Post on 08-Nov-2020

PETROBRAS Rio, November 2014
ISO TC67 / WG4

ISO/TR 12489: Reliability modelling & calculation of safety systems. Presentation and applications

Jean-Pierre SIGNORET, ISO/TR 12489 project leader, reliability expert, TOTAL

Presentation of ISO/TR 12489

TR prepared by ISO TC67 WG4 / Project Group 3 (PG3). PG3 leader: Jean-Pierre Signoret (Total). WG4 convenor: Runar Østebø (Statoil).
Slide 3: Background

Numerous safety systems (SS) exist in industrial installations, hence the need for accurate reliability models and probabilistic calculations. More than 50 years of research and development have built extensive expertise in reliability modelling and probabilistic calculations, within two bodies:
- ISO TC 67/WG4: Reliability Engineering and Technology;
- IEC TC 65: Functional Safety standards.

Gaps identified, with regard to safety and with regard to production:
- no standard focused on safety systems;
- over-simplified approaches (*);
- plenty of accurate approaches available, but not shared.
(*) This has been improved in the new editions.

Hence the need to share expertise to fill the gaps and fulfil the needs: ISO/TR 12489.
- Proposed and achieved by ISO TC67/WG4/PG3; launched in 2008; developed from scratch, in parallel with the maintenance of IEC 61508 and IEC 61511;
- kept in line with IEC 61508-6 annex B;
- participating countries shown on the slide: FR, NO, UK, BR, BE, NI, CHN, US, NE, IT, SP;
- published in Nov. 2013.
Slide 4: ISO/TR 12489 outline

Reliability modelling & calculation of safety systems.
- This document deals with reliability modelling & calculations: simplified & non-simplified approaches; simple & complex systems; mathematical development of formulae not developed elsewhere; implementation of systemic approaches not explained elsewhere.
- This document deals with safety systems: Safety Instrumented Systems (SIS) and ordinary safety systems; failure of safety actions (impact on safety) and spurious actions (impact on dependability).
- This is a Technical Report: only informative matters; it aims to provide guidelines; a technical report is obviously "technical"!
- Links with the other ISO TC67/WG4 documents: production availability (ISO 20815) and reliability data collection (ISO 14224).
Slide 5: Overall framework of ISO/TR 12489

ISO 31000 risk management framework, with regard to safety, environment, production, operations, etc.:
- Risk assessment
  - Risk identification
  - Risk analysis: reliability analysis, modelling & calculations (this is where ISO/TR 12489 applies)
  - Risk evaluation
Slide 6: Target users of ISO/TR 12489

Management, technical staff, operators, manufacturers, consultants, reliability engineers, various stakeholders, certification bodies, safety authorities, universities, teachers & students. The slide maps these users to the general matters (core of the document) and to the general & methodological matters (core of the document and annexes).
Slide 7: Some examples of safety systems covered by ISO/TR 12489 (instrumented or not)

- Emergency / process shutdown: ESD, PSD, EDP.
- Overpressure protection systems: HIPS, HIPPS, pressure relief.
- Fire & gas systems: gas detection, fire fighting system, fire water system.
- Process control systems: control & monitoring, chemical injection.
- Public alarm systems: emergency communication.
- Emergency preparedness systems: evacuation system.
- Marine equipment: disconnection system, station keeping, ballast water.
- Electrical & telecom. systems: UPS, telecom.
- Other utilities: flare system, HVAC, material handling.
- Drilling & wells: well integrity, well completion.
- Subsea: ESD, PSD, HIPPS, isolation, diving.
- Etc.

31 systems are identified in the TR.
Slide 8: ISO/TR 12489 versus IEC 61508/511 and IEC TC56

- IEC TC65 (process sector, Safety Instrumented Systems): IEC 61508 parts 1 to 7, with probabilistic calculations in part 6 annex B (approximated formulae); IEC 61511 parts 1 to 3, with probabilistic calculations in part 3 annex J ("alternative" approaches, multiple safety systems).
- ISO TC 67/WG4 (Reliability Engineering and Technology): ISO/TR 12489, in line with IEC 61508 & IEC 61511, extended to spurious failures, to complex systems and to any kind of safety system; a self-contained document; link with ISO 20815.
- IEC TC56 (Dependability): methods.

What ISO/TR 12489 brings:
- bringing the methodology to the state of the art;
- detailed explanations of the proposed solutions to reliability engineers;
- identification and explanation of weaknesses;
- consolidation of the simplified approaches;
- demystification of the systemic approaches & provision of extensive solutions.
Slide 9: Distribution of the topics within the 260 pages of ISO/TR 12489

(Pie charts.) Overall content: general matters, approaches, typical applications, miscellaneous. Approaches: formulae, Boolean, Markov, Petri nets, general analytics, Monte Carlo, uncertainty. General matters: definitions, human factor, CCF, safety systems, reliability data. More than 30 safety systems are identified.
Introduction to functional safety concepts
Slide 11: SIL principle: identification of the risk reduction needed

Risk graph (frequency of dangerous events versus consequences of dangerous events):
- The process risk (risk without SIS, R1) is reduced by conventional means (1st, 2nd and 3rd protection layers) down to the tolerable risk (R2). ALARP: the minimum needed reduction.
- Risk Reduction Factor: RRF = R1/R2. Maximum reduction allowable for a layer that is not a SIF: 10.
- Safety Integrity Level (SIL), 4 sets of requirements: SIL 1: RRF = 10 to 100; SIL 2: RRF = 100 to 1 000; SIL 3: RRF = 1 000 to 10 000; SIL 4: RRF > 10 000.
- Example of a SIL-rated layer: HIPS.
Slide 12: From conventional safety system to Safety Instrumented System

Overpressure protection example: a conventional safety system (relief valve, API 14C) versus a Safety Instrumented System, the High Integrity (Pressure) Protection System (HIPS: pressure transmitters PT1, PT2, PT3 and logic L1, L2), covered by IEC 61508 / IEC 61511. Trade-offs: cost, size... and reliability?
Slide 13: Types of Safety Instrumented Systems (SIS)

Split according to the demand frequency (threshold: 1 per year):
- Low demand mode of operation: the measure is PFDavg, the average of the probability of failure on demand (functional safety standards), i.e. the average unavailability U(T) (reliability engineering).
- High demand or continuous mode of operation: the measure is PFH, the probability of failure per hour (functional safety standards), i.e. the average failure frequency w(T) (reliability engineering).
Slide 14: SIL: summary & difficulties

SIL applies to a Safety Instrumented Function. Probabilistic targets (the axis ticks on the slide are the IEC 61508 bands):
- PFD (low demand): SIL 1: 10^-2 to 10^-1; SIL 2: 10^-3 to 10^-2; SIL 3: 10^-4 to 10^-3; SIL 4: 10^-5 to 10^-4 (above 10^-1, up to 10^0: "SIL 0").
- PFH (high demand / continuous): SIL 1: 10^-5/h to 10^-4/h; SIL 2: 10^-6/h to 10^-5/h; SIL 3: 10^-7/h to 10^-6/h; SIL 4: 10^-8/h to 10^-7/h.
Deterministic constraints: Safe Failure Fraction (SFF) and Hardware Fault Tolerance (HFT).

Difficulties (relevance for safety?): definitions; simplified calculations; RRF links with PFD/PFH; splitting low / high demand modes; spurious failures; organisation of the works through the life cycle (formal process); SFF and HFT. Clarifications, explanations & improvements are proposed in ISO/TR 12489.
Introduction to the methods developed in ISO/TR 12489 for PFDavg calculations

Low demand mode safety systems: PFDavg, the average of the probability of failure on demand (functional safety standards), is the average unavailability U(T) (reliability engineering).
Slide 16: Probabilistic models overview

- Analytical methods (50 years of experience):
  - formulae: specific formulae, Taylor's expansion (developed when computers didn't exist);
  - Boolean approach: fault trees (FT), reliability block diagrams (RBD); generic tools;
  - Markovian approach: state-transition models (finite state automata); generic tools.
- Monte Carlo simulation (computer oriented): behavioural models, Petri nets, formal languages.
- State of the art: FT / RBD driven Markov processes; RBD driven Petri nets.
Simplified analytical approach
Slide 18: Simplest approximation of the PFDavg

Two parameters: λ (failure rate), τ (test interval). Component A alternates between OK and KO; a hidden (dangerous undetected) failure is revealed only at the next test, so the average hidden failure duration is τ/2.

Unavailability at time δ after a test: U(δ) = 1 - exp(-λδ) ≈ λδ (valid for τ << 1/λ).

Average over a test interval:
PFDavg = (1/τ) ∫_0^τ U(δ) dδ ≈ (1/τ) ∫_0^τ λδ dδ = λτ/2

Equivalently, the expected unavailability duration per interval is δ_unv ≈ (λτ)·(τ/2), i.e. probability of hidden failure × average hidden failure duration, and PFDavg ≈ δ_unv/τ = λτ/2.

This is the most famous formula in functional safety. But lim_{τ→0} PFDavg = 0, which is not realistic!
Slide 19: Approximation of the PFDavg from IEC 61508

Three parameters: λ (failure rate), τ (test interval), µ (repair rate; 1/µ is the average repair duration). Conditions: τ << 1/λ and 1/µ << τ (so τ - 1/µ ≈ τ).

Unavailability duration per interval: δ_unv ≈ λτ·(τ/2 + 1/µ)
PFDavg ≈ δ_unv/τ = λτ/2 + λ/µ
where λ/µ is the unavailability due to the revealed failures (repair after detection by the test).

This is the IEC 61508 formula, but influential parameters are still missing.
Slide 20: Approximation of the PFDavg with more parameters (ISO/TR 12489)

Parameters: λ (failure rate), τ (test interval), µ (repair rate), γ (probability of failure due to a demand), π (test duration, during which the component is KO), ψ (reconfiguration error). Conditions: τ << 1/λ, 1/µ << τ, π << τ (so τ - π ≈ τ).

Unavailability duration per interval:
δ_unv ≈ λτ·(τ/2) + λτ·(1/µ) + γ·(1/µ) + π + ψ·τ
PFDavg ≈ δ_unv/τ = λτ/2 + λ/µ + γ/(µτ) + π/τ + ψ

etc.: Taylor expansion for more complex cases.
Slide 21: Limit average unavailability versus test interval

Parameters: λ (failure rate), τ (test interval), µ (repair rate), γ (probability of failure due to a demand). Log-log graph of the average unavailability U ≡ PFDavg versus the test interval τ:
- not enough tests (large τ): U grows with λτ/2; too many tests (small τ): U grows with γ/(µτ);
- optimum τ_o ≈ √(2γ/(λµ)); the curve is flat in the vicinity of the minimum, and two test intervals τ1 and τ2 give the same U;
- the curve moves up when γ increases: hence the need for data collection to estimate γ.
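The approximations of slides 18 to 21 side by side, as an added example (this code is not from the presentation nor from ISO/TR 12489): the three formulae, the exact single-component average for comparison, and the optimum test interval checked against a brute-force scan. The parameter values are constructed for illustration.

```python
import math


def pfd_simplest(lam, tau):
    """Slide 18: PFDavg ~ lam*tau/2, the most famous formula (valid for tau << 1/lam)."""
    return lam * tau / 2.0


def pfd_exact_no_repair(lam, tau):
    """Exact average of U(d) = 1 - exp(-lam*d) over one test interval, no repair time.
    Shows how far the Taylor expansion drifts once lam*tau is no longer small."""
    return 1.0 - (1.0 - math.exp(-lam * tau)) / (lam * tau)


def pfd_iec61508(lam, tau, mu):
    """Slide 19: lam*tau/2 (hidden failures) + lam/mu (revealed failures under repair)."""
    return lam * tau / 2.0 + lam / mu


def pfd_isotr12489(lam, tau, mu, gamma=0.0, pi=0.0, psi=0.0):
    """Slide 20: adds the on-demand failure gamma (repaired after the test that reveals it),
    the test duration pi (component KO during the test) and the reconfiguration error psi."""
    return lam * tau / 2.0 + lam / mu + gamma / (mu * tau) + pi / tau + psi


def optimum_test_interval(lam, mu, gamma):
    """Slide 21: the derivative of the ISO/TR 12489 approximation with respect to tau
    vanishes at tau_o = sqrt(2*gamma/(lam*mu))."""
    return math.sqrt(2.0 * gamma / (lam * mu))


def scan_test_intervals(lam, mu, gamma, taus):
    """Brute-force check of the optimum on a grid of candidate test intervals."""
    return min(taus, key=lambda t: pfd_isotr12489(lam, t, mu, gamma))


if __name__ == "__main__":
    lam, tau, mu = 1e-4, 1000.0, 0.1      # constructed values, per hour; 1/mu = 10 h repair
    print("simplest      ", pfd_simplest(lam, tau))
    print("exact, no rep.", pfd_exact_no_repair(lam, tau))
    print("IEC 61508     ", pfd_iec61508(lam, tau, mu))
    print("ISO/TR 12489  ", pfd_isotr12489(lam, tau, mu, gamma=1e-3, pi=2.0, psi=1e-4))
    lam2, gamma2 = 1e-6, 1e-2
    print("tau_o         ", optimum_test_interval(lam2, mu, gamma2))
    print("grid optimum  ", scan_test_intervals(lam2, mu, gamma2, range(100, 2001, 10)))
```

With λ = 1e-4/h and τ = 1000 h the exact average is about 0.0484 against 0.05 from λτ/2: the Taylor expansion is conservative here, but only as long as λτ stays small (at λτ = 1 it gives 0.5 for an exact 0.37, so check the validity condition before trusting a formula).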
Slide 22: Simplest approximation of the PFDavg for redundant systems

Two parameters: λ (failure rate), τ (test interval); Taylor expansion with λδ << 1, i.e. τ << 1/λ.

- 1oo1 (component A), average hidden failure duration τ/2:
  PFDavg = (1/τ) ∫_0^τ U_A(δ) dδ ≈ (1/τ) ∫_0^τ λδ dδ = λτ/2
- 1oo2 (components A, B), average hidden failure duration τ/3:
  PFDavg = (1/τ) ∫_0^τ U_A(δ)·U_B(δ) dδ ≈ (1/τ) ∫_0^τ (λδ)^2 dδ = λ^2 τ^2/3
- 1oo3 (components A, B, C), average hidden failure duration τ/4:
  PFDavg = (1/τ) ∫_0^τ U_A(δ)·U_B(δ)·U_C(δ) dδ ≈ (1/τ) ∫_0^τ (λδ)^3 dδ = λ^3 τ^3/4

Even for the simplest systems, each case implies a specific Taylor expansion development. Because of the systemic dependencies (all components tested at the same instants), the average of the product is not the product of the averages:
U_AB,avg(τ) ≠ U_A,avg(τ)·U_B,avg(τ), U_ABC,avg(τ) ≠ U_A,avg(τ)·U_B,avg(τ)·U_C,avg(τ)
so it is not possible to combine the formulae. This leads to a catalogue of ad hoc formulae, which is not in line with the reliability analysis philosophy.
Multi-phase Markovian approach
Slide 24: Multi-phase Markov model

Three parameters: λ (failure rate), τ (test interval), µ (repair rate). States of component A: A (available), DU (dangerous undetected failure), R (repair).
- Behaviour during test intervals: Markov matrix [M] (A → DU with rate λ; R → A with rate µ; DU is absorbing until the next test). Within phase i, with δ the time since the last test:
  Pr_i(δ) = Pr_i(0)·exp([M]·δ)
- Effect of the test: linking matrix [C] (A → A, DU → R, R → R); the repair starts as soon as the fault is detected:
  Pr_i(0) = [C]·Pr_{i-1}(τ)
- Instantaneous unavailability: U(δ) = PFD(δ) = 1 - Pr_A(δ)
- Accumulated sojourn times: AST_i(τ) = ∫_0^τ Pr_i(δ) dδ, and the average over a test interval:
  PFDavg = U_avg(τ) = 1 - AST_A(τ)/τ
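The multi-phase Markov model of slide 24 in code, as an added example (not from the presentation or the TR): a small pure-Python matrix exponential, the generator [M] for one test interval, the linking matrix [C] applied at each test, and the accumulated sojourn time in state A giving PFDavg = 1 - AST_A/τ. The parameter values are constructed; the row-vector convention Pr_i(δ) = Pr_i(0)·exp([M]δ) is an implementation choice.

```python
A, DU, R = 0, 1, 2   # state indices: available, dangerous undetected failure, under repair


def mat_mul(x, y):
    n = len(x)
    return [[sum(x[i][k] * y[k][j] for k in range(n)) for j in range(n)] for i in range(n)]


def vec_mat(v, m):
    n = len(v)
    return [sum(v[k] * m[k][j] for k in range(n)) for j in range(n)]


def mat_expm(m, terms=25):
    """exp(m) for a small matrix: scaling and squaring plus a truncated Taylor series."""
    n = len(m)
    norm = max(abs(x) for row in m for x in row)
    s = 0
    while norm / (2 ** s) > 0.5:
        s += 1
    a = [[x / (2 ** s) for x in row] for row in m]
    ident = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    result = [row[:] for row in ident]
    term = [row[:] for row in ident]
    for k in range(1, terms + 1):
        term = [[x / k for x in row] for row in mat_mul(term, a)]
        result = [[result[i][j] + term[i][j] for j in range(n)] for i in range(n)]
    for _ in range(s):
        result = mat_mul(result, result)
    return result


def multiphase_markov(lam, mu, tau, n_phases=5, h=1.0):
    """[M] governs one test interval (A -> DU at rate lam, R -> A at rate mu, DU absorbing);
    [C] applies the test (DU -> R: repair starts as soon as the fault is detected).
    Pr_i(delta) = Pr_i(0) . exp([M] delta) and Pr_i(0) = Pr_{i-1}(tau) . [C].
    Returns, for the last phase (the cyclic steady state is reached after a few phases),
    PFDavg = 1 - AST_A/tau and the PFD just before the test."""
    M = [[-lam, lam, 0.0],
         [0.0, 0.0, 0.0],
         [mu, 0.0, -mu]]
    C = [[1.0, 0.0, 0.0],
         [0.0, 0.0, 1.0],
         [0.0, 0.0, 1.0]]
    P = mat_expm([[x * h for x in row] for row in M])   # one-step transition matrix exp([M] h)
    steps = int(round(tau / h))
    pr = [1.0, 0.0, 0.0]                                  # new component, available
    pfd_avg = pfd_max = 0.0
    for _ in range(n_phases):
        pr = vec_mat(pr, C)                               # effect of the test at the start of the phase
        ast_a = 0.0                                       # accumulated sojourn time in A (trapezoid rule)
        for _ in range(steps):
            nxt = vec_mat(pr, P)
            ast_a += 0.5 * (pr[A] + nxt[A]) * h
            pr = nxt
        pfd_avg = 1.0 - ast_a / tau
        pfd_max = 1.0 - pr[A]                             # U(delta) = 1 - Pr_A(delta) at delta = tau
    return {"pfd_avg": pfd_avg, "pfd_max": pfd_max}


if __name__ == "__main__":
    lam, mu, tau = 1e-4, 0.1, 1000.0                      # constructed values, per hour
    print(multiphase_markov(lam, mu, tau), "IEC 61508 approximation:", lam * tau / 2 + lam / mu)
```

For these values the model gives PFDavg ≈ 0.0492, slightly below the IEC 61508 approximation λτ/2 + λ/µ = 0.051, and a PFD of about 0.095 just before each test: the saw-tooth maximum is twice the average, which is exactly the information the formula alone cannot give.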
Slide 25: Typical saw-tooth curves for a single periodically tested component

Parameters: λ (failure rate), τ (test interval), µ (repair rate), γ (probability of failure due to a demand), π (test duration). Plots of U(t) and of its average U(T) versus T:
- classical saw-tooth curve (τ << 1/λ, 1/µ << τ): U(t) rises between two tests and drops at each test;
- panels for λ increasing, 1/µ increasing, τ increasing;
- when τ → 0 the curve becomes identical to that of rev-ealed faults.
Slide 26: Modelling the probability of failure due to the demand itself and the test duration

- Failure due to the test (γ): at each test the component fails with probability γ (transition A → R at the test) and remains available with probability 1 - γ; U(t) therefore does not return to zero after a test.
- Test duration (π): during the test the component is unavailable, U(t) = 1 for a duration π.
Fault tree approach
Slide 28: Fault tree driven Markov processes: principle for unavailability calculation

Leaf unavailabilities: the components are assumed independent, and each leaf k is modelled by a (multi-phase) Markov process giving U_k(t).
1. Establish U_k(t) for each leaf (Markov processes).
2. Select an instant t_i.
3. Calculate each leaf unavailability at t_i.
4. Calculate the system unavailability U_S(t_i) at the Top event of the fault tree (Top over E1, E2 and E3 in the example figure).
5. Repeat for N instants t_i distributed over the time interval [0, T] to obtain U_S(t).
Slide 29: OR gate, independent components

Two periodically tested components 1 and 2 with λ = 1e-4 /h and τ = 1000 h, so the usual value for each is λτ/2 = 5e-2; plots over 4 test intervals (0 to 4000 h).
- Usual calculation (PFDavg values combined through the OR gate): 9.75e-2. It is conservative, but gives no maximum value and cannot represent staggered tests.
- Correct calculation (PFD_i(t) combined through the OR gate, then averaged): simultaneous tests: max 1.81e-1, mean 9.37e-2; staggered tests: max 1.39e-1, mean 9.01e-2.
Be cautious: the usual calculation gives PFDavg only, not PFD(t).
Slide 30: AND gate, independent components

Same two components (λ = 1e-4 /h, τ = 1000 h, λτ/2 = 5e-2 each).
- Usual calculation (product of the PFDavg values): 2.25e-3. It is non-conservative, gives no maximum value, and staggering is not possible.
- Correct calculation (product of the PFD_i(t), then averaged): simultaneous tests: max 9.05e-3, mean 3.13e-3; staggered tests: max 4.6e-3, mean 1.92e-3.
Be very cautious: with an AND gate the usual calculation underestimates the PFDavg.
Slide 31: Parameters of a periodically tested component (dangerous undetected failures)

- Classical parameters (simplest models, IEC 61508): DU failure rate λ_DU, repair rate µ, test interval τ.
- Date of the 1st test (allows test staggering).
- Failure rate during the test (generally neglected; a small contributor).
- Test duration π and availability during the test (a big PFD contributor when the component is unavailable during tests).
- Probability of failure due to the test γ (a genuine probability of failure on demand).
- Test coverage σ (failures never tested, which should be discovered at the next test; generally ignored).
- Probability of reconfiguration failure ψ (generally ignored).
Slide 32: FT driven Markov processes: application to safety systems

Example fault tree: Top over E1, E2 & E3, reasonably independent. Fault tree inputs from multi-phase Markov processes (described in IEC 61508 Ed2):
- E1: simple saw-tooth curve, U1(t);
- E2: with on-demand failure (γ) and test coverage (σ), U2(t);
- E3: with test duration (π), unavailable during tests, U3(t).
Output: the system unavailability U_S(t) over [0, 40 000] and its average PFDavg.
RBD driven Petri net and Monte Carlo simulation approaches
Slide 34: Simulation of any probability law

Inverse transform method: let F(x) = P(X ≤ x) be the cumulative distribution function (cdf) of the wanted distribution X, and Z a random number uniformly distributed on [0, 1] (P(Z ≤ z) = z). Then x = F^{-1}(z) is distributed according to F(x).
Example: a delay δ exponentially distributed with rate λ:
δ = -ln(z)/λ
Slide 35: Random number generators

- Physical methods: trajectory of the roulette ball, thermal noise of a Zener diode.
- Decimals of π (several billion are known): 3.1415926535 8979323846 2643383279 5028841971 6939937510 5820974944 5923078164 0628620899 8628034825 3421170679 8214808651 3282306647 0938446095 5058223172 5359408128 ...
- Computer: pseudo-random number generators (J. von Neumann), e.g. the widely used linear congruential generators:
  X_{n+1} = (a·X_n + b) mod m
  The length of one revolution (the period) is their key property.
Slide 36: Periodically tested component (Petri net)

Places (local states): OK (available), DU (non-detected fault), D (detected fault), R (repair). The token marks the actual local state; arcs link places and transitions; transitions are events:
- Failure: OK → DU, delay exponentially distributed with rate λ; assertion !Ci = false (the component state variable Ci becomes false).
- Test: DU → D, deterministic delay δ = τ - (t mod τ), the time to the next test.
- Start of repair: D → R, delay δ = 0, fired when the predicate ??MT == true holds (a maintenance team is available); assertion !!MT = false.
- End of repair: R → OK, delay exponentially distributed with rate µ; assertions !!MT = true and !!Ci = true.
Predicate: availability of the maintenance team (MT). Assertion: state of the component (state variable Ci).
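One Monte Carlo run of the component of slide 36, fed by the inverse transform of slide 34 and the linear congruential generator of slide 35, as an added example (not the presentation's tool or code). Assumptions: the LCG uses the Numerical Recipes constants a = 1664525, b = 1013904223, m = 2^32; the maintenance team is always available (no ??MT wait); parameter values are constructed. The estimate is returned with the 90 % confidence interval of slide 40.

```python
import math


def lcg(seed, a=1664525, b=1013904223, m=2 ** 32):
    """Linear congruential generator X_{n+1} = (a X_n + b) mod m yielding uniforms on (0, 1).
    Constants are the Numerical Recipes ones (full period 2^32): fine for Monte Carlo,
    but predictable from a few outputs, so never a source of keys, nonces or tokens."""
    x = seed % m
    while True:
        x = (a * x + b) % m
        yield (x + 0.5) / m          # never exactly 0, so log() below is always defined


def exponential_delay(z, lam):
    """Inverse transform: delta = -ln(z)/lam is exponentially distributed with rate lam."""
    return -math.log(z) / lam


def one_history(rng, lam, mu, tau, horizon):
    """Play the Petri net once: OK -(lam)-> DU, revealed at the next test (t mod tau == 0),
    repaired with an exponential delay of mean 1/mu, then OK again. Returns the KO time
    (DU + R) accumulated over [0, horizon]; maintenance team assumed always available."""
    t, ko_time = 0.0, 0.0
    while True:
        failure = t + exponential_delay(next(rng), lam)            # OK -> DU
        if failure >= horizon:
            return ko_time
        test = math.ceil(failure / tau) * tau                       # the next test reveals DU
        repair_end = test + exponential_delay(next(rng), mu)        # D -> R -> OK
        ko_time += min(repair_end, horizon) - failure
        if repair_end >= horizon:
            return ko_time
        t = repair_end


def monte_carlo_pfd(lam, mu, tau, horizon, n_histories, seed=12345):
    """PFDavg estimate = mean KO fraction over the histories, with a 90 % confidence
    interval from the sample variance (normal approximation)."""
    rng = lcg(seed)
    fractions = [one_history(rng, lam, mu, tau, horizon) / horizon for _ in range(n_histories)]
    mean = sum(fractions) / n_histories
    var = sum((f - mean) ** 2 for f in fractions) / (n_histories - 1)
    half_width = 1.645 * math.sqrt(var / n_histories)
    return {"pfd_avg": mean, "ci90": (mean - half_width, mean + half_width)}


if __name__ == "__main__":
    lam, mu, tau = 1e-4, 0.1, 1000.0                 # constructed values, per hour
    est = monte_carlo_pfd(lam, mu, tau, horizon=4 * tau, n_histories=20000)
    print(est, "IEC 61508 approximation:", lam * tau / 2 + lam / mu)
```

With 20 000 histories of 4 test intervals the estimate lands near 0.049, consistent with the multi-phase Markov value for the same parameters, and the confidence interval is a few 1e-4 wide; with 500 histories, as on slide 40, it is roughly six times wider, which is why the number of histories is part of the result.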
Slide 37: RBD driven PN modelling: application to SIL calculations

- Simple periodically tested component (places OK, DU, D, R; transitions failure, test, start of repair with ??MT == true / !!MT = false, end of repair with !!MT = true): state variable A.
- Simple periodically tested component with repair team mobilisation: sub-PN with places OL (repair resources on location) and M (repair team mobilised), mobilisation delay with rate ω, and a counter NbR of failed components (!!NbR = NbR+1 at failure, !!NbR = NbR-1 at end of repair); the team is mobilised when ??NbR > 0 and released when ??NbR == 0. State variable E.
- Simple component with revealed failures (places OK, DD; transitions with rates λ_DD and µ): state variable D.
- SIS model as a virtual RBD: sensors A, B, C in 2oo3 giving O1, logic solver D giving O2, final elements E and F in parallel giving the global assertion S:
  O1 = A.B + A.C + B.C
  O2 = O1.D
  S = O2.(E + F)
- Monte Carlo simulation statistics: reliability, availability, frequency, giving the PFDavg and PFH required by IEC 61508 / ISO/TR 12489.
Slide 38: Parameter calculations: the magic sub-PN!

A two-place sub-PN (OK, KO) driven by the virtual RBD output S: transition OK → KO when ?? S = 0, KO → OK when ?? S = 1. From its marking:
- availability / unavailability: PFD(t) = probability that KO is marked at t; PFDavg = mean marking of KO;
- unreliability and MTTF: detection of the first failure (first time S = 0);
- PFH = failure frequency of the OK → KO transition (SIS not the ultimate layer);
- PFH ≈ 1/MTTF (ultimate layer), and for a single shot PFH ≈ F(T)/T (ultimate layer): beware of this formula.
Slide 39: Example of Monte Carlo output (50 000 histories)

Same SIS model (O1 = A.B + A.C + B.C; O2 = O1.D; S = O2.(E + F)). Plots over time (0 to 35 000): sensors availability; availability of the 3 sensors in 2oo3; logic solver with revealed failures (availability between 0.9984 and 1); availability of the safety valves; SIS availability (S); SIS unavailability PFD(t) (not S) with its average PFDavg.
Slide 40: Monte Carlo simulation uncertainties

Unavailability computed with 500 histories: the estimates of A(t) and of PFDavg come with a 90 % confidence interval, visibly wide for so few histories.
Slide 41: Other possible outputs

Plots versus time: unreliability; time to failure; accumulated number of failures; average failure frequency (converging towards a constant, linked to the MTTF).
Multiple safety systems
Slide 43: Two simple SIS acting in sequence

Process demand at frequency w; SIS1 (λ1, τ) and SIS2 (λ2, τ) are tested at the same instants. Situations: SIS1 works: perfect functioning (safe state); SIS1 fails and SIS2 works: degraded functioning (safe state); both fail: hazardous event.
Probabilities of failure at time t since the last test: U1(t) ≈ λ1·t, U2(t) ≈ λ2·t (F1(t) = λ1·t, F2(t) = λ2·t).
Hazardous event frequency with the instantaneous probabilities of failure at δ:
HEF_S = w·(1/τ) ∫_0^τ F1(δ)·F2(δ) dδ = w·(1/τ) ∫_0^τ λ1δ·λ2δ dδ = w·λ1λ2τ^2/3
Simplistic calculation with the average probabilities of failure (e.g. LOPA), PFD1 = λ1τ/2 and PFD2 = λ2τ/2:
HEF_S = w·PFD1·PFD2 = w·λ1λ2τ^2/4
This is not conservative: because of the systemic dependencies (common test instants) the risk reduction is over-estimated by 25 % (the simplistic HEF is 3/4 of the correct one).
Slide 44: Two redundant SIS acting in sequence

Same situations, but each SIS is now 1oo2 (SIS1: two channels λ1, τ; SIS2: two channels λ2, τ), so U1(t) ≈ (λ1·t)^2 and U2(t) ≈ (λ2·t)^2 (F1(t) = (λ1·t)^2, F2(t) = (λ2·t)^2).
HEF_S = w·(1/τ) ∫_0^τ F1(δ)·F2(δ) dδ = w·(1/τ) ∫_0^τ (λ1δ)^2·(λ2δ)^2 dδ = w·λ1^2 λ2^2 τ^4/5
Simplistic calculation (e.g. LOPA) with PFD1 = (λ1τ)^2/3 and PFD2 = (λ2τ)^2/3:
HEF_S = w·PFD1·PFD2 = w·λ1^2 λ2^2 τ^4/9
Not conservative: the risk reduction is over-estimated by 44 % (the simplistic HEF is 5/9 of the correct one). The effect of the systemic dependencies increases when the redundancy increases.
23
45- PETROBRAS Rio, November 2014 TC67/WG4
Event tree (multiple SIS) or fault tree (redundant SIS) calculation difficulties
Event tree: initiating event → protection layer 1 → protection layer 2 → protection layer 3, each layer failing with instantaneous probability p1(t), p2(t), p3(t) (and working with 1-p1(t), 1-p2(t), 1-p3(t)).
Scenario probabilities with instantaneous probabilities:
- 1 - p1(t)
- p1(t) [1 - p2(t)]
- p1(t) p2(t) [1 - p3(t)]
- p1(t) p2(t) p3(t)
Average probability of the worst scenario over the period T:
$$PFD_{avg} = \frac{1}{T}\int_0^{T} p_1(\tau)\,p_2(\tau)\,p_3(\tau)\,d\tau$$
Popular calculation with constant (asymptotic or average) probabilities p1, p2, p3: 1 - p1; p1 (1 - p2); p1 p2 (1 - p3); p1 p2 p3. This gives non-conservative results because of systemic dependencies and common cause failures. Explained in IEC 61511 and ISO/TR 12489.
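The gap between the two calculations above, as an added Python example (not code from the presentation or from ISO/TR 12489): it averages the product of the layers' instantaneous PFDs over the test interval and compares it with the product of their PFDavg values, for the two cases of slide 44 (two 1oo1 and two 1oo2 SIS in sequence, with the first-order models p(t) ≈ λt and p(t) ≈ (λt)²) and, going beyond the slide, for three identical layers. The failure rates, test interval and demand frequency are constructed values.

```python
"""Average-of-product versus product-of-averages for protection layers that
share one proof-test schedule. Added illustration of the calculation
difficulty shown on slides 44-45; the layer models are the first-order
approximations used on the slides and the numeric values are constructed."""
from typing import Callable, Sequence

# p(t): instantaneous probability of failure on demand, t hours after the last proof test
Layer = Callable[[float], float]


def single_channel(lam: float) -> Layer:
    """1oo1 layer with dangerous undetected failure rate lam (per hour): p(t) ~ lam*t."""
    return lambda t: lam * t


def one_out_of_two(lam: float) -> Layer:
    """1oo2 layer of two identical independent channels (no CCF): p(t) ~ (lam*t)^2,
    the U(t) ~ (lambda*t)^2 approximation of slide 44."""
    return lambda t: (lam * t) ** 2


def time_average(f: Callable[[float], float], tau: float, steps: int = 20000) -> float:
    """(1/tau) * integral from 0 to tau of f(t) dt, midpoint rule."""
    h = tau / steps
    return sum(f((k + 0.5) * h) for k in range(steps)) * h / tau


def average_of_product(layers: Sequence[Layer], tau: float) -> float:
    """Correct probability that every layer fails on a demand arriving at a
    uniformly distributed instant of the test interval: the time average of the
    product of the instantaneous PFDs (all layers are tested at t = 0, so their
    unavailabilities rise and fall together instead of being independent)."""
    def product(t: float) -> float:
        result = 1.0
        for p in layers:
            result *= p(t)
        return result
    return time_average(product, tau)


def product_of_averages(layers: Sequence[Layer], tau: float) -> float:
    """The 'popular' LOPA-style calculation: product of the layers' PFDavg values."""
    result = 1.0
    for p in layers:
        result *= time_average(p, tau)
    return result


def hazardous_event_frequency(w: float, layers: Sequence[Layer], tau: float,
                              simplistic: bool = False) -> float:
    """Hazardous event frequency = demand frequency w (per hour) times the
    probability that all layers fail on the demand."""
    pfd = product_of_averages(layers, tau) if simplistic else average_of_product(layers, tau)
    return w * pfd


def underestimation_percent(layers: Sequence[Layer], tau: float) -> float:
    """By how much the simplistic calculation under-estimates the hazardous event
    probability (i.e. over-estimates the risk reduction), in percent."""
    exact = average_of_product(layers, tau)
    return 100.0 * (1.0 - product_of_averages(layers, tau) / exact)


if __name__ == "__main__":
    TAU = 8760.0  # constructed: one year between proof tests (hours)
    W = 1.0e-4    # constructed: process demand frequency (per hour)
    cases = {
        "two 1oo1 SIS in sequence": [single_channel(1e-5), single_channel(2e-5)],
        "two 1oo2 SIS in sequence": [one_out_of_two(1e-5), one_out_of_two(2e-5)],
        "three 1oo1 protection layers": [single_channel(1e-5)] * 3,
    }
    for name, layers in cases.items():
        exact = hazardous_event_frequency(W, layers, TAU)
        simple = hazardous_event_frequency(W, layers, TAU, simplistic=True)
        print(f"{name}: exact {exact:.3e}/h, simplistic {simple:.3e}/h, "
              f"risk reduction over-estimated by {underestimation_percent(layers, TAU):.1f}%")
```

The two 1oo1 case reproduces the 25% of slide 43 (1/4 against 1/3) and the two 1oo2 case the 44% of slide 44 (1/9 against 1/5); with three single layers the under-estimation reaches 50%, which is the point of slide 45: the more layers or redundancy share a test schedule, the less conservative the product of averages becomes.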
46- PETROBRAS Rio, November 2014
Application in TOTAL
Jean-Pierre SIGNORET, ISO/TR 12489 project leader, Reliability expert, TOTAL
Pierre-Joseph CACHEUX, Reliability expert, TOTAL
47- PETROBRAS Rio, November 2014
From pencil and paper to computer!
Timeline of reliability studies and tools improvement (milestones as extracted from the figure; years shown: 1971, 1974, 1975, 1979, 1980, 1981, 1982, 1984, 2014):
- Emergency safety features, pressurized water reactors
- Safety instrumented systems, nuclear submarines
- Grondin north east
- Drilling with H2S near PAU
- Gulf of Biscaye drilling platform
- Mediterranean deep sea drilling
- SKULD (subsea platform)
- Survey and analysis of reliability tools
- Decision to develop the 1st version of our software tools
- 1st software tools: ADD, Markov
- ADD, BDF, Markov, RdP
- HIPS
- 2014: ISO/TR 12489 (safety and production), result of 40 years of R&D
From pencil, paper & formulae to software tools. Safety studies must be conservative!!!
48- PETROBRAS Rio, November 2014
Preferred techniques
Techniques: RBD, FT, Markov, PN (Petri nets)
Assessments (as extracted from the figure):
- Preferred representation of engineers
- Systemic method generally known by contractors
- Beloved by universities
- Used by ELF and TOTAL for 30 years
- Has allowed us to solve all our problems over 30 years
- Easy jump to flow diagrams
- Known by some contractors
Software workshop: FT or RBD driven Markov processes; stochastic RBD; Petro module (production availability); SIL module
Formulae:
• Very difficult to establish and understand
• PFD(t) not provided (problem for permanent SIL)
=> Not recommended by TOTAL E&P headquarters
49- PETROBRAS Rio, November 2014
Choosing the right technique
Decision flowchart (yes/no questions, from the figure):
- Is a simple series-parallel model usable?
- Can dependencies be neglected or conservatively approximated?
- Constant transition rates?
- Repairable components?
- Dependent components (single repair team, stand-by, spare parts, ...)?
- Exponential laws only?
- Number of relevant states manageable? (<100: handmade; <10^6: automatic)
Method to be used: static models (Reliability Block Diagram, Fault Tree) or dynamic models (Markov graph, Petri nets)
Typical cases: topside HIPS, subsea HIPS, small complex systems, FT driven Markov processes, periodically tested components
50- PETROBRAS Rio, November 2014
Design versus operation risks
Two PFD(t) plots over 0 to 26000 h with test interval T = 8760 h (values as read from the figure):
- Components tested at the same time: PFD(t) axis up to 1.5e-3; time spent in SIL zones 28.1% / 71.9%; 6300 h
- Staggered tests (more CCF tests): PFDavg 4.46e-4, maximum value 6.94e-4; 2460 h; permanent SIL3
Designer point of view: "PFDavg" (SIL3). Worker point of view: PFD(t) (SIL2 / SIL3 zones).
"Permanent" SIL is safer for operators.
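The designer's and the worker's points of view above, as an added Python example (not code from the presentation or from the GRIF tools): it samples the instantaneous PFD(t) of a 1oo2 system over one proof-test interval, once with both channels tested at the same time and once with staggered tests, and reports PFDavg, the maximum PFD(t) and the share of time spent in each SIL band. The failure rate, test interval and stagger are constructed values, so the percentages differ from the 28.1% / 71.9% of the slide; only independent dangerous undetected failures are modelled (no common cause failures), and the SIL band limits are the low-demand PFDavg ranges of IEC 61508-1 applied here to PFD(t).

```python
"""Instantaneous PFD(t) of a 1oo2 safety system versus its PFDavg, and the share
of the test interval spent in each SIL band, for channels tested at the same
time and for staggered tests. Added illustration of slide 50 with constructed
parameters; independent dangerous undetected failures only (no CCF)."""
import math
from typing import Dict, Tuple

# Low-demand SIL bands of IEC 61508-1 (PFDavg ranges), here applied to PFD(t):
# upper limits 1e-4 (SIL 4), 1e-3 (SIL 3), 1e-2 (SIL 2), 1e-1 (SIL 1).
SIL_UPPER_LIMITS = ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1))


def channel_unavailability(lam: float, t: float, tau: float, offset: float) -> float:
    """Probability that a channel proof-tested every tau hours (tests at
    offset + k*tau for every integer k) carries an undetected dangerous
    failure at time t: 1 - exp(-lam * time since its last test)."""
    since_test = (t - offset) % tau
    return 1.0 - math.exp(-lam * since_test)


def pfd_1oo2(lam: float, t: float, tau: float, stagger: float) -> float:
    """1oo2 of two identical independent channels; channel B's tests are shifted
    by `stagger` hours (0 = both channels tested at the same time)."""
    return (channel_unavailability(lam, t, tau, 0.0)
            * channel_unavailability(lam, t, tau, stagger))


def sil_band(pfd: float) -> int:
    """SIL band in which a PFD value falls (0 = worse than SIL 1)."""
    for sil, upper in SIL_UPPER_LIMITS:
        if pfd < upper:
            return sil
    return 0


def profile(lam: float, tau: float, stagger: float,
            steps: int = 8760) -> Tuple[float, float, Dict[int, float]]:
    """Sample PFD(t) over one full test interval (the pattern is periodic) and
    return (PFDavg, max PFD(t), fraction of time spent in each SIL band)."""
    h = tau / steps
    samples = [pfd_1oo2(lam, (k + 0.5) * h, tau, stagger) for k in range(steps)]
    counts: Dict[int, int] = {}
    for s in samples:
        counts[sil_band(s)] = counts.get(sil_band(s), 0) + 1
    share = {band: n / steps for band, n in counts.items()}
    return sum(samples) / steps, max(samples), share


if __name__ == "__main__":
    LAM = 5.0e-6   # constructed: dangerous undetected failure rate per channel (per hour)
    TAU = 8760.0   # constructed: proof-test interval (hours)
    for label, stagger in (("tested at the same time", 0.0),
                           ("staggered by half an interval", TAU / 2)):
        avg, peak, share = profile(LAM, TAU, stagger)
        zones = ", ".join(f"SIL{b}: {100 * f:.1f}%"
                          for b, f in sorted(share.items(), reverse=True))
        print(f"{label}: PFDavg={avg:.2e} (SIL{sil_band(avg)} for the designer), "
              f"max PFD(t)={peak:.2e}; time spent in zones: {zones}")
```

With these parameters both configurations have a PFDavg in the SIL3 band, which is all the designer sees; but with simultaneous tests PFD(t) rises above 1e-3 for roughly the last quarter of the interval (the worker is in the SIL2 zone), whereas with staggered tests the peak stays below 1e-3 and the SIL3 level is permanent.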
51- PETROBRAS Rio, November 2014
Background & general philosophy
Maximizing production under safe conditions: a compromise between safety (SIL, safety instrumented systems) and production (RAM, production assurance plan), within a standardization referential:
- IEC 61508: safety related systems (functional safety)
- IEC 61511: safety instrumented systems
- ISO 20815: production assurance plan
- ISO 14224: data collection
- ISO/TR 12489: safety systems (project leader)
- OREDA: reliability data
- IEC TC56 / UTE UF56 (FR) "Dependability" (chairman): ≈ 80 standards covering terminology, methodology, availability, maintenance, human factor, software, etc.
  - IEC 60300-1: dependability management
  - IEC 60300-3-1: guide on dependability
  - IEC 61703: mathematical formulae
  - IEV 191: terminology
  - IEC 61025: fault tree
  - IEC 61078: RBD (project leader)
  - IEC 62551: Petri nets
  - IEC/ISO 31010: risk management
- Methods & tools: design of safety, design of dependability, verification; compatibility between standards
52- PETROBRAS Rio, November 2014
Reliability data
IEC 61511 and IEC 61508 are probabilistic standards, but there was no requirement about data collection in their 1st editions: a weak point.
Insinuation of the idea that data collection is not important or not possible: "data being bullshit ... any simplistic calculations are well enough". Wrong reasoning!!! 15 years lost for data collection.
It is not legitimate to add uncertainty to uncertainty by using rough simplistic calculations.
Don't count too much on data from others: progress to be done to collect own field feedback (ISO 14224).
OREDA (Offshore Reliability Data Bank): preferred data set; 30 years of data collection; valid for E&P studies; input for accurate or conservative results; comparisons / sensitivity studies; conservativeness.
Side effect: usefulness of accurate calculation tools.
53- PETROBRAS Rio, November 2014 TC67/WG4
Probabilistic models overview
Simplified approaches: formulae (Taylor's expansion, specific formulae); approximations, underlying hypothesis, lack of flexibility; conservatism?
Systemic approaches (50 years of experience): FT and RBD (Boolean approach); state transition models, i.e. finite state automata (Markovian approach); behavioral models; solved by analytical methods or Monte Carlo simulation with generic tools; graphical representations, powerful algorithms, sound mathematics.
Progress direction: from simplified approaches for safety systems to systemic approaches for RAM & safety systems, a single framework for safety & dependability, with a good understanding of models.
54- PETROBRAS Rio, November 2014 TC67/WG4
Conclusions
ISO/TR 12489: in line with IEC 61508-6; identification of difficulties; consolidation of simplified approaches; detailed solutions for dangerous failures and spurious failures; raising of warnings; detailed explanations; demystification of systemic approaches.
- Should be used as a reference for SIL calculation
- Should be used as a reference for developing SIL software packages
- Should be used by anybody involved in probabilistic calculation of safety systems
Systemic approaches described in ISO/TR 12489 are used daily in TOTAL (RAM studies, safety studies, HIPS): feasibility is demonstrated on common safety systems. They are very effective and very easy to handle, and provide accurate models & results, provided relevant tools are used and a good knowledge of models is available.
55- PETROBRAS Rio, November 2014 TC67/WG4
That's all Folks... Any questions?...
56- PETROBRAS Rio, November 2014
SIL Bridge! PFDavg is not really a good indicator for workers in operation
57- PETROBRAS Rio, November 2014
• Spare Slides
58- PETROBRAS Rio, November 2014
Safety, Reliability and Integrity department (E&P branch)
Reliability team: RAM studies, safety studies, consulting, R&D studies, methods & tools, study coordination, interface with contractors, training, reliability data, hotline, joint venture, publications / dissemination, standardization, technological watch.
- Anticipate future needs; maintain knowledge; satisfaction of project needs
- Data collection: OREDA, preferred data set
- Standardization: IEC 61508/511, ISO/TR 12489; dependability (IEC TC56); adaptation to functional safety
- Contractors "encouraged" to use our tools
("You want the result next week, really?!!")
59- PETROBRAS Rio, November 2014
Examples of HIPS studies
Categories shown on the slide: studies managed by Headquarters (classical studies; atypical studies such as KO-Drum overflow); expertise & advice.
• AKPO anti surge
• OFON2
• OML 58
• BUFALO
• PECIKO
• BULISAA
• KAOMBO
• etc.
• ABK
• AL KHALIJ
• L4G
• OFON 2
• OML 100 WH
• MOHO BILONDO
• SP 11
• TP1 by pass
• AL JURF
• GIRASSOL
• etc.
• AKPO
• DALIA
• FORVIE
• HILD
• JAFRA
• ROSA-LIRIO
• KHARIR
• TIGF
• SHAH DENIZ
• etc.
Most of these HIPS are HIPPS.
60- PETROBRAS Rio, November 2014
Examples of RAM studies
Categories shown on the slide: managed by Headquarters; expertise & advice.
• KASHAGAN
• MOHO BILONDO
• QATAGAS
• DOLPHIN
• FLNG
• ICHTHYS
• JOSLYN
• LAGGAN
• TORMORE
• YAMAL LNG
• etc.
• ABK
• AHNET
• ANGUILLE
• BUL HANINE
• DALIA
• KAOMBO
• KHARYAGA
• MARTIN LINGE
• MLJ
• MOHO
• MTPS
• PNGF
• South SULIGE
• TEMPA ROSSA
• VEGA PLEYADE
• ADC
• AL JURF
• CLOV
• EGINA
• K5
• KCTS
• NKARIKA
• NKOSSA
• OML 100
• OML 58
• PAZFLOR
• PECIKO
• TIGF
• USAN
• YLNG
61- PETROBRAS Rio, November 2014
GRIF (http://grif-workshop.fr/): a systems analysis software for determining the key indicators of dependability: Reliability – Availability – Frequency – Performance – Safety.
General techniques: Fault tree, Markov, Petri nets, RBD
Specific modules: Petro, SIL (PFDavg, PFH), spurious failures
62- PETROBRAS Rio, November 2014
GRIF software packages: three packages
- Boolean package
- Markovian package
- Simulation package
Enables the user to choose the most suitable modelling technique. Includes pre-configured architectures, making modelling all the easier.
63- PETROBRAS Rio, November 2014
Boolean package: Fault Trees, Reliability Block Diagrams, Events Tree, SIL
Calculation engine: ALBIZIA
Notes on the figure: developed for the refining branch; for those who don't want to use fault trees!!!; allowing the use of a systemic approach instead of formulae.