
GCPS 2017 __________________________________________________________________________

Using HAZOP/LOPA to Create an Effective Mechanical Integrity Program

Steven T. Maher, PE CSP
Risk Management Professionals
Steve.Maher@RMPCorp.com

David J. Childs
Risk Management Professionals
David.Childs@RMPCorp.com

Prepared for Presentation at
American Institute of Chemical Engineers
2017 Spring Meeting and 13th Global Congress on Process Safety
San Antonio, Texas
March 26-29, 2017

AIChE shall not be responsible for statements or opinions contained
in papers or printed in its publications

Keywords: PSM, RMP, CalARP, Mechanical Integrity, OSHA, EPA, Process Safety

Abstract
Many people view the conduct of a HAZOP/LOPA to address regulatory requirements as a chore,
and stop there. However, the implementation of a quality HAZOP/LOPA has the potential to
provide a framework for addressing numerous safety and operational optimization issues at plants,
including the formulation/refinement of the Mechanical Integrity Program. The purpose of this
paper is to focus on the mechanical integrity program, illustrate how a quality HAZOP/LOPA can
support the effective implementation of some of the new Damage Mechanism Review
requirements for California Refineries (e.g., 5189.1(k)), and optimize key elements of an effective
Mechanical Integrity Program, e.g.:

• Inspection/testing methods
• Testing intervals
• Maintenance outage periods
• Repair prioritization and allowable outage
• Identification of low priority equipment

1. Mechanical Integrity Defined


When you look at the parallel evolution of modern Safety Management Systems (SMS) (Figure 1.1),
such as OSHA’s Process Safety Management (PSM) Program[1], U.S. EPA’s Risk Management Program
(RMP)[2], and the Bureau of Safety and Environmental Enforcement’s (BSEE’s) Safety and
Environmental Management Systems (SEMS) Program[3], the same key Safety Management System
elements are at the core of PSM, RMP, and SEMS, spanning an entire spectrum of facility types and
geographic application. Although these regulatory programs were developed independently, at
different times, and in different locations, industry and the regulatory community noted the
importance of SMS application, and a fundamental part of this has always been maintaining the
integrity of the process and functionality of equipment. As can be seen in Figure 1.2, “Mechanical
Integrity” (MI) is a critical part of any SMS application.

FIGURE 1.1 – Evolution of Select SMS Guidelines

The core objective of MI is “to maintain the on-going integrity of process equipment.” This
includes the integrity of the process boundaries as well as the reliability of operating/standby
equipment. 29 CFR 1910.110(j) lays a foundation for:

• Typical process equipment to be included in the MI Program
• Written procedures to allow the program to function
• Training for process maintenance activities, with a focus on safety
• Inspection and testing, including procedures and definition of frequency
• Documentation of inspections and tests
• Correction of equipment deficiencies
• Quality assurance

FIGURE 1.2 – Key PSM Elements (2016)

Now that we have identified what MI is and what the requirements are, let’s take a look at
another key element of PSM.

2. Why do a Process Hazard Analysis (PHA)?


PSM is a performance-based standard, and as such, it is designed to focus on key objectives such
as minimizing potential hazards and maintaining the desired level of safety at the plant site. PHA
is a key early step in minimizing potential hazards by first identifying and understanding them in
order to focus management systems (e.g., MI) on equipment/characteristics of importance. There are
numerous PHA tools (see Figure 2.1) that have various advantages / disadvantages for different
applications[4]. However, one of the more broad-spectrum PHA techniques is the Hazard and
Operability (HAZOP) Study.

FIGURE 2.1 – Hazard Analysis Tool Spectrum

The guideword HAZOP technique is based on the premise that hazards and operability problems
originate from deviations from design intent when a process is running under normal operating
conditions. For example, adding the guideword “NO” to the parameter “FLOW” to get the
deviation “NO FLOW” would prompt the leader to ask the Team, “What causes could result in no
flow in this node or line segment?” The potential hazard scenarios that include possible “Causes”
and potential “Consequences” are documented in the report worksheets. The possible
“Safeguards” in place to reduce the risk associated with the specific cause/consequence scenario
are then discussed and documented.

The HAZOP Study proceeds sequentially, studying each piece of equipment contained in the
process. Thus, if applied comprehensively,
HAZOP systematically creates a roadmap of
key paths that lead to undesired events (hazards
or operability issues, depending on the study
objectives). Because this roadmap provides a
framework for assessing the likelihood and
severity of each path to an undesired event, the
importance of the contribution of causal events
and safeguards can be assessed, as well as the
need to prioritize reliable equipment function.

Since HAZOP is a scenario-based method that explicitly identifies the failure of equipment that
can potentially lead to a hazardous condition (cause), explicitly identifies and illustrates the
importance of active protection features (safeguards), and applies a measure of importance
(consequences) to their failure, it is a helpful platform for identifying important equipment
requiring prioritization of reliability. This information, derived from the contributions of diverse
technical disciplines (e.g., engineering, operations, maintenance) is fundamental to the
establishment of a balanced MI Program. Reference 5 is a very good source of pragmatic tips for the
implementation of HAZOP, and Reference 15 provides some general background on the HAZOP method
and its application during the design process.

FIGURE 2.2 – HAZOP/LOPA Requires a Multidisciplinary Approach

3. Using Layer of Protection Analysis (LOPA) to Dig Further

Section 2 describes the essence of a PHA, which is the identification of scenarios with sufficient
detail to balance likelihood and severity to understand their risk contribution, and thus, the
importance of the scenario and associated equipment. Figure 3.1 graphically illustrates how the
clarity provided by assessing both the likelihood and severity for different scenarios (1-5 for this
example) provides an improved perspective on the risk contribution of the scenario, and thus, the
importance of associated equipment reliability.

FIGURE 3.1 – Scenario-Based Analysis Objectives

Since the 1980s, advances in electronics (see Figure 3.2) facilitated the application of more reliable
control/protection equipment that provided a platform for improved levels of safety and reliability.
For most facilities subject to PSM/RMP, these improvements are implemented in a “phased-approach,”
as-needed, typically as part of capital projects. So, at any point in time, a facility has
a wide-spectrum of equipment applied to control/protection systems (Figure 3.3). The challenge
is applying a tool to evaluate their reliability contribution that can be scaled up/down, depending
on the level-of-detail needed, and that can build on all of the work done during a HAZOP. LOPA
is a tool that is well-suited for this challenge.

FIGURE 3.2 – Tandem Advances in Protection System Design Architectures & Analysis
FIGURE 3.3 – Control/Protection System Spectrum – BPCS & SIS/HIPS

Like a HAZOP, LOPA is also a scenario-based tool that is often coupled with a HAZOP. The
primary difference is depth, specificity, and the ability to infuse more complex quantitative
information (see Table 3.1). References 6, 7 and 8 are very good sources of pragmatic tips for the
implementation of LOPA.

TABLE 3.1 - Defining the Scenario and Equipment Importance (Contrasting HAZOP & LOPA)

Likelihood
  HAZOP                                   LOPA
  Cause                                   Initiating Cause
  Safeguards                              IPL & non-IPL
  Likelihood Ranking from a               Product of Initiating Cause Frequency, Enabling
  Risk-Ranking Matrix                     Condition Probability, Conditional Modifiers, and
                                          the IPL PFD

Severity
  HAZOP and LOPA                          The severity value used for the HAZOP and LOPA is
                                          typically the same, but an opportunity exists for
                                          LOPA to apply more quantitative differentiation.

LOPA typically applies representative order-of-magnitude quantitative values to the frequency of
causal events and the Probability of Failure on Demand (PFD) to safeguards to provide a frequency
of reaching an undesired consequence that can be compared to the company target value to assess
acceptability (see Figure 3.4). LOPA also drills a little deeper with respect to understanding if a
safeguard is an “Independent Protection Layer” (IPL) and the potential for common-mode failure.
LOPA can also apply various Enabling Event Probabilities and Conditional Modifiers to better
characterize the potential for reaching the Ultimate Consequences (see Figure 3.5).

FIGURE 3.4 – LOPA Snapshot

LOPA’s primary purpose is to determine the adequacy of existing IPLs and determine if
additional protection features are needed. LOPA is also used to assign a target Safety Integrity
Level (SIL) value for a Safety Instrumented System (SIS)[9, 10]. SIL assignment is based on an
instrument’s likelihood to function upon demand. A higher SIL level device has more “value” in risk
reduction and is determined based on the specifications the instrument is manufactured to meet.
These applications identify one of the other very useful functions for LOPA. It is able to identify
reliability targets for equipment that might “cause” a potential hazard and identify reliability
targets for equipment that can function as a protective feature (safeguard). One can capitalize on
these characteristics to fortify the structure of a MI Program.

FIGURE 3.5 – Addressing Enabling Conditions & Conditional Modifiers in LOPA

4. Pulling It Together

4.1 Basics

Section 1 defined MI and identified relevant regulatory requirements. Both MI and PHA are key
elements of PSM/RMP, and as such, properly structured, they can be mutually supportive. Critical
to effective implementation is an understanding of key MI Program Elements (see Figure 4.1). If
one were to create a wish list that could provide a basis for a MI Program, it might include:

• Accommodating both safety and operational issues
• Identifying when a safety feature is needed
• Being able to scale up/down
• Provide optional quantification
• Scenario-based

When we look at these needs, they clearly point towards PHA, specifically HAZOP/LOPA, as
having the ability to provide the information needed to define a good MI Program. Being a
performance-based standard, PSM doesn’t provide an exact prescription for defining a MI
Program or its elements. Therefore, as long as performance-based objectives are met, any
number of ways to define the program and the various key elements, such as inspection
frequencies, may be acceptable. However, diligent implementation of various elements of the MI
Program and HAZOP/LOPA can greatly increase effectiveness.

FIGURE 4.1 – MI Program Elements

4.2 Desirable MI Program Characteristics

Figure 4.2 illustrates that there can be a very wide range of acceptable approaches to the
implementation of performance-based standards like PSM and RMP. However, certain
characteristics facilitate the effective implementation of a MI Program, as well as allowing
constructive interface with other PSM/RMP elements such as PHA:

• Configuration of a Computerized Maintenance Management System (CMMS) to allow for trending
• Programmatic checks/balances that allow for consistent trending
• Assignment of allowable outage times
• Communications with Operations, Safety, and other stakeholders if equipment is out-of-service
  for maintenance, inspection, testing, or repair
• Assignment of maintenance, inspection, testing, or repair priorities
• Application of consistent equipment tag number patterning and utilization that matches
  with other Process Safety Information (PSI)

FIGURE 4.2 – MI Implementation Spectrum

4.3 Desirable HAZOP/LOPA Characteristics

The ability to utilize the results of a HAZOP/LOPA is greatly dependent on the quality of the
study and documentation, which is often linked to the experience and diligence of the
Facility/Scribe Team heading the effort. For this reason, inconsistencies in the HAZOP/LOPA
results have often created a challenge. However, certain characteristics can facilitate the
effective utilization of the HAZOP/LOPA in support of the MI Program:

• Availability of a high quality HAZOP/LOPA (Reference 4 provides tips on the
  implementation of high quality HAZOP/LOPA Studies)
• Documentation that consistently, accurately, and comprehensively applies equipment tag
  numbers that match with other Process Safety Information (PSI)
• Clear documentation of safeguard functions
• Ready access to machine-readable HAZOP/LOPA outputs, for searching

4.4 Using HAZOP/LOPA to Formulate the MI Program

Many companies/individuals seem to struggle with identifying equipment to be encompassed by
the MI Program and frequency/scope of testing, inspection, and preventive maintenance to be
applied. Although there are a number of different ways to approach MI, since the purpose of the
MI Program is to support safe and reliable plant operation, using a high quality HAZOP/LOPA is
one straightforward way that can at least offer a good starting point and a defensible basis:

• If an active component is a safeguard identified by HAZOP/LOPA, then there is an implicit
  or explicit reliability assumed by the Team. The MI Program needs to be designed to
  support that reliability.
• If the failure of a piece of equipment is a causal event, there is an implicit/explicit
  assumption of failure frequency. The MI Program needs to be designed to support that
  reliability.

Thus, if a piece of equipment that is a safeguard in a HAZOP/LOPA is not at least defined in the
MI Program with a reasonable testing, inspection, and preventive maintenance assignment, this
would seem to be a deficiency, and its absence would be difficult to justify. At the other end of
the spectrum, the plant maintenance department needs to be able to justify not tracking, testing,
inspecting, and maintaining every subcomponent. Again, the HAZOP/LOPA can help clarify that the
objective is to achieve the desired reliability of the equipment referenced in the HAZOP/LOPA (see
Table 4.1), and if the subcomponent in question is implicit in that reliability, it does not need
to be independently tracked in the PSM MI Program.

TABLE 4.1 – Example Values Used for LOPA

Initiating Cause Likelihoods
Initiating Cause                                         Events / Year
BPCS instrument loop failure                             1 x 10^-1
Regulator failure                                        1 x 10^-1
Pumps and other rotating equipment failure               1 x 10^-1
Safety valve opens spuriously                            1 x 10^-2
Pump seal failure                                        1 x 10^-1

Independent Protection Layer (IPL) Probability of Failure on Demand (PFD)
IPL                                                      PFD
Basic process control system, if not associated with
the initiating event being considered                    1 x 10^-1
Safety valve fails to open on demand                     1 x 10^-2
Rupture disc fails to open on demand                     1 x 10^-2
SIL-1 IPL                                                > 1 x 10^-2 & ≤ 1 x 10^-1
SIL-2 IPL                                                > 1 x 10^-3 & ≤ 1 x 10^-2
SIL-3 IPL                                                > 1 x 10^-4 & ≤ 1 x 10^-3
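
The LOPA arithmetic described in Section 3 and Table 3.1, worked with the Table 4.1 values, as an added example (not code from the paper or its authors). It computes the mitigated frequency, finds the SIL band of any shortfall against the target, and lists the reliability each tagged item is assumed to hold, which is what the MI Program has to support. The scenarios, equipment tags, target frequencies, the 0.5 enabling probability, the 0.1 conditional modifier and the rule that drops BPCS credit in BPCS-initiated scenarios are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal as D

# Order-of-magnitude values copied from Table 4.1.
INITIATING_CAUSE_FREQ = {                      # events / year
    "BPCS instrument loop failure": D("1e-1"),
    "Regulator failure": D("1e-1"),
    "Pumps and other rotating equipment failure": D("1e-1"),
    "Safety valve opens spuriously": D("1e-2"),
    "Pump seal failure": D("1e-1"),
}
IPL_PFD = {                                    # probability of failure on demand
    "BPCS": D("1e-1"),          # creditable only if not associated with the initiating event
    "Safety valve": D("1e-2"),
    "Rupture disc": D("1e-2"),
}
# SIL bands from Table 4.1: lower bound exclusive, upper bound inclusive.
SIL_BANDS = {1: (D("1e-2"), D("1e-1")), 2: (D("1e-3"), D("1e-2")), 3: (D("1e-4"), D("1e-3"))}


@dataclass
class Scenario:
    name: str
    cause: str                  # key into INITIATING_CAUSE_FREQ
    cause_tag: str              # tag of the equipment whose failure initiates the scenario
    ipls: dict                  # safeguard tag -> key into IPL_PFD
    target: D                   # company target frequency, events / year (assumed here)
    enabling: D = D(1)          # enabling condition probability
    modifiers: list = field(default_factory=list)   # conditional modifiers


def credited_ipls(s):
    """Safeguards that count as IPLs. Simplification: no BPCS credit if a BPCS loop is the cause."""
    bpcs_initiated = s.cause == "BPCS instrument loop failure"
    return {tag: kind for tag, kind in s.ipls.items()
            if not (kind == "BPCS" and bpcs_initiated)}


def mitigated_frequency(s):
    """Initiating cause frequency x enabling probability x conditional modifiers x IPL PFDs."""
    f = INITIATING_CAUSE_FREQ[s.cause] * s.enabling
    for p in s.modifiers:
        f *= p
    for kind in credited_ipls(s).values():
        f *= IPL_PFD[kind]
    return f


def sil_gap(s):
    """None if the target is met; otherwise the SIL band holding the PFD an added SIF needs.
    0 means the shortfall is smaller than the SIL-1 band."""
    f = mitigated_frequency(s)
    if f <= s.target:
        return None
    needed = s.target / f
    if needed > SIL_BANDS[1][1]:
        return 0
    for sil, (low, high) in SIL_BANDS.items():
        if low < needed <= high:
            return sil
    raise ValueError(f"{s.name}: needed PFD {needed} is beyond the SIL-3 band")


def mi_targets(scenarios):
    """Per (tag, measure): the strictest value any scenario assumed, and who relies on it."""
    targets = {}
    for s in scenarios:
        rows = [(s.cause_tag, "failure frequency /yr", INITIATING_CAUSE_FREQ[s.cause])]
        rows += [(tag, "PFD", IPL_PFD[kind]) for tag, kind in credited_ipls(s).items()]
        for tag, measure, value in rows:
            entry = targets.setdefault((tag, measure), {"value": value, "scenarios": []})
            entry["value"] = min(entry["value"], value)
            entry["scenarios"].append(s.name)
    return targets


# Constructed scenarios: tags, targets, enabling probability and modifier are illustrative only.
SCENARIOS = [
    Scenario("V-101 overfill", "BPCS instrument loop failure", "LIC-101",
             {"PIC-102": "BPCS", "PSV-101": "Safety valve"}, target=D("1e-5")),
    Scenario("V-301 overpressure", "Regulator failure", "PCV-301",
             {"PIC-302": "BPCS", "PSV-301": "Safety valve"}, target=D("1e-5"),
             modifiers=[D("0.1")]),
    Scenario("V-101 blocked outlet", "Regulator failure", "PCV-103",
             {"PSV-101": "Safety valve"}, target=D("1e-4"), enabling=D("0.5")),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name}: {mitigated_frequency(s)}/yr, SIL gap: {sil_gap(s)}")
    for (tag, measure), t in sorted(mi_targets(SCENARIOS).items()):
        print(f"{tag}: {measure} <= {t['value']} ({', '.join(t['scenarios'])})")
```

PIC-102 does not appear in the MI targets because its BPCS credit was dropped, while PSV-101 carries the same assumed PFD for two scenarios.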

In addition to defining the universe of components to be encompassed by the MI Program,
HAZOP/LOPA can be used to support prioritization. Equipment (and key failure modes)
encompassed by the MI Program can be divided into four main classes:

• Safety Instrumented Functions (SIF)
• Safety – High Priority
• Safety – Low Priority
• Operational

Although some expert judgment and experience can be used when classifying equipment (and
failure modes) into these categories, as a starting point, the results of the HAZOP/LOPA can be
helpful and provide a complementary perspective to the expert judgement classically used:

• SIF – If a facility has committed to IEC 61508/61511, these are typically treated as the
  highest priority with well-defined testing, inspection, and preventive maintenance
  requirements.
• “Safety – High Priority” Equipment Considerations
  o Equipment failure modes that can initiate a high consequence HAZOP/LOPA
    scenario (if unmitigated)
  o IPL Safeguards that could mitigate a high consequence HAZOP/LOPA event
  o IPL Safeguards that could mitigate a HAZOP/LOPA event with a safety
    consequence, and where that is the only protection feature for that safety scenario
  o IPL Safeguards that could mitigate multiple scenarios associated with lower
    consequence HAZOP/LOPA events
• “Safety – Low Priority” Equipment Considerations
  o Other equipment failure modes that could result in a safety consequence (if
    unmitigated) identified by the HAZOP/LOPA
  o IPL Safeguards that could mitigate a lower consequence HAZOP/LOPA event
  o Non-IPL Safeguards credited by the HAZOP/LOPA
• Operational Considerations for the MI Program

Binning equipment and the key failure modes of concern support meaningful prioritization by the
Plant Maintenance Department to ensure that the SIF and “Safety – High Priority” equipment and
failure modes receive the proper support and application of testing, inspection, and preventive
maintenance that meets or exceeds industry standards and best practices.
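
The binning rules listed above, applied to a machine-readable worksheet export, as an added example (not code from the paper or its authors). It assigns each tag its highest-priority class across all scenarios and reports safety-related tags that the MI register does not list. The worksheet layout, the tags, the `high` consequence flag, the SIF tag set and the MI register are constructed for illustration.

```python
from collections import defaultdict

SIF, HIGH, LOW, OPERATIONAL = ("SIF", "Safety - High Priority",
                               "Safety - Low Priority", "Operational")
BINS = [SIF, HIGH, LOW, OPERATIONAL]           # highest MI priority first

# Constructed worksheet export. "high" marks a high-consequence scenario; where that line
# sits on the risk-ranking matrix is a site decision and is assumed here.
WORKSHEET = [
    {"id": "1.1", "consequence": "safety", "high": True, "cause": "LIC-101",
     "safeguards": [("PSV-101", "IPL"), ("LAH-101", "non-IPL")]},
    {"id": "2.1", "consequence": "safety", "high": False, "cause": "PCV-201",
     "safeguards": [("PSV-201", "IPL")]},
    {"id": "2.2", "consequence": "safety", "high": False, "cause": "P-202",
     "safeguards": [("FAL-202", "IPL"), ("TAH-203", "IPL")]},
    {"id": "3.1", "consequence": "safety", "high": False, "cause": "FCV-301",
     "safeguards": [("TAH-203", "IPL"), ("XV-301", "IPL")]},
    {"id": "4.1", "consequence": "operational", "high": False, "cause": "P-401",
     "safeguards": [("FAL-401", "non-IPL")]},
]
SIF_TAGS = {"XV-301"}                           # assumed IEC 61508/61511 SIF element
MI_REGISTER = {"LIC-101", "PSV-101", "PCV-201", "PSV-201", "P-202",
               "FAL-202", "FCV-301", "XV-301", "P-401"}            # constructed


def classify(worksheet, sif_tags=frozenset()):
    """Return {tag: class}, keeping the highest-priority class seen for each tag."""
    best = {}                                   # tag -> index into BINS
    low_ipl_hits = defaultdict(set)             # IPL tag -> lower-consequence scenario ids

    def assign(tag, bin_name):
        rank = BINS.index(bin_name)
        best[tag] = min(best.get(tag, rank), rank)

    for row in worksheet:
        safety, high = row["consequence"] == "safety", row["high"]
        # Causes: high-consequence initiators are High, other safety initiators are Low.
        assign(row["cause"], HIGH if safety and high else LOW if safety else OPERATIONAL)
        for tag, kind in row["safeguards"]:
            if tag in sif_tags:
                assign(tag, SIF)
            elif not safety:
                assign(tag, OPERATIONAL)
            elif kind != "IPL":
                assign(tag, LOW)                # non-IPL safeguard credited by the study
            elif high or len(row["safeguards"]) == 1:
                assign(tag, HIGH)               # high consequence, or the only protection
            else:
                assign(tag, LOW)
                low_ipl_hits[tag].add(row["id"])
    for tag, hits in low_ipl_hits.items():
        if len(hits) > 1:                       # IPL shared by multiple lower scenarios
            assign(tag, HIGH)
    return {tag: BINS[rank] for tag, rank in best.items()}


def missing_from_mi(bins, mi_register):
    """Safety-related tags the study relies on that the MI register lacks, worst first."""
    gaps = [(tag, b) for tag, b in bins.items()
            if b != OPERATIONAL and tag not in mi_register]
    return sorted(gaps, key=lambda item: (BINS.index(item[1]), item[0]))


if __name__ == "__main__":
    bins = classify(WORKSHEET, SIF_TAGS)
    for tag in sorted(bins, key=lambda t: (BINS.index(bins[t]), t)):
        print(f"{tag:8} {bins[tag]}")
    print("Not in MI register:", missing_from_mi(bins, MI_REGISTER))
```

The tag comparison only works when the worksheet and the MI register use the same tag patterning, which is the documentation characteristic Section 4.3 asks for.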
Other Tips:

• During the HAZOP/LOPA, avoid including safeguards that aren’t important IPLs, as their
  inclusion into the MI Program, even as low priority items, can dilute the Plant Maintenance
  Department’s efforts on more critical equipment.
• Testing (functional) and inspection activities in the MI Program should focus on the failure
  modes identified in the HAZOP/LOPA as important.
• Without the perspective of the HAZOP/LOPA, instrumentation designers can often
  overdesign the protection features and include SIF where they may not be necessary. A
  good use for the HAZOP/LOPA is to identify where a SIF could be converted to a BPCS,
  so that the Plant Maintenance Department can focus resources in other, more critical, areas.
• Tracking and trending of failure data as part of the MI Program can be geared to the
  level-of-resolution of the failure mode in the HAZOP/LOPA.

4.5 Using HAZOP/LOPA to Support the MI Program During Plant Operation

Whereas the previous subsections focus on the ability to utilize the HAZOP/LOPA to initially
formulate the MI Program, interaction between the MI Program and the HAZOP/LOPA models
can be useful during plant operation. Plant operations can be a quite dynamic environment with
priorities continually shifting as new challenges arise. If HAZOP/LOPA information is readily
available during plant operation, more effective decision-making and prioritization can be
accomplished:

• If diligently documented, the HAZOP/LOPA can be used to determine if out-of-service
  equipment has a potentially critical safety impact.
• In a similar way, allowable outage time and repair priorities can be geared towards an
  understanding of the role equipment may play as a safeguard.

5. Complementary Methodologies
The approaches discussed in Section 4 address the majority of the needs of a PSM MI Program;
however, for some equipment and process configurations, especially those associated with high-
consequence potential hazards, additional tools may be required to define the associated
inspection, testing, and maintenance frequencies and activities.

5.1 API RP 581[11]

In 1993, the American Petroleum Institute (API) released Recommended Practice 581 which
provides guidance on performing a risk based, quantitative analysis to develop an inspection
program tailor-made to a facility based on facility conditions and company expectations of risk at
the facility. The practice includes calculations of probability of failure (POF) and the
consequences of failure (COF) similar to the methodology used in a HAZOP Study when looking
at potential consequences and likelihoods of failure within a process. By assigning a risk rank to
equipment individually, inspections and mechanical integrity programs can be tuned to provide
the level of attention necessary to equipment. In generalized or standardized programs, some
equipment may be serviced or inspected too infrequently resulting in higher risk whereas other,
lower risk equipment may be serviced or inspected at a rate above what would be necessary to
meet a company’s risk target.

API RP 581 provides a comprehensive structure for analyzing equipment in the following groups:

• Pressure Vessels and Piping
• Atmospheric Storage Tank
• Pressure Relief Devices
• Heat Exchanger Tube Bundles

For each equipment group, specific methods for determining probability of failure, consequences
of failure and inspection planning guidelines are available. This process also allows for differing
levels of inspection which would facilitate effective implementation based on the size and
resources available at a facility.

5.2 Damage Mechanism Review (DMR)

The Richmond Refinery fire on August 6, 2012 triggered a fresh look at several SMS programs,
the application of hazards identification techniques (as applied to hazardous material containment
integrity), and resulted in several proposals for the modernization of PSM and RMP, including the
performance of a “Damage Mechanism Review.”[12,13] A key focus of DMR requirements is piping
systems, even though 29 CFR 1910.110(j)(1)(ii) identifies “Piping systems” as types of process
equipment for which a MI Program should be applied.

The complete implementation of DMR can require extensive resources, and Figure 5.1 depicts the
range of approaches that can be used to address DMR requirements. In short, one of the most
effective approaches is to encompass DMR by the PHA and treat the failure of select piping as a
causal event, thus capitalizing on the insights from similar types of releases considered by the
PHA Team.

FIGURE 5.1 – DMR Implementation Spectrum

The following resources clarify the challenge and provide some focused/practical approaches for
implementation:

• Maher, Nour, Schultz, “Using PHA as a Framework for Effectively Addressing Evolving
  PSM/RMP Guidelines, Such As Damage Mechanism Hazard Reviews,” Global Congress
  on Process Safety 2015[17].
• RMP/PSM Series Educational Webinars (March 26, 2015 and August 27, 2015)[14]

5.3 Effective Use of Standardized Maintenance Schedules

The aforementioned methods will provide a robust and focused MI Program for a facility. Based
on the size, complexity and level of risks at a given facility, these methods may be more or less
important. In many cases, facilities will use recognized standards within industry for maintenance
intervals as a baseline. There are multiple groups that provide recommended maintenance and
inspection intervals. Some of the more commonly referenced ones are listed below:

• OSHA (Occupational Safety and Health Organization)
• Cal/OSHA (California Occupational Safety and Health Organization)
• ANSI (American National Standard Institute)
• IIAR (International Institute of Ammonia Refrigeration)
• IEC (International Electrochemical Commission)
• API (American Petroleum Institute)
• NBIC (National Board Inspection Code)
• CCPS (Center for Chemical Process Safety)
• Department of The Army Technical Bulletin
 Department of The Army Technical Bulletin

These organizations offer guidance on various equipment groups with information regarding
frequencies of maintenance and the types of actions that are to be taken within a time interval.
These actions will be independent of facility conditions (in some cases corrosion is taken into
consideration) and offer a standard for all facilities to follow. If a facility chooses to opt for a more
robust methodology (such as API 581), the recommended actions by these organizations can be
used as a “litmus test” to ensure the advanced methodology is achieving its goal. Table 5.1 shows
some examples of commonly-referenced standards for specific equipment groups:

TABLE 5.1 – Examples of Commonly-Referenced MI Standards

Maintenance Standard          Description
API 510                       Multiple equipment groups including pressure vessels and PRVs
API 570 & ASME B31.1-2007     Piping Inspection, Repair and Corrosion Examination
IEC 61508                     Functional safety of electrical/electronic/programmable electronic
                              safety-related systems
API 653                       Tank Inspection, Repair, Alteration, and Reconstruction
IIAR 110                      Shutoff and control valve maintenance, daily inspection recording,

Some of these standards, such as API and IIAR, are associated with a specific industry; however,
they can act as a starting point for all facilities. These standards can also be used in conjunction
with manufacturer recommendations of maintenance intervals. A conservative method would be
to compare the manufacturer’s proposed actions and intervals to those offered by the organizations
and take the more involved of the two.

6. Select Statistics to Optimize Your MI Program


The implementation of a real MI Program can be quite dynamic, and various issues may
materialize:

• Variance of inspection/testing intervals
• Variance of inspection/testing methods
• Impact of maintenance outage time on equipment reliability
• Repair prioritization and allowable outage time
• Feedback of reliability observations back into the MI Program

Every component has a certain degree of uniqueness, and theoretical application of the bathtub
curve concept never exactly echoes component-specific performance; however, equipment in a
process facility is generally utilized during a period of its existence where it is not subject to
burn-in or wear-out failures, and the failure rate is generally constant (see Figure 6.1). However,
during this period, the inspection, testing, and preventive maintenance features of the PM Program
impact various categories of equipment differently, e.g.:

• Monitored-Repairable Components
• Unmonitored-Repairable Components
• Standby Components

Understanding these differences can provide useful insights to optimize the PM Program with
respect to cost and equipment reliability. This section is designed to convey basic concepts behind
the driving forces of equipment reliability.

6.1 Monitored-Repairable Components

Examples in this category include active valves, where a failure would be noticed, or
contemporary electronics with high-pedigree self-diagnostics. In these cases, the failure mode of
interest would be revealed and can then undergo repair. Note that not all failure modes associated
with a piece of equipment may be able to be monitored. A fundamental issue for any MI Program is
the choice of what failure modes can be monitored and what failure modes can be functionally
tested. A brief review of some key definitions is in order:

• Reliability – Probability that the component experiences no failures during time (0,t)
• Availability (A(t)) – Probability that the component is normal (available) at time “t”:
  $A(t) = \frac{\text{Total Operating Time}}{\text{Total Time of Interest}}$
• Unavailability (Q(t)):
  $Q(t) = \frac{\text{Total Down Time}}{\text{Total Time of Interest}}$
• Mean-Time-To-Failure (MTTF) – Average time interval between failures
• Mean-Time-To-Repair (MTTR, $1/\mu$) – Average time to repair a failed component
• Failure Rate ($\lambda$): $\lambda = 1/\text{MTTF}$

FIGURE 6.1 – General Component Life Cycles

Figure 6.2 illustrates the time periods that might contribute to the overall
availability/unavailability of a piece of equipment and identifies the associated calculations that
can provide insights into equipment availability/unavailability. Based on the criticality of the
equipment with respect to its reliability and contribution to plant safety via the HAZOP/LOPA, the
Plant Maintenance Department can use these concepts, as well as MTTR and MTTF to judge the need
to invest in resources to minimize MTTR (e.g., warehoused spares) or to maximize MTTF (e.g., higher
reliability equipment replacements).

FIGURE 6.2 – Monitored-Repairable Components

6.2 Unmonitored-Repairable Components

Examples in this category include pressure safety valves (PSVs). Unmonitored components are
subject to a similar relatively-uniform failure rate during the active life of the equipment;
however, it would be a covert failure, or unrevealed, until such time as a planned test would
identify that the component has failed. This is illustrated by Figure 6.3 and covers a wide range
of safeguards in a typical process unit. Based on the importance of equipment function and
functionality needed (e.g., from the HAZOP/LOPA), the PM Program can be tuned to optimize
testing/inspection intervals (i.e., cost-benefit) and testing/inspection methods (i.e., to address
the failure mode and functionality needed).

FIGURE 6.3 – Unmonitored-Repairable Components

6.3 Standby Components

Standby components typically do not behave with only the simple parameters identified in
Section 6.2. Figure 6.4 illustrates the contributions of testing/inspection intervals,
testing/inspection durations, repair duration, and preventive maintenance duration on the
unavailability of a standby component. To add to the complexity, different failure modes of a
piece of equipment may be unrevealed (covert) or revealed failures, and the different failure
modes may have a different importance with respect to plant safety/operability, as identified via
the HAZOP/LOPA. The challenge of the PM Program is to optimize equipment reliability and
associated costs of achieving that reliability. Whereas there is no perfect solution, a clear
understanding of the need stemming from the HAZOP/LOPA and understanding fundamental
reliability concepts can help tune the PM Program to achieve the desired degree of optimization.

FIGURE 6.4 – Standby Components

6.4 Feedback of Reliability Observations into the MI Program

Most CMMS provide an ability to log equipment failures and support data trending. There is a
fundamental challenge associated with carefully logging the information and correlating the
specific failure mode of the equipment to a failure mode of importance to the HAZOP/LOPA.
Assuming that this has been done diligently, various approaches[11] (e.g., Bayesian statistics)
can be used to update manufacturer reliability data with the specific experiences at the plant
site. This information can be fed back into the MI Program to further optimize testing,
inspection, and preventive maintenance practices (see Figure 4.1) to optimize its
cost-effectiveness. This feedback mechanism can often result in re-focusing limited Plant
Maintenance resources towards areas of greater importance.
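
The Section 6.1 definitions and the feedback step described above, computed from an outage log, as an added example (not code from the paper or its authors). It derives availability, unavailability, MTTF, MTTR and failure rate for a monitored-repairable component, then updates a manufacturer failure rate with the plant's own count using a gamma-Poisson model, which is one common Bayesian approach and not necessarily the one in Reference 11. The outage log, the observation window and the prior (one failure in 10,000 hours) are constructed values.

```python
from dataclasses import dataclass


@dataclass
class Stats:
    availability: float          # total operating time / total time of interest
    unavailability: float        # total down time / total time of interest
    mttf_h: float                # average operating time per failure, hours
    mttr_h: float                # average repair time per failure, hours
    failure_rate_per_h: float    # lambda = 1 / MTTF


def component_stats(outages, window_h):
    """outages: (failed_at_h, restored_at_h) pairs inside an observation window of window_h."""
    outages = sorted(outages)
    if not outages:
        raise ValueError("no failures logged: MTTF and failure rate cannot be estimated")
    previous_end = 0.0
    for start, end in outages:
        # Reject overlapping records and anything outside the window before trending on them.
        if not (previous_end <= start < end <= window_h):
            raise ValueError(f"overlapping or out-of-window outage: {(start, end)}")
        previous_end = end
    down = sum(end - start for start, end in outages)
    up = window_h - down
    n = len(outages)
    mttf = up / n
    return Stats(up / window_h, down / window_h, mttf, down / n, 1 / mttf)


def bayes_update(prior_failures, prior_hours, observed_failures, observed_hours):
    """Gamma prior (shape=prior_failures, rate=prior_hours) with Poisson failure counts.
    Returns the posterior shape, posterior rate and posterior mean failure rate per hour."""
    shape = prior_failures + observed_failures
    rate = prior_hours + observed_hours
    return shape, rate, shape / rate


def updated_failure_rate(outages, window_h, prior_failures, prior_hours):
    """Plant-specific failure rate: manufacturer prior updated with the logged operating time."""
    down = sum(end - start for start, end in outages)
    _, _, mean = bayes_update(prior_failures, prior_hours, len(outages), window_h - down)
    return mean


# Constructed CMMS extract for one tag: three revealed failures in a 10,000 h window.
OUTAGES = [(2000, 2010), (5500, 5530), (9000, 9010)]
WINDOW_H = 10_000
# Constructed manufacturer prior: mean 1e-4 failures/h, weighted as 1 failure in 10,000 h.
PRIOR_FAILURES, PRIOR_HOURS = 1, 10_000

if __name__ == "__main__":
    s = component_stats(OUTAGES, WINDOW_H)
    print(f"A={s.availability:.4f} Q={s.unavailability:.4f} "
          f"MTTF={s.mttf_h:.0f} h MTTR={s.mttr_h:.1f} h lambda={s.failure_rate_per_h:.2e}/h")
    print(f"updated lambda={updated_failure_rate(OUTAGES, WINDOW_H, 1, 10_000):.2e}/h")
```

The updated rate falls between the manufacturer figure and the raw plant estimate, and it moves toward the plant estimate as more operating hours are logged.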

7. Conclusion
Because they are core elements of PSM/RMP, the ties between the MI Program and
HAZOP/LOPA are very strong, but are typically underutilized. When formulating the MI
Program, there is a wealth of information that can be drawn from HAZOP/LOPA to focus and
enhance the effectiveness of the MI Program. This effectiveness can manifest itself in many ways,
e.g.:

• Ensuring that high-priority equipment gets the attention needed
• Optimizing inspection, testing, and preventive maintenance frequencies
• Identification of low-priority equipment, so that the Plant Maintenance Department can focus
on high-priority equipment
• Identification of over-application of SIS, where a BPCS component can provide adequate
reliability with much lower recurring MI costs

Similarly, during the course of plant operations, when the inevitable challenges occur that
compromise planned inspection, testing, and preventive maintenance activities, HAZOP/LOPA
can provide insight regarding importance and may identify desirable options.

8. References
[1] PSM – 29 CFR 1910.119, “Process Safety Management (PSM) of Highly Hazardous
Chemicals, Explosives and Blasting Agents,” 1992.
[2] RMP – 40 CFR Part 68, "Risk Management Programs (RMP) for Chemical Accidental
Release Prevention," 1996.
[3] SEMS Final Rule – Federal Register – Title 30, Code of Federal Regulations (CFR) Part
250 – “Oil and Gas and Sulphur Operations in the Outer Continental Shelf – Safety and
Environmental Management Systems,” Federal Register, Vol. 78, No. 66, April 5, 2013.
[4] http://www.RMPCorp.com/HAZOP-Study-series-module, HAZOP/LOPA Facilitation
Best Practices Webinar Series.
[5] CCPS “Guidelines for Hazard Evaluation Procedures,” 3rd Edition, 2008.
[6] CCPS “Layer of Protection Analysis – Simplified Process Risk Assessment,” 2001.
[7] CCPS “Guidelines for Initiating Events and Independent Protection Layers in Layer of
Protection Analysis,” 2015.
[8] CCPS “Guidelines for Enabling Conditions and Conditional Modifiers in Layer of
Protection Analysis,” 2013.
[9] IEC 61508, "Functional Safety of Electrical/Electronic/Programmable Electronic Safety-
Related Systems."
[10] IEC 61511, "Functional Safety - Safety Instrumented Systems for the Process Industry
Sector."
[11] API Recommended Practice 581, "Risk-Based Inspection Technology."
[12] http://www.caloes.ca.gov/cal-oes-divisions/fire-rescue/hazardous-materials/california-
accidental-release-prevention, California Accidental Release Prevention (CalARP)
Program Proposed Updates, February 14, 2017.
[13] http://www.rmpcorp.com/wp-content/uploads/2014/08/15-day-Notice-Process-Safety-
Management-for-Petroleum-Refin.pdf, Proposed General Industry Safety Order (GISO)
§5189.1, Process Safety Management for Petroleum Refineries, February 10, 2017.
[14] http://www.RMPCorp.com/rmppsm-series/ - RMP/PSM Series Educational Webinars.
[15] Maher, Reyes, Vasudevan, "Assimilating Design Formulation and Design Review into a
HAZOP," Global Congress on Process Safety 2012.
[16] "Relief Valve Testing Interval Optimization Program for the Cost-Effective Control of
Major Hazards," Second Symposium on Preventing Major Chemical Accidents, Oslo,
May 1988.
[17] Maher, Nour, Schultz, “Using PHA as a Framework for Effectively Addressing Evolving
PSM/RMP Guidelines, Such As Damage Mechanism Hazard Reviews,” Global Congress
on Process Safety 2015.
[18] Clean Air Act (CAA) Section 112(r)(1) – General Duty Clause.
[19] http://www.CSB.gov – Source website for the Chemical Safety Board.
[20] http://www.CalEPA.CA.gov/Refinery/ – Source website for the Interagency Refinery
Task Force.
[21] http://www.calepa.ca.gov/publications/Reports/2014/RefineryRpt.pdf, “Improving Public
and Worker Safety at Oil Refineries,” February 2014.
[22] http://www.RMPCorp.com/SMS_Regulatory_Updates/ - Website Tracking Safety
Management Systems U.S. Regulatory Updates.
[23] CCPS "Guidelines for Process Equipment Reliability Data with Data Tables," 2010.
[24] OREDA Handbook 2015, 6th edition – Volume I and II.
[25] IEEE-500-1984 - IEEE “Guide To The Collection And Presentation Of Electrical,
Electronic, Sensing Component, And Mechanical Equipment Reliability Data for Nuclear-
Power Generating Stations”.
[26] SINTEF “Reliability Data for Safety Instrumented Systems,” 2010.
[27] SINTEF “Reliability Data for Control and Safety Systems,” 1998.
