Corrosion Management System Elements

The framework for a CMS is based on a series of central elements to ensure the effectiveness and consistency and communication of corrosion management processes. The implementation of corrosion management in a consistent and holistic manner in all stages of asset integrity management is an area where many organizations have identified the need for improved guidance. The following sections highlight the elements necessary for the development and implementation of an optimized CMS.

Corrosion Management Policy, Strategy, and Objectives

The corrosion management policy includes the principles and requirements used to manage the threat of corrosion over the life cycle of assets and asset systems. The corrosion management policy must be aligned with the organization’s mission and values through the organizational strategic plan. The policy lays the foundation for the corrosion management strategy, or long-term plan for managing corrosion over an organization’s assets and asset systems by way of specific and measurable objectives.

During the development of the corrosion management policy, strategy, and objectives, the internal and external context, or environments in which the organization seeks to achieve its objectives, must be considered. Examples of external context include the regulatory environment and the organization’s perceived reputation, while examples of internal context include an organization’s culture as well as internal standards and business models.

Although corrosion management policy, strategy, and objectives may be contained in standalone documents, they are ideally grouped with the policies, strategies, and objectives used to manage other threats to an organization’s assets or asset systems.

Some organizations understand the importance of the commitment of upper management.

A national oil company participant in one of the Middle East focus group meetings conducted during the IMPACT study said:

“Corrosion management is of paramount importance to senior management and is a tool to manage asset integrity. The company is structured in asset groups and each has asset standards to follow. The CEO signs an asset management policy.”

A senior manager of a major pipeline company in India said:

“Companies should have a robust corrosion management system comprising approved policy, plans, and targets; strategy; processes and procedures; controls and checks; structures; professionals; and resources.”

Enablers, Controls, and Measures


An optimized CMS requires defined and documented roles and responsibilities throughout an organization with respect to corrosion management. The defined roles and responsibilities should include personnel involved in the development, implementation, review, and continual improvement of the CMS, as well as personnel performing corrosion assessments and determining and prioritizing corrosion prevention and mitigation activities. Often, the roles and responsibilities are communicated internally through the use of organizational charts. Additionally, any applicable external personnel, such as contractors or consultants, should also be included in the organizational charts.

Contractors, Suppliers, and Vendors

When utilizing contractor services, the organization is responsible for verifying that the contractor services meet or exceed the requirements of the CMS. Additionally, the contractor(s) should be held responsible for meeting or exceeding the requirements of the CMS as defined by the organization. The same considerations should be applied to the qualification of any subcontractors used by the contractor.

Many organizations are indeed struggling with rolling out corrosion management principles to contractors, suppliers, and vendors.

This is underscored by a comment made during a Middle East focus group meeting:

“There are no clearly defined roles and responsibilities in the execution of CMP (corrosion management plan) – rollout to facilities and contractors is not being done.”


The organization should commit to determining and providing the resources required for developing, implementing, and continually improving the CMS. Resources include staffing, infrastructure, and equipment, such as inspection tools or repair equipment. Staffing requirements may be met by providing a combination of organization staff and contracted personnel; however, the organization must commit to ownership of the CMS and its processes.

Allocation of appropriate resources to deliver programs, which are consistent with the CMS, must be ensured. This is accomplished by allocating proper budgets, setting achievable staffing levels, and developing and implementing training programs to ensure the right amount and the right competence levels of staffing.

Resourcing is found to be a problem in implementing corrosion management.

Quotes made during a focus group meeting in China reflect a problem that most organizations have admitted to:

“We are missing the expertise to build corrosion SME (subject matter expert) teams. Non-experts cannot easily find hidden corrosion issues.”

“There is a shortage of corrosion experts to hire in China. We have to look for 3rd party experts; often is not local, so it creates inefficiencies and delays.”


The organization must create processes to establish and maintain internal and external communication processes associated with corrosion management. These processes include identification of the stakeholders and information that require communication. Channels should exist to allow communication to flow from management to project/field personnel and vice versa.

Internal Communication

Internal communication processes facilitate awareness of the CMS and corrosion processes throughout the organization, including awareness and understanding of the CMS policy, objectives, plans, processes, and procedures. Communication links management, employees, and other internal stakeholders and allows employees to give feedback and provide possible solutions to issues.

It is of particular importance to open up and maintain internal communication between all levels in the organization, as well as across the organization, since this is one of the means to incorporate corrosion management into an organization’s management systems.

Key internal communication processes include communication of the following:

  • Roles, authorities, and responsibilities.
  • Best practices.
  • Learning opportunities from ongoing activities, near-misses, and incidents, both internal and external.

Often information is not shared across an organization as is evidenced by a quote made during one of the focus group meetings by a staff member of a national oil company:

“There is a problem with communications; there are no communication protocols. If a corrosion engineer has an issue with corrosion and uses central engineering services, the solution/response goes only to the facility that had an issue – not to all who may have the issue or could have it.”

External Communication

External communication processes facilitate awareness, understanding, and acceptance of the CMS by contractors and other external stakeholders. As with internal communication, these processes include identification of the stakeholders and information that require communication. Additionally, the organization should make visible points of contact and exchange information regarding corrosion management with external stakeholders. This may include members of the public, regulators, industry organizations, emergency responders, and law enforcement. Adequate training in communication to external stakeholders is essential.

For contracted personnel, achieving buy-in of the CMS is crucial to the overall management of corrosion for an organization’s assets and asset systems. This is why clear communication of the CMS, expectations of the contractor, and responsibilities of the contractor within the CMS framework are essential.

Key external communication processes include communication of the following:

  • The CMS activities and processes to be conducted or reviewed by the external organization, including scope, boundaries, and applicable standards and procedures.
  • Roles, authorities, and responsibilities.
  • Best practices.
  • Learning opportunities from ongoing activities, near-misses, and incidents.
  • Management of change (MOC), including key contacts and elevation plans for technical and non-technical inquiries.
  • Approval processes for subcontracting or other contractual changes.

The importance of external communication is very important when the business is politicized and the media misrepresents the organization, as is evidenced by comments from the water distribution industry made during one of the group forum meetings:

“Management is very reactive to media/political winds.”

Risk Management

The risk management process coordinates activities to direct and control an organization with regard to risk. In the case of a CMS, the organization needs to establish, implement, and maintain documented processes and procedures for the ongoing identification and assessment of corrosion risks, as well as the identification and implementation of necessary control measures throughout the life cycle of the assets or asset systems.

A risk management approach is well suited to corrosion management where the final plan must include specific tasks and actions required to optimize costs, risks, and performance for assets and asset systems having a wide range of safety, environmental criticality, and business importance.

The ISO 31000 standard provides a useful reference in terms of the components and basic requirements for a consistent approach to risk management, but in general terms the organization’s methodology for risk management needs to be:

  1. Proportional to the level of risk under consideration.
  2. Defined with respect to its scope, nature, and timing to ensure it is proactive rather than reactive.
  3. Include where appropriate the assessment of how risk can change over time and service life.
  4. Provide the classification of risks and identification of those risks that are to be avoided, eliminated, or controlled by asset management.
  5. Be consistent with the organization’s operating experience and the capabilities of mitigation measures employed.
  6. Provide the monitoring of required actions to ensure both the effectiveness and timeliness of their implementation.

In terms of corrosion as a specific threat to the asset integrity or lifetime, the planning process described in ‎Figure 3-4 is a crucial step conducted by corrosion experts to establish the probability of credible corrosion-related events and the various options for mitigation to achieve the integrity or lifetime objectives of that specific asset. To complete the “risk picture,” the credible consequences of a failure or event as a result of this corrosion mechanism need to be determined. The type or context of the consequence will vary according to the asset type and criticality, but consideration should be given to safety, environment, reputation, and business loss. Applicable regulations or organization procedures may also require a “reverse” risk management process whereby the consequence criticality of a specific asset is determined first and then the corrosion threat analysis is only conducted for those assets with unacceptably high consequences.

Similar risk pictures will normally be established for other types of threats and then decisions about future investment and plans for asset management will be made based on the (risk) classification of a specific threat. ISO 31010 – Risk Assessment Techniques, which is a supporting standard to ISO 31000, provides guidance on the selection and applications of systematic techniques for risk assessment.

Management of Change

The MOC process is used to control, evaluate, and verify technical and non-technical changes to the corrosion management processes, CMS, assets, or asset systems. Each MOC request must be reviewed by appropriate subject matter experts to evaluate the effect of each proposed change or suite of changes based on the significance of the change, the need, technical basis, and expert evaluation of the risk associated with the change. Utilizing this information, authorization to proceed with the change should be determined.

It is critical that the MOC is effectively documented and communicated to all impacted parties throughout the organization.

Training and Competency

The organization is responsible for ensuring and documenting that personnel whose roles fall within the scope of the CMS have an appropriate level of competence in terms of education, training, knowledge, and experience. Training and competency requirements are applicable to both the organization’s staff and contractor personnel.

The organization should develop a process for training personnel on the organization-specific CMS processes and procedures. Additionally, competency evaluations for personnel, such as certifications, internal or external written or oral examinations, demonstrations of competence, previous job experience, or on-the-job evaluations, should be defined, implemented, and documented. It is important to consider the needs for re-training and evaluations, as well as the difference between training requirements for new and experienced personnel.

It is important to attract young and new talent and create an attractive career path for them. Several larger companies do have extensive training programs, but even the best programs have gaps:

“New graduates work with mentors for 10 to 15 years and have goals (CMAPs). On the not so good side, it was pointed out that mentors of people responsible for corrosion may not have any knowledge of corrosion themselves.”

“The company offers and underwrites advanced degrees, courses, and certifications, and they have internships.”

Moreover, globally and across industries it is a battle to create an attractive career path for engineers as shown with one quote from an employee of a Middle East national oil company:

“The field of corrosion is not made to be that appealing within the company, especially for young people. If someone in the corrosion group performs very well, they are made an attractive offer to move to another group. Salaries also favor moving out of a specialized group like corrosion control.”

Furthermore, it is essential that corporate knowledge stays with the company; however, often corporate knowledge disappears when senior staff leave.

quote by a senior engineer in a U.S. water distribution company underlines this concern:

“I have very specialized knowledge (water quality, chemistry, and corrosion) and have been in the business for 30 years. There’s no one being trained to replace me, and I am concerned about that.”

Incident Investigation (Lessons Learned)

Learning from both internal and external events is critical to the continuous improvement of a management system. Formal and consistent processes, such as incident investigations, are used to verify that a continuous improvement loop is in place to learn from events. In this context, “incident” is used to describe an undesirable event that affects the CMS, corrosion process, asset, or asset systems.

Examples of incidents include unintentional failure of an asset due to corrosion or failure to follow a defined CMS process or procedure. The goal of an incident investigation is to identify necessary improvements to the CMS, corrosion processes, or procedures. These improvements must be evaluated using the MOC process, communicated throughout the organization, and reviewed by management for effectiveness.


An organization is responsible for assembling, managing, and maintaining the documentation and records required to support and continually improve the CMS. The term “document” refers to plans or instructions for what actions will be performed; examples include the CMS policy, strategy, objectives, plans, procedures, and inspection forms. Alternately, a “record” refers to proof of compliance with a document’s requirements at a specific time. Examples of records include training records, corrosion inspection reports, and meeting minutes.

A needs analysis may be performed to determine which records and documents should be retained, both for regulatory or legislative reasons, as well as to conform to an organization’s requirements.


The corrosion management plans and work processes need to be audited periodically to ensure that they are being followed and adhered to and that they remain effective and consistent with the CMS strategy and objectives.

The audits can be performed by either the organization’s own staff or using a third-party consultant. The audit reports can serve as major input to the management review and continuous improvement process.

Management Review

A management review is an important aspect of a management system that demonstrates commitment from the organization for implementing, reviewing, and continually improving the management system and associated processes and documents. Management reviews are carried out at the optimized frequency determined by the organization to promote the continuing effectiveness of the CMS, examine current issues, and assess opportunities for improvement.

Typical information inputs for management reviews include:

  • Findings from non-conformances, incidents, and failures, both internal and external.
  • Status of preventive and corrective actions.
  • Follow-up actions from previous management reviews.
  • Changes in the organization’s operational environment that could affect the CMS including the requirements for additional or revised resources or changes to applicable regulations or standards.
  • Audit results, both internal and external.
  • Overall performance in terms of key performance indicators (KPIs).
  • Opportunities for improvement.

Typical outputs of the management reviews include:

  • Changes to policy, strategy, or objectives associated with the CMS.
  • Reallocation or supplementing of resources.
  • Changing organizational details, including staffing or responsibility updates.
  • Corrective and preventative measures.
  • Changes to the CMS processes, procedures, or documents.

A process should be implemented to track the completion of any required actions determined during the management review.

Continuous Improvement

In addition to formal processes that affect continuous improvement, including incident investigations and management reviews, informal opportunities, such as employee concerns and impromptu feedback, should be utilized in an appropriate manner to improve the CMS as well as the corrosion processes and procedures. Continuous improvement can be used to evaluate both the effectiveness of the CMS and its continued relevance to the organization’s goals and objectives. Improvements may take the form of changes to the overall policy, strategy, or objectives, or the individual elements of the CMS and their associated processes and procedures.