough load capacity. Typically the tensioner load should be 25%
to 30% higher than the preload desired in the stud.
Ensure that the nut is run down firmly. This is the most important consideration in the tensioning
process. If the nut is not run down firmly, zero preload can result. Nut rundown is adversely
affected by the following:
§ A poorly constructed nut rundown mechanism. Right angle gear arrangements are
preferable, and high and controlled rundown torque is desirable.
§ Avoid using fine stud threads. Fine stud threads can cause the nut to bind during
rundown. Coarse threads are preferable.
§ A tensioner base that does not fit squarely on the joint surface. Check the base for signs
of yielding or distortion. An ill-fitting base can create interference with the nut and thus
prevent nut rundown.
§ Studs that are not perpendicular to the joint surface. Non-perpendicularity results in stud
bending and binding of the nut during rundown. Shimming the tensioner can correct for
perpendicularity problems.
1. Studs with a longer length-to-diameter ratio have higher tension efficiency.
The longer studs are more efficient in tensioning since they experience greater stretch under
the action of the hydraulic tensioner. When the tensioner load is released, the stud stretch is lost as
the upper nut taper load is smaller on a percentage basis.
Coarse threads allow for better nut rundown; there is less chance of binding between the nut and
studs.
To effectively perform tensioning procedures, follow the tensioner manufacturer instructions and
the following recommendations:
Stretch of Fasteners
Stretch Measurements
Micrometers, displacement gages, and ultrasonic extensometers are used to measure fastener
stretch. A “C” type micrometer requires access to both ends of the fastener and a reasonably
short fastener length.
1. Ensure that all load-bearing surfaces are in good condition. Check the thread flanks, the
bearing surfaces of the nuts or bolt heads, the washers, and the flange surface.
1. Torque the joint with a minimum of four torquing passes, using a cross-bolting sequence
for each pass. Diagram on following page gives typical flange bolting patterns. The
torque values for each sequence are given below:
§ Pass 1: Bring all nuts up hand tight. Then tighten snugly and evenly.
§ Pass 2: Torque to a maximum of 30% of the final torque. Check that the flange is
bearing uniformly on the gasket (i.e., uniform gap, parallel sealing surface).
§ Pass 3: Torque to a maximum of 60% of the final torque.
§ Pass 4: Torque to the final torque.
2. After completing the four basic torquing passes, continue torquing the nuts in a clockwise
manner until no further rotation of the nut is observed. This process may require an
additional five to seven passes.
3. Torquing the fasteners of a joint in the reverse sequence in the final pass may improve
preload uniformity. In critical situations, the preload achieved can be verified by making
stretch measurements of the fastener.
Torque tables are generally developed from the short-form torque-preload equation. Assumptions
made in the torque tables include the “nut factor” (K=2, as received condition) and the cross
sectional area used in the stress calculation.
Tables show torque required to develop 40%, 70% and 85% yield strength of various materials.
The values given are based on the nut factor and the root area of the fastener. A torque table for
SA-193 material is given on the following page:
TROUBLE SHOOTING
If, at any time, a gasketed assembly leaks, begin trouble shooting by shutting down the system.
§ Drain off all pressures that are being applied to the joint and remove all bolts, nuts, and
washers.
§ Carefully remove the gasket from the flange. Try to keep the gasket intact.
§ Now, examine the gasket to determine if it was damaged during the installation, for
example, a rollover at the edge onto the seating surface.
BIBLIOGRAPHY
Aptech Engineering Services, Inc., Bolted Joint Maintenance & Applications Guide, Research
Project 3814-07, Final Report, May 1995
The Occupational Safety and Health Administration (OSHA) views the process hazard analysis
as the cornerstone of any effective program for managing hazards because it is a thorough,
orderly, systematic approach for identifying, evaluating and controlling processes involving
highly hazardous chemicals. By performing a hazard analysis, the employer can determine where
problems may occur, take corrective measures to improve the safety of the process and plan
actions that would be necessary if safety controls failed.
PURPOSE, GOAL
The purpose of conducting a process hazard analysis (PHA) is to identify potential accidents or
hazard scenarios that may occur and could result in undesirable consequences. In the context of
OSHA’s standard, these primarily include the potential for serious injury to employees. Using a
broader definition, other consequences include the potential for serious injury to off-site
personnel, equipment and property damage and adverse environmental impact. The emphasis in
conducting the study is on identification of potential hazards and their consequences.
The follow-up procedures to the PHA studies have two purposes: to prioritize the identified
hazards and to initiate hazard control methods. The follow-up actions should be conducted in a
timely fashion; however, the employer makes the decision on what recommendations, if any, will
be implemented.
The revalidation of PHA studies, conducted at least every five years, is necessary to ensure that
the PHA is consistent with the current process, identifies the known process hazards and confirms
that adequate, existing controls can manage the hazards.
Process hazard analyses are required for any purpose involving a highly hazardous chemical as
defined in the standard. A process includes any manufacturing or use of a highly hazardous
chemical, including storage, handling or the onsite movement of the chemical, or combination of
these activities. Any interconnected group of vessels and separate release is considered a single
process. To simplify, almost any facility that has a designated hazardous chemical onsite in the
quantities named in the standard must conduct a process hazard analysis for the equipment and
process in which the material is present (29 CFR 1910.119 (e)(1)).
Process hazard analyses are required to be conducted at intervals of at least once every five years
or more often as may be required under management of change requirements.
TYPES OF ANALYSES
The regulation identifies six hazard analysis techniques as acceptable for compliance (29 CFR
1910.119 (e)(2)). Employers also can choose an appropriate equivalent methodology.
Acceptable techniques are:
§ What-if analysis;
§ Checklists;
§ What-if/checklist analysis;
§ Hazard and operability studies (HAZOP);
§ Failure mode and effects analysis (FMEA); or
§ Fault tree analysis (FTA).
Employers are required to choose a methodology that is appropriate to the complexity of the
process. Given that an analysis may identify a scenario as requiring more in-depth study, the use
of a more detailed technique for follow-up study may be required.
What-if: The process is reviewed by the study team leader and questions are set out that postulate
mistakes in operation or failures of equipment. For example, the question could be posed “What
if the operator fails to shut down Pump 23A?” After review of the questions by the team before
starting the study, the questions are posed to the team as a group, answered, and the
consequences and preliminary recommendations are documented.
Checklist: The process is reviewed by use of a checklist that reflects previous operating
experience in the process under study or a very similar process elsewhere. Deviations from
appropriate answers are reviewed and appropriate actions are considered.
Hazard and Operability Study: A hazard and operability study (HAZOP) uses a highly structured
approach where process parameters, such as flow and temperature, are examined for deviations
from their design intent. The effects of these deviations are considered to determine if potential
hazards will result and preliminary recommendations for possible improvement may be
proposed.
Failure Mode and Effects Analysis: Failure mode and effects analysis (FMEA) is based on a
component-by-component study of the process where component-specific failure modes are
identified. The effects of these specific failure modes are evaluated and preliminary
recommendations may be proposed.
Fault Tree Analysis: A fault tree analysis (FTA) uses a graphical binary representation of
specific events that lead to an undesired hazardous event. The connection of the specific events is
made through Boolean logic thus allowing both qualitative and quantitative hazard analysis
results. The technique provides results that identify potential hazards and also the sequences of
events that may lead to the potential hazards. Preliminary recommendations for hazard reduction
may be made with respect to equipment and procedures.
A process hazard analysis comprises three parts: preparation, conducting the hazard analysis and
follow-up actions resulting from the hazard analysis.
The preparatory phase for a process hazard analysis requires the gathering of data, drawings,
procedures and formation of a team. Typically, each of the acceptable methods will require up-
to-date process flow diagrams, piping and instrumentation drawings, and data regarding process
materials and conditions. Certain hazard analysis techniques may require additional, more detailed
materials.
The hazard analysis is conducted with the clear goal of identifying potential hazards.
Recommendations may be made with the intent of reducing or eliminating a potential hazard.
Items of concern also may be identified for further, more detailed study.
The follow-up phase involves evaluating the proposed recommendations to determine the
appropriate course of action. The action taken may include:
Further study may be required to determine if certain hazards identified are indeed significant to
exposed workplace employees. This further study initially may require a more detailed hazard
analysis, possibly with a different technique from the group of approved methods, followed by a
consequence analysis that will more precisely evaluate the consequences of the potential hazards.
The type of consequence analysis required will depend upon the identified potential hazards. For
example, hazards involving fires may require evaluation of thermal radiation effects, where toxic
releases may require the use of vapor dispersion models along with toxicology effect models.
The follow-up phase of a process hazard analysis is often an iterative process whereby the hazard
analysis and/or consequence evaluations are redone as required to ensure that potential hazards
are minimized.
OSHA requires that the process hazard analysis be conducted using a team approach (29 CFR
1910.119 (e)(4)). The rationale for this is that a team with varying backgrounds will result in a
more comprehensive review than would occur if the team members individually reviewed the
process.
Selection of team members should be based on their ability to make a contribution to the study.
Usually, this means that each member has either specific experience with the process or
equipment under study or that the team member has other knowledge that will augment the team.
For example, in a hazard analysis of a tank farm, a transfer operator would have practical
experience of the process while an instrument specialist might be able to offer expertise on the
alarms and indicators of the tanks.
The mix of team members will depend upon the particular study. In some cases, a small group
will have sufficient knowledge to consider all aspects of the process. In other cases, it may be
necessary to have some team members with a specific expertise available on an as-needed basis.
For example, in a process with a complex distributed computer control system, it may be
necessary to have a controls engineer. Such a specialist team member may attend the study only
when required.
§ Team leader;
Team composition will depend upon the objectives of the study, the type of unit being studied,
the titles used by the local facility and a variety of other considerations. Teams can be gathered
from personnel within the facility or can utilize the skills of outside consultants. In any case,
OSHA requires that at least one team member has experience and knowledge specific to the
process being evaluated and one is knowledgeable in the specific process hazard analysis
methodology being used (29 CFR 1910.119 (e)®).
Managers of the team members should be made aware of the study schedule. Process hazard
analyses can be time consuming and often will run for many weeks. A commitment by
management that the team members will be available for the duration of the study is important to
ensure a good quality study.
There are a number of steps to be accomplished in conducting a hazard analysis. The proper
attention paid to each of these steps can help ensure a successful study, one that adequately
identifies potential hazards and provides meaningful recommendations that can be implemented.
The steps in conducting a hazard analysis can be broken down as follows:
Without a clear set of objectives and scope, a study will lack focus. A lack of information and/or
the insight gained from a site survey could slow the study. A predetermined and well-considered
risk ranking will avoid confusion on the part of the team and allow for consistent results.
If a result of the study is to conduct further, more detailed studies, the above seven steps should
be repeated for each succeeding study to reflect the changes in the scope of study as well as the
more detailed focus.
Consistency is important within a given study to ensure that all hazards that are considered are
judged against a common background. Inconsistency in a study will result in some
recommendations being given a higher priority than is justified, possibly resulting in greater risks
to affected employees instead of decreased risk. For example, the hazard of personnel exposure
to a given quantity of a highly toxic material should be weighted identically between similar
types of releases wherever these might occur in the process.
Maintaining consistency within a study is a responsibility of the study team leader. It requires a
constant level of vigilance to ensure that hazards are considered using the predetermined scope
and objectives for the study and the risk rankings (if these are used).
Therefore, it is necessary to ensure that each study has objectives and scope that are considered
carefully in light of other studies already completed and upcoming studies to ensure an “apples
to apples” comparison. This will further assist management by allowing more clear prioritization
of recommendations from the different studies.
ANALYSIS FINDINGS
After a study has been conducted, the findings and recommendations of the study must be
addressed. For this to be done systematically, a system should be established that covers the
following:
§ Assures that each recommendation is resolved in a timely manner and that the resolution
is documented;
§ Documents the proposed remedial measures or actions undertaken with respect to the
recommendations;
§ Completes actions as soon as possible;
§ Develops a written schedule of when these actions are to be completed; and
§ Informs operating, maintenance and other employees who may be affected by the
identified potential hazards and the recommendations and/or actions taken
(29 CFR 1910.119(e)(5)).
Recommendations often are made in a hazard analysis that require more detailed evaluation.
Additional engineering or procedural review may determine that the recommendations are not
OSHA has said that when responding to the team’s findings and recommendations, the employer
retains the flexibility to not only reject proposals that are erroneous or infeasible, but also to
modify a recommendation that may not be as protective as possible or may be no more protective
than a less complex or expensive measure. OSHA’s position is that an employer is required to
implement the team’s findings and recommendations except to the extent that an employer can
document that an alternative will be at least as effective or efficient in addressing the safety
concerns.
Once action has been taken based upon the recommendations, resulting in either process
modifications, new or revised procedures or both, employees who work in the facility should be
properly informed of these changes. This communication may be handled as a part of the
standard’s requirements for refresher training.
UPDATES
The regulation requires that process hazard analyses be updated and revalidated at least every
five years (29 CFR 1910.119(e)(6)). In addition, under the requirements for management of
change, all or portions of a study may have to be amended and updated more frequently.
The process of updating and revalidating a study can take several forms. If no major changes in
the process have been made, this effort simply may be a review of the previous study. If
significant changes have been made to the process, it may be necessary to conduct another
hazard analysis study. Some specific examples, provided by JBF Associates Inc., of what would
warrant a new analysis include:
The new analysis may use the same technique as the initial study or may use another of the
approved techniques.
The team that conducts the update and revalidation study should have similar qualifications to
the team that conducted the previous study. It is not required that the update team is the same
team that conducted the previous study. However, it is recommended that the revalidation team
have access to the original PHA team members. In some circumstances, it is advantageous to use
some of the original PHA team members in the revalidation team (see #350).
An important first step is deciding whether the original PHA study was completed in such a
manner that it can be revalidated or whether significant changes have occurred to the process
since the PHA study. Some may find it more beneficial to redo the entire PHA study to ensure
compliance with the standard than to revalidate. Employers need to analyze the existing PHA
study to determine which action to take when facing the revalidation deadline (see #350).
DEADLINES
At the time the PSM standard was promulgated in 1992, OSHA established a five-year phase-in
period for facilities to complete initial PHAs for existing covered processes (29 CFR
1910.119(e)(1)). For all other covered processes, including new processes constructed since the
PSM standard’s promulgation date, a PHA must be conducted and recommendations resolved or
implemented prior to startup (29 CFR 1910.119(I)). Before a PHA is performed, the process
safety information (see 310) for the covered process must be compiled. For processes that are
modified, refer to the management of change requirements (see #650).
RECORDKEEPING
Employers must retain process hazard analyses and updates or revalidation for each covered
process, as well as documented resolution of recommendations, for the life of the process (29
CFR 1910.119(e)(7)).
TRAINING
The standard does not set out any specific training requirements for persons involved in
conducting process hazard analyses. However, while hazard analyses are not necessarily an
arduous technical requirement, some training for both team leaders and team members is
recommended.
It usually is desirable for team members to have some training and/or experience in the technique
to be used. The degree of training or experience is dependent upon the technique chosen. The
training may be as simple as reviewing previous checklists, to having a series of classroom
seminars in hazard analysis techniques.
The training of additional personnel will depend upon the future needs of the company. If the
potential exists for a number of persons to be involved in future studies, then training of a large
number of personnel may be efficient. If, on the other hand, only a handful of personnel are
expected to participate in a hazard analysis, then only those personnel need to be trained. Some
organizations take the approach that training all personnel in hazard analysis techniques produces
a greater awareness of process safety, but this is not required under the standard.
BIBLIOGRAPHY
Chemical Process Safety Report, Tab 300, PHA Program for Large Projects Requires Careful
Planning, July 2001
INTRODUCTION
Once the piping and instrumentation drawing (P&ID) review sessions are finished, some process
hazard analysis (PHA) teams consider their charter to be complete. In most cases, a significant
amount of activity remains that is best executed by the team itself. An effective PHA
management system addresses at least 10 separate tasks, which involve:
This insight article focuses on the three tasks initially facing the PHA team at the conclusion of
the P&ID review sessions. These tasks involve:
Updating the PHA study for process change management (task 8 above) is usually not the
responsibility of the initial PHA team. Periodically revalidating the PHA (task 9 above) and
maintaining documentation (task 10 above) are recognized future events that the initial PHA
team is generally not accountable for. The remainder of this article addresses insights and
Purpose
§ Presents a clear and concise summary of the study results to decision makers within the
organizational structure;
§ When coupled with the data base that is generated during the team study sessions,
provides a baseline for revalidation studies;
§ Preserves and conveys conclusions, deliberations and concerns of the PHA team;
§ Supports other elements of an integrated PSM program such as incident investigations
and emergency preparedness;
§ Provides evidence that the PHA study was performed according to sound engineering
practices;
§ May become a legal document, discoverable in regulatory or tort action, and may, under
certain circumstances, be examined (subject to trade secret protection) by non-company
parties; and
§ Can become a portion of the employee training manuals and operating procedures.
PHA documentation (task 5 above) is most often executed in two phases; initial capture of the
team discussion and development of a formal report. A variety of report styles and formats are
employed to achieve these objectives. Regardless of the format used, the report must contain the
recommended action items and sufficient back-up information necessary to understand the
concerns uncovered during the study.
Summary
A succinct summary often is a neglected aspect of a PHA report. In many organizations, the
PHA management system and PHA report are new (or recently upgraded) events and therefore
are not as well understood as some traditional technical reports. The PHA team cannot
reasonably expect readers of the report to be familiar with the purpose and mechanism of the
PHA study. This creates an additional challenge to develop a clear and concise summary of the
PHA study report.
A summarized description of the process is usually helpful (one to two pages maximum). It
should identify major known hazards and hazardous properties/conditions potentially present.
Any unusual conditions, unique, or non-conventional features of the process must be included in
the process description. Block flow diagrams and chemical reaction/material balances are
sometimes included where the process is complex or if the scope or boundaries of the study are
not obvious.
Method Selection
The PHA method(s) applied in the study sessions should be discussed, along with the rationale
used for method selection. The specific boundaries of the study should be clearly described
(physical and administrative). Any assumptions, stipulations, limitations, or exclusions placed on
the team should be identified. A common example of a stipulation would be the reliability
assumed for primary pressure relief systems and performance of safety relief valves. Definitions
for categories of consequence severity or frequency (likelihood) are necessary for proper reader
comprehension. These definitions can be incorporated into an appendix, which also may include
MSDs, plant layout diagrams, and actual P&ID documents (with line segment/nodes marked).
Recommendation Wording
Global Issues
It sometimes is preferable to separately present in the report some items and concerns in a
general (or global) perspective. Fire protection, for example, usually is addressed in every line
segment/node of the P&ID, yet is most effectively presented as a separate portion of the report.
This often is true for special safety-related systems (flares, flammable vapor detectors, etc.).
Arranging related items has been found to improve reader comprehension and can enhance
economic justification and decision making.
Previous Incidents
The OSHA PSM standard requires identification of previous incidents involving the process.
Some report formats devote a special section to a review of previous incidents. The causes
Human Factors
Human factors (human performance) issues usually are considered when evaluating each
individual potential cause scenario. However, the team should ensure that documentation clearly
indicates where credible human factor issues were discussed. Anticipated human errors and
mistakes along with their consequences should be considered in each line segment/node of the
P&ID. There is significant variation in the attention given to physical human factor issues such
as ergonomics, repetitive trauma and chronic low level exposures. The emphasis given to these
issues depends on the scope of the study, the specified hazard boundaries, and the culture and
policies of the organization.
Non-Process Hazards
Traditional PHA practice has been to focus on process-related hazards that could result in
catastrophic consequences and to exclude discussion of “non-process” hazards. A slip/trip/fall
incident could certainly result in a fatality under the right set of circumstances. However, this
type of single employee consequence typically is not included in the scope of the PHA study. A
properly executed PHA study is, by nature, systematic and thorough and will therefore expose
many of these non-process hazards. The follow-up and documentation of non-process hazards
must be considered when establishing the report format.
Siting
Siting for proposed facilities can be a separate section of the report. For existing processes, the
siting issue is addressed when evaluating a range of credible consequences caused by failures of
controls. Individual siting issues usually are included when recommending mitigation controls.
Failure to address and document siting is a deviation from the minimum criteria established by
the OSHA PSM standard for PHA studies.
Initial Closure
The documentation of the study team discussion should show initial closure for each item
(scenario, concern, parameter/deviation) initiated by the team. Satisfactory closure of a team
discussion item can be indicated in the PHA database in several ways:
§ The team determines that no credible scenario exists for this particular item;
§ The team determines that no process safety concerns exist for this item;
§ The team determines that existing safeguards (protections) are adequate;
Team Review
The report is a team product and therefore the draft should be reviewed and approved by every
member of the PHA team. Some teams take the additional step of having each member of the
team sign-off on the report. This gives an additional sense of ownership and team perspective.
Page Marking
For the initial draft report that is circulated, it usually is helpful to conspicuously identify each
page as a “draft” and indicate the date or edition of the draft report. Another practical tip is to
identify the intended distribution so that each reviewer will know who has had the opportunity to
review the draft, thus speeding up the review cycle. If the report is not the final edition, it should
be clearly labeled as a “draft”.
Critique of the Study
Many organizations have found it beneficial for the PHA team to conduct
a critique of the PHA study process itself and to note in the report any observations or lessons
learned which could improve future PHAs. A typical example would be a suggested adjustment
to the scope and boundaries of the next study. The team may identify a critical dependency or
related system that should logically be included in the scope of the PHA. There needs to be a
mechanism for capturing and implementing practical lessons learned by the team so that future
PHA studies can be done more effectively. The re-evaluation process is shown below:
A successful PHA management system communicates results to those workers who would be
affected by study findings and recommendations. In most cases, changes in operating practices,
procedures, and training programs will be implemented as a direct result of team discussions.
Employee qualification criteria may be modified based on new information uncovered in the
PHA. In many cases, previously unrecognized insights and relationships will be discovered.
Additional respect for potential hazards and scenarios often will be adopted. Applying lessons
learned requires effort and resources.
In Guidelines for Hazard Evaluation Procedures (Center for Chemical Process Safety), four
recognized limitations of PHA methodologies are identified. One limitation is inscrutability and
the ensuing potential for PHA team findings to be misunderstood. If the reader of a PHA report
does not understand the jargon, stipulations, scope, and boundaries of the study, it may be easy to
misinterpret the results. Distorted comprehension of PHA team conclusions could then be
disseminated with adverse consequences. This creates a challenge and a responsibility for the
PHA team to clearly communicate study findings.
One solution to this challenge is to proactively develop a plan and document(s) for specifically
conveying PHA results to workers who may be impacted. The hard lessons learned from
implementing OSHA’s hazard communication standard can be applied to communicating PHA
results. The plan should include an opportunity for workers to get additional information or
clarification, and a reasonable opportunity to review the entire documentation.
Simply posting (or circulating) a list of the PHA recommendations may not be sufficient unless it
is accompanied by supplemental discussion or information. Some organizations find it worth the
effort to develop and circulate a specific document that is an abbreviated edition of the full PHA
report. Any unique terminology should be explicitly addressed. The justification for determining
a risk to be acceptable should be available. The communication of PHA results should be
adequately documented since results are likely to be requested by regulators if complaints arise.
The complexity and extent of typical PHA report recommendations demand a system for
addressing them. An initial listing of recommendations should identify, for each
recommendation, a person assigned responsibility for implementation or follow-up, as well as a
target date for a specified level of action or completion. Some recommendations (such as
modifications to procedures) can be implemented quickly, while others can reasonably require
years to complete (i.e., major process rearrangements). For long-range recommendations, it often
is feasible to establish interim measures that satisfy the original intent and concern identified by
the PHA team.
Recently, OSHA has clarified its expectations regarding documenting the decision to modify or
reject a recommendation from the PHA team. Any decision to modify the original
recommendation must be technically sound and adequately documented. The formation and
attributes of recommendations are beyond the intended scope of this particular insight. However,
it is appropriate to remember that the purpose of the recommendation is to remove or reduce the
hazard, consequence, or the likelihood of the undesirable event.
Each recommendation from the PHA team is an official endorsement for a recognized or
perceived need for preventive action. PHA recommendations are submitted by the PHA team to
decision-makers in the organization. If the PHA is conducted in accord with accepted industry
guidelines, the team should be chartered with the freedom and obligation to make any
recommendation that the team determines to be needed, reasonable and appropriate, regardless of
potential conflicts with internal organizational policies.
A lesson learned by seasoned PHA teams is to clearly identify those recommendations that are
mutually dependent. Any specific interrelations or dependencies between recommendations must
It may be necessary to reconvene a special session of the PHA team to review new data found
during the implementation phase. The PHA team may be in the best position to evaluate this new
information since the team understands the interrelationships considered in the study. Consistent
or excessive rejection or modification of PHA team recommendations by management is an
indication of a deficiency in the PHA and/or PSM management system.
Failure to resolve a recommendation could result in avoidable incidents and injury to people.
Professional ethics demands action on items where failure to act has a reasonably credible
chance of resulting in harm. Failure to resolve recommendations also can significantly increase
liability exposure for the employer and possibly the personal liability exposure for decision-
making personnel in the organization. Additional knowledge of a hazard or suggested precaution
can, under certain circumstances, be accompanied by additional responsibility to act to remove
or control that hazard.
PHA technology is not infallible, is highly dependent on the existing knowledge available to the
PHA team, and requires subjective judgments by experienced, capable, yet imperfect human
beings. Despite these acknowledged limitations, PHA studies are powerful tools that can
significantly impact the safety of workers and can help avoid a catastrophic economic loss. A
properly executed study represents a major commitment of personnel and economic resources,
both in the study stage and in the implementation of recommendations.
The structure of the PSM and PHA management systems can impact the successful execution of
the post-team-session phase. This article has attempted to highlight three initial tasks facing the
PHA team at the conclusion of the P&ID review sessions. Implementing concepts presented will
assist in achieving the goals of PHAs as defined by the Center for Chemical Process Safety,
including the objective of presenting results in a format easy for decision-makers to use.
Opportunities for continuous improvement are available, if we have the energy and motivation to
take that next step.
METALLURGY
What is a metal? Metals are best described by their properties. Metals are crystalline in the solid
state and solid at room temperature (except for mercury). They are good conductors of heat and
electricity and they usually have comparatively high density. Most metals are ductile, meaning
that their shape can be changed permanently without breaking by the application of relatively
high forces.
Metallurgy is the science and technology of metals and alloys. Process metallurgy is concerned
with the extraction of metals from their ores and the refining of metals. Physical metallurgy is
concerned with the physical and mechanical properties of metals as affected by composition,
processing and environmental conditions, and mechanical metallurgy is concerned with the
response of metals to applied forces.
Pure Metals/Alloys
Pure metals are soft and weak and are used only for specialty purposes. Foreign elements
(metallic or non-metallic), which are always present, may be detrimental or beneficial or not have
any influence on a particular property. Disadvantageous foreign elements are called impurities,
while advantageous foreign elements are called alloying elements. When alloying elements are
deliberately added, the result is called an alloy.
Iron alloys that contain between 0.1% and 2% carbon are designated as steels. Iron alloys with greater
than 2% carbon are called cast irons.
Crystal Lattices
The three dimensional network of imaginary lines connecting the atoms is called the space
lattice. The smallest unit having the full symmetry of the crystal is called the unit cell. Most
important metals crystallize in either the cubic or hexagonal systems, in one of three space
lattices.
Allotropy
Some pure metals and many alloys have different crystal structures depending on temperature.
Iron is the best-known example of an allotropic metal. When iron crystallizes from the liquid
Allotropic changes are the basis for heat treatment of a great many engineering materials.
Solidification
When a liquid metal’s temperature has dropped sufficiently below its freezing point, stable
aggregates of atoms or nuclei appear spontaneously at various points in the liquid. These solid
nuclei act as centers for further crystallization.
As cooling continues, more atoms attach themselves to already existing nuclei or form new
nuclei. Crystal growth continues in three dimensions with the atoms attaching themselves in
certain preferred directions along the axes of the crystal.
This forms the characteristic tree-like structure called a dendrite. Each dendrite grows in a
random direction until finally the arms of the dendrites are filled and further growth is obstructed
by the neighboring dendrite. As a result, the crystals solidify in irregular shapes and so are called
grains.
The mismatched area along which crystals meet is the grain boundary. It has non-crystalline or
amorphous structure with irregularly spaced atoms. Because of this irregularity, grain boundaries
tend to be regions of high energy and reactions such as corrosion often favor grain boundary
sites.
Grain Size
The relation between the rate of growth and the rate of nucleation determines the size of grains in
a casting. Cooling rate is the most important factor in determining grain size. Rapid cooling
allows many nuclei to be formed and the material will be fine grained.
PHASE DIAGRAMS
Structures
The properties of a material depend to a large extent on the type, number, amount, and form of
the phases present and can be changed by altering these quantities. Phase diagrams explain the
conditions under which phases exist and the conditions under which phase changes occur.
Three variables are used to describe the state of a system in equilibrium: (1) temperature, (2)
pressure, (3) composition. Phase diagrams assume a constant (ambient) pressure. Since
equilibrium conditions do not normally exist during heating and cooling, phase changes tend to
actually occur at temperatures slightly higher or lower than the phase diagram would indicate.
Rapid variations in temperature can prevent normally occurring phase changes.
Phase diagrams are usually plotted with temperature as the ordinate and alloy composition in
weight percentage as the abscissa.
Type I – Two metals completely soluble in the liquid and solid states. The only type of solid
phase formed will be a substitutional solid solution. Usually the two metals have the same kind
of crystal structure and similar atomic radii.
A series of cooling curves for various compositions is obtained by experiment and they are
combined to form the phase diagram.
The upper line connecting the points showing the beginning of solidification is the liquidus line.
The area above the liquidus line is a single-phase region of a homogeneous liquid solution. The
lower line connecting the points showing the end of solidification is the solidus line. The area
below is a single-phase region of a homogeneous solid solution. The iron carbon phase diagram
is shown below:
Iron is an allotropic metal – it can exist in more than one type of lattice structure depending on
the temperature. The temperature at which the changes occur depends on the alloying elements
in iron, especially the carbon content.
The maximum solubility of carbon in bcc δ Fe is 0.10%. The solubility of carbon is much greater
in FCC γ iron or austenite. The presence of carbon influences the δ to γ allotropic change. As
carbon is added to iron, the temperature of the allotropic change increases from 2554°F to
2720°F.
There is a eutectic reaction at 2065°F. The eutectic point E is at 4.3% carbon and 2065°F.
Whenever an alloy crosses this line, the eutectic reaction must take place. Any liquid which is
present at this temperature must now solidify into the very fine mixture of the two phases that are
at either end of the horizontal line – austenite and iron carbide (cementite).
However, since austenite is not normally stable at room temperature, another reaction occurs
during subsequent cooling.
The small solid region to the left of the eutectic line consists of a solid solution of carbon
dissolved in bcc α Fe, called ferrite. A eutectoid reaction occurs at 0.80% carbon and 1333°F.
Any austenite that is now present must transform into the very fine eutectoid mixture of ferrite
and cementite called pearlite. Austenite, being FCC, has much denser packing than the BCC
ferrite. A volumetric expansion occurs when austenite changes to ferrite during slow cooling.
Alloys containing less than 2% carbon are known as steels and those containing more than 2%
carbon are called cast irons. Steels containing less than 0.8% carbon are known as hypoeutectoid
steels, and those containing 0.8% carbon are eutectoid steels. If the carbon content exceeds 0.8%,
the material is called a hypereutectoid steel.
A hypoeutectoid steel containing 0.20% carbon when heated to the austenite range has a uniform
interstitial solid solution of carbon in fcc iron. Upon cooling, nothing happens until the line GJ is
crossed at point x1. This line is called the upper-critical-temperature line and is designated A3.
The allotropic change from fcc iron to bcc iron occurs at 1666°F for pure iron and the
transformation temperature decreases as the carbon content increases.
At A3, ferrite begins to form at the austenite grain boundaries. However, ferrite can dissolve only
a small amount of carbon. The carbon must come out of the solution where the ferrite is forming
before the atoms rearrange themselves into the bcc lattice.
Just above the A1 line, the microstructure consists of 25% austenite and 75% ferrite. This
remaining austenite (which contains 0.8% carbon) experiences the eutectoid reaction:
Therefore, when the reaction is complete, the microstructure is 25% pearlite and 75% ferrite.
The formation of pearlite involves several processes: Since bcc ferrite can only dissolve very
little carbon and the austenite contains 0.8% carbon, the change cannot happen until some of the
carbon atoms come out of the austenite solid solution. The first step in the transformation is the
precipitation of carbon atoms to form plates of cementite (iron carbide). So in this area, the
carbon is depleted and the atoms can rearrange themselves to form bcc ferrite. Thin layers of
ferrite are formed on each side of the cementite plate.
The process continues by the formation of alternate layers of cementite and ferrite to give the
fine fingerprint mixture called pearlite. The reaction usually starts at the austenite grain
boundaries, with the pearlite growing along the grain boundary and into the grain.
Since ferrite and pearlite are stable structures, the microstructure remains the same down to room
temperature. It consists of 75% proeutectoid ferrite (formed between the A3 and A1 lines) and
25% pearlite (formed from the austenite at the A1 line).
These same changes would occur for any hypereutectoid steel. The only difference would be in
the relative amounts of ferrite and pearlite. More carbon causes the formation of more pearlite.
Heat treatment is defined as “A combination of heating and cooling operations, timed and
applied to a metal or alloy in the solid state in a way that will produce desirable properties.” The
first step in heat treatment of steel is to heat the material to some temperature at or above the
critical range in order to form austenite.
Different heat treatments are based on the subsequent cooling and reheating of the austenitized
material.
The full annealing process consists of heating the steel to the proper temperature and then
cooling slowly through the transformation range in the furnace. The purpose of annealing is to
produce a refined grain, to induce softness, improve electrical and magnetic properties, and
sometimes to improve machinability. Annealing is a slow process, which approaches equilibrium
conditions and comes closest to following the phase diagram.
Spheroidizing
In hypereutectoid steels, the cementite network is hard and brittle and must be broken by the
cutting tool during machining. Spheroidizing annealing is performed to produce a spheroidal or
globular form of carbide and improve machinability. All spheroidizing treatments involve long
times at elevated temperatures.
The stress relief annealing process is used to remove residual stresses due to heavy machining or
other cold-working process. It is usually carried out at temperatures below the lower critical line
(1000°F to 1200°F) and is actually a sub-critical anneal.
Normalizing
Normalizing is carried out at about 100°F above the upper-critical-temperature (A3 line),
followed by cooling in still air.
Normalizing produces a harder and stronger steel, improves machinability, modifies and refines
cast dendritic structures, and refines the grain size for improved response to later heat treatment
operations. Since cooling is not performed under equilibrium conditions, there are deviations
from the phase diagram predicted structures.
Under slow or moderate cooling rates, carbon atoms have time to diffuse out of the fcc austenite
structure so that the iron atoms can rearrange themselves into the bcc lattice. This γ to α
transformation takes place by nucleation and growth and is time dependent.
Faster cooling rates do not allow sufficient time for the carbon to diffuse out of solution and the
structure cannot transform to bcc with the carbon atoms trapped in solution. The resultant
structure – martensite – is a supersaturated solid solution of carbon trapped in a body-centered
tetragonal structure. This is a highly distorted structure that results in high hardness and strength.
Martensite is never in a state of equilibrium although it can persist indefinitely at or near room
temperature. Martensite would eventually decompose into ferrite and cementite.
Since the phase diagram is of little use for steels that have been cooled under non-equilibrium
conditions, I-T diagrams have been developed to predict non-equilibrium structures. The I-T
diagram for 0.8% carbon eutectoid steel follows:
Above the Ae, austenite is stable. The area to the left of the beginning of transformation consists
of unstable austenite. The area to the right of the end-of-transformation line is the product to
which austenite will transform at constant temperature.
The area between the beginning and the end of transformation labeled A + F + C consists of
three phases: austenite, ferrite, and carbide. The Ms temperature is indicated as a horizontal line
and temperatures for 50% and 90% transformation from austenite to martensite are noted.
The transformation product above the nose region is pearlite. As the transformation temperature
decreases, the spacing between the carbide and ferrite layers becomes smaller and the hardness
increases. Between the nose region of 950°F and the Ms temperature, an aggregate of ferrite and
cementite appears which is called bainite. As the transformation temperature decreases, the
bainite structure becomes finer.
Quenching
Vapor-Blanket Cooling describes the first cooling stage when the quenching medium is
vaporized at the metal surface and cooling is relatively slow. Vapor-Transport Cooling starts
when the metal has cooled down enough so that the vapor film is no longer stable and wetting of
the metal surface occurs. This is the fastest stage of cooling. Liquid Cooling starts when the
surface temperature of the metal reaches the boiling point of the liquid so that vapor is no longer
formed. This is the slowest stage of cooling.
Hardenability is related to the depth of penetration of the hardness. It is predicted by the Jominy
test. A 1 in. round specimen 4 in. long is heated uniformly to the proper austenitizing
temperature and then quenched by a controlled water spray.
A plot of the hardness vs. distance from the quenched end is made. Since each spot on the test
piece represents a certain cooling rate and since the thermal conductivity of all steels is assumed
to be the same, the hardnesses at various distances can be used to compare the hardenability of a
range of compositions.
Tempering
Steel in the as-quenched martensitic condition is too brittle for most applications. High residual
stresses are induced as a result of the martensite transformation. Therefore, hardening is nearly
always followed by tempering or drawing.
Tempering involves heating the steel to some temperature below the lower critical temperature
and thus relieving the residual stresses and improving the ductility and toughness of the steel.
There is usually some sacrifice of hardness and strength.
WORKING METALS
Elastic Limit
When a material is stressed below its elastic limit, the resulting deformation or strain is
temporary. Removal of an elastic stress allows the object to return to its original dimensions.
When a material is stressed beyond its elastic limit, plastic or permanent deformation takes place
and it will not return to its original dimensions when the stress is removed. All shaping
operations such as stamping, pressing, spinning, rolling, forging, drawing, and extruding involve
plastic deformation.
Plastic Deformation
Plastic deformation may occur by slip, twinning, or a combination of slip and twinning. Slip
occurs when a crystal is stressed in tension beyond its elastic limit. It elongates slightly and a
step appears on the surface, indicating displacement of one part of the crystal. Increasing the load
will cause movement on a parallel plane, resulting in another step. Each successive elongation
requires a higher stress and results in the appearance of another step. Progressive increase of the
load eventually causes the material to fracture.
Twinning is a movement of planes of atoms so that the lattice is divided into two symmetrical
parts, which are differently oriented. Deformation twins are most prevalent in close-packed
hexagonal metals such as magnesium and zinc and body-centered cubic metals such as tungsten
Fracture
Fracture is the separation of a body under stress into two or more parts. Brittle fracture involves
rapid propagation of a crack with minimal energy absorption and plastic deformation. It occurs
by cleavage along particular crystallographic planes and shows a granular appearance.
Ductile fracture occurs after considerable plastic deformation prior to failure. Fracture begins by
the formation of cavities at nonmetallic inclusions. Under continued applied stress, the cavities
coalesce to form a crack. This process is seen as microvoid coalescence on the fracture surface.
Cold Working
A material is considered to be cold worked when its grains are in a distorted condition after
plastic deformation is completed. All of the properties of a metal that are dependent on the lattice
structure are affected by plastic deformation.
Tensile strength, yield strength, and hardness are increased. Hardness increases most rapidly in
the first 10% reduction and tensile strength increases linearly. Yield strength increases more
rapidly than tensile strength.
Ductility and electrical conductivity are decreased. Ductility is most reduced in the first 10%
reduction and then decreases at a slower rate.
Annealing
Full annealing is the process by which the distorted cold-worked lattice structure is changed back
to one which is strain-free through the application of heat. This is a solid-state process and is
usually followed by slow cooling in the furnace.
Strength of Materials
The body of knowledge dealing with the relation between internal forces, deformation, and
external loads.
The member is assumed to be in equilibrium and the equations of static equilibrium are applied
to the forces acting on some part of the body in order to obtain a relationship between the
external forces and the internal forces resisting their action.
The recovery of the original dimensions of a deformed body when the load is removed is called
elastic behavior.
The limiting load beyond which material no longer behaves elastically is the elastic limit.
For most materials that are loaded below the elastic limit, the deformation is proportional to the
load in accordance with Hooke’s Law.
A completely brittle metal would fracture almost at the elastic limit and a mostly brittle material
such as white cast iron would show some measure of plasticity before fracturing.
With brittle materials, localized stresses continue to build up when there is no local yielding.
Finally, a crack forms at one or more points of stress concentration and it spreads rapidly over
the section. Even without a stress concentration, fracture occurs rapidly in a brittle material since
the yield stress and tensile strength are practically identical. The figure below shows a typical
stress strain curve.
Failures due to excessive elastic deformation are controlled by the modulus of elasticity rather
than the strength of the material.
Yielding, or excessive plastic deformation, occurs when the elastic limit is exceeded. Yielding
rarely results in fracture of a ductile metal since the metal strain hardens as it deforms and an
increased stress is required to produce further deformation. Failure is controlled by the yield
strength of the material.
At elevated temperature, metals no longer exhibit strain hardening and can continuously deform
at constant stress – creep.
A change from ductile to brittle behavior can occur when the temperature is decreased, the rate
of loading is increased, and a notch forms a complex state of stress.
Delayed fracture can occur as stress-rupture when a statically loaded material at elevated
temperature over a long period of time fractures. Static loading in the presence of hydrogen can
also cause delayed fracture.
Fracture Mechanics
Fracture control is a combination of measures to prevent fracture due to cracks during operation.
It includes damage tolerance analysis, material selection, design improvement, and
maintenance/inspection schedules.
The effect of crack size on strength is diagrammed. Crack size is denoted as a length, and
strength is expressed in terms of the load, P, that the structure can carry before fracture occurs.
Crack growth occurs slowly during normal service loading. Fracture is the final event and often
takes place very rapidly.
Even at very low loads there is still plastic deformation at the crack tip because of the high stress
concentration.
Crack growth by stress corrosion is a slow process in which the crack extends due to corrosive
action (often along grain boundaries) facilitated by atomic disarray at the crack tip.
Fracture can only occur by one of two mechanisms: cleavage or rupture. Cleavage is the splitting
apart of atomic planes. Each grain has a preferred plane and the resultant fracture is faceted.
Tensile Test
The tensile test is used to establish operational load limits for metals and alloys. A sample of the
material is prepared so that a force can be applied along its axis. A central portion of the sample
is reduced so that it will experience the highest stresses.
The tensile test measures the ability of a material to support a stress (force per unit area).
The response of a tensile sample to the application of an increasing stress can be described in
terms of elastic and plastic behavior.
Hardness Test
Brinell, Rockwell, and Vickers or Knoop are the most common indentation hardness test methods.
The depth or width of the impression left by the indentation is measured to indicate hardness.
Impact Test
The impact test measures the ability of a material to absorb energy during sudden loading in order
to evaluate its tendency to brittle fracture.
A heavy mass is positioned above the sample and allowed to strike the sample upon release. The
difference between the potential energy of the mass before and after impact (i.e., the energy
absorbed by the impact and fracture) is calculated and is called the impact energy or toughness.
Creep Test
Creep is time-dependent plastic deformation, which occurs at loads below the yield strength of
the material and is normally of significance only at elevated temperatures.
A tensile specimen that is loaded in tension below its yield strength and heated will elongate with
time.
A creep curve is generated by plotting the creep strain (or elongation) vs. time.
If time-to-failure is the parameter of interest, the test is called a stress-rupture test.
Typically, fatigue cracks initiate at some defect in the part and propagate through it as a result of
the cyclic stress.
Iron-based alloys exhibit a fatigue or endurance limit – a stress below which the part can
theoretically be cycled infinitely without failure.
EQUIPMENT FAILURES
Tanks, vessels, and process piping systems, composed of various components, are necessary to
most industries in the United States and abroad. Catastrophic failures of a component in a piping
system or a tank or vessel often result in costly business interruptions. Catastrophic failures may
also endanger personnel. Fatalities or undesirable environmental consequences may result from
an explosion or fire or a release of hazardous chemicals.
“One of the most famous tank failures was that of the Boston molasses tank, which failed in
January 1919 while it contained 2,300,000 gallons of molasses. Twelve persons were drowned in
molasses or died of other injuries, 40 more were injured, and several horses were drowned.
Houses were damaged, and a portion of the Boston Elevated Railway structure was knocked
over.” Barsom
To improve the availability of systems and components, operating personnel and management
need a fundamental understanding of the common causes of failures. Premature failures result
from a variety of causes. These may include design deficiencies, manufacturing or fabrication
defects, or service-related deterioration.
Perfection does not exist. A defect is defined as an imperfection or the absence of something
needed for completion. A failure is defined as an omission of occurrence or performance or a
failure to perform.
Specifications govern the manufacture of the pipes, fittings, valves, pumps, etc. Codes and
standards govern the design, fabrication, erection and inspection of components and systems.
The applicable codes and standards include the American Society of Mechanical Engineers (ASME)
Boiler and Pressure Vessel Code. The ASME B&PV Code Committee rules of safety govern the
design, fabrication, and inspection during construction of boilers and pressure vessels. The
ASME B&PV Code applies to both fired (Section I) and unfired (Section VIII) pressure vessels.
The American National Standards Institute (ANSI) and ASME are the governing organizations for
many documents relating to material selection, especially pipe. The American Society for Testing and
Materials (ASTM) is the primary source of specifications relating to corrosion-resistant materials
and various kinds of corrosion tests. Development of these standards was stimulated by the
desire to prevent failures, although failures still occur.
Design Deficiencies
Materials-related problems may also occur. Sometimes it is necessary to change materials after a
specification has been established. Many materials may be very similar in chemical composition
but not perform the same in service, particularly in corrosive conditions.
Classifying corrosion can be difficult, as there are many forms of corrosion. General corrosion is
usually the uniform loss of a small amount of metal over a large surface, while localized
corrosion is a selective attack by corrosion at a small area or zone. Pitting is the most common
form of localized corrosion, where small areas of metal are dissolved by the corrosion process to
produce pits.
Insufficient design criteria may take place when service conditions are not accurately predicted
or the stress analysis is complex. Dissimilar metals are a common design-related problem.
Galvanic corrosion generally occurs as a result of the potential differences between two metal
surfaces, often two different metals, which are in contact with each other in a conductive solution
producing a galvanic couple.
Manufacturing Defects
Material deficiencies, such as discontinuities in castings, sometimes produce failures in chemical
process or piping systems. Manufacturing defects include improper heat treating or improper
cleaning.
Pitting corrosion of copper tubes sometimes occurs when exposed to humid environments
containing small amounts of organic chloride compounds typically used for degreasing copper
tubes.
Fabrication defects may also lead to premature failures in chemical process systems. Imperfect
weldments are very common, often involving weld defects such as poor selection of weld filler
metal, incomplete fusion, lack of penetration, or cracking. For example, piping is often
longitudinally welded using the electrical resistance welding (ERW) process. Poor quality
welding resulted in crevices in welds that, when combined with poor control of water chemistry
in a large cooling water system, resulted in through-wall penetration and leaks.
Service-Related Deterioration
Chemical process systems are subject to various service conditions. The variety of equipment
includes, for example, tanks, vessels, piping, pumps, tubing, and shell-and-tube heat exchangers
etc. The environment of the systems includes refrigerants, corrosion inhibitors, brines and so
forth.
Improper startup and shutdown is a common cause of failures, particularly in the case of heat
exchangers. During startup and shutdown, equipment may be subjected to conditions not
encountered in normal operation.
A corrosion inhibitor is a chemical or combination of substances that, when present in the proper
concentration and forms in the environment, prevents or reduces corrosion. In selecting an
inhibitor for a specific application the efficiency is the primary consideration although
economics and possible adverse effects should also be considered. For example, a particular
corrosion inhibitor may be incompatible with specific components in a system, even though it
may be protective of the major material of construction.
Accidents or upset operating conditions may also produce failures in chemical process systems.
Fires in adjacent equipment are obvious upset conditions that result in localized overheating and
SUMMARY
Failures in components such as pumps, valves, process piping, tanks, and vessels may occur for a
variety of reasons, including design deficiencies, manufacturing or fabrication defects, or service
related deterioration. It is logical that owners and operators of components have a clear
understanding of the types of failures that may occur. The inspections of components within
process piping and systems need to be made fit to detect defect conditions which
may lead to failures.
Unfortunately, a pressure vessel, tank or piping system may be inspected and defects not found.
Some dangerous conditions may not be detectable with the inspection and testing equipment
available. Often inspection consists only of taking thickness measurements at a few locations on
the outside of a vessel or tank without inspection of internals. Sometimes inspection scope is
reduced because of budgets and cutbacks.
The terms ductile and brittle describe the amount of microscopic plastic deformation that
precedes fracture. Ductile fractures are characterized by tearing of metal accompanied by gross
plastic deformation and the expenditure of considerable energy. Brittle fractures are
characterized by rapid crack propagation with less expenditure of energy and without appreciable
gross plastic deformation.
Ductility is the property of a material to deform plastically without fracturing. The term used to
describe the measure of the amount of energy absorbed by a material as it fractures is toughness.
It’s an important property of materials that usually determines their suitability for many
applications. For a material to be tough it must display both strength and ductility.
Brittle fractures are caused by defects that are initially present or by defects that develop during
service. The defects act as stress concentrators and can take many forms:
1. Notches are discontinuities caused by abrupt changes in the direction of a free surface
such as sharp fillets and corners, holes, keyways, and mechanical damage such as gouges.
2. Laps, folds, large inclusions, laminations, segregation, and undesirable grain flow are
introduced during working operations.
3. Segregation, inclusions, undesirable microstructures, porosity, and surface discontinuities
can have serious consequences.
4. Cracks resulting from machining, quenching, fatigue, hydrogen embrittlement, or SCC
can lead to brittle failure.
5. Residual stresses can be an important factor in initiating brittle fractures.
Failures from Improper Fabrication. Forming operations such as cold heading, stamping,
bending, and straightening can produce severe imperfections. Machining marks and sharp corners
and edges can act as stress raisers. Welding and brazing can introduce imperfections such as
porosity, incomplete fusion, inclusions, arc strikes, and hard spots that can act as crack initiation
points.
Improper thermal treatment such as overheating, case hardening in notched areas, and inadequate
tempering can cause deficiencies that lead to cracks.
Improper electroplating or acid pickling can cause steel parts to absorb hydrogen, leading to
hydrogen embrittlement, or can leave arc strikes.
Residual stresses can be produced by nearly every manufacturing operation such as machining,
blasting, rolling, extruding, heat treating, welding, and straightening.
FAILURE MECHANISMS
Damage mechanisms could be divided into groups in several ways. One method could be:
• Mechanical-related mechanisms
• Fabrication-related mechanisms
• Corrosion-related mechanisms
Each broad category may have several specific subcategories. These could be further divided, for
example, as follows:
• Brittle Fracture
• Buckling
• Creep
• Distortion
• Erosion
• Fatigue
• Fretting
• Overload
• Wear
• Welding related
• Heat treatment related
• Uniform corrosion
• Localized corrosion
• Dealloying
• Intergranular corrosion
• Velocity Effects
• Galvanic corrosion
• Cracking Phenomenon
• High temperature corrosion
Common Mechanisms
Fatigue Damage. Fatigue is the term used when failure occurs, at relatively low stress levels, of
structures that are subject to rapidly fluctuating and cyclic stresses. Fatigue damage results in
progressive localized permanent structural change and occurs in materials subjected to
fluctuating stresses and strains. Fatigue is very important because it is often catastrophic,
occurring without warning.
Fatigue cracks are caused by the simultaneous action of cyclic stress, tensile stress, and plastic
strain. All three factors are necessary for fatigue cracks to initiate and propagate.
Fatigue cracks generally form at the surface because of higher stress levels. To determine life
(number of cycles), plots of the allowable stress amplitude for a specific number of cycles
plotted as a function of the mean stress are used.
Distortion Failures. Distortion failures occur when a structure or component is deformed. The
structure deforms so that it no longer can support the load it was intended to carry. Distortion
failures can be elastic (returns to original shape if load is removed) or plastic (permanently
changes shape) and may be accompanied by fracture.
Causes include:
Wear Failure. Wear is damage to a solid surface, usually involving progressive loss of material,
due to relative motion between that surface and a contacting substance or substances. Wear,
friction, and lubrication all affect a part’s probability of failure.
Liquid Erosion Failure. Cavitation damage occurs as a result of the formation and subsequent
collapse of bubbles within a liquid on a surface.
Liquid impingement erosion results from the high velocity impact of a drop of liquid against a
solid surface.
Corrosion Failures. Corrosion is the term used for unintended destructive chemical or
electrochemical reaction of a material, usually a metal, with its environment.
• Uniform corrosion
• Pitting corrosion, or localized
• Selective leaching, or dealloying
• Intergranular corrosion
• Velocity Effects
• Galvanic corrosion
• Cracking Phenomenon
• High temperature corrosion
Uniform and Localized Corrosion. Corrosion is the deterioration of a substance (usually a metal)
or its properties because of a reaction with its environment. It can be either localized or
generalized across the entire surface.
Stress Corrosion Cracking. Stress Corrosion Cracking (SCC) is a failure process that occurs
because of the simultaneous presence of tensile stress, an environment, and a sensitive material.
Failure by SCC can take place in seemingly mild environments at tensile stresses well below the
yield strength.
Hydrogen Damage Failures. Hydrogen damage refers to a number of processes in which the
load-carrying capacity of the metal is reduced due to the presence of hydrogen, often in
combination with residual or applied tensile stresses.
Corrosion Fatigue. Corrosion fatigue describes cracking of materials under the combined action
of cyclic stresses and a corrosive environment.
BIBLIOGRAPHY
Budinski, Kenneth G., Senior Metallurgist, Eastman Kodak Company, Engineering Materials –
Properties and Selection, Prentice-Hall, Inc., 1992, 1989, 1983, 1979.
The requirements for an MI program for covered equipment are itemized in 29 CFR 1910.119(j).
The following list identifies the key points of this section:
Each of these items is discussed in the lessons that follow. During these lessons you will develop
a program for your facility, addressing each of the above key points.
OSHA requires that all “covered” facilities handling hazardous materials be subject to their MI
standard for process equipment. All of the covered equipment requires documentation, written
maintenance procedures, training on procedures, periodic inspection and testing, correction of
deficiencies, and a program for the quality assurance of materials and installation.
The Regulation
(1) Application. Paragraphs (j) (2) through (j) (6) of this section apply to the following
process equipment:
(i) Pressure vessels and storage tanks.
(ii) Piping systems (including piping components such as valves).
(iii) Relief and vent systems and devices.
(iv) Emergency shutdown systems.
(v) Controls (including monitoring devices and sensors, alarms, and interlocks).
(vi) Pumps.
Non-processing equipment that supports a regulated process must be included in the equipment
managed for MI. A supporting function is one that is critical to the safe operation of the primary
processing equipment, or one that controls and limits catastrophic releases.
When equipment offers critical protection to the process, it must be covered. The following are
common non-processing equipment that may be required to be included in the MI program.
Equipment Exempt
If it can be shown that certain equipment or facilities cannot be subjected to hazardous materials,
it may be exempted from the covered list. Generally, to be exempt, such equipment cannot:
The employer is required to include in the covered list any other equipment that may be critical.
The equipment listed as covered in paragraph (j) (1) of the regulation is the minimum list. Any
equipment deemed critical to process safety must be covered.
The determination for additional critical equipment status, which must be covered, is made by
following other PSM guidelines for your facility. If the Process Hazard Analysis (PHA) shows
that the equipment is potentially hazardous for creating, or failing to prevent or control, a
catastrophic release, it must be listed as covered equipment.
This determination must be made by the employer. All equipment, of course, is subject to OSHA
scrutiny and audit. Good engineering judgment should be followed for each piece of equipment
to determine if it should be covered.
Documentation
What is really important is that the process of examination and determination should be well
documented, especially for any equipment determined to be non-covered equipment.
All equipment covered by the standard must be properly identified for documentation. Good
practices also dictate that equipment in the field should be labeled for easy identification (ID).
Identification Information
For identification and reference, the following information should be recorded on a data sheet for
each item of covered equipment:
This information helps to assure proper identification so errors can be prevented. It is also useful
for reference when the manufacturer must be consulted for parts or maintenance information.
It is a good practice to clearly label each separate item in the field. This helps to correctly
identify an item that is the subject of MI. Durable identification marks can be accomplished in
several ways:
Labels should clearly distinguish an equipment item from other similar items. Usually, plant ID
numbers can serve as tag information. Plant labels are in addition to the manufacturer’s
nameplate or to code stamp plates.
When initiating the MI program, you must document that each piece of equipment in use meets
the standard. This documentation is also required for new equipment added after initiation of the
program. Once the program is started, up-to-date records must be kept for all elements of the
on-going maintenance, inspection, and testing program. Good records help verify that your
facility is in compliance with the regulation. This section identifies the records you will need for
your facility.
The following information is required for each item of equipment to initially verify MI.
Almost any record-keeping method in common practice is acceptable for the documentation of MI
data. Some common methods used are:
Availability of Documents
All MI records must be readily available to all affected employees. The location must be made
known to employees, and free access given to them.
As with all documents for MI, the documentation must reflect current conditions. New and
revised information must be recorded in a timely manner.
The employer shall establish and implement written procedures to maintain the on-going
integrity of process equipment.
OSHA interprets “written procedures” in the regulation as those required to establish a program
for MI. This includes the following written elements for each specific equipment item or
category of equipment covered by the rules:
Procedures are required for correcting deficiencies. (There are exceptions to this requirement
when employee input states otherwise.) When these procedures are required, they should
contain.
The regulation in Section (c) also requires that employee participation and input is a part of the
procedure-making process. If employees state that a procedure is not needed for a particular item
or category of equipment, then that documented statement is sufficient in lieu of a procedure.
Here are several examples of equipment groups of similar items. Each of these groups can
contain a list of all similar items and one procedure written for that group.
Mechanical items, or systems, that are unique in construction and maintenance requirements,
must have individual procedures written.
The regulation requires that the procedures established for a MI program shall follow
manufacturers’ recommendations, or safe and generally accepted good engineering practices.
These practices have usually been established by engineering societies involved in the industry,
or by accepted plant practices based on operating and maintenance history within the facility. In
establishing the procedures for your MI program, both are good sources of information.
Employee Input
When methods and procedures are common knowledge among employees and are easily
assimilated by the apprentice, a written procedure may not be needed. For example, tightening
flanges, packing valves, and dismantling heat exchangers are all routine mechanical operations.
The employees may so state that a written procedure is not necessary for the operation. If this
statement is documented, that document should suffice in lieu of a procedure.
Engineering societies, associations, and groups are generally reliable sources for procedure
information. Their publications offer guidelines for MI. Some of these frequently consulted
engineering organizations are listed in Appendix A.
The logs and maintenance records of the equipment in your plant provide history information for
determining failure points and allowable run times. Additional information can be obtained from
interviews with journeymen craftspersons and operators in your facility. Their experience is
invaluable when setting up a MI program for equipment.
Codes
Civil and engineering society codes sometimes apply to a MI procedure program that define or
mandate inspection and testing methods. These codes originate from the accepted engineering
guidelines of societies and organizations, or they may be a local, state, or federal law. Some
examples of these codes are:
These steps are recommended to place the procedure program in operation, to establish and keep
the necessary records, and to assure the procedures are followed:
§ Issue the procedures. Make them available to all employees, especially engineering
design, procurement, purchasing, warehousing, maintenance, testing and inspecting, and
safety departments.
§ Train personnel in the program, procedures, and safe work practices.
§ Establish responsibilities for performance.
§ Establish methods for monitoring performance.
§ Establish methods for auditing the program.
§ Take corrective actions on a timely basis.
§ Document all of the elements of the program that offer proof to an OSHA inspector of
your commitment to maintaining MI in your facility. These records should be kept
current at all times.
§ Incorporate Management of Change (MOC) into the MI program.
Training is a necessary and integral part of an on-going MI program. Employees involved in all
phases of maintenance need training for the job tasks, for safe work practices, and for knowledge
of the hazards encountered in the work place.
The Regulation
Training for process maintenance activities. The employer shall train each employee involved in
maintaining the on-going integrity of process equipment in an overview of that process and its
hazards and in the procedures applicable to the employee’s job tasks to assure that the employee
can perform the job tasks in a safe manner.
In practice, OSHA interprets this paragraph to cover the following kinds of training:
§ In an overview of the process to the extent that the maintenance employee understands
the hazards present and the types of hazardous materials used by the process.
§ In operating procedures to the extent that the employee can perform any operating
procedure prescribed in the maintenance job task for the assigned maintenance job.
§ In safe work practices.
§ In specific job task procedures for maintenance operations critical to on-going MI.
New maintenance employees must be trained in all of these before beginning work at the job
site.
Procedures Training
Training in safe work practices is required for all employees, including maintenance personnel.
Safe work practices procedures must contain these elements.
Other procedures are required if they are part of the job assignment. Examples are the safe
draining of equipment or blocking the sources of pressure.
Training should be provided or certification verified (where required) in job specific tasks, such
as:
The emphasis of MI training is to develop and maintain a work force with the knowledge and
skill levels to perform their duties safely. There are several approved methods to conduct this
kind of training.
Training in maintenance procedures and inspecting and testing procedures may be performed in
several acceptable ways:
Skill Certification
Certain skills for personnel involved in MI require certification, either by law or by industry
standards. Workers applying these skills must be trained by certified trainers. Examples of skills
generally requiring testing and certification are:
When to Train
New employees must receive training before being assigned to a maintenance task. Periodic
refresher training is required on a scheduled routine basis. All training must be constantly
updated to conform to process and equipment changes.
Training records must be maintained for each employee involved in the MI program.
Record Keeping
It is recommended that training records be established for the following kinds of training
activities:
§ That training is consistently kept current with changes in the process, equipment, work
methods, and procedures.
§ When refresher training is required
Record Filing
§ By course — listing all the employees who have received training in the subject taught
§ By individual — listing all of the training courses the employee has received
Training records should be readily accessible to those concerned with the MI training program.
This could include:
§ Training department
§ Maintenance department
§ Inspection department
§ OSHA inspectors
Paper and/or electronic files are acceptable methods of record keeping. Hardcopy backups
should be kept for electronic files. Accessibility and security are important factors in record
keeping for training records. Only authorized personnel should be allowed to access the training
records of others.
2. Describe how to conduct training for all employees involved in maintaining the integrity of
process equipment.
3. Describe the requirements to maintain training records in accordance with the PSM standard.
The equipment in your facility is required to be covered by an inspection and testing program
that ensures MI. As you will learn later in this workshop, the program begins for each item of
equipment when the item is procured, and it does not end until it is retired from service. Each
facility must tailor its program to meet the needs of the facility, while complying with PSM to
ensure MI.
In this lesson you will learn about inspection and testing procedures and how to implement an
inspection and testing program. You will also learn how to develop and manage the
documentation required for the program and keep these records up to date.
A key element of the MI program is formal inspection and testing. Inspection and testing applies
to both preventive maintenance and to new equipment. Because of this dual role and its
importance in the program, it is given its own section in the OSHA regulations. For the process
industry, formalized inspection and testing usually involve plant engineers, technicians,
laboratory personnel, outside testing contractors, and maintenance craftspeople.
The Regulation
Normally process facilities schedule inspections and tests at various times every two to six years.
The key for determining when to inspect and test is doing it before an expected breakdown.
Operating history, past inspections, and referencing good and accepted engineering practices or
manufacturer’s recommendations should provide guidance in establishing these frequencies.
There are two situations for inspection and testing for MI. Limited inspection and testing can be
made on line, but a complete inspection usually must wait for a total process or system
shutdown.
Typically, for in-service inspections, nondestructive inspection and testing procedures are used:
Routinely, processes are shut down for preventive maintenance. During these shutdowns (or
turnarounds), equipment is opened or dismantled and inspected on a scheduled basis. After any
repair and reassembly, testing may be done to further verify MI.
In all cases the written procedure program shall specify when these formal inspections and
testing will take place and which methods are to be applied.
OSHA requires that special procedures must be written to cover all of these factors before the
equipment can be taken from service. Extreme care must be taken when performing these types
of shutdown operations. A critical hazard analysis must be made before the actual shutdown.
New equipment requires inspection and testing to establish the initial MI. Most of the required
tests and inspections for existing equipment maintenance are also required for new equipment,
plus a few more. Examples are:
§ The design must be checked and documented to be suitable for the specific service.
§ The construction must be checked and documented that suitable materials were used and
good workmanship and good engineering practices were followed.
§ The installation must be checked and documented that the equipment is properly
installed, following manufacturer’s recommendations and good engineering practices.
A mechanism must exist in the inspection and testing program to identify what kinds of defects
or minor failures you would reasonably expect for each piece of covered equipment. Inspection
and testing procedures must then be applied to each equipment item to detect possible defects or
failures in expected areas. It is not necessary to apply every possible test to every item of
equipment.
Typically, resources for establishing and maintaining a MI program are limited. Because of this
limitation, the inspection and testing program needs to be prioritized. For each piece of
equipment, this process may involve identifying:
The highest inspection and testing priority should be the equipment with the highest potential for
creating a severe hazard. The hazards to be considered are the overall effect on the process, not
just the direct effect on the equipment. The inspections and tests to prioritize should be those that
identify likely points of failure.
Procedures can now be written for each piece of equipment to maintain an on-going inspection
and testing program. Evidence should be documented that inspection and testing frequency is in
accordance with manufacturer’s recommendations and good engineering practices.
As with all phases of the MI program, keeping records of inspection and testing is a key element.
This section describes what needs to be included in equipment inspection and testing records.
As evidence that a facility is complying with the standard for inspecting and testing, OSHA
looks for the following elements in the documentation:
Sufficient information should be recorded concerning the inspection and test to verify that good
engineering practices are being followed.
It has been stated numerous times in this workshop that your record keeping system is the core of
your MI program. How these records are managed can create or prevent problems when OSHA
visits.
The following list states the required inspection and testing records for each item in a MI
program:
From these records, mechanical work orders can be generated for doing the inspection, testing,
and afterward, the repair. The work order should list the work to be performed and all required
procedures. A reference to the process description and MSDA documents that apply should also
be included. The work order assignment must be made to a qualified craftsperson(s).
Inspection and testing records can be recorded with any accepted media. All inspection and
testing records for each piece of equipment should be maintained for the life of the equipment.
4. Describe an adequate records management program for inspection and testing at your plant.
Unsafe equipment deficiencies must be corrected as soon as possible or actions must be taken to
provide safe operation if the decision is made to continue operating with the deficiency.
In this lesson you will learn what is required to correct deficiencies and what is required for
continued operation. You will learn what procedures need to be in place to ensure safe operation
if a deficiency cannot be immediately corrected. You will also learn what documentation is
needed to support your decision to continue operation, and show that necessary steps have been
taken to provide safety for the process.
This section reviews the regulation regarding equipment deficiencies. It also describes what
actions to take in the event equipment deficiencies are found in process equipment.
The Regulation
Equipment deficiencies. The employer shall correct deficiencies in equipment that are outside
acceptable limits (defined by the process safety information in paragraph (d) of this section)
before further use, or in a safe and timely manner when necessary means are taken to assure safe
operation.
Safety Limits
Paragraph (d) requires that acceptable limits be defined for process equipment. If covered
process equipment is under any of the following conditions, then a deficiency has occurred:
Actions Required
When a MI deficiency has been found that is outside acceptable limits, management has two
ways to respond:
§ Immediately correct the deficiency so that full MI is restored. This may require a
shutdown.
§ Take immediate action to offset the deficiency so the process may safely continue to
operate. Later, in a timely manner, the process must then be shut down to correct the
deficiency and restore full MI.
To remain in operation requires that certain safety criteria must be met. The safety of the process
and people is OSHA’s prime concern. A process shutdown often introduces additional risks,
which must be weighed in the decision. The next section discusses this issue.
OSHA recognizes that shutting down a process often involves risks for a catastrophic incident.
Because of this risk, the regulation allows continued operation after a deficiency occurs, if
immediate actions are taken to ensure safe operation.
There are often good reasons to continue operating a process after a deficiency is found. Among
these are:
Operations may continue if steps are immediately taken to assure safe operation. Taking these
steps is not a license to continue operating indefinitely. The regulation states that repairs shall be
made in a timely manner. When repairs are made for deficiencies, OSHA expects full MI to be
restored so normal operation can be resumed.
Examples of steps that may be taken to a process to assure safe operation while a deficiency
exists are:
Written Procedures
Revised operating procedures are required to be written to cover any change in operations when
deficiencies occur. The same is true if the method of operation has not been changed, but new
limitations apply. Often these revised procedures can be classified as “Temporary,” as defined by
the regulation.
1. Describe what actions are necessary when equipment deficiencies are found in operating
equipment.
2. Describe what written procedures and documented rationale are required to safely continue
operation, when deficiencies cannot be immediately addressed.
The MI for new equipment depends greatly upon the Quality Assurance for the equipment, as it
is designed, constructed, and installed. A system must be in place to assure quality as the
equipment moves from the design stage, through construction, inspection, installation, and
testing.
In this lesson you will learn how to establish controls for Quality Assurance in new or modified
equipment and how to establish and manage a record system, which assures quality for the
construction and installation of new or modified equipment.
Quality Assurance for new or modified equipment initiates the MI process. The quality of new,
modified, or replacement equipment applies to the quality of design, materials, construction, and
installation.
The Regulation
Quality assurance.
(i) In the construction of new plants and equipment, the employer shall assure that
equipment as it is fabricated is suitable for the process application for which they will be
used.
(ii) Appropriate checks and inspections shall be performed to assure that equipment is
installed properly and consistent with design specifications and the manufacturer’s
instructions.
Quality control for new equipment used in a new process, or as a replacement part for an existing
process, involves a chain of controls and responsibilities. For this reason, the quality of new
equipment may be more difficult to control than the quality of maintenance.
These major steps are required for Quality Assurance of new equipment.
§ Design
§ Procurement
§ Fabrication
§ Inspection
§ Installation
§ Check and test
§ Correct deficiencies
A system of controls must be established for each step. Often, some or all of these steps are
conducted by contractors or suppliers outside your organization. Company management is
ultimately responsible to assure quality for each step.
The design of new or replacement equipment must follow good engineering practices and be
suitable for its intended use. Management is responsible for these criteria of design. During
design development, good controls are required to track and document changes. Only the latest
revision should be released for construction.
Small companies do not have the resources to adequately perform all of the above steps.
Agreements and documentation can be worked out with contractors, suppliers, or manufacturers
that should satisfy OSHA inspectors that a good effort was made to assure quality. It is well to
include quality guarantee clauses in contracts with fabricators or suppliers. A guarantee clause is
also needed that the manufacturer will adhere to the regulation.
With turnkey jobs, manufacturing quality can be assured by contractual agreement with the
project constructor. The contract would include an agreement clause that the MI and Quality
Assurance portions of the regulation would be followed. Contact persons should be designated
for both parties (the contractor and the processing plant) so issues may be resolved expeditiously
during fabrication. (Companies with sufficient resources sometimes assign a staff member to the
fabrication site to follow the construction of major pieces of equipment.)
During and following installation, punch lists should be made and items checked off, such as:
Correction of Deficiencies
Deficiencies that are detected upon testing must be corrected. Controls must be in place to
expedite and document the correction process. This process should start with work orders, which
are signed off when completed. Correction of the deficiencies should follow manufacturer
recommendations and good engineering practices.
Documentation must verify that deficiencies have been corrected to restore original engineering
specifications. If design alterations are required to correct a deficiency, the alteration must pass
through MOC procedures and Quality Assurance checks. The revision is documented and signed
by a senior engineer, an outside engineering contractor, or other responsible party.
Transfer of Custody
When the installation of new equipment has been completed and documented, custody is
transferred to the operating department or user. Before this transfer is done, special procedures
may need to be in place so that mechanical integrity is maintained during equipment startup.
Close coordination is required between operating and mechanical personnel for the transfer.
Examples of items of concern for custody transfer that involve operator cooperation are:
When new equipment is installed, your documentation is the evidence of a Quality Assurance
inspection and testing program being in place. Documentation is required that appropriate checks
and inspections have been made to ensure that equipment is installed properly and is consistent
with design specifications and manufacturer’s instructions. This includes contractor-supplied
equipment.
Documentation
The record form for equipment should include, at least, the following information:
To ensure the quality of new equipment, inspection and testing procedures must be written and
implemented to form an integrated program involving all persons who are connected with
inspection and testing.
The following elements should be in place for a Quality Assurance inspection and testing
program for newly installed or replacement equipment:
Documentation becomes the bulk of evidence that OSHA requires to show that a Quality
Assurance program is in force. How your documents are maintained will greatly affect the way
an OSHA inspector will judge the MI of your facility.
The following documents are required for materials and equipment installed in new processes, or
as replacements in existing processes:
§ Design is certified that the equipment, as designed, is suitable for the intended use in the
process.
§ Fabricated items are inspected and certified as meeting the design specifications. Good
engineering practices were employed throughout the design, fabrication, and installation.
§ Off-the-shelf items are documented to be ordered as specified, received as ordered, and
installed as the design requires.
§ Training documentation that requisitioners, warehouse personnel, and installers are
trained in equipment and materials Quality Assurance.
§ Installed equipment is documented to be installed, checked, inspected, and tested as
necessary for Quality Assurance.
§ When deficiencies are found, documentation verifies that the deficiencies have been
reported, repaired, and inspected.
§ When equipment is turned over to process personnel, documentation exists to show that
all of the above items have been accomplished.
1. Describe how to ensure that controls are in place for the Quality Assurance of new or
modified installations.
2. Describe a standard record form for inspection and testing for Quality Assurance.
3. Describe how to implement an inspection and testing program for Quality Assurance.
4. Describe an adequate records management program for Quality Assurance at your plant.
The quality of replacement parts and materials can become substandard because of: (1) the
wrong specifications were given the supplier; (2) the supplier furnishes substandard or incorrect
parts and materials; and, (3) poor control of parts and materials distribution at the plant site.
In this lesson you will learn how to ensure that parts and materials are correctly specified, that
suppliers are furnishing what is specified, and that adequate controls are in place for
warehousing and distribution at your facility.
For a manufacturer to supply parts and materials that are adequate for their intended use, they
must be ordered correctly by the customer. The manufacturer is then obligated to fill the order
with the correct items having quality workmanship and materials.
The Regulation
The employer shall assure that maintenance materials, spare parts, and equipment are suitable for
the process application for which they will be used.
Most often the supplier will be the manufacturer of the equipment or his representative vendor. If
they have been in business for a time, their reputation has been well established. Care must be
taken to ensure that your suppliers are not only good and honest business people, but that they
are also fully aware of the MI regulation. It is well to choose a selected few suppliers that will
work with you on this basis. Bargain hunting for replacement parts and materials is generally
not a good idea.
Manufacturer recommendations, along with good engineering checks and reviews, should be
followed in specifying appropriate parts and materials for equipment in critical service.
Documentation of the specifications and acceptable suppliers to be used need to be available to
both the maintenance and purchasing departments. Deviation from these recommendations or
specifications may require implementation of a MOC procedure to properly document the
approved deviation.
Proper control of requisitioning, receiving, storing parts and materials, and distribution is another
imperative for the Quality Assurance of maintenance parts and materials.
The person requiring a maintenance part or repair material plays a vital role in Quality
Assurance. Usually this is the front line craftsperson, who initiates the process with a requisition
or stores issue request. This person is also the last line of defense against the wrong material,
part, or procedure being used in their installation.
The requisitioner must ensure quality by supplying the correct information for the parts or
materials. As examples, the requisitioner is responsible for determining and listing the following
kinds of information in his requisition.
All parts and materials must be requisitioned exactly as they are specified according to the above
parameters. No substitutions should be made unless approved by appropriate plant personnel or
perhaps by an MOC procedure.
The purchasing documents for spare parts and materials must incorporate sufficient engineering
input to ensure that the supplier understands what is appropriate for the intended use. Purchasing
documents for maintenance parts, materials, and supplies should contain (or be accompanied by)
design specifications that include:
§ References to the codes and standards that govern the design and application of the
equipment.
§ The expected flow, temperature, pressure, or other process parameters under which the
items will operate.
§ The expected corrosion/erosion environment.
All purchases must be made exactly as they are requisitioned. No substitutions can be made
unless approved by appropriate plant personnel.
Checks must be made to verify that material received is exactly what was ordered. Typical
examples of receiving controls are:
§ Material description and serial numbers match requisition and purchase order.
§ Quantity counts are correct.
§ Supporting documentation (such as mill test reports) is properly submitted.
§ Positive Material Identification (PMI) procedures are implemented in accordance with
plant procedures.
Careful quality control is required when warehousing parts and materials for maintenance.
§ Proper storage facilities must be established for each part and material.
§ Each item must be stored in its proper place.
§ Parts and material bins must be adequately labeled.
§ Each type of item may have its own bin.
§ Parts that apply to only one type of equipment should be tagged with its part number,
description, and equipment tag number.
§ When warehousing, take care to identify the material of construction, as well as type and
size.
Requisition orders filled from warehouse stock should be filled exactly as ordered. No
substitutions may be made unless approved by appropriate plant personnel.
For quality assurance to be successful in the acquisition and distribution of parts and materials,
each person involved in the process must understand their unique roles and responsibilities in
assuring MI.
§ The craftsperson must understand the necessity to requisition exactly according to the
specifications.
§ The purchasing agent must understand the need to purchase exactly according to the
requisition.
§ The receiving warehouse and personnel must be trained to properly identify, label, and
store material exactly in its proper place.
§ The person issuing parts and materials must understand the need to fill orders exactly as
requisitioned.
Periodic Auditing
Random periodic auditing is needed to ensure that the quality of parts and materials is
maintained, as required for installation. The audit must include checking the accuracy of each of
the above operations, beginning with the requisition, until the part or material is brought to the
job site for installation. When deficiencies are uncovered by the audit, corrective steps are
required. A tracking system is necessary to ensure that corrective action is taken and is effective.
There should be documentation of the results of each audit and the tracking of corrective actions.
The installers of parts and materials are the last line of defense against poor quality or wrong
application of maintenance items. Craftspeople have the responsibility to check, verify, or
question the appropriateness of what is being installed.
When parts and materials are received at the job site, they must be checked to ensure that they
are exactly what was ordered:
Training
For the Quality Assurance program to work at the craftsperson level, adequate training,
knowledge, or experience is necessary. Craftspersons must know how to:
And most importantly, they must understand their roles in the Quality Assurance process as it is
applied to the MI requirements of the OSHA rule.
1. Describe how to ensure that replacement parts and equipment are appropriate for intended
use, for maintenance Quality Assurance.
2. Describe a system of receiving, warehousing, and dispensing parts and equipment for
maintenance Quality Assurance.
The regulations describe actions to be taken by the employer to ensure the MI of your plant. To
carry out these actions, a plan must be installed to maintain an on-going program. This program
must ensure that the MI is adequate in the mechanical specifications, construction, installation,
and on-going maintenance of the equipment.
In this workshop you learned how OSHA inspectors interpret the regulation, and you learned
about the documented evidence you must offer to prove that the intent of the regulation has been
carried out. You learned that the most important action you can take is to maintain adequate
documentation for everything that applies to OSHA’s interpretation. Above all, OSHA would
like to see that your MI program is not just a stack of documents, but a way of doing business to
ensure the safety of your plant, its works, and the surrounding community.
Maintenance programs should use industry best practices to move away from reactive
maintenance programs towards preventative and predictive programs, which incorporate
reliability and risk. In the future, facilities will operate using risk-based reliability centered
maintenance and inspection programs driven by the latest technologies and practices.
INTRODUCTION
The majority of plant maintenance staff operate in a reactive mode. This means that the largest
expenditure of maintenance resources in plants typically occurs in the area of corrective
maintenance, i.e., when problems or failures occur, they are corrected. Most facilities have been
operating for extended periods in a reactive maintenance mode. Maintenance resources have
been almost totally committed to responding to unexpected equipment failures and very little is
done in the preventative arena. Corrective, not preventative, is frequently the operational mode
of the day, and this tends to blur how many people view what is preventative and what is
corrective. Some plants actually foster pride in how quickly they can fix things or correct failures
under pressure. However, it has been proven that this type of operation is not cost effective in
terms of safety, downtime, and efficient use of resources.
1. Prevent failures
2. Detect the onset of failures
3. Discover hidden failures
Creating a new PM program or updating an existing one involves essentially the same process.
One needs to determine what is to be achieved with the PM program and how the program can
be built into a new or existing infrastructure. This should be the starting point for the Facility
program.
There are a host of supporting technologies that can be included in a PM program. Some of these
include:
Finally, the latest concept in maintenance and inspection activities is the incorporation of risk to
prioritize maintenance tasks and schedules. It is no longer practical to choose systems for RCM
analysis based on subjective risk importance. The primary systems on refineries and
petrochemical plants are not as obvious as in the aircraft and nuclear industries (where RCM was
born). Risk-centered maintenance uses the identical functional description of systems,
subsystems, functional failures, and failure modes that RCM employs. However, it is different
from the RCM method in that the criticality class is replaced with an explicit risk calculation.
Using quantitative values, instead of coarse assignments, allows a more complete description of
the actual hazards that exist in a facility and helps to properly focus and prioritize maintenance
activities.
All of these concepts and tools will be considered in the development of a “world’s best practice”
maintenance and inspection program for a facility.
Maintenance program implementation can be divided into four separate phases. The following
phases would be applicable:
Engineering and management structures, currently in place at the facility, need to be reviewed.
Such a review should focus on operational set-up, operating strategies, contracting schemes,
organizational structures, and management culture.
In addition to this, a review of the facility histories, procedures, and inspection and maintenance
records should be conducted to determine the current mechanical status of plant assets. This
review could include plant walkdowns and comparison with industry practices and general plant
conditions. This “gap analysis” should highlight deficient areas that need correcting in the PM
program.
§ Equipment files
§ Inspection reports and results
§ Inspection procedures
§ Training records for inspectors
§ Inspection plans
§ Inspection schedules
§ Existing local rules and regulations
§ Existing inspection program organizational charts
§ Personnel job duties and responsibilities
§ Interviews with key inspection personnel, including inspectors, inspector supervisors,
maintenance manager, and others, as deemed necessary.
§ Determining whether the current inspection program and its practices meet what would
be considered generally accepted good engineering practices
§ Determining whether the current inspection program meets local rules and regulations
§ Determining whether the current inspection program provides sufficient and clear
information for deciding whether or not equipment is fit for service
The management and implementation of such a PM program requires that much data be
collected, analyzed, and stored. Many software programs exist for these tasks; however, many of
them are standalone and communication between different disciplines is rare. For the PM
program to work effectively, all data should be stored, analyzed, managed, and acted upon from
a single source. This source could be a program, portal, or methodology. An example of a
computerized maintenance management system is shown in Figure 1. Following the industry
review, a system should be agreed upon and incorporated into the PM plan.
The reliability improvement program plan should identify changes or improvements to the
following:
§ Physical assets
§ Operational strategy
§ Maintenance and inspection practices
§ Asset management systems (including software)
§ Organizational set up and management philosophy
Such a program may take time to implement, but should follow a project plan. Milestones and
reliability improvement achievements should be carefully tracked and reported on. Within a year,
the program should be showing overall improvements and benefits for the facility, which should
be reported to management and personnel. This will ensure continued development and
implementation of the plan.
For such a program to be successful and sustainable in the long term, facility personnel will
require training. This training may cover the following issues:
[Figure: diagram labels recovered from the page: Performance, Plant Inspection, Testing, Improvement, Repair Procedures, Maintenance Requirements, Operational, Design, Charges, Modification]
RCM
RCM began in the US commercial aviation industry. Because of the compact nature of the
industry, the risks associated with failures were easily divided into four criticality classes: (flight)
safety, operations, economics and hidden failures. These are typically still the categories used to
develop a safe, economical maintenance plan. RCM was then applied to the nuclear industry
and these four criticality classes continued to work well. However, as RCM is applied to other
industries, the range of probabilities and consequences is becoming larger. It is therefore no
longer practical to choose systems for RCM based upon subjective risk importance.
Risk-centered maintenance (or RBI) uses the identical functional description of systems,
sub-systems, functional failures and failure modes that RCM employs but it is different in that the
criticality class is replaced with an explicit risk calculation. Using a quantitative value of risk
instead of a coarse assignment (criticality class) allows a more complete description of the
actual hazards that exist on a facility.
In RCM, risk assignments are made through decision logic trees and are coarse classifications.
These criticality classes may vary in name but generally relate to safety, production, economics
and hidden failures. Once a failure mode is classified into a criticality class, there is no further
discrimination or ordering within the category. The failure modes that fall into each category are all
considered of equal importance. In practice, however, there is usually an ordering system based
on team or individual judgement. The criticality class is meant to provide general information
about either the importance of preventing the failure or the nature of the failure itself. When
the range of consequences is small, this simple categorization is good enough.
The risk-based approach replaces the criticality class identification with two separate fields,
namely probability (likelihood) and consequence. The product of these two, the risk, becomes
an indicator of each failure mode’s importance to the overall risk of the system. This independent
assessment of both the likelihood (probability or frequency) and the consequence of failure,
resulting in a risk calculation, provides a ranking system that is a unique benefit of risk-based
maintenance or inspection programs.
With risk explicitly computed as a numeric value, failure modes can be individually ranked from
high to low risk. This ordered list will provide a priority ranking for choosing maintenance
tasks to mitigate the occurrence of failures.
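Added example (not part of the original course notes): a short Python sketch contrasting the coarse RCM criticality class with the explicit risk ranking described above. The equipment tags, probabilities and consequence figures are constructed sample data, and the function names are hypothetical.

```python
"""RCM criticality class versus explicit risk (probability x consequence).

All failure modes and numbers below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureMode:
    item: str           # equipment item and failure mode (hypothetical tags)
    criticality: str    # coarse RCM class: safety, operations, economics, hidden
    probability: float  # likelihood of failure, events per year
    consequence: float  # consequence of failure, cost units per event

    def __post_init__(self):
        if self.probability < 0 or self.consequence < 0:
            raise ValueError(f"negative probability or consequence: {self.item}")

    @property
    def risk(self) -> float:
        # Risk as the notes define it: the product of the two fields.
        return self.probability * self.consequence


# Constructed sample data.
FAILURE_MODES = [
    FailureMode("P-101 seal leak", "operations", 0.5, 20_000),
    FailureMode("V-201 shell thinning", "safety", 0.001, 5_000_000),
    FailureMode("E-301 tube rupture", "safety", 0.02, 2_000_000),
    FailureMode("PSV-12 stuck closed", "hidden", 0.01, 8_000_000),
    FailureMode("T-401 floor corrosion", "economics", 0.05, 300_000),
    FailureMode("L-501 small-bore crack", "safety", 0.1, 60_000),
]


def rank_by_risk(modes):
    """Order failure modes individually from highest to lowest risk."""
    return sorted(modes, key=lambda m: m.risk, reverse=True)


def spread_within_class(modes):
    """For each criticality class, return max risk divided by min risk.

    A ratio well above 1 means the class label treats as equal
    failure modes whose computed risk differs widely.
    """
    by_class = {}
    for m in modes:
        by_class.setdefault(m.criticality, []).append(m.risk)
    spread = {}
    for name, risks in by_class.items():
        lowest = min(risks)
        # A zero-risk member makes the ratio unbounded.
        spread[name] = max(risks) / lowest if lowest > 0 else float("inf")
    return spread


if __name__ == "__main__":
    print("Ranking by explicit risk:")
    for m in rank_by_risk(FAILURE_MODES):
        print(f"  {m.item:<24} class={m.criticality:<10} risk={m.risk:>9.0f}")
    print("Risk spread hidden inside each criticality class:")
    for name, ratio in spread_within_class(FAILURE_MODES).items():
        print(f"  {name:<10} max/min = {ratio:.1f}")
```

In this sample the three "safety" failure modes differ in risk by a factor of eight, and one of them ranks below the "operations" item, which is the ordering information a criticality class alone does not carry.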
The benefits of implementing an RBI program on a facility are many and varied. Benefits depend
on the type of program implemented, the goals of the program, and the facility’s previous
inspection and maintenance history.
Regulatory Compliance
Improved Safety and Reduced Risk
Long-Term Cost Saving Benefits
Thickness Measurement Location Reduction
Improved Inspection and Maintenance Planning
Focus Inspection Resources
Use of New Technology
Informed, Documented, Defensible Decisions
RBI studies provide a detailed understanding of potential hazards and failure mechanisms related
to the possible loss of pressure containment in pressure vessels and piping. This information can
provide an excellent MI program, resulting in properly managed hazards. This improvement in
MI approach provides substantial cost/performance benefits in four major areas.
Experience has shown that even excellent inspection programs sometimes miss the mark
because:
§ They often focus almost exclusively on visual and thickness measurement inspections.
Other mechanisms such as cracking, embrittlement, etc. may not be adequately
addressed.
§ They inspect low potential, low consequence equipment far more often than necessary.
RBI analysis defines the required inspection methods and the necessary schedule. Frequently,
some equipment requires additional inspection techniques because of damage mechanisms at
work. More inspections may be required in some equipment. In the vast majority, the required
inspections can be greatly reduced.
A comprehensive RBI analysis identifies the damage mechanisms of concern, as well as the
potential consequences that could result. The complete program then establishes the necessary
inspection system to properly monitor and manage plant equipment. The cost advantages are
dramatic. Total inspection costs can typically be reduced by 50%, or more, using this approach.
Avoided Catastrophic Failure. The first priority of any MI system is to avoid catastrophic
failure, which could result in injury, environmental damage, or major financial loss. RBI analysis
provides the understanding required to properly manage pressure equipment integrity.
Turnaround Intervals – RBI is used to define required equipment inspection schedules. This
information is then included in turnaround planning. Often, plant turnaround intervals can be
lengthened. This can extend average annual operating days by 1 to 2% per year, resulting in
substantial increases in production value.
Turnaround Duration – RBI analysis information often allows reductions of planned turnaround
duration. Proper inspection intervals frequently allow the inspection work scope to be
substantially reduced. This allows shorter duration when inspection requirements are on the
critical path. It also allows better turnaround planning with fewer surprises in execution.
Unexpected Damage Findings – Often equipment damage is discovered during a turnaround that
requires either additional unexpected work, extended turnaround duration, or both. This can have
a substantial unplanned cost impact because of both the additional work and the added lost
production. Plants can often reduce turnaround costs by 10% or more by using RBI information
in the turnaround planning process.
Unplanned Outages Due to Pressure Equipment Failure. Most equipment failures are not
catastrophic. However, they can still have significant impacts. Unscheduled downtime or
reduced operating rates may be required to repair damaged equipment. RBI analysis greatly
reduces this risk by better knowledge of damage mechanisms at work. An appropriate program
can be established to manage pressure equipment assets.
Costs Due to Excessive Inspections on Low Risk Equipment. The traditional inspection
methodology required a baseline thickness inspection for all equipment followed by one to two
more inspections over the next three to five years. Corrosion rates are calculated and then used to
extend future intervals where appropriate. This approach requires a major inspection cost
investment, especially in the first few years of the life of a plant.
CONCLUSIONS
1. The Risk Based Approach benefits both the maintenance and inspection departments in
prioritizing inspection and maintenance activities.
2. RBI therefore complements the RCM methodology but takes it one step further. Original
RCM analysis and data is useful for the implementation of an RBI program, but the risk
approach takes both likelihood and consequence into account and prioritizes equipment
items and their sub-components accordingly.
It is one thing to decide on a mission. It is quite another to develop and implement a strategy that
enables the maintenance enterprise to accomplish that mission.
Given all the day-to-day pressures faced by maintenance managers, the first question is where do
we start? Buy a new maintenance management system (MMS)? Reorganize? Invest in loads of
condition monitoring equipment? Knock the whole place down and rebuild it?
Once failure causes (or failure modes) and effects have been identified, we are then in a position
to assess how and how much each failure matters. This in turn enables us to determine which of
the full array of failure management options should be used to manage each failure mode.
At this point, we have decided what must be done to preserve the functions of our assets. This
process could be called “work identification”.
When the tasks that need to be done - the maintenance requirements of each asset - have been
clearly identified, the next step is to decide sensibly what resources are needed to do each task.
“Resources” consist of people and things, so the following questions must now be answered:
§ Who is to do each task: a skilled maintainer? the operator? a contractor? the training
department (if training is required)? engineers (if the asset must be redesigned)?
§ What spares and tools are needed to do each task (including condition monitoring
equipment)?
It is only when resource requirements are clearly understood that we can decide exactly what
systems are needed to manage the resources in such a way that the tasks get done correctly, and
hence that the functions of the assets are preserved.
Reliability-centered Maintenance is defined as ‘a process used to determine what must be done to
ensure that any physical asset continues to do whatever its users want it to do in its present
operating context’. It entails asking seven questions about the asset under review, as follows:
The first step in the RCM process is to define the functions of each asset in its operating context,
together with the associated desired standards of performance. The users of the assets are usually
in by far the best position to know exactly what contribution each asset makes to the physical
and financial well-being of the organization as a whole, so it is essential that they are involved in
the RCM process from the outset.
Functional Failures
The objectives of maintenance are defined by the functions and associated performance
expectations of the asset. But how does maintenance achieve these objectives?
The only occurrence that is likely to stop any asset performing to the standard required by its
users is some kind of failure. However, before we can apply a suitable blend of failure
management tools, we need to identify what failures can occur. The RCM process does this at
two levels:
In the world of RCM, failed states are known as functional failures because they occur when an
asset is unable to fulfill a function to a standard of performance which is acceptable to the user.
In addition to the total inability to function, this definition encompasses partial failures, where
the asset still functions but at an unacceptable level of performance (including situations where
the asset cannot sustain acceptable levels of quality or accuracy).
Failure Modes
Once each functional failure has been identified, the next step is to try to identify all the events
which are reasonably likely to cause each failed state. These events are known as failure modes.
‘Reasonably likely’ failure modes include those that have occurred on the same or similar
equipment operating in the same context, failures that are currently being prevented by existing
maintenance tasks, and failures that have not happened yet but that are considered to be real
possibilities in the context in question.
Most traditional lists of failure modes incorporate failures caused by deterioration or normal
wear and tear. However, the list should include failures caused by human errors (on the part of
operators and maintainers) and design flaws, so that all reasonably likely causes of equipment
failure can be identified and dealt with appropriately. It is also important to identify the cause of
each failure in enough detail for it to be possible to identify a suitable failure management
policy.
The fourth step in the RCM process entails listing failure effects, which describe what happens
when each failure mode occurs. These descriptions should include all the information needed to
support the evaluation of the failure consequences, such as:
§ What evidence (if any) is there that the failure has occurred?
§ In what ways (if any) does it pose a threat to safety or the environment?
§ In what ways (if any) does it affect production or operations?
§ What physical damage (if any) is caused by the failure?
§ What must be done to repair the failure?
Failure Consequences
A detailed analysis of an average industrial undertaking is likely to yield between three and ten
thousand possible failure modes. As mentioned in Part 1 of this paper, each of these failures
affects the organization in some way, but in each case, the consequences are different. The RCM
process classifies failure consequences into four groups, as follows:
§ Hidden failure consequences: Hidden failures have no direct impact, but they expose the
organization to multiple failures with serious consequences.
§ Safety and environmental consequences: A failure has safety consequences if it could
hurt or kill someone. It has environmental consequences if it could breach a corporate,
regional, national or international environmental standard.
§ Operational consequences: A failure has operational consequences if it affects
production (output, product quality, customer service or operating costs in addition to the
direct cost of repair).
§ Non-operational consequences: Evident failures that fall into this category affect neither
safety nor operations, so they involve only the direct cost of repair.
The RCM process uses these categories as the basis of a strategic framework for maintenance
decision-making. By forcing a structured review of the consequences of each failure mode in
terms of the above categories, it focuses attention on the maintenance activities which have most
effect on the performance of the organization, and diverts energy away from those that have little
or no effect (or which may even be actively counterproductive). It also encourages users to think
more broadly about different ways of managing failure, rather than to concentrate only on failure
prevention.
APPLYING RCM
Planning
The successful application of RCM depends first and perhaps foremost on meticulous planning
and preparation. The key elements of the planning process are as follows:
We have seen that the RCM process embodies seven basic questions. In practice, maintenance
people simply cannot answer all these questions on their own. This is because many (if not most)
of the answers can only be supplied by production or operations people. This applies especially
to questions concerning functions, desired performance, failure effects and failure consequences.
For this reason, a review of the maintenance requirements of any asset should be done by small
teams which include at least one person from the maintenance function and one from the
operations function. The seniority of the group members is less important than the fact that they
should have a thorough knowledge of the asset under review. Each group member should also
have been trained in RCM.
RCM2
What users expect from their assets is defined in terms of primary performance parameters such
as output, throughput, speed, range and carrying capacity. Where relevant, the RCM2 process
also defines what users want in terms of risk (safety and environmental integrity), quality
(precision, accuracy, consistency and stability), control, comfort, containment, economy,
customer service, etc.
The next step in the RCM2 process is to identify ways in which the system can fail to live up to
these expectations (failed states), followed by an FMEA (failure modes and effects analysis), to
identify all the events which are reasonably likely to cause each failed state.
Finally, the RCM2 process seeks to identify a suitable failure management policy for dealing
with each failure mode in the light of its consequences and technical characteristics. Failure
management policy options include: predictive maintenance - preventive maintenance - failure-
finding - change in design or configuration of the system - change in the way the system is
operated - run-to-failure.
The RCM2 process provides powerful rules for deciding whether any failure management policy
is technically appropriate. It also provides precise criteria for determining how often routine
tasks should be done.
About RCM 2
RCM 2 is a process used to decide what must be done to ensure that any physical asset, system
or process continues to do whatever its users want it to do.
Heavy emphasis on the expectations of the user is one of the many features of RCM 2 that
distinguish it from other less rigorous interpretations of the RCM philosophy. Another is the use
of cross-functional RCM 2 review groups of users and maintainers to apply the process. With
careful training, such groups are able to use RCM 2 to produce extraordinarily robust and cost-
effective asset management programs, even in situations where they have access to little or no
historical data.
RCM 2 complies fully with SAE Standard JA1011 “Evaluation Criteria for Reliability-Centered
Maintenance (RCM) Processes.”
INTRODUCTION
The primary objective of any inspection of a system is to verify that the system is not in jeopardy
due to a loss of integrity or excessive leakage caused by corrosion, loss of flow capacity or heat
transfer capabilities. But why do we want to know? We want to know: are we ‘okay’ now? Are
we ‘okay’ in the near future?
Different reasons call for different types of inspection. “It’s easy to solve the wrong problem.” If
we don’t know what the real source of the problem is we’re unlikely to “solve” it. To formulate
an action plan we first need to characterize the environment or the conditions for degradation,
such as corrosion – then determine a mitigation approach.
Important systems need to be inspected regularly to assure plant operation. In economic terms,
direct costs for corrosion-related problems in the United States are considered to be
approximately 4% of the Gross National Product (GNP), or between $8 billion and $126 billion per
year. Indirect costs add to these costs. A few examples include plant downtime,
loss of product, loss of efficiency, contamination of product and overdesign.
(See Principles and Prevention of Corrosion, Denny Jones, 1992, Macmillan, NY)
Predicting the performance of structures from a laboratory test is complex because size,
configuration, environment, and type of loading differ. For welded joints, the complexity is
increased by the nature of the joint that is both metallurgically and chemically heterogeneous.
WELDING
Weld joints consist of weld metal and the heat affected zone, which are in turn composed of
many metallurgical structures as well as chemical heterogeneities, resulting in a variety of
properties.
Inspection Plans
INSPECTION TECHNIQUES
§ Visual examination
§ Liquid Penetrant Testing
§ Magnetic Particle Testing
§ Radiographic Testing
§ Ultrasonic examination (straight beam and shearwave)
§ Eddy Current Testing
§ TOFD
Visual inspection is based on what you yourself can see, as well as using low-powered optical
lenses. Visual inspection is the most extensively used and inexpensive method of NDE. It should
be the primary evaluation method for any program since flaws, fabrication problems, and process
deviations can be detected and corrected.
Penetrant testing reveals open discontinuities by bleedout of a liquid penetrant medium against a
contrasting background developer.
Surface cracks, surface porosity, metallic oxides, and slag will hold penetrant. Inadequate joint
penetration and incomplete fusion are also detected.
Magnetization can be achieved by either passing an electric current through the material or by
placing the material within a magnetic field originated by an external source. Alternating current
is used to detect only surface discontinuities and direct current is more effective for detecting
subsurface discontinuities.
RT employs x-rays or gamma rays to penetrate an object and detect any discontinuities by the
resulting image on a recording or viewing medium such as film. When an object is exposed to
penetrating radiation, some of the radiation will be absorbed, some scattered, and some
transmitted through the object.
Variations in the amount of radiation transmitted depend on the relative densities of the metal
and any inclusions, through-thickness variations, and characteristics of the radiation itself.
RT can produce visible images of weld discontinuities either at the surface or embedded in the
part. It does not reveal very narrow discontinuities such as unaligned cracks, laps, and
laminations. Inclusions, porosity, incomplete fusion, inadequate joint penetration, undercut, root
concavity, and some crack discontinuities are revealed.
Beams of high frequency sound energy are introduced into a test object to detect and locate
surface and internal discontinuities. Interfaces or other interruptions in material continuity
reflect the beam. The reflected beam is detected and analyzed to define the presence and location of
discontinuities.
UT can be used to detect cracks, laminations, shrinkage cavities, pores, slag inclusions,
incomplete fusion or bonding, incomplete joint penetration, and other discontinuities.
The eddy current inspection uses electromagnetic induction to inspect ferrous and nonferrous
alloys. Technicians place a test specimen within the magnetic field of a coil carrying alternating
current, which then produces eddy currents within the samples.
Eddy current inspections can be used on a material that conducts electricity and is most
applicable to nonmagnetic materials such as stainless steels and copper alloys. It doesn’t require
direct electrical contact with the piece being inspected and is adaptable to high-speed inspections
such as condenser tubing.
The high performance of the Time Of Flight Diffraction Technique (TOFD) with regard to the
detection of weld defects such as slag, lack of fusion, etc., has led to rapidly
increasing acceptance of the technique as a pre-service inspection tool. Since the early 1990s the
TOFD technique has been applied to many projects, where it replaced radiography as the
commonly utilized procedure. The use of TOFD leads to major cost and time savings during new
builds and replacement projects. At the same time, the technique establishes baseline data,
which enables future monitoring of critical welds.
This system has a 1¼-inch diameter, 98-foot long cable. It has a 4-inch built-in color monitor and
a color 9-inch slave monitor. It has recording capabilities and utilizes centering devices for
Corrosion Mapping
The system can provide data by utilizing one single channel or eight independent channels. Grid
mapping can be collected on intervals as small as 1/32 inch or as large as 1.0 inch. The data can
be presented as A, B, or C scans in multicolor form. Copies of the hard numbers can also be
provided. Our data are collected by utilizing X-Y scanners, encoded line scanning, or by video
camera with an infrared target attached to the transducer.
A method is available to quantify degradation of flange connections prior to leakage and without
opening the flanged connection.
Incursion of process fluid between the flange face and gasket is caused by or accompanied by
corrosion of the flange face. The ability to measure the width of the remaining seal face allows
There are numerous types of pipe flanges available. For process and utilities pipe work, the two
commonly used flange standards are ANSI B16.5 (American National Standards Institute) and
BS 1560 (British Standards). For each style of flange, three types are most commonly used:
ring type joint, raised face, and flat face.
When inspecting ultrasonically for flange face corrosion, it is important to accurately identify the
flange type, size, and class. Doing so will define the flange geometry, which in turn will
determine the transducer selection and scan plan. The automated flange face corrosion system
combines a manually driven two-axis scanner with the computer data system. The flange scanner
magnetically attaches to the OD for pipe diameters of 2 inches or more. The inspector determines
the type, class, and size of the flange being inspected. The data system will then recall the
parameter file, scan plan, and transducer to be used.
RBI uses risk to prioritize and manage an inspection and maintenance program. In an operating
plant, a large fraction of the risk is associated with a small fraction of the equipment items. RBI
helps management assign inspection and maintenance resources to provide a higher level of
coverage on the high-risk items, and possibly a lower effort on lower risk equipment. A potential
benefit of an RBI program is to increase operating times and run lengths of process facilities while
improving, or at least maintaining, the same level of risk.
[Figure: Comparison of Traditional Inspection Approach Versus RBI Approach. Labels: RDMIP/RBI Approach, Traditional Approach, High Risk Items.]
An RBI program has a strategic phase and a tactical phase. The strategic phase includes a hazard
screen, risk ranking, and development of equipment plans. Implementation of equipment plans
occurs in the tactical phase.
Strategic Phase. The initial hazard screen identifies all equipment required to be covered
under OSHA 29 CFR 1910.119 and the EPA Risk Management Rule. These rules address the
quantity of hazardous chemicals in equipment that justify screening.
Some plants elect to include equipment with steam or condensates that, while not covered in the
PSM standard, may be important from a personnel safety standpoint. In addition, some plants
include equipment on the basis of plant reliability and availability.
After gathering equipment data, an operations and technical team performs a risk analysis. The
team considers scenarios of what can go wrong, the likelihood of failure (LOF), and the
consequences of failure (COF). The product of LOF and COF provides a measure of risk. Risk
categories, such as high, medium-high, medium, and low, are then used for purposes of
inspection planning.
The risk analysis identifies equipment for which the relative risk is judged to be high. That is, in
relationship to other equipment at the facility, the relative consequences of the component failing
and likelihood of it failing provide sufficient concern to warrant some immediate measures.
Immediate measures may include gathering additional evidence concerning the integrity of the
equipment or additional information on process or metallurgical conditions.
The results of the risk-ranking process provide additional information, which can be used for
allocation of resources and establishing relative priorities. The information developed can also
assist in improvement of contingency plans, backups, and emergency response plans.
Tactical Phase. Upon completion of the risk ranking, the team develops equipment plans.
These plans consist of inspection schedules, scope, and techniques.
When sufficient knowledge exists on high-risk ranked items to demonstrate suitability for
service, the facility can change from a traditional inspection schedule to one based on the risk
analysis. A program based on risk analysis is managed via the plant’s maintenance management
system and inspection results database. The data in the management system are continuously
INDUSTRY STANDARDS
Many companies follow standards provided by professional bodies, such as the API, ASME,
Chemical Manufacturers Association, National Association of Corrosion Engineers, and
National Petroleum and Refiners Association.
Although standards and guidelines issued by these bodies are not law, they possess a high degree
of credibility and authority when a company is planning a safety program. Many of these
standards would be considered as good engineering practice by regulatory bodies.
As mentioned previously, risk-based concepts have been around for decades in the nuclear and
aerospace industries. Only since the introduction of OSHA 1910.119 have the chemical
industries started looking at risk methodologies as a means of prioritizing inspection and
maintenance activities.
In response to OSHA, the CMA produced a document called Responsible Care, which would
give guidance to its members on PSM implementation. As part of this document an MI
supplement was produced. API has produced a recommended practice for the Management of
Process Hazards, API 750, and initiated an RBI task force. This task force has completed a
recommended practice on RBI, API 580, and a base resource document on RBI implementation
in refineries, API 581.
API RP 580 is intended to supplement API 510 Pressure Vessel Inspection Code; API 570
Piping Inspection Code; and API 653 Tank Inspection, Repair, Alteration and Reconstruction.
These API inspection codes allow an owner/user latitude to increase or decrease the code
designated inspection frequencies, if the owner/user conducts an RBI assessment. The
assessment must systematically evaluate both the LOF and the associated COF. The LOF
assessment must be based on all forms of deterioration that could reasonably be expected to
affect the piece of equipment in the particular service.
ASME post construction committee has produced a draft standard on inspection planning that
incorporates risk concepts. ASME and API are working together to produce RBI documents so
efforts are not duplicated.
RBI is typically designed to interact with other safety initiatives. The output from several of
these programs provides valuable input for the RBI evaluation. Other programs that are
important in RBI studies include reliability centered maintenance programs, Hazard and
Operability (HAZOP) studies, and PHA reviews.
Until recently the traditional role of commercial and industrial risk management has been to
recognize known hazards to plant operations and to support decisions on the types and extent of
insurance coverage to be obtained. Risk assessment and risk management methods provide a
solid basis for anticipating, preventing, and/or mitigating both physical and economic risks. The
application of risk assessment and active risk management tools can be viewed as a supplement
to insurance protection, particularly when applied to management of the challenges of aging
equipment subject to degradation and corrosion in the plant environment.
Three simple questions are considered to establish the basis for defining risk.
There are various types of risk: risk to personnel, risk to the general public, risk of an
environmental problem, or risk of economic loss. RBI can help address any or all of these, but
management needs to determine which has priority.
There are many different analysis techniques and models that have been developed to aid in
conducting risk assessments. Many of these techniques have been developed by the aerospace
and nuclear industries.
PROCESS
Hazard Identification – Hazard identification can help focus a risk analysis on key hazards and
create discussion on what hazardous scenarios may occur. Hazard identification can be an
implicit step that is not systematically performed (i.e., a refinery contains large volumes of toxic,
flammable materials) or it can be explicitly performed using structured techniques. A HAZOP
study identifies hazards and hazardous scenarios and their consequence, but does not look at the
frequency or probability of these scenarios.
Frequency Assessment – Estimating the frequency of hazardous events can be conducted using
several approaches. These would include investigating historical data (inspection data or
frequency of failure data), expert assessment of a system, conducting an event tree or fault tree
analysis, or using a cause analysis. The approach taken will depend on the goals of the program,
the data available, and the required sensitivity of the study.
Consequence Assessment – The modeling of consequences can involve the use of analytical
models to predict the effects of certain scenarios. Many models exist for consequence modeling,
and these could include dispersion models, source term models, environmental effects modeling,
blast and thermal modeling, as well as the effects of mitigation devices. Many databases exist
that contain data on the toxic effects of materials on humans and the fire and blast effects on
buildings and structures. All these resources can be used to calculate consequence effects, but
only those steps needed to provide the appropriate information necessary to complete the
program goals should be considered. Assessments can focus on business, safety, and
environmental consequences.
Risk Evaluation and Reporting – The simplest form of reporting relative risk is by prioritization
using numbers, levels, or simply high, medium, or low. Another approach is to use a risk matrix
to assign risk. This is the preferred approach in RBI studies. Each equipment item will fall within
a cell in the matrix, corresponding to the LOF and COF. One of the goals of an RBI program will
be to define appropriate risk categories and what the response will be to each category. When
conducting a quantitative risk assessment, it is useful to demonstrate the sensitivity of the risk
results in order to demonstrate the degree of uncertainty in the analysis. The definitions are
shown in the following table and a Risk Matrix is shown on the next page.
[Figure: Risk Matrix. Vertical axis: Likelihood (Very High, High, Medium, Low). Horizontal axis: Consequence (Very Serious, Serious, Marginal, Minor). Regions are labeled from High Risk to Low Risk.]
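The ranking described above (the product of LOF and COF, then a matrix cell and a risk category for each item) can be worked through as follows. This is an added example, not part of the course notes: the equipment tags, the 1-to-4 ordinal scores per axis, and the category cut-offs are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Axis labels from the risk matrix above, ordered lowest to highest.
LIKELIHOOD = ["Low", "Medium", "High", "Very High"]
CONSEQUENCE = ["Minor", "Marginal", "Serious", "Very Serious"]

# ASSUMPTION: ordinal scores 1..4 per axis and these cut-offs on the product
# (1..16). The notes name the categories but give no numeric boundaries.
CATEGORY_FLOORS = [(12, "High"), (8, "Medium-High"), (4, "Medium"), (1, "Low")]


@dataclass(frozen=True)
class Item:
    tag: str  # equipment tag (constructed)
    lof: str  # likelihood-of-failure label
    cof: str  # consequence-of-failure label


def score(item):
    """Relative risk = LOF rank x COF rank; rejects labels not on the matrix."""
    if item.lof not in LIKELIHOOD or item.cof not in CONSEQUENCE:
        raise ValueError(f"{item.tag}: unknown LOF/COF label")
    return (LIKELIHOOD.index(item.lof) + 1) * (CONSEQUENCE.index(item.cof) + 1)


def category(risk):
    """Map a relative risk score to the assumed inspection-planning category."""
    for floor, name in CATEGORY_FLOORS:
        if risk >= floor:
            return name
    raise ValueError("risk score must be at least 1")


def rank(items):
    """Highest relative risk first; ties broken by tag for a stable report."""
    return sorted(items, key=lambda i: (-score(i), i.tag))


def matrix_cells(items):
    """Place each item in its (likelihood, consequence) cell of the matrix."""
    cells = defaultdict(list)
    for item in rank(items):
        cells[(item.lof, item.cof)].append(item.tag)
    return dict(cells)


def risk_concentration(items, share):
    """Smallest count of top-ranked items holding `share` of total risk."""
    if not items:
        raise ValueError("no equipment items supplied")
    ranked = rank(items)
    total = sum(score(i) for i in ranked)
    running = 0
    for count, item in enumerate(ranked, start=1):
        running += score(item)
        if running >= share * total:
            return count, count / len(ranked)
    return len(ranked), 1.0


# Constructed sample data: ten hypothetical equipment items.
ITEMS = [
    Item("V-101", "Very High", "Very Serious"),
    Item("E-204", "High", "Serious"),
    Item("P-310", "Medium", "Very Serious"),
    Item("T-402", "Low", "Serious"),
    Item("E-205", "Medium", "Marginal"),
    Item("P-311", "Low", "Minor"),
    Item("V-102", "Low", "Marginal"),
    Item("T-403", "Medium", "Minor"),
    Item("E-206", "Low", "Minor"),
    Item("P-312", "High", "Minor"),
]

if __name__ == "__main__":
    for it in rank(ITEMS):
        print(f"{it.tag:6} {it.lof:10} {it.cof:13} {score(it):3} {category(score(it))}")
    count, fraction = risk_concentration(ITEMS, 0.5)
    print(f"{count} items ({fraction:.0%} of the list) carry half of the relative risk")
```

The scores are relative, as in the notes: they order items against each other and say nothing about absolute failure frequency.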
Before conducting a risk assessment, management or the responsible team needs to define key
parameters. These would include the following:
§ Program Objective
§ Scope
§ Approach
§ Resources
For any risk assessment to produce the necessary results, objectives need to be clearly defined.
Requiring the assessment team to do more than is necessary to satisfy a particular objective is
expensive and counterproductive. Appropriate technical models can be selected once the
program objectives have been defined. A range of modeling techniques, computer programs, and
data sources are available to produce desired results. The approach and software used should
supply the appropriate data fields to satisfy the study objectives – and no more. Quality reviews
by peers or experts are important in producing a consistent, defensible assessment.
Risk can be absolute or relative. An absolute risk value, such as 0.001 fatalities per year within a
one-mile radius of a facility, is very time consuming and expensive to calculate. Also, due to
uncertainties in basic data and in being sure that all failure modes have been considered, absolute
values are often subject to a good deal of error. Therefore, almost all risk analyses use relative
risk in which one piece of equipment is ranked against another.
A RISK ANALYSIS CAN BE
§ Qualitative
§ Semi-Quantitative
§ Quantitative
Qualitative – A qualitative analysis is typically used when equipment counts are very large, data
and information are limited, and time and resources are scarce. The results of such an analysis are
more intuitive than quantitative and work well as a first-level screening tool. Such an analysis
does have its shortcomings, and one must be aware of its limitations.
Semi-Quantitative – A semi-quantitative analysis is typically used when equipment counts are
large, replacement costs are high, and the technology and data are available to conduct an
in-depth analysis. Numeric information is used to calculate a risk level. These calculations are not
as rigorous as a fully quantitative analysis and include assumptions and the weighting of factors.
This level can also act as a screen for determining which equipment items may need a full
quantitative analysis. Aptech Engineering Services, Inc.’s (APTECH) RDMIP program is
considered a semi-quantitative risk analysis.
Quantitative – A quantitative analysis is used when equipment counts are not large,
replacement costs are very high, the consequences of a failure are considerable, and time and
resources are available for sophisticated analysis. The analysis is fully numeric, and the results
are based on probabilistic analysis to describe the distributed risk. It is considered that if a
quantitative study is conducted rigorously, the resultant risk number is a fair approximation
of the absolute risk of loss of containment due to mechanical deterioration. The amount of
numeric information used in this type of analysis is intense, and, therefore, the time and cost of
such an analysis may be prohibitive in certain operations and facilities.
If statistics are used during a risk assessment, the following set of guidelines outlines the
components that should be clearly identified in the reporting of statistics or that should be
identified when using statistics to make a case for or against a certain hypothesis. Every statistic
reported should contain elements from the four essential areas:
The accuracy of the output is a function of the methodology used as well as the quantity and
quality of the data available. While numerical approaches may imply a greater level of
confidence or accuracy, this cannot be assumed.
It can be seen from the above that there are many ways of measuring and representing risk.
Therefore, considerable planning is necessary before such a program is implemented on a plant.
Before a risk analysis is undertaken, a facility must determine what goals it wants to achieve by
implementing such a program. This will give guidance as to what approach should be taken.
Detailed analysis, when it is not necessary, not only fails to benefit the corporate
decision-maker but also misuses financial resources and time that could have
been spent more appropriately on important issues.
The objective is to perform the minimum level of analysis necessary to provide enough
information for decision making. The key would be to begin an analysis at a general
level and only perform more detailed assessments in areas where additional analysis will benefit
the decision-makers.
RBI is a method for using risk as a basis for prioritizing and managing the efforts of an inspection
program. In an operating plant, a relatively large percentage of the risk is associated with a small
percentage of the equipment items. RBI permits the shift of inspection and maintenance resources to
provide a higher level of coverage on the high-risk items and an appropriate effort on lower risk
equipment. A potential benefit of an RBI program is to increase operating times and run lengths of
process facilities while improving, or at least maintaining, the same level of risk.
In process plants, inspection and testing programs are established to detect and evaluate
deterioration due to in-service operation. The effectiveness of inspection programs varies widely,
ranging from reactive programs that concentrate on known areas of concern to broad programs
that cover a variety of equipment. One extreme of this would be the "don't fix it unless it's
broken" approach. The other extreme would be complete inspection of all equipment items.
Setting the intervals between inspections has evolved over time. With the need to periodically
verify equipment integrity, organizations initially resorted to time-based or calendar-based
intervals. With advances in inspection approaches and better understanding of the type and rate
of deterioration, inspection intervals became more dependent on the equipment condition, rather
RBI represents the next generation of inspection approaches and interval setting, recognizing that
the ultimate goal of inspection is the safety and reliability of operating facilities. RBI, as a
risk-based approach, focuses attention specifically on the equipment and associated deterioration
mechanisms representing the most risk to the facility. In focusing on risks and their mitigation,
RBI provides a better linkage between the mechanisms that lead to equipment failure and the
inspection approaches that will effectively reduce the associated risks (API 580).
RBI provides a methodology for determining the optimum combination of inspection methods
and frequencies. Each available inspection method can be analyzed and its relative effectiveness
in reducing failure probability estimated. Given this information and the cost of each procedure,
an optimization program can be developed. The key to developing such a procedure is the ability
to assess the risk associated with each item of equipment and then to determine the most
appropriate inspection techniques for that piece of equipment.
There are two impediments to implementing RBI programs at facilities. The first is the need
for the overall group to accept the notion of risk. The second is the acquisition of data. Plant
personnel often feel they have insufficient failure data in order to determine the frequency of
failure.
The hardest part of the project is over if one can remove the following misconceptions:
Before conducting an RBI study, just like any risk assessment, certain key parameters need to be
defined. These would include the following:
§ Program Objective
§ Scope
§ Resources
§ Approach
§ Measuring Factors
Objectives – For any risk assessment to produce the necessary results, objectives need to be
clearly defined. These objectives may be to achieve corporate safety goals; increase productivity;
focus inspection resources; reduce maintenance and inspection costs; meet local, state and
federal regulations; or improve turnaround planning.
Scope – The scope of the program can include a facility, plant, or several plants. Each plant is
typically broken down into operating units. Some units may have a higher priority than others or
may be due for turnaround. These units may then form the focus of the risk-ranking procedure.
Each unit can then be divided into systems and equipment types. This may include all equipment
types covered by the MI program. Equipment types can be further divided into subcomponents.
The goals and scope of the program will determine what level of detail is needed in the analysis.
Resources – Conducting a risk-based study is a team-based process. A team of people with the
requisite skills and background typically conducts the work. These individuals should have the
necessary skill, experience, and risk assessment qualifications in order to implement the
technology. One individual should be identified to function as the focal point for the RBI
program, i.e., the RBI champion or project manager. Other individuals who are important in the
evaluation process include inspectors, data clerks, process engineers, and metallurgists or
corrosion engineers. Departments that should be involved in the study include management,
operations, engineering, inspection, maintenance, and perhaps information technology.
Technical Approach – Appropriate technical models or methodologies can be selected once the
program objectives have been defined. A range of methodologies, modeling techniques,
computer programs, and data sources are available to produce risk assessment results. The
approach and/or software used should supply appropriate data fields to satisfy the study
objectives – and no more. Quality reviews by peers or experts are important in producing a
consistent, defensible assessment.
Measuring Factors – If objectives are clearly defined at the beginning of the study, the program
will have clear goals that can be used as a measure of success, once the program has been
initiated. Measurement factors may include improved safety, reduced downtime, inspection cost
savings, etc.
The RBI assessment normally includes review of both LOF and COF for normal operating
conditions. Startup and shutdown conditions, as well as emergency and non-routine conditions,
should also be reviewed for their potential effect on LOF and COF.
The operating conditions, including any sensitivity analysis, used for the RBI assessment should
be recorded as the operating limits for the assessment. Boundaries for physical assets included in
the assessment are established and should be consistent with the overall objectives. The level of
data to be reviewed and the resources available to accomplish the objectives directly impact the
extent of physical assets that can be assessed. The screening process is important in centering the
focus on the most important physical assets so that time and resources are effectively applied.
If these questions are clearly answered at the beginning of the process, the program will have
clear goals and objectives that can be used as a measure of success once the program has been
initiated.
Different Approaches
Just like there are several different approaches to risk analysis, there are also different types of
RBI analysis. An RBI analysis can be qualitative, semi-quantitative, or quantitative depending on
the level of risk analysis, and results can be presented as absolute or relative.
API 580 recognizes different risk assessment approaches. The complexity of risk calculations is
a function of the number of factors that can affect the risk. Calculating absolute risk can be very
time consuming and costly and, because of the many uncertainties, is often impossible. In the RBI
methodologies, it is recognized that there are many variables in calculating the risks of loss of
containment in petroleum and petrochemical facilities, and the determination of absolute risk
numbers is often not cost effective. RBI is focused more on a systematic determination of
relative risks. In this way, facilities, units, systems, equipment, or components can be ranked
based on relative risk. This serves to focus the risk management efforts on the higher ranked
risks.
The type of results needed is an important factor in choosing an analysis technique. As shown
above, a variety of techniques can be used to conduct a risk assessment. Satisfying the program
objectives is the most important criterion for selecting a particular analysis technique.
APTECH uses a combination of historical data and expert input in order to determine the LOF.
Both are recognized as appropriate techniques that can be used to determine the frequency of
failure. Often this approach can be conducted without on-site inspection data.
Once risks are calculated, failure modes are ranked from high to low, relative to each other, not
to an absolute standard. Risk analysis for specific industries is not standardized so absolute risk
is something of a misnomer, especially in the refinery and petrochemical industries. For risk
calculations associated with RBI:
RISK MANAGEMENT
Based on the ranking of items and the risk threshold, the risk management process begins. For
risks that are judged acceptable, no mitigation is required and no further action is necessary.
For risks considered unacceptable, and, therefore, requiring risk treatment, there are various
mitigation categories that should be evaluated.
Risk management decisions can now be made on which mitigation action(s) to take (per API 580
standard).
RISK MITIGATION
It may appear that risk management and risk reduction are synonymous. However, risk reduction
is only part of risk management. Risk reduction is the act of mitigating a known risk to a lower
level of risk. Risk management is a process to assess risks, to determine if risk reduction is
required, and to develop a plan to maintain risks at an acceptable level. By using risk
management, some risks may be identified as acceptable so that no risk reduction is required.
RCM began in the U.S. commercial aviation industry. Because of the compact nature of the
industry, the risks associated with failures were easily divided into four criticality classes, (flight)
safety, operations, economics, and hidden failures. These are typically still the categories used to
develop a safe, economical maintenance plan. RCM was then applied to the nuclear industry and
these four criticality classes continued to work well. However, as RCM is applied to other
industries, the range of probabilities and consequences is becoming larger. It is therefore no
longer practical to choose systems for RCM based upon subjective risk importance.
Risk-centered maintenance (or RBI) uses the identical functional description of systems, sub-
systems, functional failures, and failure modes that RCM employs, but it is different in that the
criticality class is replaced with an explicit risk calculation. Using a quantitative value of risk
instead of a coarse assignment (criticality class) allows a more complete description of the actual
hazards that exist on a facility.
In RCM, risk assignments are made through decision logic trees and are coarse classifications.
These criticality classes may vary in name, but generally relate to safety, production, economics,
and hidden failures. Once a failure mode is classified into a criticality class, there is no further
discrimination or ordering of the category. The failure modes that fall into each category are all
considered of equal importance. In practice, however, there is usually an ordering system based
on team or individual judgement. The criticality class is meant to provide general information
about either the importance of preventing the failure or to the nature of the failure itself. When
the range of consequences is small, this simple categorization is good enough.
With risk explicitly computing a numeric value, failure modes can be individually ranked from
high to low risk. This ordering list will provide a priority ranking for choosing maintenance tasks
to mitigate the occurrence of failures. In conclusion:
§ The risk based approach benefits both the maintenance and inspection departments in
prioritizing inspection and maintenance activities.
§ RBI, therefore, complements the RCM methodology, but takes it one step further.
Original RCM analysis and data are useful for the implementation of an RBI program, but
the risk approach takes both likelihood and consequence into account and prioritizes
equipment items and their subcomponents accordingly.
Limitations of RBI
Since RBI is part of an MI program, it is focused on mechanical issues. Therefore, RBI does not
cover all eventualities that may occur in a plant since risk cannot be reduced to zero solely by
inspection efforts. RBI attempts to address and mitigate failures that occur due to the natural
wear and corrosion of vessels in service. Much of the risk associated with plant operations is
risk that cannot be affected by inspections or maintenance. It has been shown that
approximately 50% of the failures in industrial plants are caused by degradation (wear and tear)
related to normal operations. Human error, design faults, environmental hazards, etc. cause the
remaining 50% of failures. RBI does not address these issues; therefore, it does not address half
of the known causes of industrial accidents. However, the plant should have a good PSM
program in place and should have completed a HAZOP study. These programs should address
and mitigate these issues and complement the RBI program. The residual risk factors for loss of
containment include, but are not limited to, the following:
§ Human error
§ Natural disasters
§ External events (e.g., collisions or falling objects)
§ Secondary effects from nearby units
§ Deliberate acts (e.g., sabotage)
§ Fundamental limitations of inspection method
§ Design errors
§ Unknown mechanisms of deterioration
Many of these factors are strongly influenced by the PSM system in place at the facility
(API 580).
RBI attempts to address some of these concerns by completing an evaluation of the management
systems in place. These management systems may prevent or mitigate the likelihood that
unexpected failures occur.
Any RBI program should integrate into a facility's PSM program, and more specifically, into the
MI program and procedures.
PROCEDURES SYSTEM
Typically there are only three or four types of documents that are important to management and
to employees. These documents serve the following functions:
The RBI program should not be seen in isolation but should be connected to other plant
initiatives such as MI and PSM. Because of this, RBI procedures should be linked to other plant
documents, such as guidelines, procedures, and specific work instructions. RBI procedures
should be integrated into the plant's overall documentation and safety system.
The procedures and software for implementation of a RBI program should address:
All of these documents, procedures, and software should be incorporated into a company’s
overall safety management system.
ORGANIZATIONAL ROLES
The development of an RBI program requires a significant amount of data collection, specialized
analysis, and risk management decisions. A team of people with the requisite skills and
background typically conducts the work. One individual should be identified to function as the
focal point coordinator for the RBI program. This person is typically known as the RBI
champion. The primary role of the RBI champion would be to provide direction and
management of the overall program, including:
§ Forming the team and assuring team members have necessary skills and knowledge.
§ Ensuring proper procedures are used.
§ Ensuring data used in the analysis are correct and verifiable.
§ Verifying assumptions are logical and documented.
§ Utilizing appropriate personnel to provide data or assumptions.
§ Providing quality control of data collection and data analysis.
§ Reporting to management.
§ Following up to assure the appropriate risk mitigation actions have been implemented.
§ Being responsible for assuring all necessary resources are available for the program's
success, which could include obtaining specialized expertise as required from outside
consultants, e.g., inspection planning, turnaround execution, on-line condition monitoring,
etc.
The following diagram provides an overview of how one plant has organized to implement an
RBI/RDMIP program.
[Diagram: plant organization for the RBI/RDMIP program. Boxes: Corporate Interface; Maintenance Contractor (routine maintenance, repairs, and modifications); Inspection Contractor (routine and specialized NDE); Design Contractor (design calculations, drawing updates, transient evaluations and rerates); Other Contractors (specialized NDE, FFS analysis, etc., as needed).]
The requirements for implementing an MI and RBI program are varied and complex. Personnel
need experience in many disciplines, such as:
It can be seen from the above requirements that a multi-disciplinary team is needed for the
implementation of MI and RBI programs. The following personnel may participate in various
aspects of such a program, either during the development or on an ongoing basis during
day-to-day management and implementation. A list of their qualifications and responsibilities is
provided.
Equipment Inspector(s). The inspector's function typically will not change upon
implementation of an RBI/RDMIP program. As always, he is responsible for gathering accurate
data on the condition of equipment using sound proven inspection techniques and recognized and
generally accepted good engineering practices. He is responsible for assuring the quality of the
documentation and in collaboration with a materials and/or corrosion engineer, should provide
predictions of the current condition. The inspector and materials and/or corrosion engineer
should assist with determining effectiveness of past inspections and implement future inspections
defined by the RBI/RDMIP program.
Materials and/or Corrosion Engineer. The person serving in this capacity must be an
engineer who has significant experience in the petroleum and chemical industry in the area of
metallurgy, materials, and/or corrosion engineering. He is responsible for conducting the LOF
analysis using input as required from the process engineer for identification of damage
mechanisms and their possibility of occurrence and severity to the equipment considering the
process conditions, environment, metallurgy, age, etc. of the equipment. The materials/corrosion
engineer will also be responsible for evaluating the appropriateness of the inspections in relation
to the deterioration mechanism. He will provide recommendations on methods of mitigating the
LOF (such as changes in metallurgy, addition of inhibition, addition of coatings/linings, etc.).
Process Engineer. The process engineer should be a qualified engineer and must have
significant experience in the petroleum and chemical industry in the area of process engineering.
He will evaluate operating conditions through discussions with operators, and he will review and
Management. Management will approve the RBI/RDMIP policies and enabling procedures
and will provide sponsorship and resources (personnel and money) for the program, including
analysis, inspections, and risk mitigation. In addition, management will make, evaluate, and/or
approve risk management recommendations and decisions, and may provide the
framework/mechanism for others to make these decisions based on the results of the
RBI/RDMIP study.
Risk Assessment Personnel. This function may have a dual role, such as process or
materials and/or corrosion engineer, and will be responsible for identifying data requirements,
defining accuracy required for the data, and verifying the soundness of data and assumptions and
documenting this verification. Risk assessment personnel will also assure data are accurately
input into the RDMIP software or other package such as API, provide quality control of data
input/output, and prepare the report.
Environmental, Health, and Safety Personnel. These personnel may assist the
RBI/RDMIP project by providing data on environmental and safety systems and regulations.
They may also assist the team with identification of ways to mitigate the COFs.
Risk assessment personnel will be required to have detailed training on the RBI/RDMIP or API
methodology as appropriate. These personnel should have training and experience with the
software being utilized. Experience or training in formal risk analysis principles is also desirable.
Qualifications of the risk assessment personnel should be documented. APTECH has a procedure
for training personnel on our RDMIP program and can provide documentation of training and
qualifications, which demonstrates that only experienced personnel should conduct this work.
Facility owners that have internal risk assessment personnel conduct the RBI/RDMIP analysis
should have a procedure to document that their personnel are sufficiently qualified.
The other team members should receive basic training on the RBI/RDMIP or API methodology
as applicable, and on the software being used. This training should be geared primarily to an
understanding of RBI.
PROCESS
In order to conduct a risk based inspection (RBI) program in a systematic and methodical
manner, a particular stepwise process is followed.
STEPWISE PROCESS
§ Hazard Identification
§ Frequency Assessment
§ Consequence Assessment
§ Risk Evaluation and Reporting
Hazard identification can help focus a risk analysis on key hazards and create discussion on what
hazardous scenarios may occur. Hazard identification can be an implicit step that is not
systematically performed (i.e., a refinery contains large volumes of toxic, flammable materials),
or it can be explicitly performed using structured techniques.
Estimating the frequency of hazardous events can be conducted using several approaches. These
would include investigating historical data (inspection data or frequency of failure data), expert
assessment of a system, conducting an event tree or fault tree analysis, or using a cause analysis.
The approach taken will depend on the goals of the program, the data available, and the required
sensitivity of the study.
The modeling of consequences can involve the use of analytical models to predict the effects of
certain scenarios. Many models exist for consequence modeling, and these could include
dispersion models, source term models, environmental effects modeling, blast and thermal
modeling, as well as the effects of mitigation devices. Many databases exist that contain data on
the toxic effects of materials on humans and the fire and blast effects on buildings and structures.
All these resources can be used to calculate consequence effects, but only those steps needed to
provide the appropriate information necessary to complete the program goals should be
considered. Assessments can focus on business, safety, and environmental consequences.
The simplest form of reporting relative risk is by prioritization using numbers, levels, or simply
high, medium, or low. Another approach is to use a risk matrix to assign risk. This is the
preferred approach in RBI studies. Each equipment item will fall within a cell in the matrix,
IMPLEMENTATION
The implementation of the Risk Directed Mechanical Integrity Program (RDMIP™) requires the
following steps:
IMPLEMENTING RDMIP
§ Determine goals, objectives, and benchmarks
§ Determine technical approach
§ Determine scope of program
§ Determine resources (assemble RBI team)
§ Develop equipment hierarchy
§ Collect data
§ Risk rank equipment
§ Implement risk ranking in inspection and maintenance programs
§ Audit, review, and document
[Figure: RDMIP implementation flowchart. Recoverable labels: Data Collection; COF; LOF; Risk Reduction (Mitigation); No Deficiencies; Deficiencies; Inspection Plans; Others; Remedial Actions.]
Goals – By determining the goals of the program, it will become evident what approach and
program is needed to achieve these goals. Does the program need to be qualitative or
quantitative, and what important consequences need to be highlighted? Are business
consequences, environmental issues, or worst case scenarios important, or a combination of
these?
Technical Approach – Appropriate technical models or methodologies can be selected once the
program objectives have been defined. A range of methodologies, modeling techniques,
computer programs, and data sources are available to produce risk assessment results. The
Scope – The scope of the program can include a facility, a plant, or several plants. Each plant is
typically broken down into operating units. Some units may have a higher priority than others or
may be due for turnaround. These units may then form the focus of the risk-ranking procedure.
Each unit can then be divided into systems and equipment types. This may include all equipment
types covered by the mechanical integrity (MI) program. Equipment types can be further divided
into subcomponents. The goals and boundaries of the program will determine what level of detail
is needed in the analysis.
Resources – Organization Roles and Training. If the team cannot be staffed entirely from
facility personnel, then it is advised that outside consultants be used to implement the
program. The RBI team should have sufficient training and experience in RBI implementation.
Hierarchy – Process flow diagrams (PFDs) and process and instrument diagrams (P&IDs) need to
be reviewed in order to determine an equipment hierarchy. Equipment items are divided into
subcomponents where necessary, and piping systems are linked to these components. Inventory
groups can be developed at this stage in order to determine the volume contents of components
or groups of components.
RDMIP METHODOLOGY
RDMIP risk ranks equipment items and their subcomponents, as well as piping systems and
associated circuits. RDMIP contains two levels of analysis. The Level A analysis encompasses
all the essential data necessary to complete a semi-quantitative risk ranking of equipment. The
Level B analysis needs the collection of more data in order to complete a more in-depth risk
analysis. The Level B analysis considers more factors than the Level A analysis. The flowchart
in the following figure shows the major steps in the overall RDMIP risk-ranking process.
[Figure: RDMIP risk-ranking flowchart. Recoverable labels: Calculate Initial Damage Rank; Calculate PCV Modifier; Risk Rank = COF x LOF; Risk Directed Inspection Plan - Scope & Frequency.]
PROCESS
§ Set-Up
Ø Determine program goals, scope, and boundaries.
Ø Review and prioritize all units to be evaluated.
Ø Review of PFDs and/or P&IDs for the selected unit.
Ø Develop equipment list and individual checklist.
Ø Develop simplified process sketches with marked up inventory groups.
§ LOF Process
Ø Review industry experience for the unit.
Ø Review and evaluate inspection/maintenance equipment files.
Ø Review Hazard and Operability analysis for the unit.
Ø Interview the unit process engineer.
Ø Interview the unit inspector/maintenance engineer.
Ø Identify potential damage mechanisms.
§ COF Process
Ø Review and enter process design and operating data.
Ø Determine if any trace elements are present (<1%) in process stream, which may cause
corrosion problems.
Ø Interview operating personnel.
Both the LOF and the COF evaluations use a ranking scale that ranges from 1 (highest LOF and
worst COF) to 4 (lowest LOF and COF).
The LOF and COF ratings for each fixed equipment item are multiplied to achieve a combined
risk ranking. The results are placed into a matrix for inspection planning purposes, which rates a
risk of 1 or 2 as a very high risk; 3 or 4 as a high risk; 5 through 9 as a medium risk; and 10
through 16 as a low risk.
The output from the LOF and COF analysis is combined in a linear (non-weighted) matrix that
assumes there is equality between like-ranked elements of LOF and COF. The 4-by-4-matrix
results in ranking values between 1 and 16. This matrix is partitioned back down to a 1 to 4 value
for the convenience of assigning inspection frequencies and providing a practical limit to the
number of ranking levels to consider. These risk categories are as follows:
The ultimate goal of this effort is to use the risk ranking to prioritize the maintenance and
inspection workload and improve (or lower) the level of risk through increased proactive and
focused maintenance and inspection of critical equipment.
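The multiplication and partition described above, worked through as an added example (not part of the original course notes or the RDMIP software). The equipment tags, services, and ratings are constructed sample data and the function names are hypothetical; the block also applies the review check, stated later in these notes, that identical components in the same service are ranked the same.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Partition of the 1-16 product into the four categories stated in the text:
# (upper bound of product, partitioned rank, label); rank 1 is the highest risk.
PARTITION = [(2, 1, "very high"), (4, 2, "high"), (9, 3, "medium"), (16, 4, "low")]


@dataclass(frozen=True)
class Item:
    tag: str        # equipment I.D. (constructed sample values below)
    kind: str       # equipment or subcomponent type
    service: str    # process service the item operates in
    lof: int        # 1 = highest likelihood of failure, 4 = lowest
    cof: int        # 1 = worst consequence of failure, 4 = lowest


def risk_product(lof, cof):
    """Multiply the LOF and COF ratings (non-weighted 4-by-4 matrix)."""
    for name, value in (("LOF", lof), ("COF", cof)):
        if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 4:
            raise ValueError(f"{name} rating must be an integer from 1 to 4, got {value!r}")
    return lof * cof


def risk_category(lof, cof):
    """Return (partitioned rank 1-4, label) for one LOF/COF pair."""
    product = risk_product(lof, cof)
    for upper, rank, label in PARTITION:
        if product <= upper:
            return rank, label
    raise AssertionError("unreachable: product is always between 1 and 16")


def risk_matrix():
    """4-by-4 matrix of partitioned ranks; rows are LOF 1-4, columns are COF 1-4."""
    return [[risk_category(lof, cof)[0] for cof in range(1, 5)] for lof in range(1, 5)]


def prioritize(items):
    """Order items for inspection planning, highest risk (lowest product) first."""
    return sorted(items, key=lambda i: (risk_product(i.lof, i.cof), i.tag))


def distribution(items):
    """Count items per category, for the review of the unit's risk distribution."""
    return Counter(risk_category(i.lof, i.cof)[1] for i in items)


def inconsistent_groups(items):
    """Find identical components in the same service that were ranked differently."""
    groups = defaultdict(list)
    for i in items:
        groups[(i.kind, i.service)].append(i)
    return {
        key: sorted(m.tag for m in members)
        for key, members in groups.items()
        if len({risk_category(m.lof, m.cof)[0] for m in members}) > 1
    }


# Constructed sample data: tags, services and ratings are illustrative only.
SAMPLE = [
    Item("E-101A", "exchanger shell", "overhead condensing", lof=2, cof=2),
    Item("E-101B", "exchanger shell", "overhead condensing", lof=3, cof=2),
    Item("V-200", "separator", "sour water", lof=1, cof=2),
    Item("T-300", "column top", "amine regeneration", lof=3, cof=3),
    Item("D-410", "drum", "instrument air", lof=4, cof=4),
]

if __name__ == "__main__":
    for row in risk_matrix():
        print(row)
    for item in prioritize(SAMPLE):
        rank, label = risk_category(item.lof, item.cof)
        print(f"{item.tag:8} LOF={item.lof} COF={item.cof} rank={rank} ({label})")
    print(dict(distribution(SAMPLE)))
    print(inconsistent_groups(SAMPLE))
```

Only the products 1, 2, 3, 4, 6, 8, 9, 12, and 16 can occur in a 4-by-4 matrix, so the band boundaries in the text never split a reachable value.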
LOF Evaluation
The LOF process initially concentrates on documented industry experience to determine the
damage mechanisms (e.g., erosion, overheating, and various types of corrosion) that are
theoretically possible, and a possibility of occurrence is assigned for each mechanism. Each
mechanism is evaluated individually, and a ranked potential failure mode rating (e.g., gross
rupture down to a small leak) that may result from those mechanisms is determined. Additional
mitigating and aggravating factors for the damage mechanisms are then considered and the
highest ranked mechanisms are identified. Actual/specific plant experience is then factored into
the process, the LOF rating is shifted up or down as necessary, and the basis for this adjustment
is documented.
COF Evaluation
The COF evaluation uses the worst-case inventory volumes of vessels as well as the National
Fire Protection Association (NFPA) ranking for a particular process stream in order to calculate a
consequence value. Operating conditions, mitigation, and aggravating factors are weighted in
order to adjust the consequence value. The consequence value is a single value that represents
the relative risk associated with a piece of equipment on the facility.
This is the first step of the Inspection Planning program. Aptech Engineering Services, Inc.
(APTECH) has taken this information and developed risk matrices, summary reports, and
specific inspection plans. These reports include the possible damage mechanisms for each
equipment item, recommended inspection techniques, and the scope and frequency of scheduled
inspections. The tactical phase or day-to-day management of the RDMIP plan is described in the
RDMIP Work Management Program Manual, Volume III.
Responsible personnel must clearly define what the scope and boundary limits of the program
are going to be. Once this has been decided, an equipment list is typically used to begin the data
collection. Data can be collected either on data entry forms or can be entered directly into the
database.
Sources of Information
There are many sources of information available on plants. Some of these data may be recent,
and some may be old and outdated. The quality of documentation on a facility can also vary
from department to department. The availability of data greatly influences the ease of completing
a RBI project. The more data available and the better organized it is, the easier the project will
proceed. The following lists contain sources of data that may be useful when conducting the RBI
study.
Process Chemical Data. Process chemical contents must also be obtained in order to
evaluate the COF and LOF levels. The NFPA ratings for the component(s) in the process stream
are added to form the Hazard Factor. Detailed information on traces of impurities or toxic
elements is important to ascertain likely damage mechanisms.
§ Original copies of PFDs contain information of process chemicals. These must include
the updated data for operating temperatures and pressures.
§ If the PFDs are not available, reliable sources such as line lists from the plant’s process
engineers or operators must be provided. Lines should describe a connection from one
component to another.
§ P&IDs are also useful sources of information on equipment operating conditions and
piping streams.
§ Documentation that contains chemical contents for the components must be used in order
to determine NFPA rating numbers for a process stream. For reporting purposes, major
process chemicals should be separated from contaminants that make up the streams.
The compiled information about the chemicals needs to be comprehensive for an accurate
assessment of the fire and explosive characteristics, reactivity hazards, the safety and
health hazards to workers, and the corrosion and erosion effects on the process
equipment. Current Material Safety Data Sheet (MSDS) information or the RDMIP
software can be used to help meet this requirement. If the NFPA numbers are not
available, responsible engineering personnel can make a sound judgment.
NFPA numbers express a degree of hazard that ranges from Category 0 to 4, as
follows:
Ø Category 4 (Deadly)
These are materials in which the potential for personnel exposure could cause death
or major residual injury even though prompt medical treatment is given. This includes
those materials that are too dangerous to be approached without specialized protective
equipment. This degree should include materials that can penetrate ordinary
protective clothing and materials that under normal conditions or under fire
conditions give off gases that are extremely hazardous through inhalation or through
contact or absorption.
Ø Category 3
These are materials that upon short-term exposure could be significant or cause
serious injury even though prompt medical treatment is given. These include those
materials requiring protection from all bodily contact. This degree should include
materials giving off highly toxic combustion products and materials corrosive to
living tissue or are toxic through skin absorption.
Ø Category 2 (Hazardous)
These are materials that on intense or continued exposure could cause temporary
incapacitation or possible residual injury unless prompt medical treatment is given.
This includes those materials requiring use of respiratory protective equipment with
independent air supply. This degree should include materials giving off toxic
Ø Category 1
These are materials that on exposure would cause irritation but only minor injury,
even if no treatment is given. These include those materials that require use of an
approved canister type gas mask. This degree should include materials that under fire
conditions would give off irritating combustion products and materials that on the
skin could cause irritation without destruction of tissue.
Ø Category 0
These are materials that on exposure under fire conditions would offer no hazard
beyond that of ordinary combustible material.
§ Alternatively, laboratory analyses must list all chemical elements. These data should
include mass, volume, or the molecular percentage of each chemical species.
§ An investigation should be conducted if there are any trace elements present in the
process stream that may cause corrosion problems.
Once all data have been collected, they can be entered into the database. The following
information is important in setting up the database structure, as well as calculating a risk ranking
for each equipment item and subcomponent.
§ Name of company, division, plant, and unit from which components are to be studied
must be entered initially.
§ Unique equipment identification (I.D.) number that is used by the facility to identify
equipment items must be entered. This identity is unique and cannot be used more than
once.
§ Other fields in the data input form that may be required include:
The other information identified on the data entry form is required to establish the COF value
and is the basis for determining the potential damage mechanisms for the LOF.
Ø Shell, tube, channel, head, and jacket subcomponents must be entered for a heat
exchanger.
Ø The top and bottom subcomponents for a distillation column, absorber, regenerator,
or contactor must be entered.
Ø Nozzle, drain, boot, and other parts associated with the equipment can be distinctly
separated.
Once all equipment and subcomponent data have been entered into the equipment form, process
stream data is then entered into the process stream form.
§ Major chemicals, toxics, and contaminants are listed in this form. Process chemicals can
be found when the “detailed” button is selected.
§ State of the fluid, frequent changes of feedstock, corrosion inhibitors, and intended
inventory of vapor, liquid, and total of liquid/vapor in mass for the component content are
entered.
§ MSDS and corresponding NFPA numbers are also part of the COF calculation. Hazard
levels range from 0 (lowest) to 4 (highest) category.
Once these data have been entered into the program, the items can be evaluated by calculating
the LOF and COF.
RBI is a tool to provide management with an analysis of the risks associated with the loss of
containment of equipment. Many companies have corporate risk criteria on acceptable levels of
safety, environmental, and financial risks. Management should use these risk criteria when
making RBI decisions. Because each company is unique in terms of acceptable risk levels, risk
management decisions can vary among companies. Cost-benefit analysis is a powerful tool that
is being used by many companies, governments, and regulatory authorities as one source of data
in determining risk acceptance (per API 580 standard).
On completion of the LOF and COF evaluations, the RDMIP software calculates a risk ranking
for each piece of equipment or subcomponent. This risk ranking is a number from 1 to 4, with 1
being very high risk and 4 being low risk. The results of the risk-ranking process can be viewed
as several outputs. These outputs are typically in the form of reports that are generated by the
software once the analysis has been completed.
The information generated by the RDMIP software can now be used to plan important inspection
and maintenance activities on a facility. The most important function of the risk ranking
procedure is to prioritize equipment. This can impact the following:
§ Inspection Planning
§ Maintenance Planning
§ Turnaround Planning
§ Risk Reduction by Inspection
§ Consequence Mitigation
Risk analysis is “state-of-knowledge” specific and, since the processes and systems are changing
with time, any risk study can only reflect the situation at the time the data were collected.
Although any system when first established may lack some needed data, the RBI program can be
established based on the available information, using conservative assumptions for unknowns. As
knowledge is gained from inspection and testing programs and the database improves,
uncertainty in the program will be reduced. This results in reduced uncertainty in the calculated
risk.
When an inspection identifies equipment flaws, they are evaluated using appropriate engineering
analyses or fitness-for-service methods. Based on this analysis, decisions can be made for
repairs, maintenance, or continued operation. The knowledge gained from the inspection,
engineering evaluation, and maintenance is captured and used to update the plant database.
The new data will affect the risk calculations and risk ranking for the future.
After completing the risk ranking of a unit, results should be reviewed for consistency. This
review should be conducted together with knowledgeable plant personnel. Important issues that
should receive priority during the review process include the following:
§ Critique of equipment items that receive a high or very high risk ranking. Agreement
must be reached on the classification of these equipment items and the reasons why they
are in the high-risk category.
§ Identical components in the same service should be reviewed in order to ensure they are
ranked the same.
§ Finally, the distribution of equipment items between very high, high, medium, and low
risk on the unit should be agreed on.
If agreement on these items is consistent, then it can generally be accepted that the rest of the
risk ranking process has been consistent.
RISK MANAGEMENT
Based on the ranking of items and the risk threshold, the risk management process begins. For
risks that are judged acceptable, no mitigation is required and no further action is necessary.
For risks considered unacceptable, and, therefore, requiring risk treatment, there are various
mitigation categories that should be evaluated.
Risk management decisions can now be made on which mitigation action(s) to take (per API 580
standard).
It may appear that risk management and risk reduction are synonymous. However, risk reduction
is only part of risk management. Risk reduction is the act of mitigating a known risk to a lower
level of risk. Risk management is a process to assess risks, to determine if risk reduction is
required, and to develop a plan to maintain risks at an acceptable level. By using risk
management, some risks may be identified as acceptable so that no risk reduction is required.
The risk on a facility can be reduced by lowering the COF or LOF of equipment items and
processes or both. Inspection may not always provide sufficient risk mitigation or the most
cost-effective solution. Risk mitigation activities can fall under one or more of the following:
When equipment deterioration has reached the point that the risk of failure cannot be managed to
an acceptable limit, replacement or repair is the only way to mitigate the risk.
The RBI analysis may identify equipment that is sufficiently high risk for which repair or
replacement is recommended. A fitness-for-service assessment can then be completed to
determine if the equipment may continue to be safely operated and under what conditions.
Modifications and redesign of equipment can provide mitigation of the LOF. Some examples
would include:
§ Changes in metallurgy
§ Addition of linings or coatings
§ Removal of deadlegs
§ Increasing the corrosion allowance
Sometimes equipment is overdesigned for the process conditions. Rerating the equipment may
result in a reduction of the LOF assessed for that item.
By implementing these mitigation steps, the LOF, COF, and overall risk of equipment items can
be reduced, resulting in a safer plant or facility.
Emergency Isolation. Emergency isolation capability can reduce toxic, explosion, or fire
consequences. Remote operation is usually required to provide significant risk reduction. To
mitigate explosion risk, operations need to be able to detect and actuate equipment quickly
(within minutes). A longer response time may still mitigate the effects of ongoing fires or toxic
releases.
Emergency Depressurizing or De-Inventory. This method reduces the amount and rate of
release. Like emergency isolation, emergency depressurizing and de-inventory need to be
achieved within a few minutes to affect explosion risk.
§ Reduce temperature to below atmospheric pressure boiling point to reduce size of cloud.
§ Substitute a less hazardous material, e.g., high-flash solvent for a low-flash solvent.
§ Use a continuous process instead of a batch operation.
§ Dilute hazardous substances.
Reduce Inventory. This method reduces the magnitude of consequence. Some examples are:
Water Spray/Deluge. This method can reduce fire deterioration effects and prevent escalation.
A properly designed system can greatly reduce the probability that a vessel exposed to fire will
cause a boiling liquid expanding vapor explosion.
Other Mitigation Steps. The following mitigation steps may also be appropriate, if the COF
of certain operations is considered unacceptable by management.
§ Spill detectors
§ Steam or air curtains
§ Instrumentation (interlocks, shutdown systems, alarms, etc.)
§ Inerting/gas blanketing
§ Ventilation of buildings and enclosed structures
§ Piping design
§ Mechanical flow restriction
§ Ignition source control
§ Improved design standards
§ Improvement in Process Safety Management
§ Emergency evacuation
§ Shelters (safe havens)
§ Toxic scrubbers on building vents
TURNAROUND PLANNING
The quality and level of scope of work dramatically impacts the successful planning and
execution of a turnaround. The basis of the scope of work is determined by using the work lists
RBI identifies systems, equipment, components, and activities critical to safety. This then
provides more quality and evidence-based information for the scope definition and planning
process for a turnaround and prioritizes the work to be planned and executed.
The LOF and COF information can also enhance risk management decisions around discovery
work that is uncovered during a turnaround.
COMPLIANCE
The Occupational Safety and Health Administration’s OSHA 29 CFR Part 1910 contains
requirements for preventing or minimizing the consequences of catastrophic releases of toxic,
flammable, or explosive chemicals. Paragraph (j) relates to mechanical integrity and applies to
pressure vessels, storage tanks, piping systems, relief devices, vent and emergency shutdown
systems, as well as controls, alarms, and interlocks. A requirement for compliance is that
inspections and tests shall be performed on process equipment.
“Inspection and testing procedures shall follow applicable codes and standards,
such as those published by ASME, API, AICE, ANSI, ASTM and NFPA, where
they exist; or, recognized and generally accepted engineering practices.”
“The frequency of inspections and tests shall be consistent with applicable codes
and standards; or, more frequently if determined necessary by prior experience.”
“The employer shall have a certification record that each inspection and test has
been performed in accordance with paragraph (j).”
The generally accepted standards for the inspection of petrochemical equipment are found in API
Standards 510, 653, and 570. The API 510 Pressure Vessel Inspection Code relates to the
maintenance inspection, rating, repair, and alteration of pressure vessels.
To ensure vessel integrity, all pressure vessels shall be inspected at the frequencies provided in
API 510, Section 6. In selecting the technique to be used for the inspection of a pressure vessel,
both the condition of the vessel and the environment in which it operates should be taken into
consideration. Internal inspection is preferred because process side degradation can be
non-uniform throughout the vessel, and, therefore, difficult to locate by external NDE.
On-stream inspection may be acceptable in lieu of internal inspections for vessels under specific
circumstances. In situations where on-stream inspections are acceptable, such inspections may be
conducted while the vessel is out of service and depressurized or on stream and under pressure.
The period between internal or on-stream inspections shall not exceed one-half the estimated
remaining life of the vessel based on corrosion rate, or 10 years, whichever is less. Internal
inspection is normally the preferred method of inspection and shall be conducted on vessels
subject to significant localized corrosion and other types of damage. At the discretion of the
authorized pressure vessel inspector, on-stream inspection may be substituted for internal
inspection in the following circumstances.
Ø The corrosive nature of the contents, including trace components, has been
established by at least five years of the same or comparable service experience with
the type of contents being handled.
Ø No questionable condition is disclosed by the external inspection.
Ø The operating temperature of the steel vessel shell does not exceed the lower
temperature limits for the creep rupture range of the vessel material.
Ø The vessel is not considered to be subject to environmental cracking or hydrogen
damage from the fluid being handled (sour service).
Ø The vessel is not strip lined or plate lined.
In addition, when a vessel has been internally inspected, the results of this inspection can be used
to determine whether an on-stream inspection can be substituted for an internal inspection on a
similar vessel operating in the same service and conditions.
When vessels are known to have a remaining life of over 10 years or are protected against
external corrosion (e.g., insulated vessels, jacketed cryogenic vessels, and insulated low
temperature vessels), they do not have to have insulation removed for an external inspection.
However, the condition of the insulating system or jacket needs to be visually inspected or
observed at least every five years, and repaired if necessary.
Owners/users can choose to conduct a RBI assessment of equipment, which must include a
systematic evaluation of both the LOF and the associated COF. The likelihood assessment
should be based on all the forms of degradation that could possibly affect a vessel in any
particular service. It is essential that all RBI assessments be thoroughly documented, clearly
defining all the factors contributing to both the LOF and COF of the vessel. API 580 provides
recommended practice guidelines for implementing a RBI program.
§ The most appropriate inspection methods, scope, tools, and techniques to be utilized,
based on the expected forms of degradation.
§ The appropriate frequency for internal, external, and on-stream inspections.
§ The need for pressure testing after damage has occurred or repairs have been completed.
§ The prevention and mitigation steps to reduce the LOF and COF of a vessel.
A RBI assessment may be used to increase or decrease the 10-year inspection limit described in
Section 6.4 of API 510. When used to increase the 10-year inspection limit, the RBI assessment
shall be reviewed and approved by a pressure vessel engineer and authorized pressure vessel
inspector at intervals not to exceed 10 years, or more often if warranted by process, equipment,
or consequence changes. The RBI study should be conducted according to the guidelines
described in API 580 (or any other engineering standard that constitutes good engineering
practice).
Many states, counties, and cities have their own regulations that regulate industry within their
local jurisdiction. These regulations are aimed at protecting citizens and the environment from
catastrophic events and releases. These regulations are governing and take precedence over other
requirements that are required by law. It is up to the user to ensure that local regulations and
requirements are met. However, it is sometimes possible for the user to negotiate the terms of
these regulations with local authorities. It may be possible for a user that has implemented a RBI
program to convince a local authority to relax some of the more stringent inspection and
maintenance requirements.
Documentation
Training
All personnel who facilitate and implement a RBI program need to be sufficiently trained in RBI
methodologies. APTECH staff responsible for RBI implementation have undergone RDMIP
training, and their qualifications are documented.
Barring state, county, or city regulations that are more stringent than the federal code, it is
apparent from current industry guidelines and standards that inspections can extend beyond
10-year intervals and that external inspections can be substituted for internal inspections. This
can be done by conducting a thorough RBI study in which one closely examines both the LOF
and COF for pressure equipment. The RBI study should be conducted according to the
guidelines described in API 580 (or any other engineering standard that constitutes good
engineering practice). In addition to this, there is justification for doing external inspections over
internal inspections if certain criteria are met, as described in API 510. It is suggested that these
criteria become part of the LOF procedure used to conduct the risk ranking of equipment. The
decision that certain vessels meet these criteria should be carefully discussed with appropriate
personnel when risk ranking is being conducted. Recommendations based on the risk ranking of
vessels or equipment meeting these criteria should be carefully analyzed, and the final decision
to extend inspection intervals beyond 10 years or to substitute internal inspections must be made
by a chief inspector or engineer, as described and recommended in the standard.
If these steps are completed correctly and are well documented, the client will be in compliance,
based on the fact that officially accepted standards and guidelines have been used to reach such
decisions.
BENEFITS
The benefits of implementing a RBI program on a facility are many and varied. Benefits depend
on the type of program implemented, the goals of the program, and the facility’s previous
inspection and maintenance history.
RBI studies provide a detailed understanding of potential hazards and failure mechanisms related
to the possible loss of pressure containment in pressure vessels and piping. This information can
A comprehensive RBI analysis identifies the damage mechanisms of concern, as well as the
potential consequences that could result from pressure vessel failure. The complete program then
establishes the necessary inspection system to properly monitor and manage plant equipment.
Experience has shown that even excellent inspection programs sometimes miss the mark
because:
§ They often focus almost exclusively on visual and thickness measurement inspections.
Other mechanisms such as cracking, embrittlement, etc. may not be adequately
addressed.
§ They inspect low potential, low consequence equipment far more often than necessary.
RBI analysis defines the required inspection methods and the necessary schedule. Frequently,
some equipment requires additional inspection techniques because of damage mechanisms at
work. More inspections may be required in some equipment. In the vast majority, the required
inspections can be greatly reduced.
A comprehensive RBI analysis identifies the damage mechanisms of concern, as well as the
potential consequences that could result. The complete program then establishes the necessary
inspection system to properly monitor and manage plant equipment. The cost advantages are
dramatic. Total inspection costs can typically be reduced by 50%, or more, using this approach.
Avoided Catastrophic Failure. The first priority of any MI system is to avoid catastrophic
failure, which could result in injury, environmental damage, or major financial loss. RBI analysis
provides the understanding required to properly manage pressure equipment integrity.
Unplanned Outages Due to Pressure Equipment Failure. Most equipment failures are
not catastrophic. However, they can still have significant impacts. Unscheduled downtime or
reduced operating rates may be required to repair damaged equipment. RBI analysis greatly
reduces this risk by better knowledge of damage mechanisms at work. An appropriate program
can be established to manage pressure equipment assets.
Once equipment items have been risk ranked, the information must be used to the benefit of the
facility. The primary objective of doing a risk assessment is to prioritize equipment items so that
the risk can be managed efficiently and effectively. Risk management and risk mitigation were
discussed in some detail in RDMIP Implementation, Volume II. The following section discusses
likelihood mitigation and how one can manage risk through inspection activities.
If the likelihood of failure (LOF) of equipment items is deemed high or unacceptable, several
mitigation steps can be undertaken. The first and most obvious is to conduct inspections in order
to determine the integrity of the vessel and then to take appropriate action. These inspections
need to be conducted using the appropriate techniques, scopes, and frequencies. If particular
damage is found or suspected, certain remediation steps can be taken to reduce damage from
occurring or getting worse in the future. These remediation steps may include the following:
Increasing or decreasing temperatures and/or pressures may minimize the occurrence of certain
damage mechanisms. Increasing or decreasing flow velocities may minimize the
occurrence of damage mechanisms that are velocity sensitive. This would include erosion, sour
water corrosion, under-deposit corrosion, and naphthenic acid corrosion. Addition of scrubbers,
coalescers, or filters to remove fractions or contaminants that are causing damage is also useful.
Application of a solid barrier to keep the service environment isolated from the base metal can be
implemented. Linings or coatings can be organic, metallic, or refractory. Organic linings must be
compatible with the service and resistant to process fluids. Organic films fall into two classes;
these could be thin film or thick film coatings. Thin films include epoxy, epoxy phenolic, and
baked phenolic coatings applied to a thickness of not more than 10 mils. Thick film coatings
include vinyl ester and glass fibre reinforced coatings, and are usually more than 10 mils thick.
Metallic linings fall into three classes. These are metal spray linings, strip linings, and weld
overlay. Spray linings are best applied by high velocity oxy-fuel and are usually applied in
multiple layers. Surface preparation is critical, but the application is useful because the base
metal is not heated as in welding.
Refractory linings can be used to decrease the base metal temperature, provide erosion resistant
surfaces, as well as corrosion resistant surfaces. Refractory anchoring and curing are critical to
the success of the lining.
This can be done to modify the environment or the surface of the metal on a continuous basis.
Examples include water washing to dilute contaminants (as in FCC and HDS overheads) and the
injection of chemicals to change aggressive solutions. Examples would include neutralising
chemicals, polysulfide, and oxygen scavengers. Injection of filming type chemicals causes a thin
film to coat the metal surface, thereby protecting the base metal from aggressive attack.
This can be done to increase wall thickness to compensate for internal or external wall loss due
to degradation. This method, however, does not reduce the rate of degradation. Careful
consideration should be applied before this remediation method is attempted.
In-Service Monitoring
As discussed above, mitigation methods can be applied, but in some cases these are not feasible.
Online monitoring methods can be applied to monitor damage or to see whether other mitigation
steps are effective. Typical monitoring methods include the following:
§ Corrosion probes
§ Hydrogen probes
§ Retractable corrosion coupons
§ On-line acoustic emission testing
§ Ultrasonic (UT) measurements and scanning
§ Radiographic inspection
§ Stream samples
§ Infrared thermography
§ Thermocouples
The results of a risk based inspection (RBI) assessment and the resultant risk management
assessment may be used as the basis for the development of an overall inspection strategy for the
group of items included. The inspection strategy should be designed in conjunction with other
mitigation plans so all equipment items will have resultant risks that are acceptable. Users should
consider risk rank, risk drivers, item history, number of inspections, type and effectiveness of
inspections, and remaining life in the development of their strategy.
Inspection is only effective if the inspection technique chosen is sufficient for detecting the
deterioration mechanism and its severity. As an example, spot thickness readings on a piping
circuit would be considered to have little or no mitigation if the deterioration mechanism results
in local pitting. In this case, UT scanning may be more effective. The level of risk reduction
achieved by inspection will depend on the following:
Organizations need to be deliberate in assigning the level of risk mitigation achieved through
inspection. The strategy should be a documented, iterative process to assure that inspection
activities are continually focused on items with unacceptable risk and that the risks are
effectively reduced by the activity.
The effectiveness of past inspections is part of the determination of the present risk. The future
risk can now be impacted by future inspection activities. RBI can be used as a “what if” tool to
determine when, what, and how inspections should be conducted to yield an acceptable future
risk level. Key parameters and examples that can affect the future risk include the following:
The user can adjust these parameters to obtain the optimum inspection plan that manages risk, is
cost effective, and is practical. (Refer to API 580 standard.)
If problems or deficiencies are found during inspections, they should be addressed using FFS
evaluations, repairs, or replacements. All alterations, modifications, repairs, and evaluations
should be carefully documented using appropriate management of change procedures. These
issues are discussed in more detail later in this volume.
The following inspection guidelines present detailed recommendations for the inspection of
piping and fixed equipment using a risk-based approach. The purpose of inspection is to
determine the present condition and rate of deterioration of plant equipment and piping.
Inspections are necessary in order to determine safe operating intervals and to permit the repair
and replacement of equipment at appropriate times. Implicit in an inspection program are
concerns for both personnel safety and equipment reliability.
In order to prevent unnecessary shutdowns and accidents, the condition of equipment and piping
should be monitored to detect when equipment should be retired from service (retirement limit).
This monitoring can be done acoustically with a UT probe or with a radioactive source and film
(radiography). With the development of UT thickness instruments and radiography, the thickness
of metal in process equipment can be monitored while the unit is operating. This allows
management and inspectors to identify problems before they create dangerous conditions or
cause expensive shutdowns.
Using the concept of circuits, data about one part of a circuit can be used to infer conditions
about the rest of the circuit. Given a history of measurements for inspection points in a circuit,
corrosion rates can be calculated for both individual inspection points and the entire circuit. This
information, combined with knowledge about the type of equipment, operating conditions, and
various safety considerations, can be used to determine the expected life of equipment and when
it would be prudent to inspect the equipment again. Naturally, the most corrosive systems or
circuits demand the most attention. However, as equipment and piping ages, the lower corrosion
rate circuits also achieve the potential to fail and become hazardous. These lower corrosion rate
circuits often tend to be overlooked or over inspected. Therefore, it is essential that an organized,
scientific monitoring program be developed for a particular plant.
Any process equipment corrosion monitoring system requires a realistic representative sample.
This is because corrosion behaves differently in equipment systems relative to the thickness
monitoring location, as well as the particular type of equipment. A realistic circuit sample will
include inspection locations at the most potentially critical equipment configuration locations
that can be perceived by experienced personnel coupled with a knowledge of local unit process
piping and equipment systems.
General corrosion is the most common form of corrosion in process equipment and piping, and it
represents the greatest destruction of metals on a per tonnage basis. This type of corrosion is
normally characterized by one or more electrochemical reactions, which under ideal conditions
proceeds uniformly over the entire exposed surface. Usually the life of a given material can be
estimated on the basis of available literature and field data. However, one must be aware that
ideal conditions often do not prevail, and pitting results or the corrosion rate can change
dramatically by individual conditions existing at a particular location. For example, acids may
concentrate at low-piping configurations, or changes in flow velocity of a fluid may have an
adverse effect on the corrosion rate. This is particularly true for materials that depend on
protective films, such as iron sulfides or oxides, for their corrosion protection. When these
materials become subject to high fluid velocities and turbulence, such as in reducers and elbows,
mechanical damage and the removal of protective films can occur, resulting in accelerated
localized attack.
Temperature also increases the corrosion rate of almost all materials. For example, the corrosion
of a carbon steel pipe by an acid solution rapidly increases as temperature increases. This is due
to the higher oxidizing power of many corrosives at higher temperatures. In addition to this, the
concentration of corrosives and the presence of process contaminants affect the corrosion rates of
metals. Specific damage mechanisms for fixed equipment generally are given in the specific
inspection plans for summary reports for each equipment item.
The first step in monitoring corrosion or erosion is to evaluate the potential corrosion problem
and determine the actual plant need for inspection. Some environments and equipment are not
important enough and do not represent any significant safety hazard. The systems requiring
attention should be analyzed and organized into convenient groups, which relate to each other
geographically, organizationally, or maintenance-wise. Typically, a process unit is used. Once
the scope of a unit or plant has been established, an inspection program is developed that will
depend on the available time and budget.
If the amount of piping and equipment is large in relation to the time, manpower, and budget
available, a two-step approach may be used. For the first step, only the most important or critical
circuits are submitted to the computer databank. At a later date, after the critical circuits are
analyzed, the remaining less corrosive circuits are added. All covered equipment items have been
risk ranked, and this ranking has been used to develop an inspection plan.
The American Petroleum Institute’s (API) philosophy of inspection recognizes three basic
concepts:
§ Inspection intervals shall not normally exceed those listed in applicable codes and
standards. The intervals recommended in Section 8 represent common practice.
§ The inspection frequency and inspection method for equipment should be related to the
type and rate of deterioration.
§ The frequency of inspection must be reconsidered if the operation of the equipment
differs from the historical basis, such as when changing the equipment design, operating
conditions, and/or feed streams (particularly if critical corrosion-control equipment is
removed from or added to service).
An integral part of applying this philosophy is implementing practices that reflect appropriate
degrees of emphasis for equipment in various services. A higher degree of emphasis should be
placed on inspection practices and frequencies for the following:
§ Equipment for which corrosion rates exceed an established acceptable rate, due to
changes in process conditions or service.
§ Equipment identified as being susceptible to non-uniform corrosion or cracking
mechanisms such as alkaline stress cracking (e.g., caustic, amine), hydrogen induced
cracking, sulfide stress cracking (SSC), and high temperature hydrogen damage.
§ Equipment in hydrogen sulfide and similar services, which contain acutely toxic
materials.
§ Equipment in liquefied, light hydrocarbon service and subject to auto-refrigeration.
§ Equipment that contains hydrogen or hydrocarbons and operates at > 500 psig.
§ Equipment items that have been identified as high risk.
The operating department routinely monitors the operation of each process unit. It is therefore
their responsibility to identify factors that could affect the equipment deterioration, such as:
The operating departments must assure that the equipment service and operating conditions used
as a basis for determining inspection methods and frequencies properly reflect actual operating
Fixed Equipment
One of the important benefits of a RBI program is the prioritization of equipment. These results
can now be used as a basis for prioritizing equipment inspections and developing detailed
inspection plans.
The three basic types of inspection for vessels include visual external inspection, complete
external inspection, and internal inspection.
§ Visual External: Typically carried out while the vessel is in service and according to
guidelines given in API 510.
§ Complete External: Consists of a visual external inspection supplemented by UT measurements
or other appropriate nondestructive examination (NDE) techniques (such as radiography) to
measure metal loss. Thickness measurements should be taken on all major components and a
representative sample of vessel nozzles. If cracking mechanisms are suspected, UT shear wave
techniques can be used.
§ Internal Inspection: Consists of a thorough visual inspection of all internal surfaces and
components, as well as obtaining the thickness measurements described above. If cracking
mechanisms are anticipated (such as SCC), dye penetrant or wet fluorescent magnetic particle
techniques (WFMT) should be used. Eddy current techniques can be used to determine the
degradation of tubes in a heat exchanger.
Locations of likely damage depend on the type of vessel being inspected. For example,
inspection plans for towers, tanks, drums, heat exchangers, and heaters will be different because
of the different geometries and internal components. A distillation column may be broken into
groups of trays of any seemingly practical number. The vapor and liquid zones within each group
of trays will carry a common primary circuit number. Grid patterns to locate readings may also
be adapted to these identification fields, if desired. Drum and heat exchanger corrosion may be
similarly monitored through assignment of corrosion environment circuit numbers.
Aptech Engineering Services, Inc. (APTECH) has developed detailed inspection plans for these
equipment items. Each plan describes the scope and frequency of inspection for the equipment
item, as well as inspection techniques to be used and specific inspection locations.
Generally one cannot translate risk into a set number of thickness measurement locations
(TMLs), so APTECH does not give specific TML numbers for each vessel. Throughout the
industry there is no specific method for determining the number of TMLs on a vessel. Each
Points to consider when determining the number of TMLs for a vessel include:
§ Risk ranking
§ Damage mechanism
§ Susceptible areas
§ Previous history
§ Size of vessel and number of subcomponents, bands, or courses
If one is uncertain about the number of TMLs that should be selected for a particular vessel,
APTECH suggests a conservative approach until additional evidence is gained.
Piping
The occurrence of cracking in piping is usually less common than in vessels. This is because the
welds in piping are usually one-sided, leading to the tempering of the root pass by subsequent fill
and cap passes. Because of this, the normal procedure is to concentrate on vessels and
exchangers when inspecting for cracking. Once cracking is found in a vessel or exchanger, the
upstream and downstream piping is inspected, usually with UT, to determine whether the
associated piping system contains cracks.
Few cracking problems have been experienced with carbon steel piping in wet H2S service for
the following reasons:
§ Many companies use only seamless pipe in ISBL applications calling for pipe diameters
of 18.0 inches or less.
§ Most piping is of the low-strength variety, and, hence, connection welds are less likely to
have hard zones.
§ Piping is welded from the inside out, so the root pass is always tempered by subsequent
weld passes.
§ There is no opportunity for high concentrations of aqueous H2S to build up. This would
occur, for example, under condensing conditions or in vessel stagnant areas.
Longitudinal seams in electric fusion welded pipe, used in ISBL applications calling for pipe
diameters of greater than 18.0 inches and attached to a pressure vessel containing SSC, should be
UT inspected for their entire length. If physically possible, areas with indications should be
WFMT inspected from inside the pipe.
Many cracking problems have been experienced with carbon steel piping in lean-amine service,
regardless of temperature. As a rule PWHT prevents cracking of welds due to the alkaline SCC
mechanism involved. Nevertheless, it is recommended that selected connection welds, primarily
in the hot lean-amine piping leaving the regenerator (stripper) tower, should be tested by using
shearwave UT on a periodic basis to monitor cracking tendency. Piping in rich-amine service,
primarily between the absorber and the regenerator towers, should be treated as carbon steel
piping in wet H2S service.
Piping inspection should reflect the requirements of API 570 “Piping Inspection Code”, which
defines inspection, repair, alteration, and rerating of in-service piping systems. Additional details
and requirements (e.g., corrosion under insulation, deadlegs, erosion, fatigue, environmental
cracking, localized corrosion) can be found in the specific inspection plans for piping circuits.
Injection points are defined as locations where relatively small quantities of materials are
injected into the process stream to control chemistry or other process variables. (Examples
include water injection in overhead streams and inhibitor/neutralizer/antifoam injection in
process streams.) The injection point system shall be defined as a minimum of 12.0 inches or
3 pipe diameters upstream of the injection point (whichever is greater) to the second change in
flow direction past the injection point, or 26.0 feet beyond the first change in flow direction
(whichever is less).
Each piping circuit shall be monitored by taking thickness measurements at TMLs, sometimes
referred to as inspection points. Piping circuits with high consequence of failures (COFs)
(i.e., Class 1 and some Class 2) and those subject to higher corrosion rates or localized corrosion,
should normally have more TMLs assigned. Piping inspection sketches or isometrics should
show TMLs.
Procedures should be written that define and identify how TMLs are assigned, numbered,
identified in the field, and monitored, measured, and recorded.
This guideline is to assist in establishing the inspection frequency and scope based on the
previously established risk ranking. The frequency of inspection recommended in this document
is based on the principles outlined in API 510, API 570, and API 653 (industry standards) and
the National Board Inspection Code, which are considered to be generally recognized and
accepted good engineering practices. If the state and local laws supersede these documents, they
should be used to the extent applicable. Guidance on appropriate NDE techniques is found in the
Risk Directed Mechanical Integrity Program (RDMIP) database and specific equipment
inspection plans.
The scope and frequency of inspections is determined by the risk ranking obtained for each
equipment item. Many guidelines exist for the frequency of inspections, from industry guidelines
(such as API 510 and 570) to pilot RBI studies. The frequency of inspection will depend on
damage mechanisms, risk ranking, and specific plant conditions and goals. For some facilities it
may be important to keep equipment in a certain risk range or reduce high LOF items by
conducting inspections. These inspections may have to be conducted at frequent intervals to
maintain a certain level of risk.
APTECH has developed its own guidelines and procedures for determining scope and
frequencies of inspections. These guidelines have been used on several facilities and are based
on the LOF and COF values for the equipment item. Inspection intervals can also be based on
piping service classification, corrosion-rate/remaining life calculations, risk ranking, and
applicable jurisdictional requirements. Inspection intervals must be reviewed and adjusted as
necessary after each inspection or significant change in operating conditions.
A facility typically knows its operations and equipment better than anyone else, and, because of
this, may alter these guidelines based on other industry guidelines, specific plant experience,
Hazard and Operations studies, or good engineering judgment. Deviations from these
requirements should be based on sound engineering judgment, should be approved by operations,
and should be documented. The risk ranking of equipment is a significant factor to be used when
considering these deviations.
These scope and frequency guidelines are intended as preliminary discussion points until further
data and knowledge are gained. Additional engineering analysis may be required when
establishing a new inspection scope and frequency based on risk ranking, particularly for items
that exhibit a high COF ranking and the change constitutes relaxation of the current inspection
program. Evidence from previously collected data in areas having the highest potential for
damage should be considered to the maximum extent possible when conducting such analysis.
Scope of Inspections
From the LOF and COF procedures, record the product of these numbers on the Risk Ranking
Matrix.
Risk Matrix
[Figure: risk matrix with Likelihood (Very High, High, Medium, Low) on the vertical axis and
Consequence (Very Serious, Serious, Marginal, Minor) on the horizontal axis, ranging from High
Risk to Low Risk.]
The following table shows how the recommended scope of inspection can be related to the risk
ranking, where a decrease in the risk ranking results in a decrease in the relative amount of
surface area inspected and the number of different locations to inspect (e.g., 1 = 100%, 2 = 50%,
3 = 25%, and 4 = 10%). The percentage of specific areas to be inspected is defined by three
statements, which apply to each risk level and its associated percent as follows:
§ Percent of susceptible areas to be inspected for the identified damage mechanism with an
appropriately effective technique
§ Percent of highly stressed areas (e.g., longitudinal weld seams, nozzle and other
openings, or attachment welds) to be inspected
§ Percent of affected surface area to be inspected by visual techniques for either uniform or
random corrosion mechanisms
The effective technique referenced above should be based on the identified damage mechanism.
Suggested inspection techniques have been identified for each damage mechanism in the specific
inspection plans for each equipment item.
In addition to this, one can use the LOF and COF to determine the scope of inspections. On the
risk matrix, associated with each LOF and COF ranking, a scope of inspection can be described.
LOF
1 2 3 4
Inspection Scope
2 50% 50% 25% 10%
In certain circumstances, the scope of inspection can be described by the probability that a
certain NDE mechanism will detect a specific damage mechanism. This approach will be
specific to the damage mechanism identified and the NDE technique used. One needs to identify
the desired confidence or reliability levels required, based on the risk ranking of the equipment
item. For a high-risk item, one would want a high degree of confidence that, using the
appropriate NDE technique, a potential damage mechanism will be found and identified. This
approach is described in the following table.
Scope
§ Define at risk population for common mechanism
Ø Percent area or linear feet of weld
§ Identify the confidence and reliability levels desired
Ø RR1 = 95% confidence/reliability
Ø RR2 = 85% confidence/reliability
Ø RR3 = 75% confidence/reliability
Ø RR4 = 60% confidence/reliability
Examples
§ Integrity of over 7,000 piping system welds
Ø Suspected of microbial induced corrosion and lack of penetration
Ø Characterized by biased sample of 64 radiographs (95% confidence/reliability)
Ø Integrity justified by fracture mechanics calculations
§ Butane storage sphere with over 2,000 defects
The LOF, COF, damage mechanism, and risk ranking of an equipment item determines the
inspection schedules for a facility. In general terms, very high-risk items need to be inspected
immediately or as soon as possible—high risk items at intervals ranging from 2 to 5 years, while
certain low-risk items can be inspected once every 20 years. These inspections can range from
external visual inspections to full scale internal inspections. Comprehensive external inspections
may reduce the risk of equipment items so internal inspection frequencies can be reduced. The
process is dynamic and depends on damage mechanisms, plant evidence, operating conditions,
and the altering risk of equipment as items age and inspections gain additional knowledge.
FREQUENCY OF INSPECTION
Max interval should not exceed one-half of remaining useful life (RUL) of component.
(Or as required by State/Federal Law)
For the highest risk equipment, this frequency should be established on an individual basis
considering all aspects of the risk involved. For the remaining risk levels, the frequency is based
on the standard unit turnaround interval. Maximum intervals have been suggested for Levels 2,
3, and 4, based on the guidelines in API 510 and API 653. In addition, two other considerations
have been noted as follows:
§ The inspection interval should not exceed one-half of the estimated remaining life (this
applies to all risk levels) without appropriate consideration and documentation.
§ The inspection intervals should not exceed state and local laws, if applicable.
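The circuit-level corrosion-rate calculation and the one-half-of-remaining-life rule described above can be worked through in code. The following is an added example, not part of the original course notes: the thickness readings, TML names, and required thickness are constructed, the choice of the greater of the long-term and short-term rates is a conservative assumption, and the 10-year default cap is the API 510 limit cited earlier in this section.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Reading:
    when: date            # inspection date
    thickness_in: float   # measured wall thickness at the TML, inches


def _rate(old, new):
    """Metal loss per year between two readings, in inches/year."""
    years = (new.when - old.when).days / 365.25
    if years <= 0:
        raise ValueError("readings must fall on different, increasing dates")
    # Apparent wall growth is measurement scatter; treat it as zero loss.
    return max(0.0, (old.thickness_in - new.thickness_in) / years)


def corrosion_rates(history):
    """Return (long_term, short_term) rates for one TML.

    Long-term uses the first and latest readings; short-term uses the
    two most recent readings.
    """
    h = sorted(history, key=lambda r: r.when)
    if len(h) < 2:
        raise ValueError("need at least two readings to compute a rate")
    return _rate(h[0], h[-1]), _rate(h[-2], h[-1])


def remaining_life_years(current_in, required_in, rate):
    """(actual thickness - required thickness) / corrosion rate."""
    if current_in <= required_in:
        return 0.0              # already at or below the retirement limit
    if rate == 0.0:
        return float("inf")     # no measurable loss
    return (current_in - required_in) / rate


def assess_circuit(tmls, required_in, max_interval_years=10.0):
    """Evaluate every TML in a circuit and derive the next interval.

    Assumptions of this example: the greater of the two rates governs
    each TML, and the TML with the shortest remaining life governs the
    circuit. The interval is the lesser of one-half of the remaining
    life and max_interval_years.
    """
    results = {}
    for name, history in tmls.items():
        long_term, short_term = corrosion_rates(history)
        latest = max(history, key=lambda r: r.when).thickness_in
        results[name] = {
            "long_term": long_term,
            "short_term": short_term,
            "remaining_life": remaining_life_years(
                latest, required_in, max(long_term, short_term)),
        }
    limiting = min(results, key=lambda n: results[n]["remaining_life"])
    life = results[limiting]["remaining_life"]
    return {
        "tmls": results,
        "limiting_tml": limiting,
        "remaining_life": life,
        "interval_years": min(max_interval_years, life / 2.0),
    }


# Constructed sample data: one elbow and one straight run in the same circuit.
SAMPLE_CIRCUIT = {
    "E1-elbow": [
        Reading(date(2008, 1, 1), 0.500),
        Reading(date(2016, 1, 1), 0.460),
        Reading(date(2020, 1, 1), 0.420),   # loss is accelerating
    ],
    "S1-straight": [
        Reading(date(2008, 1, 1), 0.500),
        Reading(date(2016, 1, 1), 0.490),
        Reading(date(2020, 1, 1), 0.486),
    ],
}
REQUIRED_IN = 0.300  # constructed minimum required thickness, inches

if __name__ == "__main__":
    report = assess_circuit(SAMPLE_CIRCUIT, REQUIRED_IN)
    for name, r in report["tmls"].items():
        print(f"{name}: LT {r['long_term']:.4f} in/yr, "
              f"ST {r['short_term']:.4f} in/yr, "
              f"remaining life {r['remaining_life']:.1f} yr")
    print(f"limiting TML: {report['limiting_tml']}, "
          f"next interval: {report['interval_years']:.1f} yr")
```

In the sample the elbow's short-term rate exceeds its long-term rate, so the accelerating location sets the circuit interval even though the straight run alone would allow the full 10 years.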
Other approaches to setting inspection intervals are shown in the following table. These intervals
are based on client guidelines and regulatory authorities.
The following figure shows inspection intervals based on both the LOF and COF. On the risk
matrix, associated with each LOF and COF ranking, a frequency of inspection is described.
Since inspections impact the LOF and high likelihood items need to be inspected more
frequently, the matrix is likelihood skewed.
[Figure: risk matrix giving the inspection frequency for each LOF (1 to 4) and COF ranking]
Inspection intervals and next inspection dates are also recommended by inspection data
management programs, such as PCMS, Ultrapipe, and 3 Rivers Technology. Together, with the
risk ranking of a vessel, these are powerful tools for guiding inspection dates and intervals.
However, these tools are only really effective for uniform corrosion and are less effective for
localized corrosion. Other damage mechanisms, such as cracking, fatigue, and thermal effects
may need more rigorous models in order to predict the next inspection dates.
SCOPE OF INSPECTIONS
From the LOF and COF procedures, select the product of these numbers on the Risk Ranking
Matrix. The risk ranking of a piping circuit (or that of the attached vessel) can now be used to
determine the scope of piping inspections and how many TMLs need to be identified.
Each piping circuit shall be monitored by taking thickness measurements at TMLs, sometimes
referred to as inspection points. Piping circuits with high COFs (i.e., Class 1 and some Class 2)
and those subject to higher corrosion rates or localized corrosion should normally have more
TMLs assigned. Inspection techniques for uniform corrosion of piping systems are typically UT
readings at the predetermined TMLs (or radiography techniques for small bore piping systems on
fittings, 2.00 inches or less in diameter). Depending on the type of damage anticipated or
encountered in either the piping system or upstream or downstream equipment, other NDE
techniques may be recommended. Non-uniform corrosion mechanisms such as SCC should be
inspected using the guidelines provided in the specific equipment inspection plans.
The following guidelines on the recommended number of TMLs apply to uniform corrosion and
are to be applied to new or in-service piping systems where there have either been no inspections
or insufficient experience or inspections documented to determine that no degradation potential
exists. Once a piping inspection system has been in place and corrosion or damage data
collected, the specific corrosion rate and inspection history can be used to determine the optimal
number of TMLs.
As stated in API 570, inspectors must use their knowledge (and that of others) of the process unit
to optimize the TML selection for each circuit, balancing the effort of collecting the data with the
benefits provided by the data. It is recommended that inspection priority be given to examining
(in order of preference):
§ Deadlegs/injection points
§ Elbows
§ Reducers
§ Other turbulent flow areas (downstream of orifice plates on restriction orifices, throttling
control valves, pumps, etc.)
§ Tees
§ High point vents/low point drain
§ Straight-run piping
If the number of TMLs calculated exceeds the number of TMLs assigned, based on the above
criteria, the remaining TMLs can be assigned to representative sections of the straight run piping
in the system.
Specific locations for thickness measurements are based on the pattern of corrosion expected in a
piping system or on actual historical data. This should be used as a starting point in establishing
the initial TMLs in new piping systems or in systems where no prior inspections have been
recorded. Isometrics and TMLs are shown in Appendix E.
Injection points are defined as locations where relatively small quantities of materials are
injected into the process stream to control chemistry or other process variables. (Examples
include water injection in overhead streams and inhibitor/neutralizer/antifoam injection in
process streams.) The injection point system shall be defined as a minimum of 12.0 inches or
3 pipe diameters upstream of the injection point (whichever is greater) to the second change in
flow direction past the injection point, or 26.0 feet beyond the first change in flow direction
(whichever is less). Deadlegs should be scanned (depending on line diameter) using a grid
pattern in order to determine an average corrosion rate and minimum wall thickness.
Inspection intervals and next inspection dates are also recommended by inspection data
management programs, such as PCMS, Ultrapipe, and 3 Rivers Technology. Together, with the
risk ranking of circuits, these are powerful tools for guiding inspection dates and intervals.
However, these tools are only really effective for uniform corrosion and are less effective for
localized corrosion. Other damage mechanisms, such as cracking, fatigue, and thermal effects
may need more rigorous models in order to predict the next inspection dates.
EROSION/CORROSION
1. Contamination from chemical species that could cause stress corrosion cracking (e.g.,
wet H2S, CO/CO2 + H2O, caustic, amines, chlorides, polythionic acids) or corrosion
fatigue cracking of deaerators.
2. Rapid corrosion at or near an injection point due to addition or deletion of an
injection point, changes in flow rate, changes in flow patterns, or other failure of the
injection system to perform as required.
3. Severe corrosion downstream of alloyed equipment due to process upsets that cause
unneutralized corrosive species or contaminants to be present in systems with
materials not specified for corrosive conditions.
4. Hydrogen embrittlement or hydrogen blistering from increased concentrations of H2S
or cyanides.
5. Accelerated corrosion from increased concentrations of naphthenic acids in feed
stocks or various distillation cuts.
6. Ammonium hydrosulfide or ammonium chloride salt deposition and resultant
corrosion rate acceleration with increased concentrations of ammonia, sulfides, or
chlorides or insufficient water washing.
7. Caustic cracking of bolted connections from small leaks of boiler feedwater or other
caustic containing solutions. Caustic cracking of non-stress relieved equipment from
heat exchanger tube leaks or caustic carryover.
8. Introduction of moisture during process upsets or shutdowns that caused increased
corrosion rates in otherwise dry systems or the deletion of moisture in systems
otherwise dependent on moisture for protection against corrosion or cracking.
9. Liquid carryover into gas streams or velocity changes of mixed phase streams
accelerating corrosion-erosion of elbows, tees and other areas subject to turbulence
(e.g. downstream of control valves).
10. Changes in pH or corrosion control measures that could lead to accelerated corrosion
or cracking.
11. Changes in water treating chemistry or procedures that accelerate water side
corrosion.
12. Changes in the monitoring or maintenance of cathodic protection systems that could
lead to accelerated corrosion of buried piping or storage tank bottoms.
1. Temperature changes that might cause brittle fracture of any equipment from
materials with low toughness due to thermal shock or from transient conditions
experienced in startup or shutdown of heavy wall vessels.
3. Over stressing or shocking brittle materials such as cast iron and aged or embrittled
steels.
DESIGN/MECHANICAL
3. Slugging in piping or flare lines that could cause hydraulic shock and transient over
stress conditions.
4. Changes in operating capacity or throughput that have not considered the impact on
relief capacity.
6. Over stressing piping systems not designed with sufficient flexibility if higher
temperature fluids are introduced.
1. Exceeding the temperature or hydrogen partial pressure limits that might lead to high
temperature hydrogen attack in hydro process environments or accelerated creep or
other embrittlement phenomena.
3. Excessive temperatures or hot spots that could cause rupture from short-term
overheating of furnace tubes, transfer lines, or catalyst containing vessels.
7. Changes in erosion rates due to catalyst carryover or changes in process flow rates
where solid phases are present.
9. Sulfuric acid concentration falling below critical limits due to process upsets or
changes causing accelerated corrosion.
10. Temperature, pressure or other process changes that cause shifts in dew point and
therefore shifts in areas where corrosive compounds condense and accelerate
corrosion rates.
12. Changes in process temperatures or idling of normal hot equipment that might lead to
accelerated corrosion under wet insulation.
14. Over pressuring equipment or piping when using high pressures or positive
displacement pumps to unplug a line.
Once equipment has been risk ranked and inspections conducted, any deficiencies need to be
solved using industry guidelines and good engineering practices. This procedure defines the
process for evaluating inspection results and determining if equipment conditions comply with
appropriate design codes, industry standards, and generally recognized good engineering
practices.
In addition, it provides a guideline for establishing the equipment’s FFS based on the inspection
findings and provides for the resolution of any defined deficiency. This guideline is based on the
draft copy of API’s Document 579, Fitness for Service, and is intended to meet the requirements
of the Occupational Safety and Health Administration’s 29 CFR 1910.119 (j). If state and local
laws supersede this document, they should be used, as applicable.
OVERVIEW
This process is initiated when a potential equipment flaw, defect, or other deficiency
(e.g., general or localized corrosion, cracking, blistering, buckling, reduced ductility due to
in-service embrittlement) is identified in the plant by inspection. The following is a simplified
flow diagram.
[Flow diagram: Potential Equipment Deficiency Identified; Identify Specific Damage Mechanisms and Extent of Damage; three branches labeled "Fail"]
The process ensures a thorough, systematic analysis of the problem utilizing industry standards
(API 510, 570, 653, and 579) and provides for a standardized documentation and approval
process.
PROCEDURE
A basic design/operating philosophy should be established which covers the minimum design
code requirements, corrosion allowances, and acceptable levels of risk that the plant is willing to
assume with increasing complexity of engineering assessment. An increased level of review and
approval is required for increased levels of assessment.
Condition Assessment
In the previous figure, equipment deficiencies are identified through inspections, tests, design
reviews, process hazard analysis (PHA), etc. For fixed equipment, deficiencies are often various
forms of deterioration such as uniform or localized corrosion, pitting, blistering, cracking, or
mechanical deformation. In some cases, a deficiency could exist where the design of a piece of
equipment does not meet the intended or existing service conditions, including cases that do not
involve corrosion (e.g., inadequate material thickness resulting in an over-stressed condition or
inadequate toughness, resulting in a brittle fracture concern).
If the deficiency falls outside of the allowable design criteria (usually limited to the corrosion
allowance and/or allowable defect/flaw sizes from the appropriate manufacturing code), then a
FFS analysis is initiated.
The initial FFS Level 1 evaluation is intended for use at the plant inspection level. At this level,
the described condition is compared against simplified charts or graphs for acceptable cracking
levels or the average thickness measured across a corroded region, which are related to the
nominal wall thickness minus the corrosion allowance (per API 510 and 653 standards). An
increasing level of complexity is required for the analysis of defects or conditions that do not
pass the previous level. Level 2 was intended to be applied by a plant mechanical engineer. At
this level, standard design calculations are made to take credit for any extra fabricated thickness,
which can in turn be used as additional corrosion allowance. Other less conservative assumptions
The following covers the basic outline of API 579 and the procedural controls necessary to
approve the continued operation of a vessel with less than the originally intended margin of
safety.
Starting with a Level 1 assessment conducted by the Inspector, the summary of findings and
recommendations should be carefully documented. The person performing the evaluation should
indicate if the deficiency passed the level of analysis being applied. If not, the analysis level
should be increased, to the point that a MIRE is conducted or the equipment is shut down. The
appropriate approval signatures, as indicated for each level on a worksheet, should be obtained
by the evaluator.
1. API 579 Contents
§ Definition of FFS
§ Purpose of RP 579
§ Relationship to API 510, 570, and 653
§ Responsibilities
Ø Role of an Inspector
Ø The Engineer and Functional Roles
3. Levels of Assessment
§ Level 1
§ Level 2
§ Level 3
The Fitness-For-Service assessment procedures in this document are organized by flaw type
and/or damage mechanism. A list of flaw types and damage mechanisms and the corresponding
section which provides the FFS assessment methodology. In some cases, it may be necessary to
use the assessment procedures from multiple sections if the primary type of damage is not
evident. For example, the metal loss in a component may be associated with general corrosion,
local corrosion and pitting. If multiple damage mechanisms are present, a degradation class, e.g.,
corrosion/erosion, can be identified to assist in the evaluation. Several flaw types and damage
mechanisms may need to be evaluated to determine the Fitness-For-Service of a component.
Each section referenced within a degradation class includes guidance on how to perform an
assessment when multiple damage mechanisms are present.
The general Fitness-For-Service assessment procedure used in this Recommended Practice (RP)
for all flaw types is provided in this section. An overview of the procedure is provided in the
following eight steps. The remaining sections in this RP utilize this assessment methodology for
a specific flaw type or damage mechanism and provide specific details covering Steps 2 through
8 of this procedure.
Step 1 — Flaw and Damage Mechanism Identification: The first step in a Fitness-For-Service
assessment is to identify the flaw type and cause of damage (see paragraph 2.1.2). The
original design and fabrication practices, the material of construction, and the service
history and environmental conditions can be used to ascertain the likely cause of the
damage. Once the flaw type is identified, the appropriate section of this document can
be selected for the assessment.
Step 3— Data Requirements: The data required for a FFS assessment depend on the flaw type
or damage mechanism being evaluated. Data requirements may include: original
equipment design data, information pertaining to maintenance and operational history,
expected future service, and data specific to the FFS assessment such as flaw size, state
of stress in the component at the location of the flaw, and material properties. Data
requirements common to all FFS assessment procedures are covered in this section.
Data requirements specific to a damage mechanism or flaw type are covered in the
section containing the corresponding assessment procedures.
Step 5— Remaining Life Evaluation: An estimate of the remaining life or limiting flaw size
should be made for the purpose of establishing an inspection interval. The remaining
life is established using the FFS assessment procedures with an estimate of future
damage. The remaining life can be used in conjunction with an inspection code to
establish an inspection interval.
Step 6— Remediation: Remediation methods are provided in each section based on the damage
mechanism or flaw type. In some cases, remediation techniques may be used to control
future damage associated with flaw growth and/or material degradation.
Step 7— In-Service Monitoring: Methods for in-service monitoring are provided in each section
based on the damage mechanism or flaw type. In-service monitoring may be used for
those cases where a remaining life and inspection interval cannot adequately be
established because of the complexities associated with the service environment.
Three Levels of assessment are provided in each Section of this document which cover FFS
assessment procedures. A logic diagram is included in each Section to illustrate how these
assessment levels are interrelated. In general, each assessment level provides a balance between
conservatism, the amount of information required for the evaluation, the skill of the personnel
performing the assessment, and the complexity of analysis being performed. Level 1 is the most
conservative, but is easiest to use. Practitioners usually proceed sequentially from a Level 1 to a
Level 3 analysis (unless otherwise directed by the assessment techniques) if the current
assessment level does not provide an acceptable result, or a clear course of action cannot be
determined. A general overview of each assessment level and its intended use are described
below.
Level 1 — The assessment procedures included in this level are intended to provide conservative
screening criteria that can be utilized with a minimum amount of inspection or
Level 2— The assessment procedures included in this level are intended to provide a more
detailed evaluation that produces results that are more precise than those from a Level
1 assessment. In a Level 2 Assessment, inspection information similar to that required
for a Level 1 assessment is needed; however, more detailed calculations are used in
the evaluation. Level 2 assessments would typically be conducted by plant engineers,
or engineering specialists experienced and knowledgeable in performing FFS
assessments.
Level 3— The assessment procedures included in this level are intended to provide the most
detailed evaluation which produces results that are more precise than those from a
Level 2 assessment. In a Level 3 Assessment the most detailed inspection and
component information is typically required, and the recommended analysis is based
on numerical techniques such as the finite element method.
Each of the FFS assessment methodologies presented in this document utilizes one or more of the
following acceptance criteria:
Allowable Stress — This acceptance criterion is based upon calculation of stresses resulting from
different loading conditions, classification and superposition of stress results, and comparison of
the calculated stresses in an assigned category or class to an allowable stress value. An overview
and aspects of these acceptance criteria are included in Appendix B. The allowable stress value is
typically established as a fraction of yield, tensile or rupture stress at room and the service
temperature, and this fraction can be associated with a design margin. This acceptance criteria
method is currently utilized in most new construction design codes. In FFS applications, this
method has proven to have limited applicability because of the difficulty in establishing suitable
stress classifications for components containing flaws. As an alternative, assessment methods
based on elastic-plastic analysis can be used.
Remaining Strength Factor— Structural evaluation procedures using linear elastic stress
analysis with stress classification and allowable stress acceptance criteria provide only a rough
approximation of the loads which a component can withstand without failure. A better estimate
of the safe load carrying capacity of a component can be provided by using nonlinear stress
analysis to: develop limit and plastic collapse loads, evaluate the deformation characteristics of
the component (e.g. deformation or strain limits associated with component operability), and
assess fatigue and/or creep damage including ratcheting.
a. In this document, the concept of a remaining strength factor is utilized to define the
acceptability of a component for continued service. The Remaining Strength Factor
(RSF) is defined as:
$$RSF = \frac{L_{DC}}{L_{UC}}$$
where
b. With this definition of the RSF, acceptance criteria can be established using traditional
code formulas, elastic stress analysis, limit load theory, or elastic-plastic analysis. For
example, to evaluate local thin areas (see Section 5), the FFS assessment procedures
provide a means to compute a RSF. If the calculated RSF is greater than the allowable
RSF (see below) the damaged component can be placed back into service. If the
calculated RSF is less than the allowable value, the component can be repaired, rerated or
some form of remediation can be applied to reduce the severity of the operating
environment. The rerated pressure can be calculated from the RSF as follows:
$$MAWP_r = MAWP \left( \frac{RSF}{RSF_a} \right) \quad \text{for } RSF < RSF_a$$
where
Remaining life estimates will fall into one of the following three general categories.
The Remaining Life Can be Calculated With Reasonable Certainty — An example is
general uniform corrosion, where a future corrosion allowance can be calculated and
the remaining life is the future corrosion allowance divided by the assumed corrosion
rate from previous thickness data, corrosion design curves, or experience in similar
services. Another example may be long term creep damage, where a future damage rate
can be estimated. An appropriate inspection interval can be established at a certain
fraction of the remaining life. The estimate of remaining life should be conservative to
account for uncertainties in material properties, stress assumptions, and variability in
future damage rate.
The Remaining Life Cannot be Established With Reasonable Certainty — Examples
may be a stress corrosion cracking mechanism where there is no reliable crack growth
rate data available or hydrogen blistering where a future damage rate cannot be
estimated. In this case remediation methods should be employed, such as application of
a lining or coating to isolate the environment, drilling of blisters, or monitoring.
Inspection would then be limited to assuring remediation method acceptability, such as
lining or coating integrity.
There is Little or No Remaining Life — In this case remediation, such as repair of the
damaged component, application of a lining or coating to isolate the environment,
and/or frequent monitoring is necessary for future operation.
API 579
All condition assessments are to be documented and reviewed. After the appropriate reviews are
completed, the condition assessments are filed in the specific equipment or piping files.
The purpose of this procedure is to provide a detailed work instruction for the determination of
the RUL of process equipment. This work instruction is intended to be used in conjunction with
the LOF and COF work instructions, along with other procedures, as appropriate.
OVERVIEW
Equipment is designed with assumed environmental and operating conditions. These conditions
(flows, pressures, temperatures, etc.) are documented as the “design basis.” Material selection is
made and the design finalized in accordance with design specifications and codes and standards.
Safe design is a relative term that can be considered on a case-by-case basis and is governed by
local regulations and good engineering practices. The risk ranking procedure in RDMIP
Implementation, Volume II, documents the design and process conditions for equipment.
The first principle of mechanical integrity (MI) requires that the owner/operator be able to
demonstrate FFS at any given time for covered equipment. This requires that there is knowledge
of the current condition of the equipment (through inspection activities), and that the design and
operating conditions are known (from documentation and management of change programs). The
RUL assessment is critical to the overall MI program, in that it is used to determine a future
point where the margin of safety has deteriorated to a predetermined point.
§ Operations must remain within the as-designed operating parameters or seek changes to
the design basis.
§ Maintenance and inspection functions provide services to periodically check the
operating and material condition of the plant to provide advance warning of potential
problems.
§ Technical and engineering functions define the design basis and operating limits and
resolve discrepancies.
Equipment is generally specified and procured to a design life. If not provided in procurement
documents, an acceptable definition of design life can be found in recognized industry norms.
There are three levels of RUL assessments that can be determined. In general, the level of
analysis will depend on specific damage mechanism involved, the current degree of degradation,
and the complexity of the analysis. There is no specific rule that allows for predetermination of
the required assessment level. The following guidelines provide assistance in determining the
appropriate level and type of analysis that may be applied.
§ Level 1 – The first level is the lowest level of technical analysis, and generally consists of
an evaluation based on the original equipment design, the nominal thickness values (less
the corrosion allowance), and the time in service. Actual corrosion rate data or industry
data may be considered in the evaluation. Standard analysis techniques such as those
embodied in API-510, 653, and 570 are usually employed. This level primarily
encompasses the uniform corrosion mechanisms. Inspection management programs, such
as PCMS and Ultrapipe typically calculate retirement dates and RUL based on UT data
history and corrosion rates.
§ Level 2 – The second level of analysis utilizes more advanced techniques exemplified by
the American Society of Mechanical Engineers’ calculations for the minimum code
thickness allowed, statistical analysis of corrosion data, inferential analysis using
empirical corrosion data, or calculated corrosion rates.
§ Level 3 – The third level of analysis typically utilizes the same techniques for
determining the rate of degradation as noted in Level 2; however, a more advanced
treatment of the minimum allowable thickness based on closed form formulas and/or
finite element analysis and fracture mechanics principles is used. The actual material
properties as determined by laboratory testing can be incorporated in the analysis. This
removes the need to use minimal properties as defined by the codes. This level of
analysis is developed for an individual component or piece of equipment, and a detailed
explanation of the process is outside the scope of this procedure.
Utilizing the information from LOF and COF analysis for individual equipment, the following
procedure shall be applied to evaluate the RUL. The evergreen procedure will be applied to
update the risk ranking as future inspection data or results of additional engineering analysis
become available. These data may likewise be used to update the RUL analysis. Should
discrepancies be discovered, they should be resolved using the FFS procedures outlined in
Section 11 of this volume.
PROCEDURE
Level 1 Assessment
For the initial Level 1 evaluation, design parameters shall be examined to ascertain if, on the
basis of most conservative considerations, the component has remaining life greater than the
anticipated extended service period information. Service parameters to be evaluated include:
§ Has operation exceeded the design parameters for significant excursions and/or duration?
§ Have the design parameters or material choices been shown to be inadequate since the
unit began operation?
If the answer to any of these key questions is ‘yes’ or if the component is found to have less
remaining life than the expected design life, the evaluation shall move to a Level 2 assessment.
If actual corrosion data exist, the corrosion rate may be determined utilizing the formula as
referenced in API-510. The retirement thickness at this level should be considered to be the
specific thickness minus the corrosion allowance.
Level 2 Assessment
§ Actual inspection data gathered from prior inspection(s), including the inspection
techniques used and the results to confirm whether or not damage mechanisms ranked 1
or 2 are active
§ Previous repair or alteration reports
§ Actual process condition (temperature, pressure, process composition, and flow rates)
The specific method and data considered in the determination of RUL will vary depending on the
damage mechanisms that are active. In general, the calculation will include the specific measured
rate of deterioration (most commonly in the form of UT thickness measurements) or
corrosion/damage rate charts from industry sources. Consideration should be given to a statistical
based analysis, if a significant amount of data exist. For a Level 2 analysis, the actual required
thickness by the applicable code may be used in lieu of the nominal thickness minus the
corrosion allowance.
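The Level 1 and Level 2 RUL screening described above, combined with the half-remaining-life interval limit from the FREQUENCY OF INSPECTION section, as an added worked example that is not part of the original course notes. The function names, the thickness readings, the 5-year interval cap and the 3-year service period are constructed for illustration, and taking the larger of the long-term and short-term corrosion rates is a conservative assumption of this example.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Reading:
    year: float       # decimal year of the UT survey
    thickness: float  # measured wall thickness at the TML, inches


def corrosion_rate(readings):
    """Rate in in/yr: the larger of the long-term rate (first vs. latest
    reading) and the short-term rate (previous vs. latest reading).
    Taking the larger one is this example's conservative assumption."""
    r = sorted(readings, key=lambda x: x.year)
    if len(r) < 2:
        raise ValueError("need at least two readings to derive a rate")

    def rate(a, b):
        span = b.year - a.year
        if span <= 0:
            raise ValueError("readings must come from different surveys")
        return (a.thickness - b.thickness) / span

    return max(rate(r[0], r[-1]), rate(r[-2], r[-1]))


def remaining_life(readings, retirement_thickness):
    """Years until the latest reading corrodes down to retirement thickness."""
    latest = max(readings, key=lambda x: x.year)
    margin = latest.thickness - retirement_thickness
    if margin <= 0:
        return 0.0            # already at or below retirement thickness
    rate = corrosion_rate(readings)
    if rate <= 0:
        return math.inf       # no measurable metal loss between surveys
    return margin / rate


def inspection_interval(life_years, cap_years):
    """Half the remaining life, never longer than the risk-level cap."""
    return min(life_years / 2.0, cap_years)


def assess_circuit(tmls, nominal, corrosion_allowance, code_min_thickness,
                   service_years, cap_years):
    """Try Level 1, then Level 2; the TML with the shortest life governs."""
    levels = [(1, nominal - corrosion_allowance),  # Level 1 retirement thickness
              (2, code_min_thickness)]             # Level 2: code-required thickness
    result = None
    for level, retirement in levels:
        lives = {name: remaining_life(r, retirement) for name, r in tmls.items()}
        governing = min(lives, key=lives.get)
        life = lives[governing]
        result = {"level": level, "passed": life >= service_years,
                  "governing_tml": governing, "remaining_life": life,
                  "interval": inspection_interval(life, cap_years)}
        if result["passed"]:
            return result
    return result  # failed Level 2 as well: escalate to FFS / Level 3


# Constructed sample data: one piping circuit, thickness in inches.
SAMPLE_CIRCUIT = {
    "elbow-01":    [Reading(2010.0, 0.370), Reading(2015.0, 0.340),
                    Reading(2020.0, 0.300)],
    "straight-01": [Reading(2010.0, 0.372), Reading(2020.0, 0.362)],
    "deadleg-01":  [Reading(2010.0, 0.360), Reading(2015.0, 0.300),
                    Reading(2020.0, 0.245)],
}

if __name__ == "__main__":
    print(assess_circuit(SAMPLE_CIRCUIT, nominal=0.375, corrosion_allowance=0.125,
                         code_min_thickness=0.200, service_years=3.0,
                         cap_years=5.0))
```

In the sample circuit the deadleg is already below the Level 1 retirement thickness, so the assessment moves to Level 2, where the half-remaining-life rule, not the 5-year cap, sets the interval.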
If the actual inspection data reveal deviations from the original design dimensions or damage or
process information indicates possible damage from over pressure, over temperature, or greater
than specified process flow rates, additional dimensional checks or NDE may be required to
improve the state of knowledge about equipment integrity prior to proceeding with the RUL
analysis.
A FFS analysis must be conducted, in addition to the RUL analysis, if prior inspection data
reveal any of the following degradation mechanisms:
The following figure shows the Levels 1 and 2 assessment procedure for general metal loss, and
the next table contains a list of damage mechanisms and indicates what level of RUL evaluation
needs to be conducted.
[Flow chart: Levels 1 and 2 assessment procedure for general metal loss. Box labels recovered: Determine Minimum Thickness; Locate Regions of Metal Loss on the Equipment; Take Thickness Readings and Use Additional NDE to Confirm General Corrosion; Assessment Using Thickness Profiles?; Determine Inspection Plan(s); For Each Inspection Plan, Measure, and Record Thickness Reading; Determine Tmm and L from the Thickness Data; Determine Dimensions of Area, Tmm and Tam for the Critical Thickness Profiles; Is s<=L? (Yes/No); Region of Metal Loss is Acceptable; Evaluation Option]
Note:
Tmm: minimum measured thickness
Tam: average measured thickness
L: length for thickness averaging
s: metal loss in longitudinal direction
Mechanism | Failure Mode | RUL Level | Analysis Method
Amine SCC | Stress Corrosion Cracking | N/A | Stress-related corrosion mechanisms are typically very environment sensitive, and determining cracking rates outside of a controlled environment is difficult.
Ammonia SCC | Stress Corrosion Cracking – Transgranular and Intergranular | N/A | Stress-related corrosion mechanisms are typically very environment sensitive, and determining cracking rates outside of a controlled environment is difficult.
Brinelling and False Brinelling | Adhesive Wear, Fatigue | N/A | Due to the typical location (bearings) for this mechanism, damage rate measurements are usually in the form of SMP/accelerometer or other structural vibration measurements. Although some form of RUL is possible, it will be determined on an individualized basis.
Brittle Fracture | Cracking | N/A | This is not a time dependent damage mechanism and therefore a remaining useful life calculation is not appropriate.
Buckling | Localized Plastic Deformation | N/A | This is not a time dependent damage mechanism, and, therefore, a RUL calculation is not appropriate.
Carbonate Cracking | Stress Corrosion Cracking | N/A | Stress-related corrosion mechanisms are typically very environment sensitive and determining cracking rates outside of a controlled environment is difficult.
Caustic SCC | Stress Corrosion Cracking | N/A | Stress-related corrosion mechanisms are typically very environment sensitive, and determining cracking rates outside of a controlled environment is difficult.
Chloride (Halide) SCC | Stress Corrosion Cracking | N/A | Stress-related corrosion mechanisms are typically very environment sensitive, and determining cracking rates outside of a controlled environment is difficult.
CO/CO2 SCC | Stress Corrosion Cracking | N/A | Stress-related corrosion mechanisms are typically very environment sensitive, and determining cracking rates outside of a controlled environment is difficult.
Most event analysis systems allow investigators to answer questions about what happened during
an event and about how the event occurred, but often they are not encouraged to determine why
the event occurred.
Imagine an occurrence during which an operator is instructed to close Valve A; instead, the
operator closes Valve B. The typical investigation would probably result in the conclusion that
“operator error” was the cause of the occurrence. This is an accurate description of what
happened and how it happened. An operator committed an error by manipulating the wrong valve.
If the analysts stop at this level of analysis, however, they have not probed deeply enough to
understand the reasons for the mistake. Generally, mistakes do not “just happen.” They can be
traced to some well-defined causes. In the case of the valving error, we might ask: Was the
procedure confusing? Were the valves clearly labeled? Was the operator who made the mistake
familiar with this particular task? These and other questions should be asked to determine why
the error took place.
When the analysis stops at the point of answering WHAT and HOW, the recommendations for
preventing recurrence of the event may be deficient. In the case of the operator who turned the
wrong valve, we are likely to see recommendations like “Retrain the operator on the procedure,”
“Remind all operators to be alert when manipulating valves,” or “Emphasize to all personnel that
careful attention to the job should be maintained at all times.” Such recommendations do little to
prevent future occurrences. Investigations that probe more deeply into WHY the operator error
occurred are able to provide more specific, concrete, and effective recommendations. In the case
of the valving error, examples might include, “Revise the procedure so that references to valves
match the valve labels found in the field” or “Require operator trainees to have a training
procedure in hand when manipulating valves.”
The root cause analysis system provides a structured approach for the investigators trying to
discover the WHYs surrounding a particular occurrence. Identifying these root causes is the key
The figure below illustrates how the overall event analysis process works.
Although there is substantial debate concerning the definition of a root cause, the SOURCE
methodology uses the following definition:
“Root causes are the most basic causes that can reasonably be identified, which management
has control to fix and for which effective recommendations for preventing recurrence can be
generated.”
The investigator’s goal should be to identify basic causes. The more specific the investigator can
be about the reasons why an event occurred, the easier it will be to arrive at recommendations
that will prevent recurrence of the events leading up to the occurrence.
Root Causes Are Those Causes Over Which Management Has Control
Analysts should avoid using general cause classifications such as “operator error”. Such causes
are not specific enough to allow those in charge to rectify the situation. Management needs to
know exactly why a failure occurred before action can be taken to prevent reoccurrence.
Occurrence investigations must be completed within a reasonable time frame. It is not practical
to keep valuable manpower indefinitely occupied searching for the root cause of occurrences.
Root cause analysis helps analysts get the most out of the time they have allotted for the
investigation.
Root Causes Are Those Causes For Which Effective Recommendations Can Be Generated
Recommendations should directly address the root causes identified during the investigation. If
the analysts arrive at vague recommendations such as “Remind the operator to be alert at all
times,” then they probably have not found a basic enough cause and need to expend more effort
in the analysis process.
The root cause analysis process is a four-step process involving: (1) data collection and
preservation, (2) causal factor (CF) charting, (3) root cause identification, and (4)
recommendation generation and implementation.
The first step in the analysis is to gather data. Without complete information and an
understanding of the event, the causal factors and root causes associated with the event cannot be
identified. The majority of time spent analyzing an event is spent in gathering data.
CF charting provides a way for investigators to organize and analyze the information gathered
during the investigation and to identify gaps and deficiencies in knowledge as the investigation
progresses. The CF chart is simply a sequence diagram that describes the events leading up to
and following an occurrence, as well as the conditions surrounding these events. The final step in
CF charting involves identifying the major contributors to the occurrence (i.e., causal factors).
The next step, root cause identification, involves the use of a decision diagram called the Root
Cause Map™ to identify the underlying reason(s) for each causal factor identified during CF
charting. The identification of root cause helps the investigator of a specific event determine the
reasons why the event occurred so that the problems surrounding the occurrence can be fixed. In
addition, trending of the root causes of occurrences identified over a period of time can provide
valuable insight concerning specific areas for improvement. This is an added benefit of the
SOURCE root cause analysis process. Not only can it be used to prevent the recurrence of
specific events, but also lessons learned from individual occurrences can be combined to identify
major areas of weakness. This allows actions to be taken before a seemingly unrelated accident
or failure occurs.
The next step is the generation of recommendations. Following identification of the root
cause(s) for a particular causal factor, achievable recommendations for preventing its recurrence
must be generated.
Preparation of the CF chart should begin as soon as investigators start to collect information
about the occurrence. They begin with a “skeleton” chart that is modified as more relevant facts
are uncovered. Data collection continues until the investigators are satisfied with the
thoroughness of the chart (and hence are satisfied with the thoroughness of the investigation).
When the entire occurrence has been charted out, the investigators are in a good position to
identify the major contributors to the incident. These are labeled as causal factors. Causal factors
are those contributors (human errors and component failures) that if eliminated, would have
either prevented the occurrence or reduced its severity.
After all of the causal factors have been identified, the investigators begin root cause
identification. Each causal factor is analyzed, one at a time, using the Root Cause Map. The map
structures the reasoning process of the investigators by helping them answer questions about why
particular causal factors exist or occurred. After each causal factor is analyzed, the investigators
attempt to arrive at recommendations that will prevent its recurrence. This process continues
until root causes have been identified for each causal factor.
In many traditional analyses, the most visible causal factor is given all of the attention. Often, the
investigators are tempted to “jump to conclusions” about how to solve the problem. Rarely are
events caused by one causal factor. They are usually the result of a combination of contributors.
When only one predominant causal factor is addressed, the list of recommendations will likely
not be complete. Consequently, the occurrence may repeat itself. To help prevent the analyst
from omitting important recommendations, the root cause analysis process requires that all
causal factors be determined from analysis of the relevant events data and that each causal factor
be addressed separately. Root causes are identified for each causal factor, and recommendations
are generated in this manner, one at a time. The probability of missing important details
decreases by using this approach.
The methodology uses root cause summary tables to organize the information compiled during
CF charting, root cause identification, and recommendation generation. A summary table is
prepared for each causal factor identified during CF charting. The table is divided into three
columns with each column representing a major aspect of the root cause analysis process (i.e.,
identification of a causal factor, root cause identification, and recommendation generation). In
the first column, a general description of the causal factor is presented. This column provides
sufficient detail for the reader of an occurrence report to be able to understand, in a general
sense, the scenario surrounding the causal factor. The second column shows the path or paths
through the Root Cause Map that were used to categorize the causal factor. The third column
presents recommendations to address each of the root causes identified for the causal factor. Use
of this three-column format aids the investigator in addressing each causal factor individually
and is effective in ensuring that all important items are sufficiently covered.
If the investigators have completed a table for each of the causal factors identified, then the
results of the root cause analysis are completely documented. Although the internal requirements
of a company for an event report may not be flexible enough to allow the complete root cause
analysis to be placed in the body of the occurrence report, it is usually appropriate to attach the
CF chart and the tables as appendices to the final document.
The root cause analyst is often not responsible for the implementation of recommendations
generated by the analysis. However, if the recommendations are not implemented, the effort
expended in performing the analysis is wasted. In addition, the events that triggered the analysis
should be expected to recur. Because the recommendations are not implemented, the situation
has not been changed and it is inevitable that the event will occur again.
SUMMARY
The goal of root cause analysis is not only to understand the what and how of an event, but also
why it happened. The analysis of an event begins with the gathering of data. As the data is
gathered, it is organized and analyzed using causal factor charting. The goal is to identify the
causal factors for the event. Causal factors are those contributors (human errors and component
failures) that if eliminated, would have either prevented the occurrence or reduced its severity.
Once the event is understood by using causal factor charting and other analysis techniques, root
causes are identified for each causal factor. Root causes are the most basic causes that can
reasonably be identified, which management has control to fix and for which effective
recommendations for preventing recurrence can be generated. Finally, recommendations are
developed and implemented to prevent the causal factors from occurring again.
TYPICAL ISSUES
These include problems with equipment design, fabrication, installation, maintenance, and
misuse. Problems with the equipment reliability program are also identified/categorized under
this node.
TYPICAL RECOMMENDATION
A spill to the environment occurred because a valve failed. The valve failed because it was not
designed for the environment in which it operated.
TYPICAL ISSUES
These include problems related to the design and implementation of the maintenance program.
Was the wrong type of maintenance specified for the equipment? Are there problems with the
analysis process used to determine the appropriate maintenance requirements? Are there
problems related to performing the maintenance activities? Are monitoring activities
implemented to detect deteriorating equipment? Does the repair activity cover the required
scope?
§ Improve equipment operational and maintenance records to enable selection of the proper
type of maintenance
§ Assign additional resources to equipment with a demonstrated history of problems
§ Reduce maintenance on equipment that has no significant impact on production or safety
and that can be easily repaired or replaced
§ Provide maintenance procedures and training appropriate to the experience level of
personnel
EXAMPLES
During the past year, the failure rate for the feed pumps has doubled. Maintenance records are
inadequate to determine why any of the failures occurred. Work records just say “pump
repaired.”
A number of pump bearings have failed recently. Predictive maintenance was selected as the
appropriate type of maintenance for the pump bearings. However, there is no requirement for
monitoring of the pump bearings. As a result, the predictive maintenance activity was never
implemented.
Preventive maintenance (a calibration) was being performed on a product scale every 3 months.
However, operators requested additional calibrations about once per month as they noticed the
scale drifting. The frequency of the calibration was changed to once a month.
TYPICAL ISSUES
TYPICAL RECOMMENDATIONS
EXAMPLES
Maintenance activities had been specified for the running components of a wood chipping
machine (i.e., bearings, blades) but no maintenance activities had been specified for the safety
interlocks associated with the machine. The analysis procedure did not require safety interlocks
to be addressed. As a result, an operator’s arm was amputated when it was caught in the chipper
and the auto stop feature failed.
TYPICAL ISSUES
TYPICAL RECOMMENDATIONS
Corrective maintenance was assigned to an auger that provided raw materials to a food process.
This selection was based on a very low expected failure rate and a quick repair time. Actual
experience indicates the failures took much longer to repair than the analysis team estimated. As
a result, the risk associated with the failures was much higher than the team thought.
Records indicated that tube failures were occurring in heat exchangers shortly after plant startup.
The failures were determined to be caused by hot spots that developed when contaminants
collected in portions of the heat exchanger. Proactive maintenance activities were implemented
to clean out the system prior to startup. This removed the contaminants and prevented the heat
exchanger failures.
Maintenance Implementation
These include problems related to the implementation of maintenance activities. Was the repair
incorrectly performed? Was the troubleshooting less than adequate? Did the monitoring activity
fail to detect a failing component? Was maintenance performed when it should have been (i.e.,
following a shutdown, before a startup, when vibration readings reached a trigger point)?
TYPICAL RECOMMENDATIONS
EXAMPLES
A number of pump bearings have failed recently. Predictive maintenance was selected as the
appropriate type of maintenance for the pump bearings. However, monitoring of the pump
bearings was never performed even though it was identified as a requirement in the equipment
reliability program. As a result, the pump failed before the predictive maintenance activity was
implemented.
Preventive maintenance (a calibration) was being performed on a product scale every 3 months.
However, operators requested additional calibrations about once per month as they noticed the
scale drifting. The frequency of the calibration was changed to once per month after the company
was fined for shipping overloaded trucks.
SUMMARY
Metallurgical observations indicate that cracking in stainless steel tubing is a result of chloride
stress corrosion cracking (SCC). The cracking is the result of a corrosive environment on
external surfaces of the tube.
A possible cause of the SCC may be from excessive quantities of leachable chlorides in
insulation around the tube or the adhesives used to attach the insulation to the tube. Though other
sources for chloride contamination are possible, they are not expected under normal storage and
installation practices.
Steps towards resolution should include discussions with the tube bundle manufacturer
concerning chloride contaminants in his insulating materials. Unfortunately, this will not address
reliability concerns for existing installations, but it will help assure reliable equipment in future
installations.
OBSERVATIONS
Two ½-inch diameter stainless steel tubing samples containing representative cracking damage
were examined. Reportedly, both samples were from the same application.
Sample 1
The shorter piece of tubing with multiple, circumferential cracks best represented the
characteristics of the failure (Figure 1).
A metallurgical cross section at the cracking damage showed cracking originated on the outside
diameter (OD) of the tube. The cracking was transgranular and branched, characteristic of
chloride stress corrosion cracking (Figures 2 through 4).
The metallurgical cross section also showed cracking adjacent to the primary damage. The small
tight crack was not seen during the visual surface examination of the sample. The cracking is on
the OD of the tube and is characteristic of chloride SCC (Figure 3).
The only damage on the longer piece appeared to be on one end of the sample, which also
appeared to be the result of circumferential cracking.
The sample was mechanically broken apart during removal, and the distortion at the separation
gives the appearance of corrosion thinning. However, the thinning is a result of the mechanical
separation. Uniform corrosion does not appear to be a factor in these failures. Measurements at
other locations on the sample showed no thinning.
A metallurgical cross section where the tubing was separated also showed that cracking
originated on the outside diameter of the tubing. The transgranular, branched crack appearance is
characteristic of chloride stress corrosion cracking (Figure 4).
Design
Reportedly, the stainless steel tubing is in steam service and is part of the pre-insulated “bundle”.
The failure was unexpected, and the environment to cause SCC damage is not obvious in these
operating conditions. The process condition, pressures, and temperatures are well within the
design limits for the equipment. Reportedly, the steam is from a clean source, and corrosion
contaminants are not expected. In addition, a durable plastic sheath protects the tube bundle from
environmental corrosives, and there is no clear external source for corrosion.
With the design of the pre-insulated bundle, it appears that it would be very difficult to introduce
a corrosive to cause the damage found. Nevertheless, it would be prudent to reemphasize
storage and installation practices to prevent bundle contamination with corrosives.
This type of failure in this equipment is unusual. Similar chloride SCC damage has occurred in
two previous, separate events involving a similar design, but with a different
manufacturer. The solution may lie with quality control at the manufacturer.
CONCLUSIONS
The cracking failure in stainless steel tubing is a result of chloride SCC from the outside
surfaces. The chloride environment is likely a result of excessive leachable chlorides in the
insulation or adhesives used to assemble the bundle.
Figure 4 – Chloride SCC was also observed on failed tube samples where mechanical tearing
gave the appearance of corrosion thinning. There was no corrosion thinning. (200X)
Most major accidents occur in plants that have extended periods of safe operation. Operating
procedures and training on startup are clear, current and understood. Like cars, trains, airplanes
and other forms of 20th century mechanization, chemical plants and refineries are designed and
constructed to perform safely. If one considers the major accidents that have occurred over the
past 10 to 15 years – Bhopal, Seveso, Flixborough, the Challenger rocket explosion, Amtrak
train wrecks, plane wrecks, and the Piper Alpha offshore platform accident – each of these
mechanisms operated safely over a relatively long period before they became famous as widely
publicized accidents.
Why did these accidents occur at facilities after protracted periods of safe operation? More often
than not, the answer to this question is that something changed. Often the significance of the
change went unnoticed because the change was inadvertent or because systems were not in place
to detect and report that a change had occurred.
The purpose of the process safety standard is to assure that good engineering principles and
practices always are used when designing, constructing, operating and maintaining chemical
processing facilities. For instance, consider the design of a new plant. The very act of designing
the plant causes change, but in this case the change is conscious and intended. Upon startup,
other forms of change take place as feed materials, utilities, energy and operators are added to
the facility to transform it into a production plant. To this, add the urgency and confusion that
can be associated with startup, weather, spare parts, innovation, boredom and frictions between
plant workers and operating groups. All of these factors contribute to unmanaged, unintended
and uncontrolled change.
In management of change, changes need to be recognized. Then changes are reviewed to assure
that any hazard introduced is recognized, understood and controlled. Finally, procedures, training
and plant documentation are updated to accommodate the changes.
Changes can be obvious (like a new pump size) or subtle (like a new raw materials supplier
whose product has different impurities). Changes to be reviewed are:
§ Operation with technology or materials that were not reviewed previously and found to
be safe;
§ Operation outside the boundaries of operating parameters that were reviewed previously
and found to be safe; and
§ Operation with any equipment or hardware change that is not “replacement in-kind” of
original equipment reviewed previously and found to be safe.
The purpose of management of change (MOC) within the framework of the process safety
management standard is to control change within the plant. “Control” in this context refers to
systems, procedures and philosophies that facilitate intended change and prevent inadvertent
and/or unintended changes that may have the potential of causing unexpected results. Inadvertent
and unintended change can produce unpredicted sequences of events that culminate in
explosions, fires and injuries. The objective of MOC is to prevent “surprises” by controlling
change.
Likewise, the ease with which MOC is accepted by facilities can depend on the relationship
between management and labor. Difficulties associated with implementing MOC may be eased if
MOC is seen as an opportunity for meaningful two-way communication between management
and line workers. The cost-benefit of MOC comes from focusing everyone involved in a plant on
improving the plant. A principal responsibility and a major challenge in implementing a
management of change system is to keep work patterns and information flow open, simple and
consistent with existing organizational structures, management styles, work patterns and
channels of communication.
Change goes on within a plant at many levels. Most of these changes are intended to occur
during the course of work. It is the responsibility of the facility to determine what is considered
to be a change within the context of a particular process and organizational structure and to
manage that change. That is, management of change is an organizational responsibility that
grows from management’s commitment to controlling the plant. What constitutes like-in-kind
Simple procedures for recognizing changes, reviewing them and documenting them are needed.
These procedures define “check points” for actions (such as work orders and materials ordering).
At these checkpoints, a decision is made on whether the action constitutes a change requiring
review.
Each operation must apply judgment in identifying the changes that require review and must
devise a MOC system that makes optimum use of available resources. That is, each plant should:
One method of accomplishing this is to integrate MOC into existing approval and authorization
procedures for capital projects, small projects, non-capital projects, and operating and
maintenance systems. The facility’s existing work request/work order system may provide a
vehicle for accomplishing this quickly and easily.
Capital projects, both large and small, are focused efforts of intended change. Most facilities
have long-established procedures for reviewing the engineering design of capital projects.
Usually, MOC can be incorporated within the existing management systems for capital projects.
Field changes associated with construction usually can be captured in the work request/work
order system. Likewise, the work request/work order system can capture non-capital
modifications and not-in-kind substitutions that occur during construction, startup and
maintenance. Changes that are not captured and tracked by the work order system can be
captured by pre-startup reviews and mechanical integrity inspections. Part of the key to a simple
MOC system is integrating its objectives with other elements of process safety management.
The objective of MOC is not to cause plants to rework existing management systems. Rather,
MOC is intended to encourage facilities to make incremental modifications to existing systems
to make them more effective in identifying and reviewing change. A MOC procedure for many
facilities will consist of a simple “change request form.” The “change request” flags an item as
requiring a process hazard review prior to implementation and documentation update when
implementation is complete. The hazard evaluation may be a hazard and operability study
(HAZOP), a checklist or another methodology. It is the facility’s responsibility to select the
appropriate evaluation procedure and develop criteria for selecting the appropriate evaluation
methodology.
Structure of the MOC system is specific to the plant and process, as well as to the organization
and its culture. The MOC system for an ammonia plant will not be the same as that for a
cogeneration plant, even though both facilities may deal with the same hazardous material,
ammonia. There is no cookbook formula for MOC; the MOC system and procedures must fit the
plant, the people and the hazards.
RECOGNITION OF CHANGE
The dollar value associated with a “change” is not a criterion for identifying an action as deserving
of identification, review and control. Failure of a flange gasket costing $5.00 can result in a
release of a toxic or flammable chemical that is equivalent in size and hazard potential to a
catastrophic failure in the shell materials of a reactor vessel. An example of this is use of rubber
rather than asbestos gasket material in chlorine service. The rubber is degraded quickly, leaving
the equivalent of a 1-inch diameter hole in the system. In this example there is considerable
hazard associated with gasket materials. Therefore, “change” at this facility will necessarily
include consideration of gasket materials. The definition of what constitutes change for a
particular plant emerges from pertinent questioning by persons who are knowledgeable about the
process.
The OSHA standard assists operators in identifying change by grouping changes according to
mechanisms that are useful in determining when a change is about to take place. This is done by
categorizing change as relating to technology, facility or organization. A fourth type of change
implied but not stated in the standard is software changes. A growing number of facilities are
installing computerized distributed control systems (DCS units) for process control. The logic for
controlling the process is imbedded in the software of the DCS unit. Changes to the software are
changes to control logic. Changes in software associated with process control also must be
identified, reviewed and documented.
Generally, persons within a facility will deal with only one type of change, though they may
have a general awareness of the other types of change. For example, consider a technology
change that involves increasing yield of a particular product. Typically a technology change
involves chemists and process engineers. These are the functional groups that are familiar with the
chemistry of the process and that have related the chemistry to engineering aspects of design through
heat and material balances, materials of construction and other means. It is likely that these
changes will be brought for review.
However, subtle mechanical changes, for example a change of flange bolts to bolts with different
low-temperature ductility, may not be so obvious. Engineering may intend the change, in which
Step 1: Familiarize management with the requirements and the expectations for compliance
with process safety management regulations by reviewing compliance requirements.
Step 2: Designate a subcommittee that is responsible for management of change at the facility.
This committee should be comprised of a cross section of personnel, including one
maintenance representative, and chaired by a senior manager.
Step 3: Appoint a chairperson and subcommittee members for the management of change
subcommittee.
Step 4: Prepare a list of actions that are “changes” requiring review at the facility.
The object is to generate a list of items that comprise change at the facility. Lists can be
generated by a variety of methods:
The items on the list should be specific to a facility and should be described in jargon
commonly used within the facility. The objective is to identify change to facility
personnel in a manner and language that is directly associated with employees’
experience at the facility.
Items that are to be subject to review when making a change should be included in the
change review process; that is, in generating the list of changes, a facility has identified
those items that must be subject to review in the MOC system. Examples of changes at
a facility may include:
Step 5: Organize the list of changes into categories that have meaning to facility personnel, for
example, that relate to:
This issue deserves careful consideration. Selection of authority at too high a level may
have the effect of impeding the MOC process.
Step 7: Design a “change request” form. The form should include considerations such as:
§ Date;
§ Name of person proposing the change;
§ Identifying location of person requesting the change;
§ Basis for the change request;
§ Whether the request is routine or an emergency request;
§ Description of the proposed change;
§ Names of the persons reviewing the change;
§ Indication of whether the change is approved or not approved (What are the
implications of approval?);
§ A justification for the decision to approve or not approve the change;
§ Requirements for implementing the change (communications, permits and levels of
review);
§ Responsibility for satisfying the requirements of the change;
§ The date the requirements were initiated and the date the requirements were
completed; and
Step 8: Train facility personnel to recognize change, including subtle changes that often go
unnoticed or unreported in the course of daily routine.
Step 9: Train facility personnel in using the “change request” form and implementing the
management of change procedure.
Step 10: Develop an auditing procedure that verifies that the MOC procedure is capturing
changes, for example that personnel:
§ Understand and exercise appropriate judgment about what constitutes change for
the facility;
§ Know how to request, review and implement changes; and
§ Consistently notify appropriate personnel regarding documentation updating
requirements.
Step 11: Develop procedures for actions and/or activities that are related to management of
change. Specifically:
Step 13: Provide regular audit review to verify the MOC system is functioning as intended.
Step 14: Devise a strategy for reinforcing the importance of managing change as a way of doing
business and improving safety.
IMPLEMENTING MOC AS A PROCEDURE
In practice, the MOC procedure must consider two basic types of change: intended changes
associated with capital projects and unintended changes associated with daily maintenance and
operation of a facility. Procedures must be developed and implemented for managing change
within each of these environments.
Answers to these questions are facility- and organization-specific. A procedure that works at one
facility will not necessarily work at another. One solution is to reference changes to a separate
process hazard review procedure.
The MOC procedure is not a stand-alone procedure. Rather, there is an advantage to constructing
a framework of modular procedures in which the MOC procedures reference other procedures by
title. This approach adds flexibility to the MOC procedure and provides a mechanism for making
changes in specific modules of the MOC framework without having to rewrite or update
documentation associated with the entire framework.
To develop a risk-level screening procedure, management should first define which process
systems are covered by the PSM standard or corporate policy. Then process boundaries should
be established to help the plant staff determine which software and documentation should be
controlled and covered by the MOC procedure.
Once a change is recognized, a management of change project coordinator, who should
follow the change through its analysis and implementation, should conduct a risk-ranking
analysis. West discourages use of only one MOC coordinator because, if he or she is
unavailable, a bottleneck can occur when the system must wait for that person’s review.
The management of change project coordinator should apply a risk ranking technique to
determine which technique (i.e., “what-if” checklist versus HAZOP analysis) should be used to
evaluate the safety of the proposed change. West notes that several risk ranking techniques are
available. He suggests using the technique described in Appendix 7A of the American Institute
of Chemical Engineers’ Center for Chemical Process Safety’s (CCPS) Plant Guidelines for
Technical Management of Chemical Process Safety, which ranks changes by their potential
hazard in high or low degrees and their potential severity, ranked either as low or high
significance to the process. The high and low classification for hazard and severity can be
determined by a series of “yes” or “no” questions listed in the CCPS book. Once the two criteria
are properly ranked, they are placed in a risk matrix establishing the risk level and corresponding
type of safety review needed (see figure below, Management of Change Risk Matrix).
A change that qualifies as a low hazard and low severity would only need a simple checklist. A
low hazard with high severity would require a “what-if” checklist. A high hazard with low
severity would necessitate a HAZOP. And a high hazard change with high severity would need a
HAZOP with consequence analysis.
Another valuable recommendation for a successful MOC program involves combining MOC
procedures with pre-startup safety review procedures. “A number of major chemical
organizations have combined their PSM management of change element and their closely related
PSM pre-startup safety reviews into the same procedure for simplicity,” said Roy Sanders,
compliance team leader for PPG Industries in Lake Charles, La., in Chemical Process Safety:
Learning from Case Histories.
According to Sanders, the pre-startup safety review – although a separate element in the PSM
standard – is the final step in management of change. Process changes that require
implementation of the MOC procedure also require modification to process safety information –
which triggers a pre-startup safety review.
Specifically, the PSM standard states, “the employer shall perform a pre-startup safety review for
new facilities and for modified facilities when the modification is significant enough to require a
change in the process safety information” (29 CFR 1910.119(i)(1)).
Facilities that combine MOC and pre-startup safety review procedures also must update process
and instrument diagrams, operating procedures and training before startup of a process, as
indicated under the pre-startup safety review requirements in the PSM standard, Sanders states.
PSM is required by law and so are many other programs associated with health, safety and the
environment. Most organizations do not have the resources to comply with all aspects of all
regulations. Therefore, management must allocate resources according to some form of
prioritization. Determine the prioritization criteria for your organization and structure the
requirements for MOC within those criteria. Finally, demonstrate the benefits and possible cost
savings that can be realized by maintaining an effective MOC system. PSM and MOC are rooted
philosophically in total quality control programs for chemical processing facilities.
Some of the recent catastrophic accidents are directly attributable to unrecognized subtle change.
No management system is infallible. Workers must be trained to recognize change and be
encouraged to respond to it.
RECORDKEEPING
Recordkeeping elements of the MOC section are implied, rather than outlined within the
standard. Facilities are urged to develop a “change report” form that would record every time a
change is to be made and whether that change is a replacement in-kind or a change. Changes
would require authorization. The form serves as the first record of a change.
Furthermore, facilities are required to note changes that affect the process safety information and
the operating procedures in those documents, respectively. (For more information on process
safety information, for more information on operating procedures.
The goal here is to keep written plant materials up-to-date with the actual operation of the plant.
An unrecorded change could lead to trouble down the road.
Training
Employers must inform and train workers in a change of process before the process, or affected
portion of the process, is started. The term “employee” includes direct-hire, contract, and
maintenance workers (29 CFR 1910.119(l)(3)).
The section includes “implied” training, too. Employers will have to train workers to recognize a
change when they see it. Especially important is recognition of subtle changes. Most facilities do
not have procedures to recognize and control subtle changes. This type of change includes not-
INTRODUCTION
On November 25, 1998 a fire at the Equilon oil refinery delayed coker unit in Anacortes caused
6 fatalities. A loss of electric power and steam supply approximately 36 hours prior to the fire
resulted in abnormal process conditions.
Scenario:
Causes:
INTRODUCTION
On October 13, 1998, a reaction vessel explosion and fire at the Condea Vista Company detergent
alkylation plant in Baltimore resulted in the injury of four people.
Scenario:
Causes:
The following is adapted from Chapter 9 of the book entitled Management of Change in
Chemical Plants by Roy Sanders. It is published by Butterworth-Heinemann Ltd., Woburn,
Mass.,
Introduction
A formal method to deal with change in a chemical plant must be developed. The safety features
that were designed into the original processes often were obtained after a multi-disciplinary
design team agonized over the optimum arrangement of process and layout. This process safety
must not be jeopardized by poor-quality modification schemes.
No recipe or procedure for managing changes can be devised that would be universally
acceptable. The exact approach used to evaluate a proposed change must be site specific. There
must be a sustained management commitment to the management of change program and this
may require a change in culture within an organization.
Each chemical plant and refinery must adopt or develop a procedure tailored to fit the specific
hazards, the available technical resources, and the culture of the organization and any required
government regulations. It must be practical and workable without undue delays. Keep in mind,
a modest system that is regularly used and works is much better than an elaborate, sophisticated
system that is ignored. To ensure the procedure continues to be properly utilized, there must be
periodic audits.
A Reality Check
For a chemical manufacturing facility to survive in a dynamic industry, it must be able to quickly
adapt to changes, such as increasing production, reducing operating costs, improving employee
safety, accommodating technical innovation, compensating for unavailable equipment and/or
reducing pollution potential. The chemical plant also must have a method to review temporary
repairs, temporary connections or deviations from standard operations.
Chemical plant modifications must be properly engineered and implemented to avoid actual and
potential problems. A hidden practical or technical flaw created when a worker attempts to
correct a specific problem potentially could cause an incident. Gradual changes created by
unauthorized alterations, deterioration and other symptoms of aging also can compromise the
integrity of containment and protective systems. The presence of these unwanted modifications
can be minimized by proactive inspection, safety instrument system testing and follow-up
repairs.
An incident can occur if hasty modifications are employed. To address the problems of “one-
minute” modifications, chemical plant management must be resolute about training employees
about the potential dangers created by quick, inexpensive substitutions. It is essential that well-
maintained engineering and equipment specifications are readily available. Changes, which
might include improper substitutes such as incompatible construction materials or improper
procedures, must be reviewed by a third party. This is sometimes easier said than done in the
hectic pace of keeping maintenance and production schedules.
It is crucial that companies refrain from making their management of change procedures so
restrictive or so bureaucratic that individuals try to circumvent them. Overly complicated
paperwork schemes and procedures that are perceived as ritualistic must be avoided. It has
become apparent that some companies require awkward, time-consuming review processes
during the day shift. It has been said in those companies that the changes occur at night.
The industry head count (or the total number of skilled employees) is leaner and meaner than
before. A measurable excess in human resources is a luxury rarely found in today’s chemical
industry in developed countries. Personnel changes can result in a loss of important process
safety knowledge. The significance of such changes is often underestimated. Management must
constantly be attuned to the problems of knowledge dilution caused by changes in personnel.
Many of the management of change practices used in the 1970s and 1980s are still applicable
today. In 1976, four chemical corporations shared their progressive modification procedures at a
Loss Prevention Symposium sponsored by the American Institute of Chemical Engineers
(AIChE). Those technical papers were published in the AIChE’s Loss Prevention, Volume 10.
The proposal initiator and plant manager, plant engineer, chemical engineer and
instrument/electrical engineer, as appropriate, discussed any proposed modification. They
prepared a set of notes and a sketch describing the modification and submitted these for approval
to the relevant staff.
The plant manager assessed the effect of the proposals on all plant operations, including normal
and routine operations, start-up, shutdown and emergency actions. He or she checked that
hazardous conditions would not arise. The plant engineer and/or instrument electrical engineer
assessed the effect of the modification on maintaining the plant and equipment and also ensured
that the proposal met the original plant design standards and the level of good engineering
standards demanded on site.
Heron’s article concluded with a statement that all of these procedures bring together a multi-
disciplined team that ensures fewer problems in implementing, commissioning and operating
modified units.
In 1985, the Canadian Chemical Producers Association (CCPA) released a pamphlet to help
Canadian chemical manufacturers determine the adequacy of their process safety programs.
Modifications to a plant or process were one of the nine internal programs examined by the
CCPA. The guiding principles required a management program to formally examine and approve
any significant changes in chemical components, process facilities or process conditions,
whether temporary or permanent, prior to implementation. The procedure, as recommended by
the CCPA, addressed 12 elements. It was intended that each element would be reviewed by
qualified individuals to assess if the proposed change could jeopardize the integrity of the
system. The 12 elements are:
1. Does the change involve any different chemicals that could react with other chemicals,
including diluents, solvents and additives already in the process?
2. Does the new proposal encourage the production of undesirable byproducts either through
primary reactions, side reactions or introduction of impurities with the new chemical?
3. Does the rate of heat generation and/or the reaction pressure increase as a result of the new
scheme?
4. Does the proposed change encourage or require the operation of equipment outside the
approved operating or design limits of chemical processing equipment?
5. Does the proposal consider the compatibility of the new chemical component and its
impurities with materials of construction?
6. Has the occupational health and environmental impact of the change been considered?
OSHA’s process safety management (PSM) standard (29 CFR 1910.119) addresses management
of change in paragraph (i). It states:
The standard also defines “replacement in kind” as a replacement that satisfies the original
design specification. Appendix C to the PSM standard, Compliance Guidelines and
Recommendations for Process Safety Management (Non-mandatory), serves as a guideline to
assist in complying with the standard.
One way to assist with properly training key individuals at a plant site is to research previous
incidents that may have been caused by failures in management of change programs. The
effectiveness of training can be enhanced if case histories of the accidents caused by an improper
plant modification at the plant site are added. Previous incidents where a plant modification was
suspected to be a contributing factor should be researched for written reports, photos, sketches,
etc., and included in training programs. Perhaps incidents addressed in Trevor Kletz’s book,
What Went Wrong?, or the British Institution of Chemical Engineers “Hazards of Plant
Modifications” training, or Roy Sanders’ book, Management of Change in Chemical Plants, can
help make special points. Naturally, any new incident within your organization or reported by the
news media can help with training efforts.
For a workable management of change program, companies must show that management is
committed. Management must be willing to allocate resources and, if necessary, change the
corporate culture to ensure a successful management of change program.
At each level in the organization, management must visibly support and continuously reinforce
the policies that are designed and implemented to reduce spills, releases, fires and explosions.
There also must be clear roles and responsibilities within process safety programs. A logical
approach to plant modifications must be developed for each chemical plant site. Ideally, it should
be a tiered approval system. Consideration must be given to the size of the facility, the relative
hazards of the chemicals, the type of equipment and the number of employees, including process
safety personnel, engineers, etc.
To change the culture of the organization, all plant employees who could have an impact on
change must be trained to understand what is considered to be a plant modification, and why.
Anyone considering a small change should be encouraged to discuss the idea with a peer to find
out if the change is considered within specified operating limits or acceptable maintenance or
engineering practices. This is not always practical. Employees should understand the review
process.
An example of a tiered approach can be found in the figure below. The unit manager (area
superintendent) should first be consulted. The review process may be triggered by discussions, a
work order approval procedure that requests permission for “changes,” or other means. This
The non-mandatory appendix to the PSM standard states that organizations must define what is
meant by change. The unit manager should ultimately be responsible for classifying a particular
change. As an initial step, he or she must evaluate whether a prospective change leads to basic
good engineering practices, meets manufacturers’ and plant specifications and results in operation
within normal allowable limits. Frequently, unit managers will make recommendations for
change based on this evaluation.
If the unit manager determines that the change is a “replacement in kind,” or is otherwise
determined to be minor in scope, he or she can make the modification without utilizing formal
Some changes that would require a review under the management of change procedures include:
The company may need to employ a “modifications specialist.” This person should be available
to the operations, engineering and maintenance departments. He or she would work closely with
unit managers to evaluate proposed changes in areas where decisions on proposed changes are
beyond the unit manager’s authority. This modifications person may be a process safety
engineer, loss-prevention engineer or a mechanical or chemical engineer who has been trained in
chemical process safety. Preferably, this individual would be a plant employee, possibly
accompanied by a regional engineer, a property insurance consultant or a contractor.
The modifications person must understand the basic loss prevention principles of proper layout,
fundamentals of fire and explosion protection, overpressure protection, electrical area
classification, property insurance guiding principles, etc. It is unrealistic to expect to have such a
well-trained individual who can think of all the right questions. Therefore, a thorough safety
assessment checklist for modifications should be utilized to assist with change evaluations.
There should be a procedure to alert or assign a modifications person to examine the early stages
of the change. If it is covered by specifications or plant policy, or properly addressed by codes of
practice, the review may stop at this point with or without a brief note, depending upon systems.
If the type of modification under consideration is not covered by plant specifications, codes or
design and operating philosophy, or if an assessment form generates unanswered questions, the
modifications person should extend the review process.
Most medium-sized and large chemical and petrochemical corporations have implemented
flexible procedures for several layers of process safety reviews for capital projects, such as major
modifications, expansions, etc. In certain cases, such as changes created by a significant
A responsive modification review and approval system with competent reviewers can gain
acceptance quickly. If a modification approval system is unnecessarily cumbersome, there can be
tension between the sponsor and the reviewer or there can be attempts to circumvent proposals.
We all must realize that a modification control system, especially for small but vital changes,
must not be so formal that responses cannot be given in a reasonably short time. A tiered system
must be in place to deal with the entire range of proposals, from the very simple change to the
very complex.
These checklists, as well as “what if” methods and multi-disciplinary reviews, are excellent tools
for reviewing modifications. These methods can ensure adherence to design specifications,
identification of previously recognized hazards and that piping and instrumentation diagrams
(P&IDs) and operating procedures are updated. With careful planning, management of change
reviews can be incorporated into the process hazard analysis process.
“What if” type studies have been used to some degree for years. This type of questioning activity
originally was used to informally evaluate possible scenarios associated with a proposal.
Recently, the method has been refined and is now a more formal method of hazard evaluation.
Little has been written on this type of group brainstorming activity; however, CCPS’s Guidelines
for Hazard Evaluation Procedures offers examples of a systematic approach. A “what if”
analysis is a suitable hazard evaluation technique for an experienced staff reviewing a
modification.
Checklists can be useful if properly prepared by experienced engineers. Such checklists can
assist less experienced engineers in considering situations that fault tree analysis might find, if
given enough time, or that “what ifs” might overlook.
Management of change procedures can range in length to fit a facility’s specific needs. Some
may be long on definitions while others may rely more on checklists. But each should allow for a
flexible approval system.
Minutes should be taken at all chemical process safety meetings. These minutes should be
reviewed and approved by senior management and senior technical individuals. The minutes of
the process safety meetings that include the recommendations, the limitations and individuals
assigned to handle the follow-up should be kept for the life of the modification and perhaps the
life of the unit involved.
Operations, maintenance and contractors whose job tasks will be affected by the change shall be
informed and trained in a change of process. Individuals who are off-shift or absent shall be
trained prior to resumption of their job responsibilities. The particular form of training should be
determined during the evaluation of the change. It could range from a note in the logbook that
must be initialed by the operators, to classroom style training with visits to the new equipment
(this important aspect of management of change must be mentioned even though it is part of
another element of the PSM standard’s pre-startup safety review).
Common sense and the PSM standard require auditing a facility’s compliance with
management of change requirements. Periodic review and documentation of a site’s activities in
managing aspects of personnel and process safety should be a part of an organization’s culture. A
good audit can measure the “actual” versus “intended” effectiveness of PSM programs.
Each organization must devise its own way to conduct an audit. The Dow Chemical Co. reported
that it had been developing a “consolidated audit” in its Freeport, Texas plant since 1988. The
consolidated audit covers safety, loss prevention, occupational health, environment and other
topics in a single audit. Prior to 1988, many of these audits were individually achieved on an
annual basis.
Dow Chemical was pleased with the efficiency of the combined audit. Since half a dozen audits
could be rolled into one audit, early planning was more practical and more effort could be given
to gathering incident records, process flowsheets, and P&IDs. Preparations for the consolidated
audit began about three months before the actual audit, as engineers and plant superintendents
reviewed policies and standards and reviewed their plant’s status in areas scheduled for audit.
Below are some common sense audit questions for management of change:
§ Is there a formalized documented policy in place for the review and authorization of
changes in the hardware and the operating procedures in units that produce, use, handle,
or store hazardous materials?
§ Do all of the affected individuals, including the engineers, supervisors, chemical process
operators, maintenance mechanics, purchasing employees, etc., understand that there is a
management-of-change policy?
There must be a formal method to deal with change in a chemical plant. The safety designed into
the original plant often occurred after a multi-disciplinary design team agonized over the
optimum arrangement of process and layout. This process safety must not be jeopardized by
poor-quality modification schemes. No recipe or procedure can be devised to be universally
acceptable. The exact approach used to scrutinize a proposed change must be site-specific and
developed for that location. There must be a sustained management commitment to the
management of change program, since this may require a change in culture within many
organizations. Each chemical plant and refinery must adopt or develop a procedure tailored to fit
the specific hazards, the available technical resources, the culture of the organization and
relevant regulations. It must be practical and workable without undue delays.
A modest system that is used regularly and is workable is better than an elegantly stated,
sophisticated system that is ignored.
Engineering Considerations
Process Conditions        Instrument Drawings
Temperature               Process Drawings
Pressure                  Wiring Diagrams
Vacuum                    Trip & Alarm Procedures
Flow                      Plant Layout
Level                     Pressure Relief Design
Composition               Flare & Vent Specifications
Flash Point               Design Temperature
Reactive Conditions       Isolation for Maintenance
Toxicity                  Static Electricity
Corrosion Potentials      Drainage
1. Does the proposal for change introduce new chemicals in the form of new reactants, solvents, catalysts or
impurities?
2. If so, are the new chemicals flammable, explosive, toxic, carcinogenic, irritants, capable of decomposition,
oxidants, etc.? If so, are material safety data sheets available?
3. Does the rate of heat generation and/or reaction pressure increase as a result of this new scheme? Is there a
potential for overtemperature during start-up, shutdown, normal operation or in other cases such as loss of
agitation or loss of utilities?
4. Are the vent and pressure relief systems sufficient under the new conditions?
5. Is there a risk of creating a damaging vacuum condition?
6. Is there an increased risk of backflow or cross-contamination?
7. Does the proposal introduce flammable liquids or gases or combustible dusts into areas that do not have the
proper electrical area classifications?
1. Does the change involve the alteration of a pressure vessel? And if so, is the code certification preserved?
2. Is there sufficient pressure difference between the new operating pressure and the maximum allowable
working pressure of the vessel?
3. Is the relief capacity adequate for process upsets, valve or tube failure, fire, loss of utilities, etc.?
4. Are remote-operated isolation valves now needed? Are “double block and bleeds” required?
5. Have safety critical process alarms and shutdown systems been modified to include the new situation?
6. Does the proposal introduce a source of ignition (including hot surfaces, flame, mechanical sparks, static
electricity, electrical arcing, etc.)?
7. Will the gas detection systems, fire-water systems, diking or drainage need to be changed to accommodate
the change?
Does the proposal properly address the procedural, training and documentation
requirements?
1. Have the process, mechanical and instrument drawings been updated where required?
2. Have the new material safety data sheets been provided to the operations and maintenance departments?
3. Have the start-up, normal shutdown and emergency shutdown scenarios and procedures been reviewed?
4. Have the schematic wiring and other electrical drawings been updated?
5. Have the equipment files been updated to show the addition of pressure vessels or storage tanks or
revisions to them?
6. Have the sewer and underground drawings been updated where required?
7. Have the alarm listings and safety critical proof-test procedures been developed?
8. Have all the other necessary maintenance testing and inspection procedures been developed?
Chemical Process Safety Report, Tab 300, Management of Change, May 1992.
The two most important safety audits in the US are the EPA RMP rule audits and the OSHA
Safety audits. Both require that facilities conduct their own audits and produce documents that
can be quality assured and audited.
These programs require that a facility operator does the following three things:
§ Share information about chemical safety practices and technologies with visits to sources
that handle hazardous substances;
§ Heighten awareness of the need for and promote chemical safety at chemical facilities
and in the communities where chemicals are located; and
§ Build cooperation among sources, government agencies, and others.
Chemical safety audits are usually voluntary and may include sources not covered by the Risk
Management Program provisions. One purpose of auditing a facility is to identify and
characterize the strengths and weaknesses of specific chemical accident prevention program
areas, as a means to highlight the elements which form an effective program.
Additionally, audits facilitate the sharing of information about successful practices and
recommending safety improvements. This can lead to process safety improvements, which may
prevent or mitigate releases by the audited source.
RMP Audits
RMP audits help ensure compliance with the Risk Management Program. EPA intends to use the
audit process as a way to verify the quality of the program summarized in the RMP. When it is
reasonable, EPA will require modifications to the RMP that may lead to quality improvements in
the underlying program.
Full compliance with the Risk Management Program regulations cannot be determined without
on-site or independent verification of all or part of the information submitted in an RMP.
However, each implementing agency should determine the scope of the audit process to be used.
This determination is based on available resources, priorities, expertise, and other factors.
Auditing to ensure compliance with the Risk Management Program regulation may consist of a
range of off-site and on-site activities. Off-site activities might include determining that the rule
applies to the source, that the facility placed itself in the correct program level, and that the
source submitted a complete and correct RMP. On-site activities might include verification of
documentation and process review.
To ease the inspection burden, the implementing agency should also determine how the scope
and conduct of on-site audit activities can be coordinated with other regulatory inspections. For
example, the implementing agency might coordinate with either the federal or state OSHA office
within its jurisdiction. If chemical facilities are subject to the OSHA PSM Standard, OSHA has
its own authority over the facilities' prevention program. This inter-agency coordination may
save resources and decrease the burden on the facility.
The Risk Management Program regulations mention the use of completeness checks, reviews,
audits, and inspections. These terms are defined below.
The lead auditor should determine at this point whether or not the source will be notified in
advance of the site visit. Prior notification may be dictated by implementing agency policy or
practices. If the source is to be notified in advance of the visit, the lead auditor should schedule
well in advance the date, time, and point of arrival at the source.
Preliminary preparation is key to a well-organized audit. It is useful to collect as much of the
source background information as possible in advance of the audit. The lead auditor may elect to
notify the source, state, and local officials of the pending audit and request appropriate
background information. The auditor(s) then can review this information prior to the visit,
prepare a detailed list of topics and questions to help organize their on-site activities, and
minimize the amount of time spent at the source. The following table lists some examples of
background information that may be useful to auditors.
Auditors should also determine the applicability of existing checklists specific to the source
being audited; for example, checklists developed by EPA in sector-specific RMP guidances may
be used (e.g., ammonia refrigeration, publicly owned treatment works, chemical warehouses,
propane users).
Auditors should also familiarize themselves with industry and government standards specific to
the source (e.g., standards developed by OSHA, NFPA, ANSI).
An on-site audit might include review of programs and records, verification of data, and analysis
of prevention measures. See the following table of potential audit components
for suggestions.
The lead auditor should hold a pre-visit meeting with all auditors as close to the date of the audit
as possible. By this time all auditors should be familiar with this guidance and any information
they have collected about the stationary source to be audited and its processes. Additional
information to be obtained at the source should be identified and auditors should develop
individual plans for conducting their portion of the audit. For extensive audits, the pre-visit
meeting should:
OPENING MEETING
The auditor(s) should conduct an opening meeting with management personnel (e.g., plant
manager, superintendents of safety and operations, legal counsel, corporate representative). The
lead auditor should clearly explain the purpose and objectives of the audit.
The lead auditor may give a copy of this guidance to the source to help them understand the
scope, purpose, and objective of the audit. In addition, this guidance may help the source in
assembling information to be reviewed by the auditor(s). At a minimum, the following items
should be addressed during the opening meeting:
The auditor(s) should also request a detailed overview of the chemical processes and/or
manufacturing operations at the source, including block flow and/or process flow diagrams
indicating chemicals and processes involved.
After the opening meeting, the auditor(s) may accomplish their tasks individually or in small
groups, performing their work as quickly and efficiently as possible. Special attention should be
paid to:
The attached checklist may be used as guidance to ensure that regulatory requirements are met
and that a basic level of data quality is achieved. However, this checklist is not intended to be
During the audit, a variety of materials will be gathered relating to operations at the source. Most
of these materials should be referenced in the report and maintained in a central file.
§ Sample source memoranda, guidelines, safe operating procedures, policy statements (e.g.,
safety practices, Responsible CARE);
§ Correspondence between the source and the implementing agency; or
§ Graphic materials such as photographs, maps, charts, plot plans, organizational charts.
All materials should be labeled with:
§ Name of the source;
§ Date of the audit; and
§ Other identifying information.
In addition to normal protective equipment (e.g., safety shoes, hard hats, goggles), auditor(s)
may need special equipment:
§ Flame-retardant coveralls in all areas of the plant where there is potential for flash fires
and as may be required by policy at the source;
§ Emergency escape respirators during the walk-around portion of the audit (personnel
conducting these audits should have received proper training in the use of emergency
escape respirators);
§ Alert monitors approved for the environment where they will be used (e.g., HCN, Cl2);
§ Electronic equipment (i.e., still cameras, video cameras, cellular phones) that are safe for
use in the process areas being audited; and
§ Follow facility guidance relative to the appropriate use of PPE and request notice of any
unusual conditions, which may dictate specific precautions.
EXIT BRIEFING
Prior to the exit briefing, auditor(s) should meet privately to review findings and establish topics
for the briefing. Significant observations and findings should be presented to management
personnel. Any issues requiring clarification should be listed for discussion with the management
personnel. The team leader will determine what conclusions or recommendations will be
forwarded to the source at the exit briefing.
Auditor(s) should maintain a professional, courteous demeanor during all discussions with
source personnel. Auditor(s) should make source officials aware of any standards,
guidelines, or resources that would be helpful in improving the source risk management
program. However, auditor(s) should be careful to avoid making suggestions which imply a
"consultant" type of relationship, such as endorsing one product or firm exclusively.
Auditor(s) should never state that "violations" have been observed. Determining that a
violation has occurred is generally done after an enforcement inspection by the appropriate
enforcement program in consultation with legal counsel. Auditor(s) should not make any
representations that could affect any subsequent enforcement actions against the source (e.g.,
guaranteeing no enforcement will be taken if a source performs certain actions to correct a
deficiency).
The audit leader should alert the management personnel to situations that are in need of
immediate remediation (e.g., improper storage of incompatible chemicals).
FOLLOW-UP MEETING
Auditor(s) should meet as soon as possible after completion of the site visit to ensure details of
the audit are accurately recorded. At a minimum, auditor(s) should:
§ Immediately review and edit personal notes taken during the site visit for clarity and
completeness;
§ Review report format, and identify any additional information needed to complete the
report;
§ Review all important observations and findings;
§ Agree on a date for the final report;
§ Differentiate recommendations from any observed non-compliance; and
§ Resolve conclusions or recommendations that are not supported by team consensus.
AUDIT REPORT
The report should summarize information gathered during the audit (the attached checklists may
be helpful). The report should include:
§ A basic profile of the source and general information about the audit;
§ A description of the criteria, rationale, and factual information used to select the source
for an audit; and
The findings, conclusions, and recommendations section should summarize the rest of the
information from the completed checklists. Each finding should be documented with information
collected through document reviews. The auditor(s) should not interject opinions or speculative
statements in findings. Any conclusions should be based upon a comparative analysis of the
finding with applicable rules, regulations, standards, and accepted guidances. Conclusions should
be accompanied by recommendations. Each recommendation should cite the specific rules,
regulations, standards, accepted guidances, or technical basis used to formulate the
recommendation. The lead auditor should consult with all appropriate auditors and personnel in
the implementing agency to determine if recommendations that are not supported by a team
consensus should be included.
Each auditor should sign the report before it is submitted to the appropriate agencies. The
original report should be maintained by the implementing agency. A copy of the report should be
forwarded to the facility's owner or operator, as well as to the:
¨ 5.25 Has the owner or operator established and implemented written procedures to
maintain the on-going integrity of the process equipment listed in 68.73(a)?
[68.73(b)]
¨ 5.26 Has the owner or operator trained each employee involved in maintaining the on-
going integrity of process equipment? [68.73(c)]
¨ 5.28 Followed recognized and generally accepted good engineering practices for
inspection and testing procedures? [68.73(d)(2)]
¨ 5.29 Ensured the frequency of inspections and tests of process equipment is consistent
with applicable manufacturers' recommendations, good engineering practices, and
prior operating experience? [68.73(d)(3)]
¨ 5.30 Documented each inspection and test that had been performed on process
equipment, which identifies the date of the inspection or test, the name of the
person who performed the inspection or test, the serial number or other identifier of
the equipment on which the inspection or test was performed, a description of the
inspection or test performed, and the results of the inspection or test? [68.73(d)(4)]
¨ 5.31 Corrected deficiencies in equipment that were outside acceptable limits defined by
the process safety information before further use or in a safe and timely manner
when necessary means were taken to assure safe operation? [68.73(e)]
¨ 5.32 Assured that equipment as it was fabricated is suitable for the process application
for which it will be used in the construction of new plants and equipment?
[68.73(f)(1)]
¨ 5.33 Performed appropriate checks and inspections to assure that equipment was
installed properly and consistent with design specifications and the manufacturer's
instructions? [68.73(f)(2)]
¨ 5.34 Assured that maintenance materials, spare parts and equipment were suitable for the
process application for which they would be used? [68.73(f)(3)]
¨ 5.35 Has the owner or operator established and implemented written procedures to
manage changes to process chemicals, technology, equipment, and procedures, and
changes to stationary sources that affect a covered process? [68.75(a)]
¨ 5.36 Do procedures assure that the following considerations are addressed prior to any
change: [68.75(b)]
¨ 5.37 Were employees, involved in operating a process and maintenance, and contract
employees, whose job tasks would be affected by a change in the process, informed
of, and trained in, the change prior to start-up of the process or affected part of the
process? [68.75(c)]
¨ 5.38 If a change resulted in a change in the process safety information, was such
information updated accordingly? [68.75(d)]
¨ 5.39 If a change resulted in a change in the operating procedures or practices, had such
procedures or practices been updated accordingly? [68.75(e)]
¨ 5.39 Has the owner or operator performed a pre-startup safety review for new stationary
sources and for modified stationary sources when the modification was significant
enough to require a change in the process safety information? [68.77(a)]
¨ 5.40 Did the pre-startup safety review confirm that prior to the introduction of regulated
substances to a process: [68.77(b)]
¨ 5.40.2 Safety, operating, maintenance, and emergency procedures were in place and were
adequate? [68.77(b)(2)]
¨ 5.40.5 Training of each employee involved in operating a process had been completed?
[68.77(b)(4)]
The control man has secured over nature has far outrun his control over himself.
Ernest Jones (educator, radiation physicist)
People are the main assets of any business, and at the same time, its main liabilities. There would
be no plant, product, or service without the actions of people. People are an integral part of plant
operations and maintenance. This fact is indisputable. What is not clear is exactly how many
people contribute to the safety and risk of plant operation. This is a very subtle area, and risks
here are the most difficult to quantify. This area of research is a growing part of human reliability
analysis studying the relationships between worker schedules, the natural biological rhythms of
the human body, and worker performance.
In discussing human contributions to risk, it is useful to distinguish between two kinds of errors:
1. “Active errors” result in almost instantly observable effects. Generally, active errors are
associated with direct, responsible operations, such as those performed by air traffic
controllers, pilots, and to some extent, process control operators. These people, and the
systems in which they operate, detect errors, and feed back information directly to them.
2. “Latent errors” have consequences that are not expressed or realized for a relatively long
time. Latent errors are not observed until they combine with other factors. Such errors are
most likely to arise with managerial personnel, designers, construction workers, and
maintenance personnel.
There are at least two factors that support this premise. First, machine or process operation used
to be a more direct “hands on” activity. As process design increased in complexity and size,
computer automation has promoted people to higher levels, less “hands-on” tasks, far removed
from the process. Control has been made more precise by removing local human intervention
and placing humans in a remote control room full of computer displays. The information
operators receive is channeled through computer interfaces and displayed in color, touch-
controlled video screens. Systems have defenses against the failures the designers knew about.
They are usually defenseless against the rest. Thus, for an accident to occur, a sequence of highly
unlikely events must occur in the right order at the right time. Latent failures generally are major
players in these events. It has been demonstrated in many accidents that the technology deluges
operators with information they don’t want and inhibits them from obtaining the information
they need to know. Technology applied to process management operation and maintenance does
not, and cannot, contain all of the required human checks and balances for active and latent error
detection and correction. As a result, catastrophic events, however unlikely, cannot be eliminated
from risk management.
Fatigue is one factor in the people contribution to plant risk. As you might expect, there are
many other human related contributors that are not as easily identified. Everyone knows that the
manner in which people operate and maintain equipment has a major effect on reliability, but the
difficulty is to identify the procedures and managerial practices that are at the root cause of
problems.
Human errors, especially latent errors, go unnoticed and are not considered important until
something bad happens. Also, in some cases, the standard operating and testing procedures
themselves are the major causes of failure. For example, in a recent study of emergency diesel
generators for a research facility, 22 failures were observed over an 8-hour period. An analysis of
failure events determined that 10 of them had as a root cause the procedures used to test and
operate the equipment. It is the identification of this type of information that can save
downtime and reduce the consequences when a failure does occur.
Another study looked at human factors associated with a group of major accidents using a
methodology specially developed to identify the nature of the management and organizational
failures and their root. It categorizes each accident with regard to management failures that
occurred and the root causes. A summary of this study is shown on the following page.
Notice in this table there are several management failures, but only three root causes. The nature
of these root causes can be interpreted as a complex mixture of technical and human-related
faults. In my opinion, it is this area, the “human-centered” compared to the “reliability-centered,”
that is the next major frontier in the spiral of continuous improvement.
Fallible decision-making is a basic part of life. People will always make mistakes. It is idealistic
to attempt to eliminate all mistakes. This is an attractive goal to talk about in corporate
boardrooms, but in practice, it is unachievable. The real task is to ensure that the adverse effects
of poor decisions can be quickly detected and proper responsive actions are taken. Equipment
failures by themselves do not cause major accidents or significant downtime events. These
incidents are caused by a sequence of events that together define accident scenarios.
SUMMARY
The people component of risk assessment represents a new and exciting challenge. By managing
employees’ circadian influences and identifying high-risk procedures and management practices,
the people component of risk can be greatly reduced. The next frontier in design and analysis
emphasis is toward human-centered management. Reducing risk contributions associated with
people is spawning new research fields and new technologies. Reducing the people contribution
to risk is a virtual gold mine of opportunity.
Jones, Richard B., Risk Based Management, Gulf Publishing Company, Houston, TX, 1995.
Abstract
Recent accidents and new regulations underscore the need for companies to identify potential
human errors and to reduce the frequency and consequences of those errors as part of an overall
process safety management (PSM) program. But how do personnel responsible for coordinating
or performing process hazard analyses (PHAs) satisfy this need to uncover potentially important
human errors without consuming too much time and too many resources? This insight describes
an approach for integrating human factor considerations into hazard evaluations of process
designs, operating procedures, and management systems. We believe this approach meets
OSHA’s and EPA’s requirements for consideration of human factor issues within PHAs. Critical
issues related to human factors can be identified and addressed in different phases of a hazard
evaluation. A case study illustrates the effectiveness of this strategy.
Introduction
People make mistakes for many reasons, but experts estimate that only about 10% of accidents
due to human errors in the workplace occur because of personal influences, such as emotional
state, health, or carelessness. All other mistakes made by people in the workplace result from
external influences, such as:
§ Deficient procedures;
§ Inadequate supervision;
§ Insufficient staffing;
§ Ineffective training;
These human-error causes, which in turn result from other human errors, are all directly within
management’s control.
Recent accidents and new regulations underscore the need for companies to
pursue effective ways to identify potential human errors and to mitigate their causes
and/or consequences. This effort can be logically incorporated into each company’s
PSM program. Paragraph (e) of OSHA’s PSM standard, 29 CFR 1910.119 [1], and the analogous
PHA paragraph in EPA’s proposed regulation for risk management programs (58 FR 54190, to
be codified at 40 CFR 68) [2], specifically require that PHAs consider human factors. But what does
it mean to “consider human factors”? First, we must try to define what OSHA and EPA mean by
“human factors.” Since this term is not defined in the regulations, we must look at other sources
of interpretation, including citations, settlement agreements, compliance directives, and
clarifications (e.g. Appendix C of 29 CFR 1910.119).
This insight provides a strategy for efficiently addressing human factors using widely accepted
hazard evaluation techniques, such as those approved by OSHA and EPA for PHAs (which
include checklist analysis, what-if analysis, failure modes and effects analysis (FMEA), and
hazard and operability (HAZOP) analysis). In the description of each step of the strategy, we
explain how this approach addresses OSHA’s and EPA’s interpretation of human factors. This
strategy is thorough in identifying the root causes of human error, yet provides for a practical
allocation of resources. Although this insight focuses on the requirements of a PHA, the
approach is equally effective for other hazard evaluations, such as preliminary and detailed
design reviews (for new/revised processes) and large management of change hazard reviews.
To implement this strategy, a four-step approach is suggested. Step 1, evaluating process design,
requires the use of standard PHA techniques expanded to provide in-depth coverage of human
factors. In Step 2, the PHA team performs a review of procedures using a HAZOP or what-if
analysis to uncover potential human errors associated with routine and nonroutine operations. In
Step 3, the PHA team uses interviews, questionnaires, and checklists to evaluate the management
systems designed to control issues related to human factors (including those in Steps 1 and 2).
Finally, in Step 4, a detailed human reliability analysis (HRA) addresses any unresolved issues
raised in Steps 1 through 3. This insight briefly describes Steps 1 through 4, and provides a case
study to illustrate the analysis approach and the usefulness of this strategy. Companies may
incorporate any one, or all four, of these steps in their PSM programs. We typically recommend
that Steps 1 and 2 be included as part of a PHA. Executing all four steps during PSM
implementation will result in more complete identification and prevention of human errors.
Traditionally, hazard evaluations of process designs, using techniques such as checklist analysis,
what-if analysis, HAZOP analysis, and FMEA, have focused on process chemistry and hardware.
However, analysts can incorporate human factors considerations into any of these techniques.
During a review of the process design, the majority of human errors identified are those resulting
from deficiencies in the human-machine interface. OSHA recognizes the importance of this
category of human error causes. Specific examples of human-machine interface issues cited in
the PSM standard’s compliance directive (OSHA Instruction CPL 2-2.45A) are:
In the past four years, OSHA has specifically cited as violations human-machine interface issues
such as inadequate control displays and inadequate labeling.
Checklist Analysis
Checklists can be expanded to include human factor considerations and, when expanded, are
particularly effective aids in identifying human-machine interface deficiencies. Questions like
the following can be incorporated into a checklist:
The Guidelines for Hazard Evaluation Procedures, Second Edition with Worked Examples [4],
prepared by JBF Associates Inc. for AIChE’s Center for Chemical Process Safety, contains an
excellent starting checklist. Other checklists are included in publications [5, 6] available from the
Chemical Manufacturers Association. At the end of this article is a checklist (Table 2) of
questions particularly useful for augmenting a PHA to better address “human factors
engineering” issues. We typically use this checklist at the end of a PHA meeting (regardless of
the primary hazard evaluation techniques chosen for the PHA) to ensure that we have adequately
covered these issues.
What-if Analysis
To include human factor considerations in a what-if analysis, team members must be sensitive to
human factor issues. If the question, “What if the operator added too much catalyst?” reveals a
HAZOP Analysis
FMEA
For a thorough investigation of issues (1) and (2) above, an FMEA must consider all the
components with which humans interact and consider failure modes that would affect human
performance. For example, the FMEA would have to investigate the consequences of a local
pressure indicator reading falsely high or low, since a false reading could cause an operator to
make a mistake. Often, an FMEA would not cover a local indicator at all because its failure
would not directly cause a system failure. Similarly, an FMEA would not normally consider
“valve handle missing” a meaningful failure mode, if the valve is manually operated and not
used for process operation. But obviously, such a valve would be useless in mitigating a
downstream rupture if the handle were missing.
Although incorporating human factor considerations into hazard evaluation studies of process
designs (as discussed previously) is straightforward, this approach addresses only a small
fraction of the potential human errors that can affect process safety. A European study concluded
that most (about two-thirds) process industry accidents happen during startups, shutdowns, on-
line maintenance, and batch operations. These results are not surprising, since it is precisely
during these step-by-step operations that systems are most vulnerable to human error.
OSHA recognized the importance of this category of human error when it emphasized that
training should address human errors by including review of:
The PSM standard (29 CFR 1910.119 (f) and (g) [1]) and its compliance directive [3] also emphasize
addressing this source of error by stressing the importance of (1) having written, step-by-step
instructions, and (2) ensuring the written procedures are followed. Some believe that “human
factors,” mentioned in paragraph (e) relating to PHAs, do not apply to procedural errors.
However, in the first major PSM inspection under the final PSM standard, OSHA assessed a
serious violation when the PHAs did not address “human factors such as board operator error,
line-breaking mistakes, and improper lockout and isolation of process equipment,” all of which
are errors originating from failure to either perform tasks or perform them correctly.
H.C. Woodcock’s recent article, entitled “Program Quality Verification of Process Hazard
Analyses” (for use in OSHA’s training program), stated that a PHA should include analysis of
the “procedures for the operation and support functions” (emphasis added) and goes on to define
a “procedure analysis” quite similar to the approach we describe in the following paragraphs.
EPA also recognizes the importance of procedures analysis. The agency defines the purpose of a
PHA as to “examine, in a systematic, step-by-step way, the equipment, systems, and procedures
(emphasis added) for handling regulated substances” (proposed regulation 40 CFR 68) [2].
Most companies currently do not perform process hazard evaluations of procedures, although
many perform some type of job safety analysis (JSA). The JSA is an excellent starting point for
an evaluation of procedures because JSA identifies the tasks that workers must perform and the
equipment required to protect workers from typical industrial hazards (slips, falls, cuts, burns,
fumes, etc.). Unfortunately, a typical JSA usually will not identify process safety issues or
To identify potential human errors that may be overlooked by the more traditional hazard
evaluation techniques discussed in Step 1 and those arising from a failure to follow the intended
procedural steps, a process hazard evaluation technique for procedures is clearly needed. We
have found that a combination of JSA with either a HAZOP or what-if analysis structured to
address procedures can be used effectively for this purpose [11, 12].
To apply this new technique of worker and instruction safety evaluation (WISE), the procedure
under review must be divided into individual tasks. Then, a set of guidewords or questions is
systematically applied (as procedural deviations or what-if questions) to each action of the
procedure under review. “WISEguides” shown in Table 1 were derived from HAZOP
guidewords commonly used for analysis of batch processes and from typical questions asked
during JSAs. The definition of each guideword is carefully chosen to allow universal and
thorough application to both routine and nonroutine procedures [13].
Note that the first six WISEguides focus on process safety issues; the remainder focus on more
traditional worker safety and industrial hygiene issues. For process safety issues concerning
compliance with 29 CFR 1910.119 and 40 CFR 68, only use the first six WISEguides. However,
to combine separate job safety and process safety analyses into a single, less expensive review,
use the full list of WISEguides. In either case, only apply the WISEguides that make sense;
rarely are all meaningful for a given step in a procedure.
The actual review team structure and meeting progression are identical to that of a process
equipment HAZOP or what-if analysis, except that active participation by several operators is
essential. For each deviation (denoted by these WISEguides), the team must dig beyond the
obvious cause, “human error,” to identify root causes like “inadequate emphasis on this step
during training,” “inadequate labeling of valves,” or “instrument display confusing or not
readable.”
The guideword “missing” elicits causes such as “no written procedural step or formal training to
obtain a hot work permit before this step,” or “no written procedural step or formal training to
open the discharge valve before starting the pump.” A checklist of global issues (see Table 2)
should be used to ensure that topics such as procedure format, use of illustrations, use of
warnings and notes, etc., are considered.
A first step in the hazard review of procedures is to screen the procedures and analyze only those
procedures with significant hazards. Reviews of routine procedures are important, but reviews of
nonroutine procedures are even more important. The nature of nonroutine procedures (startups,
Management system problems often surface during the analyses mentioned in Steps 1 and 2.
However, many other problems or weaknesses can be determined by structured, questionnaire-
based interviews with plant supervisors and managers. Similar questionnaire-based interviews
with operators help to highlight differences in perception or underscore areas of common
concern. The questions should be structured to be non-confrontational. Any identified
weaknesses in PSM systems should be accompanied by suggestions for change or further study.
In application, we find that much of the management systems questionnaire can be covered
during Steps 1 and 2. In fact, the majority of the questions simply provide a broader net for
capturing general deficiencies in process design or procedures, but usually will shed new light on
management’s philosophy and understanding of safety issues. Therefore, the questionnaire and
results may be better kept with PSM audit results rather than with a particular PHA report. This
is especially true since results of the questionnaire will apply facility-wide (perhaps
encompassing the scope of many individual PHAs). The current trend at most companies is to
include this step in PSM audits, and we agree with that approach.
One product of the techniques described in Steps 1 through 3 above should be a list of potential
accidents (or classes of accidents) caused by human error. Since human errors are high-
frequency events, companies may want to subject those accident scenarios with particularly
severe consequences (i.e., high-risk scenarios) to a detailed qualitative (or quantitative) human
reliability analysis (HRA). This detailed analysis involves having an experienced human
reliability analyst interview knowledgeable workers (operators, maintenance personnel,
engineers, managers, etc., depending on the specific scenario), perform a task analysis and
evaluate the specific human-machine and human-human interfaces involved. By observing
personnel during step-by-step process operations and examining the ergonomic characteristics of
process instrumentation and hardware, the human reliability analyst can identify important
human factor issues overlooked by the other hazard evaluation techniques. As part of this review,
the analyst also may evaluate other performance-shaping factors such as the shift rotation
schedule, labor-management relations, and physical and mental stressors. The results of these
analyses likely will identify both specific ways to improve human reliability on critical tasks and
general ways to improve human performance throughout the facility.
Case Study
The following case study illustrates the usefulness of the approach outlined in this insight. It
shows how the various steps in the recommended approach complement one another.
The company in the case study had traditionally performed checklist reviews of its process
system and JSAs of its procedures. After an explosion that resulted in fatalities, the company
embarked on an aggressive program to conduct PHAs (using primarily the HAZOP analysis
technique) of their process equipment and procedures. The following results were taken from a
toxic material unloading system analysis.
The HAZOP analysis of the unloading equipment considered the deviation “high pressure” in the
tank truck, which could lift the truck’s relief valve and release toxic material. The toxic material
was delivered in various types of tank trucks, which could include tanks of different pressure
ratings and relief valve setpoints. Investigation of possible causes revealed that high pressure in
the truck could result from several human errors and mechanical failures, including: (1) the truck
driver overstating the truck’s pressure rating, (2) the operator setting the nitrogen pressure
regulator incorrectly, or (3) the nitrogen pressure regulator failing to throttle closed during a
pressure surge from the nitrogen header. The review team recommended installation of a
pressure relief valve on the nitrogen header. The review team recommended installation of a
pressure relief valve on the nitrogen line between the regulator and the truck and that this new
relief valve be set below the lowest known relief valve setpoint of delivery trucks.
The HAZOP review of the unloading procedure considered the WISEguide “less” as it applies to
the step “pull vacuum in the unloading line before starting the unloading process.” To complete
this step, the operator had to align several valves and start a steam ejector system in an adjacent
building. The review team realized that reading a vacuum gauge at the steam ejector did not
ensure that a vacuum had been pulled in the unloading line out to the unloading rack. If the
unloading line was not evacuated, leftover material in the line could contaminate other storage
tanks (reducing product quality) and cause very rapid corrosion in other downstream equipment
(likely resulting in a loss of containment). The team recommended installing a vacuum gauge at
the unloading rack so the operator could verify that vacuum had been achieved and maintained at
During the analyses in Steps 1 and 2, the PHA team discovered that procedures had not been
updated in a timely fashion. The operators had made several modifications (mostly
improvements) to the procedures that had not been documented and management was unaware
of these changes. In addition, the procedures had not been reviewed for accuracy in over two
years. Interviews confirmed the existence of administrative requirements for: (1) annually
updating operating procedures; and (2) implementing changes in design and/or operations
documents, but revealed that management had not taken steps to ensure adequacy or compliance
with these administrative controls. One remedy suggested by the team was to have the document
control clerk issue a schedule and audit the status of procedure updates. Also, it was suggested
that the procedure update team include both operators and engineers and that any procedural
changes be analyzed for error-likely situations (as described in Step 2) by an independent team
of similar composition.
In Steps 1 and 2, the PHA team identified several operator errors that could cause a toxic release.
As discussed above, improvements were made regarding some of the specific errors identified.
However, company management felt that an additional, more detailed, qualitative analysis
should be conducted. To accomplish this, a human reliability expert observed operators (on
various shifts, with varying degrees of experience) performing routine operations. This
qualitative analysis revealed several additional recommendations, including the following:
The detailed analysis was stopped at this point, since quantitative results were not necessary to
reach a decision to implement the changes recommended.
Human factor considerations are a vital element of process safety management that can easily be
incorporated into popular hazard evaluation methodologies. Regardless of the hazard evaluation
technique employed, it is imperative for PHA teams to ask, “Why would someone make this
mistake?” whenever a human error is identified as a cause of a hazard. The two-step combination
of qualitative analyses, possibly followed by a management system evaluation and/or a detailed
human reliability analysis (either qualitative or quantitative), as outlined above, is a powerful set
of tools for uncovering deficiencies that can lead to human errors. “To err is human” may be a
true statement, but the frequency and consequences of such errors can be effectively reduced
with a well-designed strategy for addressing human factors.
References
2. EPA Proposed Rule 40 CFR 68, “Risk Management Programs for Chemical Accidental
Release Prevention,” Oct. 20, 1993, 58 FR 54190.
3. OSHA Instruction CPL 2-2.45A, Compliance Guidelines and Enforcement Procedures (for
29 CFR 1910.119), Directorate of Compliance Programs, Sept. 28, 1992.
4. Guidelines for Hazard Evaluation Procedures, Second Edition with Worked Examples,
AIChE, Center for Chemical Process Safety, New York, 1992.
8. OSHA Instruction CPL 2-2.45, Systems Safety Evaluation of Operations with Catastrophic
Potential, page C-11, Directorate of Compliance Programs, Sept. 6, 1988.
10. Program Quality Verification of Process Hazard Analyses, Henry C. Woodcock, OSHA,
1993 (for instructional purposes only).
13. D. Lorenzo, “The WISE Technique – Combining Process Hazard Analysis with Job Hazard
Analysis,” National Safety Council Congress, Chicago, Ill., Oct. 4, 1993.
Item No. Question
Housekeeping and General Work Environment
1.1 Are working areas generally clean?
1.2 Are adequate signs posted in cleanup and maintenance areas?
1.3 Is the ambient temperature normally within comfortable bounds?
1.4 Is noise maintained at a tolerable level?
1.5 Is the lighting sufficient for all facility operations?
1.6 Is the general environment conducive to efficient performance?
Accessibility/Availability of Controls and Equipment
2.1 Are adequate supplies of protective gear readily available for routine and emergency use?
2.2 Is communications equipment adequate and easily accessible? How would others know that a
worker is incapacitated in the process area?
2.3 Are the right tools available and used when needed?
2.4 Are special tools required to perform any tasks safely or efficiently?
2.5 What steps are taken to identify and provide special tools?
2.6 Is the whole workplace arranged so that the workers can maintain a good working posture and
perform a variety of movements?
2.7 Are all controls accessible?
2.8 Is access adequate for routine operation and maintenance of all equipment?
Component Labeling
3.1 Is all important equipment (vessels, pipes, valves, instruments, controls, etc.) clearly and
unambiguously labeled?
3.2 Does the labeling program include components (e.g., small valves) that are mentioned in the
procedures even if they are not assigned an equipment number?
3.3 Are plant instruments and controls clearly labeled?
3.4 Are the labels accurate?
3.5 Who is responsible for maintaining and updating the labels?
3.6 Are emergency exit and response signs clearly visible and easily understood?
Feedback/Displays
4.1 Is adequate information about normal and upset process conditions displayed in the control
room?
4.2 Are the controls and displays arranged logically to match the expectations of the operators?
4.3 Are the displays adequately visible from all relevant working positions?
4.4 Do separate displays present information in a consistent manner?
4.5 Is all significant operating information logically arranged?
4.6 Are related displays and controls grouped together?
4.7 Is the information displayed in ways the operators can understand?
4.8 Are the operators provided with enough information to diagnose an upset when an alarm
sounds?
4.9 Are the alarms displayed by priority? Are critical safety alarms separate from control alarms?
4.10 Is an alarm summary permanently on display?
4.11 What kinds of calculations do the operators perform when reading displays, and how are these
calculations checked?
4.12 Do the displays provide an adequate view of the entire process as well as essential details of
individual systems?
4.13 Do the displays give rapid feedback for all operational actions?
4.14 Do all mimic displays (board or screen) match the actual equipment configuration?
Large costs are at stake in many inspect/mitigate/repair/replace decisions made by refineries and
chemical plant operators - potentially on the order of tens of millions of dollars. This is because
the downside risks of leaking vessels and piping and subsequent equipment downtimes are very
large. On the other hand, the costs of inspections, mitigation measures, repairs, and replacements
are likewise large.
We have found that many clients need a structured and practical decision framework to develop
“least-cost” inspection/mitigation/repair/replacement strategies from at least two perspectives:
1. Optimization of total operating and maintenance costs for a single facility, or for a
company that has more than one facility.
The need for experience, technical knowledge of the issues, and economic modeling expertise
has led to the successful development of needed economic decision tools. The decision analysis
systems have been designed to be easily used by the client’s staff and flexible enough to address
a wide range of engineering-economic issues.
• scenario analysis,
• probabilistic modeling,
• and decision trees (incorporating influence diagrams)
- in addressing the needs of its clients. For certain applications, we recommend the use of a
decision tree modeling approach for the reasons provided below.
Probabilistic models can be readily developed employing commercial spreadsheet modeling. The
analysis typically involves specifying the uncertainty in one or more input variables and
reporting the expected value (and precision) of the computed results. However, there is a major
drawback to this type of probabilistic modeling as opposed to using a decision tree model.
Namely, probabilistic modeling does not explicitly treat the decision process (options and
interrelationships). Strategies that specify combinations of decisions must be formulated outside
of the modeling framework as scenarios and implemented in the model by the analyst in a
logically consistent manner. What generally needs to be modeled as uncertain is the effectiveness
of inspection strategies in indicating equipment failure rates and the effectiveness of remediation
strategies in mitigating or delaying failures.
The evaluation of the “best” strategy depends on the risk preferences of the decision maker. The
“totally risk averse” decision maker will select a strategy with the least downside risk. The
evaluation of relative risk among strategies is often left to subjective decision making. We can
generate risk profiles for each analysis conducted so that the appropriate decision makers can be
more informed concerning the relative risks associated with each proposed strategy, including
reliability centered maintenance and other performance-centered programs.
• First-hand experience with engineering models and other tools (e.g., remaining useful life
analysis models) that are useful in determining component failure rates.
• Understand risk-based models used for developing strategies for operations,
inspections, and maintenance.
• The understanding of equipment failure modes. We have access to industry data on
equipment failure problems.
A well-constructed modeling framework is especially well suited for allowing the user to
examine the relative effectiveness of inspection and remediation options prior to conducting the
inspection or remediation. The following steps are generally involved in developing the
appropriate models and databases: