Mobile Navigation

Process Safety Management

View Comments PDF

Implementing an ‘Integrity Operating Window’ Program

| By Russ Davis, Mistras Group Inc.

An effective Integrity Operating Window (IOW) program — which establishes safe operating limits and acceptable limits of process variation before an asset begins to degrade — can help operators stay ahead of potential repairs and reduce risk

A comprehensive asset-integrity management (AIM) program is essential to ensuring process integrity and reducing risk of operations to as low a level as practicable. Historically, these programs are based on a given set of operational parameters that were established during the implementation of the program. To develop these programs, process conditions — such as the various chemical components present in the process streams, temperature, pressure, and flowrates — are analyzed by mechanical integrity (MI) subject matter experts (SMEs). These experts identify the potential damage mechanisms associated with anticipated operating conditions, and help to establish inspection methods and testing frequencies. In the subsequent management of the AIM program, reliability and MI groups rely on these parameters and testing methodologies that were established during the program’s development.

But over time in a process facility, operational parameters change, and the rate of equipment degradation may change as well, causing the asset-integrity program to become ineffective. This can shorten equipment lifespans, raise costs, and greatly enhance potential risk to personnel, assets and the environment.

To maintain the integrity of process equipment in petroleum refining and petrochemical facilities, a comprehensive process safety management (PSM) system is required. Currently, most of these systems are oriented toward a rigorous mechanical integrity program that predicts or prevents failures of pressure equipment. Beyond this, however, the optimal PSM support systems include implementation of so-called integrity operating windows (IOWs; defined below) and management-of-change (MOC) programs, which are designed to monitor and control process variables that can impact the likelihood of failure.

The implementation and management of an effective IOW program is complex. It requires a multi-disciplinary team of engineering SMEs, with advanced knowledge of mechanical, corrosion, reliability and materials engineering disciplines; a multitude of inspection and maintenance services; and plant data-management software to store and trend data over the program’s lifetime. With such a wide range of SMEs and competencies required, operating companies may partner with an experienced third-party service provider with expertise in the full scope of asset-protection solutions, including inspection, engineering, maintenance, condition-monitoring, and mechanical integrity data management software. Through such a partnership, the stakeholders can develop, implement and manage an effective program.


Defining integrity operating windows

As defined by the American Petroleum Institute’s (API) RP 584, integrity operating windows are established limits for process variables (parameters) that can affect the integrity of the equipment if the process operation deviates from the established limits for a predetermined length of time [ 1]. In short, IOWs establish acceptable limits of process variations before an asset begins to incur damage.

The purpose of defining an IOW is to establish, implement and maintain a program to identify any potential damage mechanisms that may adversely affect the process, and then use that information to create a system where parameters can be modified as processes evolve over time. IOWs identify safe operating limits with the express purpose of avoiding equipment degradation that could lead to a loss of containment. The ultimate goal of IOWs is to lower the risk of operating plant process equipment.

Integrity operating windows are typically defined by their criticality. API RP 584 divides IOWs into three categories:

1. IOW critical limit

2. IOW standard limit

3. IOW informational limit

IOW critical limit. An IOW critical limit would be one that, if exceeded, could lead to rapid deterioration of process equipment. A critical limit requires immediate operator action to return the process variable to a predetermined parameter in order to prevent potential equipment damage in a short time frame. An example of a critical limit could be a pH excursion in a process stream, as an extremely low pH could quickly damage pressure equipment and could reasonably lead to loss of containment in a short time.

IOW standard limit. An IOW standard limit is an integrity parameter, which, if exceeded over a specific time frame, could cause increased corrosion rates or eventually lead to cracking or other damage to materials of construction. Standard limits are typically very time-based, in that the time required for equipment to be adversely impacted generally defines the response to a standard limit IOW. The consequence of damage to the equipment associated with the IOW will also influence an SME’s response to the parameter being exceeded. An example of a standard limit IOW could be an elevated temperature on a heater tube skin, which could lead to tube failure over time.

IOW critical limit. IOW informational limits are generally used by SMEs to predict the long-term integrity of equipment, or to analyze impact on the asset-integrity program. Informational IOWs are parameters that may or may not be affected by operations. These IOWs do not typically require operational responses but may be utilized to assess future repairs of turnaround and shutdown frequencies. Informational IOWs can be used to evaluate the process assumptions used to establish risk-based inspection (RBI) programs. An example of an informational limit would a temperature rise due to process creep, which could indicate to facility operators that the parameters that were defined during the AIM program development are misaligned with current operating processes.

These terms vary across companies and industries. Critical limit IOWs may also be referred to as safe operating or safety critical limits. Standard limit IOWs have been referred to as key operating limits or reliability limits, and informational limit IOWs may also be referred to as corrosion control limits, depending on the industry in which they are used.


IOW program-development overview

Step 1. The first step to developing an IOW program is to identify all potential damage or corrosion mechanisms that may adversely impact the process equipment. A diverse team of engineers will evaluate the operating parameters of each process condition to understand their potential corrosivities, and will evaluate their impacts on equipment materials of construction. The SME team will develop a damage or corrosion map, which will be used again later to evaluate what indicators are currently provided to detect exceedance of an IOW limit. SMEs can then define the IOW limits for each damage mechanism.

Step 2. After all damage mechanisms have been identified, the consequence of failure and the likelihood of failure need to be analyzed and understood. Consequence of failure data can be gathered from process hazard analysis (PHA) data or by consequence modeling. The equipment failures are then risk-ranked.

Step 3. The third step in IOW program development is typically an evaluation of alarms, indications, and procedures necessary to recognize exceedance of the IOW limit.

Step 4. Step four is to define the criticality of the operating limit and define the priority of the IOW limit. This is where SMEs determine whether the IOW is critical, standard or informational.

Step 5. The next step is the documentation of each IOW, and the development of proper responses to IOW alarms and notifications. Procedures or work instructions should define the roles and responses necessary to return the process to a reliably safe state, or to further assess the response to limit exceedance, depending on criticality.

Step 6. After IOWs and procedures have been properly documented, all personnel involved in the process operation must be trained in IOW implementation and timely responses to IOW indicators and alarms.

Step 7. Step seven is integrating the IOW program into the rest of the plant operations, maintenance and reliability programs, and plant data-management software. This is an essential step, to ensure that IOW program procedures are being uniformly practiced throughout a facility, and that any change to a process parameter is being catalogued alongside the rest of the facility’s integrity data.

Step 8.Finally, the last step to an IOW program is the revalidation of the IOWs, which consists of reviewing each IOW for effectiveness and avoidance of spurious alarms and notifications.


Damage or corrosion analysis

A comprehensive analysis must be performed by an engineering team with knowledge of the relevant processes, operating parameters, corrosion analysis and damage mechanisms. This team assesses potential damages that can adversely affect the equipment based on the material of construction. They will also assess the operating parameters of process conditions, such as temperature, stream constituents, pressure, vibration, abrasiveness and more. Once the team has identified potential corrosive streams and the equipment materials of construction, the limits associated with the damage mechanism are identified. The team may have an output report such as that shown in Figure 1.

FIGURE 1.  Damage mechanisms are established to identify the key controllable monitoring parameters, or variables that can be effectively adjusted to bring the process back within safe operating limits (*SCC = stress corrosion cracking; PWHT = post-weld heat treatment)

FIGURE 1. Damage mechanisms are established to identify the key controllable monitoring parameters, or variables that can be effectively adjusted to bring the process back within safe operating limits (*SCC = stress corrosion cracking; PWHT = post-weld heat treatment)

Once the potential damage mechanisms associated with the various process systems and limits have been identified, these data can be depicted on plant process flow diagrams (PFDs), such as the one shown in Figure 2. Process flow diagrams typically contain all major pieces of process equipment, identified by a unique number; all process flow streams, identified by a number and their chemical compositions; and control loops, or groups of equipment and piping with similar materials, operating conditions and degradation mechanisms.


FIGURE 2.  As shown in this sample process flow diagram,  process flow streams and control groups are often color-coded in accordance with the colors assigned to them on the damage-mechanism analysis table shown in Figure 1

FIGURE 2. As shown in this sample process flow diagram, process flow streams and control groups are often color-coded in accordance with the colors assigned to them on the damage-mechanism analysis table shown in Figure 1

Risk ranking

Risk profiles should be developed for each equipment item that has a potential influence on process safety. The risk-ranking process consists of analysis of the consequence of failure, and the probability of failure for the equipment within each system. Consequence-of-failure data may come from process-hazard analysis (PHA) data or consequence modeling, and analysis may be performed as an element of the risk assessment. Once a risk analysis is completed, ranking can be performed and the risk rank associated with each system or subsystem can be documented.

The risk-ranking data will be used to categorize the IOW limits, as shown in Figure 3. High-risk events will require a Critical IOW. Events with medium risk may require a Standard IOW, and low-risk events may be categorized as requiring an Informational IOW only.


FIGURE 3.  Risk-ranking data can be used to categorize the IOW limits, as shown here. High-risk events will require a Critical IOW. Events with medium risk may require a Standard IOW, and low-risk events may be categorized as requiring an Informational IOW only

FIGURE 3. Risk-ranking data can be used to categorize the IOW limits, as shown here. High-risk events will require a Critical IOW. Events with medium risk may require a Standard IOW, and low-risk events may be categorized as requiring an Informational IOW only

Evaluating alarms

By understanding the limits associated with potential damage mechanisms that may affect the equipment, SMEs can perform an evaluation of what alarms, alerts and notifications will be required for operations, reliability and mechanical integrity groups to recognize exceedance of an IOW limit.

Alarms are the typical indicators for critical limit IOWs, usually coming in the form of horns and flashing lights in the control room to denote that immediate action must be taken. Alerts and notifications can span from visual or audio signals to simple emails to operations and technical personnel, informing them that an IOW has been exceeded but without any urgent need for time-sensitive action to be taken.

The engineering team typically assesses process parameters such as the following:

  • Temperature
  • Pressure
  • Flow
  • Stream constituents
  • Water content
  • Chlorides
  • Sulfur
  • pH


Defining the IOW criticality

At this step, operators must determine IOW criticality limits and priorities, depending on potential damage severity and the expected time constraints before serious damage occurs.

  • Critical IOW — An alarm requiring a timely response by a facility operator or SME to bring the process back within IOW parameters
  • Standard IOW — Typically includes an alert to operations personnel and to the reliability SME. Standard IOWs usually have a timeframe associated with them. If an integrity limit is exceeded for a set time, equipment will suffer damage
  • Informational IOW — Information conveyed from field-gathered data to the reliability SME. This information may require changes to the RBI assumptions, frequency of inspection, or nondestructive evaluation (NDE) methodology considerations


Documentation and training

Just like every other aspect of a process safety program, documentation is critical. The IOW program must include documentation of each IOW and the proper response to IOW alarms, alerts and notifications. This information should be incorporated into the facility’s operating procedures as well as reliability program documentation.

Once all necessary IOW information has been documented, the facility must properly define the roles and responsibilities for operations, engineering, reliability and mechanical integrity personnel. All of this information should be proceduralized, and all responsible personnel should be trained in IOW implementation and the proper, timely response to IOW alarms, alerts and notifications.


IOW integration

The IOW program must be fully integrated into the plant’s operations and maintenance, reliability and mechanical integrity programs, and engineering processes. Changes in feedstock, temperatures and flow characteristics that impact individual assets can have an impact on the entire asset-integrity program. It is critically important for a facility to fully understand the information returned from the IOW program and to recognize the effects that changes in one process parameter can have on other equipment, as this information should inform operations from purchasing all the way through post-production.

This step can be time-consuming and meticulous. In order to maximize its effectiveness, an IOW program must be as integrated into plant operations as possible. Utilizing a comprehensive mechanical-integrity data-management software program, in which inspection, corrosion, and integrity data, MOC activities, RBI management and more are stored, organized, trended and analyzed — helps to ensure that IOW program data are centrally located and consistently updated.


Closing thoughts

Getting the longest, safest reliable life from each equipment component in the plant is critical to the profitability of any chemical process operation. Process safety is an evergreen management program, and changes that affect the program design must be monitored and properly responded to in order to maintain a risk rate that is as low as practicable.

When process changes occur, the asset-integrity group may not always be informed, or may be using an outdated frame of reference from the program’s original development. For example, a slight temperature elevation can raise a corrosion rate significantly. Changes in sulfur content in a crude stream can lead to sulfidation damage in areas the MI group had not anticipated.

The key for any facility is to control these variables before they start harming equipment and people. An effective IOW program — one that is fully integrated into plant processes, and implemented and managed by properly trained personnel — helps facilities to be informed when variables become unsafe, and lets them know the actions that must be taken to quickly reduce risk. An integrated IOW program is an essential component of any mechanical integrity program. ■

Edited by Suzanne Shelley



1. American Petroleum Institute, Integrity Operation Windows, RP 584, 1st Ed. May 2014.

2. Center for Chemical Process Safety (CCPS), Guidelines for Asset Integrity Management, John Wiley & Sons, Inc., Hoboken, New Jersey, 2017.


Russ Davis, CSP, is the National Asset Integrity Management Services (AIMS) & Mechanical Integrity (MI) Center of Excellence Manager for MISTRAS Group, Inc. (4000 Underwood Rd., La Porte, TX 77571; Phone: 281-478-1636; Email: [email protected]). Davis has several decades of experience in program design and implementation in the mechanical-integrity and asset-reliability industries. He has extensive experience in process safety management (PSM) and hazard assessment and consequence analysis. Davis has also served as both an internal and external consultant, directing the implementation of MI programs for companies throughout the global CPI.