
SPE 23491

Advanced Fault Tree Analysis in Offshore Applications

D.J. Burns, WS Atkins Engineering Sciences Ltd.

Copyright 1991, Society of Petroleum Engineers, Inc.

This paper was prepared for presentation at the First International Conference on Health, Safety and Environment held in The Hague, The Netherlands, 10-14 November 1991.

This paper was selected for presentation by an SPE Program Committee following review of information contained in an abstract submitted by the author(s). Contents of the paper, as presented, have not been reviewed by the Society of Petroleum Engineers and are subject to correction by the author(s). The material, as presented, does not necessarily reflect any position of the Society of Petroleum Engineers, its officers, or members. Papers presented at SPE meetings are subject to publication review by Editorial Committees of the Society of Petroleum Engineers. Permission to copy is restricted to an abstract of not more than 300 words. Illustrations may not be copied. The abstract should contain conspicuous acknowledgment of where and by whom the paper is presented. Write Librarian, SPE, P.O. Box 833836, Richardson, TX 75083-3836, U.S.A. Telex, 730989 SPEDAL.
ABSTRACT

The Offshore Industry is at present witnessing the emergence of guidelines for Formal Safety Assessments, following the Cullen Inquiry. Two decades ago the Nuclear Industry underwent a similar phase of evolution in safety issues which led to the widespread application of Probabilistic Risk Assessment (PRA). It is proposed that much benefit stands to be gained by developing offshore safety and quality standards along the same rigorous lines as has been done for nuclear safety.

An analytical tool which plays a major part in PRA is Fault Tree Analysis, which has seen a limited application offshore but should, in the author's opinion, be used on a larger scale both in the assessment of safety and in the overall cost/benefit philosophy. Illustrations of such applications are given from recent offshore safety studies.

INTRODUCTION

Among the numerous analyses which must be carried out on an offshore installation to assure safe and economic operation, four are discussed in this paper, where Fault Tree Analysis (FTA) can be of great assistance. FTA was developed primarily in the nuclear industry as a building block of the PRA (Probabilistic Risk Assessment). In the chemical and offshore industries, however, the term QRA (Quantitative Risk Assessment) has become the convention, although there is essentially no difference in approach.

The first analysis addressed in this paper is concerned with hazards and specifically the need to demonstrate that hazardous events can be minimised or safely contained by reliable contingency operations and systems. The risk of damaging consequences to human beings, the environment and installation equipment must be shown to be acceptably low. Thus the next section presents a schematic model for the main steps to be employed in a QRA, indicating where FTA is applied. While this model makes an additional reference to reliability analysis, the latter is discussed separately, as is availability analysis, which includes safety related events and non-hazardous events. These three types of analysis are finally combined under the common factor of cost, in order to provide a model for assessing the Life Cycle Cost of an installation.

FTA IN HAZARD ANALYSIS

The essence of this type of study is to demonstrate that an installation is safe by assessing the level of risk to the operators, the environment and the equipment associated with all identifiable major hazard events. The risk is generally stated as an estimated frequency of occurrence for a certain level of damage, the definitions of which are generally set out in the Operator's Corporate Safety philosophy or some similar document. FTA plays a major role in estimating the frequency of defined damage levels, as indicated in Figure 1. Damage levels are grouped into the following categories:

fatalities
environmental
design load impairment

Figure 1 shows the main building blocks of a QRA. After ascertaining the functional make-up of the installation, the accident initiating events are identified by various techniques such as Hazard and Operability Study (HAZOP), Failure Modes, Effects and Criticality Analysis (FMECA) and surveys of case histories.

For each identified initiating event, an event tree is constructed whereby the worst possible accident scenarios are postulated. At each branch in the event tree, an event is defined which can aggravate or mitigate the scenario if it occurs. Accident scenarios leading to Major Catastrophes are said to be initiated by Major Hazard Events. These are then quantified on two counts: firstly that their damage effect is calculated by physical models, and secondly that their frequency is estimated. This is often achieved by FTA, when the event is broken down into possible precursors, the estimated frequencies of which are combined using Boolean logic.
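The Figure 1 scheme described above, as an added worked example (not code from the paper or from the SUPER-TREE programme used for its figures): a hazard fault tree is reduced to its minimal cut sets and quantified by the rare-event approximation to give an initiating-event frequency, a second fault tree of the reliability type gives the probability that the mitigating ESD system fails on demand (including the operator failing to act manually), and the event tree multiplies the two through an ignition branch into a catastrophe frequency that is compared with an acceptance criterion. Every event name, failure figure, branch probability and the acceptance criterion are constructed assumptions, not values from the paper.

```python
"""Quantifying a hazard the way Figure 1 describes: a fault tree gives the
frequency of the initiating event, a second (reliability) fault tree gives the
probability that the mitigating system fails on demand, and the event tree
multiplies them out and compares the result with an acceptance criterion.

Added illustration, not code from the paper.  Every event name, failure figure
and the acceptance criterion below is constructed for the example."""
from itertools import product

# Basic-event data (constructed).  "frequency" values are per year;
# "probability" values are dimensionless failure-on-demand probabilities.
BASIC_EVENTS = {
    "spool_clamp_leak":   ("frequency", 2.0e-3),
    "hub_gasket_leak":    ("frequency", 1.5e-3),
    "valve_seal_leak":    ("frequency", 5.0e-3),
    "dropped_object":     ("frequency", 1.0e-2),
    "spool_under_rated":  ("probability", 0.05),
    "level_sensor_fails": ("probability", 2.0e-3),
    "esd_logic_fails":    ("probability", 5.0e-4),
    "solenoid_fails":     ("probability", 3.0e-3),
    "operator_no_action": ("probability", 0.1),
}

# A gate tree is ("OR", [children]) or ("AND", [children]); leaves are basic
# event names.  Hazard tree: gas release in the export area (constructed).
GAS_RELEASE = ("OR", [
    "spool_clamp_leak",
    "hub_gasket_leak",
    "valve_seal_leak",
    # a dropped object releases gas only if it hits an under-rated spool
    ("AND", ["dropped_object", "spool_under_rated"]),
])

# Reliability tree for the mitigating system: ESD fails on demand.  The
# automatic trip must fail AND the operator must fail to trip manually.
ESD_FAILS_ON_DEMAND = ("AND", [
    ("OR", ["level_sensor_fails", "esd_logic_fails", "solenoid_fails"]),
    "operator_no_action",
])

P_IGNITION = 0.1             # constructed event-tree branch probability
ACCEPTANCE_CRITERION = 1e-4  # constructed: tolerable catastrophe frequency per year


def cut_sets(node):
    """Expand a gate tree into cut sets (sets of basic events that together
    cause the top event) by the Boolean rules OR = union, AND = product."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, children = node
    child_sets = [cut_sets(child) for child in children]
    if gate == "OR":
        return [cs for sets in child_sets for cs in sets]
    if gate == "AND":
        return [frozenset().union(*combo) for combo in product(*child_sets)]
    raise ValueError(f"unknown gate {gate!r}")


def minimal_cut_sets(node):
    """Drop non-minimal cut sets (absorption law: A + A.B = A)."""
    minimal = []
    for cs in sorted(set(cut_sets(node)), key=len):
        if not any(kept <= cs for kept in minimal):
            minimal.append(cs)
    return minimal


def cut_set_value(cs):
    """Frequency (or probability) of one cut set: the product of its events.
    At most one event in a cut set may be a frequency, or the units are wrong."""
    kinds = [BASIC_EVENTS[event][0] for event in cs]
    if kinds.count("frequency") > 1:
        raise ValueError(f"cut set {sorted(cs)} multiplies two frequencies")
    value = 1.0
    for event in cs:
        value *= BASIC_EVENTS[event][1]
    return value


def top_event(node):
    """Rare-event approximation: the top event is the sum of its minimal cut sets."""
    return sum(cut_set_value(cs) for cs in minimal_cut_sets(node))


def assess_hazard():
    """Event-tree path initiating event -> ignition -> ESD fails, giving a
    catastrophe frequency that is checked against the acceptance criterion."""
    f_release = top_event(GAS_RELEASE)
    p_esd_fails = top_event(ESD_FAILS_ON_DEMAND)
    f_catastrophe = f_release * P_IGNITION * p_esd_fails
    return {
        "release_frequency": f_release,
        "esd_failure_probability": p_esd_fails,
        "catastrophe_frequency": f_catastrophe,
        "meets_criterion": f_catastrophe <= ACCEPTANCE_CRITERION,
    }


if __name__ == "__main__":
    for cs in minimal_cut_sets(GAS_RELEASE):
        print(sorted(cs), f"{cut_set_value(cs):.2e} /yr")
    for key, value in assess_hazard().items():
        print(f"{key}: {value}")
```

The unit check in `cut_set_value` is the point a practitioner should carry over to any tree: an AND gate may combine one frequency with any number of probabilities, but two frequencies under one AND gate have no meaning, and a tool that silently multiplies them produces a top-event figure with the wrong units. Summing over several initiating events, as the text describes, is a matter of calling `assess_hazard` once per event tree and adding the catastrophe frequencies before the comparison with the criterion.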

It has been noted that the event tree contains postulated mitigating events, whose probability of occurrence needs to be calculated in order to arrive at a final frequency estimation for the catastrophic event. Again FTA is an ideal means of arriving at branch probabilities.

The event tree analysis is carried out for several initiating events, and the frequencies of all similar catastrophic events are summed from all initiating events considered in order to make a comparison with acceptance criteria. Plants which do not meet the criteria will need to have some redesign or, if operational, some back-fitting.

FTA has recently been applied to the hazard analysis of an offshore production platform. Figure 2 gives an example of part of the fault tree for a Gas Release in the Export Area.

FTA IN RELIABILITY ANALYSIS

The reliability of critical safety systems such as Fire and Gas and ESD (Emergency Shutdown) must be demonstrated to be acceptably high.

In the reliability analysis, the top event of the fault tree is represented by failure of the system to function when required by a hazardous situation, and the tree is built up from the possible causes of this system failure, including the failure of the operator to initiate manual action. This type of analysis has been mentioned in the previous section as one of the branch events in the Event Tree Analysis.

Figure 3 shows an example of the tree for the event 'Extra high level in flare KO drum does not give ESD.'

FTA IN AVAILABILITY ANALYSIS

Availability analyses of plant are often carried out as a function of time by simulation techniques. However, mean unavailability over a period of time can be estimated using FTA, and this is useful for vendors wishing to demonstrate the total availability of their systems or to optimize redundancy in equipment or spares holding [3].

Figure 4 shows the scheme for applying FTA to availability modelling. Starting with the plant model, more than one operational mode may be possible, the availability target for each operational mode being different. For each operational mode, a fault tree top event will be definable reflecting the frequency of failure of the plant. A fault tree can then be drawn up to indicate the possible causes of total plant failure which, when provided with failure and repair data for all basic system failure events, will constitute the Integrated Plant Unavailability Model.

Each system failure is then made the top event of a separate fault tree, and a break-down of system failures into component failures carried out. As availability targets can be determined for each system, in order to meet the total plant availability target, it is possible to present vendors with availability targets for their equipment. In some cases the initial target established by the operator cannot be met by the vendor without extra cost, and negotiations may result in a compromise being reached.

The FTA is very useful here in demonstrating the sensitivity of the total plant availability to each system's performance. Thus, not meeting the original system availability target set by the operator could result in:

a) resetting the target for the system availability
b) redesigning the system to meet the original target
c) redesigning the plant to meet the availability target.

Resetting the plant availability target is possible, but unlikely. The above procedure would be repeated for each operational mode.

In calculating unavailability, both failure rates and failure probability on demand, and down time of equipment are input into the fault tree programme for subsequent processing. Preventive maintenance schedules are also included in the overall assessment.

Fault trees for 'Unavailability' are similar in appearance to fault trees for 'Hazards' but will contain more basic events.

FTA IN COST ANALYSIS

In addition to demonstration of a particular vendor's system availability, the operator will wish to calculate the total cost of procuring equipment, running and maintaining the plant and of production loss when the plant stands idle [2, 3].

System designers, reliability engineers and procurement staff should work together to arrive at the cost-optimised availability goal, taking into account initial equipment costs, levels of redundancy, maintenance costs, and cash flow.

The relationship between the parameters involved in Life Cycle Cost considerations is shown in Figure 5. Availability of operation can, in theory, be increased more and more by investing in more and better equipment. Conversely, at a low level of investment cost, more operational costs are incurred due to plant breaking down. As investment increases so the need for maintenance (operation costs) decreases. Thus the total cost (LCC) passes through a minimum. The reliability engineer, as coordinator between design and procurement, can assist greatly in getting the availability target near to the minimum LCC.

The subjects of the three preceding sections (hazards, reliability and availability) clearly have a significant impact on total costs to the operator. Together with the initial design, installation, commissioning, operating and decommissioning costs, they form a complete Life Cycle Cost picture. While the last named contributions are generally considered to be calculable, costs associated with hazards, reliability and availability are subject to gross uncertainties. Although it is usual to calculate full LCC analysis such as this in military projects, the offshore industry is not as yet generally adopting this approach. However, articles on developments in this direction are beginning to appear in the offshore press.

A programme which combines 'foreseeable' project costs with estimates of 'unforeseeable' costs due to breakdown and hazards has been developed, with the facility to address design alternatives from an LCC viewpoint. Some examples of its applications potential are the comparison between overall costs of unmanned or manned platforms, and the relative costs of subsea and platform developments.
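The availability and cost sections above describe one procedure: failure rates, down times, proof-test intervals and preventive maintenance schedules are fed into an unavailability fault tree, redundancy options are compared against an availability target, and the Figure 5 trade-off between investment and breakdown cost is used to find the cost-optimised option. The following is an added example of that procedure (not code from the paper or from the fault tree programme it used): a small integrated plant unavailability model with revealed, periodically tested and maintenance-outage basic events, evaluated for one to four compressors, with the investment, maintenance and production-loss costs summed into an LCC over the field life. Every component, rate, duration and cost figure is a constructed assumption; the unavailability formulae (revealed: lambda*MTTR/(1+lambda*MTTR); tested: lambda*(T/2 + MTTR); PM outage: duration/interval) are the standard steady-state approximations, not values stated in the paper.

```python
"""Mean unavailability from failure and repair data, and the Life Cycle Cost
trade-off of Figure 5 evaluated over redundancy options.  Added illustration,
not code from the paper; every rate, duration and cost figure is constructed."""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Component:
    """Basic event of an availability fault tree with its failure/repair data."""
    name: str
    failure_rate: float         # failures per hour
    repair_time: float          # mean down time per failure, hours (MTTR)
    test_interval: float = 0.0  # hours; 0 means a failure is revealed at once
    pm_interval: float = 0.0    # hours between preventive maintenance outages
    pm_duration: float = 0.0    # hours of outage per preventive maintenance

    def unavailability(self):
        lam, mttr = self.failure_rate, self.repair_time
        if self.test_interval:
            # Unrevealed (dormant) failure, found at the next proof test:
            # down on average half a test interval plus the repair time.
            q = lam * (self.test_interval / 2 + mttr)
        else:
            # Revealed failure: steady-state q = lam*MTTR / (1 + lam*MTTR).
            q = lam * mttr / (1 + lam * mttr)
        if self.pm_interval:
            # Scheduled outage for preventive maintenance adds down time.
            q += self.pm_duration / self.pm_interval
        return q


def evaluate(node):
    """Mean unavailability of a gate tree with independent basic events.
    OR (series): 1 - prod(1 - q);  AND (redundancy): prod(q)."""
    if isinstance(node, Component):
        return node.unavailability()
    gate, children = node
    qs = [evaluate(child) for child in children]
    if gate == "AND":
        q = 1.0
        for child_q in qs:
            q *= child_q
        return q
    if gate == "OR":
        available = 1.0
        for child_q in qs:
            available *= 1 - child_q
        return 1 - available
    raise ValueError(f"unknown gate {gate!r}")


# Constructed failure and repair data for a production train (assumptions).
SEPARATOR = Component("HP separator", 1.0e-5, 72.0)
MAIN_GEN = Component("main generator", 1.0e-4, 24.0)
STANDBY_GEN = Component("standby generator", 5.0e-5, 24.0, test_interval=720.0)
COMPRESSOR = Component("export compressor", 2.0e-4, 48.0,
                       pm_interval=4380.0, pm_duration=24.0)


def plant_tree(n_compressors):
    """Integrated plant unavailability model: production is lost if the
    separator fails, OR both generators are down, OR every compressor is down.
    Parallel compressors are treated as identical and independent."""
    return ("OR", [
        SEPARATOR,
        ("AND", [MAIN_GEN, STANDBY_GEN]),
        ("AND", [COMPRESSOR] * n_compressors),
    ])


def life_cycle_cost(n_compressors, years=20, capex_per_unit=4.0e6,
                    maint_per_unit_year=3.0e5, loss_per_hour=2.5e4):
    """Investment + maintenance + production-loss cost over the field life."""
    q = evaluate(plant_tree(n_compressors))
    investment = capex_per_unit * n_compressors
    maintenance = maint_per_unit_year * n_compressors * years
    production_loss = q * HOURS_PER_YEAR * years * loss_per_hour
    return {
        "availability": 1 - q,
        "investment": investment,
        "maintenance": maintenance,
        "production_loss": production_loss,
        "total": investment + maintenance + production_loss,
    }


def cost_optimised_option(target_availability, max_units=4):
    """Pick the redundancy level that meets the availability target at minimum
    LCC.  Returns (n, results); n is None when no option meets the target,
    the case in which the target must be renegotiated or the plant redesigned."""
    results = {n: life_cycle_cost(n) for n in range(1, max_units + 1)}
    feasible = [n for n, r in results.items() if r["availability"] >= target_availability]
    best = min(feasible, key=lambda n: results[n]["total"]) if feasible else None
    return best, results


if __name__ == "__main__":
    best, results = cost_optimised_option(0.995)
    for n, r in results.items():
        print(f"{n} compressor(s): availability {r['availability']:.5f}, "
              f"LCC {r['total'] / 1e6:.1f} M")
    print("cost-optimised option:", best)
```

With these constructed figures a single compressor misses a 0.995 target, two compressors meet it, and a third or fourth raises investment and maintenance faster than it reduces production loss, so the LCC curve passes through its minimum at two units exactly as Figure 5 sketches. Lowering the target to 0.98 makes the single-compressor option feasible but the function still selects two, because the choice is made on total cost rather than on the cheapest option that scrapes past the target.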
CONCLUSIONS

The operation of an offshore installation is beset with a number of risks. These can be subdivided into safety and costs, although the two are intrinsically linked. Safety-related incidents will always affect cost, while down-time incidents will always affect costs, but not always safety.

Examples have been given of the way in which Fault Tree Analysis may be applied to the understanding and quantification of the risks to safety and cost under the headings:

hazard analysis
reliability analysis
availability analysis
cost analysis

ACKNOWLEDGEMENT

The author would like to thank ABB Atom, Vasteras, Sweden, for permission to publish this paper.
REFERENCES

1. Hirschberg S, and Knochenhauer M. 'SUPER-NET, a Multi-purpose Tool for Reliability and Risk Assessment'. International Post-SMIRT 10 Seminar 'The Role and Use of PCs in Probabilistic Safety Assessment and Decision Making', Beverly Hills, California, August 21-22, 1989.

2. Bjore S, Hirschberg S, and Knochenhauer M. 'A Unified Approach to Reliability Analysis'. Society of Reliability Engineers Symposium, Vasteras, Sweden, October 10-12, 1988.

3. Knochenhauer M, Olsson L, and Alm S. 'Verification of Availability Guarantees in HVDC Projects: Estimation and Optimisation of the Impact from Corrective and Preventive Maintenance'. Reliability Achievement: The Commercial Incentive. SRE Symposium, Stavanger, Norway, October 9-11, 1989.

Figure 1
Use of Fault Tree Analysis in QRA
(Flow chart of the QRA building blocks: plant model; identification of accident initiating events; event frequency by fault tree analysis; development of event trees; analysis of branch event probabilities by fault tree analysis; consequence analysis; does plant meet safety criteria? (no/yes); demonstration of meeting safety criteria.)

Figure 2
Example of a Fault Tree for Gas Release Hazard
(SUPER-TREE/4.6 plot, ABB Atom AB, dated 91-08-05. Top event R_GASREL30 'Gas release in export area', developed through gas release from the surface valve assemblies into spool, clamp, hub and blind-hub leakages, valve seal deterioration, dropped-object damage, overstressed spools and outlets, export jumper hose failure in operation and pigging tee/ESD valve clamp leakages.)

Figure 3
Example of a Fault Tree for ESD Reliability
(SUPER-TREE/4.5 plot, ESD reliability study dated 91-07-31. Top event R_TREE-100 'X-high level HP KO drum not give ESD', developed through no signal at ESD system, failure in field device and failure in ESD system (input, logic, output), with basic events including solenoid valve, actuator, fail-safe mechanism and return spring failures, breaks in cable, no power supply, system wired incorrectly, sensor set at wrong signal level, sensor not reset after testing and isolation valve closed.)

Figure 4
Use of FTA in Availability Target Calculations
(Flow chart: plant model; definition of operational modes; plant availability target for each mode; integrated plant unavailability model by fault tree analysis by client/operator; system availability target for each mode; system unavailability model by fault tree analysis by supplier; does system meet target? repeated for each operational mode; demonstration of meeting system availability target when yes to all operational modes.)

Figure 5
Life Cycle Cost
(Plot of cost against plant availability showing the operation costs and life cycle cost curves and the availability target.)