H. Helle / ICPVT-13

Integrity management beyond RBI

H.P.E. Helle*
CorrosionControl.Nu, Mauvestraat 5, 2596XN Den Haag, Netherlands

Abstract

RBI is an integrity management method based on a quantified probability of failure. Failure is the top-event of
the failure hazard. Is it feasible to make remotely quantitative predictions about the likelihood of top events?
Is it not more effective and accurate to analyze and monitor the root causes of the hazard? This paper
examines the basics of RBI and concludes it is a flawed method that cannot possibly deliver on its promises of
increased efficiency and safety. As an alternative an outline is given of an integrity management system based
on a comprehensive aggregate of corrosion management techniques.

Integrity management; RBI; API 581; IOW;

Background

Subsea production facilities, nuclear installations and low pressure cryogenic storage vessels are routinely left
in service permanently without examination of the internal surfaces. All this for different but very good
reasons. But if those reasons were applied more widely, numerous other pressurized systems in 'clean and
non-corrosive' service would qualify for uninterrupted service. On the judgment of a risk-based inspection (RBI)
assessment, however, this would not be allowed, especially if the consequences of failure are high. This
inconsistency has been the basis for a study of the logic of RBI and the reasons that it nominates equipment
with a stable and low rate of corrosion and a technical life prediction of thousands of years for periodic
internal inspection.
Small companies struggle to maintain the level of competence to make sound integrity management decisions.
RBI is supposed to alleviate that problem by guiding the less experienced technician through the decision
process towards effective and efficient integrity management. Does it really fulfil that role?

History of RBI
Internal inspection of pressure vessels was the first integrity management tool. In western Europe, since the
middle of the 19th century, legal requirements came into place that required the supervision of the technical
safety of steam boilers in order to reduce the number of accidents. The law nominated statutory authorities,
independent or semi-independent organizations, to execute this supervision. In the Netherlands, for instance,
the "Dienst Stoomwezen"; in Germany the "Dampfkessel-Überwachungs-Vereine" (DÜV), later changed to TÜV.
These organizations held a prominent place assuring the safety of steam boilers and in the 20th century of
other pressure vessels as well. The mainstay of their work was internal inspection, and the inspection interval
was prescribed by law. By the 1990s, however, it was obvious to everyone that the uniformity of the
requirements was not rational. First, because technical progress and science made the phenomenon of
degradation increasingly rare and predictable; second, because the lengthy stops that were needed to
accommodate the internal inspections were increasingly disruptive to commercial operation. Around that time
a new methodology was conceived to prioritize inspection (I believe this was by Tischuk), and this method
was presented to the statutory authorities as a rational basis for a more flexible statutory inspection interval.
This method was the start of the Risk Based Inspection method.

In Europe, intervals between visual internal inspections are still prescribed and regulated, but there is now
some leniency. In the Netherlands the interval from the first inspection after four years' service to the second
inspection can be extended to a maximum of eight years on the basis of an RBI assessment and then 12 years if
a non-destructive examination is carried out. Italy requires internal and external examination after a maximum
of 10 years. The UK has a different regulatory regime. The equipment owners are responsible for assessing
the risk and for planning appropriate inspection under the control of a Competent Person [1].
In the USA the regulatory requirements for the inspection of pressure vessels and equipment are largely
determined by state jurisdictions. The National Board of Boiler and Pressure Vessel Inspectors exists to
promote greater safety through standardization of methods and practices of construction, repair, maintenance
and inspection for new and existing equipment. The National Board Inspection Code is an American National
Standard for inspection, repair and alteration of boilers and pressure vessels and is legally enforceable in a
number of states.
The American Petroleum Institute (API) is an industry body representing the interests of the oil and gas
upstream and refining sector in the US. One of its objectives is to share and promote good practice and
common standards across the industry, and to this end it publishes data, recommended practice and source
documents. Its technical committees largely comprise representatives of the major companies operating in this
sector.
API has been active in developing methods and procedures for applying risk-based inspection. A base
document for RBI was published in 1996, and revised in 2000 as API 580 [2]. Recommended practice for
implementing RBI followed as API 581 [3]. The use of RBI as a means to set inspection intervals and decide
the need for internal examination was subsequently incorporated into API 510[6].

Current RBI systems


The process industries are deeply committed to delivering responsible care for the safety of the community and
its workforce. In that respect, the regulators and statutory authorities tend to be followers rather than leaders.
The remarkable thing about RBI is that it derived its initial success from its role in convincing the statutory
authorities that extending the internal inspection interval is a responsible decision. Although it is a flawed
compromise to demonstrate accountability with regard to pressure vessel safety, RBI is now being applied
worldwide, also in countries where there is no statutory inspection and no obligation for internal inspection
per se. Its success is so overwhelming that the term RBI is being used in other fields as well, for instance
education and food-safety, albeit with different methods.
RBI is normally implemented under the control of a dedicated RBI software package that calculates the risk
equation
RoF = PoF * CoF.
The software ranges from a basic spreadsheet to a comprehensive program, but the underlying methodology is
one of two somewhat different approaches.
The first approach, of which the API 580/581 method is the main user, is highly quantitative, almost entirely
pre-programmed and requires little or no engineering judgment. The program asks for data and, with that input,
risk is calculated to the penny. As was argued in an earlier paper [4], this method is based on a number of
serious misconceptions and as a result the calculated probability of failure (PoF) is entirely meaningless, and
the calculated 'Risk of Failure' equally so.
The second approach is different in the sense that the probability of failure (PoF) that appears in the risk
equation RoF = PoF * CoF is not derived from input data but from a subjective assessment of remnant life
through:
- the susceptibility to degradation and the degradation rate. DNV's RP G101 uses actual data or
  conservative estimates and acknowledged degradation models;
- the detectability of degradation; and
- the confidence in the assessments.

If properly executed these methods should give a fair estimate of the remnant life. But, in the vast majority of
cases this remnant life is orders of magnitude larger than the economic life of the plant. Also, remnant life
generally considers the loss of the corrosion allowance. Although equipment may no longer be fit for purpose
at that point, a failure by loss of containment is not at all imminent. In other words, remnant ffp-life and
time-to-failure are only very loosely linked. Moreover, if remnant life can be determined with any degree of
accuracy, failure becomes a highly unlikely possibility.
The Consequence of Failure (CoF) is calculated more or less in a comparable manner in all programs: the
direct financial losses, the environmental consequences and the injuries due to a failure are calculated
separately and an aggregate or the worst of the three is used. Some programs offer extremely sophisticated
consequence assessment tools, where others are more basic. Given the inherent inaccuracy of PoF, however,
there cannot be much benefit in a highly accurate CoF.

Risk is elusive
Both RBI methods, either based on calculated PoF or on remnant life, suffer from the same three flaws: first,
the pretension that 'risk of failure' can be truthfully assessed; second, the notion that the focus must be on
failure rather than on 'unmanaged degradation'; and third, the notion that periodic internal inspection is a vital step in
failure prevention. Seen in a historical perspective, these notions are understandable. For well over a century,
failures were common, unexpected, poorly understood, and internal inspection was the only means available
to prevent them. Also, it must be recognized that the insight gained through internal inspection has been the
basis for the reliability of the industry today.
Risk, however, is an elusive thing, in particular the probability part. In order to estimate the risk of events
with grave or catastrophic consequences a credible assessment of the probability of the event must be
available. However, when the degradation process and its potential rates are known the probability of
failure by that degradation process drops to nil, since the safe-life of the equipment can be assessed or
degradation monitored with considerable accuracy. The very assumptions that RBI is based upon make a
failure less likely. Reason: the very moment one considers the issue for a given item, its value changes
because causes, effects and, ultimately, remedies are being considered. Therefore, the value of 'probability of
failure' (PoF) is paradoxical and difficult to quantify.
Failure analysis often shows that the responsible failure-inducing degradation processes were not known, not
monitored, and often the result of equipment or process changes. Degradation progressed unnoticed, often at a
considerable rate. The probability of failure by such 'stealth' events can be higher in some environments than
in others. Still, after the fact, people often realize that the signs of something being wrong had been there.
Many new inspection and monitoring technologies have been developed over the years: radiography,
ultrasonic thickness measurements, in-situ materials identification, on line analysis, corrosion monitoring,
plus a deep understanding of the effects of the chemical and physical process conditions on degradation.
These new technologies allow a more varied, proactive and effective approach to integrity management: the
control of threats and root-causes rather than the reduction of a synthetic 'risk of failure'.
Admittedly, this is a highly deterministic approach. It implies that all potential threats and their management
are known and that a random search for unknown or overlooked degradation through internal inspection or
random high density UT-measurement can be abandoned. This is a rupture from tradition, but justifiable for
three reasons:

- Unknown 'new' forms of degradation are extremely rare. In the last half century about six new
  cracking mechanisms have occurred. Most were detected after failures, despite internal inspection.
- 'Overlooking' known degradation mechanisms is unnecessary. For all but entirely new processes
  comprehensive degradation descriptions are available.
- Internal visual inspection and manual UT-measurements are poorly controllable and very inaccurate
  tools respectively and an insufficient basis for integrity management.

Management of corrosion threats


Consider that the elusive 'risk' concept is abandoned, and that the risk matrix is simplified to a dichotomy
between 'fix-on-failure' and 'manage-all-threats'. The division would be determined by cost: where the cost
of corrosion management over the life of the equipment exceeds the cost of a single failure, it would be the
former; otherwise, the latter. In practice this means that the majority of failures is unacceptable. All potential
integrity threats to the equipment thus selected are managed.
Degradation registers give the nature of the degradation, probable location, areas of vulnerability, materials
factors and parameters, all based on theory and experience. Each identified degradation threat would require
the following information, in order to be manageable:
- The possibility of a detectable degradation must be established. Without the guidance of a credible
  degradation description, inspection programs are unfocused searches for unknown features.
- The most effective technique(s) to detect or control an identified potential degradation should be used [5].
- The rate of degradation must be known and sufficiently low to allow detection at reasonable inspection
  intervals, unless permanent, continuous monitoring devices can be effectively applied.
- The locations of degradation must be sufficiently predictable to enable focused inspection.

What if the degradation register is incomplete? Large scale non-intrusive inspection can be effective against
an 'unknown' form of cracking or loss-of-thickness, which is, by any measure, an extremely remote
possibility. On the other hand, it must be stressed that a missed degradation threat, due to ignorance or
misunderstanding, is a valid threat. Some process environments are simply too complex or too new or too
unpredictable to be confident about. In those cases, internal inspection is the default corrosion management
method.

Specification and Compliance


What threats are there? Ultimately, there are only two types of threats:
1. Specification Deficit: a critical quality was not specified
2. Compliance Deficit: a specified quality was not delivered

Management of these threats requires a constant alertness of personnel involved. Do our specifications meet
the needs? Do they exceed the needs? Have the specifications been met? Are the specifications being met? In
integrity management, specific tools that should be used to repair either of the two deficits include:
- Full awareness of the state-of-the-art and the relevant specifications.
- A register of degradation-critical process parameters or Integrity Operating Windows (IOWs) and their
  safe limits. Define and uphold IOWs, including off-design & start-up.
- Internal and external corrosion monitoring tools installed on selected susceptible locations.
- Formation of multidisciplinary integrity-assurance teams that review the system, and evaluate
  unusual occurrences and non-compliances in the plant.
- Suitable non-intrusive inspection (N.I.I.) for identified threats. Monitoring of thickness requires
  adequate resolution.
- Periodic internal inspection during planned shutdowns or unplanned opportunity internal inspection
  with the purpose to verify the predicted corrosion features and patterns.
- Potential and actual degradation mapping and recordkeeping.
- Degradation signal identification and monitoring.
- Effective failure and anomaly analysis.
- Dedicated & effective corrosion monitoring and chemical analysis.

In addition, management of these threats (an activity that used to be called 'corrosion management') is a
formalized method rooted in management of change (MoC) and a data collection and processing management
system.
Finally, integrity management must be carried by a broad multidisciplinary team with a mandate to challenge,
review, audit, instruct and sanction.

References
[1] TWI and Royal & SunAlliance Engineering: “Best practice for risk based inspection as a part of plant
integrity management”. Report prepared for the HSE. 2001
[2] API Recommended practice 580 “Risk-based inspection”, 1st ed. May 2002
[3] API Recommended practice 581 “Risk-Based Inspection Technology”, 2nd ed., Sep. 2008
[4] H.P.E. Helle: “Five fatal flaws in API RP 581” NACE 13th Middle East Corrosion Conference, Bahrain,
2012
[5] Det Norske Veritas: “DNV-RP-G103 Non-Intrusive Inspection”, Jan. 2011
[6] API 510: Pressure Vessel Inspection Code, 8th Ed., American Petroleum Institute, 1997

© CorrosionControl.Nu BV