
GCPS 2010 __________________________________________________________________________

Utilizing Integrated Risk Assessment to Maximize Asset Integrity Management

Ramanathan B T Viswanathan
Meridium International, Dubai

Steve Soos IV
Meridium Inc, Roanoke, US

[© Copyright Meridium Inc 2009]

Prepared for Presentation at
American Institute of Chemical Engineers
2010 Spring Meeting
6th Global Congress on Process Safety
San Antonio, Texas
March 22-24, 2010

UNPUBLISHED

AIChE shall not be responsible for statements or opinions contained
in papers or printed in its publications

Keywords: Risk Management, RCM, RBI, SIS, HAZOP, EAM

Abstract
The advent of various safety standards like ANSI /ISA 84, IEC 61511, API 14C, API 580 / 581,
SAE JA1011, IEC 60330 and PSM guidelines has been a good impetus in improving the
availability and reliability of safety systems and processes with an objective to meet the
requirements defined by OSHA, EPA, HSE and other governmental groups around the world.

Hazards analysis and risk assessments have become standard operating procedures in process
plants over the past decade. Many organizations are carrying out more detailed asset specific risk
assessments as part of Enterprise Asset Management programs. These risk assessments produce
risk rankings and recommendations to maintenance / QA programs to mitigate these risks.

This paper addresses the interaction between various risk assessment processes like Risk Based
Inspection (RBI), Reliability Centered Maintenance (RCM), Safety Integrity Level (SIL)
analysis and movement toward developing a comprehensive risk management strategy. This
paper envisages an asset integrity management approach to maintenance / QA programs wherein
the integration of these analytical processes will result in a unified risk ranking. The unified risk
ranking of assets can enhance safety, improve availability, reduce maintenance costs, and result
in better operability.

1. Introduction

Over the years many new developments have taken place in the field of maintenance engineering
and asset management and billions of dollars are spent on equipment maintenance around the
world. Even though plant maintenance has undergone impressive progress in maintaining the
equipment, still some challenges like cost, complexity, performance, environmental impact and
safety implications in balancing the operating margins and profitability are yet to be addressed in
achieving an effective asset management program.

Many major companies have adopted asset integrity programs of staged reviews throughout the
plant life, to confirm all health, safety and environmental aspects have been identified and that
solutions are correctly actioned in a timely manner as part of enterprise-wide asset management.
The risk informed asset specific maintenance strategies are developed to address the equipment
maintenance (such as in Reliability Centered Maintenance, Risk Based Inspection and Safety
Instrumented System life-cycle management) which provides a comprehensive method of
organizing an efficient maintenance program. Although these analytical methods provide
function / asset specific maintenance strategies by evaluating the risk exposure, the balancing of
risk from an overall asset management perspective is always a challenge. An asset integrity
program without balancing the risks can lead to incorrect strategies which can increase the risk
exposure or maintenance costs. This paper specifically addresses balancing of risks to develop
effective asset performance management strategies which can result in critical success factors
such as safety, product quality, better operability, profitability and reliable processes.

2. Risk Management and Balancing of Risks

The history of tragic accidents in the process industries (chemical, petrochemical, oil & gas, etc)
in the late 70’s and 80’s has led to the development of various international safety and
environmental standards to address all facets of process plants viz. mechanical integrity (API-
570, API-580 / 581), reliability in design and maintenance engineering (SAE JA1011, IEC
60330), safety / protection systems (ISA-84-2004, IEC 61508, IEC 61511), etc. Many
government organizations have stepped in to define their national health and safety standards for
process industries like OSHA 29CFR 1910.119, the Seveso Directive, and UK HSE guidelines,
in order to improve the safety and reliability of the processes by knowing the inherent process
risk. These standards and guidelines have triggered the process of hazard identification and risk
assessment for the industries in identifying the potential threats / process hazards and their
impact on process safety / plant integrity.

2.1 Process Hazard Analysis

Hazard is defined as an inherent physical or chemical characteristic that is intrinsic to a material,
or its conditions of use which has the potential for an accident resulting in undesirable
consequences like fire, explosion or toxic release impacting the health, safety, environment and
economy. Process Hazard Analysis (PHA) uses a systemized approach to identify and analyze
hazards in a process. Process Hazard Analysis is a key requirement of the OSHA regulation
“Process Safety Management (PSM) of Highly Hazardous Chemicals" (29 CFR §1910.119) and
the USEPA’s rule, "Risk Management Programs (RMP) for Chemical Accidental Release
Prevention," (40 CFR Part 68). Process plants must identify the hazard scenarios in the process
and the associated consequences / impacts on health, safety and environment using any of the
following PHA methods:
1. What-If
2. Checklist
3. What-If/Checklist
4. Hazard and Operability Study (HAZOP)
5. Failure Mode and Effects Analysis (FMEA)
6. Fault Tree Analysis (FTA)

Hazard and Operability analysis (HAZOP) is the most common and widely used PHA method. It
is a structured and systematic examination of a planned or existing process or operation in order
to identify and evaluate problems that may represent risks to people, the environment or
equipment, or efficient operation. HAZOP is a qualitative technique based on guidewords and is
carried out by a multi-disciplinary team (HAZOP team) during a set of meetings. This paper
discusses the risk-ranked HAZOP study (refer to Figure 1) on a process system that requires
documents such as Process Flow Diagrams (PFDs), Piping and Instrumentation Diagrams
(P&IDs), layout diagrams, Material Safety Data Sheets (MSDS), provisional operating
instructions, heat and material balances, equipment data sheets and start-up and emergency shut-
down procedures and involves systematic examination as follows:
1. Identify the process system
2. Divide system into subsystem / sections
3. Choose a node (specific location in the process) in the subsystem / section
4. Define the design basis and process parameters
5. Define the deviations by applying the guidewords to parameter
6. Identify the causes / initiating events for each deviation and the associated scenario
7. Determine the consequence for each cause
8. Determine the enabling conditions / consequence modifiers for each consequence
9. Evaluate cause and consequence pair to determine the unmitigated risk value
10. Define the existing safeguards for mitigation or prevention of hazard
11. Evaluate the safeguards to determine mitigated risk value
12. Identify recommendations to achieve the target safety level or risk value (viz. additional
layers of protection, increased system testing, procedural changes, changes to design)

Figure 1. HAZOP Workflow

The above method helps in prioritizing the recommendations and to determine the
implementation plan as part of planning and work management when integrated in an enterprise-
wide asset management system. Also, this forms a basic framework for further asset specific
analysis like Layer of Protection Analysis (LOPA) for Safety Integrity Level (SIL) determination
and RCM-FMEA studies.

2.1.1 HAZOP Case Study

For a sample HAZOP study of a chemical reactor, refer to Figure 2 and Table 1.

Figure 2. Case Study of Ethylene Reactor Process



Table 1. Risk Ranked HAZOP Analysis

Site: Petrochemical Co, USA
HAZOP#: 113; HAZOP title: Ethylene Process; Sheet 1 of 4
Node #: 01; P&ID / Drwg #: P&ID/03003/PR-01.1; Date: 28/10/2008
Node #: Ethylene Reactor, PR-01; Rev: 01

| Deviation | Cause / IE | Scenario | Consequence | Enabling condition | Unmitigated S | Unmitigated L | Unmitigated RV | Safeguards | Mitigated S | Mitigated L | Mitigated RV | Recommendation |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| High Pressure | Feed valve fail open | Excess feed to Reactor causing Overpressure in Vessel | Loss of containment leading to release of flammable material to environment | Wall thinning due to corrosion / Hydride attack | 500 | 0.3 | 150 | 1. PSV 2. Hardwire Alarm | 500 | 0.1 | 50 | 1. Overpress SIF 2. Inspection Program |
| | | | Possible fire and exposure to operators | Presence of ignition source and operators | 1000 | 0.3 | 300 | 1. PSV 2. Deluge system | 100 | 0.1 | 10 | |
| | | | Possible explosion affecting plant personnel | Presence of ignition source and failure of fire protection systems | 1000 | 0.1 | 100 | 1. PSV 2. Entry restricted | 500 | 0.1 | 50 | |
| | Run-away reaction | Overpressure in Rx. Vessel | Same as above | -do- | 1000 | 0.3 | 300 | 1. PSV 2. BPCS 3. Hardwire Alarm | 1000 | 0.1 | 100 | 1. Overpress SIF 2. Reaction killing system |
| | High Inlet pressure due to compressor malfunction | Overpressure in Rx. Vessel | Same as above | All of the above and Failure of Rx inlet pressure control | 500 | 0.3 | 150 | 1. PSV 2. Hardwire Alarm | 500 | 0.1 | 50 | 1. Overpress SIF |
| | BPCS Failure | Overpressure in Rx. Vessel due to large overshoot from the set press. | Same as above | -do- | 500 | 0.3 | 150 | 1. PSV 2. Hardwire Alarm | 500 | 0.1 | 50 | 1. Overpress SIF |

The HAZOP team selected the Ethylene Reactor system for study, and on review of the P&ID
the first node was the Reactor Vessel (PR-01). Possible deviations and causes were then
analyzed. “High Pressure” was selected as the first deviation and the team assessed the causes,
consequences, safeguards and risk for each scenario. The unmitigated risk before safeguards and
mitigated risk with safeguards are calculated using the 5x5 risk matrix as shown below to arrive
at the Risk Value (RV).

Figure 3. HAZOP Risk Matrix

The HAZOP study indicates that the highest risk related to a high pressure deviation is due to a
runaway reaction which leads to a risk value of ‘100’ (refer to Figure 3). An overpressure
protection function (SIF) is recommended to vent the reactor vessel in case of overpressure, as
well as a “kill system” to stop the reaction, to achieve the target limits for safety, environment
and economy.

In the HAZOP analysis many deviations, their causes, consequences, and safeguards were
analyzed along with the associated risks.

2.2 Reliability Centered Maintenance (RCM)

“If you want to change the way people act… you have to change the way that they think”
– John Moubray

The term “Reliability Centered Maintenance” appeared for the first time as the title of a report
prepared by United Airlines, on the processes used by the civil aviation industry to prepare
maintenance programs for aircraft. In 1999 the Society of Automotive Engineers, Inc. (SAE)
issued their Evaluation Criteria for RCM processes – SAE JA1011.

Reliability centered maintenance is a systemic process used to determine the maintenance
strategy that has to be accomplished to ensure that any asset (equipment) is able to continuously
meet its designed functions in its current operating context. RCM is concerned more with
maintaining system function as opposed to maintaining individual component function. Thereby
it leads to maintenance programs that focus Preventive Maintenance (PM) on specific failure
modes likely to occur and is not equipment oriented, but rather is driven by its functions and
risks. The functional failure consequences and risks (safety, environment and economic) define
the maintenance priorities for a PM program.

Nowlan and Heap defined RCM as “A logical discipline for developing a scheduled-
maintenance program that will realize the inherent reliability levels of complex equipment at
minimum cost”.

The RCM seven basic questions outlined in SAE Standard JA1011 Evaluation Criteria for
Reliability Centered Maintenance (RCM) Processes are:
1. What are the functions and associated desired performance of the (asset/system) in its
present operating context (Functions)?
2. In what ways can it fail to fulfil its functions (Functional Failures)?
3. What causes each functional failure (Failure Modes)?
4. What happens when each failure occurs (Failure Effects)?
5. In what way does each failure matter (Failure Consequences)?
6. What should be done to predict or prevent each failure (Recommendations)?
7. What should be done if a suitable RCM task cannot be found (Default Actions)?

The risk associated with the failure effect is often assessed using a Risk Matrix or Risk Priority
Number (RPN). An RPN is a process for quantifying risk by assigning a numerical score for each
of three elements: criticality (or severity of a failure), failure frequency, and the probability of
detection.

RCM studies are usually conducted by the maintenance and reliability groups. The main
objective is to develop appropriate maintenance plans based on probability and consequence of
the analyzed failure modes.

2.2.1 RCM Case Study

In reference to the above case study on the Ethylene Reactor (refer to Figure 2), this system
comprises various RCM components (sub-systems) such as the feed gas compressor, etc which
are to be analysed for their functional failures, failure mode and effects along with the associated
risk to determine the appropriate maintenance tasks / plans for these assets.

Table 2. RCM Analysis

RCM#: 011; RCM title: Ethylene Feed gas Compressor; Sheet 1 of 8
Site: Petrochemical Co, USA; P&ID / Drwg #: P&ID/03003/PR-01.1; Date: 05/12/2008

| System | Sub-system / Asset ID | Function ID | Function | Functional Failure | Failure Mode | Failure Effect | Criticality / Risk score |
|---|---|---|---|---|---|---|---|
| Ethylene Reactor | Feed gas compressor (FC-001) | C1 | Supply compressed feed gas to ethylene reactor | Fail to supply feed gas at a pressure of 100 bar to ethylene reactor. | Compressor last stage seal failure | External leak leading to fire | B (150) |

Figure 4. RCM Risk Matrix

In the feed gas compressor RCM analysis (refer to Table 2), failure of the compressor to supply
feed gas at the required pressure was analysed and the predominant failure mode was found to be
“seal failure” which can result in an external leak and may lead to fire. The unmitigated risk
(refer to Figure 4) was assigned ‘High’ (500) from safety / environmental aspects after
considering the design aspects and material of the seals. The recommended maintenance tasks /
actions to mitigate this failure will bring the risk down to a value of ‘150’ (still ‘High Risk’).

In full RCM analysis of the feed gas compressor, there are multiple functions / failures / failure
modes and effects with associated risks analysed to strategise the appropriate maintenance tasks /
actions to mitigate the failure risks.

2.3 Risk Based Inspection

A Risk Based Inspection (RBI) process is primarily focussed on maintaining the mechanical
integrity of pressure equipment items and minimizing the risk of loss of containment due to
deterioration. This is normally accomplished by inspection and testing programs which are
established to detect and evaluate deterioration due to in-service operation and may widely range
from reactive programs to proactive programs (time-based or calendar-based). RBI, as a risk-
based approach, focuses on static equipment and associated deterioration mechanisms
representing the most risk to the facility. Mitigation thereby provides a better linkage between
the mechanisms that lead to the failure (loss of containment) and the inspection approaches that
will effectively reduce the associated risks.

API RP-580 is the guideline specifically targeted at the application of RBI in the hydrocarbon
and chemical process industry. RBI is focussed on a systematic determination of relative risks to
rank the equipment or components so as to focus the risk management efforts on the higher
ranked risks.

Risk management programs, viz. RBI, generally involve the following four-phase process:

1. Identify Specific Failure Modes or Deterioration Mechanisms - Different Failure Modes that
apply to individual equipment items or components are identified. Failure modes are defined
as the different mechanisms that may cause the equipment or component to deteriorate over
time and eventually lead to failure. Failure Modes are sometimes referred to as Damage
Types or Degradation Mechanisms.

2. Assess Risk - The deterioration rate and equipment tolerance to each deterioration
mechanism is ascertained. Assessments can be Quantitative, Qualitative, or a blend of the
two (semi-Quantitative). Quantitative assessments result in a Damage Factor for each
deterioration mechanism. The Cumulative Damage Factor is obtained by adding the
individual Damage Factors and is used to assess risk. Qualitative assessments depend on the
equipment history, plant experience, and largely the expertise of the analyst performing the
study.

3. Identify Risk Mitigation Alternatives – High risk equipment is examined and different risk
mitigation alternatives are investigated. These alternatives might include a more sensitive
Inspection Plan, Equipment Re-design, Equipment replacement, Equipment repair, or in
some extreme cases a Change in Process.

4. Develop an Action Plan – An action plan is established to carry out the recommended actions
that have been identified in phase three.

RBI alone cannot adequately cover all aspects of risk management. It should complement
existing processes like PHA or HAZOP and RCM, but not serve as a substitute for them. RBI
complements the PHA by focussing on the mechanical integrity related deterioration mechanisms
and risk management through inspection. For instance, an RBI assessment may define how
inspection activities could mitigate the risk associated with loss of containment for a piece of
equipment identified in HAZOP. However, when the same equipment neared the end of its life,
RCM could define an “end of life” strategy involving equipment replacement or repair. RCM
analyses are applied at a system level, and whenever a Loss of Containment function is subjected
to an RCM analysis, and inspection activities are planned to mitigate the risk associated with the
loss of containment, the RBI Analysis results could be used to complement the Equipment Plan.

2.3.1 RBI Case Study

The RBI study can include a review of the output from a HAZOP that has been conducted on the
process unit being evaluated. In this case consider the HAZOP conducted on the Ethylene
Reactor (refer to Figure 2 and Table 1). Hazards identified in HAZOP can be specifically
addressed in the RBI analysis.

Table 3. RBI Analysis

Risk Based Inspection (RBI) Worksheet

Site: Petrochemical Co, USA; Sheet No. 3 of 8
Units: EO Process Unit; Date: 09/11/08
Asset: Ethylene Reactor, PR-01; Ref Drawing: P&ID/03003/PR-01.1
RBI Component: Reactor Vessel, PR-01
Rep. Fluid: EO
Rolled Up COF: C
Rolled Up POF: 3
Overall Risk Ranking: Medium (14)

| Degradation Mechanism | Probability of Failure (POF) | Consequence of Failure (COF) | Risk Ranking | Inspection Priority |
|---|---|---|---|---|
| Internal Corrosion | 4 | B | Medium | 15 |
| External Corrosion | 4 | B | Medium | 15 |
| Erosion | 4 | C | Medium | 18 |
| Ext Chloride SCC | 3 | B | Medium High | 9 |



RBI analyses are typically performed at a level of detail below that of the overall asset. This is
because potential degradation mechanisms, rates of degradation, material resistance,
consequences, etc are often different for the various portions of the equipment. These various
portions are referred to as RBI Components. The RBI analysis data sheet above shows the four
potential degradation mechanisms that were evaluated for the Ethylene Reactor (pressure vessel).
In the case above, past inspection data revealed that External Chloride Stress Corrosion Cracking
(SCC) and in turn, its Probability of Failure rating is driving the overall risk ranking of the
reactor vessel. Once the RBI Analyses are completed for the other relevant portions of reactor
vessel (viz. head, cylindrical shell, internals), an overall inspection strategy for the asset can be
effectively established to address the various degradation mechanisms and prevent unplanned
failures.

2.4 Safety Instrument System Life-Cycle Management

Safety Instrument System life-cycle management is the methodology to manage from
conception, design and engineering, operation and maintenance, until decommissioning of those
instrumented safety systems which perform the functions of protection or mitigation of process /
critical equipment, from undesired consequences / failures.

SIS Life-Cycle Management was formalized by ISA when it published ANSI/ISA 84-01-1996,
‘Application of Safety Instrumented Systems for Process Industries’. This standard was
developed to provide a standard process for assessing the requirements for applying a safety
instrumented system, designing the SIS and maintaining it. ISA superseded this standard in 2004
by the adoption of the International Electro-technical Commission (IEC) 61511 ‘Functional Safety –
Safety Instrumented Systems for the Process Industry Sector’, which is actually a subset of IEC
61508 ‘Functional safety of electrical/electronic/programmable electronic safety-related
systems’.

The new ANSI/ISA-84.00.01 2004 standard describes and defines the requirements for each of
the following SIS Life-Cycle phases:

1. Hazards and risk assessment
2. Allocation of safety functions to protection layers
3. Safety requirements specification for the safety instrumented system
4. Design and engineering of the safety instrumented system
5. Installation, commissioning and validation
6. Operation and maintenance
7. Modifications
8. Decommissioning
9. Verification
10. Management of functional safety and functional safety assessment and auditing
11. Safety life-cycle structure and planning

The allocation of safety functions to protective layers is the phase that defines the process of
assessing the risk and assigning a Safety Integrity Level (SIL) to a Safety Instrumented Function
(SIF). The Safety Integrity Level is a measure of the safety margin or reliability of the
instruments in the safety loop and is expressed as average probability of failure of the instrument
loop.

A Safety Instrumented Function (SIF) is a safety function with a specific SIL that mitigates or
prevents a consequence of a hazard / failure. ISA/IEC has defined the specific ranges (PFDavg)
of safety integrity for each SIL. Table 4 represents the SIL levels for low demand operations.

Table 4. SIL Levels for Low Demand Mode

Low Demand Mode of Operation

| Safety Integrity Level (SIL) | Target average probability of failure on demand (PFD Avg) | % Availability | Risk Reduction Factor (RRF) |
|---|---|---|---|
| 4 | ≥ 1×10⁻⁵ to < 1×10⁻⁴ | > 99.99% | > 10,000 to ≤ 100,000 |
| 3 | ≥ 1×10⁻⁴ to < 1×10⁻³ | 99.9% to 99.99% | > 1000 to ≤ 10,000 |
| 2 | ≥ 1×10⁻³ to < 1×10⁻² | 99% to 99.9% | > 100 to ≤ 1000 |
| 1 | ≥ 1×10⁻² to < 1×10⁻¹ | 90% to 99% | > 10 to ≤ 100 |

2.4.1 SIL Assessment

A SIL Assessment is conducted to determine the appropriate assignment of the SIL for each SIF.
The standard allows for both qualitative and quantitative methods for selection of the SIL. Risk
Matrix, Risk Graph, Layer of Protection Analysis (LOPA) and Fault Tree Analysis (FTA) are all
acceptable methods. Risk Matrix (refer to Figure 5) is the most popular risk (SIL) assessment
method used in the process industries. An organization will define the risk matrix and add an
assignment of a SIL to all the risk levels that require an additional safeguard to achieve an
acceptable or tolerable risk.

Figure 5. SIL Assessment Risk Matrix



In Layer of Protection Analysis (LOPA), the hazard and its cause frequency and its
consequences are determined and assigned a quantitative value as defined in their corporate Risk
Matrix. Then the existing safeguards / layers of protection (like process controller, process
alarms, relief devices, etc) for this event are determined and are assigned a failure probability to
calculate the value of mitigated risk and remaining unmitigated risk. The unmitigated risk or the
gap specifies the required safety integrity level for the SIF (refer to Figure 6).

Figure 6. Layer of Protection Analysis

Once a SIL has been selected for a SIF, an SIS will be designed to take the process to a safe state
based on the measurement of the initiating event as defined by the SIF. The design of the SIS
will be analyzed to ensure it can meet the Probability of Failure on Demand Average for that SIL.
Higher SIL levels tend to cost more to implement and maintain because of the increase in
availability targets and requirements for redundancy of the SIS components.
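
The LOPA gap calculation described above, mapped onto the RRF bands of Table 4, as an added example (not code from the paper or from its authors' software). The initiating frequencies, layer PFDs and tolerable frequency are constructed sample values, and reporting a gap that falls below the SIL 1 band as SIL 0 is an assumption of this example.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import NamedTuple, Optional, Sequence

# RRF bands from Table 4 (low demand mode): lower bound exclusive, upper inclusive.
SIL_BANDS = (
    (Fraction(10), Fraction(100), 1),
    (Fraction(100), Fraction(1000), 2),
    (Fraction(1000), Fraction(10000), 3),
    (Fraction(10000), Fraction(100000), 4),
)


@dataclass(frozen=True)
class Layer:
    """One existing safeguard credited as a layer of protection."""
    name: str
    pfd: Fraction  # probability of failure on demand, 0 < pfd <= 1


class LopaResult(NamedTuple):
    mitigated_per_year: Fraction      # event frequency with existing layers
    required_rrf: Fraction            # gap between mitigated and tolerable
    sil: Optional[int]                # None: no gap; 0: gap below SIL 1 band
    max_sif_pfd: Optional[Fraction]   # PFDavg the SIF must not exceed


def sil_for_rrf(rrf: Fraction) -> Optional[int]:
    """Map a required risk reduction factor onto the Table 4 bands."""
    if rrf <= 1:
        return None  # existing layers already meet the tolerable frequency
    if rrf <= 10:
        return 0     # assumption: a gap exists but is below the SIL 1 band
    for low, high, sil in SIL_BANDS:
        if low < rrf <= high:
            return sil
    raise ValueError("required RRF exceeds the SIL 4 band; add layers or redesign")


def lopa(initiating_per_year, layers: Sequence[Layer], tolerable_per_year) -> LopaResult:
    """Multiply the cause frequency by each layer's PFD and size the remaining gap."""
    freq = Fraction(initiating_per_year)
    target = Fraction(tolerable_per_year)
    if freq <= 0 or target <= 0:
        raise ValueError("frequencies must be positive")
    for layer in layers:
        if not 0 < layer.pfd <= 1:
            raise ValueError(f"PFD out of range for layer {layer.name!r}")
        freq *= layer.pfd
    rrf = freq / target
    sil = sil_for_rrf(rrf)
    return LopaResult(freq, rrf, sil, None if sil is None else 1 / rrf)


# Constructed sample data: safeguard names follow Table 1, PFD values are invented.
SAMPLE_LAYERS = (
    Layer("Hardwire alarm with operator response", Fraction("0.1")),
    Layer("PSV", Fraction("0.01")),
)
TOLERABLE = "1e-6"  # constructed tolerable event frequency, per year

if __name__ == "__main__":
    cases = {
        "cause frequency as first assessed (0.1/yr)": ("0.1", SAMPLE_LAYERS),
        "cause frequency revised upward by another study (0.3/yr)": ("0.3", SAMPLE_LAYERS),
        "PSV not credited (0.1/yr)": ("0.1", SAMPLE_LAYERS[:1]),
    }
    for label, (freq, layers) in cases.items():
        r = lopa(freq, layers, TOLERABLE)
        print(f"{label}: mitigated={float(r.mitigated_per_year):.1e}/yr "
              f"RRF={float(r.required_rrf):g} SIL={r.sil}")
```

Exact fractions are used so that a gap landing on a band edge (for example an RRF of exactly 100) is classified by the inclusive upper bound in Table 4 rather than by floating-point rounding.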

2.4.2 SIL Assessment Case Study

This SIL Assessment study utilized the results of the HAZOP risk assessment (refer to Table 1)
for the possible release of the ethylene oxide to determine the SIL for the SIF that addresses that
risk. If the Risk Matrix were not the same, the SIL Assessment team would need to reconcile the
differences. Even less advantageous would be if the SIL Assessment team didn’t utilize the risk
assessment from the HAZOP or have a HAZOP to reference in an integrated fashion. Table 5
shows the SIL assessment for the ethylene reactor where SIF-2 and SIF-3 were assigned SIL 2
and SIF-1 was assigned SIL 1 (protection for feed gas compressor).

Table 5. SIL Assessment

SIL Assessment

Site: Petrochemical Co, USA; Sheet No. 2 of 7
Units: EO Process Unit; Date: 09/11/08
System: Ethylene Reactor, PR-01; Ref Drawing: P&ID/03003/PR-01.1

| SIF | SIF Description | Initiating Event | Hazardous Event | Consequence | Assigned SIL |
|---|---|---|---|---|---|
| SIF - 2 | PR-1 High pressure shutdown | Feed valve failure / run-away reaction | Overpressure of PR-1 | Fire and/or explosion | 2 |
| SIF - 3 | PR-1 High temperature shutdown | Exothermic reaction | Overpressure of PR-1 | Fire and/or explosion | 2 |
| SIF - 4 | PR-1 Inlet pressure high trip | High pressure due to compressor failure | Possible overpressure leading to inlet line rupture. | Release of EO and/or fire. | 1 |

2.5 Assessed Asset Integrity Level Approach

The assessed asset integrity level is the process by which risk informed methodologies (HAZOP,
RCM, RBI, SIS) and deterministic / performance based information (Event history and reliability
analytics) are combined to establish appropriate levels of programmatic controls for systems,
equipment and components in order to provide necessary assurance that these items will operate
safely and activities are accomplished as prescribed.

The management and utilization of data for this process can be resolved if all these data are
managed in one comprehensive system or database. The prime requirement is to have the plant
equipment / assets identified in the HAZOP be defined in an equipment database / functional
location in the Computerized Maintenance Management System (CMMS) / Enterprise Resource
Planning (ERP) [SAP / Maximo] systems and be integrated with the risk assessment and
reliability tools as part of an Enterprise Asset Performance Management (EAM) framework. The
risk assessment definitions need to be uniform over all the methodologies (HAZOP / RCM / RBI
/ SIS), so that information or outcomes from one methodology can be mapped to other in order to
achieve the risk balancing. This improves consistency of risk assessment information between
these methodologies as well, and serves as an aid in compliance auditing and effective
recommendation management. For example, HAZOP results can be complemented with RBI /
RCM analysis outcomes to balance the risks and later can provide more qualitative support to the
decision making process of risk management. Similarly, information from a HAZOP study can
be directly mapped into a SIF during the process of SIL assignment which can reduce the effort
of SIL assessment to a larger extent. Moreover, this process aids in management of mechanical
integrity requirements for OSHA 1910 / PSM practices.

In the above case study of an ethylene reactor, an RBI study is conducted on the reactor vessel.
The RBI study assesses the risk of loss of containment at ‘Medium Risk’ based on the past
inspection information as well as the current inspection strategy being adopted. The Hazards
Analysis set the risk of loss of containment at ‘Medium High’. Based on HAZOP the SIL level
for the SIF is set to SIL 2. This result does not pose a safety concern, but it does lead to more
capital and maintenance cost to maintain the SIL 2 function. Also SIL 2 mandates stringent
requirements on the frequency of functional tests / proof tests for the instrument loop which can
lead to further burdens on the operations. If the results of the RBI study could be fed back to the
hazards analysis team perhaps the risk in HAZOP would be reduced, which may lead to a lower
SIL (i.e. SIL1), in turn saving time, money and posing a lower burden on operations.

Another scenario is considering the RCM study conducted on the feed compressor. The RCM
study assesses all the functional failure modes and related consequences. The RCM study
concluded that there is a significant risk (Medium-High) due to a moderate probability of a high
consequence occurring. The Hazards Analysis set the probability of this consequence occurring
at Low. The SIL assessed for the related SIF in this case was set to a SIL 1, considering the
HAZOP output. In this case there could be a gap in the design of the SIF due to the lower-than-
expected frequency of occurrence of compressor failure. This would have exposed the process /
asset to an unmitigated risk leading to unreliable operation if the risk from the RCM study was
not considered for Safety Instrumented Function design.

Figure 7 below defines the logic and workflow of the assessed asset integrity level process
in determining the appropriate level of program controls to be applied to plant assets. This
program has three graded levels of program control such as ‘Category-A’, ‘Category-B’ and
‘Category-C’.

‘Category-A’ is for high integrity program controls that can be applied to systems / equipment
determined to have ‘High Risk’ significance after balancing the risks. These programmatic
controls are in full compliance with the HSE requirements and standards that they endorse.
These controls shall be prescribed in implementing procedures and are afforded multi-tiered
levels of oversight consisting of focused independent oversight in the form of audits,
performance monitoring, risk / reliability assessment, evaluation, inspection and testing, as
appropriate. These systems / equipment shall remain in this category, regardless of performance
measures, due to their high risk significance. The test/inspection intervals and methodologies as
well as PM tasks are to be strictly adhered to as recommended by the appropriate risk
management methodology without any deviation.

‘Category-B’ is for system specific program controls that can be applied to systems / equipment
determined to have ‘Medium Risk’ significance after balancing the risks. These are lower levels
of control and oversight, designed to maintain and/or preserve those identified critical attributes
of systems / equipment needed to support risk significant functions. They consider economical
and efficient business practices while maintaining compliance with the basic HSE requirements.
They do not reflect strict controls and potentially warrant a test / inspection interval extension or
change in PM interval; however, their reliability must be assured via a compensatory measure,
which can be a related testing or monitoring (condition / performance monitoring) function that
serves to prevent the hidden failure. The test/inspection intervals and methodology may be
modified based on the evaluation of design, service condition, performance history and
compensatory actions.

‘Category-C’ is for business-driven program controls that can be applied to systems / equipment
determined to have ‘Low Risk’ or ‘Non-Risk’ significance after balancing the risks. These are
lower levels of control and oversight, limited to good engineering and business practices while
maintaining the productivity targets and economics. They potentially warrant test / inspection
interval extensions/deferrals and modifications in PM tasks/methodology, based on the service
condition, failure modes and consequences, performance history and economics / production
objectives.

The Assessed Asset Integrity Level approach provides a comprehensive risk management
perspective throughout the operation and maintenance phase of the plant / process and covers the
complete asset management activities starting from criticality/risk assessment, performance
monitoring, equipment PM plans to in-service inspections/tests, surveillance tasks, corrective
actions, recommendation/change management and long-term planning.

3.0 Conclusion
The Assessed Asset Integrity Level approach maps all the outcomes of the risk assessment
methodologies to the corresponding assets / equipment to determine the overall asset criticality.
This determination of asset criticality will help to develop the comprehensive equipment / asset
strategies covering key aspects like maintenance tasks (PM / PdM/CM), PM templates,
maintenance scheduling, inspection priorities and plans, testing requirements, life-cycle
management and long-term planning. The Assessed Asset Integrity Level process assigns
classifications by focusing on the risk relative to process safety risk and high economic /
production impact (tangible). When integrated with CMMS / ERP systems, this approach provides
maximum benefits (high return on assets) as the maintenance history and test / inspection records
can be used to validate the actual failure rates of the equipment and to verify whether they are in
line with the estimated failure rates that were used during the design/analysis phase.

In an integrated Asset Integrity Management process (refer to Figure 8), the risk results of all
methods can be easily presented and evaluated for overall balance. If a risk from one or more of
the analysis methods is not within expected limits, a recommendation for reassessment or system
modification can be made. The expected benefits of the implementation of this process include
identification and ranking of components and thereby strengthening the focus on PM activities,
inspection plans, component reliability trending, performance monitoring and station budgeting.
It also helps to integrate, focus and streamline existing risk management processes to establish
long-range system reliability plans to achieve a goal of increased plant reliability and
availability.

Figure 8. Integrated Asset Integrity Management Framework
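
The cross-check between study results and the three program-control categories described above can be sketched in code. This is an added example, not part of the original paper or of any Meridium product: the function name, the "most conservative ranking" balancing rule and the placement of Medium-High in Category-A are assumptions, and the sample inputs are constructed from the two case-study scenarios (with the compressor's HAZOP result simplified to a single Low ranking).

```python
# Added illustration; the balancing rule is an assumption, not the Figure 7 logic.
RANK = {"Non-Risk": 0, "Low": 1, "Medium": 2, "Medium-High": 3, "High": 4}

# High / Medium / Low / Non-Risk bands follow the paper's category definitions;
# mapping Medium-High to Category-A is an assumption (the paper does not map it).
CATEGORY = {"High": "Category-A", "Medium-High": "Category-A",
            "Medium": "Category-B", "Low": "Category-C",
            "Non-Risk": "Category-C"}


def assess(asset, hazop, other_studies):
    """Compare the HAZOP ranking with RBI / RCM rankings for one asset.

    hazop: ranking that drove the SIL assessment.
    other_studies: dict such as {"RBI": "Medium"}.
    Returns (provisional category, list of reassessment recommendations).
    """
    findings = []
    for method, level in other_studies.items():
        gap = RANK[hazop] - RANK[level]
        if gap > 0:
            # Reactor scenario: the SIF may carry a higher SIL than needed.
            findings.append(f"{asset}: HAZOP ({hazop}) above {method} ({level}); "
                            "feed back to hazards analysis, SIL may be over-specified")
        elif gap < 0:
            # Compressor scenario: the SIF may leave risk unmitigated.
            findings.append(f"{asset}: HAZOP ({hazop}) below {method} ({level}); "
                            "reassess SIF design for a possible gap")
    # Assumed rule: hold the most conservative ranking until studies are reconciled.
    balanced = max([hazop, *other_studies.values()], key=RANK.__getitem__)
    return CATEGORY[balanced], findings


# Constructed inputs modelled on the paper's scenarios, plus one constructed asset.
SAMPLES = [
    ("Ethylene reactor vessel", "Medium-High", {"RBI": "Medium"}),
    ("Feed compressor", "Low", {"RCM": "Medium-High"}),
    ("Utility pump (constructed)", "Low", {"RCM": "Low"}),
]

if __name__ == "__main__":
    for name, hazop_rank, studies in SAMPLES:
        category, notes = assess(name, hazop_rank, studies)
        print(f"{name} -> {category}")
        for note in notes:
            print("   ", note)
```

The category returned is provisional: once the flagged studies have been reassessed, the asset is re-run with the reconciled rankings.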

3.1 References
[1] SAE JA 1011, Evaluation Criteria for Reliability-Centered Maintenance (RCM)
Processes, issued in January 2002

[2] Occupational Safety and Health Administration, 29 Code of Federal Regulations (CFR)
1910.119 Process Safety Management of Highly Hazardous Chemicals, 1992

[3] ANSI/ISA-84.00.01, Functional Safety: Safety Instrumented Systems for the Process
Industry Sector, approved 2 September 2004

[4] API RP580 – Risk Based Inspection, American Petroleum Institute, May 2002
