MECHANICAL INTEGRITY AS AN ELEMENT OF

PROCESS SAFETY MANAGEMENT

Arturo I. Peon
DuPont S.A. de C.V.

ABSTRACT
In simple terms, Process Safety Management (PSM) can be seen as a mandated Quality
program intended to: a) Make sure; b) the important things; c) are done right
To prevent catastrophic events leading to loss of life, significant property loss, or
damage to the environment. The mechanical integrity PSM element might be defined as
the program that assures the system integrity to contain hazardous substances, and that
is maintained throughout the life of the facility. Although this is a definition that is not
shared by everybody (there is the idea to include a more general term, as reliability), the
concept so defined forces us to focus in all the failures modes of the system (equipment,
human, system) that could affect the safety of people and communities, the environment
and the integrity of a facility. Although it is not easy or humble to say, as a company,
We will not make, handle, use, sell, transport, or dispose of a product unless we can do
so safely and in an environmentally sound manner it conveys a leadership message to
all the organization that everybody must share. This implies that essentially all the
failure modes are known, and a specific strategy to handle each of them should exist
since the early design concept until a facility is dismantled. That is the scope of a
Mechanical Integrity system should have. The main load of this safety effort relies on
the design of the facility and is spelled out in the specifications of the equipment and the
effort spent in the assurance of the quality of the equipment until its commissioning.
Once built, operations and maintenance needs to understand the intent of the design and
maintain this specification for the life time of the facility.
In USA, since the PSM and the Mechanical Integrity aspects were regulated, about three
or four round audits have been done in the majority of the facilities. In Latin-American
countries not all of them have regulated PSM or MI in a comprehensive regulation. An
important aspect to maintain the mechanical integrity of the facility relies on the regular
audits that should be performed to the system. Audit protocols are usually based on
statements to be assessed by an audit team. However a comprehensive management
system, based in mechanical integrity sub - elements as should be applied to each PSM
critical equipment would lead to assess the quality of the relationship among elements,
trying to build a thorough protection layer.
Such audits, made to several facilities in USA and Latin-American would reveal
important areas of opportunity. The main purpose of this paper is to reduce to the
greatest extend the consecutio temporum steps that comprises the PSM MI element and
provide management ideas on how to improve a MI program as applies to a LatinAmerican industry that handles hazardous materials based on the experience gained in
those audits.

INTRODUCTION
Companies need to earn the right granted them by society to operate. Over time the
demands of society in several areas are becoming more complex, demanding and
challenging. Lawsuits and safety requirements, environmental, social responsibility, and
other equally important matters that companies seeking the sustainability of its
operations, serve and even seek to establish codes of conduct voluntarily before they are
legally regulated.
This paper focuses on two elements of the Process Safety Management System (PSM):
Mechanical Integrity and Quality Assurance. Certainly PSM regulations have risen the
bar and increased demand after catastrophic incidents coming from the chemical, oil
and gas industries. DuPont has not been immune to this situation. Given the nature of its
operations, over more than 200 years, the attitude towards safety has been one of its
core values.
Since its founding as an explosives company in 1803, DuPont has had a core
value for safety and process safety, with E.I. DuPont noting that we must seek
to understand the hazards we live with.[Regarding Process Safety] The design of
the first powder mills, for example, included consideration of the production
facilities, minimization of ignition sources, blast resistant construction and
over-pressure venting, all intended to help minimize the effects of potential
incidentsi.
Although throughout the article we will not be talking about the responsibilities of
leadership, this does not imply that the sustainability of PSM and Mechanical Integrity
(MI) systems are independent of the leadership and its support. This was soon
discovered at DuPont:
E.I. DuPont also established clear management accountability in terms of
process safety in the operation of the powder mills, including a policy that line
management was accountable and that no employee may enter a new or rebuilt
mill until a member of top management has personally operated itii
Just for the sake of completion, it is worth to mention some important milestones
regarding PSM evolution within DuPont:
1915: Safe Operating Procedures, Management of Change
1950: Early application of the first computer to maintain records for
preventive maintenance of process equipment
1966 Introduction of Process Hazards Review wide company program.
1970 PSM is further developed, refined and in 1979 acquires its current
shape of 14 elements under the categories of technology, personnel
and facility.

1990: New focus on Operating Discipline to ensure PSM systems are

properly maintained and followed.
Given the diversity of processes and hazardous materials that are operated and handled
in the company, a respectable amount of experience and knowledge has been
accumulated. When working within the company, immersed in a culture of safety, it
does happen what happens to people in the language they speak. Few people could track
how they learned their native language. This same dilemma has been experienced in the
safety business of DuPont (DuPont Safety Resources). A considerable amount of effort
has been spent in the the task of sharing the company knowledge in the industrial
environment (not just safety). So a vision that helps to better share and communicate
the reliability and quality demanded from the Mechanical Integrity system, as an
element of PSM, is the main purpose of this paper, based on the experience gained with
the Latinamerica DuPonts consulting business.
Perhaps is human nature, but a rather successful starting point is the one that can be
built from an auditor point of view. We are talking about a mechanical integrity audit
looking into the whole system and focusing mainly on the quality of the
interrelationships among elements or subelements. Each element considered as a
process that connects its outcome to the next element. We will proceed through the
sequence marked by time (Consecutio Temporum), in the way we would conduct an
audit to the mechanical integrity system of a critical equipment family. This has the
advantage to show how the system should perform to accomplish its intended function.
An audit of this kind might be done in a day or a day and a half to a plant of the size you
might find in a refinery, gas processing or chemical facility. At the end of this paper,
briefly we will report the results of audits conducted in this way to several chemical and
petrochemical plants, showing only averages, in order to maintain the confidentiality of
data.

PROCESS SAFETY MANAGEMENT SYSTEM

The intended objective of the Process Safety Management System is to help the
occurrence of, or minimize the consequence of, catastrophic reseases of toxic or
explosive materialsiii iv. In addition to that, OSHA 1910.119 also states that this
regulation applies to a process which involves a chemical at or above the specified
threshold quantities, and the ones listed in an appendix.
When implementing a PSM or a MI system is convenient to keep this definitions at
hand. Keeping requirements at the minimum is important because is a way to avoid
discussion or confusion if something has to be done or the way to be done. Also helps to
avoid a sense of leniency in management or the workforce regarding to what has to be
done. You might find rather frequently an instilled cultural reluctance towards
compliance with PSM or MI regulations. This is not to say that the scope of the
underlying management system cant be expanded towards reliability and productivity
improvement. If it is decided to include these additional criteria, this makes bigger the
inertia of the system, and in some cases, confuse or overwhelm the whole organization
with the requirements and freedom degrees that other criteria might offer or accept
when resources are scarce .

In order to obtain a firmly rooted PSM system is convenient to start with a philosophic
statement like DuPonts:
We will not make, handle, use, sell, transport, or dispose of a product unless we
can do so safely and in an environmentally sound manner.
Process Safety Management is a comprehensive, integrated set of management systems
designed to help manage chemical risk and other types of process hazards with the
primary goal of preventing process related incidents and injuries. So PSM is directed
toward preventing serious, process-related incidents which might affect plant personnel,
off-site communities, the environment, or result in significant property loss or loss of
business. It involves the application of systems and controls to chemical, O&G, and all
the manufacturing processes in a way that hazards are identified, understood, and
controlled. So PSM is a mandated Quality program intended to:
Make sure
the important things
are done right
To prevent catastrophic events leading to loss of life, significant property loss, or
damage to the environment. The 14 DuPonts PSM system elements shown in the next
figure, comprises the way we:

Emergency Pl anning&
Response

Audi ting

QualityAssurance

Make sure the sum of the

managing systems (ticklers,
audits, record keeping,
management attention)

PreStartup
Safety Review
MechanicalIn

Managementof Change

The important things:

Identification of PSMcritical equipment,
processes, and tasks
performed

I nci dentInvestigation&
Reporting
Contrac tors

Trainingand
Performance
ProcessTechnol ogy

Managemento fChange
OperatingProceduresand
SafePractices

ProcessHazardsAnalysis

Are done right

Job procedures, test &
inspection methods, data
collection, analysis, and
follow-up

Mechanical Integrity.
From Mechanical Integrity definitions we might findv that MI means the process of
ensuring that process equipment is fabricated from the proper materials of construction
and is properly installed, maintained, and replaced to prevent catastrophic failures and
accidental releases. This might be spelled out as: All efforts focused on ensuring the
integrity of the process system or equipment (fluid and pressure boundaries) that

contains hazardous materials is maintained from the beginning to the end of life of the
facility
Containment is the word that will be guiding the Mechanical Integrity management
system-in this case. Containment of hazardous materials. So all the failure modes of the
process and equipment, related to the containment of hazardous materials from cradle to
grave (tomb) needs to be known and a specific strategy to handle each of them needs to
be put in place before a facility is built. So, our purpose is to focus an organization in all
efforts required to go, in engineering terms, from design to contruction, commissioning,
prestart safety startup, operation, maintenance up to dismantling a facility and, if
required, remediation although this shouldnt happen, it does usually in the case of
dismantling old facilities.
The following picture illustrates de DuPonts way to structure the Mechanical Integrity
System. Although in the remaining of the paper we will not focus specifically on the
Computer Maintenance Maintenance System (CMMS), it ought to be obvious that such
support is an important element to the MI System. And just to emphasize the point, a
MI audit, due to the CMMS importance, will be too, in a direct or indirect manner an
audit to the CMMS.
8

MECHANICAL INTEGRITY AND QUALITY ASSURANCE

QA OF NEW
EQUIPMENT

MAINTENANCE
PROCEDURES

INTRODUCTION

FOUNDATION

CAPACITACIN DE
TRAINING
MANTENIMIENTO

REPAIRS AND
ALTERATIONS

RELIABILITY
ENGINEERING

AUDITS

CAPACITACIN DE
MANTENIMIENTO
SPARE PARTS QA

INSPECTIONS AND
TESTINGS

Copyright 2009 DuPont. All rights reserved. The DuPont Oval Logo, DuPont, The miracles of science and (product/brand name) are registered trademarks
or trademarks of DuPont or its affiliates.

We might divide the evaluation process of the MI System for the purposes of this paper,
in the following major sequence: Technology, Ready To Run, Executing the MI
activities, Non Conformances and System Continuous Improvement. Before we proceed
with that sequence, a word needs to be said about the Operating Discipline System, then
the paper will concentrate in the audit process, but please keep in mind that, there are
several MI protocols already developed which are rather common to the industry, so
this part of the paper will focus just in differences of the proposed approach, in

expanding some concepts that have proven to be valuable to assess the quality of the MI
elements, due to the fact that they might represent areas of opportunity and
enhancement in the MI realm of Latinamericas O&G and chemical facilities.

OPERATING DISCIPLINE (OD)

Altough initially the Operating Discipline System was introduced in DuPont to help
ensure that PSM systems are properly maintained and followed, it might be obvious that
OD has expanded its role, and nowadays is an underlying system that supports all kinds
of activities and operations. Procedures should evolve in the organization conception
from been just a normative document that spells out how to do something to a Best
Practice owned and shared by all the workers that are in the need to know. This
means that the OD objective as reflected in each procedure focus in the best way to do
something; the safest and simplest way to do something, including quality, legal,
documentary, economic aspects of such activity. Just imagine the concept power: any
change that might be introduced in the company can be quickly implemented, almost
without inertia, once the change has been expressed in a procedure. ( By the way, note
the gear that is behing the MI System picture; it is the OD icon). The OD system might
be divided in four phases:
a) Availability, which is the phase where all activities to be done in certain area are
listed and then evaluated to see if a procedure is required, and if that is the case,
employees that will be using them are required to develop them. This has the
added value that procedures are owned by them, in a form that is understandable
to them. In Operations and or Maintenance is frequently that procedure
development is just a matter of copying a company standard or procedure
already developed and adapted to the particular activity and situation at hand.
b) Quality. This phase implies procedure reviews and aproval by supervisors and,
as in the case of critical procedures (ie.the ones of the MI system) by Subject
Matter Experts (SME)
c) Communication which is the phase where procedures are communicated to
workers, and in critical procedures, usually a training package tied to each
procedure is developed, usually known as a lesson plan. In PSM and MI
procedures, special consideration is spent in reviewing that trainers have also
their JCCs for the procedures that they will be teaching.
d) Compliance. A matrix of procedures that needs to be known by each worker is
developed. For each procedure, the workers supervisor or a SME conducts a
Job Cycle Check (JCC) and extends a kind of an internal registry stating that the
worker conducted the job in question step by step. Each JCC has a specified
validity according to criticality before another JCC is conducted or retraining is
needed. JCC for procedures that are not used regularly are normally conducted,
for example, before shutdowns.

TECHNOLOGY
The technology element of PSM is mainly integrated by the design basis of the process,
the design basis for the equipment, and the Materials Safety Data Sheets. Although it is
not a general rule, and at least in the area of concern, at the Latinamericas
manufacturing facilities, we could say that it is rather usual to find two kinds of
technical professionals: the ones that spent their working time in administrative roles
and the technical ones. Among the technical professionals, some of them are the facility
designers, and the others the ones that operates and maintains the facilityvi. As time goes
on, the ones focusing on design are usually much more aware of design documents,
regulations and standards. In order to design a proper Mechanical Integrity program, it
is essential that the ones that will operate or maintain the process and equipment to
understand in a rather profound manner the intent of the design.
If we look at the reliability definition as ". . . the probability of a system or component
to perform its required functions under stated conditions for a specified period of time,
we might conclude that quality (and the basis of quality assurance) might be seen as
9
compliance with an equipment
specification, and reliability as
TECHNOLOGY
the (organization) capability to
maintain along the passage of
P&I
time that specification. John
Moubrayvii, for example, states
N
that once manufactured, there is
Criti cal Equipment
an inherent reliability of the
List
equipment, and that it is not the
maintenance function to improve
it. Although this might be true, it
Process & Eq
Design Ba sis
is convenient to accept that
operation and maintenance
should focus in making an
effective use of the equipment
capability as it is spelled out in the technology. If changes are required, that is the main
focus of the Management of Change PSM element. Any required change must be
reflected in the design of a chemical, O&G or other kinds of manufacturing facilities;
this means, updating all the technological package.
CMMS

1.1

1.2

Taxonomy

1.3

Critical Eq.
Criteria

1.4

Design & QA
Docum en ts

QA
Documents

1.5

PHA

C opy right 2 0 0 9 DuP ont. All rights r e s er v e d. The D uPont O v a l Logo , D uPo nt, Th e m ira c le s of s c ie nc e a nd ( produ ct /bra nd na m e ) a re r e gis te re d tr a de m a rk s
or tra de m a rk s o f DuP ont or ti s a ffilia te s .

So, the PSM Technology element main objective is to spell out the main function and
requirements to each equipment involved in the design. It spells out and takes into
account the safety risks, as well as the operation, maintenance, quality, and
environmental aspects of the facility. It reflects all the actions and considerations taken
around all the identified risks of the facility. That is the main purpose of the Process
Hazard Analysis PSM element.
So the proposed audit protocol sketch to exhibit the quality of the relationship among
PSM and MI elements would be, for a critical family of equipment (and we might think
of Pressure Safety Valves as an example, unless other equipment family is specified),
something likeviii:

1.1 Let me see the Process and Instrument drawings (P&I) of the plant.
1.2 You would count how many pieces (N) of critical equipment are in those drawings.
1.3 May I see the critical equipment list?
1.4 & 1.5 Please, may I see N equipment document files, including calculation and
specification data sheets?
Experience shows that the Critical Equipment List is a point where a lot of discussion
and heat generates in many organizations. Some considerations around this point
deserves emphasizing some points:
a) An equipment critical lists might be developed for safety, environmental, quality
or production. It needs to be recognized that if an equipment is critical, this
shouldnt be a last minute decision by operations or maintenance professionals,
neither this should lead to conclude that there are degrees of freedom to act or
not act regarding an operations or maintenance task, or delay an inspection an
undetermined amount of time.
b) Critical equipment that might affect MI of the plant is usually different than the
one that might affect product quality or the production capability. The same
difference is applicable to the respective failure modes. Each failure mode or
each criteria of criticality usually leads to a different critical task and a different
amount of times per unit of time that this critical task needs to be done.
c) You might define MI critical equipment based on a simple set of criteria, like
DuPonts: all the equipment that is wetted by a hazardous substance, and all the
equipment that provides you a safety margin, or is used to detect, control and
aminorate a contingency etc or something more elaborated like using a risk
based criteria like RBI (Risk Based Inspections). You may consider that some
equipment has a higher risk than another and conclude that inspections and tests
might be done at different time intervals. What it is important to recognize is
that once defined, and the RAGAGEPs (Recognized and Generally Accepted
Good Engineering Practices) rational is documented, tasks and frequencies have
been adjusted correspondingly so the organization should focus on compliance.
It might be advisable to keep the critical equipment list in a written form and attached as
an appendix to a critical family MI procedure. If it is possible to rely on this list, the list
could reflect the set of information for each equipment that is going later to be used by
several professionals, and helps to identify when an equipment is introduced, modified,
replaced or removed from the system, and it might be used too to audit the CMMS.

READINESS TO RUN
If we recognize that the opportunity an O&M team has when a facility is being built, as
a period of time to fully acquire the design intent of the facility, we could elaborate the
many things that the team
could develop along this
READINESS TO RUN
one, two or three years
period regarding
Operations, Equipment,
Equipment
2.1
Catalog &
Safety, Health and
Manuals
Environment (SHE),
Critical Spare
Quality, Information
2.2
Parts
Systems (In the MI arena,
the CMMS),
MI
2.3
Failure Modes
Organization, computers,
etcix.
R ed Se rvice

CMMS

R CM

Acceptance
Cr ite ria

Cr iteria &
Frequency

Appx, Cri teria,

Frequ ency &
Critical Data
QA cri teria

2.4

Planning
Procedure and
Registry

Reliability
Data, Quality
Criteria
(Taxonomy)

Readiness to Run is the

way this period is known.
JTA
2.5
The main objective of
this team during this
period of time is the
planning, assembly and development of a functioning manufacturing organization that
is capable of safely and effectively starting up the new unit. From the MI System, this
paragraph describes the most important tasks that should be done to better build and
implement a MI program taking advantage of the benefits of working along this period
of time: a) having access and manage to get a complete set of design information b) The
possibility to influence the maintainability of the equipment, c) access to designers and
manufacturers. This is the best period of time to develop a sound MI program: Failure
Mode And Effects Analysis (FMEA), Maintenance procedures, Training and
performance of maintenance personnel, Quality control procedures, Equipment tests and
inspections, including predictive and preventive maintenance, and Reliability
engineering. So the proposed audit protocol sketch for a critical family of equipment
along this phase, could be drafted as:
WO

C opyright 20 09 DuP ont. All rights r e ser ved. The D uPont O va l Logo , D uPo nt, Th e m ira cle s of sc ienc e and ( produ ct /bra nd nam e) a re r egistered tr adem arks
or trade ma rks o f DuP ont or ti s affiliate s.

2.1)
2.2)

2.3)

Show me please N Catalogs and manufacturer manuals

Which are the critical spare parts? For all the critical spare parts, has the
CMMS been linked to the manufacturers data base, so errors in spare parts
specifications on future purchase orders are minimized? Have QA
requirements of critical spare parts already been considered within the red
servicex procedures and protocols?
Which are the failure modes for this critical equipment failures that could
lead to a loss of containment or reduce the safety margin that should be
provided? Which are the acceptance criteria(s) to be applied after an
inspection, test or preventive or predictive maintenance task, according to
applicable RAGAGEPs? Have all failure modes been identified and coded
(taxonomy)? Which are the reliability data quality criteriaxi? Each failure
mode ought to have a strategy to cope with the envisioned risk or damage.

10

2.4)

2.5)

Is there a procedure for planning all the inspections and maintenance tasks
for each of this failure mode? Which are the criterias used to establish the
frequency? Is there an appendix that registers the reasons why frequencies
and tasks have been assigned to cope with each failure mode of the
equipment, and that will be used in the future to capture all the wisdom
gained when reviewing the effectiveness of the MI Program for the critical
equipment family at hand? What are the professional credentials of the SME
developing this analysis? Which are the codes and editions referenced that
will be the basis for inspections, procedures, data, reports, that will be
registered for each equipment with the passage of time? Which is the basic
structure of the specific Work Order (CMMS) that will be used when
performing the intended task? What information and data will have to be
reported or gathered each time the inspection or test task is performed? Is
QA spare parts tracking information required? Are inspections to be done by
operators already defined? Have infrastructure elements already considered
and inspected? Does the equipment file contents already defined? Have
codes and revisions documented so changes in them can be identified?
Have O & M personnel already developed a Job Task Analysis (JTA) to
define the knowledge, skills and abilities for properly executing the intended
tasks? Which are the materials that should be used as procedures lesson
plans? Which is the required functional capacity Personnel Protective
Equipment, Inspection and Testing equipment, tools, etc.? Is this a work
that is going to be done by in-house personnel or a contractor? Which are the
certification or JCC qualifications required to assure the quality of this
jobxii?

After reviewing the previous paragraphs it might be obvious the importance of this
phase to build a quality MI program. Please note that it is at the 2.3 paragraph where
usually we come back when improving the critical family MI process.

MANAGING AND EXECUTING A MI PROGRAM

Once the previous foundation blocks have already been constructed, the next phase is
the execution of the MI program. Please keep in mind that this paragraph focus in the
structural column to perform the usual MI tasks which are mainly inspections and tests.
Some variations are needed for certain MI critical families like PPE, safety equipment,
Safety Interlocks Systems, etc. Following the pattern of the previous MI audit draft to
test the quality of the relationship among elements:
3.1)

3.2)

3.3)

Has the procedure on how to perform the task made by the operators that
will be using it? Has this procedure taken into account all the information
generated in the 2.4 stepxiii? Has the procedure been reviewd and authorized
by a SME?
Review the functional capacity for inspections and testing. Is the equipment
the proper one to perform an inspection or testing for MI critical equipment
(for example the type and capacity of a PSV testing banks)? Is the
equipment in good condition and its calibration is not outdated?
Does the plan for all the critical equipment list being developed (Cf
CMMS)? Are frequencies consistent with the outcome of 2.4? Which is the
average time to get spare parts? At least for the acquisition time, have all the
required spare parts for the plan being or in the process to be acquired? Are
the requirements for red service of this critical parts defined and followed?
Are the conditions for keeping quality and traceability of this type of spare
parts specified and followed?
11

Managing and Executing a MI Program

3.1

Procedure

3.2

Functionally
Capacity

3.3

Plan*

3.4

Schedule*

3.5

WHO*

3.6

WO1*

3.7

Execution And
Documentation*

3.8

Acceptance
Criteria*

Spare Parts & QA

(Red Service)

* CMMS
Copyright 2009 DuPont. All rights reserved. The DuPont Oval Logo, DuPont, The miracles of science and (product/brand name) are registered trademarks
or trademarks of DuPont or its affiliates.

3.4)

Which has been the schedule for the last N critical Equipment? Has it been
accomplished within the defined time?

3.5)

3.6)
3.7)

3.8)

May I See the last N workorders for all this critical family equipment? Who
are the persons who performed this job? Is their JCC complete and on time
before scheduling process took place? Is it normal for the maintenance
scheduler verify training or retraining in the procedure before assigning
workers to execute this work order?
Are all the N workorders completely filled according to the outcome of
paragraph 2.3 and 2.4? Are all failure modes being reported?
Is it possible to observe the execution of one of this jobs? Is information
about the condition of equipment reported? For traceability purposes, when
required, has the information being recorded? Are Work Orders (WO)
technically closed?
As rather frequently there are instruments and equipments that could
mechanically gather information on the condition of the equipment to be
inspected, is necessary to verify that work order information is complete and
that the Acceptance criteria is observed. A proper qualified or certified
professional needs to review and accept that the equipment fulfills MI
requirements to continue its operation, Fitness For Purpose (FFP), so the
legal aspects of the inspection or test are fulfilled. So, does the Acceptance
Criteria of the last N inspections have been reviewed by a SME ? Does the
SME has its JCC made on time and aware of the last procedures or code
changes? As a result of the evaluation, sometimes it is just to report and
make set points adjustment (cathodic protection), in some other cases: does
critical spare parts needs to be replaced for example, the procedure might
ask that, if the pre-pop test of a PSV is not within 2% of the required
pressure, have springs, etc. been replaced-?

NON CONFORMITIES
When inspections, tests or predictive maintenance tasks for critical equipment doesnt
comply with the acceptance criteria
we face a non conformity. The
Non Conformance
process described in this paragraph
WO
recognizes that it might be rather
Non
frequent that the responsibility, the
Conformance
administrative or the authority span
MOC/QA
of technical professionals or SMEs
WHO
is limited. That is the reason why
special mechanisms are necessary
Inspector
when, for example, is necessary to
Documentation
define temporary or special permits
and Equipment
File
to operate the equipment in a
derrated form, or when an
equipment deficiency requires to
shutdown a facility and allocate the necessary resources to solve the non conformances,
which might be in a temporary or definitive manner, replacement in kind or an
equipment modifications is required, that is fundamental to involve business and plant
managers. Any way, non conformances is something that needs to be managed, tracked
and solved. Due to the fact that temporary fixes tends to become permanent, and, in
the past, that kind of things has led to catastrophic incidents, a strict tracking
12

4.1

4.2

4.3

4.4

4.5

4.6

C opy right 2 0 0 9 DuP ont. All rights r es er v e d. The D uPont O v a l Logo , D uPo nt, Th e m ira cles of s c ie nc e a nd ( produ ct /bra nd nam e) a re r e gis te re d tr a de m a rk s
or tra de m a rks o f DuP ont or it s a ffiliates .

mechanism involving management until deficiencies are corrected in a permanent

manner is necessary. So a formal mechanism to clearly communicate to managers all
non conformances and allocate to them the responsibility of resource allocations, to
make the necessary arrangements to plan and schedule a shutdown, and finally verify
the complete elimination of the equipment deficiency.
It is rather usual, for example, that an insurance company auditor asks for the non
conformances that a facility have had, and then, with the objective of evaluating the
capability the MI system has to eliminate all equipment or process non conformances,
the auditors ask for the complete Management Of Change document package
conforming to the PSM and MI regulations intent.
There is another important item. If an inspection or test is overdue, should it be
considered a nonconformity? Several families of critical equipment requires a
shutdown to complete the MI program. In these cases it might be expected to find
delays, and reality has shown us that those delays might be in the order of years. This
situation compromises the whole MI system, so a simple and clear criteria of how much
time might an inspection or test be overdue before is considered the delay itself a
nonconformity.
So, the audit protocol that focus on the quality of the interrelationship of this elements,
could be drafted in this manner:
4.1)

4.2)

4.3)

4.4)
4.5)

Review if the information of the N inspectionsxiv or test work orders have

documented that the MI acceptance criteria is fulfilled. For those that dont
(N2), could you show N2 work orders (or depending the magnitude of the
deficiency, scopes of work) been issued to correct the deficiency? Has the
damage been evaluated and the repair scope clearly defined? Is the due date
of the repair clearly spelled out? Is the information of the first work order
linked to the second work order o scope of work (traceability)?
Is there a procedure to elaborate a weekly or monthly non conformance
report? Is the responsibility to elaborate it clearly stated? Is this report
distributed to plant managers and supervisors, and equipment deficiencies
are maintained in this report until they are satisfactorily solved?
Has Root Cause And Failure Analysis been done for this failure? Is the
management of change document elaborated before the repairs are done?
Are the SME involved and they have reviewed and authorized all the
modifications? Are the scope of work, equipment and personnel or
contractors qualification or certification stated? Does PHAs or other legal
requirements specified? Have the technology documents already been
updated? Procedures and CMMS?
For the repairs done, are the personnel or contractors qualifications or
certifications as required in the previous point? Are procedures and QA
documents complete?
Who was the inspector that witnessed the repair and certifies that all
requirements are fulfilled? Which are the personnel records that
demonstrates that trained people has done the repair job, including inspector
certifications? Do we have N2 nonconformance closures? Are all them
within the due dates specified by the SME in point 4.1 above?

CONTINUOUS IMPROVEMENT PROCESS

The process of improvement the MI system has two sources of information.
5.1)

Are 1st or 2nd part audits performed to the MI system? Are

recommendations written and its fulfillment tracked through a Correction
and Action Request (CAR) System?.
5.2) Does SME and
13
or Reliability
MI System Improvement
Engineers
reviewing the
effectiveness of
the MI System?
Audits
Does the rate of
deterioration of
CAR System
the equipment
calculated? Are
the construction
materials
capable of
accepting the
different failure
modes? Have
spare parts been available? How easy have the repairs been done? Which is
the remaining life of the equipment? Have operation conditions changedxv?
Have environmental conditions changed? Are there new techniques that
could lead to a better and more economic way to assure the FFS of the
equipment? Are Mean Time Between Failures (MTBF) of one area
comparable to another area? Are equipment MTBFs comparable to the
manufacturers specifications? Are the environment conditions as stated in
the specification the same conditions where the equipment is performing its
intended function? Are the recommendations obtained from this analysis
employed to enhance the performance of the Mechanical Integrity System?
Does Root Cause and Failure Analysis been done for critical equipment
performance versus its specifications?
3.8

5.1

5.2

Analysis, Reliability
and Continuo us
Improvement

Weybu ll
Analysis

Improving
PPM

R esource
Requirements

Replacement

Redesign

MOC

MOC

3.2

MOC

2.3

2.4

1.5

C opy right 2 0 0 9 DuP ont. All rights r e s er v e d. The D uPont O v a l Logo , D uPo nt, Th e m ira c le s of s c ie nc e a nd ( produ ct /bra nd na me ) a re r e gis te re d tr a de ma rk s
or tra de ma rk s o f DuP ont or it s a ffilia te s .

THE RELIABILITY OF THE MI SYSTEM

Each of the described phases of the MI system could be measured in terms of the
probability that the work to be accomplished in each phase is capable to maintain the
inherent reliability of the equipment. The reliability of the four phases would be:

= 1 2 3 4
Having the purpose of defining how many pieces of equipment form a critical family
you could assure that have gone through all the previous steps in a satisfactory manner,
the following table gives you a glimpse of 14 audit results done to a total of 296 PSV
(Pressure Safety Valves) from Chemical and O &G plants, the following table gives you
a glimpse of what this numbers might look:

PHASE
TECHNOLOGY
READINESSTOOPERATE
EXECUTION
NONCONFORMANCES

%OK
27
57
66
NA

The word glimpse was used because there is no traceability of what happens to
individual PSVs, along the whole MI audit. In addition to that several MI System
Areas of opportunity were discovered that could affect the whole phase, and in an effort
to make a positive evaluation this were the overall results. Making audits in this
manner looks at aligned holes across the several layers of the MI elements, and as you
might suppose, this kind of audits generates many recommendations. However we will
briefly name some of the most common issues.
Some of the major lessons learned in the technology are:
1) For example, just defining N you might find that compared to the original
design, you have, for a plant: 138 +7 -17. This means: the P&I shows 138 PSV,
17 have been eliminated, and 7 have been replaced and no documentation
guarantees that the equipment fulfills the spec. A root cause analysis of this
failure discovered that for these facilities was easier to buy another whole PSV
than just to replace the internals, and selection was done under an economic
criteria.
2) There are not calculations to select the proper valve. Several plants initiated an
effort to redo their design basis of their pressure relief valves. Several facilities
showed that there have been pressure sources that have changed the flows and
pressures, invalidating the original PSV selection.
3) It happened that PSV were tested and calibrated to pressures that were not the
ones stated in the technology phase. Frequently that pressure was lower than
required and no MOC document indicated the reason.
Some of the major lessons learned in the readiness to operate are:
1) In several critical families was found that codes have changed, and consideration
for new failure modes are not taken into account. That is the case, for example,
in critical pipes: as compared to old codes, now an estimation of pressure or
temperature cycles is needed (as in compressor heads or dehydrator equipment)
in order to assess the possibility of metal fracture, or other failure modes that
require a more systematic follow up to include all applicable onesxvi.
2) Testing of electrical protection was done injecting signals directly to the relays,
however it was discovered during an audit that the ground conductor and the
phase conductor were passed through the Current Transformer hole, rendering
useless the whole failure to ground protection which is the most common.
3) For PSV there was no acceptance criteria.
Some lessons from the execution phase:

1) Functional capacity might be a source of problems. In the PSV case it was found
that the testing bench had not the capacity required to calibrate gas PSVs, and
frequently, the when testing opening/resettin pressure of a gas PSV, the
equipment did it that with liquids instead of gases.
2) Talking about PSVs. 17% of PSVs, and about 10 % of them were completely
out of control, and had not been tested at the corresponding intervals at least in
the last 15 years.
3) Some other times, Inspection and Test procedures were carried incompletely.
That is the case of pressure vessels. In some plants they had 100% external
inspections, but non of them had been internally inspected.
4) Some other times there was not an acceptance critiria. In some other cases, no
minimum thickness requirements were established for critical pipes.
However, in a strict sense, what we can say from the above results, is that we cant
assure that the audited equipment will maintain its inherent reliability.

CONCLUSIONS
It has been shown the value of making MI system audits looking for the quality of the
interrelation among MI subelements, in the quality that needs to be instilled in each of
them and the information that should be shared among different organizations and
PSM, MI phases, elements or subelements. Depending on the development stage of a
company, it might be wise that focusing in developing a MI system considering only in
maintaining the integrity of all the hazardous materials boundaries or the pressure ones,
helps to instill an almost military discipline to the organization, focusing on the most
critical tasks to accomplish that integrity.
There is no doubt that once the organization is capable of maintaining the integrity of
the MI Management system, the vision and experience gained in implementing and
sustaining it can be applied towards improving the effectiveness of companies assets.
i

Two Hundred Years of PSM at DuPont. James A. Klein, C. Curtis Clements, and
David E. Cummings.Risk Management: the path Forward, 20th Annual CCPS
International Conference, April 11-13, 2005.
ii
Cf. Idem.
iii
OSHA 1910.119: Stated purpose. This section contains requirements for preventing or
minimizing the consequences of catastrophic releases of toxic, reactive, flammable, or
explosive chemicals. These releases may result in toxic, fire or explosion hazards
iv
Cf. API 750
v
Cf 40 C.F.R. 68.3 Definitions.
vi
This is not to say that O&M personnel shouldnt participate in the project team.
vii
Cf RCMII, Reliability Centered Maintenance, John Moubray. McGraw Hill. 1999.
viii
Please keep in mind that in order to maintain generality, when applying the proposed
protocol, natural variations should occur, like if we are talking about electrical matters
we might be talking of Control or One line Diagrams, or as in the case of Safety
Instrumented Systems we might be talking of Logic and loop diagrams (or equivalent).
ix
Manufacturig Practices for Business Excellece. Readiness to Operate. DuPont Asset
Productivity Team. AR 1999-ENGR-85, Versin 1.

Brifly stated the scope of the red service procedure for spare parts is: to specify,
request, purchase, manufacturing and inspection, transporting, receiving, storing,
inspecting, install and use of critical spare parts (AQ).
xi
Handbook on Quality of Reliability Data. Statistical Series No. 4. An ESReDA
working Group Report. DNV. 1999.
xii
DuPonts Common Maintenance Skills. The underlined procedures are the ones that
are PSM related.
xiii
Appendix B: Common Points of API, OSHA, EPA. Guidelines for Writing Effective
Operating and Maintenance Procedures. American Institute of Chemical Engineers.
1996.
xiv
We might be talking of inspector reports.
xv
Expanded Risk Based Inspection - Corrosion Operating Windows, Keith F. Briegel,
Rohm and Haas Company, CORROSION 2008, March 16 - 20, 2008. New Orleans
LA2008. NACE International.
xvi
API 571