Presentation quantitative risk assessment of BOP operations using BN

Programa de Atualização Profissional
Quantitative Risk Assessment of BOP
operations using Bayesian Networks
methodology summary
by Gláucio Bastos, M.B.A, Ch.E.

abstract
 target: presentation of a methodology for
application of Bayesian Networks (BN) in assessing
the likelihood of failures during operations of
subsea BOP closing, which can be generally applied
to offshore operations in the oil & gas industry

need
 accidents in the offshore oil & gas industry lead to
devastating consequences, as happened in 2010 when
failures at BOP closing may have occurred before blowout or
during operations prevented the isolation of the wells,
causing explosions aboard the rig Deepwater Horizon
 usually accidents in the offshore industry not only result
from a single failure but from the confluence of a number of
errors induced by various human, hardware, software,
mechanical and hidraulic factors
 human failures have proven origin in psychological, physical,
sociological and organizational factors

need
 while the hardware failures happen in electronic equipment
such as programmable logic controllers (PLC), distributed
discrete output (DO) modules, ethernet switches and other
electronic equipment used to control the operating systems
 sources of failures in software are developed programs such
as control logic implemented in PLCs and human machine
interface (HMI) running on computers
 mechanical and hydraulic systems are prime targets to be
controlled by hardware and software systems

methodology
 is based on techniques of quantitative risk analysis (QRA)
that have been used to reduce risk of failures during
offshore operations, including Markovian chains
implemented by BN, which allow the development of
versatile models for performance analysis of both
preventive (forward) and diagnostic (reverse)
 at he beginning models, such as flowchart or fault tree type
reliability algorithms, are converted directly into BN to risk
assessment, such as in the case discussed here, the
probability of failure of the subsea BOP closing function

methodology
 a flowchart represents an algorithm or process and shows
the steps of various events or transactions (represented in
the BN for its qualitative part of that are interconnected
parent and children nodes) whose connection through arches
define their order and causality (corresponding to the
probability table conditional - CPT which is the quantitative
part of the BN and is defined from historical data, expert
judgment or a combination of both)
 the 05 classes of risk factors examined - human, hardware,
software, mechanical and hidraulic - are combined in a BN to
assess their effects on the probability of failure during BOP
operation

methodology
 by the prediction function of BN, aiming to define the
system failure probability or reliability based on the
statistical data, the probability distribution of a variable is
calculated by marginalizing the joint probability distribution
of failure (product of the CPTs of all variables) regarding that
variable
 by the diagnostic function of BN, to define the influence of a
certain system variable in the occurrence of a failure, given
the observation (evidence) of a variable (or set of variables)
indicative of the occurrence of one or more failures in the
system, is computed the posterior probability distribution of
another variable, whose behavior is to be analyzed

methodology
 the last step of the methodology is the analysis of the model
by performing predictive and diagnostic functions of BN,
including sensitivity analysis of the system variables to
determine the class of the most influential risk factors for
failure in BOP closing and model validation from 03 axioms
to prove the correctness and rationality of the proposed BN

methodology
 the tool used in the sensitivity analysis of risk factors is the
influence strength - IS, based on entropy concept which
measures the relevance of the information stored in the
data, i.e. its potential to reduce uncertainty in the system
(measured by entropy) existing before the release of that
information
 the influence is evaluated between 02 interconnected nodes
of the chain by the value of IS measured on the arc
connecting the 02 nodes 02 which represents the strength
of information in both directions between these nodes

issue description
 the underwater BOP system consists of a control system and
a column as in following figure
 the control system includes electrical and fluid controls
 the surface components of the electrical control system
located in the rig make up the central control unit (CCU)
which provides full functional capability for BOP operations
 triple modular redundancy PLCs are used for transmitting
control signals from the CCU to the 02 subsea electronic
modules (SEM) located in the blue and yellow pods,
completely independents of each other

issue description
 the 02 SEMs control with full redundancy all operations of
valves and all communication with the CCU
 when a pod or the corresponding SEM fail, the other one is
used to operate the BOP without interference from the
inactive one
 fluid control systems consisting of high and low hydraulic
pressure systems are used to operate the BOP column
hydraulic system, consisting of pumps, accumulators, pipes,
hoses, etc.
 on drilling the primary barrier is the drilling mud while the
secondary is the BOP column, as it is designed to block the
well hole or the drill column

issue description
 02 types of shields are used: annular and ram
 during drilling BOP can be equipped with 01 or 02 annular
shields and with 04 or more rams, including 01 blind shear
and some pipe rams
 BOP is often tested according viable operating practices
 during the test or occurring a kick or blowout, the operator
shall promptly block the well hole through the annular or
ram BOP through similar operations for one or another type
 the case study considered here is the “subsea ram BOP“
operation which flow chart is as follows

issue description
 during normal operation, the blue and yellow pods are
energized although only 01 pod is hydraulically operated
 when the operator notices a kick or blowout from the HMI
screen he can send the command “block the subsea ram
BOP“
 when PLCs receive the signal the system checks which pod is
hydraulically activated
 in this case the blue pod is initially selected, so the yellow
pod is inactive and modules DO in blue SEM energizes the
blue solenoid direct drive valve (DDV) while the low hydraulic
pressure in blue pod drives the blue sub plate mounted valve
(SPM)

issue description
 after 10 sec. the system checks whether the SPM valve is
activated via a pressure fitting
 if so the system checks whether the ram BOP is completely
blocked by hydraulic high pressure after 20 sec.
 if ram BOP is closed, the operator sends the command “block
subsea ram BOP" and then the blue DDV valve is de-
energized and the blue SPM is disabled
 after 10 sec. disabling of blue SPM is checked
 if any checking fails, the control logic informs the operator to
hydraulically select the yellow pod
 the command “block subsea ram BOP" is run again but on
yellow pod
 when all checkings are successful, the operation is complete

issue description
 the flowchart of the command “block subsea ram BOP“ is
translated directly into a BN as shown in the following figure
 the flowchart represents the transactions processing while
the BN represents the relationship between events through
their occurrence probability
 in the flowchart the events of each column - left and right -
represent connectors of 02 parallel or redundant control
pods where one copy each other and therefore can not be
translated directly into a BN

issue description
 the failure of an event in each column causes the failure of
control pod with no provision for direct activation of another
pod in this case, so the BN information is sent to the node
"yellow | blue pod failure" and then representing the
activation of another pod by the operator, the node “pod
connector” receives this information
 as seen earlier this BN nodes are affected by 05 classes of
factors, each consisting of some risk factors or independent
faults affecting the operation performance, as shown in the
following figure

issue description

results
 according to the BN figure on slide 18 which depicts the a
priori and posterior probabilities in the 3rd month of the
facility operation, the success probability of the closing
subsea ram BOP operation is around 81% regarding the
redundancy imperfect coverage of hardware and software
factor as 95% and the probability of the result intrinsic error
being propagated from the uncertainties on data from expert
judgments and historical projections

results
 regarding risk factors sensitivity analysis, from the average IS
of each class its decreasing sequence in terms of degree and
significance for operation failure occurrence is as follows:
hidraulic ≈ mechanical >> human > software > hardware
 these results confirm that failures in the subsea BOP
operations are mainly caused by hydraulic and mechanical
factors
 the human factors contribution is low because the
submarine BOP column is not often operated since it is only
used for testing and during kicks and blowouts occurrence,
and its operation it is relatively easy for experienced
operators

results
 however when a major incident occurs involving a large
number of people, events and equipment then human
factors become relevant
 software and hardware factors have a smaller share in failure
occurrence thanks to the triple redundant control logic of
PLC and DO subsystems

results
 the figure above shows the result of variations on factors’ a
priori probability, confirming the higher sensitivity of the
system to failures from the first 02 factors classes while
showing light sensitivity to variations of the human factor
and insensitive to changes of software and hardware factors

results
 adjacent figure shows the analysis
repeating by BN over up to 06 months
operating time confirming increased
operation time leads to successful
operation probability decrease
 at the beginning the success probability is 96.1% instead of
100% for human and software factors out of these can cause
errors at any time while hydraulic, mechanical and hardware
start in perfect condition
 maintenance were not considered although in practice
maintenance of hardware, software and equipment
decreases the failure probability

resultado
 adjacent figure shows the time
influence on IS at 01, 03 and 05
operation months
 over time the effects of hydraulic
mechanical and hardware factors
increase out of they are used all the
time
 in the contrary the effects of human and software factors
decrease out of their a priori probabilities have uniform
distribution
 concluding, hydraulic and mechanical factors should receive
greater attention for improvement of the BOP performance,
including application of increased reliability redundancy
techniques

results
 human risk factors should receive more
attention in offshore operations analysis as a
whole, e.g. on drilling since it is proven that
human factors are generically the main
contributors to operational failures

model checking
 consists in proving that the model is a reasonable
representation of the real system
 the model should satisfy the 03 axioms:
 a slight increase / decrease in a priori probability of each
parent node should lead to a relative increase / decrease
in posterior probabilities of child nodes;
 the magnitude of variations influence in a parent node
probability should be consistent with that one of the child
node; and
 the total magnitude of variations influence in the
combination of 'x' attributes probabilities should be
always larger than that of a full set of 'x – y’ (y ∈ x)
atributes

model checking
 the exercise of increasing parent node probabilities of each
factor class and checking the influences result satisfies the 03
axioms, partially validating the model out of, e.g.:
 when the "Company_Polices" risk probability is 100%, the
success probability falls from 81% to 78%
 also when the "Company_Standards“ risk probability is
100%, the success probability drops to 73%
 finally when the "Organizational_Factor“ last parent node
together with the former 02, i.e. "Procedures“ node also has
risk probability of 100%, the success probability drops to 69%

Presentation quantitative risk assessment of BOP operations using BN

More Related Content

Viewers also liked

Similar to Presentation quantitative risk assessment of BOP operations using BN

More from Gláucio Bastos

Recently uploaded

Presentation quantitative risk assessment of BOP operations using BN