Damage Mechanism Hazard Review
David J. Childs
Risk Management Professionals
David.Childs@RMPCorp.com
Keywords: PSM, RMP, CalARP, Mechanical Integrity, OSHA, EPA, Process Safety
Abstract
Many people view the conduct of a HAZOP/LOPA to address regulatory requirements as a chore,
and stop there. However, the implementation of a quality HAZOP/LOPA has the potential to
provide a framework for addressing numerous safety and operational optimization issues at plants,
including the formulation/refinement of the Mechanical Integrity Program. The purpose of this
paper is to focus on the mechanical integrity program, illustrate how a quality HAZOP/LOPA can
support the effective implementation of some of the new Damage Mechanism Review
requirements for California Refineries (e.g., 5189.1(k)), and optimize key elements of an effective
Mechanical Integrity Program, e.g.:
Inspection/testing methods
Testing intervals
Maintenance outage periods
Repair prioritization and allowable outage
Identification of low priority equipment
types and geographic application. Although these regulatory programs were developed
independently, at different times, and
in different locations, industry and the
regulatory community noted the
importance of SMS application, and a
fundamental part of this has always
been maintaining the integrity of the
process and functionality of
equipment. As can be seen in Figure
1.2, “Mechanical Integrity” (MI) is a
critical part of any SMS application.
Now that we have identified what MI is and what the requirements are, let’s take a look at
another key element of PSM.
The guideword HAZOP technique is based on the premise that hazards and operability problems
originate from deviations from design intent when a process is running under normal operating
conditions. For example, adding the guideword “NO” to the parameter “FLOW” to get the
deviation “NO FLOW” would prompt the leader to ask the Team, “What causes could result in no
flow in this node or line segment?” The potential hazard scenarios that include possible “Causes”
and potential “Consequences” are documented in the report worksheets. The possible
“Safeguards” in place to reduce the risk associated with the specific cause/consequence scenario
are then discussed and documented.
The HAZOP Study proceeds sequentially, studying each piece of equipment contained in the
process. Thus, if applied comprehensively,
HAZOP systematically creates a roadmap of
key paths that lead to undesired events (hazards
or operability issues, depending on the study
objectives). Because this roadmap provides a
framework for assessing the likelihood and
severity of each path to an undesired event, the
importance of the contribution of causal events
and safeguards can be assessed, as well as the
need to prioritize reliable equipment function.
by assessing both the likelihood and severity for different scenarios (1-5 for this example) provides
an improved perspective on the risk contribution of the scenario, and thus, the importance of
associated equipment reliability.
Since the 1980s, advances in electronics (see Figure 3.2) facilitated the application of more reliable
control/protection equipment that provided a platform for improved levels of safety and reliability.
For most facilities subject to PSM/RMP, these improvements are implemented in a “phased-
Like a HAZOP, LOPA is also a scenario-based tool that is often coupled with a HAZOP. The
primary difference is depth, specificity, and the ability to infuse more complex quantitative
information (see Table 3.1). References 6, 7 and 8 are very good sources of pragmatic tips for the
implementation of LOPA.
TABLE 3.1 - Defining the Scenario and Equipment Importance (Contrasting HAZOP & LOPA)
Likelihood
HAZOP | LOPA
Cause | Initiating Cause
Safeguards | IPL & non-IPL
Likelihood Ranking from a Risk-Ranking Matrix | Product of Initiating Cause Frequency, Enabling Condition Probability, Conditional Modifiers, and the IPL PFD
Severity
HAZOP and LOPA | The severity value used for the HAZOP and LOPA is typically the same, but an opportunity exists for LOPA to apply more quantitative differentiation.
GCPS 2017 __________________________________________________________________________
LOPA’s primary purpose is to determine the adequacy of existing IPLs and determine if
additional protection features are needed. LOPA is also used to assign a target Safety
Integrity Level (SIL) value for a Safety Instrumented System (SIS)[9, 10]. SIL assignment is
based on an instrument’s likelihood to function upon demand. A higher SIL level device has more
“value” in risk reduction and is determined based on the specifications the instrument is
manufactured to meet. These applications identify one of the other very useful functions for
LOPA. It is able to identify reliability targets for equipment that might “cause” a potential
hazard and identify reliability targets for equipment that can function as a protective
feature (safeguard). One can capitalize on these characteristics to fortify the structure of a MI
Program.
FIGURE 3.5 - Addressing Enabling Conditions & Conditional Modifiers in LOPA
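The LOPA arithmetic summarized in Table 3.1 and the SIL assignment described above can be worked through as follows. This is an added example, not material from the paper: the scenario names, tag numbers, frequencies, probabilities and tolerable-frequency targets are all constructed, and the SIL bands are the low-demand PFDavg ranges of IEC 61508/61511.

```python
from dataclasses import dataclass, field
from math import prod

# Low-demand PFDavg band per SIL (IEC 61508/61511): (SIL, lower bound, upper bound)
SIL_BANDS = [(1, 1e-2, 1e-1), (2, 1e-3, 1e-2), (3, 1e-4, 1e-3), (4, 1e-5, 1e-4)]


@dataclass
class LopaScenario:
    name: str
    initiating_freq: float              # initiating cause frequency, events/year
    target_freq: float                  # tolerable frequency, events/year (assumed)
    enabling_prob: float = 1.0          # enabling condition probability
    conditional_modifiers: list = field(default_factory=list)
    ipl_pfds: dict = field(default_factory=dict)    # IPL tag -> PFD

    def mitigated_freq(self):
        """Product of initiating frequency, enabling condition, modifiers and IPL PFDs."""
        return (self.initiating_freq * self.enabling_prob
                * prod(self.conditional_modifiers) * prod(self.ipl_pfds.values()))

    def required_pfd(self):
        """PFD an added protection layer must achieve to meet the target (>= 1: no gap)."""
        return self.target_freq / self.mitigated_freq()


def sil_target(required_pfd):
    """Map the required PFD of an added layer to a target SIL band."""
    if required_pfd >= 1.0:
        return "existing IPLs adequate"
    if required_pfd >= 1e-1:
        return "gap smaller than SIL 1"
    for sil, low, high in SIL_BANDS:
        if low <= required_pfd < high:
            return f"SIL {sil}"
    return "beyond SIL 4"


# Constructed scenarios; every tag and number below is illustrative.
LOPA_SCENARIOS = [
    LopaScenario("Overfill, LV-101 fails open", 0.1, 1e-6, enabling_prob=0.5,
                 conditional_modifiers=[0.5, 0.2], ipl_pfds={"PSV-101": 0.01}),
    LopaScenario("Loss of cooling", 0.5, 1e-4,
                 ipl_pfds={"TAH-205 + operator response": 0.1}),
    LopaScenario("Blocked outlet", 0.01, 1e-5,
                 ipl_pfds={"PSV-202": 0.01, "PAH-203 + operator response": 0.01}),
]

if __name__ == "__main__":
    for s in LOPA_SCENARIOS:
        print(f"{s.name}: {s.mitigated_freq():.1e}/yr, "
              f"required PFD {s.required_pfd():.3g}, {sil_target(s.required_pfd())}")
```

The required PFD doubles as a reliability target for the added layer, which is the figure the MI Program's testing interval for that device has to support.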
4. Pulling It Together
4.1 Basics
Section 1 defined MI and identified relevant regulatory requirements. Both MI and PHA are key
elements of PSM/RMP, and as such, properly structured, they can be mutually supportive. Critical
to effective implementation is an understanding of key MI Program Elements (see Figure 4.1). If
one were to create a wish list that could provide a basis for a MI Program, it might include:
Figure 4.2 illustrates that there can be a very wide range of acceptable approaches to the
implementation of performance-based standards like PSM and RMP. However, certain
characteristics facilitate the effective implementation of a MI Program, as well as allowing
constructive interface with other PSM/RMP elements such as PHA:
Configuration of a Computerized Maintenance Management System (CMMS) to allow for trending
Programmatic checks/balances that allow for consistent trending
Assignment of allowable outage times
Communications with Operations, Safety, and other stakeholders if equipment is out-of-service for maintenance, inspection, testing, or repair
Assignment of maintenance, inspection, testing, or repair priorities
Application of consistent equipment tag number patterning and utilization that matches with other Process Safety Information (PSI)
FIGURE 4.2 - MI Implementation Spectrum
The ability to utilize the results of a HAZOP/LOPA is greatly dependent on the quality of the
study and documentation, which is often linked to the experience and diligence of the
Facility/Scribe Team heading the effort. For this reason, inconsistencies in the HAZOP/LOPA
results have often created a challenge. However, certain characteristics can facilitate the
effective utilization of the HAZOP/LOPA in support of the MI Program:
Thus, if a piece of equipment that is a safeguard in a HAZOP/LOPA is not at least defined in the
MI Program with a reasonable testing, inspection, and preventive maintenance assignment, this
would seem to be a deficiency, and its absence would be difficult to justify. At the other end of the spectrum,
the plant maintenance department needs to be able to justify not tracking, testing, inspecting, and
maintaining every subcomponent. Again, the HAZOP/LOPA can help clarify that the objective is
to achieve the desired reliability of the equipment referenced in the HAZOP/LOPA (see Table
4.1), and if the subcomponent in question is implicit in that reliability, it does not need to be
independently tracked in the PSM MI Program.
Although some expert judgment and experience can be used when classifying equipment (and
failure modes) into these categories, as a starting point, the results of the HAZOP/LOPA can be
helpful and provide a complementary perspective to the expert judgment classically used:
SIF – If a facility has committed to IEC 61508/61511, these are typically treated as the
highest priority with well-defined testing, inspection, and preventive maintenance
requirements.
“Safety – High Priority” Equipment Considerations
o Equipment failure modes that can initiate a high consequence HAZOP/LOPA
scenario (if unmitigated)
o IPL Safeguards that could mitigate a high consequence HAZOP/LOPA event
o IPL Safeguards that could mitigate a HAZOP/LOPA event with a safety
consequence, and where that is the only protection feature for that safety scenario
o IPL Safeguards that could mitigate multiple scenarios associated with lower
consequence HAZOP/LOPA events
“Safety – Low Priority” Equipment Considerations
o Other equipment failure modes that could result in a safety consequence (if
unmitigated) identified by the HAZOP/LOPA
o IPL Safeguards that could mitigate a lower consequence HAZOP/LOPA event
o Non-IPL Safeguards credited by the HAZOP/LOPA
Operational Considerations for the MI Program
Binning equipment and the key failure modes of concern support meaningful prioritization by the
Plant Maintenance Department to ensure that the SIF and “Safety – High Priority” equipment and
failure modes receive the proper support and application of testing, inspection, and preventive
maintenance that meets or exceeds industry standards and best practices.
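The binning rules listed above, together with the earlier point that every safeguard credited in the HAZOP/LOPA should at least be defined in the MI Program, can be applied mechanically to worksheet data. The following is an added example, not code from the paper. It assumes that "high consequence" means severity 4 or 5 on a 1-5 scale, that "multiple scenarios" means two or more, that every scenario has a safety consequence, and that the tag numbers and worksheet rows are constructed.

```python
from collections import defaultdict

SIF, HIGH, LOW = "SIF", "Safety - High Priority", "Safety - Low Priority"
RANK = {SIF: 0, HIGH: 1, LOW: 2}
HIGH_SEVERITY = 4  # assumption: 4-5 on the 1-5 severity scale is "high consequence"

# Constructed worksheet rows: one initiating cause tag and the credited safeguards
# per scenario, each safeguard marked "SIF", "IPL" or "non-IPL".
SCENARIOS = [
    {"id": "1.1", "severity": 5, "cause": "LV-101",
     "safeguards": [("SIF-101", "SIF"), ("PSV-101", "IPL")]},
    {"id": "1.2", "severity": 2, "cause": "P-101A",
     "safeguards": [("LAH-102", "IPL")]},
    {"id": "2.1", "severity": 3, "cause": "FV-201",
     "safeguards": [("PSV-202", "IPL"), ("PI-203", "non-IPL")]},
    {"id": "2.2", "severity": 2, "cause": "TV-204",
     "safeguards": [("PSV-202", "IPL"), ("TAH-205", "IPL")]},
]


def bin_equipment(scenarios, high=HIGH_SEVERITY):
    """Return {tag: category}, keeping the most demanding category seen per tag."""
    bins, low_ipl_hits = {}, defaultdict(int)

    def assign(tag, category):
        if tag not in bins or RANK[category] < RANK[bins[tag]]:
            bins[tag] = category

    for s in scenarios:
        is_high = s["severity"] >= high
        # Initiating failure mode: high priority only for high-consequence scenarios.
        assign(s["cause"], HIGH if is_high else LOW)
        sole = len(s["safeguards"]) == 1  # only protection feature for the scenario
        for tag, kind in s["safeguards"]:
            if kind == "SIF":
                assign(tag, SIF)
            elif kind == "IPL":
                if not is_high:
                    low_ipl_hits[tag] += 1
                assign(tag, HIGH if (is_high or sole) else LOW)
            else:  # non-IPL safeguard credited by the study
                assign(tag, LOW)
    # An IPL credited in multiple lower-consequence scenarios is promoted.
    for tag, hits in low_ipl_hits.items():
        if hits >= 2:
            assign(tag, HIGH)
    return bins


def missing_from_mi(bins, mi_tags):
    """Tags referenced by the HAZOP/LOPA but absent from the MI Program, worst first."""
    gaps = [t for t in bins if t not in mi_tags]
    return sorted(gaps, key=lambda t: (RANK[bins[t]], t))


if __name__ == "__main__":
    bins = bin_equipment(SCENARIOS)
    for tag in sorted(bins, key=lambda t: (RANK[bins[t]], t)):
        print(f"{tag:8} {bins[tag]}")
    print("Not in MI Program:", missing_from_mi(bins, {"SIF-101", "PSV-101", "LV-101"}))
```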
Other Tips:
During the HAZOP/LOPA, avoid including safeguards that aren’t important IPLs, as their
inclusion into the MI Program, even as low priority items, can dilute the Plant Maintenance
Department’s efforts on more critical equipment.
Testing (functional) and inspection activities in the MI Program should focus on the failure
modes identified in the HAZOP/LOPA as important.
Without the perspective of the HAZOP/LOPA, instrumentation designers can often
overdesign the protection features and include SIF where they may not be necessary. A
good use for the HAZOP/LOPA is to identify where a SIF could be converted to a BPCS,
so that the Plant Maintenance Department can focus resources in other, more critical, areas.
Tracking and trending of failure data as part of the MI Program can be geared to the level-
of-resolution of the failure mode in the HAZOP/LOPA.
Whereas the previous subsections focus on the ability to utilize the HAZOP/LOPA to initially
formulate the MI Program, interaction between the MI Program and the HAZOP/LOPA models
can be useful during plant operation. Plant operations can be a quite dynamic environment with
priorities continually shifting as new challenges arise. If HAZOP/LOPA information is readily
available during plant operation, more effective decision-making and prioritization can be
accomplished:
5. Complementary Methodologies
The approaches discussed in Section 4 address the majority of the needs of a PSM MI Program;
however, for some equipment and process configurations, especially those associated with high-
consequence potential hazards, additional tools may be required to define the associated
inspection, testing, and maintenance frequencies and activities.
In 1993, the American Petroleum Institute (API) released Recommended Practice 581, which
provides guidance on performing a risk-based, quantitative analysis to develop an inspection
program tailor-made to a facility based on facility conditions and company expectations of risk at
the facility. The practice includes calculations of probability of failure (POF) and the
consequences of failure (COF) similar to the methodology used in a HAZOP Study when looking
at potential consequences and likelihoods of failure within a process. By assigning a risk rank to
equipment individually, inspections and mechanical integrity programs can be tuned to provide
the level of attention necessary to equipment. In generalized or standardized programs, some
equipment may be serviced or inspected too infrequently resulting in higher risk whereas other,
lower risk equipment may be serviced or inspected at a rate above what would be necessary to
meet a company’s risk target.
API RP 581 provides a comprehensive structure for analyzing equipment in the following groups:
For each equipment group, specific methods for determining probability of failure, consequences
of failure and inspection planning guidelines are available. This process also allows for differing
levels of inspection which would facilitate effective implementation based on the size and
resources available at a facility.
The Richmond Refinery fire on August 6, 2012 triggered a fresh look at several SMS programs,
the application of hazards identification techniques (as applied to hazardous material containment
integrity), and resulted in several proposals for the modernization of PSM and RMP, including the
performance of a “Damage Mechanism Review.”[12,13] A key focus of DMR requirements is piping
systems, even though 29 CFR 1910.110(j)(1)(ii) identifies “Piping systems” as a type of process
equipment to which a MI Program should be applied.
The following resources clarify the challenge and provide some focused/practical approaches for
implementation:
Maher, Nour, Schultz, “Using PHA as a Framework for Effectively Addressing Evolving
PSM/RMP Guidelines, Such As Damage Mechanism Hazard Reviews,” Global Congress
on Process Safety 2015[17].
RMP/PSM Series Educational Webinars (March 26, 2015 and August 27, 2015)[14]
The aforementioned methods will provide a robust and focused MI Program for a facility. Based
on the size, complexity and level of risks at a given facility, these methods may be more or less
important. In many cases, facilities will use recognized standards within industry for maintenance
intervals as a baseline. There are multiple groups that provide recommended maintenance and
inspection intervals. Some of the more commonly referenced ones are listed below:
These organizations offer guidance on various equipment groups with information regarding
frequencies of maintenance and the types of actions that are to be taken within a time interval.
These actions will be independent of facility conditions (in some cases corrosion is taken into
consideration) and offer a standard for all facilities to follow. If a facility chooses to opt for a more
robust methodology (such as API 581), the recommended actions by these organizations can be
used as a “litmus test” to ensure the advanced methodology is achieving its goal. Table 1 shows
some examples of commonly-referenced standards for specific equipment groups:
Some of these standards, such as API and IIAR, are associated with a specific industry; however,
they can act as a starting point for all facilities. These standards can also be used in conjunction
with manufacturer recommendations of maintenance intervals. A conservative method would be
to compare the manufacturer's proposed actions and intervals to those offered by the organizations
and take the more involved of the two.
Every component has a certain degree of uniqueness, and theoretical application of the bathtub
curve concept never exactly echoes component-specific performance; however, equipment in a
process facility is generally utilized during a period of its existence where it is not subject to
burn-in or wear-out failures, and the failure rate is generally constant (see Figure 6.1). However, during
this period, the inspection, testing, and preventive maintenance features of the PM Program impact
various categories of equipment differently, e.g.:
Monitored-Repairable Components
Unmonitored-Repairable Components
Standby Components
Reliability – Probability that the component experiences no failures during time (0,t)
Availability (A(t)) – Probability that the component is normal (available) at time “t”: $A(t) = \frac{\text{Total Operating Time}}{\text{Total Time of Interest}}$
Unavailability (Q(t)): $Q(t) = \frac{\text{Total Down Time}}{\text{Total Time of Interest}}$
Mean-Time-To-Failure (MTTF) – Average time interval between failures
Standby components typically do not behave with only the simple parameters identified in
Section 6.2. Figure 6.4 illustrates the contributions of testing/inspection intervals,
testing/inspection durations, repair duration, and preventive maintenance duration on the
unavailability of a standby component. To add to the complexity, different failure modes or
pieces of equipment may have unrevealed (covert) or revealed failures, and the different failure
modes may have a different importance with respect to plant safety/operability, as identified via
the HAZOP/LOPA. The challenge of the PM Program is to optimize equipment reliability and
the associated costs of achieving that reliability. Although there is no perfect solution, a clear
understanding of the need stemming from the HAZOP/LOPA and of fundamental reliability
concepts can help tune the PM Program to achieve the desired degree of optimization.
7. Conclusion
Because they are core elements of PSM/RMP, the ties between the MI Program and
HAZOP/LOPA are very strong, but are typically underutilized. When formulating the MI
Program, there is a wealth of information that can be drawn from HAZOP/LOPA to focus and
enhance the effectiveness of the MI Program. This effectiveness can manifest itself in many ways,
e.g.:
Similarly, during the course of plant operations, when the inevitable challenges occur that
compromise planned inspection, testing, and preventive maintenance activities, HAZOP/LOPA
can provide insight regarding importance and may identify desirable options.
8. References
[1] PSM – 29 CFR 1910.119, “Process Safety Management (PSM) of Highly Hazardous
Chemicals, Explosives and Blasting Agents,” 1992.
[2] RMP – 40 CFR Part 68, "Risk Management Programs (RMP) for Chemical Accidental
Release Prevention," 1996.
[3] SEMS Final Rule – Federal Register – Title 30, Code of Federal Regulations (CFR) Part
250 – “Oil and Gas and Sulphur Operations in the Outer Continental Shelf – Safety and
Environmental Management Systems,” Federal Register, Vol. 78, No. 66, April 5, 2013.
[4] http://www.RMPCorp.com/HAZOP-Study-series-module, HAZOP/LOPA Facilitation
Best Practices Webinar Series.
[5] CCPS “Guidelines for Hazard Evaluation Procedures,” 3rd Edition, 2008.
[6] CCPS “Layer of Protection Analysis – Simplified Process Risk Assessment,” 2001.
[7] CCPS “Guidelines for Initiating Events and Independent Protection Layers in Layer of
Protection Analysis,” 2015.
[8] CCPS “Guidelines for Enabling Conditions and Conditional Modifiers in Layer of
Protection Analysis,” 2013.
[9] IEC 61508, "Functional Safety of Electrical/Electronic/Programmable Electronic Safety-
Related Systems."
[10] IEC 61511, "Functional Safety - Safety Instrumented Systems for the Process Industry
Sector."
[11] API Recommended Practice 581, "Risk-Based Inspection Technology."
[12] http://www.caloes.ca.gov/cal-oes-divisions/fire-rescue/hazardous-materials/california-
accidental-release-prevention, California Accidental Release Prevention (CalARP)
Program Proposed Updates, February 14, 2017.
[13] http://www.rmpcorp.com/wp-content/uploads/2014/08/15-day-Notice-Process-Safety-
Management-for-Petroleum-Refin.pdf, Proposed General Industry Safety Order (GISO)
§5189.1, Process Safety Management for Petroleum Refineries, February 10, 2017.
[14] http://www.RMPCorp.com/rmppsm-series/ - RMP/PSM Series Educational Webinars.
[15] Maher, Reyes, Vasudevan, "Assimilating Design Formulation and Design Review into a
HAZOP," Global Congress on Process Safety 2012.
[16] "Relief Valve Testing Interval Optimization Program for the Cost-Effective Control of
Major Hazards," Second Symposium on Preventing Major Chemical Accidents, Oslo,
May 1988.
[17] Maher, Nour, Schultz, “Using PHA as a Framework for Effectively Addressing Evolving
PSM/RMP Guidelines, Such As Damage Mechanism Hazard Reviews,” Global Congress
on Process Safety 2015.
[18] Clean Air Act (CAA) Section 112(r)(1) – General Duty Clause.
[19] http://www.CSB.gov – Source website for the Chemical Safety Board.
[20] http://www.CalEPA.CA.gov/Refinery/ – Source website for the Interagency Refinery
Task Force.