
Integrity Management of Safety Critical Equipment and Systems
Life-cycle approach to integrity management

The Hazards & Effects Management process is a formal framework that was introduced in the
late 1980s as a methodology to identify hazards and to determine and manage risks. As part of
the Hazards & Effects Management process, the duty holder needs to identify HSE
Critical Equipment & Systems (HSECES), HSE critical activities and HSE critical integrity
activities for the various phases of the project development life cycle.

Oil & Gas operators have established codes and standards that list typical HSE critical
equipment and systems; however, applying only a prescriptive approach is not the intention.
Identification of HSECES should be based on a goal setting approach, with the
prescriptive approach as a minimum requirement. One of the well-known goal setting
approaches currently applied is the ALARP demonstration process, wherein the duty holder
should demonstrate that the risks have been reduced to a level that balances with the
costs, efforts and time required in risk reduction.

A typical HSECES identification flowchart that adopts the prescriptive approach is shown
below:

The above flowchart is a good starting point for identification of Health, Safety &
Environmental Critical Equipment Systems (HSECES). The application of this flowchart
should be on the project / asset equipment list, which ensures that the entire asset
inventory has undergone the classification process.

To apply the goal setting approach, Health, Safety & Environmental Critical Equipment
Systems (HSECES) should be further identified based on bowtie methodology. The
bowties should be developed upon finalization of the formal safety studies such as PHA,
Hazard Identification Study (HAZID), Quantitative Risk Assessment (QRA), Escape &
Evacuation Study, SIL, Dropped Object Assessment, and Corrosion Risk Assessment.

The bowtie diagram is a useful tool in identifying Health, Safety & Environmental Critical
Equipment Systems (HSECES). It starts with defining a top event, which is usually the
major concern with respect to a major accident hazard. Examples of a top event could be
“loss of containment” or “structural failure”. On the left hand side of the top event are the
threats or causes that lead to the top event. The barriers or threat controls follow the
Swiss Cheese Model and prevent the threats from developing into the top event. The threat
controls reduce the likelihood of the top event. Should the integrity of the barriers be lost,
the threats can penetrate and lead to the top event. On the right hand side of the top
event are the consequences. The recovery preparedness measures reduce the severity
of the consequence. If the integrity of the recovery preparedness measures is lost, the
consequences can escalate, leading to increased severity. Loss of a barrier is termed
escalation, and escalation factor controls reduce the likelihood of escalation.

The threat controls, recovery preparedness measures and escalation factor controls are
Health, Safety & Environmental Critical Equipment Systems (HSECES) or HSE critical
activities based on their type. The prescriptive list of Health, Safety & Environmental
Critical Equipment Systems (HSECES) will be part of some of the controls in the bowtie
diagram. The complete list is only expected to arrive from the goal setting approach.

Applying the goal setting approach will answer the following questions:

• Have all threats been identified?
• Are the numbers of barriers adequate to reduce the risk to ALARP?
• Are the integrity requirements of the HSECESs appropriate, and will they ensure that the HSECES
will function as intended in the event of a major accident?

HSE CRITICAL INTEGRITY ACTIVITIES

HSE Critical Integrity activities are the design, construction, installation, commissioning,
operation, modification, repair, inspection, testing or examination activities associated
with assuring the integrity of a Health, Safety & Environmental Critical Equipment
System (HSECES). These activities are different for each phase of the project.

The figure above presents a general approach adopted in identifying the HSE Critical
Integrity activities for each project phase. The activities associated with each of these
phases are discussed in subsequent chapters.

Design HSE Critical Integrity Activities

Design is the first and the last opportunity to introduce inherently safe concepts and build
in quality. The following design HSE Critical Integrity activities are suggested as
examples:

Selection of Competent Design Team:


The team involved in Design has a very important responsibility, as its members are the
architects of the future benefits or problems they sow. The team should have sufficient
skills, knowledge, experience and training to undertake the design functions. The team
should be aware of its limitations and have the courage and authority to consult experts
in case of doubt. Its members should consider safety as “second nature” and should not
compromise on safety for reasons governed by project schedule or costs. This requires
competent and open-minded staff from both the Duty Holder and Contractor.

Selection of Codes and Standards:


The first HSE Critical Integrity activity is associated with selecting appropriate Codes and
Standards. The selection of Codes and Standards affects the overall safety of the
process design. Inherently safe concepts can be introduced through this activity. Applying
the rules listed in the codes ensures that the minimum requirement stipulated by the
prescriptive method is met.

Maintaining Deviation List:


100% compliance with Codes and Standards is easier said than done. If there are
deviations, these need to be recorded and assessed through risk assessment
studies. Such deviations should be approved only if the risks are demonstrated to be
ALARP.

Maintaining Lessons Learnt from other Projects / Accidents:


Designs should benefit from lessons learnt as an initiative towards continuous
improvement.

Formal Safety Studies:


A good variety of safety studies should be chosen considering the types of HSECES that
are involved in the project. PHA alone may not be beneficial, although additional
studies can arise as recommendations from PHA. Some of the formal safety studies that
provide value to the design process include Fire & Explosion Analysis, Quantitative Risk
Analysis, Emergency Systems Survivability Analysis, Escape Evacuation and Rescue
Analysis, Environmental Impact Assessment, Dropped Object Studies, Safety Integrity
Limit (SIL) Classification and Verification, Temporary Refuge Impairment Assessment,
Structural Integrity Assessment, Vessel Failure analysis. Some of the aspects that need
to be addressed by the formal safety studies include layout, process safety time, safety
integrity of safety instrumented functions, depressurization analysis, fire proofing
analysis, plant building risk assessments. Use of Computational Fluid Dynamics for
explosion assessment is also extremely valuable in determining realistic explosion
overpressures.

HSE Audits:
To ensure that the HSECES Management System is functioning as intended, internal /
external audits should be undertaken during the design stage. The HSE Audits can help
in identifying shortfalls that can be closed prior to closure of the project phase.

Project HSE Review (PHSER):


PHSER is a formal systematic method that reviews whether the HSE studies have been
undertaken appropriately and the risks are reduced to ALARP.

Maintaining HSE Action Tracking Register:


The actions arising from all the studies that may have effect on HSE should be recorded
and tracked continuously.

Independent Verification / Certification:


This action requires an Independent Competent Person (ICP) to verify the integrity
assurance activities associated with HSECES. As per code requirements, some of the
HSECES are certified by a Third Party.

Procurement, Construction and Commissioning HSE Critical Integrity Activities

This phase covers the HSE Critical Integrity activities associated with
Procurement, Fabrication, Receiving at Site, Storage and Retrieval, Construction and
Installation, and Commissioning. The following design HSE Critical Integrity activities are
suggested as examples:

Vendor Selection and Prequalification:


A detailed study of Vendor Prequalification is helpful in establishing better confidence in
project delivery.

Quality Assurance (QA):


QA during procurement helps ensure that the purchases adhere to the specified design
specifications. This activity includes several tasks, such as reviewing Vendor product data
sheets and specifications and undertaking Factory Acceptance Tests and Site Acceptance
Tests.

Record and Approval of Vendor Deviations:


Vendor deviation from design specifications should be recorded and approved only if the
risks of non-compliance are demonstrated to be ALARP through appropriate risk
assessment studies.

Shop Fabrication Quality Assurance:


QA for fabrication includes verification that specifications are followed and that shop
practices do not compromise quality. Depending upon the importance of the equipment
involved, facilities may use shop inspection and shop approval processes. Many
jurisdictions require using a code-approved shop for fabrication of some equipment (e.g.,
relief valves, pressure vessels). These shops have previously undergone an inspection
and may continue to be inspected regularly by third parties (e.g., jurisdictionally
authorized personnel).

Quality Assurance during re-use of Material:


Procurement or re-use of used material should be subject to re-certification,
Fitness for Service (FFS) or adequate tests so that the integrity of the material does not
affect the overall HSECES integrity.

Quality Assurance during Material Receipt:


Material Receipt stations or warehouses / laydown areas should undertake quality
assurance activities through site acceptance tests to detect defects during handling and
transportation.

Quality Assurance during Storage and Retrieval:


Material should be stored as per Vendor storage procedures. Quality Assurance activities
should ensure appropriate storage of material (temperature, humidity, cleanliness,
vibration, segregation of exotic or material, compatibility), appropriate material
identification to avoid opportunities for materials to be misapplied, and inspection.

Quality Assurance during Construction and Installation:


Construction and installation are the last chance in the equipment life cycle to
compensate for any QA vulnerabilities at earlier stages. Companies and facilities that do
not correct vulnerabilities in the earlier stages of the life cycle should intensify QA for
construction and installation. Errors made during installation can nullify a program full of
good practices up to that point. Quality Assurance activities should ensure that controls
are in place to prevent and/or detect installation errors (e.g., mixing low temperature
valves with carbon steel valves, incorrect alignment of rotating equipment) before they
lead to failures.

Quality Assurance during Repairs, Alterations and Rerating:


Alteration is any physical change in equipment that has design implications, such as
changes that affect pressure containing capabilities. Rerating is a change in the design
temperature and/or the maximum allowable working pressure of the equipment. Because
of the potential catastrophic consequences of, and the technical issues involved with, this
type of work, special QA requirements and Risk Assessment have to be defined with
application of applicable codes and standards. This quality assurance requirement also
applies during in-service repairs, alterations and rerating during the operation phase.

Quality Assurance during Pre-commissioning and Commissioning:


Quality Assurance activities during commissioning include Inspections, Pre-startup
Safety Review (PSSR) studies, Pre-startup Audit, function testing of critical
instrumentation, hydrotests and equipment commissioning tests. The presence of Vendors
and an Independent Competent Person during such tests is beneficial, if not mandatory.

Operation HSE Critical Integrity Activities

The quality assurance activities associated with the operation phase cover operation
itself, including maintenance, use of temporary equipment, in-service repairs, alterations
and rerating, and use of spare parts.

Operation within Operating Envelope:


The integrity of the HSECES can only be ensured if the operation is within the operating
envelope. The operating envelope should be clearly identified in the operating
procedures. The Distributed Control System (DCS) should include an alarm in case of deviation
from the operating envelope, and the necessary actions should be detailed should the
operator be required to take action. The deviations from the operating envelope should
be recorded only and should be subject to PHA (HAZOP) so that operational controls are
identified.

Maintenance and Testing:


The HSECESs should be maintained and tested as per the requirements specified by the
design studies or codes and standards. Maintenance and testing regimes can be based
on Risk Based Inspection methodology.

Use of Spare Parts:

Quality Assurance requirements for spare parts are the same as those of the procurement,
construction and commissioning phase.

Decommissioning HSE Critical Integrity Activities

HSE Critical Integrity Activities need to be defined for the decommissioning phase in case any of
the below statements are true:

• Will the HSECES be re-used?
• Will the removal of HSECES affect other operational HSECESs in the plant / facility?
• Will the failure of the decommissioned HSECES adversely affect personnel health and safety,
assets and environment?

The quality assurance activities associated with the decommissioning phase include risk assessment
for mothballing, draining, purging, storage and re-commissioning.

Technical Integrity Scheme

The Technical Integrity Scheme is a documented procedure that is prepared by an
Independent Competent Person detailing the performance standards of the HSECESs for
all the phases of the facility. Performance Standards (PSs) are parameters that are
measured or set so that the suitability and effectiveness of Health, Safety &
Environmental Critical Equipment Systems (HSECES) can be assured and verified.
They are essential requirements that the HSECES must maintain throughout the lifecycle
of the installation.

In the case of preventative measures (controls on the left hand side of the bowtie), these
will be the parameters that are examined or measured to assure the integrity. For
detection, control and mitigation measures (recovery preparedness measures on the
right hand side of the bowtie), they will be parameters that demonstrate that the system
has fulfilled its role in limiting the effects of the major accident event.

Each performance standard is defined based on the following criteria:

• Functionality;
• Reliability and Availability;
• Survivability; and
• Dependencies and Interactions.


Functionality:
Functionality is an expression used to define what the Health, Safety & Environmental
Critical Equipment Systems (HSECES) is required to do in order to establish and
maintain integrity.

Reliability:
Reliability is defined as the required probability that the Health, Safety & Environmental
Critical Equipment Systems (HSECES) will operate on demand where required to
maintain integrity.

Availability:
Availability is defined as the extent to which the Health, Safety & Environmental Critical
Equipment Systems (HSECES) is required in order to retain its functional integrity.

Survivability:
Survivability defines the external loading events associated with a major accident event
against which the HSECES is required to retain its functional integrity.

Dependencies and Interactions:


This is used to identify other HSECES that are critical to the functionality of the primary
HSECES. By identifying these dependencies and interactions it can be ensured that all
interfaces are covered with the performance standard.

The performance standards include all the criteria that the HSE Critical Integrity activities
need to meet and against which the HSECES are verified or tested during each phase of the
project.

Good Practices and Challenges Encountered

The first challenge is to identify all the HSECESs in the facility. The process that is
suggested in this paper prefers a combination of the prescriptive and goal setting approaches.
A challenge encountered by the authors in applying this methodology is to avoid
non-HSECES related equipment or systems being classified as HSECES. It has been felt that
during bowtie workshops, several non-HSECES related equipment & systems get
classified as HSECES and thereby dilute the importance of HSECES. This can only
be achieved by establishing smart rules and through brainstorming sessions.

Another challenge faced by the authors is to link existing HSECES and Performance
Standards with new HSECES and their Performance Standards. In brownfield projects, it
is quite likely that existing systems are not classified as HSECES. This creates a problem
when there are links between new and existing facilities (e.g., structural modifications, new
instrumentation linked to old instrumentation, process modifications). It is suggested that
operating sites should identify existing HSECES and develop performance standards so
that the HSE Critical Integrity can be defined during modification stages.

It is important that Designers are involved in the identification of HSECES and are aware of the
HSECES during the early design stage. This helps in avoiding potential noncompliance
with design performance standards that are established later on.
