New API publication gives IM guidance

March 26, 2007
API Publication 353, released in November 2006, provides an organized approach to facility integrity management and provides examples of two different methods for performing a risk assessment.

API Publication 353, released in November 2006, provides an organized approach to facility integrity management and provides examples of two different methods for performing a risk assessment. This article provides further guidance regarding weighting a risk assessment to reflect the core beliefs and corporate factors that affect a company’s decision making. It also presents guidance on the ranking and prioritization of risks inherent in any integrity-management program.

API Publication 340 provides a list of control measures a company may use to reduce the risks inherent in operating its facilities.


Risk management or integrity management provides the means to improve decision making by objectively defining the type and magnitude of the risks at facilities. It provides the tools to reduce the risks to the environment, population, and business from potential releases by applying mitigation strategies to those risks deemed by management to be unacceptably high.

Implementation of an overall integrity management plan designed to establish procedures and processes to identify, assess, analyze, mitigate, and manage the inherent risks in operating facilities accomplishes the provisions of these tools.

A risk assessment is the cornerstone of a program to identify, quantify and mitigate the likelihood of failure (LOF) and the consequences of failure (COF) from a specific piece of equipment (e.g., tank, piping, loading area) or from a specific operation.

API developed Publication 353, “Managing Systems Integrity of Terminal and Tank Facilities, Managing the Risk of Liquid Petroleum Releases,” to guide management of terminal and tank facilities in a manner allowing for cost-effective protection of the environment and safety of workers and the public. It is intended for petroleum terminal and tank facilities associated with marketing, pipeline, and other similar facilities covered by API Standard 2610, and may be used as a resource and management guide by those responsible for, or working at, such facilities.

The document presents an industry approach to the management practices necessary to implement principles of risk management and risk assessment at terminal and tank operations. It is intended to be consistent with, but not a substitute for, any applicable local, state, or federal regulations.

API Publication 353 provides an overall approach for risk management at aboveground liquid storage facilities. It describes the process elements that a user would need to follow to develop a risk management program at a facility, while at the same time providing flexibility to develop unique corporate risk-management programs.

Publication 353 does not require the user to proscriptively apply the programs and procedures it outlines. Instead it offers guidance by consolidating in one place the information necessary for a user to develop a program. Discussion of the principles of risk management, the elements of an integrity management program, the different approaches to risk assessment, the methods for risk prioritization, and mitigation of risk through application of risk-based decision making accomplish this goal.

API Publication 353 serves as an extension of an earlier document, API Publication 340. It therefore provides examples on mitigation of risk through selection of available control technologies presented in API Publication 340.

API Publication 353 addresses the major equipment at petroleum facilities, including aboveground and belowground piping, loading and unloading areas, aboveground storage tanks, and ancillary facility equipment.

This article discusses, as an example, one approach to computing the risk of a tank release using an approach described in API Publication 353. This article does not discuss in detail other aspects of a formal facility integrity management plan; e.g., integrity assessment plans, performance measures plans, etc.

This article’s approach can also compute the risk of releases from other facility equipment, including above- ground and belowground piping, or loading and unloading areas.

Risk concepts

Risk is the product of two factors: likelihood and consequence. Risk analysis evaluates two factors for discrete events: the likelihood of a specific event occurring (e.g., likelihood of a tank overfill) and the consequences of that event occurring.

Several different ways exist for displaying the results of this analysis. Two common approaches for computing risk are the qualitative approach and the quantitative approach.

The qualitative approach uses categorical values for likelihood and consequences. It could, for example, describe the likelihood of a tank overfill relatively as a 60% likelihood of occurrence when compared to other specific events. It could also describe the consequences of this event relatively as a 50% impact when compared to other specific events.

This approach uses variables defined categorically by the user. These values can be weighted numerical values or descriptive tags such as low, medium, and high. Analyzing these variables systematically develops a categorical result for overall risk for the specific event (e.g., low, medium, high).

Click here to enlarge image

Fig. 1 illustrates a qualitative risk matrix used to display risk results for different events using this approach.

The quantitative approach to computing risk uses specific numeric values for likelihood and consequences. This approach requires that specific numerical values be developed for each event. For example, for Event 1-Tank Overfill, the likelihood could be expressed as 1.0 × 10-4 events/tank fill/year/tank. The consequences of this event could be expressed as an $80,000 average cost for lost product, business effects, and environmental costs.

Click here to enlarge image

Fig. 2 illustrates a quantitative risk matrix for displaying risk results for different events using this approach.

A formal analysis of specific facility risks provides a means to measure the potential loss in terms of both the incident likelihood of occurrence and the magnitude of the consequences. Individuals can then use this analysis to create and manage facility integrity.

Integrity overview

A formal integrity management program (IMP) consists of a comprehensive suite of individual programs that work together to reduce or mitigate risks to the potentially affected local population (population risk), environment (environmental risk) and company (business risk).

A risk-assessment plan identifies the likelihood of failure and consequence of failure variables used in performing the risk assessment. It includes a plan for collecting and reviewing applicable system design, construction, operations, and integrity data and a plan for integrating this information into a risk model to analyze risk. Results of the risk analysis can guide the allocation of resources and the development of other plans aimed at reducing risk.

The integrity assessment plan evaluates the structural reliability of a pipeline, tank, pressure vessel, and piping system using integrity verification methods such as planned and documented inspections, hydrostatic testing, or other methods of inspection, testing, or evaluation.

Assessments using inspection or equivalent technology will likely generate lists of conditions that are likely to affect population, environment, or business. These conditions may require repair or monitoring to help improve protection of the public and environment. The repair and remediation plan specifies which conditions are to be repaired and within what time period these repairs are to be made. The plan includes:

  • Review and analysis of assessment results.
  • Qualification of personnel evaluating assessment results.
  • Discovery of conditions leading to repair.
  • Evaluation of repair results.
  • Repair-remediation scheduling requirements.
  • Repair-remediation criteria.
  • Repair methods.
  • Permitting and access requirements.
  • Documentation requirements.
  • Alterations to the plan based upon implementation feedback.

The reassessment plan involves integrity evaluations on the system; e.g., tank, piping, etc. Results of the evaluation support any reranking of these systems for assessment. The reranking will determine if a reassessment is warranted.

Trending and analysis of data gathered through integrity activities can improve the effectiveness of assessment plans. Key trends will provide guidance for plan development and will assist in the scheduling of integrity management activities.

The prevention plan looks at preventative and mitigative measures available to mitigate risk by reducing the likelihood of failure and-or consequence of failure; e.g. development of assessment and repair plans, corrosion mitigation plans, improved training, or a combination of these or other approaches.

The performance measures plan evaluates IMP performance and helps the company ask performance-based questions.

Performance measures fall into three groups:

  • Process measures evaluate prevention or mitigation activities.
  • Operational measures assess how well the system is responding to the IMP.
  • Direct measures rely on actual field data and include lagging and leading indicators, which are reactive and proactive, respectively, to IMP performance.

A lagging indicator, for example, could be the number of tank roof drain hose failures and a leading indicator could be measurement and trending of cathodic protection potential.

The quality control plan (QCP) provides documented confirmation that the company is meeting the requirements of its IMP. The requirements of a QCP include auditing the documentation, implementation, and maintenance of the IMP.

The management of change plan identifies and considers the effect of proposed changes to the systems and their potential effect on system integrity.

A management of change process includes:

  • Reason for the change.
  • Authority for approving changes.
  • Analysis of the implications of the change.
  • Acquisition of required permits.
  • Communication of the change.
  • Time limitations for the change.
  • Qualification of staff performing the review and implementing the change.

The documentation plan compiles a list of documentation required to fully implement the IMP, including type of documentation required, the location(s) of the records, responsibility for completion of documentation, and frequency of any required updates.

The communications plan keeps appropriate company personnel, jurisdictional authorities, and the public informed about the company’s efforts to help ensure the safety of the public and protection of the environment through its IMP activities.

Risk assessment

Performing a risk assessment provides a starting point for decision making in the facility integrity-management program. Risk assessments can follow many different forms and level of detail.

This section presents a relative risk approach to managing systems integrity of aboveground storage tanks, similar to the approach presented in API Publication 353.

In this approach, an individual or group of people with experience in risk analysis and knowledge of data pertaining to the facility assign scores. This example uses a facility aboveground storage tank as the object of a formal risk assessment.

Click here to enlarge image

Fig. 3 illustrates the approach used in computing the risk of a tank release. This illustration divides the likelihood of failure into different release scenarios (events).

It likewise divides the consequence of failure into different types of consequences.

To calculate the likelihood of failure, the user needs to develop or rely on data from others for the likelihood (probability) of a specific event occurring. API Publication 353 provides two methods for determining the likelihood of failure.

In Appendix A, for a tank release, Equation 1 (see equation box) expresses the LOF.

Click here to enlarge image

Users can apply API Publication 353 Appendix A or Appendix B methods, or they can develop any defendable approach that meets their needs.

The example used here-the LOF of an aboveground storage tank-applies a modification to the API Publication 353 Appendix A method.

This example illustrates an algorithm that applies a user-defined weighting factor to each category and subcategory for a specific event.

Equations 2-6 calculate the LOF of each category.

In this example, the user can define or apply a weighting factor to each subcategory and category. The application of the weighting factors allows the user to reflect the company’s operating experience and core values or tolerances to certain types of risks.

In order to calculate the COF, the user also needs to develop or rely on information from others for the consequences of a specific event occurring. API Publication 353 provides two methods for determining the COF. The user, however, can develop any defendable approach that meets its needs.

Equation 7 expresses API Publication 353 Appendix A COF for a tank release.

The example in this article computes the COF of an aboveground storage tank using an algorithm that allows a user to apply weighting factors to each category or subcategory for a specific event.

Equations 8-10 express the approach for computing the COF of an above- ground storage tank using these weighting factors.

Application of the weighting factors allows the user to reflect the company’s operating experience and core values or tolerances to certain types of risks.

The risk of failure is the product of the LOF and the COF. Equation 11 represents the overall risk of failure of an aboveground storage tank. Equations 12-15 express the specific risks for each scenario.

Risk results

Many ways of presenting the results of a risk analysis are available. Data can be looked at individually or in total. The organization and presentation of the data will depend upon the ultimate use of the data.

One method helpful in prioritizing maintenance, inspection, and mitigation activities is performance of a relative-risk ranking. This approach compares the risk of failure of each system to that of every other system at that facility, providing perspective on which system is at higher risk than another. A tank farm with multiple tanks could rank the various risks for specific events and then organize them to reveal the higher risk tanks.

Click here to enlarge image


Click here to enlarge image


Click here to enlarge image


Click here to enlarge image

Figs. 4-7 illustrate this approach for each tank-release event. Fig. 8 illustrates how the individual events can be combined to show a total risk of failure with respect to each system at that facility.

Click here to enlarge image

A similar approach can be used for piping systems, loading and unloading areas, and ancillary facility equipment.


API Publication 340, Liquid Release Prevention Measures for Terminal and Tank Facilities, October 1997.

API Publication 353, Managing Systems Integrity of Tank and Terminal Facilities, Managing the Risk of Liquid Petroleum Releases, November 2006.

The authors

Click here to enlarge image

Carl Mikkola (Carl.Mikkola is an engineering specialist with Enbridge Energy Co. Inc., Houston. He has 15 years’ experience in the oil and gas industry, including management of corporate risk and ensuring regulatory compliance as related to systems integrity for the natural gas business unit of Enbridge. Mikkola holds a BS in civil engineering from Michigan Technological University. He is a registered professional engineer in Texas, Illinois, and Indiana. He is a certified ANSI/API above- ground storage tank inspector and chairman of the API subcommittee on aboveground storage tanks and a member of the storage tank task force.

Click here to enlarge image

Joe Burke is the president of SPEC Consulting LLC. He has more than 20 years’ experience in the design, operation, and inspection of terminal and tank facilities. He has worked extensively in the petrochemical field, designing, inspecting, and auditing terminal and tank facilities. He serves as a consultant and technical writer to the oil industry and has developed several industry standards and publications. Burke holds a BS in civil-ocean engineering from the University of Rhode Island and an ME in civil engineering from Rensselaer Polytechnic Institute, Troy, NY. He is a licensed professional engineer in more than 20 states and US territories and is a board certified safety professional in engineering aspects.