A Health Care’s Journey to the NFPA 99 Risk Assessment


At a recent Reliability Chapter meeting, a gentleman boldly stated, “If you threw all your preventative maintenance (PM) out the door, your productivity would shoot through the roof.” The reaction by most people in the room was to articulate why this is illogical. The NFPA 99: Health Care Facilities Code issued by the National Fire Protection Association (NFPA) has been steadfast, especially as it relates to health care facilities. It requires maintenance and repairs to be made in accordance with the manufacturer’s recommendations. Chapter 5.1 of NFPA 99 dictates that procedures established for the maintenance program of the medical air compressor system shall be in accordance with manufacturer’s recommendations. Chapter 5.3 further emphasizes the same for gas and vacuum systems. Additionally, Chapter 11.6 requires maintenance programs for piped gas systems to be administered in accordance with manufacturer’s recommendations. It also goes ahead to define the minimum testing requirements for generator sets and transfer switches, but further adds that the engine manufacturer’s recommendations should be followed. The NFPA 70E: Standard for Electrical Safety in the Workplace requires the same for electrical systems, while NFPA 72: National Fire Alarm and Signaling Code requires that all batteries are tested per manufacturer’s recommendations, to mention but a few. Maintenance is taken seriously by most institutions, which is why the gentleman’s remark incited anxiety.

But why would an obviously enlightened individual decide to make such a statement? The Uptime® Elements - A Reliability Framework and Asset Management System™ by Reliabilityweb.com® defines risk management as one of its Uptime Elements (Ri). It provides principles and generic guidelines on risk management and references ISO/IEC 31010 for the procedures. Chapter 4 of NFPA 99 defines building system categories based on their impact of failure to patients, staff and visitors. In this risk-based approach, a formal documented process is required and NFPA 99 further makes recommendations in the annex section on risk assessment procedures to establish these categories. Among the three popular procedures are those found in ISO/IEC 31010: Risk management – Risk assessment techniques, NFPA 551: Guide for the Evaluation of Fire Risk Assessments, and SEMI S10-0307E: Safety Guideline for Risk Assessment and Risk Evaluation Process. A sound and systematic risk assessment is inherent to any maintenance decisions in vital facilities, such as health care.

To preserve the efficiency, equity, quality and safety of health care, the Centers for Medicare and Medicaid Services (CMS) provides protective regulations, policy and guidance to hospitals. Compliance to this program may be achieved through accreditation by agencies, such as The Joint Commission (TJC). TJC sets standards known as the Elements of Performance (EPs), which are based on the CMS’s requirements, and packages them in the Environment of Care Standard. This standard is used by the TJC to survey member hospitals for eligibility and maintenance of accreditation.

Figure 1: Risk assessment task force formulation and process

One hospital from the Stanford Health Care system embarked on a journey to perform a risk assessment and establish NFPA 99 Chapter 4 categories for the asset inventory, as required by the Environment of Care standard EC.02.05.01. A collaborative effort was critical to the success of this process. As demonstrated in Figure 1, the process began with the establishment of an interdisciplinary team dubbed the NFPA 99 Risk Assessment Task Force. This team was comprised of members from various committees and departments, including the Environment of Care Utility Subcommittee; systems engineering; facilities management; resource management; infection prevention and control; clinical; and the frontline engineering staff. A risk assessment procedure to evaluate the categories would be developed and executed. In this regard, ASHE, the association for health care facility managers, engineers and other healthcare professionals, made a recommendation for a room-by-room assessment, which the team determined was inadequate for its needs. Further, NFPA 99 proposes a simplified risk assessment procedure, which fails to establish how the impact on patients, visitors and staff is determined, as shown in Figure 2. To fast-track the process, risk assessment criteria were established by the systems engineering team and proposed to the task force for review and approval.

Figure 2: Sample risk assessment (Source: NFPA 99, 2018)

To fully recognize the basis of the assessment process selected, it is necessary to quickly review the scope of NFPA 99. Chapter 4 Fundamentals define the four system risk categories as:

  • Category 1 – Facility systems in which failure of such equipment or system is likely to cause major injury or death of patients or caregivers shall be designed to meet system Category 1 requirements as defined in this code.
  • Category 2 – Facility systems in which failure of such equipment is likely to cause minor injury to patients or caregivers shall be designed to meet system Category 2 requirements as defined in this code.
  • Category 3 – Facility systems in which failure of such equipment is not likely to cause injury to patients or caregivers, but can cause patient discomfort, shall be designed to meet system Category 3 requirements as defined in this code.
  • Category 4 – Facility systems in which failure of such equipment would have no impact on patient care shall be designed to meet system Category 4 requirements as defined in this code.

Additionally, the minimum criteria for the performance, maintenance, installation and testing of the facility systems is defined in the subsequent chapters covering:

  • Chapter 5 – Gas and Vacuum Systems;
  • Chapter 6 – Electrical Systems;
  • Chapter 7 – Information Technology & Communication Systems;
  • Chapter 8 – Plumbing Systems;
  • Chapter 9 – Heating, Ventilation and Air Conditioning Systems;
  • Chapter 10 – Electrical Equipment;
  • Chapter 11 – Gas Equipment.

These facility systems in the health care world can generally be functionally categorized as:

  • Life support systems;
  • Utility infection control systems;
  • Environmental support systems;
  • Equipment support systems;
  • Communications systems and data exchange.

Thus, it was essential that the service locations for each of the assets under these categories were documented in order to perform a comprehensive risk assessment.

Back to the risk assessment journey, the task force was officiated with the establishment of a charter and management plan. The charter describes the purpose of the task force, its sponsorship, its goals, the guiding principles, scope of work, membership formulation and responsibilities, and meeting protocol. The management plan details process objectives, scope of implementation, the procedure itself and the plan to achieve the expressed objectives. A plan-do-check-act (PDCA) approach was adopted in the development of the management plan, and by extension the workflow, to successfully execute the risk assessment demonstrated in Figure 1. After establishing system types, as defined in NFPA 99, assigning service locations for each asset, as defined in the plan, creating schedules for each of the buildings, as well as rigorous investigations by the reliability engineers, the risk assessment criteria used to determine the system risk category was applied, as shown in Figure 3. A system function was determined for each asset, as defined by ASHE and related health care establishments. An infection risk assessment score, based on a well-defined institutional infection risk assessment criteria, was assigned. NFPA 101 Life Safety Code occupancy categories, namely health care, ambulatory health care, assembly, business and industrial, were assigned to the service locations, as defined in the fire life safety drawings. Objective data for each attribute was derived from this analysis. These attributes were then weighted and tallied in order to determine the risk category for the associated asset and space.

Figure 3: NFPA risk assessment procedure 

It is important to note that not all assets in the health care enterprise belong to a critical system, as defined in NFPA 99. Owing to the interdisciplinary nature of the task force, a somewhat subjective analysis was applied on noncritical systems to define their categories. A bulk of these were determined to be Category 4.

By the end of the exercise, a total of about 5,000 assets in over 30 facilities had been assessed and categorized. The end goal is to have these categories loaded into the enterprise asset management software (EAMS) and apply them in the optimization of the PM program.

The fundamentals of such a program will be based on decisions that are risk based. Thus, in the general sense, risk based decision-making offers more value and increases productivity than a traditional PM program for health care facilities.