Risk-Based Maintenance (RBM):
A New Approach for Process Plant
Inspection and Maintenance
Faisal I. Khan and Mahmoud Haddara
Faculty of Engineering and Applied Science, Memorial University of Newfoundland, St. John’s Newfoundland A1B 3X5, Canada;
fkhan@engr.mun.ca (for correspondence)
Published online 16 November 2004 in Wiley InterScience (www.interscience.wiley.com). DOI 10.1002/prs.10010
This paper discusses recently proposed methodology
for the design of an optimum maintenance manage-
ment program. The methodology is based on integrat-
ing a reliability approach and a risk assessment strat-
egy to obtain an optimum maintenance schedule. The
method is called risk-based maintenance (RBM). First,
the likely equipment failure scenarios are formulated.
Out of the many likely failure scenarios, the ones that
are most credible are subjected to a detailed study.
Detailed consequence analysis is done for the selected
scenarios. Subsequently, a fault tree analysis is per-
formed to determine the probability of failure. Finally,
risk is computed by combining the consequence anal-
ysis and the probability analysis results. The calculated
risk is compared against known acceptable criteria.
The frequency of maintenance tasks is obtained by
minimizing the estimated risk. The proposed method-
ology is used to answer two questions: Which equip-
ment should be included in a scheduled maintenance
program? When should the maintenance be scheduled?
Offshore oil and gas process facilities involve haz-
ardous chemicals (highly flammable and toxic) at ex-
treme conditions of temperature and pressure. Proper
maintenance of process equipment is one of the impor-
tant activities to ensure safe and continuous operation
of the facility. RBM methodology has been used to
develop a detailed maintenance plan for safe and fault
free operation of the facility. © 2004 American Institute
of Chemical Engineers Process Saf Prog 23: 252–265,
2004
Keywords: maintenance planning, risk, risk-based
maintenance, risk assessment, reliability
Presented at the 37th Annual Loss Prevention Symposium, March 31–April 3,
2003, New Orleans, LA.
© 2004 American Institute of Chemical Engineers
252 December 2004
INTRODUCTION
Plant safety is directly linked to the reliability of its
operation. Higher reliability may be achieved through a
robust inspection and maintenance program. This is of
particular importance in process industries because
they deal with hazardous substances under severe op-
erating conditions. For achieving safe and efficient pro-
cess plant performance, it is essential to minimize and,
if possible, to eliminate unscheduled breakdowns (fail-
ures). This could be achieved through an effective and
efficient inspection and maintenance management pro-
gram. In addition to the safety and reliability issues, the
importance of effective and efficient maintenance man-
agement planning cannot be overemphasized. In a
span of 50 years, maintenance policies underwent a
paradigm shift. The concept of maintenance manage-
ment changed from a necessary evil, performed primar-
ily as corrective action, into an integrated part of a total
management system, actively participating in the
achievement of the organization’s main objectives
[1, 2].
At the beginning of the twentieth century, the ASME
Code focused principally on performance criteria to
improve safety and reduce the frequency of failure,
addressing pressure vessel and piping systems in par-
ticular. Later, the importance of risk (event probability
multiplied by the consequences) was recognized as an
important measure of system safety, and it was seen
that risk analysis could be applied to design, material
selection, defect criteria, fabrication, operation, main-
tenance, and inspection. The risk has been, typically,
calculated in terms of cost (economic loss) and human
injury/death per unit time or cycle. The event proba-
bility value can be calculated by considering a number
of influencing variables such as system characteristics
(design, material selection, material defects, fabrica-
Process Safety Progress (Vol.23, No.4)
Table 1. Risk matrix used by ASME SC6000 code.

Event Probability*
Consequence
Severity 100 ⬎ Event Probability ⬎ 10⫺2 10⫺2 ⬎ Event Probability ⬎ 10⫺4
Category Description Frequent (A) Probable (B) Occasional (C) Remote (D)
I Catastrophic 1 1 2 3
II Critical 1 2 3 4
III Marginal 2 3 4 5
IV Negligible 3 4 5 6

*1: high risk; 2: medium risk; 3: low risk; 4, 5, 6: tolerable risk.

tion), human factors, inspection, media, operation, and
maintenance [3– 6].
The ASME tentative standard SC6000 Hazardous Re-
lease Protection provides a risk-based criterion to pro-
tect personnel from hazards where both the probability
of failure of a system or one of its components and the
consequences of personal injury resulting from such
failure are judged [7, 8]. Protection can take many forms
such as remote locations, barriers, containment, con-
trolled venting or suppression, chemical inerting, or
neutralizing. Protection methods usually affect conse-
quences of component failure and performance meth-
ods typically affect event probability of failure. The
proposed ASME SC6000 Hazardous Release Protection
Standard (ASME, tentative standard) was discussed by
Brown [9]. Brown and Brown [7] suggest guidelines
with respect to procedures and criteria in determining
what can be considered a suitable protection from
hazardous release. SC6000 provides risk criteria only
for hazards to personnel (primary receptors); however,
it may also be used to assess risk associated with
economic loss and environmental damage (secondary
and protective receptors). No system limits are im-
posed by SC6000 except as specified by the system
standards and design [3].
The ASME SC6000 involves six main steps [8]. These
are: (1) identification of hazards from pressure systems;
(2) estimate of the magnitude of hazards; (3) perfor-
mance criteria for personnel according to severity cat-
egories; (4) risk assessment using two levels: Level
I—without protective systems and Level II—inclusion
of protective methods; (5) optional redesign of the
source system or an iterative redesign of the protective
system if the risk is not tolerable; and (6) repeat steps 1
to 5 for each hazard and type of receptor as identified.
ASME SC6000 quantifies risk on a scale of 1 to 6
based on a 4 ⫻ 4 matrix of event probability (A, B, C,
D) vs. consequence severity (I, II, III, IV) as shown in
Table 1 [8]. A risk of 3 or greater is considered a
tolerable risk (Table 1).
The concept of risk-based inspection and mainte-
nance (RBI) was developed to achieve tolerable risk
criteria. In this policy, the high-risk components are
inspected and maintained with greater frequency than
that used to inspect components associated with lower
risk. RBI is a part of a broader risk management pro-
gram that considers not only the assessment of on-site
safety issues, but also takes into account other factors
such as the off-site risk to the surrounding communi-
ties, environment, and the costs associated with busi-
ness interruption. In applying the RBI process to a
plant, the facility needs to be considered in terms of
individual process units, systems within these units,
and components that constitute these systems. The
extent of the breakdown in process, system, and com-
ponent depends on the particular system being consid-
ered [2, 3, 6].
The proposed RBM methodology aims at optimizing
maintenance tasks while maintaining a high level of
equipment availability. This is achieved by a study of
all possible failure modes, determining a realistic esti-
mate for the level of risk associated with each failure
mode, and designing a maintenance strategy that min-
imizes the occurrence of the high-risk failure modes.
This paper has two main objectives: (1) to present a
brief description of the methodology and (2) to discuss
its application to an offshore process facility. This case
study serves to illustrate the methodology and shows
the type or results that can be expected from such a
method.
THE RISK-BASED MAINTENANCE METHODOLOGY
The recently proposed risk-based maintenance
(RBM) methodology aims to reduce the overall risk of
the operating facilities [6]. In areas of high and medium
risk, a focused maintenance effort is required, whereas
in areas of low risk the effort is minimized. RBM sug-
gests a set of recommendations on how many preven-
tive tasks (the type and frequency) are required. The
quantitative value of risk is the basis for prioritization of
inspection and maintenance activities. Detailed de-
scription of the methodology is presented in the sub-
sequent sections.
The RBM methodology is composed of three mod-
ules that are interactively linked. The RBM process
starts with dividing the complete system under study
into small manageable units. Each unit is subjected to
the different steps shown in Figures 1, 2, and 3. The
risk, computed for a specific failure scenario(s) of a
unit, is compared against the acceptance criteria. If the
risk exceeds the criteria, the failure scenario is revalu-
ated for optimal maintenance/inspection duration that
would bring down the exceeded risk to an acceptable
level. This process is repeated for each unit. Results

Process Safety Progress (Vol.23, No.4) December 2004 253

Figure 1. Description of risk estimation module.
obtained for all units are combined to develop an
overall maintenance plan for the system. Detailed de-
scription of each step of RBM methodology is pre-
sented in a subsequent section.
Module I: Risk Estimation
This module is composed of four steps that are
logically linked, as shown in Figure 1. A brief descrip-
tion of each step is presented below.
Step I.1: Failure Scenario Development
A scenario is a description of a typical situation (a set
of possible events or situations) that leads to failure event.
It is the basis of risk study; it tells us what may happen so
that we can devise ways and means of preventing or
minimizing the possibility of its occurrence. The expecta-
254 December 2004
tion of a scenario does not mean it will indeed occur, but
that there is a possibility of its occurrence. Failure scenar-
ios are generated based on the operational characteristics
of the system, physical conditions under which operation
occur, geometry of the system, and safety arrangements.
Recently Khan [10] proposed a systematic procedure—
maximum credible accident scenario (MCAS)—to eval-
uate failure (accident) scenarios in a process system.
The developed failure scenarios may be screened to
shortlist those that are more relevant for the scope of
the study. This approach optimizes the effort without
compromising the accuracy of the overall study results.
It is advisable to consider one or two most appropriate
failure scenarios for each unit. MCAS may be used as a
tool to shortlist (screen unimportant scenarios) failure
scenarios.
Process Safety Progress (Vol.23, No.4)
Figure 2. Description of risk evaluation model.
Step I.2: Consequence Assessment
The objective here is to quantify the potential con-
sequences of the credible failure scenario. Initially,
consequences are quantified in terms of damage radii
(the radius of the area in which the damage would
readily occur), damage to property, and toxic effects
(chronic/acute toxicity). The calculated damage radii
are later used to assess human health and environmen-
tal and production losses (in terms of dollars). This
allows one to distinguish between prioritization per-
formed on each category. It is of great practical benefit
to separate the consequences of failure analysis from
the consequences of failure mode analysis.
The assessment of consequences involves a wide
variety of mathematical models. For example, source
models are used to predict the rate of release of haz-
ardous materials, the degree of flashing, and the rate of
evaporation. Models for explosions and fires are used
to predict the characteristics of explosions and fires.
The impact-intensity models are used to predict the
Process Safety Progress (Vol.23, No.4)
damage zones attributed to fires, explosion, and toxic
load. Finally, toxic gas models are used to predict
human response to different levels of exposures to
toxic chemicals. There are many computational tools
available to conduct this step such as WHAZAN-II,
PHAST, SAFETI (DNV, The Netherlands), OHRA toolkit
(DNV, Norway), RISK (AEA technology, UK), and
SQRM (Electrowatt Ltd., UK), and MAXCRED (CPET,
India). A review of these software capabilities and de-
tails of MAXCRED are discussed in Khan and Abbasi
[11]. MAXCRED is one of the recent tools that uses the
latest models of fires, explosions, and toxic release and
dispersion [11] to calculate damage radii. The main data
inputs required by MAXCRED are: operating tempera-
ture, operating pressure, physicochemical properties
(phase, heat of combustion, densities, etc.), atmo-
spheric conditions (temperature pressure, wind speed),
and level of confinement. MAXCRED is available from
the author (Faisal Khan) for academic use.
December 2004 255
Figure 3. Description of maintenance planning module.
The total consequences assessment is a combination
of four major categories of consequences (described
below). The method of quantification of these four
categories may change according to the scope of the
study undertaken. In the present context—process op-
eration—these are defined as follows.
System performance loss. Factor A accounts for the
system’s performance loss resulting from failure of the
system or part of the system. This is estimated in terms
of dollars lost using the following equation:
A i ⫽ total time lost ⫻ loss rate (1)
Loss rate ($/time) depends on the importance of the
unit to the production system.
256 December 2004
Financial loss. Factor B accounts for the damage to
the property of asset lost and may be estimated for each
accident scenario using the following relation:
B i ⫽ damage area ⫻ asset density (2)
B⫽ 冘B
i⫽1,n
i (3)
where i denotes the number of events, such as fire,
explosion, toxic release, and the like. Asset density is
measured in terms of $/area.
Human health loss. Similar to the factor for financial
loss, the human health loss factor is estimated in terms
Process Safety Progress (Vol.23, No.4)
Figure 4. Simplified process flow diagram of process operation on a typical offshore platform.
of dollars for each accident scenario using the follow-
ing equation:
C i ⫽ damage area ⫻ population density ⫻ PDF (4)
⫻ dollar value of human health
C⫽ 冘C
i⫽1,n
i (5)
The PDF defines the population distribution factor,
which reflects the heterogeneity of the population dis-
tribution. If the population is uniformly distributed in
the region of study (⬃500 m radius), the factor is
assigned a value of 1; if the population is localized and
away from the point of accident occurrence the lowest
value 0.2 is assigned. Values for this parameter have
been adapted from the latest work of Hirst and Carter
[12]. Population density is measured in terms of popu-
lation per unit area. The dollar value of human health
will change from place to place and will also depend
on the extent of the work stress. In the present work a
value of 1.0E⫹6, is used.
Environment and/or ecological loss. Factor D ac-
counts for ecosystem damage, which can be estimated
as
D i ⫽ damage area ⫻ IM ⫻ environment media (6)
⫻ dollar value of environmental damage
冘D
D⫽ i (7)
i⫽1,n
Process Safety Progress (Vol.23, No.4)
IM is the importance factor and ranges from 0.1 to 1.0.
If the damage radius is higher than the distance be-
tween the accident location and the location of sensi-
tive ecosystem, a value of 1.0 is taken. This parameter
is quantified with the help of earlier work of Khan and
Abbasi [13]. The following values are suggested for the
environment media: 0.1 for air (coastal zone), 0.5 for
water body, and 0.8 for soil.
Step I.3: Probabilistic Failure Analysis
Probabilistic failure analysis is conducted using fault
tree analysis (FTA), which is an analytical tool that uses
deductive reasoning to determine the occurrence of an
undesired event. One can use a fault tree analysis along
with component failure data and human reliability data
to determine the frequency of occurrence of an event
or probability of failure for defined period of time.
In this step of RBM, fault trees are constructed for
various likely initiating events, which may eventually
lead to the “top” event or the failure scenario. To
facilitate probabilistic fault tree analysis a methodology
designated “analytical simulation” and a complete au-
tomated tool—PROFAT—was also developed. It is be-
yond the scope of this paper to discuss details of
methodology and the automated tool. Interested read-
ers may see details in Khan and Abbasi [14, 15]. PRO-
FAT is available from the author free of charge for
academic use.
Step I.4: Risk Estimation
Based on the results of the consequence analysis
and probabilistic failure analysis, the risk posed by
each unit was estimated. The consequence analysis
December 2004 257
Table 2. Failure scenarios and their likely consequences in terms of dollars lost.

Accidence Consequences**
Section Scenario* Accidence Scenario Description (million dollars lost)
Separation BLEVE Explosure release of crude oil from 186.12
section followed by any of the unit which on burning
fire ball causing heat, shock wave, and toxic
load
Low-pressure BLEVE Release of hydrocarbon gas from any 40.74
compression followed by of the unit which on burning
section fire ball causing heat, shock wave, and toxic
load
Medium-pressure BLEVE Instantaneous Release of hydrocarbon 382.17
compression followed by gas from any of the unit which on
section fire ball burning causing heat, shock wave,
and toxic load
High-pressure BLEVE Explosive release of hydrocarbon gas 814.70
compression followed by from any of the unit which on
section fire ball burning causing heat, shock wave,
and toxic load

*BLEVE, boiling liquid expanding vapor explosion.

**Appendix I provides an illustrative example of how the consequences are converted to dollar values.

encompasses factors of fatality, economics, the envi-
ronment, and the system performance losses. Thus, the
level of risk calculated reflects the total risk for the
system. The computed risk will be evaluated against
the acceptance criteria in the next module.
Module II: Risk Evaluation
This module of RBM is aimed to evaluate the earlier
computed risk through the algorithm shown in Figure
2. This module consists of two steps as detailed below.
Step II.1: Setting Up Acceptance Criteria
As acceptance of risk may be different from one
organization to another and from one system to an-
other; the present authors have suggested an open-
ended methodology. In this step the user sets up risk
acceptance criteria that depend on the scope of the
study, the criticality of the system, and the policy or
strategy of the organization. Some of the commonly
used risk criteria are ALARP (as low as reasonably
possible), HSE land use planning criteria, Dutch crite-
ria, and Advisory Committee on dangerous substances
(ACDS) risk criteria. For example, according to Dutch
risk criteria, risk of one or less fatality, having proba-
bility of occurrence 10⫺5 (per year), is acceptable.
Step II.2: Risk Comparison against Acceptance Criteria
The risk computed in Module I is compared against
the risk acceptance criteria setup in the previous step.
A unit/component whose risk exceeds the acceptance
criteria is marked for further analysis to reduce its risk.
The exercise is repeated for all the units/components
of the system. The marked units are subsequently pro-
cessed in Module III for maintenance planning.
Module III: Maintenance Planning
Units marked in Module II are studied in detail to
reduce the risk through optimal maintenance planning.
This module consists of two steps, which are logically
linked, as shown in Figure 3. A brief account of each
step is discussed below.
Step III.1: Estimation of Optimal Maintenance Duration
Units whose risk exceeds the acceptance criteria are
each subjected to detailed investigation. The investiga-
tion includes identification of basic causes of failure
and their functions. Using these details a reverse fault
tree analysis is conducted for a targeted value of top
event (component failure probability/rate). This analy-
sis gives an optimal maintenance time for the compo-
nent under study. This process is repeated for all units/
components in this category. A maintenance plan can
then be developed based on maintenance times arrived
at in the previous step.
Step III.2: Reestimation and Reevaluation of Risk
This is an optional step and aimed at verifying that
the maintenance plan developed will produce an ac-
cepted risk level for the complete system. In this step,
step 4 of Module I and step 2 of Module II are repeated
using revised values for the failure probabilities. The
result of this step will clearly determine whether the
developed maintenance plan is effective in the manag-
ing risk.
Application of RBM to an Offshore Process
Facility
Process Description
The above methodology has been used to develop a
maintenance plan for a process facility on an offshore

258 December 2004 Process Safety Progress (Vol.23, No.4)

Table 3. Results of consequence (output of MAXCRED) for probable failure scenario of separation section.

Parameter Value
Explosion: BLEVE
Total energy released, kJ 7.0E⫹06
Peak overpressure, kPa 199.00
Variation of overpressure in air, kPa/s 136.00
Shock velocity of air, m/s 511.00
Duration of shock wave, ms 37.0
Missile characteristics
Initial velocity, m/s 39.00
Kinetic energy of fragment, kJ 1.47E⫹03
Fragment velocity at study point, m/s 38.00
Penetration ability at study point (based on empirical models)
Concrete structure, m 0.005
Brick structure, m 0.007
Steel structure, m 0.003
Damage radii (DR) for various degrees of damage due to overpressure
DR for 100% damage, m 20
DR for 100% fatality or 50% damage, m 30
DR for 50% fatality or 25% damage, m 44
Damage radii (DR) for various degrees of damage due to missile
DR for 100% damage or 100% fatality, m 1046
DR for 50% damage or 100% fatality, m 1131
DR for 100% fatality or 10% damage, m 1208
Fire: fireball
Radius of the fireball, m 245.00
Duration of the fireball, s 100.00
Energy released by fireball, kJ 8.85E⫹08
Radiation heat flux, kJ/m2 337,993.00
Damage radii (DR) due to thermal load
DR for 100% fatality/damage, m 177
DR for 50% fatality/damage, m 222
DR for 100% third degree of burn, m 256
DR for 50% third degree of burn, m 329
Toxic release and dispersion
Box instantaneous model: evevated source
Concentration at distance of 200 m, kj/m3 2.56E-01
Heavy gas puff characteristics
Ground level concentration of puff, kg/m3 1.52E-01
Ground level concentration on puff axis, kg/m3 1.52E-02
Cloud radius, m 5.51E⫹02
Maximum distance traveled by the cloud, m 6.56E⫹02
Maximum ground level concentration, kg/m3 2.91E⫹02
Damage radii (DR) for various degrees of damage
DR for 100% lethality, m 6084
DR for 50% lethality, m 7820
DR for 10% lethality, m 14,011

Process Safety Progress (Vol.23, No.4) December 2004 259

Figure 5. Fault tree for failure scenario in separation section; basic events (numbers in circle) are explained in
Table 4.
platform. The purpose of the offshore production plat-
form is to operate the wells, and to separate the fluid
produced from the wells into oil, gas condensate, gas,
and water. The well fluid passes through separators
where it is separated into the four major components.
The oil and gas condensate are subsequently pumped
to an onshore facility. Gas is compressed using centrif-
ugal compressors. Compressed gas is passed through
the flash drum where the pressure is reduced. The
resulting condensate is separated out. The gas is sub-
sequently dried and purified. It is further compressed
to higher pressure using reciprocating compressors.
Part of the gas is used at the wells and for power
generation on the platform. The remaining gas is
pumped back with a small amount being flared. A
simplified process flow diagram is presented in Fig-
ure 4.
Module I: Risk Estimation
Failure scenarios. The complete process system has
been divided into four functional subsystems according
to their operational characteristic (Figure 4). The most
credible failure scenarios developed for each sub-
260 December 2004
system (section) are listed in Table 2. These failure
scenarios have been subjected to consequence assess-
ment.
Consequence analysis. Consequence analysis has
been carried out for all envisaged failure scenarios for
each of the four subsystems. Because most of the units
involve processing of chemicals at extreme operating
conditions (high temperature and pressure), the con-
sequences of any failure would be extensive. Table 3
shows the results of a typical failure scenario (results of
MAXCRED) in the separation section. It is evident from
the table that release of crude oil and its combustion
would cause severe consequences. A devastating
shock wave can be expected to cover an area of more
than 40 m radius, a lethal heat load would be operative
over an area of more than 325 m radius, and a toxic
load is likely to build up over an area of 14 km radius.
These consequences clearly indicate that most of the
facilities and personnel on board are likely to be af-
fected by any such eventuality. This indicates that the
consequences will result in human fatalities as well as
environmental damage. To homogenize the conse-
quences and bring them to the same scale, we have
Process Safety Progress (Vol.23, No.4)
Table 4. Details of separation section.

Unit Number in Failure Revised Failure

Figure 5 Unit Name Frequency* (h⫺1) Frequency** (h⫺1)
1 High-pressure separator 1.50E-05 7.50E-06
2 Valve 100 5.70E-5 4.60E-5
3 Mixer 100 1.50E-4 1.50E-4
4 Medium-pressure separator 3.30E-5 1.50E-5
5 Valve 101 2.50E-4 2.24E-5
6 Mixer 101 1.57E-4 1.50E-4
7 Heater 100 4.60E-5 2.32E-5
8 Low-pressure separator 6.35E-6 3.20E-6
9 Valve 102 1.56E-4 1.84E-5
10 Cooler 101 7.1E-5 7.1E-5

Safety Arrangements Installed (Figure 6)

11 Distributed node for 9.71E-5 9.71E-5
hydrocarbon detection
12 Flame detector 7.36E-6 7.36E-6
13 Fire suppression system 5.00E-6 5.00E-6
14 Distributed emergency 1.39E-4 1.39E-4
shut down system

*Failure data obtained from OREDA [16].

**Failure frequencies calculated on the basis of target risk value.

Table 5. Typical out from PROFAT software.

Event Not Improvement

Occurring Failure Frequency (h⫺1) Improvement Index
0 5.232692e-04 0.000000e⫹00 0.000000
1 5.083382e-04 5.972394e-05 2.856901
2 4.663616e-04 2.276302e-04 10.88871
3 5.233288e-04 2.383895e-07 0.011403
4 4.903674e-04 1.316071e-04 6.295438
5 2.673715e-04 1.023591e-03 48.96358
6 5.232692e-04 1.455192e-10 0.000007
7 5.233288e-04 2.383895e-07 0.011403
8 5.169809e-04 2.515325e-05 1.203208
9 3.673881e-04 6.235243e-04 29.82635
10 5.233288e-04 2.383895e-07 0.011403

expressed all losses (functionality, assets, human, and
environment) in terms of dollars. The last column of
Table 2 illustrates the results of consequences analysis
in terms of lost dollars. How these are calculated is
shown with help from an example in Appendix A. It
may be concluded from this analysis (Table 2) that the
high-pressure compression section is likely to cause
maximum damage, whereas the low-pressure com-
pression section is likely to cause the least conse-
quence. It is worth mentioning that each section con-
sists of a set of units, and the consequences are
estimated for the most credible accident scenario in the
section.
Probabilistic failure analysis. To calculate the risk
factor for each processing section, it is necessary to
know the probability of occurrence of the envisaged
failure scenario. This will be done in this step. First, a
fault tree is developed for the failure scenario in a
particular processing section. Figure 5 illustrates the
typical fault tree for separation section. The developed
fault trees are subsequently simulated using analytical
simulation approach and PROFAT software. The failure
data for basic events (causes) used in the simulation
study are adopted from OREDA [16]. Table 4 lists the
failure data adopted from OREDA [16] and Lees [17] for
the separation section. Typical output of PROFAT for a
failure scenario in the separation section is shown in
Table 5. The right-hand column of the table indicates
the importance factor, which illustrates the percentage
contribution of each basic event in producing this sce-
nario. It may be seen from Table 5 that event 5 (Valve
101) is contributing about 48% to the accident followed

Process Safety Progress (Vol.23, No.4) December 2004 261

Table 6. Results of risk estimation and evaluation module.
Failure Frequency
of Envisaged
Section Scenario (h⫺1)
Separation 5.23E-4
section
Low-pressure 3.59E-4
compression
section
Medium-pressure 1.34E-07
compression
section
High-pressure 1.02E-06
compression
section
*Details of how these numbers (risk) are derived are shown in Appendix A.
by event 9 (valve 102), event 2 (valve 100), and event
4 (moderate pressure separator). Controlling or main-
taining these events will significantly reduce the total
probability of occurrence of failure. Similar studies
were conducted for the other units.
Risk computation. In this step, the results of conse-
quence and probabilistic analyses are combined to
quantify the risk factors. The risk factor for each pro-
cess section is shown in Table 6. It is evident from the
table that the separation section has the maximum risk
factor of 973.4E⫹2 $/h, and the medium compression
section has the lowest risk factor of 51.3 $/h. The
acceptable risk criterion for the present problem is
considered as 1.0 $/h; any value higher than this is
unacceptable.
Module II: Risk Evaluation
By studying the risk factors estimated for the differ-
ent sections, it is evident that the estimated risk factors
for all units exceed multiple times the acceptance level.
This indicates that maintenance and inspection plan
alone may not be sufficient to reduce risk, and thus
additional safety measures are needed. In consider-
ation of these facts, additional safety measures have
been suggested for the most vulnerable units of each
section (see last four columns of Table 4) and a new
maintenance schedule was developed. The details are
discussed in next section.
Module III: Maintenance Planning
As a first step of this study, additional safety mea-
sures are suggested for each section according to its
requirements. Table 6 lists the suggested safety mea-
sures. An effective maintenance and inspection plan is
developed for each section. To illustrate the procedure,
262 December 2004
Risk Factor* Suggested Additional
($/h) Safety Measures
9.73E⫹4 • Distributed node for
hydrocarbon detection
• Flame detector
• Fire suppression
system
• Distributed emergency
shutdown system
1.45E⫹4 • Fire suppression
system
• Distributed emergency
shutdown system
51.28 • Fire suppression
system
529.11 • Fire suppression
system
• Distributed emergency
shutdown system
the details of the study for the separation section are
given as follows:
• A fault tree for the separation section failure sce-
nario is redeveloped after implementing addi-
tional safety measures, as shown in Figure 6.
• A reverse fault tree analysis is conducted by as-
signing a desired failure probability to the top
event (failure scenario of the unit). This assigned
value for the failure probability is estimated con-
sidering acceptable risk value. For example, for
the separation section it is calculated as 5.373 ⫻
10⫺9.
• The reverse fault tree analysis gave the optimal
times at which maintenance/inspection is to be
performed. For example, the optimal mainte-
nance/inspection duration of Valve 101 is esti-
mated as 32 days. Details of the steps involve in
estimating maintenance/inspection intervals with
example are presented in Appendix B.
• Using the revised failure frequency (rightmost col-
umn of Table 6) obtained by adding the safety
measures and maintenance plan, fault tree analy-
sis is reconducted. The failure probability is cal-
culated as 1.928 ⫻ 10⫺9. Using this value and
dollar consequences value (186.12 ⫻ 106) the risk
factor is calculated as 0.36 $/h. This value if far
less than 1 $/h (target risk value); therefore, it is
safe to say the developed maintenance plan along
with safety measures are able to maintain the risk
in acceptable region.
• These steps are repeated for each unit of the
system to estimate the optimal maintenance
and/or inspection times. The detailed results for
all four sections and their units are shown in Table
Process Safety Progress (Vol.23, No.4)
Figure 6. Revised fault tree for failure scenario in separation section after taking into account additional safety
measures.
7. How these maintenance/inspection intervals
are calculated is shown in Appendix B with illus-
trative examples.
Revised risk factors for all four sections have been
calculated using the results of the previous section. The
values for the revised risk factors are shown in the last
column of Table 7. It is seen that the revised risk factors
are well within acceptable limits.
DISCUSSION AND CONCLUSIONS
In this paper we have briefly discussed the recently
proposed methodology for a risk-based maintenance
strategy. The methodology is more comprehensive and
Process Safety Progress (Vol.23, No.4)
quantitative than available methodologies and is com-
posed of three main modules: (1) risk estimation mod-
ule, (2) risk evaluation module, and (3) maintenance
planning module.
The paper illustrates the applicability of the meth-
odology to an offshore process facility. Among the four
sections of the system, the separation section was iden-
tified to have the highest risk factor. Additional safety
measures are suggested and implemented to reduce
the probability of failure occurrence. A maintenance
program is designed by using the revised system. It has
been demonstrated that this strategy reduces the high
level of risk to an acceptable level.
December 2004 263
Table 7. Results of risk estimation and evaluation • How frequent should inspection/maintenance
module.* tasks be to control these failures?
Such a maintenance planning approach is expected
Maintenance Revised Risk to provide a cost-effective maintenance program. The
Schedule Factor** risk-based approach minimizes the consequences (re-
Section and Units (days) ($/h) lated to safety, economics, and environment) of a sys-
Separation section tem outage/failure. This will, in turn, result in a better
Valve 101 32 asset and capital utilization. A risk-based maintenance
Mixer 100 270 plan can be used to improve the existing maintenance
High-pressure 365 policies through optimal decision procedures in differ-
separator ent phases of the life cycle of a system.
Medium-pressure 165 The failure of a system is rarely the result of a single
separator failure, but rather the result of a combination of a series
Valve 100 30 0.36 of interacting events. As a result, risk-based mainte-
Mixer 101 270 nance must not be perceived as a static exercise to be
Heater 100 365 performed once. It is a dynamic process, which must
Low-pressure 365 be updated and upgraded as additional information
separator becomes available. In other words, risk-based mainte-
Valve 102 43 nance must be performed iteratively using new infor-
Cooler 101 365 mation that becomes available with time.
Low-pressure
APPENDIX A
compression
section Consequence Analysis
Low-pressure 98
scrubber General Input Data
Cooler 98 0.035
Low-pressure 37 • Loss rate: 1000 $/h
compressor • Asset density: 500 $/m2
Mixer 190 • Total population on the platform: 50 people
Medium-pressure • PDF: 0.2
compression • Environmental loss value: 100,000 $/km2
section • Human health loss value: 1.0 ⫻ 106 $/person
Medium-pressure 88
Specific Data for Separation Section
scrubber
Cooler 365 0.013 • Hours lost: 500 h
Medium-pressure 42 • Damage radii: 329 m
compressor • Environmental damage radii: 14 km
Mixer 106 • Importance factor: 0.1
High-pressure • Functionality loss (A) ⫽ 500 ⫻ 1000 ⫽ 0.5 ⫻ 106
compression • Asset loss (B) ⫽ ␲ ⫻ 329 ⫻ 329 ⫻ 500 ⫽ 170.02
section ⫻ 106
High-pressure 37 • Human health loss (C) ⫽ 50 ⫻ 0.2 ⫻ 1 ⫻ 106 ⫽
scrubber 10.0 ⫻ 106
High-pressure 18 0.64 • Environmental damage (D) ⫽ ␲ ⫻ 14 ⫻ 14 ⫻ 0.1
compressor ⫻ 100,000 ⫽ 6.1 ⫻ 106
Cooler 365 • Total loss ⫽ 186.12 ⫻ 106
Mixer 190 • Failure frequency ⫽ 5.230 ⫻ 10⫺4/h
• Consequences ⫽ 186.12 ⫻ 106
*Sample calculations are shown in Appendix B. • Risk factor ⫽ 5.230 ⫻ 10⫺4 ⫻ 186.12 ⫻ 106 ⫽
**Risk factors after incorporating additional safety mea- 97,340 $/h
sures and maintenance schedule.
APPENDIX B

Maintenance/Inspection Interval Calculations

Risk assessment integrates reliability analysis with
safety and environmental issues. Risk-based mainte- Separation Section
nance uses the answers to the five following questions
• Risk factor without safety measures and mainte-
in developing an optimum maintenance strategy:
nance plan ⫽ 97,340 $/h
• What can cause the system to fail? • Target risk factor ⫽ 1 $/h
• How can it cause the system to fail? To achieve this target risk, two major steps are taken
• What are the consequences of failure? to improve the probability of occurrence of the failure
• How probable is the failure? scenario:

264 December 2004 Process Safety Progress (Vol.23, No.4)

 1. Safety measures are design and implemented:
There are four safety measures suggested, the de-
tails of which are given in Tables 4 and 6.
2. Maintenance and inspection plan is developed
based on optimal interval (details of this are given
below).
• Target failure frequency (based on target risk) ⫽
1/186.12 ⫻ 106 ⫽ 5.37 ⫻ 10⫺9/h
• Annual failure probability related to this target
frequency (8760 h) ⫽ 4.70 ⫻ 10⫺5
• This failure probability is used as target failure
probability in the fault tree (top event probabil-
ity), and a reverse analysis is conducted to calcu-
late failure probability of basic units such as
valves (100, 101, 102), mixer, etc. The details for
valve 101 and mixer are given below.
Valve 101
• Earlier failure frequency ⫽ 2.56 ⫻ 10⫺4/h
• Annual probability of failure (8760 h) ⫽ (1 ⫺
⫺4
␭t ⫺2.56⫻10 ⫻8760
e ) ⫽ (1 ⫺ e ) ⫽ 0.8938
• Required annual failure probability that helps to
achieve the target failure probability of this sec-
tion (separation section, 4.70 ⫻ 10⫺5) ⫽ 0.1787
• Maintenance and inspection interval required to
achieve this target probability
⫺ln关1 ⫺ p兴 ⫺ln关1 ⫺ 0.1787兴
⫽ ⫽ 32 days
␭ 2.56 ⫻ 10⫺4
Mixer
• Earlier failure frequency ⫽ 1.5 ⫻ 10⫺4/h
• Annual probability of failure (8760 h) ⫽ (1 ⫺
␭t ⫺4
⫺1.5⫻10 ⫻8760
e ) ⫽ (1 ⫺ e ) ⫽ 0.7312
• Required annual failure probability that helps to
achieve the target failure probability of this sec-
tion (separation section, 4.70 ⫻ 10⫺5) ⫽ 0.6216
• Maintenance and inspection interval required to
achieve this target probability
⫺ln关1 ⫺ p兴 ⫺ln关1 ⫺ 0.6216兴
⫽ ⫽ 270 days
␭ 2.56 ⫻ 10⫺4
LITERATURE CITED
1. E.G. Frankel, System reliability and risk analysis, Klu-
wer Academic, Dordrecht, The Netherlands, 1998.
2. S. Apeland and T. Aven, Risk based maintenance
optimization: Foundation issues, Reliability Eng
Syst Safety 67 (2000), 285–292.
3. S.J. Brown and I.L. May, Risk-based hazardous re-
Process Safety Progress (Vol.23, No.4)
lease prevention by inspection and maintenance, J
Pressure Vessel Technol 122 (2000), 362–367.
4. F.I. Khan and S.A. Abbasi, Safe maintenance prac-
tice, Chem Ind Digest March (1998a), 91–105.
5. F.I. Khan and S.A. Abbasi, Risk assessment in
chemical process industries: Advanced techniques,
Discovery Publishing House, New Delhi, India,
1998b.
6. F.I. Khan and M. Haddara, Risk-based maintenance
(RBM): A quantitative approach for maintenance/
inspection scheduling and planning, Transaction of
IChem Process Safety and Environmental Protec-
tion, 82(B6), 1–14.
7. S.J. Brown and T.J. Brown, Hazardous release pro-
tection: Code and standard considerations for pres-
sure systems, Proc Safety Prog 14 (1995), 244 –256.
8. American Society of Mechanical Engineers (ASME),
American Society of Mechanical Engineers Code
Committee SC6000, Hazardous release protection,
ASME, New York, 2000.
9. S.J. Brown, An overview of the proposed ASME Code
BPTC/HPSC SC6000, Hazardous release protection,
Process Safety Symp, 1994, Vol. 1, Feb.–Mar.
10. F.I. Khan, Maximum credible accident scenario for
realistic and reliable risk assessment, Chem Eng
Prog November (2001), 55– 67.
11. F.I. Khan and S.A. Abbasi, MAXCRED—A new soft-
ware package for rapid risk assessment in chemical
process industries, Environ Model Software 14
(1999a), 11–25.
12. I.L. Hirst and D.A. Carter, A “worst case” method-
ology for risk assessment of major accident instal-
lations, Proc Safety Prog 19 (2000), 78 – 82.
13. F.I. Khan and S.A. Abbasi, Accident hazard index:
A multi-attribute scheme for process industry haz-
ard rating, IChemE Environ Protect Safety 75B
(1997), 217.
14. F.I. Khan and S.A. Abbasi, PROFAT: A user-friendly
system for probabilistic fault tree analysis, Proc
Safety Prog 18 (1999b), 42– 49.
15. F.I. Khan and S.A. Abbasi, Analytical simulation
and PROFAT II: A new methodology and a com-
puter automated tool for fault tree analysis in
chemical process industries, J Hazard Mater 75
(2000), 1–27.
16. Orissa Renewable Energy Development Agency
(OREDA), Offshore reliability data handbook, 3rd
ed., DNV Veritasveien 1, N-1322 Hovik, Norway,
1997.
17. F.P. Lees, Loss prevention in CPI, Butterworths,
London, 1996.
December 2004 265