IOW Lifecycle Management · From Extraction to Evidence

Auditable
Process Safety
Intelligence.

The system of record for Integrity Operating Windows.

Extracted automatically from your engineering corpus. Classified by a deterministic compliance engine grounded in API RP 584 and 571. Queryable across the entire facility — with a signed audit trail behind every claim.

Request Demo How it works

Built for ADNOC AIPSM Saudi Aramco PSM QatarEnergy HSE API RP 584 / 571

The Problem

IOW management is broken at every stage — and the consequences are not theoretical.

API RP 584 calls for 20–60 Integrity Operating Windows per process unit, each tier-classified and actively monitored. Today this work is done by hand, in spreadsheets and tribal memory. The cost shows up in audit findings. Sometimes it shows up in fatalities.

Per Process Unit

3 – 8 wks

Manual review of HAZOP worksheets, I/O lists, C&E matrices, and equipment datasheets — for a single unit, by a senior engineer.

Per Full Facility

60 – 160 wks

A 20-unit refinery or gas plant typically takes one to three years to complete a full IOW baseline. The cycle starts again before it ever ends.

Audit Trail

None.

Spreadsheets and institutional memory. No source traceability, no signed evidence, no defensible record. When the regulator asks, evidence is reconstructed in a panic.

The compliance window has closed.

GCC operators now sit under regulatory frameworks that mandate documented, current IOW registers across every process unit — with active enforcement, defined review cycles, and personal accountability. Spreadsheet workflows do not pass these audits.

ADNOC AIPSM Framework Operating Integrity Code of Practice · risk-based, actively audited across upstream and downstream operating companies.

Saudi Aramco PSM IOW management procedures embedded in mechanical-integrity standards · enforced across hydrocarbon assets.

QatarEnergy Corporate HSE Standards Process Safety Management acceleration with explicit IOW documentation, monitoring, and excursion-tracking requirements.

The deeper problem

Even a perfect IOW register is dead weight if it cannot be reasoned over.

IOW extraction is hard. But the larger failure mode is what happens after extraction: a register that nobody can query, that loses its expert context the moment a senior engineer retires, and that gives no answer when a Management of Change asks which equipment does this affect?

01 — Knowledge attrition

Critical context leaves with the engineer who held it.

Why a particular damage mechanism applies, why a tier was set where it was, what an excursion in 2017 actually meant — these answers live in the heads of senior process-safety engineers. When they retire, the IOW register survives but the meaning behind it does not.

02 — MOC blindness

Every change becomes a manual cross-asset audit.

A shift in feed composition, a setpoint adjustment, a new piece of instrumentation — each one demands an exhaustive trace through every IOW, damage mechanism, equipment tag, and downstream control it might affect. Today this is done by hand, takes weeks, and routinely misses interactions.

03 — No facility-wide reasoning

You cannot ask the register questions.

"Show me every IOW affected by H₂S partial pressure on austenitic stainless steel above 60 °C" is a one-line question that takes weeks of spreadsheet work to answer — assuming the register has the granularity to answer it at all. Most don't.

Reference incident

Tesoro Anacortes Refinery — April 2, 2010

7 fatalities · Heat exchanger E-6600E rupture · High-Temperature Hydrogen Attack (HTHA)

A naphtha hydrotreater heat exchanger ruptured during a startup operation, releasing flammable hydrogen and naphtha at over 500 °F. The U.S. Chemical Safety Board investigation found that the unit had been operating for years inside conditions for which the controlling integrity assumption — the API 941 carbon-steel Nelson curve — was simply not conservative enough.^CSB

"Tesoro did not monitor actual operating conditions of two of the exchangers, including the badly degraded one that ruptured, even though it would have been technically feasible to do so."

Inadequate IOW management is not a paperwork problem. It is the gap between what the equipment is rated for and what it is actually being asked to do — and when that gap stays invisible, people die. Every operator on the Gulf is one undetected damage-mechanism interaction away from its own version of this incident.

The Platform

One deterministic compliance engine — governing every claim, end to end.

Tarchon is built around a single architectural commitment: every output the platform produces — whether an extracted IOW, a Management of Change impact analysis, or a regulator-ready evidence dossier — must be bound to a named rule, an identifiable source passage, and a cryptographic signature. The compliance engine is what enforces that, on the way in and on the way out.

Lane 01 — Extraction Engineering corpus → signed IOW register Documents enter, candidates are generated, rules validate, humans approve.

Source Documents

HAZOP · I/O Lists · C&E Matrices · Datasheets · P&IDs

LLM Reader

Long-context, multimodal · candidate generation

Compliance Engine

API 584 / 571 rule system · 15 named damage mechanisms · deterministic

HITL Review

Reviewer-signed · Ed25519 · keyboard-driven UI

writes

Process Safety Knowledge Graph Apache AGE on PostgreSQL · signed nodes · source-bound edges · append-only audit log

reads

Lane 02 — Intelligence Question → signed answer Queries are parsed, traversals are rule-checked, answers carry their provenance.

Query

Natural-language or structured · domain-aware autocomplete

LLM Intent

Plans the candidate graph traversal in domain terms

Compliance Engine

Enforces semantic invariants on the traversal · same rule base as extraction

Signed Answer

Provenance chain per claim · regulator-defensible

Documents & data LLM reasoning Compliance engine (deterministic) Knowledge graph

Rule Base

API 584 / 571

15 named damage mechanisms · 80%+ Gulf hydrocarbon coverage

Source Binding

Per passage

Every claim resolves to its exact document line

Audit Signature

Ed25519

Append-only log · per-event signed

HITL Approval

Reviewer-signed

Optional 4-eye · keyboard-driven review UI

Every classification can be defended in front of a regulator. Each IOW is bound to its source passage, named damage mechanism, and HITL approval signature. No black-box reasoning. No reasoning loss. No audit gap.

Facility Intelligence

Extraction is the foundation. Reasoning is the product.

Every IOW Tarchon extracts becomes a node in your facility's process-safety knowledge graph. Every downstream answer carries the same audit trail as the extraction that produced it — because the same compliance engine powers both.

MOC change-impact analysis

Change a feed composition, a setpoint, or a single piece of instrumentation. Tarchon immediately traces every IOW, damage mechanism, equipment tag, and downstream control that the change touches — across the entire asset, in graph time.

The same compliance engine that classified the original IOW now reasons about the change. Nothing the engine was not allowed to assert during extraction is allowed during impact reasoning.

Weeks → days Cross-asset MOC collapsed

Natural-language query

Ask plain-English questions across the full process safety corpus. Domain-aware autocomplete, rule-validated traversal, every claim signed.

Source-bound Replayable Signed

Compliance evidence generation

One-click audit dossier. Every claim resolves to its rule, its source, its reviewer, and its signature.

APM-ready Cenosco-ready Regulator PDF

Also inside

Excursion event tracking IOW lifecycle & review scheduling KPI & leading-indicator dashboards Damage-mechanism interaction analysis AIM-system writeback (APM, Cenosco)

One compliance engine. End to end. The same deterministic rule system that classifies an extracted IOW also governs MOC reasoning, excursion classification, and evidence generation. The audit trail follows the data, not the workflow.

Why Tarchon

Three things you do not get anywhere else.

Regulatory confidence

Every IOW is tier-classified against a named API 584/571 damage mechanism, bound to its source passage, and Ed25519-signed. Built for regulators, not demo days.

100% Source traceable

Speed

What takes a process safety team three to eight weeks per unit, Tarchon delivers in hours. At facility scale, the gap is years.

~200× vs. manual baseline

Facility-wide reasoning

Every extraction writes to a process-safety knowledge graph from day one. Ask MOC change-impact questions across the entire asset and get answers in days.

6–10 wks → 2 days MOC impact review

Why Now

Three forces have converged. The window for incumbents to react is closing.

Force 01 — Regulatory

Enforcement is active. Personal accountability is named.

ADNOC's AIPSM Framework, Saudi Aramco's PSM and mechanical-integrity standards, and QatarEnergy Corporate HSE now require documented, current IOW registers with personal accountability assigned to operating-site leadership. Audit findings on IOW management have moved from "opportunity" to "finding" inside two reporting cycles. Manual workflows are out of compliance the day they are filed.

Force 02 — Capability

The reasoning step works — but only with a verifier.

200K-context, multimodal vision-language models can now reliably parse HAZOP worksheets, equipment datasheets, and P&ID legends. What changed in 2025 is the verifier: pairing LLM extraction with a deterministic compliance engine catches the residual hallucinations that blocked production deployment for a decade. Black-box AI alone still does not pass an audit. The combination does.

Force 03 — Sovereignty

Sovereign deployment is a procurement filter, not a feature.

Heightened regional tensions and intensifying state data-residency requirements have eliminated foreign-only SaaS from NOC procurement shortlists. Tarchon ships in three forms — UAE-sovereign cloud, customer-tenancy on-premises, and fully air-gapped appliance — because that is the boundary of what NOC procurement will sign for. The security boundary is the moat, not the model.

Deployment

Three deployment tiers. One platform.

From sovereign cloud to fully air-gapped facility appliances — Tarchon ships in the form your security and procurement teams already approve.

Cloud

Azure UAE North · Sovereign region

Multi-tenant Tarchon SaaS hosted in the UAE-North sovereign region. Data never leaves the region. SSO, SAML, audit logging, and customer-managed keys included.

RegionUAE North

EncryptionCMEK · TLS 1.3

IdentitySSO · SAML · SCIM

Sovereign Cloud

Customer Tenancy · On-Premises

Full Tarchon stack deployed inside your tenancy or on-premises infrastructure. Zero data egress. Operates inside your existing change-control and security boundary.

TenancyCustomer-owned

EgressNone

UpdatesAir-gap delivery

Air-Gapped Appliance

Dual NVIDIA H100 · Network-isolated

Self-contained inference appliance for fully air-gapped facilities. Ships pre-configured with dual H100-80GB GPUs. No outbound network connectivity required.

Compute2× H100-80GB

NetworkIsolated

Form FactorRack 4U

Request Demo

See the platform on your own documents.

In a 45-minute working session, we will run Tarchon on a representative HAZOP and equipment datasheet from your facility and walk through the resulting tier-classified IOW register, source traceability, and audit export.

Live extraction on your sample document — not a canned demo deck.
Walkthrough of the audit trail, signing, and HITL review surface.
Mutual NDA available before any document is shared.

Full name

Organization

Role

Work email

What would you like to see?

We respond within one business day.

Auditable Process Safety Intelligence.