Kevin Mullen
Risk
What is Risk?
Risk is assessed on two axes, Consequence and Likelihood:

Consequence \ Likelihood ->   Never heard of   Has occurred   Has occurred   Occurs often   Occurs often
                              in industry      in industry    in company     in company     at site
Multiple fatality             HIGH             HIGH           VERY HIGH      VERY HIGH      VERY HIGH
APPENDIX A: ENTERPRISE-WIDE RISK RANKING MATRIX

Enterprise-Wide Risk Ranking Matrix

SEVERITY OF CONSEQUENCES (columns)

(1) Threat to Enterprise (Catastrophic)
    PERSONNEL – Multiple (five or more) fatalities.
    COMMUNITY – Widespread impact to nearby communities.
    ENVIRONMENTAL – Long term environmental impact, and/or adverse, worldwide publicity.
    FACILITY – Total destruction of installation(s) estimated at a cost greater than $100,000,000; extended facility shutdown, and/or potential for permanent closure. For floating production systems, loss of floating structure.

(2) Major
    PERSONNEL – One or several fatalities, limited to immediate area of incident.
    COMMUNITY – One or more severe injuries.
    ENVIRONMENTAL – Significant release with serious off-site impact and more likely than not to cause immediate or long-term health effects.
    FACILITY – Damage to installation(s) estimated at a cost greater than $10,000,000 but less than $100,000,000; downtime in excess of 90 days.

(3) Serious
    PERSONNEL – One or more severe injuries, including permanently disabling injuries.
    COMMUNITY – One or more minor injuries.
    ENVIRONMENTAL – Significant release with serious off-site impact.
    FACILITY – Damage to process area(s) at an estimated cost greater than $1,000,000 but less than $10,000,000; 10 to 90 days of downtime.

(4) Minor
    PERSONNEL – Single injury, not severe, possible lost time.
    COMMUNITY – Odor or noise complaint from the public.
    ENVIRONMENTAL – Release which results in Agency notification or Permit violation.
    FACILITY – Some equipment damage at an estimated cost greater than $100,000 but less than $1,000,000; 1 to 10 days of downtime.

(5) Incidental
    PERSONNEL – Minor or no injury, no lost time.
    COMMUNITY – No injury, hazard, or annoyance to the public.
    ENVIRONMENTAL – Environmentally recordable event with no Agency notification or Permit violation.
    FACILITY – Minimal equipment damage at an estimated cost less than $100,000; negligible downtime.

LIKELIHOOD OF OCCURRENCE (rows)

(1) Frequent – Incident is very likely to occur at this facility, possibly several times during its lifetime. Statistical probability P > 10^-2.
(2) Occasional – Incident may occur at this facility some time during its lifetime. Statistical probability 10^-2 > P > 10^-3.
(3) Seldom – Incident has occurred at a similar facility and may reasonably occur at this facility. Statistical probability 10^-3 > P > 10^-4.
(4) Unlikely – Given current practices and procedures, this incident is not likely to occur at this facility. Statistical probability 10^-4 > P > 10^-6.
(5) Remote – Highly unlikely, although statistics show that a similar event has happened. Statistical probability P < 10^-6.

RISK RANKING (1 = highest, 6 = lowest)

Likelihood \ Severity   (1) Catastrophic   (2) Major   (3) Serious   (4) Minor   (5) Incidental
(1) Frequent                   1               2            2             3             5
(2) Occasional                 2               2            3             4             6
(3) Seldom                     3               3            4             5             6
(4) Unlikely                   4               4            6             6             6
(5) Remote                     4               5            6             6             6

PRIMARY DRIVER (left to right across the severity columns): Enterprise Risk Management driven; Safety Management System driven; Occupational Health and Safety driven.
Risk Assessments
QRA – Quantitative Risk Assessment
Fatal Accident Rates
Safety Terminology
• Risk Assessment - a subjective evaluation, involving judgment, intuition and experience, where the level of risk is classified in four levels with their associated measures in Fatalities/Person/Year:
– 1) Tolerable Risk - level we are prepared to accept but will continue to seek reduction: 10^-3 to 10^-5
– 2) Acceptable Risk - level we are prepared to accept without seeking further reduction: below 10^-5
– 3) Unacceptable Risk - level we are prepared to reject for oneself and others: above 10^-3
– 4) ALARP - As Low As Reasonably Practicable: risk in the tolerable region is reduced until the cost of further reduction would be grossly disproportionate to the benefit gained
• The usual measure of risk at a global level is Fatalities/Person/Year, but for the local view, i.e., for your immediate corporate mission, risk can be viewed simply as the "failure of your product."
• The usual format for the analysis of a Risk Assessment is a "Cost-Benefit" Analysis: lives saved versus monetary costs.
How is Risk Managed?
• Useful Tools:
– QRA
– RAM studies
– FMECA
– HAZID / HAZOP
– Audits
• Best implemented during design
• Qualitatively first, then quantitatively
History of Major Hazards Control
1960's: Prescriptive
• Recommendations for design and operation
• (USA) style statutory provisions
• Consideration of the operation of safety procedures
Flixborough, UK, 1974 (explosion and fire)
Bowtie Diagram (figure: threats on the left, consequences on the right, the Critical Event at the centre)
Identify the Control Measures
• Proactive Controls – reduction measures (left of the critical event)
• Reactive Controls – Emergency Response (right of the critical event)
Safety Case
“A documented body of evidence that provides a convincing and
valid argument that a system is adequately safe for a given
application in a given environment”
To implement a safety case we need to:
• make an explicit set of claims about the system
• produce the supporting evidence
• provide a set of safety arguments that link the claims to the
evidence
• make clear the assumptions and judgements underlying the
arguments
The Safety Case must demonstrate that the control measures are
adequate to eliminate or reduce as far as practicable risks
associated with Major Incidents
Demonstration is typically achieved through:
• Reference to Codes of Practice, Standards, Guidance, etc.
• Through risk assessment (qualitative or quantitative)
The safety case is a “living document” which evolves over the safety
life-cycle.
Reliability
RAM DEFINITIONS
• RAM – Reliability, Availability, Maintainability
• Reliability - The ability of an item to perform a required function
under stated conditions for a stated period of time (BS4778) –
UPTIME
• Failure – The termination of the ability of an item to perform a
required function (BS4778) - FAILURE EVENT
• Maintainability - The ability of an item, under stated conditions of
use, to be retained in, or restored to, a state in which it can
perform its required functions, when maintenance is performed
under stated conditions and using prescribed procedures and
resources (BS4778) - DOWNTIME
• Availability - The ability of an item (under combined aspects of its
reliability, maintainability and maintenance support) to perform a
required function at a stated instant of time or over a stated
period of time (BS4778) - UPTIME / (UPTIME + DOWNTIME) or
MTTF / (MTTF + MTTR)
• Deliverability – The ability of a system to deliver gas to the LNG
plant (under combined aspects of availability and capacity)
under stated conditions and at a stated instant of time or over a
stated period of time – (AVAILABILITY × CAPACITY)
Reliability: Key Design Requirement
• Reliability is as fundamental a design requirement as function and
performance
• For every Functional requirement a Reliability requirement can (in
principle) be specified
– Function: Seal A must not leak
– Reliability: P(seal A does not leak) > 0.99
Failure Characteristics
• Different components fail in different patterns
– Flow components, chokes & valves - wear out
– Mechanical components, wellheads – long life
– Electronic components - fail early or last a long time
– Pressure containment, pipes – system fails pressure
test, or long life
– Environmental influences, CO2, H2S, chlorides, over-
protective CP and H2 build-up – corrode progressively
or induce rapid cracking failures
• These give rise to various distributions: Normal, Exponential,
Weibull, etc.
• Simple prediction uses the Exponential distribution, R(t) = e^(-t/MTTF) = e^(-λt),
i.e. a constant failure rate λ = 1/MTTF, as the approximation
• Complex Simulation programs use distributions matched
to components
Factors influencing failure rate
Probabilistic Design
Stress and Strength
Availability
Availability Improvement
• Availability = MTTF / (MTTF+MTTR)
Reliability & Repair Data
Columns: MTTF in years; failure rate λ = 1/MTTF in years^-1; quantity of items; reliability over the period Re = exp(-λt) and unreliability 1-Re (the values correspond to a period t = 30 years); MTTR in days; repair rate μ = 365/MTTR in years^-1; availability proportion A = μ/(λ+μ) and unavailability proportion 1-A.

Hydraulic System Elements

No.  Repairable item                                   MTTF   λ       Qty  Re       1-Re    MTTR  μ       A         1-A
1    Production piping                                 10000  0.0001  1    0.99700  0.0030  100   3.650   0.999973  0.000027
2    Test / vent piping                                5000   0.0002  1    0.99402  0.0060  100   3.650   0.999945  0.000055
3    10 inch 10 kpsi gate valve, isolation function    1000   0.0010  1    0.97045  0.0296  70    5.214   0.999808  0.000192
4    10 inch 10 kpsi gate valve, HIPPS function        250    0.0040  1    0.88692  0.1131  20    18.250  0.999781  0.000219
5    1/2" test valve                                   250    0.0040  1    0.88692  0.1131  20    18.250  0.999781  0.000219
6    1/2" vent valve                                   250    0.0040  1    0.88692  0.1131  20    18.250  0.999781  0.000219
7    PZT sensor                                        50     0.0200  1    0.54881  0.4512  20    18.250  0.998905  0.001095
8    HIPPS hydraulic module                            210    0.0048  1    0.86688  0.1331  20    18.250  0.999739  0.000261
9    Check valve                                       500    0.0020  1    0.94176  0.0582  20    18.250  0.999890  0.000110
10   HIPPS SEM                                         42     0.0238  1    0.48954  0.5105  20    18.250  0.998697  0.001303
Types of Redundancy
• Classified on how the redundant elements are introduced into the circuit
• Active or Static Redundancy
– External components are not required to perform the function of
detection, decision and switching when an element or path in the
structure fails.
• Standby or Dynamic Redundancy
– External elements are required to detect, make a decision and switch
to another element or path as a replacement for a failed element or
path.
• Generally subsea systems (e.g. umbilicals, the MCS) use active
redundancy – hot standby
Simple Parallel Redundancy
Active - Type 1
Series and Parallel Availability Calculations

Series (umbilical and subsea control in series; both must work):
  Umbilical   Av 90.000%   UnAv 10.000%
  Subsea      Av 80.000%   UnAv 20.000%
  System      Availability 72.000% (0.90 × 0.80)   UnAvail 28.000%

Parallel (SCM A OR SCM B; either one suffices):
  SCM A   Re 90.000%   UnRe 10.000%   MTTF 4.5 yrs   MTTR 0.5 years
  SCM B   Re 90.000%   UnRe 10.000%   MTTF 4.5 yrs   MTTR 0.5 years
  SCM A OR SCM B   Re 99.000%   UnRe 1.000% (1 − 0.10 × 0.10)
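The RAM definitions, the Reliability & Repair Data table and the series/parallel slide above share one small set of formulas. The following is an added worked example, not the slides' own calculation sheet: it recomputes rows of the table (constant failure rate, Re = exp(-λt), μ = 365/MTTR, A = μ/(λ+μ)), reproduces the 72% series and 99% parallel figures, and goes one step beyond the slides with a k-out-of-n voting formula for the "N out of M" sparing philosophy mentioned later. The component names and numbers are transcribed from the table; the 30-year period is inferred from its reliability column; everything else (function names, the k-out-of-n helper) is an assumption of this example.

```python
import math

# Added example: RAM arithmetic from the definitions on these slides.
# Constructed from the "Reliability & Repair Data" table and the series /
# parallel figures; it is not the slides' own calculation sheet.

PERIOD_YEARS = 30.0       # inferred: exp(-lambda * 30) reproduces the table's Re column
DAYS_PER_YEAR = 365.0


def failure_rate(mttf_years):
    """Constant failure rate lambda = 1/MTTF (exponential model)."""
    return 1.0 / mttf_years


def reliability(mttf_years, t_years):
    """R(t) = exp(-t/MTTF) = exp(-lambda t): probability of no failure in t years."""
    return math.exp(-t_years / mttf_years)


def repair_rate(mttr_days):
    """Repair rate mu in years^-1 from an MTTR given in days."""
    return DAYS_PER_YEAR / mttr_days


def availability(mttf_years, mttr_years):
    """Steady-state A = MTTF/(MTTF + MTTR), identical to mu/(lambda + mu)."""
    return mttf_years / (mttf_years + mttr_years)


def series(*avs):
    """Series structure (every element must work): A = product of availabilities."""
    a = 1.0
    for x in avs:
        a *= x
    return a


def parallel(*avs):
    """Active parallel (any one element suffices): A = 1 - product of unavailabilities."""
    u = 1.0
    for x in avs:
        u *= 1.0 - x
    return 1.0 - u


def k_out_of_n(k, n, a):
    """k-out-of-n identical elements: P(at least k of n available). Goes beyond
    the slides; this is the 'N out of M' sparing philosophy in closed form."""
    return sum(math.comb(n, j) * a ** j * (1.0 - a) ** (n - j) for j in range(k, n + 1))


# Rows transcribed from the table: (item, MTTF years, MTTR days)
TABLE = [
    ("Production piping", 10000, 100),
    ("10 inch 10 kpsi gate valve, HIPPS function", 250, 20),
    ("PZT sensor", 50, 20),
    ("HIPPS SEM", 42, 20),
]


def table_rows():
    """Recompute lambda, Re, 1-Re, mu, A and 1-A for the transcribed items."""
    rows = []
    for item, mttf, mttr_days in TABLE:
        re = reliability(mttf, PERIOD_YEARS)
        a = availability(mttf, mttr_days / DAYS_PER_YEAR)
        rows.append({"item": item, "lambda": failure_rate(mttf), "Re": re,
                     "UnRe": 1.0 - re, "mu": repair_rate(mttr_days),
                     "A": a, "UnA": 1.0 - a})
    return rows


def umbilical_subsea_series():
    """Series slide: umbilical 90% in series with subsea 80% -> 0.72."""
    return series(0.90, 0.80)


def scm_parallel():
    """Parallel slide: SCM A or SCM B, each MTTF 4.5 yr / MTTR 0.5 yr (A = 0.90) -> 0.99."""
    a_scm = availability(4.5, 0.5)
    return parallel(a_scm, a_scm)


if __name__ == "__main__":
    for r in table_rows():
        print(f"{r['item']:<44} lambda={r['lambda']:.4f} Re={r['Re']:.5f} "
              f"mu={r['mu']:.3f} A={r['A']:.6f}")
    print(f"umbilical + subsea in series : {umbilical_subsea_series():.3f}")
    print(f"SCM A or SCM B in parallel   : {scm_parallel():.3f}")
    print(f"2oo3 of A=0.90 elements      : {k_out_of_n(2, 3, 0.90):.3f}")
```

Two things worth noticing when running it: the PZT sensor and the HIPPS SEM are the only items with a 30-year reliability below 0.55, yet their availability is still above 0.998, because a 20-day repair is short next to a 42-year MTTF; and a 2-out-of-3 vote of 0.90 elements (0.972) sits between the single element (0.90) and the 1-out-of-2 pair (0.99), which is the trade a voting architecture makes to avoid spurious trips.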
Maintainability
Maintenance Philosophy
Maintaining the Gorgon Field
Deliverability
• How to get high deliverability
– System analysis & engineering
– Understanding frequency & duration of failures
– Standard sizes and component rating at no extra cost
– De-bottlenecking & tuning capacity of system
– Line pack and storage
– Ability of downstream to respond to peak turn-up rates
– Capacity and ullage as pressure drops due to well failure
– Temporary increase of flow velocity / erosion limits wrt life
– N out of M philosophy and sparing insurance
• Operability studies & modelling
• Supply chain models based on “Just In Time” logistics
• Define the value of Reliability, Availability and Deliverability (Re, Av, De) in relation to the project
Safety Integrity Levels
PFD
• Risk reduction requiring a SIL 4 function should not be implemented. Rather, this
should prompt a redistribution of required risk reduction across other measures.
SIL 3 HIPPS example
Risk Reduction
Layers of Protection
Equipment Failure Rates
Equipment PFDs
PFD as a function of Test Interval
PFD_avg = ½ λ τ_i (average Probability of Failure on Demand over the proof-test interval τ_i, for dangerous undetected failure rate λ)
(figure: PFD against time; PFD rises between proof tests and is reset at each test; PFD_avg is the mean over τ_i; Test Independent Failures (TIF) are not removed by the proof test)

Worked example, Proof Test = 1 yr:
  PFD_SE (sensor element)   = 0.22 × 10^-3
  PFD_LS (logic solver)     = 3.5 × 10^-3
  PFD_FE (final element)    = 1.75 × 10^-3
  PFD_avg (sum)             = 5.5 × 10^-3 ≡ Safety Integrity Level 2
Layered Protection System
Subsea Control Module
Single layer: PFD_avg = 1.1 × 10^-2 ≡ Safety Integrity Level 1 (annual testing)
Dual layers: PFD_avg = (1.1 × 10^-2) × (1.1 × 10^-2) = 1.2 × 10^-4 (assuming no common mode failure) ≡ "Safety Integrity Level 3" (annual testing)
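The two slides above can be checked with a few lines of arithmetic. The following is an added example, not the presenter's own spreadsheet: it codes PFD_avg = ½ λ τ, the IEC 61508 low-demand SIL bands (PFD_avg in [10^-2, 10^-1) is SIL 1, [10^-3, 10^-2) SIL 2, [10^-4, 10^-3) SIL 3, [10^-5, 10^-4) SIL 4), the summed sensor / logic solver / final element loop, and the dual-layer SCM case. The beta-factor common-cause term is a simplified model added here as an assumption (it is not the slides' method and not the full IEC 1oo2 formula); it exists to show what the slide's "assuming no common mode failure" caveat is worth. The scaling of all three loop PFDs with the test interval assumes each is proof-test driven.

```python
# Added example: PFD and SIL arithmetic from the last two slides. The SIL bands
# are the IEC 61508 low-demand bands; the beta-factor common-cause term is a
# simplified model added here (an assumption, not the slides' own method) to
# quantify the "assuming no common mode failure" caveat.

# (SIL, PFDavg lower bound inclusive, upper bound exclusive), low-demand mode
SIL_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]

# Subsystem PFDs from the "Proof Test = 1 yr" worked example
PFD_SE_1YR = 0.22e-3     # sensor element
PFD_LS_1YR = 3.5e-3      # logic solver
PFD_FE_1YR = 1.75e-3     # final element
PFD_SCM_SINGLE = 1.1e-2  # one Subsea Control Module layer, annual testing


def pfd_avg(lambda_du_per_year, tau_years):
    """PFDavg = 1/2 * lambda_DU * tau for one proof-tested channel."""
    return 0.5 * lambda_du_per_year * tau_years


def proof_test_interval_for(pfd_target, lambda_du_per_year):
    """Invert pfd_avg: the longest proof-test interval that still meets the target."""
    return 2.0 * pfd_target / lambda_du_per_year


def sil_from_pfd(pfd):
    """Low-demand SIL band for a PFDavg; None if outside SIL 1..4."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return None


def loop_pfd(tau_years=1.0):
    """Sensor + logic solver + final element in series: the PFDs add. Each
    subsystem figure is scaled linearly from its 1-year value because PFDavg
    is proportional to tau (assumption: all three are proof-test driven)."""
    return (PFD_SE_1YR + PFD_LS_1YR + PFD_FE_1YR) * tau_years


def dual_layer_pfd(pfd_single, beta=0.0):
    """Two nominally independent layers. beta is the fraction of each layer's
    failures that also defeat the other layer (common cause); beta = 0 is the
    slide's assumption of no common mode failure."""
    independent = (1.0 - beta) * pfd_single
    common = beta * pfd_single
    return independent ** 2 + common


def sil_4_required(pfd_target):
    """The earlier slide's rule: if the target lands in the SIL 4 band, do not
    build a SIL 4 function; redistribute the risk reduction across other layers."""
    return sil_from_pfd(pfd_target) == 4


if __name__ == "__main__":
    for tau in (0.5, 1.0, 2.0):
        p = loop_pfd(tau)
        print(f"loop, proof test every {tau} yr: PFDavg={p:.2e} -> SIL {sil_from_pfd(p)}")
    for beta in (0.0, 0.02, 0.10):
        p = dual_layer_pfd(PFD_SCM_SINGLE, beta)
        print(f"dual SCM layers, beta={beta:.2f}: PFDavg={p:.2e} -> SIL {sil_from_pfd(p)}")
    print("SIL 4 needed for target 5e-5:", sil_4_required(5e-5))
```

Running it shows the two sensitivities a reviewer should ask about: stretching the HIPPS loop's proof test from one year to two lifts PFD_avg from 5.5 × 10^-3 to 1.1 × 10^-2 and the loop drops from SIL 2 to SIL 1; and for the dual SCM layers, a common-cause fraction of only 10% turns the claimed 1.2 × 10^-4 (SIL 3) into about 1.2 × 10^-3 (SIL 2), while 2% still leaves it inside SIL 3. The "no common mode failure" assumption, not the squaring, is what the SIL 3 claim rests on.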
Conclusion
The cost of failure - BP experience
Value of Performance or SAFETY: an interesting echo from the 1970's