
SPE 23491

Advanced Fault Tree Analysis in Offshore Applications
D.J. Burns, WS Atkins Engineering Sciences Ltd.

Copyright 1991, Society of Petroleum Engineers, Inc.

This paper was prepared for presentation at the First International Conference on Health, Safety and Environment held in The Hague, The Netherlands, 10-14 November 1991.

This paper was selected for presentation by an SPE Program Committee following review of information contained in an abstract submitted by the author(s). Contents of the paper, as presented, have not been reviewed by the Society of Petroleum Engineers and are subject to correction by the author(s). The material, as presented, does not necessarily reflect any position of the Society of Petroleum Engineers, its officers, or members. Papers presented at SPE meetings are subject to publication review by Editorial Committees of the Society of Petroleum Engineers. Permission to copy is restricted to an abstract of not more than 300 words. Illustrations may not be copied. The abstract should contain conspicuous acknowledgment of where and by whom the paper is presented. Write Librarian, SPE, P.O. Box 833836, Richardson, TX 75083-3836, U.S.A. Telex, 730989 SPEDAL.

ABSTRACT

The Offshore Industry is at present witnessing the emergence of guidelines for Formal Safety Assessments, following the Cullen Inquiry. Two decades ago the Nuclear Industry underwent a similar phase of evolution in safety issues which led to the widespread application of Probabilistic Risk Assessment (PRA). It is proposed that much benefit stands to be gained by developing offshore safety and quality standards along the same rigorous lines as has been done for nuclear safety.

An analytical tool which plays a major part in PRA is Fault Tree Analysis, which has seen a limited application offshore but should, in the author's opinion, be used on a larger scale both in the assessment of safety and in the overall cost/benefit philosophy.

Illustrations of such applications are given from recent offshore safety studies.

INTRODUCTION

Among the numerous analyses which must be carried out on an offshore installation to assure safe and economic operation, four are discussed in this paper, where Fault Tree Analysis [...] equipment must be shown to be acceptably low. Thus the next section presents a schematic model for the main steps to be employed in a QRA, indicating where FTA is applied. While this model makes an additional reference to reliability analysis, the latter is discussed separately, as is availability analysis, which includes safety related events and non-hazardous events. These three types of analysis are finally combined under the common factor of cost, in order to provide a model for assessing the Life Cycle Cost of an installation.

FTA IN HAZARD ANALYSIS

The essence of this type of study is to demonstrate that an installation is safe by assessing the level of risk to the operators, the environment and the equipment associated with all identifiable major hazard events. The risk is generally stated as an estimated frequency of occurrence for a certain level of damage, the definitions of which are generally set out in the Operator's Corporate Safety philosophy or some similar document. FTA plays a major role in estimating the frequency of defined damage levels, as indicated in Figure 1. Damage levels are grouped into the following categories:


Scenarios leading to Major Catastrophes are said to be initiated by Major Hazard Events. These are then quantified on two counts: firstly that their damage effect is calculated by physical models, and secondly that their frequency is estimated. This is often achieved by FTA, when the event is broken down into possible precursors, the estimated frequencies of which are combined using Boolean logic.

It has been noted that the event tree contains postulated mitigating events, whose probability of occurrence needs to be calculated in order to arrive at a final frequency estimation for the catastrophic event. Again FTA is an ideal means of arriving at branch probabilities.
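As an added illustration of the event tree step described above (this is not code from the paper): initiating event frequencies obtained from fault trees are propagated through mitigating branches whose failure probabilities also come from fault trees, the resulting frequencies are summed per damage level across all initiating events, and the totals are compared with acceptance criteria. All initiating events, branch probabilities, damage levels and criteria below are constructed values.

```python
from itertools import product

DAMAGE_LEVELS = ("minor", "major", "catastrophe")

# Constructed initiating event frequencies (per year), as would be obtained
# from fault tree top events such as "gas release in export area".
INITIATING_EVENTS = {
    "gas release, export area": 2.0e-2,
    "gas release, process area": 5.0e-2,
}
# Constructed mitigating branches: (name, probability the barrier fails on
# demand). A reliability fault tree, as for the ESD system, supplies these.
BRANCHES = [("gas detection", 0.05), ("ESD", 0.02), ("deluge", 0.10)]
# Constructed acceptance criteria (events per year) for each damage level.
CRITERIA = {"minor": 1.0e-1, "major": 2.0e-2, "catastrophe": 1.0e-4}


def event_tree_outcomes(initiating_frequency, branches):
    """Frequency (per year) of each damage level for one initiating event.
    Each success/failure combination of the barriers is one path through
    the tree. Branches are treated as independent, so the path probability
    is the product of the branch probabilities; the damage level of a path
    is taken to depend on how many barriers failed (0, 1, 2 or more)."""
    outcomes = dict.fromkeys(DAMAGE_LEVELS, 0.0)
    for failed in product((False, True), repeat=len(branches)):
        path_p = 1.0
        for (_, p_fail), did_fail in zip(branches, failed):
            path_p *= p_fail if did_fail else 1.0 - p_fail
        level = DAMAGE_LEVELS[min(sum(failed), len(DAMAGE_LEVELS) - 1)]
        outcomes[level] += initiating_frequency * path_p
    return outcomes


def total_outcomes(initiating_events, branches):
    """Sum the outcome frequencies over all initiating events considered."""
    totals = dict.fromkeys(DAMAGE_LEVELS, 0.0)
    for frequency in initiating_events.values():
        for level, f in event_tree_outcomes(frequency, branches).items():
            totals[level] += f
    return totals


def meets_criteria(totals, criteria):
    """True per damage level when the summed frequency is within its criterion."""
    return {level: totals[level] <= limit for level, limit in criteria.items()}


if __name__ == "__main__":
    totals = total_outcomes(INITIATING_EVENTS, BRANCHES)
    verdict = meets_criteria(totals, CRITERIA)
    for level, frequency in totals.items():
        print(f"{level:12s} {frequency:.2e} /yr  {'meets' if verdict[level] else 'exceeds'} criterion")
```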

The event tree analysis is carried out for several initiating events, and the frequencies of all similar catastrophic events are summed from all initiating events considered in order to make a comparison with acceptance criteria. Plants which do not meet the criteria will need to have some redesign or, if operational, some back-fitting.

FTA has recently been applied to the hazard analysis of an offshore production platform. Figure 2 gives an example of part of the fault tree for a Gas Release in the Export Area.

FTA IN RELIABILITY ANALYSIS

The reliability of critical safety systems such as Fire and Gas and ESD (Emergency Shutdown) must be demonstrated to be acceptably high.

In the reliability analysis, the top event of the fault tree is represented by failure of the system to function when required by a hazardous situation, and the tree is built up from the possible causes of this system failure, including the failure of the operator to initiate manual action. This type of analysis has been mentioned in the previous section as one of the branch events in the Event Tree Analysis.

Figure 3 shows an example of the tree for the event 'Extra high level in flare KO drum does not give ESD.'

FTA IN AVAILABILITY ANALYSIS

Availability analyses of plant are often carried out as a function of time by simulation techniques. However, mean unavailability over a period of time can be estimated using FTA, and this is useful for vendors wishing to demonstrate the total availability of their systems or to optimize redundancy in equipment or spares holding [3].

Figure 4 shows the scheme for applying FTA to availability modelling. Starting with the plant model, more than one operational mode may be possible, the availability target for each operational mode being different. For each operational mode, a fault tree top event will be definable reflecting the frequency of failure of the plant. A fault tree can then be drawn up to indicate the possible causes of total plant failure which, when provided with failure and repair data for all basic system failure events, will constitute the Integrated Plant Unavailability Model.

Each system failure is then made the top event of a separate fault tree, and a break-down of system failures into component failures carried out. As availability targets can be determined for each system, in order to meet the total plant availability target, it is possible to present vendors with availability targets for their equipment. In some cases the initial target established by the operator cannot be met by the vendor without extra cost, and negotiations may result in a compromise being reached.

The FTA is very useful here in demonstrating the sensitivity of the total plant availability to each system's performance. Thus, not meeting the original system availability target set by the operator could result in:

a) resetting the target for the system availability
b) redesigning the system to meet the original target
c) redesigning the plant to meet the availability target.

Resetting the plant availability target is possible, but unlikely. The above procedure would be repeated for each operational mode.

In calculating unavailability, both failure rates and failure probability on demand, and down time of equipment, are input into the fault tree programme for subsequent processing. Preventive maintenance schedules are also included in the overall assessment.

Fault trees for 'Unavailability' are similar in appearance to fault trees for 'Hazards' but will contain more basic events.
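The following is an added example (not the paper's or SUPER-TREE's code) that ties the reliability fault tree of the previous section to the unavailability inputs listed above: each basic event is given either a failure rate with a repair time (revealed failure) or a failure rate with a proof test interval (unrevealed failure found only on test), the resulting unavailabilities are combined through AND and OR gates, and the top event is the system failing to act on demand. The tree shape loosely follows the branches of Figure 3; all rates, times and the gate structure are assumed values.

```python
import math


def unavailability(rate_per_hour, repair_hours=None, test_interval_hours=None):
    """Mean unavailability of a basic event from its failure and repair data.
    Revealed failure, repaired at once: q = λτ / (1 + λτ).
    Unrevealed failure found only by proof test every T hours:
    q = 1 - (1 - exp(-λT)) / (λT), close to λT/2 for small λT."""
    if repair_hours is not None:
        x = rate_per_hour * repair_hours
        return x / (1.0 + x)
    x = rate_per_hour * test_interval_hours
    return 0.0 if x == 0 else 1.0 - (1.0 - math.exp(-x)) / x


def evaluate(node):
    """Evaluate a basic-event probability or a (gate, [children]) node.
    Events are assumed independent: AND is the product of child values, OR
    is 1 minus the product of the complements (exact, not rare-event sum)."""
    if isinstance(node, (int, float)):
        return float(node)
    gate, children = node
    qs = [evaluate(child) for child in children]
    if gate == "AND":
        return math.prod(qs)
    if gate == "OR":
        return 1.0 - math.prod(1.0 - q for q in qs)
    raise ValueError(f"unknown gate {gate!r}")


# Assumed tree for 'extra high level in KO drum does not give ESD', loosely
# following the branches of Figure 3; all rates (per hour) are constructed.
ESD_TREE = ("OR", [
    ("OR", [                                             # no signal at ESD system
        unavailability(1e-5, test_interval_hours=8760),  # level sensor, annual proof test
        unavailability(2e-6, repair_hours=24),           # break in cable, revealed
    ]),
    ("OR", [                                             # failure in field device
        unavailability(5e-6, test_interval_hours=4380),  # solenoid valve, 6-monthly test
        unavailability(3e-6, test_interval_hours=4380),  # actuator, 6-monthly test
    ]),
    ("AND", [                                            # failure in ESD system
        unavailability(1e-5, repair_hours=8),            # logic channel A, revealed
        unavailability(1e-5, repair_hours=8),            # redundant logic channel B
    ]),
])


def top_event_unavailability(tree=ESD_TREE):
    """Probability that the ESD function fails when demanded (the top event)."""
    return evaluate(tree)
```

With these assumed inputs the annually tested level sensor dominates the top event, which is the kind of sensitivity the text says FTA makes visible when negotiating targets with a vendor.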

FTA IN COST ANALYSIS

In addition to demonstration of a particular vendor's system availability, the operator will wish to calculate the total cost of procuring equipment, running and maintaining the plant and of production loss when the plant stands idle [2, 3].

System designers, reliability engineers and procurement staff should work together to arrive at the cost-optimised availability goal, taking into account initial equipment costs, levels of redundancy, maintenance costs, and cash flow.

The relationship between the parameters involved in Life Cycle Cost considerations is shown in Figure 5.

Availability of operation can, in theory, be increased more and more by investing in more and better equipment. Conversely, at a low level of investment cost, more operational costs are incurred due to plant breaking down. As investment increases so the need for maintenance (operation costs) decreases. Thus the total cost (LCC) passes through a minimum. The reliability engineer, as coordinator between design and procurement, can assist greatly in getting the availability target near to the minimum LCC.

The subjects of the three preceding sections (hazards, reliability and availability) clearly have a significant impact on total costs to the operator. Together with the initial design, installation, commissioning, operating and decommissioning costs, they form a complete Life Cycle Cost picture. While the last named contributions are generally considered to be calculable, costs associated with hazards, reliability and availability are subject to gross uncertainties. Although it is usual to calculate full LCC analysis such as this in military projects, the offshore industry is not as yet generally adopting this approach. However, articles on developments in this direction are beginning to appear in the offshore press.

A programme which combines 'foreseeable' project costs with estimates of 'unforeseeable' costs due to breakdown and hazards has been developed, with the facility to address design alternatives from an LCC viewpoint. Some examples of its application potential are the comparison between overall costs of unmanned or manned platforms, and the relative costs of subsea and platform developments.

CONCLUSIONS

The operation of an offshore installation is beset with a number of risks. These can be subdivided into safety and costs, although the two are intrinsically linked. Safety-related incidents will always affect cost, while down-time incidents will always affect costs, but not always safety.

Examples have been given of the way in which Fault Tree Analysis may be applied to the understanding and quantification of the risks to safety and cost under the headings:

a) hazard analysis
b) reliability analysis
c) availability analysis
d) cost analysis

ACKNOWLEDGEMENT

The author would like to thank ABB Atom, Vasteras, Sweden, for permission to publish this paper.

REFERENCES

1. Hirschberg, S. and Knochenhauer, M.: 'SUPER-NET, a Multi-purpose Tool for Reliability and Risk Assessment'. International Post-SMIRT 10 Seminar 'The Role and Use of PCs in Probabilistic Safety Assessment and Decision Making', Beverly Hills, California, August 21-22, 1989.

2. Bjore, S., Hirschberg, S. and Knochenhauer, M.: 'A Unified Approach to Reliability Analysis'. Society of Reliability Engineers Symposium, Vasteras, Sweden, October 10-12, 1988.

3. Knochenhauer, M., Olsson, L. and Alm, S.: 'Verification of Availability Guarantees in HVDC Projects: Estimation and Optimisation of the Impact from Corrective and Preventive Maintenance'. Reliability Achievement: The Commercial Incentive, SRE Symposium, Stavanger, Norway, October 9-11, 1989.


Figure 1 Use of Fault Tree Analysis in QRA (flow chart recovered from the figure: Plant Model; Identification of Accident Initiating Events; Analysis of Initiating Event Frequency by Fault Tree Analysis; Development of Event Trees; Analysis of Branch Probabilities by Fault Tree Analysis; Consequence Analysis; Does Plant Meet Safety Criteria? No: back to Plant Model; Yes: Demonstration of Meeting Safety Criteria)

Figure 2 Example of a Fault Tree for Gas Release Hazard (SUPER-TREE/4.6 printout, ABB Atom AB, dated 91-08-05; top event 'Gas Release in Export Area', broken down into gas releases from the surface valve assemblies, export wing spools and clamps, hubs and gaskets, export jumper/hose and the pigging tee)

Figure 3 Example of a Fault Tree for ESD Reliability (SUPER-TREE/4.5 printout from the HP KO drum ESD reliability study, dated 91-07-31; top event 'X-high level HP KO drum not give ESD' with three branches: No Signal at ESD System, itself from signal not sent to ESD system (sensor not working, sensor set at wrong signal level, sensor not reset after testing, isolation valve closed), signal does not reach ESD system (break in cable) and system wired incorrectly; Failure in Field Device (solenoid valve failure, actuator failure, failure of fail-safe mechanism from return spring failure or no power supply); Failure in ESD System (failure of ESD input, ESD logic or ESD output))

Figure 4 Use of FTA in Availability Target Calculations (flow chart recovered from the figure: Plant Model; Definition of Operational Modes; Plant Availability Target for Each Mode; Integrated Plant Unavailability Model by fault tree analysis by client/operator; System Model; System Availability Target for Each Mode; System Unavailability Model by fault tree analysis by supplier; Does System Meet Target? No: repeat for each operational mode; Yes to all operational modes: Demonstration of Meeting System Availability Target)

Figure 5 Life Cycle Cost (cost plotted against plant availability, showing the operation costs curve, the life cycle cost curve and the availability target)