RISK, RELIABILITY AND AVAILABILITY

Presented by Ewan Rowel, Subsea & Pipelines Manager, Chevron Australia Pty Ltd.
in his capacity as an SUT volunteer presenter

Society for Underwater Technology

Perth Branch Inc.
What is Risk?

• “The chance of something happening that will have an

impact on the objective”
• Frequency x Consequence
• “Expected value of an unwanted outcome measured in
dollars”
What is Risk?

• “Expected value of an unwanted outcome measured in

dollars”
– Injury or death of personnel
– Damage or destruction of the environment
– Excessive production costs
– Reduction or loss of production
– Project delays
Consequence

Likelihood
Typical Risk Matrix

Likelihood -> Never heard of Has occurred Has occurred Occurs often Occurs often
Consequence in industry in industry in company in company at site

No Injury LOW LOW LOW LOW LOW

Slight injury LOW LOW MED MED MED

Minor injury LOW MED MED HIGH HIGH

Major injury MED MED HIGH HIGH VERY HIGH

Fatality MED HIGH HIGH VERY HIGH VERY HIGH

Multiple fatality HIGH HIGH VERY HIGH VERY HIGH VERY HIGH

VERY HIGH Rectify immediately

HIGH Rectify with urgency, unless clearly impracticable
MED Reduce risk as far as practicable
LOW Accept, but manage through competency and awareness
 Threat to Enterprise
ENTERPRISE- (Catastrophic)
(1)
WIDE RISK PERSONNEL – Multiple (five or
RANKING APPENDIX A
more) fatalities.
COMMUNITY – Widespread
MATRIX impact to nearby communities.
ENVIRONMENTAL – Long term
environmental impact, and/or
Enterprise-Wide Risk Ranking Matrix
adverse, worldwide publicity.
SEVERITY OF FACILITY – Total destruction to
CONSEQUENCES installation(s) estimated at a
cost greater than $100,000,000;
Extended facility shutdown,
and/or potential for permanent
closure.
LIKELIHOOD OF For floating production systems,
OCCURRENCE loss of floating structure.
Frequent 1 2
(1)
Incident is very likely to occur at
this facility. Possibly several
times during its life time.
Statistical probability P> 10-2
Major
(2)
 PERSONNEL – One or
several fatalities, limited to more severe injuries,
--immediate
ENTERPRISE-WIDE
area of incident.
 COMMUNITY - One or
more severe injuries.
 ENVIRONMENTAL -
Significant release with
serious off-site impact and
more likely than not to cause serious off-site impact.
immediate or long-term
health effects.
 FACILITY – Damage to
installation(s) estimated at a than $1,000,000 but
cost greater than
$10,000,000 but less than
$100,000,000; downtime in
excess of 90 days.
Serious Minor
(3) (4)
 PERSONNEL - One or  PERSONNEL - Single
injury, not severe, possible
RISK permanently
including RANKING MATRIX
lost time.
disabling injuries.  COMMUNITY - Odor or
 COMMUNITY - One or
more minor injuries.
 ENVIRONMENTAL -
noise complaint from the
public.
 ENVIRONMENTAL -
Significant release with Release which results in
Agency notification or Permit
 FACILITY - Damage violation.
to process area(s) at an  FACILITY - Some
estimated cost greater equipment damage at an
estimated cost greater than
less than $10,000,000; $100,000 but less than
10 to 90 days of $1,000,000; 1 to 10 days of
downtime. downtime.
2 3
Incidental
(5)
 PERSONNEL – Minor or
no injury, no lost time.
 COMMUNITY - No injury,
hazard, or annoyance to the
public.
 ENVIRONMENT -
Environmentally recordable
event with no Agency
notification or Permit
violation.
 FACILITY - Minimal
equipment damage at an
estimated cost less than
$100,000; negligible
downtime.
5

Occasional 2 2 3 4 6
(2)
Incident may occur at this facility
some time during its life time.
Statistical probability:
10-2 > P > 10-3

Seldom 3 3 4 5 6
(3)
Incident has occurred at a similar
facility and may reasonably
occur at this facility.
Statistical probability:
10-3 > P > 10-4

Unlikely 4 4 6 6 6
(4)
Given current practices and
procedures, this incident is not
likely to occur at this facility.
Statistical probability:
10-4 >P > 10-6

Remote 4 5 6 6 6
(5)
Highly unlikely, although
statistics show that a similar
event has happened.
Statistical probability P< 10-6

PRIMARY DRIVER ENTERPRISE RISK SAFETY MANAGEMENT OCCUPATIONAL HEALTH AND SAFETY DRIVEN
MANAGEMENT DRIVEN SYSTEM DRIVEN
Risk Assessments
QRA – Quantitative Risk Assessment

1. Identifying what could go wrong

2. Estimating the likelihood of these
events occurring Risk Analysis
3. Examining the possible
consequences of these events

4. Deciding which risks are tolerable Risk Assessment

and which aren’t

5. Modifying the activity so the Risk Management -

intolerable risks are reduced or changes to design and
eliminated. operational practice
Worked Example with the White Star Line

Objective – “Reach New York”

Uncertainty – “Iceberg Impact”
Captain Edward J. Smith

• A captain in whom passengers and crews had

great confidence.
• A natural leader and a fine seaman
• Popular alike with officers and men.
• Undertook a daily safety tour of the vessel with
key officers.
• “I never saw a wreck and have never been
wrecked, nor was I ever in any predicament that
threatened to end in disaster of any sort. You
see, I am not very good material for a story.”
• Many passengers would not dream of crossing
the Atlantic on a liner commanded by anyone
other than Edward John Smith.
• “EJ was no fool, nor was he reckless” - U.S.
Congressman, William Alden Smith
• “He never took a risk.” - Bishop of Willesden
Likelihood of Incident

Although Smith was found to be at fault for not changing course

or slowing down, he had not been negligent because he had
followed long-standing practice which had not previously been
shown to be unsafe.
Smith had merely done “only that which other skilled men would
have done in the same position.”
There was nothing unusual in Smith's behaviour. The majority of
captains, faced with increasingly tight schedules preferred to
forge ahead in the face of possible adversity. Those who erred
on the side of caution were treated with disdain. Captain James
Barr of the Caronia was nicknamed “Foggy” because of his
tendency to reduce speed at the first hint of haze
• No ship had ever hit an iceberg.
• British ships alone had carried 3.5 million passengers over the
previous decade with the loss of just 10 lives.
Consequence of Incident

“I cannot imagine any condition which would cause a ship

to founder. I cannot conceive of any vital disaster
happening to this vessel. Modern shipbuilding has gone
beyond that .”

“The Olympic is unsinkable, and Titanic will be the same

when she is put in commission. Either of these two vessels
could be cut in halves and each half would remain afloat
almost indefinitely. The non-sinkable vessel has been
reached in these two wonderful craft. Even if the engines
and boilers of these vessels were to fall through their
bottoms, the vessels would remain afloat.”

The lack of equipment for saving lives was not due to a

desire of the steamship owners to save money, but rather
because they believed their ships to be safe.

Damage to the Olympic from the Risk had been designed out
HMAS Hawke impact 1911
The cleverest minds believed that the new technology
would behave like the old technology.
Fatal Accident Rates
Implied Cost of Averting a Fatality (ICAF)
58. In making an assessment of reasonable practicability, there is a need to set criteria on the value of a
life or implied cost of averting a statistical fatality (ICAF). HSE’s ‘Reducing Risks Protecting People’
document sets the value of a life at £1,000,000 and by implication therefore the level at which the
costs are disproportionate to the benefits gained. In simplistic terms, a measure that costs less than
£1,000,000 and saves a life over the lifetime of an installation is reasonably practicable, while one
that costs significantly more than £1,000,000, is disproportionate and therefore is not justified.
However case law indicates that costs should be grossly disproportionate and therefore costs in
excess of this figure (usually multiples) are used in the offshore industry. In reality of course there is
no simple cut-off and a whole range of factors, including uncertainty need to be taken account of in
the decision making process.

59. In the offshore industry there is a need to take account of the increased focus on societal (or group)
risk, i.e. the risk of multiple fatalities in a single event, as a result of society's perceptions of these
types of accident. Therefore the offshore industry typically addresses this by using a high proportion
factor for the maximum level of sacrifice that can be borne without it being judged ‘grossly
disproportionate’; this has the effect of increasing the ICAF value used for decision-making. The
typical ICAF value used by the offshore industry is around £6,000,000, i.e. a proportion factor of 6.
HSE considers this to be the minimum level for the application of Cost Benefit Analysis (CBA) in the
offshore industry.

60. Use of a proportion factor of 6 ensures that any CBA tends towards the conservative end of the
spectrum and therefore takes account of the potential for multiple fatalities and uncertainty. Although
a proportion factor of 6 tends to be used, there are no agreed standards and it is for each duty holder
to apply higher levels if appropriate, for example in very novel designs.
Extract from Assessment Principles for Offshore Safety Cases (APOSC)
Issued March 2006
UK Health and Safety Executive
Safety Terminology
• Risk Assessment - a subjective evaluation, involving judgment,
intuition and experience, where the level of risk is classified in
four levels and their associated measures of
Fatalities/Person/Year
– 1) Tolerable Risk - level prepared to accept but will continue
to seek reduction. 10-3 to 10-5
– 2) Acceptable Risk - level prepared to accept without seeking
further reduction. 10-5
– 3) Unacceptable Risk - level prepared to reject for oneself
and others. 10-3
– 4) ALARP - As low as reasonably practicable.
• The usual measure of risk at a global level is
Fatalities/Person/Year, but for the local view, i.e., for your
immediate corporate mission, risk can be viewed as simply the
“failure of your product.”
• The usual format for the analysis of Risk Assessment is a “Cost-
Benefit” Analysis, lives saved versus monetary costs.
What is Risk Management?
Risk Management is the effective identification, assessment and
control of Risk

• Establish Context and Scope

• Identify the Hazards
• Assess the Risk
– frequency
– consequences
– safeguards
• Rank the Risks
• Eliminate / Minimise the Risk
• Ongoing review and monitoring
How is Risk Managed?

• Useful Tools:
– QRA
– RAM studies
– FMECA
– HAZID \ HAZOP
– Audits
• Best implemented during design
• Qualitatively first, then quantitatively
Why is Risk Management needed?
• Legislation \ Standards
• Control of Major Hazard Facilities
• Pipeline Acts
• OS&H Regulations 1984
• AS/NZS 4360 Risk Management
• Necessary for business optimisation ($)
• Increase value by:
– minimising loss ($)
– maximising opportunity ($)
• Optimises the performance of the facility
• Reduces probability of becoming:
– Piper Alpha
– Longford
– Exxon Valdez
History of Major Hazards Control
1960’s Flixborough UK (explosion and fire)
Prescriptive
• Recommendations for design and operation
• (USA) style statutory provisions
• Consideration of the operation of safety procedures

1970’s Alexander L. Kielland (accommodation platform capsize)

The “Safety Report” approach.
• Operator has to describe safety management to the Regulator.

1980’s Bhopal India (toxic release)

• Concept Safety Evaluations based on Quantified Risk Analysis Techniques QRA
• Aims to identify and quantify risks to an acceptable level

1990’s Piper Alpha oil platform (explosion and fire)

The “Safety Case” approach.
• Operator has to convince Regulator on safety management.
• Companies now responsible for their Actions - Must assess and determine the level of Risk

2000’s Bombay High North platform (explosion and fire)

Control of Major Hazards
• Safety SILs
Bowtie Diagram

Critical
Events leading to critical event Events following critical event
Event

A process of risk analysis,

with a sequence of events
leading to a hazardous
situation (critical event),
followed by a series of
events leading to a variety
of possible consequences
Identify the Control Measures
Proactive Controls Reactive Controls

Causes Hazards Incidents Outcomes

Reduction
measures Emergency Response

Prevention Mitigation Prevention of

Elimination measures measures escalation
measures
Safety Case
“A documented body of evidence that provides a convincing and
valid argument that a system is adequately safe for a given
application in a given environment”
To implement a safety case we need to:
• make an explicit set of claims about the system
• produce the supporting evidence
• provide a set of safety arguments that link the claims to the
evidence
• make clear the assumptions and judgments underlying the
arguments
The Safety Case must demonstrate that the control measures are
adequate to eliminate or reduce as far as practicable risks
associated with Major Incidents
Demonstration is typically achieved through:
• Reference to Codes of Practice, Standards, Guidance, etc.
• Through risk assessment (qualitative or quantitative)
The safety case is a “living document” which evolves over the safety
life-cycle.
Reliability
Some opinions…
Some opinions…

George Trowbridge, Senior Consultant at oil &

gas technology specialists OTM Consulting:

With oil prices having risen dramatically the

drivers for subsea processing have changed.
Whilst in the past, the drivers that have
encouraged interest in this area have been
evenly spread between certain technical,
production and financial factors, production
related drivers (increased production rate,
increased ultimate recovery, etc.) are now seen
as being much more important. “Changes have
also been identified in oil companies’
perceptions of the barriers preventing the
uptake of subsea processing. Whilst both
psychological hurdles (e.g. the naturally risk
averse nature of oil companies) and financial
hurdles (e.g. capital costs) are still high on the
list of barriers to the uptake of subsea
processing, there has been a shift in
operator opinions so that now equipment
reliability and operability is now seen as the
highest ranked barrier.
Some opinions…
Some opinions…

API RP 17N
2009

Poor reliability can have a

major financial impact for all
organizations involved in
designing, manufacturing,
installing and operating
subsea equipment.
RAM DEFINITIONS
• RAM – Reliability, Availability, Maintainability
• Reliability - The ability of an item to perform a required function
under stated conditions for a stated period of time (BS4778) –
UPTIME
• Failure – The termination of the ability of an item to perform a
required function (BS4778) - FAILURE EVENT
• Maintainability - The ability of an item, under stated conditions of
use, to be retained in, or restored to, a state in which it can
perform its required functions, when maintenance is performed
under stated conditions and using prescribed procedures and
resources (BS4778) - DOWNTIME
• Availability - The ability of an item (under combined aspects of its
reliability, maintainability and maintenance support) to perform a
required function at a stated instant of time or over a stated
period of time (BS4778) - UPTIME / (UPTIME + DOWNTIME) or
MTTF / (MTTF + MTTR)
• Deliverability – The ability of a system to deliver gas to the LNG
plant (under combined aspects of availability and capacity)
understated conditions and at a stated instant of time or over a
stated period of time – (AVAILABILITY * CAPACITY)
RAM

Time to failure

working

not working

Time to repair

Take averages
MTTF MTTR

Mean Time to Failure Mean Time to Repair

Expressed in days or Expressed in hours or
years days
RAM
working

not working

MTTF MTTR

Mean Time to Failure Mean Time to Repair

Expressed in days or Expressed in hours or
years days

1
Failure Rate = called λ (lambda)
MTTF
Expressed in failures/year or failures/106 hours

Time-dependent Time-independent

-λt MTTF
For a constant failure rate λ… R = e Availability =
MTTF + MTTR
i.e. Reliability changes (reduces) with time

1
Re
Unavailability = 1 - Availability

MTTF 2 MTTF 3 MTTF

Reliability: Key Design Requirement

• Reliability is as fundamental a design requirement as function and

performance
• For every Functional requirement a Reliability requirement can (in
principle) be specified
– Function: Seal A must not leak
– Reliability: P(seal A does not leak) > 0.99

• For every Performance requirement a Reliability requirement can

(in principle) be specified
– Function: Valve must close in less than 10 seconds
– Reliability: P(time to close < 10) > 0.99
Failure Characteristics
• Different components fail in different patterns
– Flow components, chokes & valves - wear out
– Mechanical components, wellheads – long life
– Electronic components - fail early or last a long time
– Pressure containment, pipes – system fails pressure
test, or long life
– Environmental influences, CO2, H2S, chlorides, over-
protective CP and H2 build-up – corrode progressively
or induce rapid cracking failures
• These create various distribution, Normal, Exponential,
Weibull, etc.
• Simple Prediction uses Exponential = e ^ (t/mttf) as
approximation for linear failure rates
• Complex Simulation programs use distributions matched
to components
Factors influencing failure rate

In general the failure rate of a component or element

depends on four main factors:
(a) Quality
(b) Temperature
(c) Environment
(d) Stress

These factors are influenced by:

• the design process
• manufacture
• the way the system is operated
Probabilistic Design

Probability Distribution Function of Load and Resistance

Probabilistic Design of Pipelines

• DNV-OS-F101

• ALS Accidental Limit State

• FLS Fatigue Limit State
• SLS Serviceability Limit State
• ULS Ultimate Limit State
Availability
Availability Improvement
• Availability = MTTF / (MTTF+MTTR)

• It is express as a fixed ratio, NOT time dependent

• Availability can be achieved in 2 ways:

– Extend failure free operating period (reliability)

– Reduce time to restore system (maintainability)

• Subsea time to repair must include; Detection,

Location, Analysis of repair, Spares / repair kit,
Qualification, Mobilisation, Deployment, Repair
execution, Commissioning.

• Increased value in driving for Reliability rather than

Maintainability to achieve Availability
 Reliability & Repair Data

Reliability / Availability of Repairable Items

Assessment Period (t) 30 years

ITEM REPAIRABLE MTTF FAILURE RATE QUANTITY RELIABILITY UNRELIABILITY MTTR REPAIR RATE AVAILABILITY UNAVAILABILITY
ITEM X OF ITEMS OVER PERIOD OVER PERIOD u PROPORTION PROPORTION
years years^-1 No. Re=exp^(-Xt) 1-Re days years^-1 A=u / (X + u) 1-A
Hydraulic System Elements
1 Production Pipiing 10000 0.0001 1 0.99700 0.0030 100 3.650 0.999973 0.000027
2 Test / Vent Piping 5000 0.0002 1 0.99402 0.0060 100 3.650 0.999945 0.000055
3 10 inch 10 kpsi gate valve Isolation function 1000 0.0010 1 0.97045 0.0296 70 5.214 0.999808 0.000192
4 10 inch 10 kpsi gate valve HIPPS function 250 0.0040 1 0.88692 0.1131 20 18.250 0.999781 0.000219
5 1/2" Test Valve 250 0.0040 1 0.88692 0.1131 20 18.250 0.999781 0.000219
6 1/2" Vent Valve 250 0.0040 1 0.88692 0.1131 20 18.250 0.999781 0.000219
7 PZT Sensor 50 0.0200 1 0.54881 0.4512 20 18.250 0.998905 0.001095
8 HIPPS Hydraulic Module 210 0.0048 1 0.86688 0.1331 20 18.250 0.999739 0.000261
9 Check valve 500 0.0020 1 0.94176 0.0582 20 18.250 0.999890 0.000110
10 HIPPS SEM 42 0.0238 1 0.48954 0.5105 20 18.250 0.998697 0.001303
Types of Redundancy
• Classified on how the redundant elements are introduced into the circuit
• Active or Static Redundancy
– External components are not required to perform the function of
detection, decision and switching when an element or path in the
structure fails.
• Standby or Dynamic Redundancy
– External elements are required to detect, make a decision and switch
to another element or path as a replacement for a failed element or
path.
• Generally subsea systems (e.g. umbilicals, the MCS) use active
redundancy – hot standby

• As an alternative to redundancy, consider Diversity

– using alternative arrangements of a different kind
– e.g. the Back-Up Intervention Control system (BUICS) available on
Snohvit, in case the umbilical fails
Simple Parallel Redundancy
Active - Type 1

In its simplest form,

redundancy consists of a
simple parallel combination
of elements. If any element
fails open, identical paths
exist through parallel
redundant elements.
Bimodal Parallel Redundancy
Active - Type 3

(a) Bimodal Parallel/

Series Redundancy
A series connection of parallel
redundant elements provides
protection against shorts and
opens. Direct short across the
network due to a single element
shorting is prevented by a
(b) Bimodal Series/ redundant element in series. An
Parallel Redundancy open across the network is
prevented by the parallel element.
Network (a) is useful when the
primary element failure mode is
open. Network (b) is useful when
the primary element failure mode
is short.
Series and Parallel Availability Calculations

SAP Series - Availabilty - Product

Availability 72.000%
Umbilical Subsea
UnAvail 28.000%
Av 90.000% Av 80.000%
UnAv 10.000% UnAv 20.000%

PUP Parallel - Unavailability - Product

SCM A

Av 90.000%
UnAv 10.000% OR Availability 99.000%
MTTF yrs 4.5 UnAvail 1.000%
MTTR years 0.5

SCM B

Av 90.000%
UnAv 10.000%
MTTF yrs 4.5
MTTR years 0.5
Maintainability
Maintainability

• Philosophy - preventative, corrective, opportunistic

• Actions to demonstrate function is in good condition
– In service monitoring, testing and footprinting
– Corrosion monitoring
– Noise / vibration monitoring
– Fluid monitoring, sand detection, SRBs, chlorides, scale
• Repair planning and contingencies, pipeline repair systems,
spares stock holding, stand-by or call-off intervention contracts,
alternative temporary systems
• Access systems and tooling
• All aim to reduce MTTR
• Reliability Centred Maintenance
• Historic records, Trends, Predictive capability & feed back loops
Maintenance Philosophy

• Subsea  Excess Capacity (typical)

• Subsea  High Redundancy (typical)
– spare wells
– valves
– spare control systems
• Mobilise maintenance when…?
Maintaining the Gorgon Field
Deliverability
Deliverability

• Deliverability = Availability * Capacity

• Useful terms
– DCQ, Daily Contract Quantity
– Shortfall, Quantity not supplied
• Security of supply
• Contract shape and style
• Business Risk and Exposure
• Best Programs focus on the issue
• Used to understand, Quantify risk & contract accordingly
• Shapes contract terms DCQ to rolling 24 hour average quantity
Deliverability
• How to get high deliverability
– System analysis & engineering
– Understanding frequency & duration of failures
– Standard sizes and component rating at no extra cost
– De-bottlenecking & tuning capacity of system
– Line pack and storage
– Ability of downstream to respond to peak turn-up rates
– Capacity and ullage as pressure drops due to well failure
– Temporary increase of flow velocity / erosion limits wrt life
– N out of M philosophy and sparing insurance
• Operability studies & modelling
• Supply chain models based on “Just In Time” logistics
• Define value of Re Av De in relationship to project
Risk-Based Inspection (RBI)
RBI Philosophy
Typical Pipeline Breakdown
Pipeline RBI Plan

Hazard Mitigation Likel. Cons. Inspection Freq Likel. Cons.

Internal Corrosion All pH stabilisation 4 1 Corr Spools x 2 Alarm, monthly record 6 1

Iron counts & returns Monthly record

Probes Alarm, Monthly record

Coupons 6 monthly pull

Intelligent Pig 5 yearly

UT ROV Tool TBC

External Corrosion Subsea Coating, Anodes 5 1 ROV GVI FGCP 2 - 5 yearly 6 1

HDD Coating, IC system 4 1 Sys. parameters, CP Alarm, 6 monthly record 5 1

Buried Coating, IC system 4 2 Sys. parameters, CP Alarm, 6 monthly record 5 2

Exposed Coating 4 2 Visual, Guided wave Annual / 3 year 6 2

In Summary ...
The cost of failure - BP experience

These are the direct costs only, Foinaven also incurred:

• FPSO demurrage charges
• NPV of production (20% * 80,000 bbl/d * 300 days * 25USD / bbl) 120MUSD
• Share value erosion and significantly lower dividends for period
• Loss of public / shareholder confidence in BP abilities to manage
technology
• Reputation damage
• Tangible losses > 250MUSD, Measurable losses at least the same again
• Changed BP contracting philosophy, EPC to EPCM Managed Engineeirng
• Schiehallion SCM were run at single high pressure but DCV pilots were
not requalified and subsequently overstressed and leaked.
The BP Bathtub Curve
Value of Performance
An interesting echo from the 1970’s

or SAFETY