Anadarko, NASA complete first phase of probabilistic risk assessment of generic 20K BOP
Study highlighted dearth of reliability data available for key components such as shuttle valves and blind shear rams
David Kaplan, NASA Johnson Space Center, and James Raney, Anadarko Petroleum Corp
In 2015, Anadarko Petroleum Corp was engaged in an appraisal drilling program in the Shenandoah Field in the Gulf of Mexico. The Shenandoah Field is located in deepwater (approximately 6,000 ft) and is considered high-pressure, high-temperature (HPHT) because the mud line shut-in pressure exceeds 15,000 psi. Anadarko had completed an analysis in 2013 on the 15,000-psi blowout preventer system (15K BOP) using the external hydrostatic pressure of seawater at 6,000 ft and found that the existing 15K BOP system equipment could meet the drilling mode load requirements. However, a 20,000-psi blowout preventer (20K BOP) would eventually be required for subsequent completion and intervention work. Anadarko set out to develop this new 20,000-psi BOP equipment.
The new technologies required for this challenging operating environment also needed a new look at risk assessment. Anadarko approached NASA for outside verification where risks could be analyzed in more detail than current industry tools allowed and appropriately mitigated.
WHY NASA?
On initial thought, one might not suspect how much the International Space Station has in common with the operations of a deepwater drilling vessel. Yet, both are extremely complex engineering structures. Both exist in a hostile environment. Both operate in remote locations where movement of crew and supplies must be carefully choreographed. Human reliability plays a critical role on both. The oil and gas industry, as well as the aerospace industry, has a deep commitment to personal and process safety. Both have onboard crews and “onshore” support experts, which NASA calls “Mission Control.” And frankly, for both, a catastrophic failure is not an option.
At NASA, qualitative techniques – such as failure modes and effects analyses (FMEA), hazard assessments, etc – are used to understand risk based on design characteristics, experience and failure reporting systems. Similarly, the oil and gas industry uses qualitative tools, such as HAZIDs, HAZOPs, bow-tie charts, etc, to assess risk. However, at NASA, these qualitative approaches are augmented by a quantitative risk management technique called probabilistic risk assessment (PRA), which helps to uncover and mitigate low-probability sequences of events that can lead to high-consequence outcomes.
In October 2015, NASA and Anadarko signed a Space Act Agreement to perform a PRA analysis of a generic BOP. NASA provided analysts and modelers with extensive PRA knowledge; Anadarko provided subject matter experts with detailed knowledge of BOPs. The team worked together to produce a PRA model of a generic BOP, which was completed in January 2017.
OVERVIEW OF THE BOP PRA PROCESS
PRA is a tool that is used extensively in the nuclear power industry and in human spaceflight. It is a comprehensive, structured and disciplined approach to identifying and analyzing risks in engineered systems and/or processes. It attempts to quantify rare event probabilities of failures and takes into account all possible events and influences that could reasonably affect the system or process being studied. Figure 1 provides an overview of the steps required to perform a PRA.
In PRA, numeric values are used for the probability of an occurrence and its consequence. In addition, PRA captures the compounding of effects between multiple scenarios or events. In essence, it allows an analyst to quantify failures and their impact on the overall system.
A PRA begins with a clear statement of the undesirable, high-consequence event to be avoided, which is termed “the end state.” For the BOP PRA model, the end state was loss of containment (LOC) that may result in a release of hydrocarbons to the environment.
Next, the scope of the PRA needed to be defined. The scope included the hardware systems, operations and human interactions associated with a typical subsea BOP (Figure 4). The physical boundary of the analyzed system is limited to the BOP and lower marine riser package (LMRP) equipment.
The functions that were modeled in this analysis were those performed by the annular BOPs, the blind shear ram, the casing shear ram, and the upper, middle and lower pipe rams. The model also included the blue and yellow pods, which contain the hydraulic valves and controls for the functions. The model was restricted to the BOP itself, control pods, stack-mounted control components and the subsea components that are attached to it. The surface hydraulics and the electronic control portion of the system were not modeled. This PRA model was meant to be based on a generic BOP configuration similar to those currently in operation.
A review of initiating events that could lead to the activation of the BOP indicated that well kicks and loss of position disconnects represent the major challenges to the BOP. Consequently, “well kick” and “loss of position” were identified as the initiators. It was not in the scope of the analysis to assess the likelihood or causes of these initiators.
Two event trees were subsequently created. These event trees depict a series of actions in response to each initiator and form a sequence of events with branches representing success or failure paths. One event tree modeled the success or failure of the human operator and the BOP hardware to prevent loss of containment in the aftermath of a well kick. The second event tree modeled the success or failure of the human operator and BOP hardware to prevent loss of containment following an emergency disconnect in response to loss of position.
The event trees are supported by fault trees. The fault trees in the PRA model contain the majority of the failure logic and are made of basic events, which contain the failure calculations that are at the core of the analysis. In the BOP well kick and disconnect models, each top event in the event tree is linked to a particular fault tree.
All basic event probabilities are modeled as probability distributions, each with a mean value and a measure of uncertainty. The primary data sources used in this analysis were:
1. OREDA Offshore and Onshore Reliability Data 6th Edition;
2. The Foundation for Scientific and Industrial Research (SINTEF) Reliability Data for Safety Instrumented Systems 2013 Edition; and
3. Non-electronic Parts Reliability Data (NPRD)-2016 from Quanterion Solutions.
The first two are the preferred sources since they contain data specific to oil and gas operations.
Consideration was also given to common cause failures (CCF), which are dependent failures of (usually) redundant components. CCFs can occur due to many factors, including:
• Environmental factors (vibration, thermal stress, humidity, etc);
• Manufacturing defects;
• Human error (installation error, improper maintenance, etc); and
• Design error.
Based on the results, CCF turned out not to be a significant contributor to the overall risk of the BOP in this model. The risk turned out to be dominated by single-point failures and human errors.
Human performance is critical to the safe operation of the drilling rig and BOP. Human reliability analysis (HRA) is the predictive study of human errors in safety-critical domains like nuclear power generation, human space missions and deepwater drilling operations. Human error, in this context, describes any person’s action or inaction that increases the likelihood of the loss of hydrocarbon containment.
Not all human activities result in scenarios that are significant risk contributors. Therefore, only human activities that contributed significantly to the total risk were modeled. In this case, four HRA items were identified to be significant enough to be modeled:
• Operator fails to shift from the yellow pod to the blue pod if there is a problem with the yellow pod;
• Operator fails to realize a kick has occurred or does not take correct action in time;
• Operator did not initiate planned disconnect successfully in time; and
• Operator fails to initiate emergency disconnect successfully.
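The mechanics described above, as an added Python example that is not code or data from the Anadarko/NASA study: a loss-of-position event tree whose top events are backed by fault trees, with each basic event drawn from a lognormal distribution and a common cause term for the two pods. The tree structure, every probability and every error factor are constructed assumptions chosen only to show how the quantification and the ranking of contributors are carried out.

```python
import math
import random

# Constructed (mean, lognormal error factor) per demand; NOT data from the study.
BASIC_EVENTS = {
    "operator_no_disconnect": (1e-2, 3.0),   # HRA: emergency disconnect not initiated
    "operator_no_pod_swap":   (1e-1, 3.0),   # HRA: no shift from yellow to blue pod
    "yellow_pod":             (2e-2, 3.0),
    "blue_pod":               (2e-2, 3.0),
    "pod_ccf":                (2e-4, 5.0),   # common cause failure of both pods
    "shuttle_valve":          (3e-3, 10.0),  # single point, sparse data: wide spread
    "blind_shear_ram":        (5e-3, 10.0),  # single point, sparse data: wide spread
}

def p_or(*ps):
    """Probability that at least one independent event occurs (OR gate)."""
    return 1.0 - math.prod(1.0 - p for p in ps)

def loc_probability(p):
    """Conditional P(loss of containment | loss of position) for one set of values."""
    # Fault tree: CCF, OR yellow pod fails AND (blue pod fails OR operator does not swap).
    control = p_or(p["pod_ccf"],
                   p["yellow_pod"] * p_or(p["blue_pod"], p["operator_no_pod_swap"]))
    shear_seal = p_or(p["shuttle_valve"], p["blind_shear_ram"])  # no redundancy
    return p_or(p["operator_no_disconnect"], control, shear_seal)  # event tree path

def means():
    return {name: mean for name, (mean, _) in BASIC_EVENTS.items()}

def sample(rng):
    """Draw every basic event from a lognormal with its mean and error factor."""
    draw = {}
    for name, (mean, ef) in BASIC_EVENTS.items():
        sigma = math.log(ef) / 1.645          # EF = 95th percentile / median
        mu = math.log(mean) - sigma ** 2 / 2  # so the distribution mean is `mean`
        draw[name] = min(1.0, rng.lognormvariate(mu, sigma))
    return draw

def monte_carlo(n=20000, seed=1):
    rng = random.Random(seed)
    runs = sorted(loc_probability(sample(rng)) for _ in range(n))
    return {"mean": sum(runs) / n, "p05": runs[int(0.05 * n)], "p95": runs[int(0.95 * n)]}

def importance():
    """Fractional drop in LOC probability when one basic event is made perfect."""
    base = loc_probability(means())
    return {k: 1 - loc_probability({**means(), k: 0.0}) / base for k in BASIC_EVENTS}

if __name__ == "__main__":
    print(monte_carlo(), importance())
```

With these constructed inputs the redundant pods and their common cause term contribute about 1% of the result, while the non-redundant shuttle valve and blind shear ram carry both a large share of the mean and most of the spread between the 5th and 95th percentiles.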
KEY INSIGHTS FROM THE GENERIC BOP PRA MODEL
For the event tree where a well kick was the initiating event, results were dominated by a failure of the operator to take timely action. For this scenario, risk-mitigating efforts may need to focus on the human response to the well kick. Careful training, with clear command responsibilities identified, combined with enhanced detection capabilities, would help to reduce the risk of human error. Automation would be helpful if it could be reliably and practically implemented. A key takeaway from the recognition of human error contribution was that reducing equipment failure rates may not materially reduce risk until human error can be substantially reduced.
For the event tree where a loss of position was the initiating event, human error was significant but not as overwhelming. Failures of blind shear ram and shuttle valves were important contributors.
Data was limited for some key BOP components, such as the shuttle valves and the blind shear ram, which are also single-point failures in the generic design analyzed. This highlights the importance of high-quality reliability data in general and the need for an industry focus on collecting and maintaining databases for this data. Given that data used in this study is generic in nature, the current model results are viewed as preliminary at this time.
NEXT STEPS
Anadarko and NASA have agreed to expand the BOP PRA model to include:
• BOP surface control systems and control system sensors;
• Emergency disconnect sequence;
• Deadman and autoshear sequence;
• Hydraulic lines and MUX cables; and
• Mud system sensors, mud logger sensors, and driller shack sensors.
This next set of work began in July 2017 and is planned to be completed in 10 months.
This article is based on a presentation at the 2017 IADC Well Control Conference of the Americas, 29-30 August, Galveston, Texas.