What is meant by the term “critical utilities” when used in context with process safety?  I like to define the term as any utility that plays a safety role within the covered process.  Probably the most common “critical utility” is the use of nitrogen within a flammable liquid process, where nitrogen is used for blanketing tanks, inerting flammable atmospheres, blowing lines, etc.  But there are many others, some we may not even think of as a utility.  But this article is about the level at which we should be managing these utilities and OSHA's minimum expectations.

I guess the easy way to identify a critical utility is to review a Process Hazards Analysis (PHA).  Any utility that is claimed to be a “safe guard” within the PHA would most certainly be considered a critical utility.  And trust me when I say this, OSHA/EPA will use your PHA to identify components that need to be in a mechanical integrity program other than the components that actually are in contact with the HHC/EHS. 

But here are a few other scenarios we may wish to consider…

Electricity is often over looked as a critical utility as we have gotten so used to it being available.  But what if we lose electricity – what is the consequence?  If there is no EHS consequence, then it is not a critical utility; however, we have to view these consequences in two different modes.  First, will the loss of electricity initiate an unplanned event involving our process and second, will the loss of electricity cause one of our safety systems that are in place to PREVENT, PROTECT, or MITIGATE the outcomes from the unplanned event to fail.  For example, some batch processing plants have serious consequences with loss of electricity while in the middle of a batch.  With the loss of power, they lose their agitators in their reactors, as well as their cooling water pumps; which are very serious when the process involves chemical reactions with runaway potential!  In some plants, the loss of electricity will result in the loss of emergency ventilation of critical areas.  So we have to look at our utilities in different modes to determine if they are indeed “critical” to process safety.

As I stated earlier, Nitrogen is probably the most common critical utility used within PSM/RMP processed.   Nitrogen also falls under my personal category of a “hazardous utility”, which in my book gets treated as a “critical utility” merely because of the hazard it presents to workers.  When we look at nitrogen with our process safety glasses on, we see a tremendous aid in helping to improve process safety; however, when we look at nitrogen with our personnel safety glasses on, we see a tremendous hazard to workers.  Many accidents have occurred because we did not have 20/20 vision when assessing the risks of entering confined spaces where nitrogen is used!!!

Compressed air can be a critical utility!  We do not see this type of design much anymore, but if a valve within a safety system is to close via an interlock and this valve is closed using compressed air, then our compressed air system is now a critical utility.  I would HIGHLY RECOMMEND that if you still have this type of set up that it be modified ASAP.  Using a “fail-safe-close” valve that is held open by air has a MUCH HIGHER SIL than the other design where we rely on compressed air to close the valve.  Basically, with a fail-safe-close valve, the valve wants to close all the time, but is held open by compressed air.  The interlock will cause the loss of air pressure and the manual spring will close the valve.

Fuel to a safety system could be a critical utility!  This could include diesel fuel to a fire pump or a flammable gas to a flare system (either the pilot or as a feed stock to burn the material being sent to the flare). A tip, anytime we have a flammable material (liquid or gas) in close proximity to our covered process, this needs to be closely evaluated!  There are many scenarios where not only loosing the utility’s function can cause problems, but loss of primary containment of the flammable material can initiate/contribute to a process safety event so regardless if we determine it to be “critical” or not, the utility may end up having to be managed as a “critical” utility or some may even say the utility is a “covered process” via OSHA’s definition of a “process” in which they state…

Process means any activity involving a highly hazardous chemical including any use, storage, manufacturing, handling, or the on-site movement of such chemicals, or combination of these activities. For purposes of this definition, any group of vessels which are interconnected and separate vessels which are located such that a highly hazardous chemical could be involved in a potential release shall be considered a single process. 

So there are four examples of a “critical utility” within a PSM/RMP covered process.  But what does this actually mean to a facility that has a “critical utility”?  In flat out terms, it means we have another “covered process”.  Yes, it is my opinion – from a process safety aspect as well as compliance, that these critical utility systems meet the same criteria as the covered process it’s self.  Now I am not saying that all 14 elements of PSM will apply directly to the critical utility, but there will be MANY elements that will fully apply.  Looking at this through a process safety lens we have treat these systems just like our covered process.  In this spirit we need to:

• Establish the design parameters of the system(s) to ensure it will serve us in our worst case scenario (not the RMP WCS, but our design worst case). 
• Establish the safe upper and lower limits for the utility; ESPECIALLY if the utility itself has hazards associated with it (e.g. nitrogen, flammable gases, etc.). 
• Include the utility and study the consequences of “loss of the utility” in the PHA(s) it is associated with.  Include in this analysis the methods of loss of the utility (e.g. include in your facility siting to ensure that the utility is protected from vehicle damage).  Often times these utilities are generated or stored in a central location and travel great distances to its point of use.  In between the source and point of use there are often flaws in the design or siting.  How many have considered a BLEVE threat to their liquid nitrogen storage tank?
• Develop SOPs for the operation of the utility generation/storage and delivery system so that personnel can fully understand how to operate the system. 
  • Establish the consequences of deviation for the safe upper and lower limits of the system, with the steps to avoid/correct these deviations
    • Even include triggers for when the critical utility is outside its safe upper/lower limits that would initiate a shutdown of the covered process.  Yes - you read that correctly!  There are some processes that we work with, that when they lose their critical utility, the risk increases to a level that is unacceptable to the business and they will begin to shutdown their process, usually a normal shutdown; however, if the loss of the utility triggered some other deviation that would trigger an emergency shutdown, then they would utilize their emergency shutdown procedures.
• Ensure the utility system SOPs are trained on at least every three years, or more often if needed.
• Include the design, operation and maintenance of the utility within the scope of your Management of Change procedures.
• Include the utility within your Pre Start-Up Safety reviews.
• Include the utility storage and delivery systems in your Mechanical Integrity Program; this is especially true if the utility has properties that could impact the covered process in a negative way (e.g. LOPC of the flammable gas utility in close proximity to the covered process).
  • This could include safety systems associated with the utility (e.g. relief valves, safety interlocks, level control, etc.)

From OSHA’s viewpoint

So far everything I have shared with you regarding critical utilities is just good “process safety” practices.  But OSHA has a compliance position regarding “critical utilities” and although they do not provide as much detail in their expectations, they do agree with the concept.  In 2008 OSHA published a letter of interpretation which stated…

… it is OSHA's position that if an employer determines that a utility system or any aspect or part of a process which does not contain an HHC but can affect or cause a release of HHC or interfere in the mitigation of the consequences of a release, then, relevant elements of PSM could apply to these aspects. OSHA's position is that any engineering control, including utility systems, which meets the above criteria must be, at a minimum, evaluated, designed, installed, operated (training and procedures), changed, and inspected/tested/maintained⁴ per OSHA PSM requirements…

If an employer determines, through a PHA, that a component failure of a utility system can no longer affect or cause a release of HHC or interfere in the mitigation of the consequences of the release, then, the utility system, at that point, would no longer be considered part of the covered process. If an employer makes this determination, then, the employer must be able to proactively demonstrate why the utility system is no longer part of the covered process. 

If the employer takes credit for other credible safeguards in the process, which will prevent and mitigate a release of an HHC in lieu of the subject utility system, then, they must assure that those safeguards are adequate. For example, an employer determines, through its PHA, that its electrical utility system needs to be relied upon for the safe operation of their covered process. In response, the employer determines that an uninterruptible power supply (UPS) would be a safeguard against the loss of electrical utility to the process equipment. With respect to this example, one scenario the employer would need to account for would be the need to assure that the on-site electrical distribution system, from the main power supply and the UPS, would not be compromised by an explosion or some other reason. In this case, if the electrical utility cannot function to safely operate the process because the electrical distribution system is compromised, the UPS safeguard would not be a credible safeguard for the process. Again, for aspects which do not contain HHCs, OSHA expects those other credited safeguards would, at a minimum, be evaluated, designed, installed, operated (training and procedures), changed, and inspected/tested/maintained per OSHA PSM requirements. 

OSHA also makes mention of how a facility needs to include “utilities” within their process safety program in the Refinery PSM NEP.  Now before you skip down a few lines since you do not work at a refinery – BE CAREFUL, because the same rationale used in the Refinery PSM NEP will be used at your XYZ Process!!!  In the Refinery PSM NEP, OSHA states…

Listing of all sources of overpressure considered (API STD 521, Sections 4 and 5 contain examples of information on various sources of overpressure including utility/power failure – steam, electric and others (See Section 4, Table 1 – Possible Utility Failures and Equipment Affected); external fire; cooling water loss; failure of automatic controls; check-valve malfunction; etc.);

In this context OSHA is showing how the loss of the utility MUST BE considered in your Relief System Design Basis, an entirely different angle than I have discussed in this article, but a critical point to be made!

ESP [emergency shutdown procedures] are usually warranted during events that may include, but are not limited to, the failure of process equipment (e.g., vessels, piping, pumps,etc.) to contain or control HHC releases, loss of electrical power, loss of instrumentation or cooling, fire, explosion, etc. When EOP [emergency operating procedures]  do not succeed during upset or emergency conditions in returning the process to a safe state, implementation of an ESP may be necessary.

In this context OSHA is showing how the loss of a utility must be incorporated into our SOPs.

This entire topic can be wrapped up in a simple analogy.  If we expect a critical utility to function within our covered process, then we must take steps and measures to ensure it will do so.  In essence we are using the same methodology to ensure our utility function as we have been using to ensure our HHC/EHS stays within its cage!