MECHANICAL INTEGRITY AS AN ELEMENT OF PROCESS SAFETY MANAGEMENT Arturo I. Peon DuPont S.A. de C.V.

ABSTRACT In simple terms, Process Safety Management (PSM) can be seen as a mandated Quality program intended to: a) Make sure; b) the important things; c) are done right To prevent catastrophic events leading to loss of life, significant property loss, or damage to the environment. The mechanical integrity PSM element might be defined as the program that assures the system integrity to contain hazardous substances, and that is maintained throughout the life of the facility. Although this is a definition that is not shared by everybody (there is the idea to include a more general term, as reliability), the concept so defined forces us to focus in all the failures modes of the system (equipment, human, system) that could affect the safety of people and communities, the environment and the integrity of a facility. Although it is not easy or humble to say, as a company, “We will not make, handle, use, sell, transport, or dispose of a product unless we can do so safely and in an environmentally sound manner” it conveys a leadership message to all the organization that everybody must share. This implies that essentially all the failure modes are known, and a specific strategy to handle each of them should exist since the early design concept until a facility is dismantled. That is the scope of a Mechanical Integrity system should have. The main load of this safety effort relies on the design of the facility and is spelled out in the specifications of the equipment and the effort spent in the assurance of the quality of the equipment until its commissioning. Once built, operations and maintenance needs to understand the intent of the design and maintain this specification for the life time of the facility. In USA, since the PSM and the Mechanical Integrity aspects were regulated, about three or four round audits have been done in the majority of the facilities. In Latin-American countries not all of them have regulated PSM or MI in a comprehensive regulation. An important aspect to maintain the mechanical integrity of the facility relies on the regular audits that should be performed to the system. Audit protocols are usually based on statements to be assessed by an audit team. However a comprehensive management system, based in mechanical integrity sub - elements as should be applied to each PSM critical equipment would lead to assess the quality of the relationship among elements, trying to build a thorough protection layer. Such audits, made to several facilities in USA and Latin-American would reveal important areas of opportunity. The main purpose of this paper is to reduce to the greatest extend the consecutio temporum steps that comprises the PSM MI element and provide management ideas on how to improve a MI program as applies to a Latin-American industry that handles hazardous materials based on the experience gained in those audits.

INTRODUCTION Companies need to earn the right granted them by society to operate. Over time the demands of society in several areas are becoming more complex, demanding and challenging. Lawsuits and safety requirements, environmental, social responsibility, and other equally important matters that companies seeking the sustainability of its operations, serve and even seek to establish codes of conduct voluntarily before they are legally regulated. This paper focuses on two elements of the Process Safety Management System (PSM): Mechanical Integrity and Quality Assurance. Certainly PSM regulations have risen the bar and increased demand after catastrophic incidents coming from the chemical, oil and gas industries. DuPont has not been immune to this situation. Given the nature of its operations, over more than 200 years, the attitude towards safety has been one of its core values.

“Since its founding as an explosives company in 1803, DuPont has had a core value for safety and process safety, with E.I. DuPont noting that “we must seek to understand the hazards we live with.[Regarding Process Safety] The design of the first powder mills, for example, included consideration of the production facilities, minimization of ignition sources, blast – resistant construction and over-pressure venting, all intended to help minimize the effects of potential incidents”i.

Although throughout the article we will not be talking about the responsibilities of leadership, this does not imply that the sustainability of PSM and Mechanical Integrity (MI) systems are independent of the leadership and its support. This was soon discovered at DuPont:

“E.I. DuPont also established clear management accountability in terms of process safety in the operation of the powder mills, including a policy that line management was accountable and that “no employee may enter a new or rebuilt mill until a member of top management has personally operated it”ii

Just for the sake of completion, it is worth to mention some important milestones regarding PSM evolution within DuPont:

1915: Safe Operating Procedures, Management of Change 1950: Early application of the first computer to maintain records for

preventive maintenance of process equipment 1966 Introduction of Process Hazards Review wide company program. 1970 PSM is further developed, refined and in 1979 acquires its current

shape of 14 elements under the categories of technology, personnel and facility.

1990: New focus on Operating Discipline to ensure PSM systems are properly maintained and followed.

Given the diversity of processes and hazardous materials that are operated and handled in the company, a respectable amount of experience and knowledge has been accumulated. When working within the company, immersed in a culture of safety, it does happen what happens to people in the language they speak. Few people could track how they learned their native language. This same dilemma has been experienced in the safety business of DuPont (DuPont Safety Resources). A considerable amount of effort has been spent in the the task of sharing the company knowledge in the industrial environment (not just safety). So a vision that helps to better share and communicate the reliability and quality demanded from the Mechanical Integrity system, as an element of PSM, is the main purpose of this paper, based on the experience gained with the Latinamerica DuPont´s consulting business. Perhaps is human nature, but a rather successful starting point is the one that can be built from an auditor point of view. We are talking about a mechanical integrity audit looking into the whole system and focusing mainly on the quality of the interrelationships among elements or subelements. Each element considered as a process that connects its outcome to the next element. We will proceed through the sequence marked by time (Consecutio Temporum), in the way we would conduct an audit to the mechanical integrity system of a critical equipment family. This has the advantage to show how the system should perform to accomplish its intended function. An audit of this kind might be done in a day or a day and a half to a plant of the size you might find in a refinery, gas processing or chemical facility. At the end of this paper, briefly we will report the results of audits conducted in this way to several chemical and petrochemical plants, showing only averages, in order to maintain the confidentiality of data.

PROCESS SAFETY MANAGEMENT SYSTEM The intended objective of the Process Safety Management System is to help the occurrence of, or minimize the consequence of, catastrophic reseases of toxic or explosive materialsiii iv. In addition to that, OSHA 1910.119 also states that this regulation applies to a process which involves a chemical at or above the specified threshold quantities, and the ones listed in an appendix. When implementing a PSM or a MI system is convenient to keep this definitions at hand. Keeping requirements at the minimum is important because is a way to avoid discussion or confusion if something has to be done or the way to be done. Also helps to avoid a sense of leniency in management or the workforce regarding to what has to be done. You might find rather frequently an instilled cultural reluctance towards compliance with PSM or MI regulations. This is not to say that the scope of the underlying management system can´t be expanded towards reliability and productivity improvement. If it is decided to include these additional criteria, this makes bigger the inertia of the system, and in some cases, confuse or overwhelm the whole organization with the requirements and freedom degrees that other criteria might offer or accept when resources are scarce .

In order to obtain a firmly rooted PSM system is convenient to start with a philosophic statement like DuPont´s:

“We will not make, handle, use, sell, transport, or dispose of a product unless we can do so safely and in an environmentally sound manner.”

Process Safety Management is a comprehensive, integrated set of management systems designed to help manage chemical risk and other types of process hazards with the primary goal of preventing process related incidents and injuries. So PSM is directed toward preventing serious, process-related incidents which might affect plant personnel, off-site communities, the environment, or result in significant property loss or loss of business. It involves the application of systems and controls to chemical, O&G, and all the manufacturing processes in a way that hazards are identified, understood, and controlled. So PSM is a mandated Quality program intended to:

Make sure the important things

are done right

To prevent catastrophic events leading to loss of life, significant property loss, or damage to the environment. The 14 DuPont´s PSM system elements shown in the next figure, comprises the way we:

Make sure the sum of the managing systems (ticklers, audits, record keeping, management attention) The important things: Identification of PSM-critical equipment, processes, and tasks performed Are done right Job procedures, test & inspection methods, data collection, analysis, and follow-up

Mechanical Integrity. From Mechanical Integrity definitions we might findv that “MI means the process of ensuring that process equipment is fabricated from the proper materials of construction and is properly installed, maintained, and replaced to prevent catastrophic failures and accidental releases”. This might be spelled out as: All efforts focused on ensuring the integrity of the process system or equipment (fluid and pressure boundaries) that

Pre‐Start‐upSafety  Review

Emergency  Pl anning  & Response

Management of Change

Inci dent Investigation &  Reporting

Contrac tors

Management of  ChangeProcess Hazards Analysis

Process Technol ogy

Mechanical In

Quality AssuranceAudi ting

Training and Performance

Operating Procedures and Safe Practices

contains hazardous materials is maintained from the beginning to the end of life of the facility

“Containment” is the word that will be guiding the Mechanical Integrity management system-in this case. Containment of hazardous materials. So all the failure modes of the process and equipment, related to the containment of hazardous materials from cradle to grave (tomb) needs to be known and a specific strategy to handle each of them needs to be put in place before a facility is built. So, our purpose is to focus an organization in all efforts required to go, in engineering terms, from design to contruction, commissioning, prestart safety startup, operation, maintenance up to dismantling a facility and, if required, remediation –although this shouldn´t happen, it does usually in the case of dismantling old facilities. The following picture illustrates de DuPont’s way to structure the Mechanical Integrity System. Although in the remaining of the paper we will not focus specifically on the Computer Maintenance Maintenance System (CMMS), it ought to be obvious that such support is an important element to the MI System. And just to emphasize the point, a MI audit, due to the CMMS importance, will be too, in a direct or indirect manner an audit to the CMMS.

Copyright © 2009 DuPont. All rights reserved. The DuPont Oval Logo, DuPont™, The miracles of science™ and (product/brand name)® are registered trademarks or trademarks of DuPont or its affiliates.

8

MECHANICAL INTEGRITY AND QUALITY ASSURANCE

QA OF NEW EQUIPMENT

MAINTENANCE PROCEDURES

CAPACITACIÓN DE MANTENIMIENTO

CAPACITACIÓN DE MANTENIMIENTOSPARE PARTS QA

TRAINING

INSPECTIONS AND TESTINGS

REPAIRS AND ALTERATIONS

RELIABILITY ENGINEERING AUDITS

FOUNDATIONINTRODUCTION

We might divide the evaluation process of the MI System for the purposes of this paper, in the following major sequence: Technology, Ready To Run, Executing the MI activities, Non Conformances and System Continuous Improvement. Before we proceed with that sequence, a word needs to be said about the Operating Discipline System, then the paper will concentrate in the audit process, but please keep in mind that, there are several MI protocols already developed which are rather common to the industry, so this part of the paper will focus just in differences of the proposed approach, in

expanding some concepts that have proven to be valuable to assess the quality of the MI elements, due to the fact that they might represent areas of opportunity and enhancement in the MI realm of Latinamerica´s O&G and chemical facilities.

OPERATING DISCIPLINE (OD) Altough initially the Operating Discipline System was introduced in DuPont to help ensure that PSM systems are properly maintained and followed, it might be obvious that OD has expanded its role, and nowadays is an underlying system that supports all kinds of activities and operations. Procedures should evolve in the organization conception from been just a normative document that spells out how to do something to a Best Practice owned and shared by all the workers that are in “the need to know”. This means that the OD objective as reflected in each procedure focus in the best way to do something; the safest and simplest way to do something, including quality, legal, documentary, economic aspects of such activity. Just imagine the concept power: any change that might be introduced in the company can be quickly implemented, almost without inertia, once the change has been expressed in a procedure. ( By the way, note the gear that is behing the MI System picture; it is the OD icon). The OD system might be divided in four phases:

a) Availability, which is the phase where all activities to be done in certain area are listed and then evaluated to see if a procedure is required, and if that is the case, employees that will be using them are required to develop them. This has the added value that procedures are owned by them, in a form that is understandable to them. In Operations and or Maintenance is frequently that procedure development is just a matter of copying a company standard or procedure already developed and adapted to the particular activity and situation at hand.

b) Quality. This phase implies procedure reviews and aproval by supervisors and, as in the case of critical procedures (ie.the ones of the MI system) by Subject Matter Experts (SME)

c) Communication which is the phase where procedures are communicated to workers, and in critical procedures, usually a training package tied to each procedure is developed, usually known as a lesson plan. In PSM and MI procedures, special consideration is spent in reviewing that trainers have also their JCC´s for the procedures that they will be teaching.

d) Compliance. A matrix of procedures that needs to be known by each worker is developed. For each procedure, the worker´s supervisor or a SME conducts a Job Cycle Check (JCC) and extends a kind of an internal registry stating that the worker conducted the job in question step by step. Each JCC has a specified validity according to criticality before another JCC is conducted or retraining is needed. JCC for procedures that are not used regularly are normally conducted, for example, before shutdowns.

TECHNOLOGY The technology element of PSM is mainly integrated by the design basis of the process, the design basis for the equipment, and the Materials Safety Data Sheets. Although it is not a general rule, and at least in the area of concern, at the Latinamerica´s manufacturing facilities, we could say that it is rather usual to find two kinds of technical professionals: the ones that spent their working time in administrative roles and the technical ones. Among the technical professionals, some of them are the facility designers, and the others the ones that operates and maintains the facilityvi. As time goes on, the ones focusing on design are usually much more aware of design documents, regulations and standards. In order to design a proper Mechanical Integrity program, it is essential that the ones that will operate or maintain the process and equipment to understand in a rather profound manner the intent of the design. If we look at the reliability definition as ". . . the probability of a system or component to perform its required functions under stated conditions for a specified period of time”, we might conclude that quality (and the basis of quality assurance) might be seen as

compliance with an equipment specification, and reliability as the (organization) capability to maintain along the passage of time that specification. John Moubrayvii, for example, states that once manufactured, there is an inherent reliability of the equipment, and that it is not the maintenance function to improve it. Although this might be true, it is convenient to accept that operation and maintenance should focus in making an effective use of the equipment

capability as it is spelled out in the technology. If changes are required, that is the main focus of the Management of Change PSM element. Any required change must be reflected in the design of a chemical, O&G or other kinds of manufacturing facilities; this means, updating all the technological package. So, the PSM Technology element main objective is to spell out the main function and requirements to each equipment involved in the design. It spells out and takes into account the safety risks, as well as the operation, maintenance, quality, and environmental aspects of the facility. It reflects all the actions and considerations taken around all the identified risks of the facility. That is the main purpose of the Process Hazard Analysis PSM element. So the proposed audit protocol sketch to exhibit the quality of the relationship among PSM and MI elements would be, for a critical family of equipment (and we might think of Pressure Safety Valves as an example, unless other equipment family is specified), something likeviii:

C opyright © 2009 DuP ont. All rights r eser ved. The D uPont O va l Logo , D uPo nt™, Th e m iracles of science™ and ( produ ct /brand name) ® are r egiste red tr ademarks or trademarks o f DuP ont or it s affilia tes.

9

P & I

N

Design & QA Documents

Process & EqDesign Basis

Critical Equipment List

1.1

1.2

1.3

1.4

1.5

QADocuments

Taxonomy

Critical Eq. Criteria

CMMS

PHA

TECHNOLOGY

1.1 Let me see the Process and Instrument drawings (P&I) of the plant. 1.2 You would count how many pieces (N) of critical equipment are in those drawings. 1.3 May I see the critical equipment list? 1.4 & 1.5 Please, may I see N equipment document files, including calculation and

specification data sheets? Experience shows that the “Critical Equipment List” is a point where a lot of discussion and heat generates in many organizations. Some considerations around this point deserves emphasizing some points:

a) An equipment critical lists might be developed for safety, environmental, quality or production. It needs to be recognized that if an equipment is critical, this shouldn´t be a last minute decision by operations or maintenance professionals, neither this should lead to conclude that there are degrees of freedom to act or not act regarding an operations or maintenance task, or delay an inspection an undetermined amount of time.

b) Critical equipment that might affect MI of the plant is usually different than the one that might affect product quality or the production capability. The same difference is applicable to the respective failure modes. Each failure mode or each criteria of criticality usually leads to a different critical task and a different amount of times per unit of time that this critical task needs to be done.

c) You might define MI critical equipment based on a simple set of criteria, like DuPont´s: “all the equipment that is wetted by a hazardous substance, and all the equipment that provides you a safety margin, or is used to detect, control and aminorate a contingency … etc” or something more elaborated like using a risk based criteria like RBI (Risk Based Inspections). You may consider that some equipment has a higher risk than another and conclude that inspections and tests might be done at different time intervals. What it is important to recognize is that once defined, and the RAGAGEP´s (Recognized and Generally Accepted Good Engineering Practices) rational is documented, tasks and frequencies have been adjusted correspondingly so the organization should focus on compliance.

It might be advisable to keep the critical equipment list in a written form and attached as an appendix to a critical family MI procedure. If it is possible to rely on this list, the list could reflect the set of information for each equipment that is going later to be used by several professionals, and helps to identify when an equipment is introduced, modified, replaced or removed from the system, and it might be used too to audit the CMMS.

READINESS TO RUN If we recognize that the opportunity an O&M team has when a facility is being built, as a period of time to fully acquire the design intent of the facility, we could elaborate the many things that the team could develop along this one, two or three years period regarding Operations, Equipment, Safety, Health and Environment (SHE), Quality, Information Systems (In the MI arena, the CMMS), Organization, computers, etcix. Readiness to Run is the way this period is known. The main objective of this team during this period of time is the planning, assembly and development of a functioning manufacturing organization that is capable of safely and effectively starting up the new unit. From the MI System, this paragraph describes the most important tasks that should be done to better build and implement a MI program taking advantage of the benefits of working along this period of time: a) having access and manage to get a complete set of design information b) The possibility to influence the maintainability of the equipment, c) access to designers and manufacturers. This is the best period of time to develop a sound MI program: Failure Mode And Effects Analysis (FMEA), Maintenance procedures, Training and performance of maintenance personnel, Quality control procedures, Equipment tests and inspections, including predictive and preventive maintenance, and Reliability engineering. So the proposed audit protocol sketch for a critical family of equipment along this phase, could be drafted as:

2.1) Show me please N Catalogs and manufacturer manuals 2.2) Which are the critical spare parts? ¿For all the critical spare parts, has the

CMMS been linked to the manufacturers data base, so errors in spare parts specifications on future purchase orders are minimized? Have QA requirements of critical spare parts already been considered within the “red servicex” procedures and protocols?

2.3) Which are the failure modes for this critical equipment failures that could lead to a loss of containment or reduce the safety margin that should be provided? Which are the acceptance criteria(s) to be applied after an inspection, test or preventive or predictive maintenance task, according to applicable RAGAGEP´s? Have all failure modes been identified and coded (taxonomy)? Which are the reliability data quality criteriaxi? Each failure mode ought to have a strategy to cope with the envisioned risk or damage.

C opyright © 2009 DuP ont. All rights r eser ved. The D uPont O va l Logo , D uPo nt™, Th e m iracles of sc ience™ and ( produ ct /brand name) ® are r egistered tr ademarks or trademarks o f DuP ont or it s affiliates.

10

READINESS TO RUN

“Planning”Procedure and

Registry

2.1

2.2

2.3

2.4

2.5WO

RCM

Equipment Catalog & Manuals

Critical Spare Parts

MIFailure Modes

JTA

Reliability Data, Quality

Criteria (Taxonomy)

Acceptance Cr iteria

Appx, Cri teria, Frequ ency & Critical Data QA cri teria

Criteria & Frequency

CMMS

Red Service

2.4) Is there a procedure for planning all the inspections and maintenance tasks for each of this failure mode? Which are the criteria’s used to establish the frequency? Is there an appendix that registers the reasons why frequencies and tasks have been assigned to cope with each failure mode of the equipment, and that will be used in the future to capture all the wisdom gained when reviewing the effectiveness of the MI Program for the critical equipment family at hand? What are the professional credentials of the SME developing this analysis? Which are the codes and editions referenced that will be the basis for inspections, procedures, data, reports, that will be registered for each equipment with the passage of time? Which is the basic structure of the specific Work Order (CMMS) that will be used when performing the intended task? What information and data will have to be reported or gathered each time the inspection or test task is performed? Is QA spare parts tracking information required? Are inspections to be done by operators already defined? Have infrastructure elements already considered and inspected? Does the equipment file contents already defined? Have codes and revisions documented so changes in them can be identified?

2.5) Have O & M personnel already developed a Job Task Analysis (JTA) to define the knowledge, skills and abilities for properly executing the intended tasks? Which are the materials that should be used as procedure´s lesson plans? Which is the required functional capacity – Personnel Protective Equipment, Inspection and Testing equipment, tools, etc.? Is this a work that is going to be done by in-house personnel or a contractor? Which are the certification or JCC qualifications required to assure the quality of this jobxii?

After reviewing the previous paragraphs it might be obvious the importance of this phase to build a quality MI program. Please note that it is at the 2.3 paragraph where usually we come back when improving the critical family MI process.

MANAGING AND EXECUTING A MI PROGRAM Once the previous foundation blocks have already been constructed, the next phase is the execution of the MI program. Please keep in mind that this paragraph focus in the structural column to perform the usual MI tasks which are mainly inspections and tests. Some variations are needed for certain MI critical families like PPE, safety equipment, Safety Interlocks Systems, etc. Following the pattern of the previous MI audit draft to test the quality of the relationship among elements:

3.1) Has the procedure on how to perform the task made by the operators that will be using it? Has this procedure taken into account all the information generated in the 2.4 stepxiii? Has the procedure been reviewd and authorized by a SME?

3.2) Review the functional capacity for inspections and testing. Is the equipment the proper one to perform an inspection or testing for MI critical equipment (for example the type and capacity of a PSV testing banks)? Is the equipment in good condition and its calibration is not outdated?

3.3) Does the plan for all the critical equipment list being developed (Cf CMMS)? Are frequencies consistent with the outcome of 2.4? Which is the average time to get spare parts? At least for the acquisition time, have all the required spare parts for the plan being or in the process to be acquired? Are the requirements for “red service” of this critical parts defined and followed? Are the conditions for keeping quality and traceability of this type of spare parts specified and followed?

Copyright © 2009 DuPont. All rights reserved. The DuPont Oval Logo, DuPont™, The miracles of science™ and (product/brand name)® are registered trademarks or trademarks of DuPont or its affiliates.

11

Managing and Executing a MI Program

3.1

3.4

3.5

3.6

3.8

Procedure

Plan*

FunctionallyCapacity

WHO*

WO1*

Execution And Documentation*

Acceptance Criteria*

3.7

3.2

Schedule*

* CMMS

Spare Parts & QA (Red Service)3.3

3.4) Which has been the schedule for the last N critical Equipment? Has it been

accomplished within the defined time?

3.5) May I See the last N workorders for all this critical family equipment? ¿Who are the persons who performed this job? Is their JCC complete and on time before scheduling process took place? Is it normal for the maintenance scheduler verify training or retraining in the procedure before assigning workers to execute this work order?

3.6) Are all the N workorders completely filled according to the outcome of paragraph 2.3 and 2.4? Are all failure modes being reported?

3.7) Is it possible to observe the execution of one of this jobs? Is information about the condition of equipment reported? For traceability purposes, when required, has the information being recorded? Are Work Orders (WO) technically closed?

3.8) As rather frequently there are instruments and equipments that could mechanically gather information on the condition of the equipment to be inspected, is necessary to verify that work order information is complete and that the Acceptance criteria is observed. A proper qualified or certified professional needs to review and accept that the equipment fulfills MI requirements to continue its operation, Fitness For Purpose (FFP), so the “legal” aspects of the inspection or test are fulfilled. So, does the Acceptance Criteria of the last N inspections have been reviewed by a SME ? Does the SME has its JCC made on time and aware of the last procedures or code changes? As a result of the evaluation, sometimes it is just to report and make set point’s adjustment (cathodic protection), in some other cases: ¿does critical spare parts needs to be replaced –for example, the procedure might ask that, if the pre-pop test of a PSV is not within 2% of the required pressure, have springs, etc. been replaced-?

NON CONFORMITIES When inspections, tests or predictive maintenance tasks for critical equipment doesn’t

comply with the acceptance criteria we face a non conformity. The process described in this paragraph recognizes that it might be rather frequent that the responsibility, the administrative or the authority span of technical professionals or SME´s is limited. That is the reason why special mechanisms are necessary when, for example, is necessary to define temporary or special permits to operate the equipment in a derrated form, or when an equipment deficiency requires to

shutdown a facility and allocate the necessary resources to solve the non conformances, which might be in a temporary or definitive manner, replacement in kind or an equipment modifications is required, that is fundamental to involve business and plant managers. Any way, non conformances is something that needs to be managed, tracked and solved. Due to the fact that temporary fixes tends to become “permanent”, and, in the past, that kind of things has led to catastrophic incidents, a strict tracking

C opyright © 2009 DuP ont. All rights r eser ved. The D uPont O val Logo , D uPo nt™, Th e m iracles of science™ and ( produ ct /brand name) ® are r egistered tr ademarks or trademarks o f DuP ont or it s affiliates.

12

Non Conformance

4.1

4.3

4.4

4.5

WO2

Non Conformance

MOC/QA

WHO

Documentation and Equipment

File4.6

4.2

Inspector

mechanism involving management until deficiencies are corrected in a permanent manner is necessary. So a formal mechanism to clearly communicate to managers all non conformances and allocate to them the responsibility of resource allocations, to make the necessary arrangements to plan and schedule a shutdown, and finally verify the complete elimination of the equipment deficiency. It is rather usual, for example, that an insurance company auditor asks for the non conformances that a facility have had, and then, with the objective of evaluating the capability the MI system has to eliminate all equipment or process non conformances, the auditors ask for the complete Management Of Change document package conforming to the PSM and MI regulations intent. There is another important item. If an inspection or test is overdue, should it be considered a nonconformity? Several families of critical equipment requires a shutdown to complete the MI program. In these cases it might be expected to find delays, and reality has shown us that those delays might be in the order of years. This situation compromises the whole MI system, so a simple and clear criteria of how much time might an inspection or test be overdue before is considered the delay itself a nonconformity. So, the audit protocol that focus on the quality of the interrelationship of this elements, could be drafted in this manner:

4.1) Review if the information of the N inspectionsxiv or test work orders have documented that the MI acceptance criteria is fulfilled. For those that don´t (N2), could you show N2 work orders (or depending the magnitude of the deficiency, scopes of work) been issued to correct the deficiency? Has the damage been evaluated and the repair scope clearly defined? Is the due date of the repair clearly spelled out? Is the information of the first work order linked to the second work order o scope of work (traceability)?

4.2) Is there a procedure to elaborate a weekly or monthly non conformance report? Is the responsibility to elaborate it clearly stated? Is this report distributed to plant managers and supervisors, and equipment deficiencies are maintained in this report until they are satisfactorily solved?

4.3) Has Root Cause And Failure Analysis been done for this failure? Is the management of change document elaborated before the repairs are done? Are the SME involved and they have reviewed and authorized all the modifications? Are the scope of work, equipment and personnel or contractors qualification or certification stated? Does PHA’s or other legal requirements specified? Have the technology documents already been updated? Procedures and CMMS?

4.4) For the repairs done, are the personnel or contractors qualifications or certifications as required in the previous point? Are procedures and QA documents complete?

4.5) Who was the inspector that witnessed the repair and certifies that all requirements are fulfilled? Which are the personnel records that demonstrates that trained people has done the repair job, including inspector certifications? Do we have N2 nonconformance closures? Are all them within the due dates specified by the SME in point 4.1 above?

C opyright © 2009 DuP ont. All rights r eser ved. The D uPont O val Logo , D uPo nt™, Th e m iracles of science™ and ( produ ct /brand name) ® are r egistered tr ademarks or trademarks o f DuP ont or it s affiliates.

13

MI System Improvement

5.1 5.2

AuditsAnalysis, Reliability

and Continuous Improvement

CAR System

Resource Requirements

MOC

2.4

WeybullAnalysis

Improving PPM

MOC

2.3

Replacement

3.2

Redesign

MOC

1.5

3.8

CONTINUOUS IMPROVEMENT PROCESS The process of improvement the MI system has two sources of information.

5.1) Are 1st or 2nd part audits performed to the MI system? Are recommendations written and its fulfillment tracked through a Correction and Action Request (CAR) System?.

5.2) Does SME and or Reliability Engineers reviewing the effectiveness of the MI System? Does the rate of deterioration of the equipment calculated? Are the construction materials capable of accepting the different failure modes? Have

spare parts been available? How easy have the repairs been done? Which is the remaining life of the equipment? Have operation conditions changedxv? Have environmental conditions changed? Are there new techniques that could lead to a better and more economic way to assure the FFS of the equipment? Are Mean Time Between Failures (MTBF) of one area comparable to another area? Are equipment MTBF’s comparable to the manufacturers specifications? Are the environment conditions as stated in the specification the same conditions where the equipment is performing its intended function? Are the recommendations obtained from this analysis employed to enhance the performance of the Mechanical Integrity System? Does Root Cause and Failure Analysis been done for critical equipment performance versus its specifications?

THE RELIABILITY OF THE MI SYSTEM Each of the described phases of the MI system could be measured in terms of the probability that the work to be accomplished in each phase is capable to maintain the inherent reliability of the equipment. The reliability of the four phases would be: λ = λ1 λ2 λ3 λ4 Having the purpose of defining how many pieces of equipment form a critical family you could assure that have gone through all the previous steps in a satisfactory manner, the following table gives you a glimpse of 14 audit results done to a total of 296 PSV (Pressure Safety Valves) from Chemical and O &G plants, the following table gives you a glimpse of what this numbers might look:

PHASE  % OK TECHNOLOGY  27 READINESS TO OPERATE  57 EXECUTION  66 NON CONFORMANCES  NA  The word “glimpse” was used because there is no traceability of what happens to individual PSV´s, along the whole MI audit. In addition to that several MI System Areas of opportunity were discovered that could affect the whole phase, and in an effort to make a positive evaluation this were the overall results. Making audits in this manner looks at “aligned holes” across the several layers of the MI elements, and as you might suppose, this kind of audits generates many recommendations. However we will briefly name some of the most common issues. Some of the major lessons learned in the technology are:

1) For example, just defining N you might find that compared to the original design, you have, for a plant: 138 +7 -17. This means: the P&I shows 138 PSV, 17 have been eliminated, and 7 have been replaced and no documentation guarantees that the equipment fulfills the spec. A root cause analysis of this failure discovered that for these facilities was easier to buy another whole PSV than just to replace the internals, and selection was done under an economic criteria.

2) There are not calculations to select the proper valve. Several plants initiated an effort to redo their design basis of their pressure relief valves. Several facilities showed that there have been pressure sources that have changed the flows and pressures, invalidating the original PSV selection.

3) It happened that PSV were tested and calibrated to pressures that were not the ones stated in the technology phase. Frequently that pressure was lower than required and no MOC document indicated the reason.

Some of the major lessons learned in the readiness to operate are:

1) In several critical families was found that codes have changed, and consideration for new failure modes are not taken into account. That is the case, for example, in critical pipes: as compared to old codes, now an estimation of pressure or temperature cycles is needed (as in compressor heads or dehydrator equipment) in order to assess the possibility of metal fracture, or other failure modes that require a more systematic follow up to include all applicable onesxvi.

2) Testing of electrical protection was done injecting signals directly to the relays, however it was discovered during an audit that the ground conductor and the phase conductor were passed through the Current Transformer hole, rendering useless the whole failure to ground protection which is the most common.

3) For PSV there was no acceptance criteria. Some lessons from the execution phase:

1) Functional capacity might be a source of problems. In the PSV case it was found that the testing bench had not the capacity required to calibrate gas PSV´s, and frequently, the when testing opening/resettin pressure of a gas PSV, the equipment did it that with liquids instead of gases.

2) Talking about PSV´s. 17% of PSV´s, and about 10 % of them were completely out of control, and had not been tested at the corresponding intervals at least in the last 15 years.

3) Some other times, Inspection and Test procedures were carried incompletely. That is the case of pressure vessels. In some plants they had 100% external inspections, but non of them had been internally inspected.

4) Some other times there was not an acceptance critiria. In some other cases, no minimum thickness requirements were established for critical pipes.

However, in a strict sense, what we can say from the above results, is that we cant assure that the audited equipment will maintain its inherent reliability.

CONCLUSIONS It has been shown the value of making MI system audits looking for the quality of the interrelation among MI subelements, in the quality that needs to be instilled in each of them and the information that should be shared among different organizations and PSM, MI phases, elements or subelements. Depending on the development stage of a company, it might be wise that focusing in developing a MI system considering only in maintaining the integrity of all the hazardous materials boundaries or the pressure ones, helps to instill an almost military discipline to the organization, focusing on the most critical tasks to accomplish that integrity. There is no doubt that once the organization is capable of maintaining the integrity of the MI Management system, the vision and experience gained in implementing and sustaining it can be applied towards improving the effectiveness of companies’ assets. i Two Hundred Years of PSM at DuPont. James A. Klein, C. Curtis Clements, and David E. Cummings.Risk Management: the path Forward, 20th Annual CCPS International Conference, April 11-13, 2005. ii Cf. Idem. iii OSHA 1910.119: Stated purpose. This section contains requirements for preventing or minimizing the consequences of catastrophic releases of toxic, reactive, flammable, or explosive chemicals. These releases may result in toxic, fire or explosion hazards iv Cf. API 750 v Cf 40 C.F.R. § 68.3 Definitions. vi This is not to say that O&M personnel shouldn´t participate in the project team. vii Cf RCMII, Reliability Centered Maintenance, John Moubray. McGraw Hill. 1999. viii Please keep in mind that in order to maintain generality, when applying the proposed protocol, natural variations should occur, like if we are talking about electrical matters we might be talking of Control or One line Diagrams, or as in the case of Safety Instrumented Systems we might be talking of Logic and loop diagrams (or equivalent). ix Manufacturig Practices for Business Excellece. Readiness to Operate. DuPont Asset Productivity Team. AR 1999-ENGR-85, Versión 1.

x Brifly stated the scope of the “red service” procedure for spare parts is: to specify, request, purchase, manufacturing and inspection, transporting, receiving, storing, inspecting, install and use of critical spare parts (AQ). xi Handbook on Quality of Reliability Data. Statistical Series No. 4. An ESReDA working Group Report. DNV. 1999. xii DuPont´s Common Maintenance Skills. The underlined procedures are the ones that are PSM related. xiii Appendix B: Common Points of API, OSHA, EPA. Guidelines for Writing Effective Operating and Maintenance Procedures. American Institute of Chemical Engineers. 1996. xiv We might be talking of inspector reports. xv Expanded Risk Based Inspection - Corrosion Operating Windows, Keith F. Briegel, Rohm and Haas Company, CORROSION 2008, March 16 - 20, 2008. New Orleans LA2008. NACE International. xvi API 571