GCPS 2017

Using HAZOP/LOPA to Create an Effective Mechanical Integrity Program

Steven T. Maher, PE CSP
Risk Management Professionals
[email protected]

David J. Childs
Risk Management Professionals
[email protected]

Prepared for Presentation at American Institute of Chemical Engineers 2017 Spring Meeting and 13th Global Congress on Process Safety, San Antonio, Texas, March 26-29, 2017

AIChE shall not be responsible for statements or opinions contained in papers or printed in its publications


Keywords: PSM, RMP, CalARP, Mechanical Integrity, OSHA, EPA, Process Safety

Abstract

Many people view the conduct of a HAZOP/LOPA to address regulatory requirements as a chore, and stop there. However, the implementation of a quality HAZOP/LOPA has the potential to provide a framework for addressing numerous safety and operational optimization issues at plants, including the formulation/refinement of the Mechanical Integrity Program. The purpose of this paper is to focus on the mechanical integrity program, illustrate how a quality HAZOP/LOPA can support the effective implementation of some of the new Damage Mechanism Review requirements for California Refineries (e.g., 5189.1(k)), and optimize key elements of an effective Mechanical Integrity Program, e.g.:

• Inspection/testing methods
• Testing intervals
• Maintenance outage periods
• Repair prioritization and allowable outage
• Identification of low priority equipment

1. Mechanical Integrity Defined

When you look at the parallel evolution of modern Safety Management Systems (SMS) (Figure 1.1), such as OSHA’s Process Safety Management (PSM) Program[1], U.S. EPA’s Risk Management Program (RMP)[2], and the Bureau of Safety and Environmental Enforcement’s (BSEE’s) Safety and Environmental Management Systems (SEMS) Program[3], the same key Safety Management System elements are at the core of PSM, RMP, and SEMS, spanning an entire spectrum of facility types and geographic application. Although these regulatory programs were developed independently, at different times, and in different locations, industry and the regulatory community noted the importance of SMS application, and a fundamental part of this has always been maintaining the integrity of the process and functionality of equipment. As can be seen in Figure 1.2, “Mechanical Integrity” (MI) is a critical part of any SMS application.

FIGURE 1.1 – Evolution of Select SMS Guidelines

FIGURE 1.2 – Key PSM Elements (2016)

The core objective of MI is “to maintain the on-going integrity of process equipment.” This includes the integrity of the process boundaries as well as the reliability of operating/standby equipment. 29 CFR 1910.110(j) lays a foundation for:

• Typical process equipment to be included in the MI Program
• Written procedures to allow the program to function
• Training for process maintenance activities, with a focus on safety
• Inspection and testing, including procedures and definition of frequency
• Documentation of inspections and tests
• Correction of equipment deficiencies
• Quality assurance

Now that we have identified what MI is and what the requirements are, let’s take a look at another key element of PSM.

2. Why do a Process Hazard Analysis (PHA)?

PSM is a performance-based standard, and as such, it is designed to focus on key objectives such as minimizing potential hazards and maintaining the desired level of safety at the plant site. PHA is a key early step in minimizing potential hazards by first identifying and understanding them in order to focus management systems (e.g., MI) on equipment/characteristics of importance. There are numerous PHA tools (see Figure 2.1) that have various advantages / disadvantages for different applications[4]. However, one of the more broad-spectrum PHA techniques is the Hazard and Operability (HAZOP) Study.

FIGURE 2.1 – Hazard Analysis Tool Spectrum

The guideword HAZOP technique is based on the premise that hazards and operability problems originate from deviations from design intent when a process is running under normal operating conditions. For example, adding the guideword “NO” to the parameter “FLOW” to get the deviation “NO FLOW” would prompt the leader to ask the Team, “What causes could result in no flow in this node or line segment?” The potential hazard scenarios that include possible “Causes” and potential “Consequences” are documented in the report worksheets. The possible “Safeguards” in place to reduce the risk associated with the specific cause/consequence scenario are then discussed and documented.

The HAZOP Study proceeds sequentially, studying each piece of equipment contained in the process. Thus, if applied comprehensively, HAZOP systematically creates a roadmap of key paths that lead to undesired events (hazards or operability issues, depending on the study objectives). Because this roadmap provides a framework for assessing the likelihood and severity of each path to an undesired event, the importance of the contribution of causal events and safeguards can be assessed, as well as the need to prioritize reliable equipment function.

Since HAZOP is a scenario-based method that explicitly identifies the failure of equipment that can potentially lead to a hazardous condition (cause), explicitly identifies and illustrates the importance of active protection features (safeguards), and applies a measure of importance (consequences) to their failure, it is a helpful platform for identifying important equipment requiring prioritization of reliability. This information, derived from the contributions of diverse technical disciplines (e.g., engineering, operations, maintenance) is fundamental to the establishment of a balanced MI Program. Reference 5 is a very good source of pragmatic tips for the implementation of HAZOP, and Reference 15 provides some general background on the HAZOP method and its application during the design process.

FIGURE 2.2 – HAZOP/LOPA Requires a Multidisciplinary Approach

3. Using Layer of Protection Analysis (LOPA) to Dig Further

Section 2 describes the essence of a PHA, which is the identification of scenarios with sufficient detail to balance likelihood and severity to understand their risk contribution, and thus, the importance of the scenario and associated equipment. Figure 3.1 graphically illustrates how the clarity provided by assessing both the likelihood and severity for different scenarios (1-5 for this example) provides an improved perspective on the risk contribution of the scenario, and thus, the importance of associated equipment reliability.

FIGURE 3.1 – Scenario-Based Analysis Objectives

Since the 1980s, advances in electronics (see Figure 3.2) facilitated the application of more reliable control/protection equipment that provided a platform for improved levels of safety and reliability. For most facilities subject to PSM/RMP, these improvements are implemented in a “phased-approach,” as-needed, typically as part of capital projects. So, at any point in time, a facility has a wide-spectrum of equipment applied to control/protection systems (Figure 3.3). The challenge is applying a tool to evaluate their reliability contribution that can be scaled up/down, depending on the level-of-detail needed, and that can build on all of the work done during a HAZOP. LOPA is a tool that is well-suited for this challenge.

FIGURE 3.2 – Tandem Advances in Protection System Design Architectures & Analysis

FIGURE 3.3 – Control/Protection System Spectrum – BPCS & SIS/HIPS

Like a HAZOP, LOPA is also a scenario-based tool that is often coupled with a HAZOP. The primary difference is depth, specificity, and the ability to infuse more complex quantitative information (see Table 3.1). References 6, 7 and 8 are very good sources of pragmatic tips for the implementation of LOPA.

TABLE 3.1 - Defining the Scenario and Equipment Importance (Contrasting HAZOP & LOPA)

Likelihood:

| HAZOP | LOPA |
| Cause | Initiating Cause |
| Safeguards | IPL & non-IPL |
| Likelihood Ranking from a Risk-Ranking Matrix | Product of Initiating Cause Frequency, Enabling Condition Probability, Conditional Modifiers, and the IPL PFD |

Severity (HAZOP and LOPA): The severity value used for the HAZOP and LOPA is typically the same, but an opportunity exists for LOPA to apply more quantitative differentiation.

LOPA typically applies representative order-of-magnitude quantitative values to the frequency of causal events and the Probability of Failure on Demand (PFD) of safeguards to provide a frequency of reaching an undesired consequence that can be compared to the company target value to assess acceptability (see Figure 3.4). LOPA also drills a little deeper with respect to understanding if a safeguard is an “Independent Protection Layer” (IPL) and the potential for common-mode failure. LOPA can also apply various Enabling Event Probabilities and Conditional Modifiers to better characterize the potential for reaching the Ultimate Consequences (see Figure 3.5).

FIGURE 3.4 – LOPA Snapshot

FIGURE 3.5 – Addressing Enabling Conditions & Conditional Modifiers in LOPA

LOPA’s primary purpose is to determine the adequacy of existing IPLs and determine if additional protection features are needed. LOPA is also used to assign a target Safety Integrity Level (SIL) value for a Safety Instrumented System (SIS)[9, 10]. SIL assignment is based on an instrument’s likelihood to function upon demand. A higher SIL level device has more “value” in risk reduction and is determined based on the specifications the instrument is manufactured to meet. These applications identify one of the other very useful functions for LOPA. It is able to identify reliability targets for equipment that might “cause” a potential hazard and identify reliability targets for equipment that can function as a protective feature (safeguard). One can capitalize on these characteristics to fortify the structure of a MI Program.

4. Pulling It Together

4.1 Basics

Section 1 defined MI and identified relevant regulatory requirements. Both MI and PHA are key elements of PSM/RMP, and as such, properly structured, they can be mutually supportive. Critical to effective implementation is an understanding of key MI Program Elements (see Figure 4.1). If one were to create a wish list that could provide a basis for a MI Program, it might include:

• Accommodating both safety and operational issues
• Identifying when a safety feature is needed
• Being able to scale up/down
• Providing optional quantification
• Scenario-based

These needs clearly point towards PHA, specifically HAZOP/LOPA, as having the ability to provide the information needed to define a good MI Program. Being a performance-based standard, PSM doesn’t provide an exact prescription for defining a MI Program or its elements. Therefore, as long as performance-based objectives are met, any number of ways to define the program and the various key elements, such as inspection frequencies, may be acceptable. However, diligent implementation of various elements of the MI Program and HAZOP/LOPA can greatly increase effectiveness.

FIGURE 4.1 – MI Program Elements

4.2 Desirable MI Program Characteristics

Figure 4.2 illustrates that there can be a very wide range of acceptable approaches to the implementation of performance-based standards like PSM and RMP. However, certain characteristics facilitate the effective implementation of a MI Program, as well as allowing constructive interface with other PSM/RMP elements such as PHA:

• Configuration of a Computerized Maintenance Management System (CMMS) to allow for trending
• Programmatic checks/balances that allow for consistent trending
• Assignment of allowable outage times
• Communications with Operations, Safety, and other stakeholders if equipment is out-of-service for maintenance, inspection, testing, or repair
• Assignment of maintenance, inspection, testing, or repair priorities
• Application of consistent equipment tag number patterning and utilization that matches with other Process Safety Information (PSI)

FIGURE 4.2 – MI Implementation Spectrum

4.3 Desirable HAZOP/LOPA Characteristics

The ability to utilize the results of a HAZOP/LOPA is greatly dependent on the quality of the study and documentation, which is often linked to the experience and diligence of the Facility/Scribe Team heading the effort. For this reason, inconsistencies in the HAZOP/LOPA results have often created a challenge. However, certain characteristics can facilitate the effective utilization of the HAZOP/LOPA in support of the MI Program:

• Availability of a high quality HAZOP/LOPA (Reference 4 provides tips on the implementation of high quality HAZOP/LOPA Studies)
• Documentation that consistently, accurately, and comprehensively applies equipment tag numbers that match with other Process Safety Information (PSI)
• Clear documentation of safeguard functions
• Ready access to machine-readable HAZOP/LOPA outputs, for searching

4.4 Using HAZOP/LOPA to Formulate the MI Program

Many companies/individuals seem to struggle with identifying equipment to be encompassed by the MI Program and frequency/scope of testing, inspection, and preventive maintenance to be applied. Although there are a number of different ways to approach MI, since the purpose of the MI Program is to support safe and reliable plant operation, using a high quality HAZOP/LOPA is one straightforward way that can at least offer a good starting point and a defensible basis:

• If an active component is a safeguard identified by HAZOP/LOPA, then there is an implicit or explicit reliability assumed by the Team. The MI Program needs to be designed to support that reliability.
• If the failure of a piece of equipment is a causal event, there is an implicit/explicit assumption of failure frequency. The MI Program needs to be designed to support that reliability.

Thus, if a piece of equipment that is a safeguard in a HAZOP/LOPA is not at least defined in the MI Program with a reasonable testing, inspection, and preventive maintenance assignment, this would seem to be a deficiency, and its absence would be difficult to justify. At the other end of the spectrum, the plant maintenance department needs to be able to justify not tracking, testing, inspecting, and maintaining every subcomponent. Again, the HAZOP/LOPA can help clarify that the objective is to achieve the desired reliability of the equipment referenced in the HAZOP/LOPA (see Table 4.1), and if the subcomponent in question is implicit in that reliability, it does not need to be independently tracked in the PSM MI Program.

TABLE 4.1 – Example Values Used for LOPA

Initiating Cause Likelihoods

| Initiating Cause | Events / Year |
| BPCS instrument loop failure | 1 x 10^-1 |
| Regulator failure | 1 x 10^-1 |
| Pumps and other rotating equipment failure | 1 x 10^-1 |
| Safety valve opens spuriously | 1 x 10^-2 |
| Pump seal failure | 1 x 10^-1 |

Independent Protection Layer (IPL) Probability of Failure on Demand (PFD)

| IPL | PFD |
| Basic process control system, if not associated with the initiating event being considered | 1 x 10^-1 |
| Safety valve fails to open on demand | 1 x 10^-2 |
| Rupture disc fails to open on demand | 1 x 10^-2 |
| SIL-1 IPL | > 1 x 10^-2 & ≤ 1 x 10^-1 |
| SIL-2 IPL | > 1 x 10^-3 & ≤ 1 x 10^-2 |
| SIL-3 IPL | > 1 x 10^-4 & ≤ 1 x 10^-3 |
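Added example (not part of the original paper): the LOPA arithmetic described in Section 3 and Table 3.1, run with the Table 4.1 example values, including the common-mode restriction on crediting the BPCS. The company target frequency (1 x 10^-5 per year), the 0.5 conditional modifier, and all function names are assumptions made for illustration.

```python
from math import prod

# Table 4.1 example values: initiating cause likelihoods, events per year.
INITIATING_CAUSE_FREQ = {
    "BPCS instrument loop failure": 1e-1,
    "Regulator failure": 1e-1,
    "Pumps and other rotating equipment failure": 1e-1,
    "Safety valve opens spuriously": 1e-2,
    "Pump seal failure": 1e-1,
}

# Table 4.1 example values: IPL probability of failure on demand (PFD).
IPL_PFD = {
    "BPCS": 1e-1,  # creditable only if not associated with the initiating event
    "Safety valve": 1e-2,
    "Rupture disc": 1e-2,
}

# Table 4.1 SIL bands as (exclusive lower PFD, inclusive upper PFD).
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3)}


def mitigated_frequency(cause, ipls, enabling=1.0, modifiers=()):
    """Frequency per year of reaching the consequence: initiating cause
    frequency x enabling condition probability x conditional modifiers
    x the PFD of every credited IPL (the LOPA column of Table 3.1)."""
    if len(set(ipls)) != len(ipls):
        raise ValueError("an IPL is credited more than once in one scenario")
    # Common-mode check (assumes a single BPCS): the control system that
    # initiated the scenario cannot also be credited as a protection layer.
    if "BPCS" in ipls and cause.startswith("BPCS"):
        raise ValueError("BPCS cannot be an IPL for a BPCS-initiated scenario")
    unmitigated = INITIATING_CAUSE_FREQ[cause] * enabling * prod(modifiers)
    return unmitigated * prod(IPL_PFD[name] for name in ipls)


def required_pfd(frequency, target):
    """PFD an additional protection layer must achieve to reach the target
    frequency, or None when the existing IPLs already meet it."""
    if frequency <= target:
        return None
    return target / frequency


def sil_for(pfd):
    """Table 4.1 SIL band containing the required PFD; 0 when the required
    PFD is above the SIL-1 band."""
    if pfd > 1e-1:
        return 0
    for sil, (low, high) in SIL_BANDS.items():
        if low < pfd <= high:
            return sil
    raise ValueError("required PFD is below the SIL-3 band in Table 4.1")


def assess(cause, ipls, target, enabling=1.0, modifiers=()):
    """Run one scenario and report the reliability target it implies."""
    freq = mitigated_frequency(cause, ipls, enabling, modifiers)
    gap = required_pfd(freq, target)
    return {
        "frequency": freq,
        "meets_target": gap is None,
        "required_pfd": gap,
        "target_sil": None if gap is None else sil_for(gap),
    }


if __name__ == "__main__":
    TARGET = 1e-5  # assumed company target, events per year
    # Constructed scenario: BPCS loop failure, one safety valve credited,
    # conditional modifier 0.5 (assumed).
    print(assess("BPCS instrument loop failure", ["Safety valve"], TARGET,
                 modifiers=(0.5,)))
```

The PFD values credited here (for example 1 x 10^-2 for the safety valve) are the reliability assumptions the MI Program then has to support through testing and inspection.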

In addition to defining the universe of components to be encompassed by the MI Program, HAZOP/LOPA can be used to support prioritization. Equipment (and key failure modes) encompassed by the MI Program can be divided into four main classes:

• Safety Instrumented Functions (SIF)
• Safety – High Priority
• Safety – Low Priority
• Operational

Although some expert judgment and experience can be used when classifying equipment (and failure modes) into these categories, as a starting point, the results of the HAZOP/LOPA can be helpful and provide a complementary perspective to the expert judgment classically used:

• SIF – If a facility has committed to IEC 61508/61511, these are typically treated as the highest priority with well-defined testing, inspection, and preventive maintenance requirements.
• “Safety – High Priority” Equipment Considerations
  o Equipment failure modes that can initiate a high consequence HAZOP/LOPA scenario (if unmitigated)
  o IPL Safeguards that could mitigate a high consequence HAZOP/LOPA event
  o IPL Safeguards that could mitigate a HAZOP/LOPA event with a safety consequence, and where that is the only protection feature for that safety scenario
  o IPL Safeguards that could mitigate multiple scenarios associated with lower consequence HAZOP/LOPA events
• “Safety – Low Priority” Equipment Considerations
  o Other equipment failure modes that could result in a safety consequence (if unmitigated) identified by the HAZOP/LOPA
  o IPL Safeguards that could mitigate a lower consequence HAZOP/LOPA event
  o Non-IPL Safeguards credited by the HAZOP/LOPA
• Operational Considerations for the MI Program

Binning equipment and the key failure modes of concern supports meaningful prioritization by the Plant Maintenance Department to ensure that the SIF and “Safety – High Priority” equipment and failure modes receive the proper support and application of testing, inspection, and preventive maintenance that meets or exceeds industry standards and best practices.
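Added example (not part of the original paper): the binning rules above applied to a machine-readable HAZOP/LOPA worksheet, plus the Section 4.4 check for credited safeguards that are missing from the MI Program. The worksheet rows, tag numbers, CMMS tag list, the severity scale of 1 to 5, the "high consequence" threshold of 4, and the reading of "multiple" as two or more are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

CLASSES = ["SIF", "Safety - High Priority", "Safety - Low Priority", "Operational"]
HIGH_SEVERITY = 4  # assumed: severity >= 4 on a 1-5 ranking is "high consequence"


@dataclass
class Safeguard:
    tag: str
    ipl: bool          # credited as an Independent Protection Layer
    sif: bool = False  # implemented as a Safety Instrumented Function


@dataclass
class Scenario:
    ident: str
    cause_tag: str     # equipment whose failure is the causal event
    severity: int
    safety: bool       # False for operability-only scenarios
    safeguards: list = field(default_factory=list)


def classify(scenarios):
    """Return {tag: class}; each tag keeps the highest priority it earns."""
    rank = {}
    low_ipl_hits = defaultdict(int)

    def bump(tag, cls):
        rank[tag] = min(rank.get(tag, len(CLASSES) - 1), cls)

    for sc in scenarios:
        high = sc.safety and sc.severity >= HIGH_SEVERITY
        # Causal equipment: high-consequence initiators are high priority.
        bump(sc.cause_tag, 3 if not sc.safety else (1 if high else 2))
        for sg in sc.safeguards:
            if sg.sif:
                bump(sg.tag, 0)
            elif not sc.safety:
                bump(sg.tag, 3)
            elif not sg.ipl:
                bump(sg.tag, 2)            # non-IPL safeguard credited
            elif high or len(sc.safeguards) == 1:
                bump(sg.tag, 1)            # high consequence, or sole protection
            else:
                bump(sg.tag, 2)
                low_ipl_hits[sg.tag] += 1
    # An IPL shared by multiple lower-consequence scenarios is high priority.
    for tag, hits in low_ipl_hits.items():
        if hits >= 2:
            bump(tag, 1)
    return {tag: CLASSES[i] for tag, i in rank.items()}


def missing_from_mi(scenarios, mi_tags):
    """Safeguards credited by the HAZOP/LOPA but absent from the MI Program."""
    credited = {sg.tag for sc in scenarios for sg in sc.safeguards}
    return sorted(credited - set(mi_tags))


# Constructed worksheet export; tag numbers are illustrative only.
WORKSHEET = [
    Scenario("S1", "LIC-101", 5, True,
             [Safeguard("PSV-101", True), Safeguard("SIS-101", True, sif=True)]),
    Scenario("S2", "P-201A", 2, True,
             [Safeguard("PAL-201", False), Safeguard("PSV-202", True)]),
    Scenario("S3", "PCV-301", 3, True,
             [Safeguard("PSV-202", True), Safeguard("FAL-301", False)]),
    Scenario("S4", "FIC-401", 2, False, [Safeguard("FAL-401", False)]),
    Scenario("S5", "TIC-501", 3, True, [Safeguard("TSH-501", True)]),
]
# Constructed CMMS tag list.
MI_TAGS = ["LIC-101", "PSV-101", "SIS-101", "P-201A", "PSV-202", "PCV-301",
           "FAL-301", "FIC-401", "FAL-401", "TIC-501"]

if __name__ == "__main__":
    for tag, cls in sorted(classify(WORKSHEET).items()):
        print(f"{tag:8s} {cls}")
    print("Not in MI Program:", missing_from_mi(WORKSHEET, MI_TAGS))
```

The check only works when the worksheet and the CMMS use the same equipment tag numbers, which is the reason Sections 4.2 and 4.3 ask for consistent tagging.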

Other Tips:

• During the HAZOP/LOPA, avoid including safeguards that aren’t important IPLs, as their inclusion into the MI Program, even as low priority items, can dilute the Plant Maintenance Department’s efforts on more critical equipment.
• Testing (functional) and inspection activities in the MI Program should focus on the failure modes identified in the HAZOP/LOPA as important.
• Without the perspective of the HAZOP/LOPA, instrumentation designers can often overdesign the protection features and include SIF where they may not be necessary. A good use for the HAZOP/LOPA is to identify where a SIF could be converted to a BPCS, so that the Plant Maintenance Department can focus resources in other, more critical, areas.
• Tracking and trending of failure data as part of the MI Program can be geared to the level-of-resolution of the failure mode in the HAZOP/LOPA.

4.5 Using HAZOP/LOPA to Support the MI Program During Plant Operation

Whereas the previous subsections focus on the ability to utilize the HAZOP/LOPA to initially formulate the MI Program, interaction between the MI Program and the HAZOP/LOPA models can be useful during plant operation. Plant operations can be a quite dynamic environment with priorities continually shifting as new challenges arise. If HAZOP/LOPA information is readily available during plant operation, more effective decision-making and prioritization can be accomplished:

• If diligently documented, the HAZOP/LOPA can be used to determine if out-of-service equipment has a potentially critical safety impact.
• In a similar way, allowable outage time and repair priorities can be geared towards an understanding of the role equipment may play as a safeguard.

5. Complementary Methodologies

The approaches discussed in Section 4 address the majority of the needs of a PSM MI Program; however, for some equipment and process configurations, especially those associated with high-consequence potential hazards, additional tools may be required to define the associated inspection, testing, and maintenance frequencies and activities.

5.1 API RP 581[11]

In 1993, the American Petroleum Institute (API) released Recommended Practice 581 which provides guidance on performing a risk based, quantitative analysis to develop an inspection program tailor-made to a facility based on facility conditions and company expectations of risk at the facility. The practice includes calculations of probability of failure (POF) and the consequences of failure (COF) similar to the methodology used in a HAZOP Study when looking at potential consequences and likelihoods of failure within a process. By assigning a risk rank to equipment individually, inspections and mechanical integrity programs can be tuned to provide the level of attention necessary to equipment. In generalized or standardized programs, some equipment may be serviced or inspected too infrequently resulting in higher risk whereas other, lower risk equipment may be serviced or inspected at a rate above what would be necessary to meet a company’s risk target.

API RP 581 provides a comprehensive structure for analyzing equipment in the following groups:

• Pressure Vessels and Piping
• Atmospheric Storage Tank
• Pressure Relief Devices
• Heat Exchanger Tube Bundles

For each equipment group, specific methods for determining probability of failure, consequences of failure and inspection planning guidelines are available. This process also allows for differing levels of inspection which would facilitate effective implementation based on the size and resources available at a facility.

5.2 Damage Mechanism Review (DMR)

The Richmond Refinery fire on August 6, 2012 triggered a fresh look at several SMS programs, the application of hazards identification techniques (as applied to hazardous material containment integrity), and resulted in several proposals for the modernization of PSM and RMP, including the performance of a “Damage Mechanism Review.”[12,13] A key focus of DMR requirements is piping systems, even though 29 CFR 1910.110(j)(1)(ii) identifies “Piping systems” as a type of process equipment to which a MI Program should be applied.

The complete implementation of DMR can require extensive resources, and Figure 5.1 depicts the range of approaches that can be used to address DMR requirements. In short, one of the most effective approaches is to encompass DMR by the PHA and treat the failure of select piping as a causal event, thus capitalizing on the insights from similar types of releases considered by the PHA Team. The following resources clarify the challenge and provide some focused/practical approaches for implementation:

• Maher, Nour, Schultz, “Using PHA as a Framework for Effectively Addressing Evolving PSM/RMP Guidelines, Such As Damage Mechanism Hazard Reviews,” Global Congress on Process Safety 2015[17].
• RMP/PSM Series Educational Webinars (March 26, 2015 and August 27, 2015)[14]

FIGURE 5.1 – DMR Implementation Spectrum

5.3 Effective Use of Standardized Maintenance Schedules

The aforementioned methods will provide a robust and focused MI Program for a facility. Based on the size, complexity and level of risks at a given facility, these methods may be more or less important. In many cases, facilities will use recognized standards within industry for maintenance intervals as a baseline. There are multiple groups that provide recommended maintenance and inspection intervals. Some of the more commonly referenced ones are listed below:

• OSHA (Occupational Safety and Health Organization)
• Cal/OSHA (California Occupational Safety and Health Organization)
• ANSI (American National Standard Institute)
• IIAR (International Institute of Ammonia Refrigeration)
• IEC (International Electrochemical Commission)
• API (American Petroleum Institute)
• NBIC (National Board Inspection Code)
• CCPS (Center for Chemical Process Safety)
• Department of The Army Technical Bulletin

These organizations offer guidance on various equipment groups with information regarding frequencies of maintenance and the types of actions that are to be taken within a time interval. These actions will be independent of facility conditions (in some cases corrosion is taken into consideration) and offer a standard for all facilities to follow. If a facility chooses to opt for a more robust methodology (such as API 581), the recommended actions by these organizations can be used as a “litmus test” to ensure the advanced methodology is achieving its goal. Table 5.1 shows some examples of commonly-referenced standards for specific equipment groups:

TABLE 5.1 – Examples of Commonly-Referenced MI Standards

| Maintenance Standard | Description |
| API 510 | Multiple equipment groups including pressure vessels and PRVs |
| API 570 & ASME B31.1-2007 | Piping Inspection, Repair and Corrosion Examination |
| IEC 61508 | Functional safety of electrical/electronic/programmable electronic safety-related systems |
| API 653 | Tank Inspection, Repair, Alteration, and Reconstruction |
| IIAR 110 | Shutoff and control valve maintenance, daily inspection recording, |

Some of these standards, such as API and IIAR, are associated with a specific industry; however, they can act as a starting point for all facilities. These standards can also be used in conjunction with manufacturer recommendations of maintenance intervals. A conservative method would be to compare the manufacturer’s proposed actions and intervals to those offered by the organizations and take the more involved of the two.

6. Select Statistics to Optimize Your MI Program

The implementation of a real MI Program can be quite dynamic, and various issues may

materialize:

Variance of inspection/testing intervals

Variance of inspection/testing methods

Page 13: Using HAZOP/LOPA to Create an Effective Mechanical ... · GCPS 2017 _____ Using HAZOP/LOPA to Create an Effective Mechanical Integrity Program

GCPS 2017 __________________________________________________________________________

Impact of maintenance outage time on equipment reliability

Repair prioritization and allowable outage time

Feedback of reliability observations back into the MI Program

Every component has a certain degree of uniqueness, and theoretical application of the bathtub

curve concept never exactly echoes component-specific performance; however, equipment in a

process facility is generally utilized during a period of its existence where it is not subject to burn-

in or wear-out failures, and the failure rates is generally constant (see Figure 6.1). However, during

this period, the inspection, testing, and preventive maintenance features of the PM Program impact

various categories of equipment differently, e.g.:

Monitored-Repairable Components

Unmonitored-Repairable Components

Standby Components

Understanding these differences can provide

useful insights to optimize the PM Program

with respect to cost and equipment reliability.

This section is designed to convey basic

concepts behind the driving forces of

equipment reliability.

6.1 Monitored-Repairable Components

Examples in this category include active

valves, where a failure would be noticed, or

contemporary electronics with high-pedigree

self-diagnostics. In these cases, the failure

mode of interest would be revealed and can

then undergo repair. Note that not all failure

modes associated with a piece of equipment

may be able to be monitored. A fundamental

issue for any MI Program is the choice of

what failure modes can be monitored and what failure modes can be functionally tested. A brief

review of some key definitions is in order:

Reliability – Probability that the component experiences no failures during time (0,t)

Availability (A(t)) – Probability that the component is normal (available) at time “t” = 𝑇𝑜𝑡𝑎𝑙 𝑂𝑝𝑒𝑟𝑎𝑡𝑖𝑛𝑔 𝑇𝑖𝑚𝑒

𝑇𝑜𝑡𝑎𝑙 𝑇𝑖𝑚𝑒 𝑜𝑓 𝐼𝑛𝑡𝑒𝑟𝑒𝑠𝑡

Unavailability (Q(t)) = 𝑇𝑜𝑡𝑎𝑙 𝐷𝑜𝑤𝑛 𝑇𝑖𝑚𝑒

𝑇𝑜𝑡𝑎𝑙 𝑇𝑖𝑚𝑒 𝑜𝑓 𝐼𝑛𝑡𝑒𝑟𝑒𝑠𝑡

Mean-Time-To-Failure (MTTF) – Average time interval between failures

FIGURE 6.1

General Component Life Cycles

Page 14: Using HAZOP/LOPA to Create an Effective Mechanical ... · GCPS 2017 _____ Using HAZOP/LOPA to Create an Effective Mechanical Integrity Program

GCPS 2017 __________________________________________________________________________

Mean-Time-To-Repair (MTTR, 1 𝜇⁄ ) – Average time to repair a failed component

Failure Rate (λ) = 1 𝑀𝑇𝑇𝐹⁄

Figure 6.2 illustrates the time periods that might contribute to the overall availability/unavailability of a piece of equipment and identifies the associated calculations that can provide insights into equipment availability/unavailability. Based on the criticality of the equipment with respect to its reliability and contribution to plant safety via the HAZOP/LOPA, the Plant Maintenance Department can use these concepts, as well as MTTR and MTTF, to judge the need to invest in resources to minimize MTTR (e.g., warehoused spares) or to maximize MTTF (e.g., higher reliability equipment replacements).

6.2 Unmonitored-Repairable Components

Examples in this category include pressure safety valves (PSVs). Unmonitored components are subject to a similar relatively-uniform failure rate during the active life of the equipment; however, a failure would be covert (unrevealed) until a planned test identifies that the component has failed. This is illustrated by Figure 6.3 and covers a wide range of safeguards in a typical process unit. Based on the importance of equipment function and functionality needed (e.g., from the HAZOP/LOPA), the PM Program can be tuned to optimize testing/inspection intervals (i.e., cost-benefit) and testing/inspection methods (i.e., to address the failure mode and functionality needed).

FIGURE 6.2 – Monitored-Repairable Components

FIGURE 6.3 – Unmonitored-Repairable Components

6.3 Standby Components

Standby components typically do not behave with only the simple parameters identified in Section 6.2. Figure 6.4 illustrates the contributions of testing/inspection intervals, testing/inspection durations, repair duration, and preventive maintenance duration to the unavailability of a standby component. To add to the complexity, different failure modes of a piece of equipment may be unrevealed (covert) or revealed failures, and the different failure modes may have a different importance with respect to plant safety/operability, as identified via the HAZOP/LOPA. The challenge of the PM Program is to optimize equipment reliability and the associated costs of achieving that reliability. Whereas there is no perfect solution, a clear understanding of the need stemming from the HAZOP/LOPA and an understanding of fundamental reliability concepts can help tune the PM Program to achieve the desired degree of optimization.

6.4 Feedback of Reliability Observations into the MI Program

Most CMMS provide an ability to log equipment failures and support data trending. There is a fundamental challenge associated with carefully logging the information and correlating the specific failure mode of the equipment to a failure mode of importance to the HAZOP/LOPA. Assuming that this has been done diligently, various approaches[11] (e.g., Bayesian statistics) can be used to update manufacturer reliability data with the specific experiences at the plant site. This information can be fed back into the MI Program to further optimize testing, inspection, and preventive maintenance practices (see Figure 4.1) and improve cost-effectiveness. This feedback mechanism can often result in re-focusing limited Plant Maintenance resources towards areas of greater importance.
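The following example is added here and is not code from the paper. It applies the Section 6.1 definitions (MTTF, MTTR, availability, unavailability) to a CMMS log filtered to one failure mode, then performs the plant-data update described in Section 6.4 using a gamma-Poisson conjugate model, which is an assumed choice of Bayesian method. The equipment tag, failure-mode labels, hours, and manufacturer rate are all constructed.

```python
from dataclasses import dataclass

@dataclass
class WorkOrder:            # one constructed CMMS record; times in hours
    tag: str
    failure_mode: str       # hypothetical labels, not from the paper
    failed_at: float        # hour the failure was revealed
    restored_at: float      # hour the component returned to service

# Constructed log: only "fail_to_close" is assumed to be the failure mode
# that the HAZOP/LOPA credits; the leak is logged but not relevant to it.
LOG = [
    WorkOrder("XV-101", "fail_to_close", 4000.0, 4020.0),
    WorkOrder("XV-101", "external_leak", 9000.0, 9008.0),
    WorkOrder("XV-101", "fail_to_close", 15000.0, 15028.0),
]
OBSERVED_HOURS = 26280.0    # three years of service (constructed)

def plant_statistics(log, mode, total_hours):
    """Section 6.1 quantities for one failure mode of a monitored component."""
    events = [w for w in log if w.failure_mode == mode]
    down = sum(w.restored_at - w.failed_at for w in events)
    up = total_hours - down             # operating time w.r.t. this mode
    n = len(events)
    return {
        "failures": n,
        "operating_hours": up,
        "mttf": up / n if n else float("inf"),
        "mttr": down / n if n else 0.0,
        "availability": up / total_hours,
        "unavailability": down / total_hours,
    }

def bayes_update(prior_rate, prior_hours, failures, operating_hours):
    """Posterior mean failure rate under a gamma-Poisson model (assumed here).

    The manufacturer rate is treated as a Gamma prior whose weight is
    prior_hours of equivalent experience; plant data adds failures and hours.
    """
    alpha = prior_rate * prior_hours
    return (alpha + failures) / (prior_hours + operating_hours)

if __name__ == "__main__":
    s = plant_statistics(LOG, "fail_to_close", OBSERVED_HOURS)
    lam = bayes_update(1e-5, 100_000.0, s["failures"], s["operating_hours"])
    print(s, f"posterior failure rate = {lam:.3e} per hour")
```

The posterior rate lies between the manufacturer figure and the raw plant estimate; a larger `prior_hours` pulls it toward the manufacturer data, a longer plant history pulls it toward site experience.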

FIGURE 6.4 – Standby Components

7. Conclusion

Because they are core elements of PSM/RMP, the ties between the MI Program and HAZOP/LOPA are very strong, but are typically underutilized. When formulating the MI Program, there is a wealth of information that can be drawn from HAZOP/LOPA to focus and enhance the effectiveness of the MI Program. This effectiveness can manifest itself in many ways, e.g.:

Ensuring that high-priority equipment gets the attention needed

Optimizing inspection, testing, and preventive maintenance frequencies

Identification of low-priority equipment, so that the Plant Maintenance Department can focus on high-priority equipment

Identification of over-application of SIS, where a BPCS component can provide adequate reliability with much lower recurring MI costs

Similarly, during the course of plant operations, when the inevitable challenges occur that compromise planned inspection, testing, and preventive maintenance activities, HAZOP/LOPA can provide insight regarding importance and may identify desirable options.

8. References

[1] PSM – 29 CFR 1910.119, "Process Safety Management (PSM) of Highly Hazardous Chemicals, Explosives and Blasting Agents," 1992.

[2] RMP – 40 CFR Part 68, "Risk Management Programs (RMP) for Chemical Accidental Release Prevention," 1996.

[3] SEMS Final Rule – Federal Register – Title 30, Code of Federal Regulations (CFR) Part 250 – "Oil and Gas and Sulphur Operations in the Outer Continental Shelf – Safety and Environmental Management Systems," Federal Register, Vol. 78, No. 66, April 5, 2013.

[4] http://www.RMPCorp.com/HAZOP-Study-series-module, HAZOP/LOPA Facilitation Best Practices Webinar Series.

[5] CCPS "Guidelines for Hazard Evaluation Procedures," 3rd Edition, 2008.

[6] CCPS "Layer of Protection Analysis – Simplified Process Risk Assessment," 2001.

[7] CCPS "Guidelines for Initiating Events and Independent Protection Layers in Layer of Protection Analysis," 2015.

[8] CCPS "Guidelines for Enabling Conditions and Conditional Modifiers in Layer of Protection Analysis," 2013.

[9] IEC 61508, "Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems."

[10] IEC 61511, "Functional Safety - Safety Instrumented Systems for the Process Industry Sector."

[11] API Recommended Practice 581, "Risk-Based Inspection Technology."

[12] http://www.caloes.ca.gov/cal-oes-divisions/fire-rescue/hazardous-materials/california-accidental-release-prevention, California Accidental Release Prevention (CalARP) Program Proposed Updates, February 14, 2017.

[13] http://www.rmpcorp.com/wp-content/uploads/2014/08/15-day-Notice-Process-Safety-Management-for-Petroleum-Refin.pdf, Proposed General Industry Safety Order (GISO) §5189.1, Process Safety Management for Petroleum Refineries, February 10, 2017.

[14] http://www.RMPCorp.com/rmppsm-series/ - RMP/PSM Series Educational Webinars.

[15] Maher, Reyes, Vasudevan, "Assimilating Design Formulation and Design Review into a HAZOP," Global Congress on Process Safety 2012.

[16] "Relief Valve Testing Interval Optimization Program for the Cost-Effective Control of Major Hazards," Second Symposium on Preventing Major Chemical Accidents, Oslo, May 1988.

[17] Maher, Nour, Schultz, "Using PHA as a Framework for Effectively Addressing Evolving PSM/RMP Guidelines, Such As Damage Mechanism Hazard Reviews," Global Congress on Process Safety 2015.

[18] Clean Air Act (CAA) Section 112(r)(1) – General Duty Clause.

[19] http://www.CSB.gov – Source website for the Chemical Safety Board.

[20] http://www.CalEPA.CA.gov/Refinery/ – Source website for the Interagency Refinery Task Force.

[21] http://www.calepa.ca.gov/publications/Reports/2014/RefineryRpt.pdf, "Improving Public and Worker Safety at Oil Refineries," February 2014.

[22] http://www.RMPCorp.com/SMS_Regulatory_Updates/ - Website Tracking Safety Management Systems U.S. Regulatory Updates.

[23] CCPS "Guidelines for Process Equipment Reliability Data with Data Tables," 2010.

[24] OREDA Handbook 2015, 6th edition – Volume I and II.

[25] IEEE-500-1984 - IEEE "Guide To The Collection And Presentation Of Electrical, Electronic, Sensing Component, And Mechanical Equipment Reliability Data for Nuclear-Power Generating Stations".

[26] SINTEF "Reliability Data for Safety Instrumented Systems," 2010.

[27] SINTEF "Reliability Data for Control and Safety Systems," 1998.