Facility siting under the OSHA PSM Standard 29 CFR 1910.119 (e) requires companies to evaluate the location of workers with respect to the hazards of the process and provide adequate protection. Facility siting studies use mature techniques to evaluate vapor cloud explosion hazards (blast effects), fire hazards (thermal radiation effects) and toxic gas hazards. The goal is to provide occupants of process plant buildings with adequate protection from these hazards. Historically, this has required relocation of process plant buildings, blast hardening of control buildings, or de-manning buildings.

Industry norms API RP 752 and RP 753 guide the user on how to analyze hazards to process plant buildings and their occupants. By convention the facility siting analysis is either consequence-based (the MCE approach) or risk-based (the QRA approach). The hazard / risk analysis serves as a vehicle to calculate the critical loads on buildings, which are then subject to a building damage assessment and occupant vulnerability analysis. Buildings that do not perform adequately (as measured against siting criteria) are then subject to further evaluation and possible corrective actions to reduce hazard / risk to building occupants.

The most common method is to analyze the Maximum Credible Event (MCE), which is a hypothetical release resulting in an explosion, fire or toxic event that has the potential maximum consequence to the occupants of the plant building. In order to qualify as an MCE, a major hazard scenario must be credible and have a reasonable probability of occurring considering the chemicals, inventories, and equipment design. There are resources to guide in the determination of an MCE, but credible MCEs are typically:

  • Mechanical Integrity (MI) failure causing leak from process equipment and piping
  • Rupture of small-bore piping
  • Pump / compressor seal failure
  • Gasket failure
  • Transfer hose / flexible connection failure
  • Loss of containment from operational activities such as filter changing
  • Process upsets such as overfilling, overpressure, embrittlement etc.

MCEs are credible events, but not necessarily worst-case events, which are of a higher severity. Instrumentation & controls can be effective in reducing the likelihood of MCEs and worst-case hazards. So, the question becomes: what is the role of instrumentation and controls in facility siting analysis and, more broadly, in protecting building occupants?

Maximum Credible Event (MCE) Approach

There is no simple answer to what qualifies as “credible” or “maximum” under MCE rules, but safety instrumentation can be impactful to this determination. What is clear is that instrumentation cannot eliminate the possibility of a major release; mechanical failures are credible and can only be prevented through proper ongoing mechanical integrity inspection & testing programs. However, functional-safety can be improved through proper application of safety-critical instrumentation & controls, and this can result in reduced chance of a major hazard event (reduced likelihood) and possibly even mitigate the severity of the event.

Process upsets are highly credible, and instrumentation typically can respond with indications, alarms, and automated response to return the process to normal operation or effect a shutdown. However, engineers have taken a cautious view of crediting instrument response to prevent a major accident. For example, the ASME Boiler and Pressure Vessel (BPV) Code historically has disallowed consideration of instrument response in determining the emergency relief sizing basis. Only recently have allowances been made under UG-140 (b) to allow safety-critical instrumentation to reduce the design basis load. Similar allowances have been introduced into industry norm API 521 for sizing the relief and disposal system. Following a similar historical arc, API RP 752 allows for instrument response, either in reducing the severity of the MCE or in the conduct of a QRA.

Quantitative Risk Analysis (QRA) Approach

If the MCE option provides results that are deemed overly conservative, RP 752 allows for the QRA option to evaluate hazards, vulnerabilities, and risks to building occupants. This option is even more sensitive to credit taken for safety-critical controls.

Use QRA and Event Tree Analysis (ETA) to evaluate the benefit of safety-critical instrumentation in mitigating the hazard severity:

  1. VCE/Blast Hazards: Reduction of ignition probability based on early detection of gas and electrical de-energization.
  2. Toxic Hazards: Detection of gas at the HVAC air intake and sheltering in place during a toxic gas release.
  3. Fire / Thermal Radiation Hazards: Detection of fire/flame and application of fire suppression to minimize the fire intensity.


Facility Siting studies are powerful tools to assist in critical decisions on how best to safeguard building occupants. In using either the MCE method or the QRA method, there are decision points on how to credit safety-automation equipment.

If you plan to use safety automation equipment to reduce the magnitude of a postulated MCE or the risk using QRA/ETA, then consider the following guidance:

  • Instrumentation and controls should be subject to mechanical integrity inspection and testing.
  • The effectiveness of instrumentation and controls in reducing the scenario likelihood should be evaluated using Process Hazards Analysis (PHA) and Layer of Protection Analysis (LOPA).
  • To eliminate a scenario as a candidate MCE, safety automation equipment should reduce the probability of a hazard scenario to below the tolerable risk target for protection of building occupants.
  • Instrumentation and controls should be designed to industry standard ANSI/ISA 61511-2018 and verified to achieve the target Safety Integrity Level (SIL).

Make sure you conduct PHA-LOPA before beginning a facility siting analysis. Identify process upsets that can lead to major hazard events. Design safety automation equipment to reduce the probability to an appropriate tolerable risk target for major accident hazards (typically 1E-5). This provides a solid technical basis to eliminate these hazard scenarios from consideration under either the MCE or the QRA approach.
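The two calculations described above, the LOPA screening against a tolerable risk target and the event-tree (ETA) credit for gas detection reducing ignition probability, as an added worked example that is not from the original post and not a Kenexis tool. Every frequency, PFD and ignition probability is a constructed assumption; the SIL bands are the IEC/ISA 61511 low-demand PFDavg bands.

```python
"""LOPA screening plus an event-tree credit for gas detection in a
facility siting study. Added example; all numbers are constructed."""

TOLERABLE_TARGET = 1e-5  # the "typically 1E-5" target quoted in the text

# IEC/ISA 61511 low-demand PFDavg bands, checked from SIL 1 downward:
# SIL 1: 1e-2 <= PFD < 1e-1, SIL 2: 1e-3 <= PFD < 1e-2, SIL 3: 1e-4 <= PFD < 1e-3
_SIL_BANDS = ((1e-2, 1), (1e-3, 2), (1e-4, 3))


def mitigated_frequency(initiating_freq, ipl_pfds):
    """LOPA: initiating-event frequency times the PFD of every independent
    protection layer that must fail before loss of containment occurs."""
    f = initiating_freq
    for pfd in ipl_pfds:
        f *= pfd
    return f


def required_sil(initiating_freq, ipl_pfds, target=TOLERABLE_TARGET):
    """SIL a new SIF must achieve so the scenario falls below the target and
    can be dropped as a candidate MCE. 0 means no SIL-rated SIF is needed;
    None means even SIL 3 is not enough (redesign, not instrumentation)."""
    pfd_needed = target / mitigated_frequency(initiating_freq, ipl_pfds)
    if pfd_needed >= 1e-1:
        return 0
    for lower_bound, sil in _SIL_BANDS:
        if pfd_needed >= lower_bound:
            return sil
    return None


def vce_frequency(release_freq, p_ignition, detection_pfd=1.0,
                  p_ignition_if_isolated=None):
    """Event tree for a flammable release: the gas-detection branch either
    works (ignition sources de-energized, lower ignition probability) or
    fails on demand (PFD). detection_pfd=1.0 means no credit is taken."""
    if p_ignition_if_isolated is None:
        p_ignition_if_isolated = p_ignition
    works = release_freq * (1.0 - detection_pfd) * p_ignition_if_isolated
    fails = release_freq * detection_pfd * p_ignition
    return works + fails


if __name__ == "__main__":
    # Constructed scenario: overfill upset 0.05/yr with one operator-response
    # IPL (PFD 0.1) before loss of containment.
    rel = mitigated_frequency(0.05, [0.1])  # 0.005/yr
    print("release/yr", rel, "SIF needed: SIL", required_sil(0.05, [0.1]))
    print("VCE/yr, no credit:", vce_frequency(rel, 0.3))
    print("VCE/yr, detection credit:",
          vce_frequency(rel, 0.3, detection_pfd=0.1, p_ignition_if_isolated=0.05))
```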

Use caution if you intend to reduce the magnitude of a hazard scenario by crediting Fire & Gas detection equipment. Conduct fire & gas mapping per industry norm ANSI/ISA TR 84.00.07-2018 to ensure that both early-stage (incipient) hazards and major hazard scenarios are detected and automatically mitigated wherever possible. Fire & gas mapping provides high confidence in flame and gas detection and the corresponding automated response.

Unfortunately, all too often we see facility siting studies that have made broad assumptions about the capabilities of instrumentation & controls to either prevent or mitigate the hazard scenario. This is not in line with industry norms, which require that all safety instruments be verified to achieve a threshold level of reliability and risk reduction capability. Those thresholds can be established by any number of engineering work processes, including the requirement to perform adequately against the technical criteria in an OSHA facility siting analysis.

Please contact Kenexis if you have any questions about how to best approach safety automation in facility siting, or have concerns about how your existing facility siting analysis has made unverified assumptions regarding instrument performance. Our staff have many years of experience in defining the technical requirements to ensure that safety automation will perform adequately and meet your siting criteria.