Integrity Management of Safety Critical Equipment and Systems

Wildfire Risk Assessment and Management
January 6, 2017

Life-cycle approach to integrity management

Process Containment Integrity Verification Questionnaire

The Hazards & Effects Management process is a formal framework, introduced in the late 1980s, for identifying hazards and for determining and managing risks. As part of this process, the duty holder needs to identify HSE Critical Equipment & Systems (HSECES), HSE critical activities and HSE critical integrity activities for the various phases of the project development life cycle.

Oil & Gas operators have established codes and standards that list typical HSE critical equipment and systems; however, applying only a prescriptive approach is not the intention. Identification of HSECES should be based on a goal-setting approach, with the prescriptive approach treated as the minimum requirement. One well-known goal-setting approach in current use is the ALARP demonstration process, in which the duty holder demonstrates that the risks have been reduced to a level that is balanced against the costs, effort and time required for further risk reduction.

A typical HSECES identification flowchart that adopts the prescriptive approach is shown below:

The above flowchart is a good starting point for identifying Health, Safety & Environmental Critical Equipment and Systems (HSECES). It should be applied to the project / asset equipment list, which ensures that the entire asset inventory has undergone the classification process.

To apply the goal-setting approach, HSECES should be further identified using the bowtie methodology. The bowties should be developed upon finalization of the formal safety studies, such as PHA, Hazard Identification Study (HAZID), Quantitative Risk Assessment (QRA), Escape & Evacuation Study, SIL, Dropped Object Assessment and Corrosion Risk Assessment.

The bowtie diagram is a useful tool for identifying HSECES. It starts by defining a top event, which is usually the major concern with respect to a major accident hazard; examples of top events are “loss of containment” or “structural failure”. On the left-hand side of the top event are the threats, or causes, that lead to the top event. The barriers, or threat controls, follow the Swiss Cheese Model and prevent the threats from developing into the top event; they reduce the likelihood of the top event. Should the integrity of the barriers be lost, the threats can penetrate and lead to the top event. On the right-hand side of the top event are the consequences. The recovery preparedness measures reduce the severity of the consequences; if their integrity is lost, the consequences can escalate, leading to increased severity. Loss of a barrier is termed escalation, and escalation factor controls reduce the likelihood of escalation.

The threat controls, recovery preparedness measures and escalation factor controls are either HSECES or HSE critical activities, depending on their type. The prescriptive list of HSECES will appear among some of the controls in the bowtie diagram; the complete list can only be arrived at through the goal-setting approach.

Applying the goal setting approach will answer the following questions:

  • Have all threats been identified?
  • Are the numbers of barriers adequate to reduce the risk to ALARP?
  • Are the integrity requirements of HSECESs appropriate, and will they ensure that each HSECES functions as intended in the event of a major accident?
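The bowtie described above can be held as a small data structure, from which the candidate HSECES list (equipment-type controls), the HSE critical activities and the paths that are short of barriers fall out mechanically. The following is an added example written for this page, not code from the paper or from any bowtie tool; the class and function names are the editor's own, and the top event, threats, controls and escalation factors are constructed for illustration. The minimum barrier count is a screening threshold assumed here; whether the barriers are adequate for ALARP remains a judgement made in the workshop.

```python
"""Bowtie model used to derive candidate HSECES from the threat controls,
recovery preparedness measures and escalation factor controls.

Added illustration: the bowtie content is constructed for the example and
the class/function names are assumptions, not any standard tool's API.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    kind: str  # "equipment" -> HSECES candidate, "activity" -> HSE critical activity
    # escalation factor (how this barrier can be lost) -> its escalation factor controls
    escalation_factors: dict = field(default_factory=dict)


@dataclass
class Threat:
    name: str
    controls: list  # threat controls: barriers on the left of the top event


@dataclass
class Consequence:
    name: str
    controls: list  # recovery preparedness measures on the right of the top event


@dataclass
class Bowtie:
    top_event: str
    threats: list
    consequences: list


def iter_controls(bowtie):
    """Yield every control on the bowtie, including escalation factor controls."""
    for path in bowtie.threats + bowtie.consequences:
        for control in path.controls:
            yield control
            for ef_controls in control.escalation_factors.values():
                yield from ef_controls


def hsecese_candidates(bowtie):
    """Equipment-type controls: the goal-setting HSECES list for this top event."""
    return sorted({c.name for c in iter_controls(bowtie) if c.kind == "equipment"})


def critical_activities(bowtie):
    """Activity-type controls: the HSE critical activities for this top event."""
    return sorted({c.name for c in iter_controls(bowtie) if c.kind == "activity"})


def barrier_gaps(bowtie, min_barriers=2):
    """Paths whose barrier count is below the assumed screening minimum.
    Returns {"threat:<name>" or "consequence:<name>": barrier count}."""
    gaps = {}
    for threat in bowtie.threats:
        if len(threat.controls) < min_barriers:
            gaps[f"threat:{threat.name}"] = len(threat.controls)
    for cons in bowtie.consequences:
        if len(cons.controls) < min_barriers:
            gaps[f"consequence:{cons.name}"] = len(cons.controls)
    return gaps


def escalation_factors_without_controls(bowtie):
    """Escalation factors recorded on a barrier that have no control against them."""
    return sorted(
        f"{c.name}: {ef}"
        for c in iter_controls(bowtie)
        for ef, ef_controls in c.escalation_factors.items()
        if not ef_controls
    )


# Constructed bowtie for a "loss of containment" top event (not from the paper).
EXAMPLE_BOWTIE = Bowtie(
    top_event="Loss of containment",
    threats=[
        Threat("Overpressure", [
            Control("Pressure safety valve", "equipment", escalation_factors={
                "PSV isolated for maintenance": [
                    Control("Isolation valve car-seal register", "activity")],
            }),
            Control("High pressure trip (SIF)", "equipment"),
        ]),
        Threat("External corrosion", [
            Control("Coating system", "equipment"),
            Control("Risk based inspection programme", "activity"),
        ]),
        Threat("Dropped object impact", []),  # no barrier identified yet
    ],
    consequences=[
        Consequence("Jet fire", [
            Control("Gas detection and emergency shutdown", "equipment",
                    escalation_factors={"Detector fouled": []}),
            Control("Passive fire protection", "equipment"),
        ]),
        Consequence("Toxic release", [
            Control("Emergency response plan", "activity"),
        ]),
    ],
)

if __name__ == "__main__":
    print("HSECES candidates:", hsecese_candidates(EXAMPLE_BOWTIE))
    print("HSE critical activities:", critical_activities(EXAMPLE_BOWTIE))
    print("Barrier gaps:", barrier_gaps(EXAMPLE_BOWTIE))
    print("Uncontrolled escalation factors:", escalation_factors_without_controls(EXAMPLE_BOWTIE))
```

Run against the constructed bowtie, the screen flags the threat with no barrier at all and the consequence with a single recovery measure, and separately lists the escalation factor that has no control; those are exactly the three questions above, asked of the diagram rather than of memory.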


HSE Critical Integrity activities are the design, construction, installation, commissioning, operation, modification, repair, inspection, testing or examination activities associated with assuring the integrity of an HSECES. These activities are different for each phase of the project.

The figure above presents a general approach adopted in identifying the HSE Critical Integrity activities for each project phase. The activities associated with each of these phases are discussed in subsequent chapters.

Design HSE Critical Integrity Activities

Design is the first and the last opportunity to introduce inherently safe concepts and built-in quality. The following design HSE Critical Integrity activities are suggested as examples:

Selection of Competent Design Team:

The team involved in design has a very important responsibility, as they are the architects of the future benefits or problems they sow. The team should have sufficient skills, knowledge, experience and training to undertake the design functions. The team should be aware of their limitations and have the courage and authority to consult experts in case of doubt. They should consider safety as “second nature” and should not compromise on safety for reasons governed by project schedule or costs. This requires competent and open-minded staff from both the Duty Holder and the Contractor.

Selection of Codes and Standards:

The first HSE Critical Integrity activity is the selection of appropriate Codes and Standards. This selection affects the overall safety of the process design, and inherently safe concepts can be introduced through it. Applying the rules listed in the codes ensures that the minimum requirement stipulated by the prescriptive method is met.

Maintaining Deviation List:

100% compliance with Codes and Standards is easier said than done. Any deviations need to be recorded and assessed through risk assessment studies, and such deviations should be approved only if the risks are demonstrated to be ALARP.

Maintaining Lessons Learnt from other Projects / Accidents:

Designs should benefit from lessons learnt as an initiative towards continuous improvement.

Formal Safety Studies:

A suitable variety of safety studies should be chosen, considering the types of HSECES involved in the project. PHA alone may not be sufficient, although additional studies may be recommended as an outcome of the PHA. Formal safety studies that add value to the design process include Fire & Explosion Analysis, Quantitative Risk Analysis, Emergency Systems Survivability Analysis, Escape, Evacuation and Rescue Analysis, Environmental Impact Assessment, Dropped Object Studies, Safety Integrity Level (SIL) Classification and Verification, Temporary Refuge Impairment Assessment, Structural Integrity Assessment and Vessel Failure Analysis. Aspects that need to be addressed by the formal safety studies include layout, process safety time, safety integrity of safety instrumented functions, depressurization analysis, fire proofing analysis and plant building risk assessments. Use of Computational Fluid Dynamics for explosion assessment is also extremely valuable in determining realistic explosion overpressures.

HSE Audits:

To ensure that the HSECES Management System is functioning as intended, internal / external audits should be undertaken during the design stage. The HSE Audits can help in identifying shortfalls that can be closed prior to closure of the project phase.

Project HSE Review (PHSER):

PHSER is a formal systematic method that reviews whether the HSE studies have been undertaken appropriately and the risks are reduced to ALARP.

Maintaining HSE Action Tracking Register:

The actions arising from all the studies that may have effect on HSE should be recorded and tracked continuously.

Independent Verification / Certification:

This activity requires an Independent Competent Person (ICP) to verify the integrity assurance activities associated with HSECES. As per code requirements, some HSECES are certified by a third party.

Procurement, Construction and Commissioning HSE Critical Integrity Activities

This phase covers the HSE Critical Integrity activities associated with Procurement, Fabrication, Receiving at Site, Storage and Retrieval, Construction and Installation, and Commissioning. The following HSE Critical Integrity activities are suggested as examples:

Vendor Selection and Prequalification:

A detailed study of Vendor Prequalification helps establish better confidence in project delivery.

Quality Assurance (QA):

QA during procurement helps ensure that the purchases conform to the design specifications. This activity includes several tasks, such as review of Vendor product data sheets and specifications and undertaking Factory Acceptance Tests and Site Acceptance Tests.

Record and Approval of Vendor Deviations:

Vendor deviation from design specifications should be recorded and approved only if the risks of non-compliance are demonstrated to be ALARP through appropriate risk assessment studies.

Shop Fabrication Quality Assurance:

QA for fabrication includes verification that specifications are followed and that shop practices do not compromise quality. Depending upon the importance of the equipment involved, facilities may use shop inspection and shop approval processes. Many jurisdictions require using a code-approved shop for fabrication of some equipment (e.g., relief valves, pressure vessels). These shops have previously undergone an inspection and may continue to be inspected regularly by third parties (e.g., jurisdictionally authorized personnel).

Quality Assurance during re-use of Material:

Used material that is procured or re-used should be subject to re-certification, Fitness for Service (FFS) assessment or adequate testing, so that the condition of the material does not compromise the overall HSECES integrity.

Quality Assurance during Material Receipt:

Material receipt stations, warehouses and laydown areas should undertake quality assurance activities through site acceptance tests to detect defects introduced during handling and transportation.

Quality Assurance during Storage and Retrieval:

Material should be stored as per Vendor storage procedures. Quality Assurance activities should ensure appropriate storage of material (temperature, humidity, cleanliness, vibration, segregation of exotic material, compatibility), appropriate material identification to avoid opportunities for materials to be misapplied, and inspection.

Quality Assurance during Construction and Installation:

Construction and installation are the last chance in the equipment life cycle to compensate for any QA vulnerabilities at earlier stages. Companies and facilities that do not correct vulnerabilities in the earlier stages of the life cycle should intensify QA for construction and installation. Errors made during installation can nullify a program full of good practices up to that point. Quality Assurance activities should ensure that controls are in place to prevent and/or detect installation errors (e.g., mixing low temperature valves with carbon steel valves, incorrect alignment of rotating equipment) before they lead to failures.

Quality Assurance during Repairs, Alterations and Rerating:

An alteration is any physical change in equipment that has design implications, such as a change that affects pressure-containing capability. Rerating is a change in the design temperature and/or the maximum allowable working pressure of the equipment. Because of the potentially catastrophic consequences of, and the technical issues involved in, this type of work, special QA requirements and Risk Assessment have to be defined in accordance with the applicable codes and standards. This quality assurance requirement also applies to in-service repairs, alterations and rerating during the operation phase.

Quality Assurance during Pre-commissioning and Commissioning:

Quality Assurance activities during commissioning include inspections, Pre-startup Safety Review (PSSR) studies, Pre-startup Audit, function testing of critical instrumentation, hydrotests and equipment commissioning tests. The presence of Vendors and the Independent Competent Person during such tests is beneficial, if not mandatory.

Operation HSE Critical Integrity Activities

The quality assurance activities associated with the operation phase include operation itself, maintenance, use of temporary equipment, in-service repairs, alterations and rerating, and use of spare parts.

Operation within Operating Envelope:

The integrity of the HSECES can only be ensured if operation stays within the operating envelope. The operating envelope should be clearly identified in the operating procedures. The Distributed Control System (DCS) should raise an alarm on deviation from the operating envelope, and the necessary actions should be detailed where the operator is required to act. Deviations from the operating envelope should be recorded and subjected to PHA (HAZOP) so that operational controls are identified.
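The envelope check and deviation register described above can be expressed directly. The block below is an added example written for this page, not code from the paper or from any DCS vendor; the tag names, limits, operator actions and readings are constructed, and the register format is the editor's assumption. It also handles the case the paragraph implies but does not spell out: a reading for a tag that has no envelope defined is itself a finding, since an undefined limit cannot be alarmed.

```python
"""Operating envelope deviation check of the kind a DCS alarm implements,
run over a constructed log of tag readings and producing the deviation
register that goes to PHA (HAZOP) review.

Added example: tags, limits, actions and readings are made up for
illustration and are not from the paper.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class EnvelopeLimit:
    tag: str
    low: float
    high: float
    unit: str
    operator_action: str  # the action the operating procedure details (assumed text)


# Constructed operating envelope for a hypothetical separator.
ENVELOPE = {
    "PT-101": EnvelopeLimit("PT-101", 5.0, 12.0, "bar",
                            "Reduce inlet flow; confirm PSV is not passing"),
    "TT-102": EnvelopeLimit("TT-102", 20.0, 80.0, "degC",
                            "Check heater control loop"),
    "LT-103": EnvelopeLimit("LT-103", 30.0, 70.0, "%",
                            "Verify level control valve position"),
}

# Constructed readings: (time, tag, value). Two deviations and one
# reading on a tag for which no envelope has been defined.
READINGS = [
    ("08:00", "PT-101", 9.8),
    ("08:00", "TT-102", 64.0),
    ("08:00", "LT-103", 55.0),
    ("08:05", "PT-101", 12.6),   # above the high limit
    ("08:05", "TT-102", 66.0),
    ("08:05", "LT-103", 28.0),   # below the low limit
    ("08:10", "PT-101", 11.9),
    ("08:10", "XX-999", 1.0),    # no operating envelope defined for this tag
]


def check_reading(envelope, tag, value):
    """Return None when the reading is inside the envelope, otherwise a
    short description of the deviation."""
    limit = envelope.get(tag)
    if limit is None:
        return "no operating envelope defined"
    if value < limit.low:
        return f"below low limit {limit.low} {limit.unit}"
    if value > limit.high:
        return f"above high limit {limit.high} {limit.unit}"
    return None


def deviation_register(envelope, readings):
    """Record every deviation with the operator action from the procedure,
    so that the register can be taken to PHA (HAZOP) review."""
    register = []
    for time, tag, value in readings:
        reason = check_reading(envelope, tag, value)
        if reason is None:
            continue
        action = (envelope[tag].operator_action if tag in envelope
                  else "Raise to engineering: tag has no defined envelope")
        register.append({"time": time, "tag": tag, "value": value,
                         "deviation": reason, "operator_action": action})
    return register


if __name__ == "__main__":
    for entry in deviation_register(ENVELOPE, READINGS):
        print(entry)
```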

Maintenance and Testing:

The HSECESs should be maintained and tested as per the requirements specified by the design studies or codes and standards. Maintenance and testing regimes can be based on Risk Based Inspection methodology.

Use of Spare Parts:

Quality Assurance requirements for spare parts are the same as those of the procurement, construction and commissioning phase.

Decommissioning HSE Critical Integrity Activities

HSE Critical Integrity Activities need to be defined for the decommissioning phase if the answer to any of the following questions is yes:

  • Will the HSECES be re-used?
  • Will the removal of the HSECES affect other operational HSECESs in the plant / facility?
  • Will the failure of the decommissioned HSECES adversely affect personnel health and safety, assets or the environment?

The quality assurance activities associated with the decommissioning phase include risk assessment for mothballing, draining, purging, storage and re-commissioning.

Technical Integrity Scheme

The Technical Integrity Scheme is a documented procedure, prepared by the Independent Competent Person, detailing the performance standards of the HSECESs for all phases of the facility. Performance Standards (PSs) are parameters that are measured or set so that the suitability and effectiveness of HSECES can be assured and verified. They are essential requirements that the HSECES must maintain throughout the lifecycle of the installation.

In the case of preventative measures (controls on the left hand side of the bowtie), these will be the parameters that are examined or measured to assure the integrity. For detection, control and mitigation measures (recovery preparedness measures on the right hand side of the bowtie), they will be parameters that demonstrate that the system has fulfilled its role in limiting the effects of the major accident event.

Each performance standard is defined based on the following criteria:

  • Functionality;
  • Reliability and Availability;
  • Survivability; and
  • Dependencies and Interactions.

Functionality is an expression used to define what the HSECES is required to do in order to establish and maintain integrity.

Reliability is defined as the required probability that the HSECES will operate on demand where required to maintain integrity.

Availability is defined as the extent to which the HSECES is required to be available in order to retain its functional integrity.

Survivability defines the external loading events associated with a major accident event against which the HSECES is required to retain its functional integrity.

Dependencies and Interactions:

This criterion identifies other HSECES that are critical to the functionality of the primary HSECES. By identifying these dependencies and interactions, it can be ensured that all interfaces are covered by the performance standard.

The performance standards include all the criteria that the HSE Critical Integrity activities need to meet, against which the HSECES are verified or tested during each phase of the project.
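The five criteria above can be recorded per HSECES and checked for completeness, and the dependencies and interactions criterion lends itself to two mechanical checks: that every dependency points at something that has itself been classified and given a performance standard, and that the dependency chains do not loop. The following is an added example written for this page, not the paper's scheme or any vendor's tool; the HSECES names and values are constructed, the probability-of-failure-on-demand form of the reliability criterion is an assumption, and the series-model availability estimate is a simplification used for screening, not a method the paper prescribes.

```python
"""Performance standard records for HSECES, with checks that each record is
complete, that every dependency refers to a classified HSECES, and that
dependency chains are acyclic.

Added example: names, values and the PFD/series-availability assumptions are
constructed for illustration and are not from the paper.
"""
from dataclasses import dataclass, field


@dataclass
class PerformanceStandard:
    hseces: str
    functionality: str       # what the item must do to maintain integrity
    reliability_pfd: float   # assumed form: required probability of failure on demand
    availability: float      # required fraction of time the item is available
    survivability: list      # external loading events it must withstand
    dependencies: list = field(default_factory=list)  # other HSECES it relies on


def validate_standards(standards):
    """Return findings against the five criteria; an empty list means consistent."""
    by_name = {ps.hseces: ps for ps in standards}
    findings = []
    for ps in standards:
        if not ps.functionality.strip():
            findings.append(f"{ps.hseces}: functionality not defined")
        if not 0.0 < ps.reliability_pfd < 1.0:
            findings.append(f"{ps.hseces}: reliability (PFD) out of range")
        if not 0.0 <= ps.availability <= 1.0:
            findings.append(f"{ps.hseces}: availability out of range")
        if not ps.survivability:
            findings.append(f"{ps.hseces}: survivability events not defined")
        for dep in ps.dependencies:
            if dep not in by_name:
                findings.append(f"{ps.hseces}: depends on unclassified item '{dep}'")
    return findings


def _reachable(graph, start):
    """Nodes reachable from start by following dependencies (start itself only if cyclic)."""
    seen, todo = set(), list(graph.get(start, []))
    while todo:
        node = todo.pop()
        if node in seen:
            continue
        seen.add(node)
        todo.extend(graph.get(node, []))
    return seen


def dependency_closure(standards, name):
    """Every HSECES the named item depends on, directly or indirectly."""
    graph = {ps.hseces: list(ps.dependencies) for ps in standards}
    return sorted(_reachable(graph, name) - {name})


def dependency_cycles(standards):
    """HSECES that transitively depend on themselves (an interface that cannot be verified)."""
    graph = {ps.hseces: list(ps.dependencies) for ps in standards}
    return sorted(n for n in graph if n in _reachable(graph, n))


def effective_availability(standards, name):
    """Series-model screening estimate: the item's availability multiplied by
    that of everything it depends on (simplifying assumption, not the paper's method)."""
    by_name = {ps.hseces: ps for ps in standards}
    value = by_name[name].availability
    for dep in dependency_closure(standards, name):
        if dep in by_name:
            value *= by_name[dep].availability
    return value


# Constructed set of performance standards (not from the paper).
STANDARDS = [
    PerformanceStandard("Emergency shutdown system",
                        "Isolate and depressurize on confirmed gas detection",
                        0.01, 0.99, ["jet fire, 30 min"],
                        ["Fire and gas detection", "Uninterruptible power supply"]),
    PerformanceStandard("Fire and gas detection",
                        "Detect flammable gas at 20% LEL and raise alarm",
                        0.05, 0.98, ["explosion overpressure 0.3 bar"],
                        ["Uninterruptible power supply"]),
    PerformanceStandard("Uninterruptible power supply",
                        "Maintain power to safety systems for 60 min",
                        0.01, 0.995, ["fire, 60 min"]),
    PerformanceStandard("Passive fire protection", "",           # functionality missing
                        0.001, 1.0, ["jet fire, 60 min"],
                        ["Structural steel"]),                   # not classified as HSECES
]

# Constructed pair that depend on each other, to show cycle detection.
CYCLIC_EXAMPLE = [
    PerformanceStandard("A", "x", 0.1, 0.9, ["e"], ["B"]),
    PerformanceStandard("B", "y", 0.1, 0.9, ["e"], ["A"]),
]

if __name__ == "__main__":
    for finding in validate_standards(STANDARDS):
        print("FINDING:", finding)
    print("ESD depends on:", dependency_closure(STANDARDS, "Emergency shutdown system"))
    print("Cycles:", dependency_cycles(CYCLIC_EXAMPLE))
```

On the constructed set the checks report the missing functionality statement and the dependency on an item that was never classified, which is the brownfield situation described later in the paper: a new HSECES relying on existing plant that has no performance standard of its own.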

Good Practices and Challenges Encountered

The first challenge is to identify all the HSECESs in the facility. The process suggested in this paper prefers a combination of the prescriptive and goal-setting approaches. A challenge encountered by the authors in applying this methodology is avoiding non-HSECES equipment or systems being classified as HSECES. It has been felt that during bowtie workshops several non-HSECES equipment and systems get classified as HSECES and thereby dilute the importance of HSECES. This can only be achieved by establishing smart rules and through brainstorming sessions.

Another challenge faced by the authors is linking existing HSECES and Performance Standards with new HSECES and their Performance Standards. In brownfield projects, it is quite likely that existing systems are not classified as HSECES. This creates a problem when there are links between new and existing facilities (e.g. structural modifications, new instrumentation linked to old instrumentation, process modifications). It is suggested that operating sites should identify existing HSECES and develop performance standards so that the HSE Critical Integrity activities can be defined during modification stages.

It is important that Designers are involved in identification of HSECES and aware of the HSECES during the early design stage. This helps in avoiding potential noncompliance with design performance standards that are established later on.
