654 5 Safety and Risk i n Engineering Design The actual degree of safety—incidents: This is evaluated according to the contri- bution of the actual physical condition of the equipment to its safety, the actual downtime frequency,aswellastheactual reportable incident frequency,arising from the functional failure history of the equipment resulting in an asset loss conse- quence o f failure. Besides safety operational and physical consequences of failure, the other consequences (economic, environmental, systems and maintenance) are typically measured as the cost of losses plus the cost of repair to the failed item and to any consequential damage (although, in reality, all safety consequences are eventually also measured as a cost risk). These cost risks of failure are also defined as the result of multiplying the consequence of failure (i.e. the cost of losses plus the cost of repair), by the probability of its occurr ence. Reliability analysis in engineering design tends, h owever, to simplify these risks to the point of impracticality where, for example, consideration is given only to sin- gle modes of failure, or only to random failure occurrences, or to maintenance that results in complete renewal and ‘as new’ conditions. In reality, the situation is much more complicated with interacting multiple failure modes, variable failure rates, as well as maintenance-induced failures that influence the rates of deterioration, and subsequent failure (Woodhouse 1999). It is somewhat unrealistic to assume a specific failure rate of equipment within a complex integration of systems with complex failure processes. At best, the intrin- sic failure characteristics of components of equipment are determined from quan- titative probability distributions of failure data obtained in a somewhat clinical en- vironment under certain operating conditions. The true failure process, however, is subject to many other factors, including premature or delayed preventive mainte- nance activities conducted during shutdowns of process plant. It is generally accepted that shutdowns affect the failure characteristics of equip- ment as a whole, although it is debatable whether the end result is positive or nega- tive from a residual life point of view, where residual life is defined as the remaining life expectancy of a component, given its survival to a specific age. This is a concept of obvious interest, and one of the most important notions in process reliability and equipment aging studies for safety criticality analysis. Safety criticality analysis is thus always faced with combinations of interacting failure modes and variable failure r a tes, where the cumulative effects are much more important than estimates of specific probabilities of failure. Qualitative estimates of how long equipment might last in certain engineering processes, based on operating conditions and failure characteristics, are much more easily made than quantitative estimates of the chancesoffailure ofindividual equipment.These cumulative effects are represented in equipment survival curves where a best-fit curve is matched to specific survival data, and a pattern of risks calculated that would be necessary for these effects to be realised. In analysing survival data, there is often the need to determine not only the survival time distribution but also the residual survival time (or residual life) distribution. A typical equipment survival c urve and hazard curve are illustrated in Fig. 5.41a and 5.41b (Smith et al. 2000). Typical impact, risk exposure,lost performance, and direct cost patterns based on shutdown maintenance intervals for rotating equipment, as well as risk-based main- 5.2 Theoretical Overview of Safety and Risk in Engineering Design 655 Fig. 5.41 a Kaplan–Meier survi val curve for rotating equipment, b estimated hazard curve for rotating equipment tenance patterns based on shutdown maintenance intervals for rotating equipment are illustrated in Fig. 5.42a and 5.42b (APT Maintenance 1999). b) Risk-Based Maintenance Risk-based maintenance is fundamentally an evaluation of maintenance tasks, par- ticularly scheduled preventive maintenan ce activities in shutdown programs. It con- siders the impact of bringing forwards, or d elaying, activities that are directed at preventing cost risks to coincide with essential activities that address safety risk s.If the extent of these risks were known, and what they cost, the optimum amount of risk to take, and planned costs to incur, could be calculated. Similarly, better deci- sions could be made if the value of the benefits of improvedperformance, longerlife and greater reliability was known. These risks and benefits are, however, difficult to quantify, and many of the factors are indeterminable. Cost/risk optimisation in this 656 5 Safety and Risk in Engineering Design Fig. 5.42 a Risk exposure pattern for rotating equipment, b risk-based maintenance patterns for rotating equipment context can thus be defined as the minimal total impact, and represents a trade-off between the conflictin g interests of the need to reduce costs at the same time as th e need to reduce the risks of failure. Both are measured in terms of cost, the former being the planned downtime cost plus the cost of preventive maintenance in an at- tempt to increase perf ormance and reliability, and the latter being the cost of losses due to forced shutdowns plus the cost of repair and consequential damage. The total impact is the sum of the planned costs and failure costs. When this sum is at a minimum, an optimal combination of the costs incurred and the failure risks is reached, as illustrated in Fig. 5.43. Cost/risk trade-off decisions determine optimal preventive maintenance intervals for plant shutdown strategies that consider component renewal o r replacement cri- teria, spares requirements planning, etc. Planned downtime costs plus the costs of preventive maintenanceare traded-off against the risk consequences of premature or deferred component renewals or replacements, measured as the cost of losses plus 5.2 Theoretical Overview of Safety and Risk in Engineering Design 657 Fig. 5.43 Typical cost optimisation curve the cost of repair. In each of these areas, cost/risk evaluation techniques are applied to assist in the application of a safety-critical maintenance approach. Component renewal/replacement criteria are directly determined by failure modes and effects criticality analysis (FMECA), whereby appropriate maintenance tasks are matched to failure modes. In applying FMECA, the criticality analysis establishes a priority rating of components according to the consequences and mea- sures of their various failure modes, which helps to prioritise the preventive main- tenance activities for scheduled shu tdowns. An example of an FMECA for process criticality of a control valve, based on failure consequences (downtime) and failure rate (1/MTBF), is given in Table 5.16. Reliability, availability, maintainability and safety (RAMS) studies establish the most effective combination of the different types of maintenance (i.e. a maintenance strategy) for operational systems and equipment. The deliverable results are opera- tions and maintenance procedures and work instructions in which the different types of maintenance are effectively combined for specific equipment. Failure modes and effects criticality analysis (FMECA), as given in Table 5.16, is one of the most commonly used techniques for prioritising failures in equipment. The analysis at systems level involves identifying potential equipment failure modes and assessing the consequences of these for the system’s performance. Table 5.17 shows the designation of maintenance activities, the a ppropriatemain- tenance trade, and the recommended maintenance frequency for each failure mode, based on MTBF. It is evident that some activities need to be delayed to coinc ide with others. Different types and levels of maintenance effort are applied, depending upon the process or functional criticality (Woodhouse 1999): • Quantitative risk and performance analysis (such as RAM and FMECA) is war- ranted for about 5–10% of the most critical failure modes. This is where cost/risk optimisation is applicable for significant costs or risks that are sensitive to high- impact strategies. 658 5 Safety and Risk in Engineering Design Table 5.16 Typical FMECA for process criticality Component Failure description Failure mode Failure consequences Failure causes D/T (h) (plus damage) MTTR (h) (repair time) and damage MTBF (months) Process criticality rating Control valve Fails to open TLF Production Solenoid valve fails, failed cylinder actuator or air receiv er failure 9812Medium critical Control valve Fails to open TLF Production No PLC output due to modules electronic f ault or cabling 4 2 6 Medium critical Control valve Fails to seal/close TLF Production Valve disk damaged due to corrosion wear (same ‘ fails to open’) 5 4 6 Medium critical Control valve Fails to seal/close TLF Production Valve stem cylinders seized due to chemical deposition or corrosion 5 4 4 Medium critical Instrument loop (press. 1) Fails to provide accurate pressure indication TLF Maint. Restricted sensing port due to blockage of chemical or physical accumulation 013Low critical Instrument loop (press. 2) Fails to detect low pressure condition TLF Maint. Low pressure switch fails due to corrosion or mechanical damage 023Low critical Instrument loop (press. 2) Fails to detect low pressure condition TLF Maint. Pressure switch relay or cabling failure 084Low critical Instrument loop (press. 2) Fails to provide output signal for alarm TLF Maint. PLC alarm function or indicator fails 084Low critical 5.2 Theoretical Overview of Safety and Risk in Engineering Design 659 Table 5.17 FMECA with preventive maintenance activities Component Failure description Failure causes D/T (h) (plus damage) MTTR (h) (repair time) and damage MTBF (months) Maintenance activity Maintenance trade Maintenance frequency Control valve Fails to open Solenoid valve fails, failed cylinder actuatororair receiv er failure 9 8 12 Service control valve. Replace components and test PLC interface Instr. tech. 12 monthly Control valve Fails to open No PLC output due to modules electronic fault or cabling 4 2 6 Covered by control valv e service as above Instr. tech. 12 monthly Control valve Fails to seal/close Valve d isk d amaged due to corrosion wear (same causes as ‘f ails to open’) 5 4 6 Remove control valv e and check valv e stem, seat and disk or diaphragm for deterioration or corrosion and replace with overhauled valv e if required Fitter 6 monthly Control valve Fails to seal/close Valve stem cylinders seized due to chemical deposition or corrosion 5 4 4 Covered by control valve condition assessment and replace components Instr. tech. 6 monthly 660 5 Safety and Risk in Engineering Design Table 5.17 (continued) Component Failure description Failure causes D/T (h) (plus damage) MTTR (h) (repair time) and damage MTBF (months) Maintenance activity Maintenance trade Maintenance frequency Instrument loop (press. 1) Fails to provide accurate pressure indication Restricted sensing port due to blockage of chemical or physical accumulation 0 1 3 Remove pressure gauge and check for blocked sensing lines and gauge deterioration. Replace with new gauge if required Instr. tech. 3 monthly Instrument loop (press. 2) Fails to detect low pressure condition Low p ressure switch fails due to corrosion or mechanical damage 0 2 3 Verify correct operation of pressure switch and wiring. Test alarm’s operation Instr. tech. 3 monthly Instrument loop (press. 2) Fails to detect low pressure condition Pressure switch relay or cabling failure 0 8 4 Covered by switch operation verification Instr. tech. 3 monthly Instrument loop (press. 2) Fails to provide output signal for alarm PLC alarm function or indicator f ails 0 8 4 Covered by switch operation verification Instr. tech. 3 monthly 5.2 Theoretical Overview of Safety and Risk in Engineering Design 661 • Rule-based analysis methods (such as RCM and RBI) are more appropriate for about 40–60% of the critical failure modes, particularly if supplemented with economic analysis of the resulting impact strategies. This is where cost/risk op- timisation is applicable for the costs or risks for setting preventive maintenance intervals. • Review of existing maintenance (excluding simple FMEA studies) provides a simple check at the lower levels of criticality to verify that there is a valid reason for the maintenance activity, and that the cost is reasonable compared to the consequences. c) Safety Criticality Analysis and Risk-Based Maintenance Safety criticality analysis was previously considered as the assessment of failure risks. In this context, safety criticality analysis is applied to determine the essential maintenance intervals, and the impact of premature or delayed preventive mainte- nance activities where failure risks are considered to be safety critical. A safety/risk scale is applied, based on a specific cost benchmark (usually computed as the cost of output per time interval) related to the cost of losses and the likelihood of failure. A safety criticality model to determine the optimal main tenance interval, and the impact of premature or delayed preventive maintenance activities consider s the following: • A quantified description of the degradation process, using estimates wherever data ar e not available, as well as identification of failure mo des and related causes. • Cost calculations for material and maintenance labour costs for each failure mode, including possible consequential damage. • Cost/risk calculations for alternative preventive maintenance intervals based on a specific cost benchmark related to the cost of losses and the likelihood of fail- ure. • Cost criticality rating of failure modes, and sensitivity testing to the limits of the likelihood of failure under uncertainty of unavailable or censored data. • Identification of key decision drivers (which assumptions have the greatest effect upon the optimal decision), for review of the preventive maintenance program. In many cases, there are several interacting failure modes, causes and effects, all in the same evaluation. The preventive maintenance program or, in the case of continuous processes, the shutdown strategy thus becomes a compromise of scheduled times and costs. Some activities will be performed ahead of their ideal timing, whilst others will be delay ed to share the downtime opportunity determined by safety-critical shuts. The r isks and perfor mance impact of delayed activities, and the additional costs of deliberate over-maintenance in others, both contribute to the costs for a partic- ular shutdown program. The degree of advantage, on the other hand, is controlled 662 5 Safety and Risk in Engineering Design by the costs involved. The downtime impact (the cost of losses due to forced shut- downs as a result of failure, plus the cost of repair to the failed item and to any consequential damage) often dominates the direct cost advantage (planned shut- down lost opportunity costs, use of facilities, materials and labour costs, etc.) of shutting down and starting up again. Such a cost criticality analysis also reveals the scope for de-bottlenecking improperly evaluated reliability constraints by eliminat- ing frequent interim shutdowns and extending operational run lengths. The analysis process is also able to calculate the net payback f or such de-bottlenecking. The grouping and re-grouping of activities as well as re-programming the preventive maintenance program (i.e. combining activities in different bundles and moving the bundles to shorter or longer intervals) are fundamentally a scheduling problem, re- quiring the application of formalised risk analysis and d ecision criteria based on as- sessment scales, and the use of computer automated computation. Table 5.18 shows the application of cost criticality analysis to the FMECA for process criticality of the control valve given in Table 5.17. It indicates the cost criticality rating of each failure mode related to the cost of losses and the cost risk based on estimates of the likelihood of failure. Table 5.19 shows a comparison between the process criticality rating and the cost criticality rating of each failure mode of the control valve. In this case, the ratings correspond closely with one another. The maintenance freque ncies of the preventive maintenance activities that were typically based on the mean time between failures (MTBF) are, however, not rela- tive to either the process criticality rating or the cost criticality rating . The mainte- nance frequencies thus require review to determine the optimal maintenance inter- vals wher eby the impact of premature or delayed preventive maintenance activities is considered. This example of a r e latively important item of equipment, such as a process con- trol valve, is typical of many such equipment in p rocess plant where RAM, FMECA or RCM analysisdo notprovidesufficient information for decisive decision-making, as the equipment’s failure modes are not significantly high risk but rather medium risk. Where the criticality ratings are not significant (i.e. eviden ce of high critical- ity), as in this case of the control valve, maintenance optimisation becomes difficult, necessitating a review of the risk analysis and decision criteria according to qualita- tive estimates. d) Risk Analysis and Decision Criteria In typical process plant shutdown programs, decisions concerning the extent and timing of component renewal/replacement activities are generally determined by the dominant failure modes that, in effect, relate to less than a third of the program’s total preventive maintenance activities. Criticality ranking or prioritising of equ ip- ment according to the consequences of failure modes is essential for a risk-based maintenance approach, though comparative studies have shown that qualitative risk ranking is, in many cases, just as effective in identifying the key shutdown drivers, often at a fraction of the cost. Typically, these risks can be ranked by designating 5.2 Theoretical Overview of Safety and Risk in Engineering Design 663 Table 5.18 FMECA for cost criticality Component Failure description Failure mode Failure causes Defect. MATL & LAB ($)/failure (incl. damage) Econ. $/failure (prod. loss) Total $/failure (prod. and repair) Risk Cost criticality rating Control valve Fails to open TLF Solenoid valve fails, failed cylinder actuator or air receiver failure $5,000 $68,850 $73,850 6.00 Medium cost Control valve Fails to open TLF No PLC output due to modules electronic fault or cabling $2,000 $30,600 $32,600 6.00 Medium cost Control valve Fails to seal/close TLF Valve disk damaged due to corrosion wear (same causes as ‘ fails to open’) $5,000 $38,250 $43,250 6.00 Medium cost Control valve Fails to seal/close TLF Valve stem cylinders seized due to chemical deposition or corrosion $5,000 $38,250 $43,250 6.00 Medium cost Instrument loop (press. 1) Fails to provide accurate pressure indication TLF Restricted sensing port due to blockage of chemical or physical accumulation $500 $0 $500 2.00 Low cost . 654 5 Safety and Risk i n Engineering Design The actual degree of safety incidents: This is evaluated according to the contri- bution of the actual physical condition of the equipment to its safety, . to quantify, and many of the factors are indeterminable. Cost/risk optimisation in this 656 5 Safety and Risk in Engineering Design Fig. 5.42 a Risk exposure pattern for rotating equipment, b risk-based. effective in identifying the key shutdown drivers, often at a fraction of the cost. Typically, these risks can be ranked by designating 5.2 Theoretical Overview of Safety and Risk in Engineering Design