DNV-RP-A203: Qualification Procedures For New Technology · Det Norske Veritas has in year 2000 and...

RECOMMENDED PRACTICE

DET NORSKE VERITAS

DNV-RP-A203

QUALIFICATION PROCEDURES FOR NEW TECHNOLOGY

SEPTEMBER 2001

Comments may be sent by e-mail to [email protected] subscription orders or information about subscription terms, please use [email protected] information about DNV services, research and publications can be found at http://www.dnv.com, or can be obtained from DNV, Veritas-veien 1, N-1322 Høvik, Norway; Tel +47 67 57 99 00, Fax +47 67 57 99 11.

© Det Norske Veritas. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, including pho-tocopying and recording, without the prior written consent of Det Norske Veritas.

Computer Typesetting (FM+SGML) by Det Norske Veritas.Printed in Norway by GCS AS.

If any person suffers loss or damage which is proved to have been caused by any negligent act or omission of Det Norske Veritas, then Det Norske Veritas shall pay compensation to such personfor his proved direct loss or damage. However, the compensation shall not exceed an amount equal to ten times the fee charged for the service in question, provided that the maximum compen-sation shall never exceed USD 2 million.In this provision "Det Norske Veritas" shall mean the Foundation Det Norske Veritas as well as all its subsidiaries, directors, officers, employees, agents and any other acting on behalf of DetNorske Veritas.

FOREWORD

DET NORSKE VERITAS (DNV) is an autonomous and independent foundation with the objectives of safeguarding life, prop-erty and the environment, at sea and onshore. DNV undertakes classification, certification, and other verification and consultancyservices relating to quality of ships, offshore units and installations, and onshore industries worldwide, and carries out researchin relation to these functions.

DNV Offshore Codes consist of a three level hierarchy of documents:

— Offshore Service Specifications. Provide principles and procedures of DNV classification, certification, verification and con-sultancy services.

— Offshore Standards. Provide technical provisions and acceptance criteria for general use by the offshore industry as well asthe technical basis for DNV offshore services.

— Recommended Practices. Provide proven technology and sound engineering practice as well as guidance for the higher levelOffshore Service Specifications and Offshore Standards.

DNV Offshore Codes are offered within the following areas:

A) Qualification, Quality and Safety Methodology

B) Materials Technology

C) Structures

D) Systems

E) Special Facilities

F) Pipelines and Risers

G) Asset Operation

Acknowledgement

Det Norske Veritas has in year 2000 and 2001 developed DNV RP-A203 "Qualification procedures for new technology" in co-operation with industry partners. The project was part of the Norwegian Research Council programme, DEMO 2000, and fundedby DEMO 2000, Norsk Hydro, Statoil, Norske Shell (via the field development license Ormen Lange), Kværner Oil and Gas,CorrOcean (with contribution from Marintec) and Det Norske Veritas.

DET NORSKE VERITAS

Recommended Practice DNV-RP-A203, September 2001

CONTENTS

1. OBJECTIVE........................................................... 5

2. SCOPE..................................................................... 5

3. APPROACH ........................................................... 5

3.1 Qualification (definition) ........................................5

3.2 Proven technology (definition) ...............................5

3.3 New technology (definition) ....................................5

3.4 Basis for the qualification .......................................5

3.5 Qualification results ................................................5

3.6 Use of results ............................................................5

3.7 Who performs qualification? .................................5

3.8 Motivation ................................................................5

3.9 Who benefits from the Procedure? ........................5

3.10 Development of the reliability ................................5

3.11 Qualification process ...............................................5

3.12 Procedure presentation ...........................................6

4. DEFINITIONS AND REFERENCES .................. 6

4.1 Definitions ................................................................6

4.2 References ................................................................7

5. GENERAL REQUIREMENTS ............................ 7

5.1 Objective...................................................................7

5.2 Planning....................................................................7

5.3 Philosophy ................................................................7

5.4 Principles ..................................................................7

5.5 Classification of Technology...................................7

5.6 Referencing standards ............................................8

5.7 Confidentiality .........................................................8

5.8 Documentation.........................................................8

5.9 Verification and third party engagements ...........8

5.10 Alternative methods ................................................8

6. QUALIFICATION BASIS .................................... 9

6.1 Objective...................................................................9

6.2 System descriptions and specification ...................9

6.3 Limiting parameter critical item list .....................9

7. RANKING OF FAILURE MODES ..................... 9

7.1 Objective...................................................................9

7.2 Introduction .............................................................9

7.3 Failure mode identification and presentation.......9

7.4 Determining risk....................................................10

8. MAINTENANCE AND MODIFICATIONS..... 12

8.1 Objective ................................................................ 12

8.2 Introduction........................................................... 12

8.3 Failure mode screening......................................... 13

8.4 Maintainability analysis ....................................... 13

8.5 Maintenance planning .......................................... 13

8.6 Modifications ......................................................... 13

9. RELIABILITY DATA COLLECTION............. 13

9.1 Objective ................................................................ 13

9.2 Introduction........................................................... 14

9.3 Priority ................................................................... 14

9.4 Parameter effect .................................................... 14

9.5 Data target ............................................................. 14

9.6 Planning of data collection ................................... 14

9.7 Tests........................................................................ 15

10. RELIABILITY..................................................... 16

10.1 Objective ................................................................ 16

10.2 General ................................................................... 16

10.3 Input data............................................................... 17

10.4 Methods.................................................................. 17

APP. ACHECKLIST - FAILURE MECHANISMS - DATA BASE ...................................................................... 19

A.1 Failure mechanisms checklist................................... 19

APP. BITEMS OF CONCERN – CAUSES OF FAILURE MECHANISMS – SOFTWARE QUALIFICATION .... 21

B.1 Introduction .............................................................. 21B.2 Qualification basis.................................................... 21B.3 Ranking of failure modes ......................................... 21B.4 Maintenance and modifications ............................... 22B.5 Computer software ................................................... 25

APP. CEXAMPLES IN THE APPLICATION OF DNV-RP-A203.................................................................... 26

C.1 Introduction .............................................................. 26C.2 A subsea booster pump, Framo ................................ 26C.3 Qualification of massproduced components ............ 34C.4 A subsea multiphase pump; Kværner Eureka .......... 34

DET NORSKE VERITAS


DET NORSKE VERITAS


1. ObjectiveThe objective of this procedure is to provide a systematic ap-proach to the qualification of new technology, ensuring thatthe technology functions reliably within specified limits.

2. ScopeThe procedure is applicable for components, equipment andassemblies, which can be defined as new technology, in hydro-carbon exploration and exploitation, offshore.

3. Approach

3.1 Qualification (definition)Qualification is a confirmation by examination and provisionof evidence that the new technology meets the specified re-quirements for the intended use.

Hence, qualification is a documented set of activities to provethat the technology is fit for purpose.

3.2 Proven technology (definition)In the field, proven technology has a documented track recordfor a defined environment.

Such documentation shall provide confidence in the technolo-gy from practical operations, with respect to the ability of thetechnology to meet the specified requirements.

3.3 New technology (definition)New technology is technology that is not proven.

This implies that the application of proven technology in a newenvironment or an unproven technology in a known environ-ment, are both new technology. The degree of new technology(see Sec.5.5) will be classified in categories to be used as inputto risk assessment (see Sec.7.4 ).

3.4 Basis for the qualificationThe qualification shall be based on specified performance lim-its, boundary conditions and interfacing requirements definedin the qualification basis (see Sec.6).

3.5 Qualification resultsThe result of the qualification is a statement and documenta-tion of fitness of purpose, implying:

— the lifetime probability density distribution and/or, — defined margins against specified failure modes.

3.6 Use of resultsThe qualification results can be used:

— as an acceptance for implementation of new technology— for comparison between alternative technologies— as input in the evaluation of the reliability of a larger sys-

tem that the qualified new technology may be a part of.

3.7 Who performs qualification?The owner, the buyer or a third party can perform the qualifi-cation.

3.8 MotivationA rational qualification philosophy and an approach with focuson a balanced use of reliability, ensures a cost effective imple-mentation of technology and increases the level of confidence.

3.9 Who benefits from the Procedure?The procedure sets the scene for qualification of a new technol-ogy and serves the following:

— The manufacturer, who offers the new technology to themarket and therefore needs to display a proof of fitness forpurpose.

— The company, who integrates the new technology into alarger system, and needs to evaluate the effect on the totalsystem reliability.

— The end-user of the new technology, who must optimisethe benefits of his investment through selection betweencompeting technologies.

3.10 Development of the reliabilityThe qualification process can be run throughout the develop-ment of the new technology, or be started at any time in the de-velopment. Figure 3-1 illustrates that the failure probability atthe service life target is reduced through the qualification workuntil a remaining failure probability is concluded.

Figure 3-1Illustration of the qualification process. Qualification is achievedwhen the acceptance percentile crosses the target level for theservice life.

A qualitative approach can be practical to use in the early de-velopment phase (conceptual). Quantitative measures are rele-vant in the later development phase.

3.11 Qualification processA risk-based approach is used to obtain the reliability goals inthe qualification. These goals shall be specified in the qualifi-cation basis, see Sec.6. The procedure specifies the philoso-phies, principles and methods to be used in the qualificationprocess. At each step of the process there is a need for docu-mentation making the process traceable. The qualificationprocess comprise the following main activities:

— Establish an overall plan for the qualification. This is acontinuous process and needs updating after each step us-ing the available knowledge on the status of the qualifica-tion.

— Establish a qualification basis comprising: requirements,specification and description. Define the functionality andlimiting parameters for the new technology.

— Screening the technology based on identification of failuremodes and their risk, and classification of the technologyin degree of newness to focus the effort where the relateduncertainty is most significant.

— Assess maintenance, condition monitoring and possiblemodification effects to reduce the risk.

Target

Concept Design Prototype manufacturing

Qualification phases

Ser

vice

Life

Compliance with target

Upperlimit

Lifetime ProbabilityDensity Distribution

Acceptance Percentile

Lower limit

Testing Pilot

DET NORSKE VERITAS


— Plan and execute reliability data collection. The data isused to analyse the risk for not meeting the specificationsthrough: experience, numerical analysis and tests.

— Analyse the reliability of the new technology, and therebythe risk of the failure modes related to the functional re-quirements of the new technology.

These logical steps in the qualification process are combinedand visualised in groups in Figure 3-2. The results from onestep are the input to the next step.

Figure 3-2Main qualification activities

Feedback loops between the steps implies that results that lieoutside the specified limits can lead to a design modification,specification modification or maintenance plan modification.

Software can be qualified according to the same process, butsince software is a universal concept, special procedures havebeen developed, that preferably, can be used. The main pointsin such a procedure are described in Appendix B.

3.12 Procedure presentationThis procedure is presented as follows:

— Introductory information is presented in Sec.1, 2, 3 and 4.— General requirements are presented in Sec.5.— Qualification of software is well described in existing

standards. The main points from the existing standards arepresented in Appendix B.

— Requirements for equipment and systems are presented inSecs. 6 to 10.

— The most detailed level, represented by examples, is pre-sented in the Appendices.

The procedure text states requirements, which have been sup-plemented with guidance to ease the understanding. Guidancehas been inserted in the text in the following way:

Guidance note:Text

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

4. Definitions and references

4.1 DefinitionsThe following definitions are based on generally recognisedstandards.

QUALIFICATIONBASIS

MAINTENANCE ANDMODIFICATION

EFFECTS

DATA COLLECTION,PLANNING AND

EXECUTION

RELIABILITYANALYSIS

QUALIFIEDTECHNOLOGY

RANKING OFFAILURE MODES

Pla

nnin

g Term DefinitionFailure Termination of the ability of an item to

perform the required (specified) func-tion.

Failure frequency The number of failures divided by the time(calendar or operational).

Failure mechanism The physical, chemical or other process which lead or have led to a failure.

Failure mode The observed manner of failure (on a specified level).

Failure probability The probability of failure occurring within a specified time period, or at a specified condition (e.g. at the start of an engine).

FME(C)A Failure modes, effect (and criticality) analysis

HAZOP Hazard and operability studyMargins The difference between the actual utili-

sation and utilisation at failureMTTF Mean Time To FailureNew Technology New technology is technology that is

not proven. Proven Technology Proven technology has a documented

track record in the field for a defined environment.

Qualification Qualification is a confirmation by ex-amination and provision of evidence that the new technology meets the spec-ified requirements for the intended use.

Reliability The ability of an item to perform a re-quired function under given conditions for a given time interval.

Risk The combined failure probability and consequence of failure, see Sec.7.4.5.

Technology The scientific study and use of applied sciences, and the application of this to practical tasks in industry.

Verification Confirmation by examination and pro-vision of objective evidence that speci-fied requirements have been fulfilled (ISO 8402:1994).

DET NORSKE VERITAS


4.2 References

4.2.1 Standards

4.2.2 Text Books

5. General requirements

5.1 Objective

This section represents general requirements related to thequalification of the new technology.

5.2 Planning

5.2.1 General

A plan shall be established for the qualification. This plan shallcontrol the qualification activities. The plan shall identify theoverall qualification process, using elements from Figure 3-2.At the appropriate phase a detailed plan shall identify the meth-ods to be used to assure the intended reliability and margin to-wards each failure mode, see Sec.9.6. The qualification planshall be revised at each phase of the development project, orwhen there is a major impact from the qualification process onthe expected results. A basis for the detailed data collectionplanning is described later in this document and in the Appen-dices.

Guidance note:It may be an advantage in the full-scale testing and later market-ing of the product, to include an end user in the complete quali-fication process.

There may be an advantage in defining milestones in the qualifi-cation plan. Milestones can be major steps in the qualificationprocess or activities or tests that will have a major impact on theresult. These can coincide with milestones in the developmentproject.

An example plan for qualification of a sub sea booster pump isshown in Appendix C.

For components produced in large numbers and used in differenttypes of systems, the need for standardisation and thereby costreduction often governs the qualification strategy, as indicated inAppendix C.


5.2.2 Lists of critical items

Lists of critical items provide a means of ensuring that all vitalaspects of the technology in the qualification process are ad-dressed. As part of the qualification process the following listsshall be provided:

— Limiting boundary conditions for the system, i.e. dimen-sioning loads and requirements to interface with the input.

— The failure mechanisms (Appendix A).

The latter shall be based on the methods described in Sec.7.

5.3 PhilosophyThe qualification shall be based on the following philosophy:

1) The qualification process shall be based on a systematicapproach.

2) Possible failure modes shall be identified, and their rele-vance shall be determined based on their risk, i.e. the com-bined probability and consequences of a failure modeoccurring. Risk in this context is related to the functional-ity of the new technology.

3) Theoretical analysis and calculations shall, when practi-cal, be used as the main tool to document fulfilment of thespecifications and margins against failures. The theoreti-cal calculations shall be verified by tests.

4) Measurements and tests shall be used as the main tools todocument that manufacturing and assembly fulfils thespecifications.

5.4 PrinciplesThe following principles shall control the qualification:

1) Specifications and functional requirements shall be quan-titative.

2) The margins for capacities and the margins to failure, shallbe established based either on recognised methods, stand-ards, or on combinations of all uncertainties used in the da-ta, operation, calculations and tests.

3) When experience is used as proof of fulfilment of the spec-ifications and reasonable “margins”, it shall be document-ed.

4) The limiting material and functional parameters to be usedin the analysis shall be identified through tests, see Sec.9.7or reference to recognised literature.

5.5 Classification of TechnologyNew technology aspects affect a risk determination. Sec.7.4describes general risk determination for failures for both prov-en and new technology. The following methodology facilitatesfollow-up of the risk of new technology by focusing on the de-gree of its newness and categorisation in classes.

This classification implies the following:

1) No new technical uncertainties.

2) New technical uncertainties.

Id. No. NameIEC 60300-1 Dependability management.BS 5760 Reliability of systems, equipment and

componentsPart. 5 Guide to failure modes, effect and crit-

icality analysis (FMEA and FMECA)Part 8 Guide to assessment of reliability of

systems containing softwareISO Guide to the Expression of Uncertainty

in Measurements (1995).IEC 61508 Functional safety of electrical/electron-

ic/programmable electronic safety re-lated systems, part 1-7 (International Electrotechnical Commission

ISO/IEC 9126 Information technology -- Software product evaluation – Quality character-istics and guidelines for their use.

Z-016 NORSOK STANDARD, Regularity Management & Reliability Technology

ISO 14224 Petroleum and gas industries - Collection and exchange of reliability and maintenance data for equipment.

Cooke, R., Experts in Uncertainty – Opinion and Subjective Probability in Science. Oxford University Press, 1991.

Høyland, A. & Rausand ,M. System Reliability Theory; Models and Statistical Methods. NTNU 1994.

Application area

TechnologyProven Limited field history New or unproven

Known 1 2 3New 2 3 4

DET NORSKE VERITAS


3) New technical challenges.

4) Demanding new technical challenges.

This classification applies to the totality of the applied technol-ogy as well as each separate part, function and subsystemforming it. It shall be used to highlight where care must be tak-en due to limited field history.

Technology in Class 1 is proven technology where provenmethods for qualification, tests, calculations and analysis canbe used to document margins.

Technology defined as Class 2 to 4 is defined as new technol-ogy, and shall be qualified according this procedure. The dis-tinguishing between 2, 3 and 4 makes it possible to focus onthe areas of concern. (Requirements for tracking the Class; SeeSec 7.4.5.1.)

5.6 Referencing standardsThe qualification shall preferably be performed with referenceto generally recognised and justified standards using the mar-gins as defined in such standards. For technology where thereis no standard available, one shall consider using standards de-scribing comparable technologies, in which case only the rele-vant parts that are applicable shall be used. Margins shall bedefined based on analysis and or tests in case the standard doesnot define such margins or there is no standard applicable.

The relation between margins and failure probability is dealtwith in Sec.7.4.3 and Sec.9.

Guidance note:Parts of standards:Standards for “topside” equipment and systems do not cover ap-plications “subsea” and “downhole”. Therefore, only relevantparts should be referenced. Failure probability and margins by use of standards:Standards applicable to material fatigue and other time depend-ent deteriorating mechanisms often indicates the failure probabil-ity both as Mean Time To Failure and as a lower band. Most standards, however, do not indicate any combination ofsafe margins in relation to the failure probability. Therefore, thefailure probability must be established based on a combination ofexperiences, analysis and testing.An example of a frequently used standard without any failureprobability estimate is the pressure vessel standard ASME 8 Div1 (99 issue). It indicates a margin to ultimate rupture of at least3.2. This margin includes mainly uncertainties related to the ma-terial quality and the conditions under pressure test. The uncer-tainties in materials can be reduced, such as specified in DNVOS-F101 for submarine pipelines. This standard for long pipe-lines indicates a margin to rupture of at least 1.43 for a pipelineclass defined by the failure probability less than 10-4 failure peryear.


5.7 ConfidentialityConfidentiality of the technology shall not limit the informa-tion made available for the qualification.

Guidance note:It is assumed that confidentiality between parties is arranged bycontracts to that purpose. The available documentation and in-sight into the qualification process for the client may follow threealternatives:

- An open qualification scheme. This implies that all informa-tion is available.

- A qualification open to a third party recognised by both par-ties.

- The original qualification documentation is not accessible.Full function and endurance tests according to the specifica-tions must document the qualification, in addition to the sup-plier’s statement of qualification.

The latter may imply more extensive testing than the former.These tests must in principle demonstrate acceptable margins forall conditions. For equipment, it further implies testing of a suf-

ficient number of units to develop statistical data. This method issometimes used for electronic systems.


5.8 Documentation

5.8.1 GeneralThe available documentation related to the qualified systemshall, when applicable, comply with the following:

System:

— description and specification (see Sec.6)— general arrangement drawings with position numbers re-

lated to part list and materials identification, and lay outdrawings.

— material specifications— detailed drawings of items subject to qualification— process and instrument diagrams— quality assurance plan.

The documentation of the qualification shall include the fol-lowing, when applicable:

Design criteria:

— references with justification to applied standards, rules andregulations

— reference to other criteria.

Documentation of key items in the qualification process de-scribed in this publication:

— failure mode analysis, including specification of personnelcompetence.

— list of all assumption made in the final failure mode assess-ment

— description and justification of methods (experience, anal-ysis and tests) applied for qualification

— resulting margins to failure modes— limit values (maximum or minimum) functions from anal-

yses and tests, such as the capacity for a pump— system reliability.

Manufacturing and installation:

— material certificates— manufacturing records— personnel qualification record— installation records.

Revisions:

— records of all document revision including content of revi-sion.

5.9 Verification and third party engagements A third party is typically used to:

— performing independent analyses and tests to improve thereliability as part of the qualification process

— assessing and witnessing the qualification process or spe-cific analyses and tests to confirm compliance with thisprocedure.

The latter item is termed verification. The verification shallfollow a plan and specify which part of the qualification proc-ess that is included. The verification shall be concluded by ver-ification reports or statements, for the issues described in thisprocedure.

5.10 Alternative methodsAlternative methods to those described in this procedure maybe used provided that they are supported by equivalent evi-dence of the suitability of their application.

DET NORSKE VERITAS


6. Qualification basis

6.1 ObjectiveThe objective of the following subsections is to define a basisfor the qualification process, detailing the requirements for theinformation describing the technology and its required func-tions. The qualification basis shall serve as input, defining thelimits, to the qualification activities.

6.2 System descriptions and specificationThe new technology shall be unambiguously and completelydescribed, through drawings, text, data, or other relevant doc-uments. The specification shall identify all phases of the newtechnology’s life and all relevant main parameters.

The specification with the available detail level at each phaseof the development process, is the input to the qualificationprocess.

It shall include at least the following items:

— general system description— functional limitations and main data— authority requirements — main principles for:

— storage— transportation— installation— operation and maintenance— abandonment

— interfacing system requirements— environment and loads— main principles for manufacturing and quality assurance — lists of assumptions and conditions to be fulfilled from the

qualification process (generated in the qualification proc-ess)

— reliability— health, safety and environment (HSE) requirements

The specification and functional requirements shall be quanti-tative and complete.

6.3 Limiting parameter critical item listKey issues such as dimensioning loads, capacities and func-tional requirements from the qualification basis shall be sum-marised in a limiting parameter critical items list to be used inqualification process. This ensures that the relevant input pa-rameters for analyses and tests are used and updated with pos-sible changes in design during the qualification process.

7. Ranking of failure modes

7.1 ObjectiveThe objective of the following sub-sections is to describe theprocess leading to identification, including a risk ranking, offailure modes with underlying failure mechanisms (seeFigure 7-1) for the new technology. Risk is the combined fail-ure probability and consequence of failure as detailed inSec.7.4 and explained in the following. The failure mode rank-ing is the basis for assessment of risk reducing measures; main-tenance and modifications (Sec.8) and reliability datacollection ( Sec.9), and reliability assessment (Sec.10).

7.2 IntroductionA failure mode assessment shall identify all possible failuremodes with underlying failure mechanisms, for the technolo-gy. The evaluation shall take into account each of the phases ofthe new technology’s service life. The failure modes shall be

ranked based on their risk (function of probability of occur-rence and consequence).

All failure modes shall be registered and handled through theuse of appropriate lists throughout the qualification processkeeping track of all changes, assumptions, risk category, cate-gory of new technology, probability of occurrence and safetymargins to failure (See Appendix A, for a proposed list).

The following diagram identifies the main activities of the fail-ure mode assessments:

Figure 7-1Failure mode identification and screening

7.3 Failure mode identification and presentation

7.3.1 General

Breaking the system down into manageable subsystems eitherbased on function or hardware will simplify the identificationof possible failure modes and failure mechanisms. For com-plex systems one shall apply a hierarchical structure to identifyfailure modes. The hierarchical structure shall be based onfunctions and sub-functions or a combination with hardwarecomponents.

This shall include all operational modes of the technology. Afunctional analysis shall be performed to identify all relevantfunctions of hardware components. The failure modes shall bepresented in a systematic manner.

Guidance note:The operational phases can be:

- transportation and storage- installation- activation and commissioning- operation- retrieval and abandonment.

A list of failure modes should preferably be established in theearly development phase and supplemented or updated duringfurther design, manufacturing and testing (See Sec.7.3.5). An ex-ample of a list is shown in Appendix A. This list is similar to tra-ditional FMECA tables, but includes additional relevantinformation.


SYSTEM ANALYSIS

FAIiLURE MODEIDENTIFICATION� Failure mode

PROBABILITY ESTIMATESBased on

RISK CLASSIFICATIONCombining

RISK RANKINGFocus on

CONSEQUENCE ESTIMATESFor the

� Sub-system/Components

� Technology itself� Surrounding system

� Experience� Analysis and tests

� Consequence� Probability

� Risky failure modes� New technology areas

� Functions/phases

� New technology areas

DET NORSKE VERITAS


7.3.2 System analysis using main functions and sub-func-tionsThe functions shall be classified into main and sub- functions,with further sub-division into units and components.

Guidance note:The main function is a fulfilment of the intended purpose of theequipment. The sub-functions are the functions that support oradd up to the main function.Each system is divided into a number of main functions, e.g.pumping, heat exchanging, containment, separation.The sub-functions are tasks which are necessary for the satisfac-tory implementation of the main function e.g. depressurisation,shutdown process, control, containment, monitoring, start-up.When defining both main-function and sub-functions the de-scriptions should provide answers to the following questions:

- What are the characteristic tasks? (Actions)- What is being treated, transported, monitored or stored? (Me-

dium)- If a process, where is the medium or energy delivered? (From

- to)- What are the performance requirements? (Requirements)- When is the function started up? (Mode of operation)


7.3.3 System analysis using hardware components and unitsThe hardware shall be subdivided into system, equipment, sub-unit and item, see definitions and Figure 7-2.

7.3.4 Failure mode identification Qualified personnel shall be used to identify potential failuremodes, including failure root causes and failure mechanisms.The persons' relevant qualification shall be documented. Thedocumentation shall identify the relevant technological areasthat the failure mode evaluation intends to cover.

A systematic for identification of possible failure modes andrelated failure mechanisms shall be established and described.

The initial failure mode identification shall consider conserva-tive case probability and consequence. The updating of this in-itial probability and consequence shall then consider theeffects from activities and features such as, maintenance pro-grammes, condition monitoring, and qualification activities asdescribed in Sec.8 and Sec.9.

Guidance note:This systematics can be based on traditional FMECA by individ-uals or in group work similar to HAZOP sessions. Group ses-sions will improve the identification of possible failure modes ina technology covered by several technological disciplines.For the purpose of avoiding unintentional mixing of effects fromassumed mitigating actions, it is recommended to clearly showand document an evolution of the failure modes.In general a failure might be identified as a failure mode, a failurecause, a failure effect, a failure mechanism and a root cause, seeFigure 7-2.

Figure 7-2Relationship between failure cause, mode and effect.

The identification is as shown in Figure 7-2 related to the level ofhardware assembly. The failure mode on one level is the failurecause on the next higher level, and the failure effect on the nextlower level. In the context of this document, it is important to per-form the system break down to the level of the failure mecha-nisms. This enables a systematic check of the margin to failure ascovered by Sec.9. These relations are documented in a FailureMode Effect Analysis (FMEA) sheet as shown in Appendix A. References for FMEA/FMECA:

- BS 5760, Part 5, Guide to failure modes, effects and criticalityanalysis

- IEC-60300-9, Part 3: Application guide - Section 9: Riskanalysis of technological systems.


7.3.5 Failure mode detection

Failure modes detected during the quality control at manufac-turing, the qualification tests, fabrication acceptance tests orlater operations shall be recorded and documented. The docu-mentation shall include the date detected, the description of thefailure mode, other observations and the identity of the origi-nator.

When a failure or failure mode is detected in the qualificationprocess, the occurrence of the failure mode shall be evaluatedwith regard to the three following cases:

1) Failure mode occurred within the expected frequency ofoccurrence according to the analysis

2) Failure mode occurred with a higher frequency of occur-rence

3) Failure mode has not been considered

In case 2 the basic assumptions for the frequency of occurrenceshall be re-evaluated. This re-evaluation shall include implica-tions for any models used. In case 3 there shall be an evaluationstating if this failure mode represents a set of failure modes notconsidered, or if this failure mode represents a unique modeleft out of the total evaluation.

7.4 Determining riskRisk is the combined failure probability and consequence offailure as detailed in Sec.7.4.5 and explained in the following.In this context, risk is the risk of a failure mode occurring withregard to the functionality of the new technology.

The risk estimates shall be updated during the qualificationprocess, utilising the information from mitigating actions,which is will be made available through the process.

The risk assessment shall be performed at the level of detailrelevant for the respective development phases.

Item level(seal)

Subunit(pump)

Equipment(pump withinstrumentslubrication)

No totalshutdown

Internalleakage

Leakagefrom sealing

FailureMechanism

RootCauses

Internalleakage

No totalshutdown

Leakage fromsealing

Internalleakage

FailureEffects

- Poor- usage outsidespecification- Wrongspecification

- Corrosion-- Hardening- Etc.

FailureCause

FailureCause

FailureEffects

FailureMode

FailureMode

DET NORSKE VERITAS


7.4.1 ConsequenceConsequences of failure shall, when relevant, be detailed for:

— the new technology— surrounding and interfacing systems— operation and repair— health, safety and environment, HSE.

Guidance note:One way to categorise the consequence groups follows:Consequence for new technology:

- insignificant- reduced part of main function- loss of parts of main function- loss of main function- loss of main function and damage to interfacing and surround-

ing systems.Consequences for surrounding and interfacing system:

- no effect on interfacing and surrounding systems- insignificant effect on interfacing and surrounding systems- shutdown of interfacing and surrounding systems- noticeable damage to interfacing and surrounding system - severe damage to interfacing and surrounding system.Further economical consequences are:

- lost production- repair options and spare parts- mobilisation and repair time.These are consequences for economy and enables cost estimates.The maintenance and repair, are results of the strategy covered inSec.8. A selection of a typical sample installation is beneficial fora cost example. Cost varies over time and location. For deep wa-ter and subsea well systems, the cost of the vessel hire will nor-mally dominate. The consequence classes for the HSE issue is normally catego-rised:

- Health & Safety – degree classes for potentials for personnelinjuries and fatalities.

- Environment – degree classes for the volume or rate of spill,or directly the degree of environmental effects when this is es-tablished.

Typical overall consequence classes used in the offshore industryare illustrated in Table 7-1, at the end of this document.


7.4.2 Failure Probability - GeneralA probability of failure shall be established for each failuremode as defined for the specified consequence category (seeSec.7.4.1). The early development phases (concept) could usequalitative measures. When the technology is qualified, thenquantitative measures shall be given for ”failure modes of con-cern” (see Sec.7.4.5.). Methods to use for documentation ofquantitative failure probability are detailed in Sec.9 and shallbe based on identified sources, such as:

— test results— numerical analysis based on recognised methods— relevant documented experiences— engineering judgement by qualified personnel.

Failure modes related to technology classed as new technologyshall be given particular attention and treated conservativelywhen the probability is assessed. The degree of conservatismshall increase the higher the new technology Class (2 to 4). Theconservative assumptions shall be justified and documented.

Guidance note:Expectations for target failure probability based on engineeringjudgement and information from databases, are commonly usedin the initial development phases. The offshore industry oftenutilises the following databases in the initial phase, before a fail-ure probability has been proven by actual experience, analysis ortest.:

OREDA – Offshore Reliability Data – The data are available ina handbook published 1997. Information is available on the In-ternet address: http://www.sintef.no/sipaa/prosjekt/oreda/hand-book.html.WELLMASTER – Reliability of Well Completion Equipment.Data can be made available on an electronic format via the fol-lowing Internet address: http://www.sintef.no/sipaa/prosjekt/wellcomp.html.PDS Handbook: 1999, Reliability Data for Control and SafetySystem Software. Internet address: www.sydvest.com/pds-data.Further databases are:HRD4, BRITISH TELECOMMUNICATIONS PLC. Handbookof reliability, Ascot: London Information (Rowse Muir).Failure probability based on information from databases oftenneed adjustments for application to new systems, different use,different environment etc. An example on such adjustments is il-lustrated in Table 7-2. It is of utmost importance to understandand identify if the reported data in the database can be used torepresent the new technology, or if some failure modes may beincorrectly represented due to differences in exposure.The failure probability based on such general databases or engi-neering judgement should be up-dated based on tests or docu-mentation in the later project qualification phases.Typical probability categories:

- Failure within the time reference is considered impossible.(Design life is more than 10x service life).

- Failure is considered possible within 10 x service life, but un-likely within the service life.

- Failure is considered likely within the service life.- Several failures are likely within the service life.- Frequent failures are likely within the service life.


The estimated time to failure shall be compared to the designtime reference, which is the overall (total) system lifetime orplanned time to maintenance.

7.4.3 Failure mode probability

The estimated failure probability of a failure mode shall besplit in failure probabilities related to each possible failuremechanism , see Figure 7-2.

The probability can be found from either:

— engineering judgement and statistical evidence from expe-rience

— probabilities defined through application of standards— probabilities found as the overlap of the load response and

failure response distributions.

Reference is made to Sec.9. Guidance note:There exist numerous analytical methods used to assure marginto failure mechanisms. These methods are used to establish safe-ty factors, safe operational time before risk of failure or safe op-erating conditions. Some methods can predict the probability of the critical failuremechanism developing.Other analytical methods, which are not related to a time or op-eration dependent deteriorating mechanisms, can normally notdirectly predict a failure probability. However, if the method isempirically justified to relate to probability, and is a generallyrecognised and accepted, a correct application of the method canbe used to determine a failure probability. An example of such analytical methods is mechanical stress cal-culation methods used for pressure vessels according to a pres-sure vessel standard. Provided there are no materialdeterioration- and material fatigue mechanisms, stress calculatedto be below the acceptance criteria assures a safe pressure vesselwithin the standard’s limitation and hence a probability of failureless or equal to that defined by the standard. In this case the pres-sure vessel will have infinite life and failure probability of 0.Failure mechanisms related to design, manufacturing, applica-tion and accidents, however, are still possible sources of failure.

DET NORSKE VERITAS


These probabilities may be reduced by quality control and veri-fication activities. The effects of these mitigating actions be in-cluded based on documented experiences or engineeringjudgement.


7.4.4 Failure probability figures

Normally the probability would be based on one of the follow-ing expressions:

— probability within service life— probability on system activation— mean time to failure (MTTF).

Failure modes of concern (Sec.7.4.5) shall be described by alifetime probability density distribution. Practical ways ofidentifying distributions are described in Sec.9.

7.4.5 Risk Classification

The risk is the combined probability, frequency and conse-quence. A semi qualitative method to determine the risk levelis illustrated in Figure 7-3. This has to be adjusted to fit the pur-pose. The adjusted matrix shall govern the qualification planswith respect to priority, with focus on the highest risk.

Figure 7-3Risk matrix

The Risk category for each failure mode shall be identified.Failure modes with medium and highrisk shall be investigat-ed further, and are defined as failure modes of concern. Failuremodes with low risk can be concluded based on a qualitativeassessment made by qualified personnel. Failure modes withlow risk shall not be deleted from the list of possible failuremodes.

7.4.5.1 Tracking failure modes

A system tracking each failure mode and failure mechanismsshall be established (See example in Appendix A). The pur-pose of this system is to store the initial probability assessmentand to update and verify the probability range and revise thisas the development proceeds. This system shall include:

1) List of failure modes and mechanisms.

2) Probability estimate for all failure modes/mechanisms.For failure modes/mechanisms in the Medium and HighRisk categories this shall be based on mean time to failureand failure time distribution around this.

3) Basis for the probability estimate (revisions of documen-tation for mitigating actions).

4) Plan for reduction of risk/verification of the probability.

5) The new technology (Class 2 to 4). This allows particularfollowing up of the various degree of new technology.

8. Maintenance and modifications

8.1 ObjectiveThe following subsections describes how maintenance andcondition monitoring is used actively in the qualification proc-ess to reduce the risk of failure modes of concern. Proposedmodifications to design as a consequence of findings in thequalification process is also described.

8.2 IntroductionThe term “Maintenance” is used to cover aspects of interven-tion, maintenance, inspection and condition monitoring. Thefollowing diagram illustrates the working process activities ofthe maintenance analysis:

Figure 8-1Schematic of the maintenance analysis, showing the link to theother qualification activities

The Maintenance assessment is closely related to the other ac-tivities in the qualification procedure, as illustrated in Figure 3-2.

Input data is the specifications, as well as the FMECA part ofthe failure mode assessment. The maintenance analysis activi-ty itself, gives input to the specifications, the risk assessmentof the failure modes and the qualification work process.

The Maintenance assessment is divided in three parts as illus-trated in Figure 8-1 and reflected in Sec.8.3 to Sec.8.5.

A maintenance analysis shall ensure that the new technologyincludes a sound maintenance and condition monitoring phi-

5

4

3

2

1 2 3 54

HighM

ediumLow

Risk

Pro

babi

lity

Consquence

Specificationsincluding

maintenancephilosophy

Failure mode andcriticality

assessment

Screening offailure modes wrtmaintenance and

CM

Maintainabilityanalysis

Planning andoptimisation

Yes/No

Yes/No

Continue thequalification

including CM andmaintenance

DET NORSKE VERITAS


losophy relevant for the application. The evaluation of themaintenance philosophy and condition monitoring elements inthe qualification process ensures that the mitigation actions arein accordance with their purpose, and that this is tested throughthe qualification process.

A modification assessment shall ensure that effects fromchanges in design and procedures are reflected in the risk as-sessment.

8.3 Failure mode screeningScreening of failure modes, as regards to maintenance, shall beperformed at an early stage, this is to allow maintenance to beimplemented in the design process.

Guidance note:The screening of the different failure modes can be performed ac-cording to Figure 8-2.

Figure 8-2Illustration of the failure mode screening process in the mainte-nance analysis for subsea/downhole equipment with typical ques-tions and actions depending on outcome

This is further described in Appendix B, with questions and ac-tions depending on the outcome.


8.4 Maintainability analysis

8.4.1 Initial planning

Failure modes with a significant risk and a defined need ofmaintenance shall be evaluated according to a maintenanceanalysis. The analysis shall focus on how to:

— fulfil the given requirements— ensure cost effective operation and maintenance through

the life cycle of the system.

The analysis shall make use of checklists to visualise and doc-ument application of a sound philosophy and to ensure that ap-propriate considerations are included.

Guidance note:To ensure that maintainability is considered in the conceptual de-sign phase, two checklists are made for subsea equipment, Ap-pendix B. One should be used for equipment, which has to be

pulled to ensure cost effective maintenance, while the othershould be used if the equipment does not have to be pulled duringmaintenance. The answers to the questions should be document-ed and updated every time the design is changed.


8.5 Maintenance planningThe optimisation is an analysis of possible effects and costfrom alternative maintenance and condition monitoring strate-gies. This is relevant in the later design phases. A decision log-ic shall be used in this process.

Guidance note:The decision logic in the scheme in Figure 8-3 should ensure thatthe optimal maintenance strategy is chosen for the different fail-ure modes.

Figure 8-3Decision logic to be used in the detailed maintenance optimisation

The questions to be shown in Appendix B, are related to the, theneed for spare parts, the use of condition monitoring, or the avail-ability of ageing models describing the degradation.

If the component does not have a predictable age, and conditionmonitoring is impossible, redesign must be considered. An alter-native is to alter the specifications, or to accept the calculatedrisk.


8.6 ModificationsEffects from modification of design and procedures shall beidentified, made traceable and concluded.

Guidance note:Modifications of a prototype will often be desirable due to theidentification of unnecessary large safety factors for some failuremechanisms. This can lead to change in dimensional tolerances,material selection and type of component selection. The effectsof such changes must be evaluated to avoid invalidating the qual-ification of the total technology. This will govern possible re-quirements for new tests/analysis.


9. Reliability data collection

9.1 ObjectiveThe objective of the following subsections is to describe theprocess of how margins to failure and the probability of occur-rence are determined through experience, analysis and tests.

NO

Qualification:� document assumptions

QualificationBasis

Areinterventionsacceptable?

Intervention / Maintenancecheck lists and decision logic

where system have to be pulled

Design/Qualification Basis

Failure modeoccur within the

lifetime ?

Possible torestore in situ?

Intervention /Maintenance check lists and decisionlogic where system not have to be pulled

Plan acceptable?

� which tests are required?� what is confidence level?

YE

S

NO

Is it sufficient tohave spare partsand necessaryspecial tools athand, and run to

failure?

Is failuredevelopmentdetectable by

conditionassessment

methods, andare thosemethodseffective?

Does thecomponent

havepredictable

age, and is atime based

task effective?

Evaluatemodification,

calculatedrisk etc.

Decide whichspare parts andspecial tools tohave, and wherethey should bestored (Run to

failure, but spareparts and special

tools must beconsidered.)

BDM-S

Decide conditionmonitoring

strategy(ConditionMonitoring/Inspection )

CBM

Decide Interval(Time basedpreventive

maintenance)TBM

YE

S

DET NORSKE VERITAS


9.2 IntroductionThe data collection comprises of the determination of marginsto failure and reliability data as follows:

— each failure mode identified in Sec.7, has a qualified mar-gin to failure, i.e. that the margin is established by recog-nised methods

— the lifetime probability density distribution for the highand medium risk failure modes is determined as far aspracticable by available methods

— assumptions and uncertainties are listed.

The critical item list, such as described in Appendix A, shall beapplied for control and updated throughout the qualificationprocess. Figure 9-1, illustrates the working process activitiesof the qualification process.

Figure 9-1Reliability data collection activities

9.3 PriorityThe main failure modes that can prevent the function of thenew technology within its intended life shall control the prior-ity in qualification issues. Failure modes of main concern, withhigh and medium risk, are given priority. These are identifiedaccording to Sec.5 and Sec.7.

One shall determine if the failure mechanisms of these failuremodes can be simulated by recognised and generally acceptedmethods. In the case where methods exist, a detailed plan forthe data collection can be established, otherwise the dominat-ing parameters for the failure mechanism must be determined.

9.4 Parameter effectIn case a recognised and established numerical or analyticalmodel does not exist, a model must be established for the func-tions and the margins to failures, if possible. The numerical oranalytical model shall be used to establish the parameters withthe highest impact to the life and reliability of the technology.The model correctness in describing the function shall be qual-ified.

In case a reasonable model cannot be established, conservativeengineering judgement and empirical data shall be used to es-tablish the driving parameters for the failure mechanisms. En-

gineering judgement requires qualified personnel according toSec.7.3.4.

For the analysis of software reliability, specific reliabilitymodels apply (See Appendix B).

The system sensitivity to variation of the most critical param-eters shall be established.

9.5 Data target

9.5.1 General

Targets for desired data shall be established based on the un-certainty in the governing parameter for the failure mechanismand the related consequence for the overall reliability target,Figure 3-1.

Guidance note:Uncertainties are typically related to the following parameters:

Robustness

- input parameters- erroneous human operation- interfaces - fluid flow and environment- loads- analysis- tests- fabrication tolerances- installation - operation- extreme limit- combined, overall margins and reliability.

Margins towards typical failure modes

- material degradation- exceeding tolerance limits- electrical insulation degradation- clogging- leak- rotor dynamics -failure- strength static - failure- strength dynamic - failure- impact resistance - failure- soil interactions - failuremechanisms - failure- function failure- power failure- control and sensor failures.


9.5.2 Failure mechanism probability target

The target for the system reliability is defined in Sec.6. The ac-tual system reliability is dealt with in Sec.10. The reliabilitytarget for each failure mode and underlying failure mechanismcan be derived by the methods presented in Sec.10.

The target for the probability of occurrence of the underlyingfailure modes and mechanisms must be lower than the overalltarget level or this must be compensated by redundancy.

9.6 Planning of data collection

9.6.1 General

The planning described in Sec.5.2 shall include the method tobe used to obtain the data, qualify the data and compare withthe target. The data collection shall be based on one of the fol-lowing alternatives and or a combination of them:

— documented and relevant experiences and statistical evi-dence

— numerical analysis— tests.

Priority from: Screening the failure modesand failure mechanisms

Parameter effects on: failure mechanismsestablished by rough numerical analyticalmodels

Data target: based on specification anduncertaintie/Inaccuracies

Planning of data collection based onrecognized methods for the following:

DocumentedExperiences

Numericalanalysis

Testing

Qualified reliabilitydata

DET NORSKE VERITAS


Guidance note:The selection of the data collection method should be based onoptimisation of related cost versus accuracy of the method.


9.6.2 Check-listsA system shall be used to follow up the data collection, i.e. thequalification of the technology.

Guidance note:An electronic database may be used for this purpose when thetechnology has many parts, sub-systems and or failure modes,i.e. in excess of 25. The purpose of this database shall be to:Keep track of the qualification development for each failuremode and for each part sub-system.An electronic database shall be arranged to allow for automaticsorting with the purpose of extract and presenting key data andissues in priority. This can include such items as:

1) The failure mechanisms within the medium and high risk ar-ea.

2) The failure mechanisms with shortest time to failure.

3) The parts or sub-systems with shortest time to failure.

4) Parts subject to similar type failure mechanisms.

5) Common mode failures.

6) The failure mechanisms related to new technology, and re-lated classification.

Appendix A illustrates a simple form of such an electronic data-base checklist based on a spreadsheet with data base facilities.This allows for sorting based on information in any of the col-umns.Each revision of the checklist shall be identified as well as thesources for input into the checklist.


9.6.3 Cost reduction of data collectionGuidance note:The main cost elements for the data collection scheme shall beestablished. Each cost shall be evaluated against the amount andimportance of the resulting information. Alternative methods forqualification against the failure modes, for which the qualifica-tion has the highest cost, shall be established. The resultant fail-ure probability for the alternative approach shall be estimated.

1) Least cost will mainly be obtained by the use of thoroughtheoretical analytical models. Thereby uncertainties can befocused and resolved by more rational tests. The alternativewould be more extensive tests to determine dependenciesand failure modes.

2) It would normally be beneficial to manufacturers to stand-ardise the qualification scheme for the small components.Thereby the margins for some application may be unneces-sary high, but justified by the total cost reduction. (E.g.: pipefittings, electronic components)


9.6.4 Analytical inaccuraciesInaccuracies in numerical calculations shall be estimated basedon the possible inaccuracies in the:

— input parameters— analytical method— result presentation.

The resulting inaccuracy of an analysis shall be determinedbased on recognised methods.

Guidance note:An example of inaccuracies, which can be dependent of a com-mon source, is the temperature. The temperature could affect

each part in a measurement set-up the same direction and therebycause a larger error than assumed by the above method.


9.6.5 Repeated measurementsUncertainties based on a range of measurements assumed tohave a normal probability distribution shall be expressed bystandard uncertainties” (standard deviations). Reference ismade to ISO’s “Guide to the Expression of Uncertainty inMeasurements” for further information.

9.6.6 Margins and probability of occurrenceRecognised conventional technological methods normally de-termine margins for:

— safe application, i.e. it already includes safety factors, or— most likely condition for failure.

In both cases shall the safe margin and uncertainty be deter-mined based on best available practice.

Guidance note:There are four approaches to determining the probability of oc-currence of a failure mechanism:

1) Engineering judgement.

2) Statistical evidence from testing or field experience.

3) Probabilities defined through application of standards.

4) Probabilities found as the overlap of the load and responsedistributions.

A probability based on engineering judgement will in some formbe based on statistical evidence through experience. It is hence ofimportance that this is done by qualified personnel as defined inSec.7.3.4. This implies that there is a significant uncertainty tothe estimated probability which shall be conservative.Statistical evidence from testing or field experience shall be han-dled according to ISO’s “Guide to the Expression of Uncertaintyin Measurements”.Probabilistic design is illustrated in Figure 9-2, where S is theprobability density distribution of the load, and R is the probabil-ity density distribution of the resistance. E.g. for a failure mech-anism; material plastic yield, S is the probability densitydistribution of the possible loads, and R is the probability densitydistribution of the strength capacity. Failure will occur in the areacovered by both distributions with the probability density distri-bution f R,S.

Figure 9-2The probability density distribution according to probabilisticdesign


9.7 Tests

9.7.1 GeneralThe extent of the tests required to obtain qualified data for newtechnology depends on the technology type, confidence inanalyses, and the extent of documented experience with simi-lar technology.

The test program shall be established based on this input.

fR,S (r,s)RS

R, S

Failure domain

DET NORSKE VERITAS


Tests are required:

— to obtain input data for analysis— to verify the analytical models— to verify function, and — to verify system reliability.

The test program shall determine:

— the tests to be carried out— the purpose of each test— the parameters to be measured and recorded— the expected outcome— the accuracy requirements to these measurements, and— type of analysis of the test results to enable correlation

with the design analysis and limiting design conditions.

Tests as described below, are used for materials, components,sub-assemblies and assemblies. The typical tests are termed:

1) Basic tests, such as testing of material properties

2) Prototype tests (qualification tests), of components, sub-assemblies and assemblies verify the functional require-ments of a new type design. Prototype test can be carriedout in phases including laboratory tests, and various de-grees of environmental and full service tests (e.g. shallowand deep water, hydrocarbon service).

3) Factory acceptance tests (FAT), of sub-assemblies and as-semblies verify the manufacturing and assembly of a sys-tem, which is already prototype tested.

4) Pre and post installation tests, of the full assembly verifythe soundness prior to and after the completed installation.

5) Pilot application, represent the first use and is thereforenormally regarded as an advanced test to gain more expe-rience with the system, ensuring that all aspects of a com-plex system has been taken into account.

Guidance note:The test hierarchy will normally consist of:

- material testing- component testing- sub-assembly testing- assembly testing.

Data from the first steps in the hierarchy, for instance from ma-terial testing, must have a higher reliability than the target on theoverall system.

Accelerated tests can reduce test time and cost. Such tests arebeneficial when a theory model as well as the related uncertaintyis established.


9.7.2 Basic tests

Basic tests shall establish the key parameters to be used in thedesign, when they are not available in recognised and acceptedliterature or from documented experience.

Further, basic tests shall be used for quality control to verifythe quality of supplied subsystems (components), when this isrequired as a critical parameter in the qualification process.(E.g. material properties, dimensional accuracy, contamina-tion level of hydraulic fluids, electrical resistance).

9.7.3 Prototype tests (Qualification test)

Tests in combination with measurements and numerical anal-ysis shall verify for the function of the system type:

— the system compliance with the specifications with a de-fined margin

— margin against identified failure modes which cannot besorted out more practically by other means

— assurance against probable unidentified failure modes byvarying the specified limitations i.e. by exceeding safemargins

— including simulation of control system specified possiblefailure modes.

9.7.4 Factory acceptance testFactory acceptance tests (FAT) shall be carried out for all sys-tems. This test shall show that the performance of new systemsis equal to that of the qualified system. This test represents apart of the quality control procedure. It shall verify that theprobability for manufacturing and assembly failures is accept-ably low. The items to be included in the test shall be thoseidentified in the qualification process to gain from a FAT, i.e.that the FAT reduces the uncertainty.

Guidance note:A factory acceptance test can be performed where practical in or-der to reduce damage probability or uncertainty in the qualifiedproduct.


9.7.5 Pre and post installation testsWhen required as an assumption through the qualificationprocess, tests should be performed prior to, during and after in-stallation to confirm its correctness.

9.7.6 Pilot application Pilot application are intended to increase the confidence in thereliability through documentation that all failure modes havebeen addressed appropriately in the prior qualification activi-ties as well as reducing the probability of undetected failuremodes.

9.7.7 Measurements during manufacturing and testsThe accuracy tolerance of each measurement result shall be es-tablished based on a list of the uncertainty for each componentthat may affect:

— calibration accuracy— sensor accuracy— signal processing accuracy— recording accuracy — reading accuracy.

For documentation of test result, see Sec.9.6.4.

10. Reliability

10.1 ObjectiveThe objective of the following subsections is to establish thereliability of the functionality of the new technology. The inputfor this shall be the data listed according to Sec.7 and updatedaccording to Sec.9.

10.2 GeneralThe overall failure probability of a system is governed by:

— the failure modes of the individual components in the sys-tem

— the probability of these failure modes— the lifetime probability density distribution, which is a

function of time, special operations or other parameters— any dependencies between components or common cause

that may lead to multiple failure modes— the consequence of failure modes on the system failure

rate taking into account redundancy.

Several established methods can be used to estimate reliability.They are briefly described in the following.

DET NORSKE VERITAS


10.3 Input dataThe reliability analysis shall be based on the failure modes es-tablished according to Sec.7, updated by data generatedthrough Sec.8 and Sec.9.

10.4 MethodsCommon methods for estimation of the system reliability are:

— reliability block diagram technique (RBD), which consid-er system with components in series and parallel

— fault tree analysis (FTA), which consider combinations ofsubsystems, lower level faults and component faults, as atop-down analysis, and therefore has to be repeated foreach top event.

The standard found best to describe these systems is: BS 5760:Part 2 (1994), Reliability of systems, equipment and compo-nents, Part 2. Guide to assessment of reliability.

Guidance note:A reliability goal could be 90% probability of no total functionfailure within the specified time. Many failure mechanisms will be related to time and operations.They will have an increasing probability of occurrence with

service life. In the analysis this effect is described by the proba-bility distribution. Hence it is of particular importance to estab-lish a distribution for the failure with highest risk.Failures occurring in the early phases of operation are often re-lated to manufacture or installation. A high quality of pre instal-lation checks and tests upon installation will in particular reducesuch risk. Therefore the analysis should in particular also includea focus on the effects of such checks and tests.For a complex system, the system reliability and its associateddistribution may be determined by simulation techniques. A complex system have many failure modes, each with its asso-ciated failure probability distribution. One simulation approachis a numerical statistical method. The system reliability is calcu-lated a large number of times. For each calculation a new failureprobability is determined for each failure mode drawn from thestatistical distribution of that particular failure mode. The result-ing system reliability values add up to form a failure probabilitydistribution for the overall system. The system mean time to fail-ure and other statistical parameters, such as lower acceptancefractile, say 90% probability of no failure, may be calculatedbased on this distribution.There is a range of computer programs on the market for this pur-pose.


DET NORSKE VERITAS


Failure frequency per 106 hrs

Table 7-1 Example on consequence categories for the surrounding systemConsequence category Class

Insignificant Low Significant Serious CatastrophicSafety & Health No injury Potential for minor

injuryPotential for serious injury

Potential for fatali-ties.

Potential for several fatalities.

No fire potential Potential for fire in non-classified area.

Potential for small fire in classified area

Potential for large fire in classified area

Environment (volume of pollution)

No pollution < 1 ton > 1 ton >10 ton > 100 ton

Production No effect on produc-tion within a defined period

Outage< 1 hours

Outage > 1 hours

Outage> 1 day

Outage > 1 week

Follow cost < 1000 USD > 1000 USD > 10,000 USD > 100,000 USD > 1 million USD

Limits should be adjusted according to project and company policy.

Table 7-2 Example on adjustment of failure frequency for given component (Example, transformer)Sub-component Reference data Data qualification

No. of failure Failure freq. Adjustment factor New failure freq. CommentsPenetrator 5 0.50 x5 2.50 New service with

higher pressure dif-ference.

Cooling system 3 0.30 x1 0.30 No differenceWinding 6 0.60 /3 0.20 Simpler system, thus

reduced failure fre-quency.

Switch 2 0.20 0 0 Failure mode not likely to occur in this situation

Other 10 1.00 x2 2.00 Conservative esti-mate as for new serv-ice.

Total 26 2.60 5.00

DET NORSKE VERITAS


APPENDIX ACHECKLIST - FAILURE MECHANISMS - DATA BASE

A.1 Failure mechanisms checklistTable A-1 represents a table layout combining data needed tofollow up failure mechanisms as well as general FMEA –FMECA data. It is practical to arrange this in a database to en-able automatic sorting and follow up the failure modes of con-cern, failure mechanisms, and items of new technology. TheFMEA – FMECA data are normally of interest in the early de-velopment phases, when risk is associated with categories forprobability and consequence.

The left part of the table relates to the reliability data collec-tion, when focus is on documenting lifetime for the failuremechanisms. The desirable degree of completeness when fill-ing out the table depends on the later use and the expected re-sults from automatic sorting. New lines need to be inserted inthe table during the development and qualification. The practi-cal identification of the lines will therefore be the part numberand failure mechanism type. The ID number only follows thesequence of inserts, unless it is decided to use a sequentialnumber linked only to the part number and failure mode.

Term DefinitionID Identification number

Failure Mecha-nism Type/Root cause

See RP

Part No The part number(s) identifying the parts on an arrangement drawing (position numbers) or subsystem identification on a schematic system arrangement

Risk Category Risk Category:

— L = Low— M = Medium or— H = High

Automatically calculated based on the frequency and consequence category at the end of the table.

Technical Cate-gory

Technology category for new technolo-gy: Ranging from 1 to 4 according to the Sec.5.5

MTTF Mean Time To Failure. The average time to failure, e.g. expectancy of a probability distribution, is a useful parameter from the probability distribution.

LCL Lifetime at the acceptable confidence level defined by the acceptance percen-tile, Fig.3-1. E.g. the lifetime at a confi-dence level, e.g. 95%, will change during the qualification as the lifetime probabil-ity density distribution is improved.

Margin Margin between operating condition and failure condition as determined in the re-liability data collection. This is in partic-ular relevant for failure mechanisms which are not due to degradation and for which “Failure Rate” becomes irrelevant.

Comments Comments needed to understand the in-formation given.

Source The source for Failure rates and Margin determination (document reference), as well as identification of the person mak-ing the last revision.

Rev. Last revision number for the particular failure mechanism.

Date Date of last revision.

Failure Mode Identification of the failure mode

Detection Possible method assumed for detection of the failure mode

Effect The effect on the overall system.

Operating phase The operational phase for which the fail-ure mode is assessed.

Service life Target service life for component/func-tion.

Revised Frequen-cy Category

An updated failure probability category defined according to the risk matrix. In-put information is from MTTF or LCL.

Revised Cons. Category

An updated consequence category ac-cording to the risk matrix.

Initial Frequency Category

The initial failure probability category. This is part of the quality control to track changes. A check to ensure that the fail-ure mode is considered after changes/modification.

Initial Cons. Cat-egory

The initial consequence category. Ref. Above.

Term Definition

Recomended Practice DNV-RP-A203, September 2001

DET NORSKE VERITAS

Tabl

e A

-1

Info

rmat

ion

for

the

reli

abili

ty d

ata

colle

ctio

nA

ddit

iona

l inf

orm

atio

n fo

r F

ME

CA

ID

Fai

lure

m

echa

nism

ty

pe /

Roo

t ca

use

Part No:

Risk Cat.

Tech Cat.

MTTF

LCL

Margin

Com

men

tSo

urce

Rev

Date

Fai

lure

Mod

eD

etec

tion

Eff

ect

Operating phase

Service life

Revised Frequency category

Revised Cons. category

Initial Frequency category

Initial Cons. category

DET NORSKE VERITAS


APPENDIX BITEMS OF CONCERN – CAUSES OF FAILURE MECHANISMS – SOFTWARE

QUALIFICATION

B.1 IntroductionListed in this appendix are checklists to be used as guidance todifferent sections of the qualification procedure. They aremeant to help the qualification process either by simple orleading questions, or defined issues that can easily be over-looked in a complex technology. The lists are meant as exam-ples and are therefore not complete.

A separate section is devoted to qualification of software.

The headings of the following main sections reflect the relatedheadings in the main procedure.

B.2 Qualification basisThe following is related to specifications of systems/compo-nents.

B.2.1 System description

B.2.2 UncertaintiesThe following checklist summarises items that should be con-sidered continuously throughout the design process with re-gards to inherent uncertainties.

B.3 Ranking of failure modes

B.3.1 Failure causes

The failure causes have been grouped in categories, like typeof equipment etc.

B.3.1.1 Materials

B.3.1.2 Mechanical equipment

Capacities(Capacity requirements and limit conditions shall be clearly stated in the specification for the system.) Certificates, approvalComponent listsConnections/InterfaceDelivery (Scope)DimensionsEnvironmental data of operationFailure rate, lifetime, availabilityFunction description I/O signalsInstallationInstrumentationLayout, drawingsMaintenanceMountingOperationOperation manual Operation limitsPID documentationPurpose of the systemSafety systemsStandards, rules and regulationsSystem specifications

Analysis

Dynamic responses Input parametersInstallation InterfacesLoadsSea bedTestsTime (to completion, lifetime, for operation)

Brittle fractureCathodic protectionCorrosionErosionExplosive decompressionFatigueH2S internal and externalMaterial compatibilityMaterial degradation and ageing — Metallic materials — Polymers — CompositesMechanical properties and temperatureMigration in thermal insulation and buoyancy materialsSwelling

BalanceBearings CavitationImpactMating/inter facingMigration causing leakOperationThermal expansionVibrationWater lockWear

DET NORSKE VERITAS


B.3.1.3 Electrical Power systems

B.3.1.4 Optical systems

B.3.1.5 Pneumatic systems

B.3.1.6 Hydraulic systems

B.3.1.7 Process

B.3.2 Functional elements

B.3.3 Interfacing power and control system failure

B.4 Maintenance and modifications

B.4.1 Failure mode screeningThe following questions can help the screening of the failuremode with regards to maintenance.

1) Do you expecte that the failure mode will occur at all,within the life time of the system?Answer: noThe assumptions for this answer must be qualified. Howthis qualification should be performed is described inSec. 9 - Reliability data collection.Answer: yesIt is necessary to consider how this failure mode could berestored (the following questions).In many cases it is difficult to answer yes or no to thisquestion. It may be more appropriate to estimate a signifi-cance level, which indicate what the probability for the oc-currence of the failure is.

2) Can the failure mode restored while the system is on or un-der the seabed? Does the system have to be pulled or re-trieved, in order to restore the failure mode?The major cost elements of such interventions are oftenconnected to the necessity to pull the system, and it istherefore important to consider this aspect as early as pos-sible in the design phase. If it is possible to restore the fail-ure mode at or under the seabed, it must be considered ifsuch interventions are acceptable. If for example one ofthe criteria for the design is that no interventions should beperformed, redesign is necessary. If such interventions areacceptable, a set of questions should be answered and doc-umented (see Sec.8.3) to ensure that maintainability andavailability are considered in the design phase.

3) Is a retrieval operation acceptable?Answer: noRedesign is necessary.Answer: yesAnother set of questions should be answered and docu-mented.

B.4.2 Maintainability analysis

B.4.2.1 General

For subsea equipment there is a fundamental difference be-tween in situ maintenance and systems that must be retrieved,described in Sec.8.4.

B.4.2.2 Check list A - Where the system has not to be pulled or retrieved

Are special tools required?

Is it possible to use a remote operated vehicle, a remote oper-ated tool or is a diver necessary?

What is the time estimate to restore the failure mode, meantime to restore (MTTR)?

What is the cost estimate of the intervention?

Is it much cheaper to do such an intervention if it is planned, orcould it easily be done as a corrective task? (Compare cost ofplanned action against unplanned action.)

Is the failure development detectable by condition monitoring,inspection or other condition assessment methods?

Is it natural to perform this maintenance action in connectionwith other maintenance actions, and should such a grouping of

AgeingConnectors (mating, malfunction)Electrical insulation degradationHigh voltageLow voltageMigrationTransmission losses

Cable breakCable lossConnectors lossesElectro-optical equipment malfunction

CloggingContamination and condensationControl system lossPressure loss

CloggingContaminationControl system lossHydraulic fluid degradation and ageingPressure loss

CloggingContaminationFluid flow changesHydratesInternal fluid phase changesLeakRemoval of clogsSandScalingWax

Rotor dynamicsSeals — Static soft seals — Dynamic soft seals — Static hard seals — Dynamic hard seals — Dynamic fluid sealsSoil interactionsStrength dynamicStrength static

Electric powerElectronic control and sensor failures

HydraulicManualSoftware

DET NORSKE VERITAS


maintenance actions have an influence on the design? E.g.,modularization to ease opportunity maintenance.

B.4.2.3 Check list B where the system has to be pulled or retrieved

Is the system designed for pulling of component or system?

What is the estimated time to restore the failure mode (MT-TR)?

What is the cost estimate of the intervention?

Is it much cheaper to do such an intervention if it is planned, orcould it easily be done as a corrective task? (Compare cost ofplanned action against unplanned action).

Could the ocean depth be a problem with respect to pulling?

Could the component or system geometrical shape or weightbe a problem with respect to pulling?

What kind of vessel or rig or crane is required to perform suchan intervention?

Is the failure development detectable by condition monitoring,inspection or other condition assessment methods?

Is it natural to perform this maintenance action in connectionwith other maintenance actions, and should such a grouping ofmaintenance actions have influence on the design? E.g., mod-ularisation to ease opportunity maintenance.

B.4.3 Maintenance planning

The following questions are related to the decision logic inSec.8.5.

1) Is it sufficient to have the necessary spare parts and specialtools at hand, and run to failure?Answer: yesThe quantity of spare parts and where they should bestored should be decided. Answer: noNext questionCan the failure be detected by condition monitoring meth-ods, inspection or other assessment methods? Answer: yesEvaluate if these methods are cost effective (see B.4.4.2),and if they are effective regarding probability of detection(PoD) and potential failure-functional failure (PF) inter-vals.Answer: noNext question

2) Does the component have a predictable age and if time-based maintenance is effective?

— If time based maintenance is chosen, a suitable inter-val for maintenance should be estimated and docu-mented.

— If the component does not have a predictable age, andcondition monitoring is impossible, redesign must beevaluated. An alternative is to alter the specifications,or to accept the calculated risk.

B.4.4 Method for cost benefit analysis for condition moni-toring

B.4.4.1 Application of the method

This method for cost and benefit analysis of condition monitor-ing systems, may be performed in two different situations:

1) Cost and benefit analysis of existing condition monitoringsystems, based on experience data.

2) Cost and benefit analysis of proposed condition monitor-ing systems based on estimated cost and benefit data.

This method may be used on condition monitoring systemsbased on both periodic and continuous measurements.

B.4.4.2 Overview of cost/benefit elements

B.4.4.2.1 Costs

The following list gives an overview of the cost elements,which are relevant for a condition monitoring system:

— investments (projects, purchasing, installation, training)— operation of condition monitoring system (measurements

and analysis, maintenance on condition monitoring sys-tem).

Each of these items are described more thoroughly in the fol-lowing sub-chapters.

Investements

Project costs should include all the costs related to:

— planning of the system— specifications, tenders and evaluation— projects regarding instruments that have to be designed es-

pecially for this system.

Purchasing costs should include all costs related to:

— purchasing of hardware and software— extra instrumentation.

Installation costs should include all costs related to:

— physical installation of instruments, cables and controlsystem

— testing and commissioning of the system.

Operation of the condition monitoring system

Measurements and analysis costs, represents the costs relatedto data collection, analysis and diagnosis. For online systems,the data collection will be automatic.

Maintenance cost of the condition monitoring systems shouldinclude all costs related to:

— maintenance of the hardware and software of the conditionmonitoring system

— maintenance of the instrumentation of the that is installedin addition because of the condition monitoring system

B.4.4.2.2 Benefits

The following list gives an overview of the benefit elements,which are relevant for a condition monitoring system.

— reduced periodic maintenance (longer maintenance inter-vals)

— reduced corrective maintenance (fewer unplanned break-downs)

— reduced down time costs— reduced energy costs (increased efficiency because of cor-

rect maintenance) (difficult to measure, not included in theanalysis)

— higher safety level (difficult to measure, not included inthe analysis).

Each of these items are described more thoroughly in the fol-lowing sub-chapters.

Reduced periodic maintenance

When preventive time based (periodic) maintenance is re-placed with condition based maintenance, the result is that theaverage time interval between maintenance increases. Thecosts associated with performing the maintenance, are more orless the same under both maintenance strategies, but since theaverage interval between the maintenance actions increases,the total maintenance and down time costs will decrease.

DET NORSKE VERITAS


Figure B-1 Statistical distribution of time to failure

Reduced corrective maintenance

When time based (periodic) preventive maintenance is used,there is always a risk for corrective unplanned maintenance.This risk will be reduced if condition based maintenance is in-troduced. The risk is however not eliminated, since all condi-tion-monitoring systems have a probability of detection. Thisprobability is an important input to the cost and benefit analy-sis.

Reduced down time

All kinds of maintenance involves down time, and when themaintenance (especially the corrective unplanned mainte-nance) is reduced, the downtime is reduced too. This reductionis often the major contribution to the benefit of condition mon-itoring systems.

B.4.5 Example of use of the method

B.4.6 Maintenance costs

Lost production, repair options, spare parts, mobilisation andrepair time (Sec.7.4.1) have consequences for economy andenables cost estimates. The maintenance and repair are resultsof the strategy covered in Sec.8. A selection of a typical sampleinstallation is beneficial for a cost example. Cost varies over

time and location. For deep water and subsea well systems, thecost of the vessel hire will normally dominate. For the purposeof enabling comparison of similar systems, the following unitprices are suggested: 1,000,000 US$ per week for a drillingvessel in the Norwegian Sea, 1000 m water depth and lost oilproduction based 15 $/barrel.

Maintenance intervalwithout conditionmonitoring

Maintenance interval with conditionmonitoring

MTTF

Investements: 100,000Operation costs: 15,000 per year MTTF: 60 monthsMaintenance interval without condition monitoring: 3 monthsAverage maintenance interval with condition monitoring: 5monthsPercent unplanned corrective actions without condition monitoring: 8%Percent unplanned corrective actions with condition monitoring (PoD = 98%)

2%

Cost preventive maintenance action: 10,000Cost corrective maintenance action: 6,000Down time cost preventive maintenace action: 50,000Down time cost corrective maintenace action: 200,000 Total life time of the system 60 Months

All prices in USD Costs during the life time of the system: 175,000Investment 100,000Operation 75,000 Benefit of CM during the life time of the system 833,600

without CM with CMPreventive maintenance 200,000 120,000 80,000Corrective maintenance 96,000 14,400 81,600 Down time preventive maintenance 1,000,000 600,000 400,000Down time corrective maintenance 320,000 48,000 272,000 Sum 1,616,000 782,400 833,600

DET NORSKE VERITAS


B.5 Computer software

B.5.1 General

Qualification of computer software is adequately described inexisting standards, although the general steps described in thisprocedure may be applied to computer software qualification.Since industrial standards exist it is recommend that they beused. Hence the following section is a summary of existingstandards for computer software qualification.

Guidance note:

The software engineering discipline differs from other engineer-ing disciplines in one important aspect: software does not in itselfproduce heat, have mass or any other physical characteristics.The software engineering activity is a purely intellectual activityand the principle output of the activity is documentation and coderesiding in a computer.

In modern technology software is used for the implementation ofhighly complex functions. The functions assigned to softwaremay be critical to the overall function of the technology.

As a result of the complexity of the functional and performancerequirements special measures and emphasis are required forsoftware verification and validation.


B.5.2 Software design

Whenever system analyses reveal that highly critical functionsare assigned to software, relevant standards e.g., IEC 61508will apply, (see also Sec.7.4).

In general there are two types of software:

— Software being fully developed as part of the developmentof the new technology: “Developed Software”.

— Reused software or COTS (commercial off-the-shelf)software. Reused and COTS software, do not in general,have visibility into the software development process, thedocuments produced or the methodology applied. ForCOTS in general even the source code may not be availa-ble.

For developed software it is required that the software life cy-cle follows distinct milestones:

— software requirements— software design— coding, and— verification and testing— software integration, and — software validation.

Guidance note:Software requirements my be structured according to the ISOIEC 9126 in functional requirements, maintainability require-ments, reliability requirements, portability requirements, usabil-ity requirements and efficiency requirements.


A software verification plan shall be established in conjunctionwith the establishment of the software requirements. The soft-ware requirements shall be analysed for criticality. Criticalitymay be expressed in terms of:

a) The potential of an undetected error in the system with re-gard to unwanted consequences.

b) The maturity of and risks associated with the softwaretechnology to be used.

c) The availability of funding and resources.

The software verification and validation plan shall – based onthe criticality analysis - identify the extent of verification andvalidation activities, and their degree of independence.

Guidance note:The degree of independence may range from the same person, adifferent person in the same organisation to a person in a differ-ent organisation.


The following are potential verification activities:

— verification of software requirements towards system lev-el requirements and project or organisational standards

— verification of software design versus software require-ments and design standards (C)

— verification of code versus software design (C)— verification of software integration versus software re-

quirements— verification of software documentation versus standards

(C)— verification of test requirements versus software require-

ments— problem and non-conformance handling.

Items marked (C) may not be feasible for COTS software.

The following are potential software validation activities:

— development of validation test specification based on sys-tem level requirements and software requirements

— conduction and documentation of validation tests— analysis of failure data in order to quantify reliability (e.g.,

MTTF) for the software.

Traceability shall be documented from system level require-ments, through software requirements to design, code and val-idation tests.

B.5.3 Software maintenance

Software will normally evolve during its lifetime due to cor-rection of revealed faults, and due to changes in the require-ments. Such changes shall be analysed with respect toconsequence for the verification and validation activities. Ap-propriate re-testing and regression testing shall be planned andperformed accordingly.

B.5.4 Definitions

Re-testing: is the testing necessary to ensure that the correc-tion of a fault or the introduction of a change to a software sys-tem is correctly implemented.

Regression testing: is the necessary testing to ensure that thecorrection of a fault or the implementation of a change has notlead to the introduction of new faults or other unwanted sideeffects.

B.5.5 Reliability

For assessment of reliability, reference is made to:

BS 5760, Part 8, Guide to assessment of reliability of systemscontaining software, IEC 61508 and

NORSOK STANDARD, Z-016, Regularity Management & Re-liability Technology.

DET NORSKE VERITAS


APPENDIX CEXAMPLES IN THE APPLICATION OF DNV-RP-A203

C.1 IntroductionThis appendix includes examples of the application of themethods described in the procedure for real equipment as anextended guidance:

— a subsea booster pump, Framo (installed on Lufeng)— qualification of a component to be mass-produced and

used in different systems— a subsea multiphase pump; Kværner Eureka (demonstra-

tor for the development project).

C.2 A subsea booster pump, Framo

C.2.1 Introduction

C.2.1.1 Example

This example pump is similar to a pump, which has been in op-eration since January 1998 in 330m water depth in the SouthChina Sea, on the field termed “Lufeng”. The pump has beendesigned and manufactured by Framo Engineering AS.

C.2.1.2 Applied data

The technical data used in this example is based on informationgenerally available on Internet. The real available data is there-fore limited. When supplementary data is needed to illustratethe application of the procedure, the data is based on assump-tions and best guesses. Hence, this example is not related to theactual case.

C.2.1.3 The example set in the development time frame

The example is assumed to have passed a concept phase and isinto the development and engineering phase. Throughout theexample, different stages in this phase have focused on how togive the best examples when using this procedure.

C.2.2 Qualification plan (Sec.5.2)The following overall plan is identified for the qualification.

Figure C-1 A schematic of the qualification plan with the headlines of theprocesses.

C.2.3 Qualification basis (Sec.6)

C.2.3.1 General

For a general arrangement of the pump see Figure C-3. Thepump consists of approximately 100 items and 500 parts (e.g.including number of bolts).

C.2.3.2 Contents of the specification

The data and documentation listed in Table C-1 must be madeavailable for the qualification process, and as the specificationof the subsea booster pump, qualified according to the proce-dure.

Time Axis

QualificationBasis

Qualifica-tion Team

Ranking offailure modes

QualificationBasis

Fail. mode update

Maintenance &modifications

Fail. mode update

Qualificationprocess continued/

tests on-going

Fail. mode update

Reliability datacollection

Reliability

Mile-stone

ManufactureDetail design

Table C-1 A table of typical required data for the different phases of operationBooster pump main technical data: Drawings

Method of operationFacts: Flow rate: 130 m3/h

Maximum pressure: 228 barPressure gradient: 35 barMax depth: 330 mService life: 7 yearsOperating temperature: 4°CMedium: Gas, oil, water mixture

pH level: 5-9Max GOR: 7%Max H2S: 5 ppmMax CO2: ZZ

Max particle size: XXMax particle rate: YY

Separate installation MethodMaximum loads:Maximum wave heights:Maximum sea currents:Maximum landing speed:Tool and vessel requirements

DET NORSKE VERITAS


C.2.3.3 Critical items list

The dimensioning loads and operational parameters are to beincluded in a list to be used to check that these have been con-sidered and addressed in the qualification tests, and any changeto these parameters is reflected in the qualification activities.

C.2.4 Ranking of failure modes (Sec 7.)

C.2.4.1 General

The ranking of failure modes is a process in steps. Updatesmust be carried out for all steps in the overall process. In thefirst step all failure modes are identified and their criticality isassessed based on as is, without taking into account any miti-gating measures, except normal engineering judgements forstandard technology. The procedure proposes two ways of sub-dividing the system; based on functions or based on hardwarecomponents. Both the proposed methods are shown below.The benefit of the functional approach is that early in the over-all process one identifies failure modes on a functional level.

C.2.4.2 Qualification team

The pump is to work in and consist of the following environ-ments and technology areas:

C.2.4.3 Functional system analysis (Sec.7.3.2)

The objective of the following is to identify failure modesthrough sub-sectioning the system into functions and sub-func-tions until the function depends on a component.

The pumps main function can be divided in three:

— transport and installation— operation— abandonment.

The three functions are further sub divided (not extensive) ac-cording to Table C-4 .

Operation Start LoadsValve statusFlow conditionsPower consumption

Stop (planned) LoadsFlow dataPower need

Shut-in operation Medium dataShut-in shock

Emergency shutdown PowerFlow properties

Variation of load Flow dataMediumPower

Pre-installation Full template descriptionMaintenance philosophy total

Interface Oil and lubricationPowerSealingSpecial toolsVessel requirementsMedium

Table C-1 A table of typical required data for the different phases of operation (Continued)

Table C-2 A list of technologies and environmentsItem Subject

1 Subsea operations (330 m depth, installations and re-treival )

2 Pump design3 Multi phase flow4 Electrically powered (from topsides unit, high volt-

age and electrical motor design)5 Control and Condition monitoring

Table C-3 The following team is assigned to establish the failure modes and failure mechanism. (See CV’s (not enclosed))Personnel Subject Items Years experience/

EducationMrs. Larsen Subsea engineer 1 12, EngineerMr. Olsen Process engineer 3 8, M.ScMrs. Hansen Electrical power sys-

tems4 10, Dr.Ing

Mr. Pedersen Maintenance and condition monitoring

5 6, B.Sc

Mrs. Halvorsen Materials engineer 2 15 Metallurgist

DET NORSKE VERITAS


Criticality assessment of the failure mode “2.1.1: F I” is shownin Table C-5.

C.2.4.4 Component and unit system method (Sec.7.3.3)

For relatively limited systems, as this pump, it may be practicalto initially consider the individual components and their failuremodes. A disadvantage of this approach can be that combinedand overall failure modes may be overlooked until late in thedesign process.

This method can be based on the item list from the general ar-rangement drawing of the pump motor assembly and a list ofpossible conditions and higher level and system failure modesthat can have a negative effect on the items.

The first step is to divide the system into the subdivisions, e.g.:

— pump unit— motor— lubrication system

— power transmissions.

Each subdivision is divided into sub-components, ‘items’, e.g.impeller, shaft, bearings, seals, and Casing etc.

Each component has its failure modes, which is shown in Ta-ble C-4. Each failure mode has several root causes or failuremechanism types as is further illustrated in the same table.

C.2.5 Maintenance and modifications (Sec.8)

C.2.5.1 General

Each failure mode with a medium to high risk is defined to beof concern (reference procedure). The maintenance and condi-tion monitoring alternatives, according to the procedure arepresented in the following. This implies that one uses the avail-able check lists and questionnaires. In the following subsection

Table C-4 Functional sub-sectioning of the pump down to failure mode and root cause. A hierarchical numbering system is used. This is not used in the FMECA table, Table C-11.

Function Subfunction Subfunction/ Component

Subfunction/ Component/Failure mode/Root cause Component/Failure mode/Root cause

Transport andinstallation 1

Sealing 1.1 Seal external 1.1.1

Leaking medium to external1.1.1: F I

Scratch in sealing surfaceWater pressure during installation unfolding seal

Guide 1.2Mateing 1.3Locking 1.4

Operation 2 Pump medium 2.1 Pressurise medi-um 2.1.1

No differential pressurisa-tion or reduced differential pressurisation2.1.1: F I

Broken impeller(s) 2.1.1: F I a)

Fracture fatigue

Unbalance 1Pressuresurge 2

Fracture collision 3Bearing failure 2.1.1: F I b)Blocked 2.1.1: F I c)Corrosion/erosion 2.1.1: F I d)

Reduced pressurisation 2.1.1: F II

ErosionCorrosionCloggingScale

Rotate impeller 2.1.2

Lubricate bearingCool bearingMotor operateConsume powerTransfere torque from motor to impellerStructural integrity

Seal medium 2.2 Internal seal 2.2.1

Seal between stagesSeal motor

External seal 2.2.3

Well mediumSeawater innCooling medium out

Abandonment

Table C-5 A detailed assessment of failure mode 2.1.1: FI from Table C-4

Failure mode Cause Root causeConsequence*)

Probability*)Local system Total system

No pressurisation 2.1.1: F I

Broken impeller 2.1.1: F I a)

Fracture fatigue Unbalance 1

5 5 4

Fracture fatigue Pressure surge 2

5 5 2

Fracture collision 3 5 5 2* The consequence and probability are ranged from 1 to 5 with 5 being the most severe consequence and the highest probability (see Sec.7.4 or Table 7-

1). These high probabilities are related to this example being in the development phase and to assure that they are given attention. It is anticipated that thehigh levels of consequence and probability will reduce as the qualification process proceeds.

DET NORSKE VERITAS


this has been done. For the failure mode 2.1.1: FI a) (seeTable C-4):

— Failure mode 2.1.1: FI a)1: Fatigue in the impeller because of unbalance.

— Failure mode 2.1.1: FI a)2:Fatigue in the impeller because of dynamic liquid pres-sure.

— Failure mode 2.1.1: FI a)3: Fracture of the impeller, because of foreign particles in thewell stream.

Reference is made to the questionnaires in Sec.8.3

C.2.5.2 Failure mode 2.1.1: FI a) 1

Table C-6 Failure mod screening for maintenance analysis 2.1.1:FI a)1

Fatigue in the impeller because of unbalanceQuestion Answer CommentWill the failure mode oc-cur within the lifetime of the field?

Yes

It is possible to restore the failure mode while the system is on/under the seabed?

No

To restore the failure mode, the pump must be pulled, and

the impeller must be re-placed.

It is acceptable to plan for such interventions? Yes Go through checklist B

( Appendix B Sec.B4.2.3)

Table C-7 Detailed maintenance analysis (Sec.8.4 and Appendix B)Checklist B (Appendix B Sec.B4.2.3) for failure mode 2.1.1: FI a)1 Fatigue in the impeller because of unbalanceQuestion Answer CommentIs the system designed for pulling of compo-nent/system?

Yes Test performed and verified. Resp: NN

What is the time estimate to restore the failure mode (MTTR)?

24 hours for retreival of the pump by the FP-SO, replace the impellers and reinstall.

An even faster solution (12 hours) would be to have one pump in spare.

What is the cost estimate of the intervention? Unplanned: 2 000 USD by use of the FPSOUnplanned: 110 000 USD by DSV to hire.

Estimates made by: NN and NN.

Is it much cheaper to do such an intervention if it is planned, or could it easily be done as a corrective task? (Compare cost of planned ac-tion against unplanned acction).

Not by the use of the FPSO,Yes, if a DSV has be chartered

Could the ocean depth be a problem with re-spect to pulling?

The pump is pulled with no problems up to 330 m water depth. For deeper waters tests should be done.

Could the component/system geometrical shape or weight be a problem with respect to pulling?

No

What kind of vessel/rig/crane is required to perform such an intervention?

Vessel with preferably with heave compensat-ed hoisting system teste up to 330 m water depth.

Is the failure development detectable by con-dition monitoring, inspection or other condi-tion assessment methods?

Failure could possibly be detected at an early stage by use of barrier fluid loss monitoring and vibration monitoring. Probability of De-tection is about 99%, by vibration monitoring which will reduce the frequency of the failure mode to category 1.

Resp: NNThe likelihood for instrumentation failure by vibration monitoring may be noticable. Barri-er fluid loss monitoring apperas more reliable

Is it natural to perform this maintenance ac-tion in connection with other maintenance ac-tions, and should such a grouping of maintenance actions have influence on the de-sign? (modularisation to ease opportunity maintenance)

Yes, should be considered before next design phase.

Resp. for further study: NN.

Table C-8 Detailed maintenance planning (Sec.8.5 and Appendix B)Decision of maintenance strategy for failure mode 2.1.1: FI a)1 Fatigue in the impeller because of unbalanceQuestion Answer CommentIt is sufficient to have spare parts at hand, and run to failure.

Yes, the cost and production is relatively small. It will only concern one well.

Is failure development detectable by Condi-tion monitoring, Inspections or other condi-tion assessment methods, and are those methods effective? (see appendix for method-ology on Cost/Benefit analysis)

Yes, the failure development is detectable by barrier fluid loss and by vibration monitoring, Cost/Benefit analysis performed, and Condi-tion monitoring is not Cost beneficial.

See Cost/Benefit analysis Report xxx

Conclusion: Operate until failure rather than use Condition Based Maintenance

DET NORSKE VERITAS


C.2.5.3 Failure mode 2.1.1: FI a)2

C.2.5.4 Failure mode 2.1.1: FI a)3

C.2.6 Reliability data collection (Sec.9)

C.2.6.1 Priority (Sec.9.3)

C.2.6.1.1 Screening

The subsea multiphase pump is composed of items normallyfound in standard pumps. The new technology class is 3 due tothe following: The pump type is recently put in use in a newapplication area (subsea).

The “new” and critical features are:

— high reliability is required. Thereby standard componentsrequire special considerations

— some areas (subassemblies) of the pump design are notstandard issue

— the maintenance philosophy is not standard (for a topsideapplication)

— the pumped fluid is not conventional, and may changeover time.

C.2.6.1.2 Conventional technology

Most of the items of the pumps can be termed as standard. Thehigh reliability requirements, however, leads to the classifica-tion of the items and sub assemblies into two categories:

a) Items with no deteriorating mechanisms provided they areprotected against corrosion and have sufficient strength.

b) Items with a operating life governed by wear, fatigue, er-rosion, changing of properties and other deterioratingmechanisms.

Category b), requires particular attention due to the high relia-bility requirement, and is therefore followed up as “new tech-nology” in the following.

These category items as well as assemblies and performancesshall be followed up by a “Quality plan”.

For Category a) the design standard and limiting conditionsshall be addressed.

Examples:

The enclosure for the electrical motor:

Its purpose is to maintain a pressure barrier, transfer forcesfrom installation tool, internal parts and induction forces, pro-

tect, and transfer heat. Further it shall keep the internal parts inposition, including when deflected.

These are items, which can be addressed in the quality plan andfollowed up according to standard used procedures. Therebythe limiting condition can be established by aid of generallyrecognised standards and margin to a limit that can be verified.

The main dimensioning and material selection is thereby gov-erned by a pressure vessel or structural standard with additionsfrom a corrosion protection standard (galvanic corrosion andhydrogen embritlement by cathodic protection) and related as-sumptions. The reliability of this item can be given the best rat-ing, class 1. The following up of the “quality plan” representsthe uncertainty area for this component.

Bolts

Bolts used for connecting the main components can be subjectto the same procedure as above. In addition the required pre-tension needs to be justified and addressed in the quality plan.

C.2.6.1.3 New technology

Based on the above screening and the items found critical, inregard to reliable service during their service life cycle. Theitems to be considered more thoroughly for qualification are:

a) Items subject to abrasive wear: Dynamic seals, bearings,matings surfaces.

b) Items affected by impact loads during installation.

c) Items subject to erosion: impeller, stator.

d) Items subject to fatigue: Ball and roller bearings, shaft.

e) Items subject to material property changes as function oftime and environment: polymer seals, electrical insulation

f) Items subject to leak: Mechanic seal system, polymer sealsystems, responses to conditions caused by expansions,tolerances, temperature, pressure, fluids, time.

Further, effects from the system response on each item and thesystem responses themselves to be qualified:

a) Pump capacity as function of fluid type.

b) Most extreme fluid conditions causing impacts, errosion,cavitation, corrosion.

c) Motor and pump temperature as function of normal andextreme operating conditions.

d) Wear rate of seals and bearing as function of lubricationnormal and extreme quality.

e) Leak rate of seals due to vibrations and wear.

f) Corrosive protection system including possible electro-magnetic effects from the power.

g) Electrical power extreme conditions.

h) Shaft unbalance and straightness.

i) Installation and replacement conditions considering ma-rine growth, water blocking, clearance tolerances, currentand wave conditions.

j) Protection from likely sizes of dropped and dragged ob-jects.

k) Likely operational failures.

l) Likely sensor and monitoring failures.

C.2.6.2 Parameter effects (Sec.9.4)

The critical parameters should be established based on the fol-lowing approach:

Table C-9 Failure mod screening for maintenance analysis 2.1.1: FI a)3Failure mode 2.1.1: FI a)2: Fatigue in the impeller because of dy-namic liquid pressure:Question Answer CommentWill the failure mode occur within the lifetime of the field?

No See qualification Re-port yyyy

Table C-10 Failure mod screening for maintenance analysis 2.1.1: FI a)3Failure mode 2.1.1: FI a)3: Fracture of the impeller, because of for-eign particles in the sell streamQuestion Answer CommentWill the failure mode occur within the lifetime of the field?

No See qualification Re-port yyyy

DET NORSKE VERITAS


Figure C-2 A flowchart to showing the approach to identify parameters thatare critical for a failure mode.

Many components with a service life limit are selected accord-ing to sub-supplier’s qualified methods, for specified condi-tions. The quality of such selection methods varies from typeof items and the sub-supplier.

Example:

Bearings

The pump selected as an example has a sliding thrust bearingbased on tilted pads. The lubrication quality, and running con-ditions and frequency of start and stop, govern its lifetime.

The life of ball and roller bearings can be determined based onformulas given by the sub-supplier, which includes: rpm,number of cycles, type of bearing, constant for dynamic andstatic load sensitivity, alignment, temperature, lubricationquality. Hence, the main parameter dependencies can be estab-lished.

Seals

Seal suppliers give selection criteria, but seldom formulas forlife estimation. Therefore this requires effort in assessment.Without formulas, it is possible to establish important parame-ters based on the selection criteria and engineering judgement.Thus, uncertainties are larger than for the above bearings.

Impeller wear

Material loss rates can be based on developed formulas and ex-periences, where such are available.

Pump performance

Literature and experiences establish formulas for pump per-formance. Multiphase requires particular experience, and for-mulas.

C.2.6.3 Margins (Sec.9.6.6)

C.2.6.3.1 Standard technology

Established standards specify design acceptance criteria,which include safety factors against common experienced un-certainties in materials and loads, e.g. for the enclosure for theelectrical motor. Following up a margin to these criteriathroughout the qualification process therefore assures that theitem remains with a probability of failure defined by the stand-ard, i.e. one may be justified to use probability class 1.

C.2.6.3.2 New technology

Example:Thrust bearing- Failure type: Wear for sliding bearings (Fora possible roller bearing: fatigue caused by rotation at load)

Sec.C.2.6.1.3 define new technology for this example, andwhy the thrust bearing is put in this category. The thrust bear-ing is of a sliding type.

If a roller or ball bearing type had been selected, the size canbe found in the bearing manufacturers manual, which normallywill comply with ISO 282:1990. Such a manual can state thatthe dynamic load and rotation capacity of the bearing is speci-fied as the 90% confidence interval, i.e. that 90% of a largenumber of bearings survive. Further it can state that 50% of thebearings experience approximately 5 times this specified rota-tional life.

Assuming that the failures follow a “Standard statistical distri-bution”, then the acceptance percentile as well as the meantime to failure (MTTF) can be established for the roller bearingfor the intended operational life. A specific “margin” is there-fore not relevant in this context. The margin is implicit givenin the percentile and MTTF.

C.2.6.4 Planning (Sec.9.6)

C.2.6.4.1 General

A qualification plan is developed based on experiences, nu-merical analysis and tests, concentrating most efforts on themain items identified in the process, C.2.6.1.

The main principles of the plan is e.g.:

To qualify each failure mode separately. Numerical analysisand the quality plan can qualify most of them. Thereby accel-erated tests of the pump assembly will not be used to simulatethe lifetime.

— To perform extended factory acceptance tests which in-cludes performance measurements as well as measure-ments of parameters that can cause deterioration of items.The latter can in submerged performance tests include lu-brication temperature, leak measurements, leak responseon shaft vibrations.

— Performance test of the pump with various gas oil ratiosand varying of the critical parameters.

— Installation test.

C.2.6.4.2 Check list (Sec.9.6.2)

The FMECA sheets are developed further for following up thequalification as shown in RP-A203-201.

C.2.6.4.3 Cost reduction

It is assumed that the main uncertainties are related to someitems and failure mechanisms, e.g., electrical coupling insula-tion resistance in salt water, impeller wear by sand productionand pump performances at high gas oil ratios and slugging.

Input:Type of failuremechanism

Parameterdependencies-Establish

Analytical toolavailable

Yes

Parameterdependenciesassessments forfeasibility ofanalytical modeldevelopment

No

Practical andFeasible

Applyengineeringjudgement/experiences forestimating theeffects form eachparameter.

Establishanalytical model,and qualify it

No

Yes

Establishparameterdependencies

Determine theparameters havingthe largest effect onuncertainties andcorrelations.

DET NORSKE VERITAS


The cost of possible uncertainty reduction, by further detailedqualification should therefore be evaluated.

C.2.6.4.4 Inaccuracies and uncertainties (Sec.9.6.4)

Each numerical analysis and test, which includes measure-ments of parameters, shall include an estimate of the magni-tude of inaccuracies.

C.2.6.5 Test (Sec.9.7)

The above indicates the need for all types of tests including,basic tests, prototype tests and factory acceptance tests. Thequalification process must be concluded before final tests ver-ifying the actual installation, and possible pilot application,which is represented by the earlier mentioned installation.

C.2.7 Reliability (Sec.10)

C.2.7.1 Pump reliability

Assuming that each separate failure mode will cause the pumpto stop or malfunction, then the pump reliability can be de-scribed by the sum of each of the probabilities for the failuremodes, i.e. by the “generic part method”. Both the sum of“mean time to failure” and the “lower confidence interval”should be calculated.

The assumption above will be conservative and to some extentmisleading. It is more appropriate to distinguish and deal sep-arately with:

— reliability related to failures caused by installation— failures that will not cause lost or reduced pump perform-

ance— reliability of pump unit based only on failure modes caus-

ing lost or reduced performance.

It is assumed that the field life is 5 years. A reasonable “lowerconfidence level” for the pump is assumed to be 10%, i.e. thatthe pump performs as intended is estimated with 90% reliabil-ity within this time period (one out of 10 failures within the pe-riod).

Assuming further that only the 10 most likely item and failuremodes contribute to this reliability, and that the contributionfrom the rest of the items are calculated to be insignificant.The reliability estimate consequently should also be used as aloop in the early phase of the qualification process. This will

facilitate a concentration on the most important items, thosewith least reliability and with most uncertainties.

Figure C-3 A cross section of the pump


DET NORSKE VERITAS

Tabl

e C

-11

Tab

ulat

ed in

form

atio

n , F

ME

CA

and

che

cklis

tsIn

form

atio

n fo

r fo

llow

ing

up b

y ch

eckl

ist

Add

ition

al in

form

atio

n fo

r F

ME

CA

IDF

ailu

re m

echa

nism

type

/ R

oot c

ause

Par

t No:

Risk Cat.

Tecn Cat.

MTTF

LCL

Margin

Com

men

tSo

urce

Rev

Dat

eF

ailu

re M

ode

Det

ecti

onE

ffect

Rev Fre

Rev Con

Init Fre

Init Con

1.1

Mat

eria

l fat

igue

, unb

alan

ced

case

d.Im

pelle

rM

1B

eMo

125

.08.

00C

rack

ing

No

pum

ping

pre

ssur

e2

52

5

1.2

Mat

eria

l fat

igue

, flu

id c

ased

.Im

pelle

rM

1B

eMo

125

.08.

00C

rack

ing

No

pum

ping

pre

ssur

e1

51

51.

3B

ritt

le f

ract

ure,

Uni

dent

ifie

d bo

dyIm

pelle

rM

1B

eMo

125

.08.

00B

ritt

le f

rac-

ture

No

pum

ping

pre

ssur

e1

51

5

1.4

Ero

sion

/cor

rosi

onIm

pelle

rM

2B

eMo

125

.08.

00M

ater

ial l

oss

Red

uced

pum

p pr

essu

re4

24

21.

5S

yste

m f

ailu

re, C

logg

ing

Impe

ller

L1

BeM

o1

25.0

8.00

Blo

ckin

gR

educ

ed p

ump

pres

sure

12

12

2.1

Inst

alla

tion

dam

age

Sea

l Pum

p-fl

uid

- se

aM

2B

eMo

125

.08.

00L

eak

Lea

k of

pum

p fl

uid

to

sea

24

24

2.2

Ext

rusi

onS

eal P

ump-

flui

d –

sea

M3

BeM

o1

25.0

8.00

Lea

kL

eak

of p

ump

flui

d to

se

a2

42

4

2.3

Age

ing

Sea

l Pum

p-fl

uid

- se

aL

1B

eMo

125

.08.

00L

eak

Lea

k of

pum

p fl

uid

to

sea

14

14

3.1

Wea

rD

ynam

ical

se

alM

1B

eMo

125

.08.

00L

eak

Lea

k of

lubr

icat

ion

into

pu

mp

flui

d4

34

3

3.2

Vib

rati

onD

ynam

ical

se

alM

2B

eMo

125

.08.

00L

eak

Lea

k of

lubr

icat

ion

into

pu

mp

flui

d3

33

3

3.3

Lea

kD

ynam

ical

se

alM

1B

eMo

125

.08.

00L

eak

Lea

k of

lubr

icat

ion

into

pu

mp

flui

d2

32

3

4.1

Fat

igue

, rot

atio

nal l

oad

Tru

st B

ear-

ing

M2

255

LC

L: 9

0%B

eMo

125

.08.

00C

rack

ing

No

pum

ping

pre

ssur

e2

52

5

4.2

Ove

rloa

d, s

tatic

Tru

st B

ear-

ing

M1

BeM

o1

25.0

8.00

Cra

ckin

gN

o pu

mpi

ng p

ress

ure

25

25

4.3

Wea

r, L

oss/

con

tam

inat

ion

of

lubr

icat

ion

Tru

st B

ear-

ing

M1

BeM

o1

25.0

8.00

Cra

ckin

gN

o pu

mpi

ng p

ress

ure

25

25

4.4

Wea

r, H

igh

lubr

icat

ion

tem

-pe

ratu

reT

rust

Bea

r-in

gM

1B

eMo

125

.08.

00C

rack

ing

No

pum

ping

pre

ssur

e2

52

5

Leg

end:

H=

Hig

h ri

sk c

ateg

ory

(ove

r 15

)M

=M

ediu

m r

isk

cate

gory

(be

twee

n 4

and

15)

L=

Low

ris

k ca

tego

ry (

unde

r 4)

DET NORSKE VERITAS


C.3 Qualification of massproduced components

C.3.1 Introduction

Some new type components are mass produced and intendedfor service in several types of systems. The qualification ofsuch a component requires a rational approach to cover a rangeof services, different load cases and environments.

The following is an example of such a qualification procedure.

C.3.2 The typical process of a component qualification

An example of component qualification includes:

1) Perform a component application review: Identification ofall loads, constraints and conditions that may have an im-pact on the component during its service life.

2) Establish a qualification strategy: Identify the best ap-proach for a thorough qualification.

3) Carry out a component classification: Based on the appli-cation review and assessments of future needs, classify thecomponent into standard application classes, for examplepressure, size, fluids.

4) Generate a qualification procedure.

5) Execute the qualification tests.

6) Generate a qualification report.

Items 1-6 above comprise the qualification plan ( Sec.5.2).

C.3.3 Overall planning through developing procedures

The development and qualification of components is an itera-tive process involving all stages from specification to accept-ance. Procedures to apply during the qualification processmust therefore be developed.

C.3.4 Requirement to documentation

The qualification procedures and reports shall include thecomponent classification data. Especially important is to high-light any changes to the classification as resulting from thetests. Before a component is approved for use, all the qualifi-cation reports shall be reviewed and approved. The require-ments for qualification testing given herein apply both tocompany components and to sub-vendor's components. Therequirements shall be considered for each component and ex-ceptions highlighted using the qualification notification sys-tem.

C.3.5 Accelerated testing

Since component expected service life is normally long, accel-erated life testing is required. Some guidelines related to accel-erated life testing shall be developed, but it must beemphasised that the engineer responsible for the qualificationtesting must review these on a case-to-case basis. Exceptionsshall, however, be documented in the qualification test proce-dure and report.

C.3.6 Fullscale testing

It is difficult to predict all operational constraints and condi-tions of a component due to a variety of applications, and sincesome systems are complex and as such have not yet beenplanned or designed. One basic requirement for qualificationtesting is therefore to test the component under conditions asclose to the real life as possible and practical, while applyingthe different accelerated loads in "real" succession. As an ex-ample, as part of qualifying a hydraulic coupling, this shouldbe mounted as in its intended life to reveal any adverse effectsfrom the locking system

All components shall as far as possible be qualified againststandard functional requirements compatible with the critical-ity of the component.

"Test to failure" should be performed whenever practical to es-tablish the real limitations of the component.

C.3.7 Summary of component testing

The qualification based on component testing as described inthis section applies to standard mass-products and simpleitems, i.e. hydraulic pipefitting. All of the parts describedabove are covered in the procedure, although the proceduredoes not fully cover the extensive development of a qualifica-tion basis, identifying all the different uses.

C.4 A subsea multiphase pump; Kværner Eureka

C.4.1 Multiphase pump

C.4.1.1 Example

This example focuses on different aspects of the qualificationprocess. The unit is installed on the seafloor for multiphase (ar-bitrary mix of gas and fluid) pumping from a hydrocarbon res-ervoir drained through subsea wells.

The pump is equipped with auxiliary components and systemssuch as a pressure and volume compensation system (a com-pensator), a cooling system, filters, instrumentation, penetra-tors, etc. All components are mounted on a skid and placed ina dedicated subsea module frame.

The selected example is qualification of the diaphragm in thecompensator. (In this case a steel bellows).

C.4.1.2 Scope of this example

The purpose of the following is to show typical examples ofapplication of the procedure for:

— check list for qualification basis— failure mode and mechanism identification for a limited

area (the bellows)— reliability data collection for the bellows.

The latter focus on alternative approaches is dependent on thetypes and quality of the available documentation.

C.4.2 Applied data

The technical data used is mainly based on general informationavailable in handbooks, on the internet and brochures.

C.4.3 Qualification basis Check list

The purpose of the checklist is to keep a clear trace of the pa-rameters to be used for the qualification, and including possi-ble changes.

The checklist should include all parameters that describe therequirements for the equipment. Examples of such parametersare:

— specifications (quantified) such as

— intended function of the equipment, e.g. capacity — lifetime, e.g. target service time, number of cycles be-

fore failure

— loads

— mechanical— thermal

— operating conditions

— operating pressure (range)— temperature (range)— environment.

Table C-12 illustrates a typical checklist for the qualifica-tion basis.

DET NORSKE VERITAS


C.4.4 Ranking of failure modes

C.4.4.1 Definitions of probability and consequence values

The subsea multiphase pump module has been subject to a fail-ure mode effect and criticality analysis (FMECA) using thefollowing categories:

Probability categories:

Consequence categories

For the purpose of this limited demonstration on the bellows,four categories were found to be practical.

C.4.4.2 Determination of risk

C.4.4.2.1 Failure of modes of concern

The analysis showed that the function of the compensator wascritical for the main functions of the module, and that the func-tion of a diaphragm located inside the compensator would becritical for the intended function.

Table C-14 shows the results of the FMECA of the bellows.

The consequence of failure of the bellows is that the pressurecompensator cannot perform its intended task, which in turncan lead to failure of the pump seal and break down of thepump, i.e. consequence category; 4 very high.

The probability that the identified damage mechanisms willoccur and will cause failure within the defined service life ofthe bellows is initially determined to be low to medium (prob-ability categories 1 low to 2 medium). There are several routesto go for obtaining the reliability data, and the uncertainty canbe reduced to arrive at an acceptable risk level, as shown in thefollowing, for the bellows.

C.4.4.2.2 Failure mechanisms of concern

Main failure mechanisms are governed by:

— material fatigue— buckling— corrosion— fretting— deposits.

The bellows are in general very sensitive to defects like dents,scores and to twisting. Handling during assembly can causethis. If defects or twisting exist, the probability that this willcause failure within the design lifetime of the bellows has beenjudged to be high, initial probability category; 3 high. Appro-priate procedures for handling, mounting and inspection andfor and qualification of personnel can reduce this category.

Other more general, but important aspects are:

— the damage tolerance of the design (robustness)— possible deviations from nominal conditions— the manufacturer's experience background — qualification effort put into the design and testing of the

design— the quality of standards applied in design and manufactur-

ing.

These are further dealt with in the following.

C.4.5 Reliability data collection

C.4.5.1 Planning

The objective is to provide sufficient data of good enoughquality for evaluating the system reliability with regard to themost critical failure modes and consequences.

Data collection will aim at collecting the data that describe theprobability that a failure mechanism will develop until dam-age. This implies also the aim at reducing the uncertainty indata or at getting a better understanding of how uncertain theactual data are.

A stepwise approach is applied with the aim to provide the nec-essary and sufficient basis with a minimum of efforts.

C.4.5.2 Qualification Basis for the Compensator - Bellows

C.4.5.2.1 Design

The following example will focus on the bellows, and considerthe rest of the pump module only as a set of boundary condi-tions.

The diaphragm consists of a bellows, springs, an end plate (pis-ton) and guiding.

The following figures are copied form the WitzenmannGMBH brochure. They illustrate typical use and design of bel-lows.

The bellows is made from 4 plies of Inconel 625 sheets of 0,3mm thickness, which are rolled and welded to cylinders that fitinto each other, and then expanded into the final corrugatedshape.

1 Low Failure within 10x service life unlike-ly.

2 Medium Failure within 10x service life possi-ble, but unlikely within service life.

3 High Failure within service life likely.4 Very High Several failures within service life

likely.5 (Not included) Frequent failures within service life

likely.

1 Low Equipment failure that does not cause production loss, - no pollution

2 Medium Equipment failure that is not critical, repair can wait until next interven-tion, - no or minor pollution.

3 High Equipment failure that is critical, re-quires controlled shut down. Produc-tion loss without equipment damage, - no or minor pollution.

4 Very High Equipment failure that is very critical, requires that the equipment must be replaced, production loss, possible pollution.

5 (Not included)

DET NORSKE VERITAS


Figure C-4 A sketch of a bellow installed in a pressure housing, and the clamping of the bellows to the solid structure.

C.4.5.2.2 Number of operations

There has been defined a target lifetime for the bellows interms of years in service and the anticipated number of typicalload cycles during that period. The design lifetime of the bel-lows in terms of load cycles is ten times the number of full loadcycles anticipated during its target lifetime. Two types of loadcycles have been defined, the full stroke cycle and the 10%stroke load cycle. For every full stroke load cycle one antici-pates that 20 load cycles of 10% of full stroke will occur. Thisdefinition is considered to cover actual strokes with respect tofatigue life.

C.4.5.3 Fatigue - The stepwise approach

The stepwise approach related to material fatigue damage con-sists of the following main sources of data:

1) Material fatigue strength represented by strain-number ofcycles curves or stress-number of cycles curves (S-Ncurves), in this case correlated with one actual test.

2) Crack initiation.

3) Crack growth.Further is considered:

4) Damage tolerance.

5) Deviations from nominal conditions.The alternative, which depends on its quality is represent-ed by

6) Standards and Experiences.

Design according to the above item 6 alone could give the de-sired reliability. Uncertainties with respect to the standardcould, however lead to separate investigations as indicated byitem 1 to 3 and supplemented with item 4 and 5.

The items are further detailed in the following:

Lifetime evaluation level 1

Fatigue lifetime evaluation based on S-N curves:

Lifetime evaluation level 1 - Fatigue lifetime evaluation basedon S-N curves:

S-N curves are usually based on data from fatigue test speci-mens, and represent a stated probability of specimen survivalat the strain-range and number of load cycles. For stresses be-low the yield limit, the strain-range is proportional to thestress-range. The observed fatigue life includes crack initia-tion, crack growth and final fracture of the specimens, whichoften are cylindrical rods of a diameter of 6.27 mm. Use of S-N curves has limitations for evaluation of fatigue lifetime ofactual constructions, in particular if the geometry is very dif-ferent from that of the test specimens, as the case with this mul-ti-layer bellows.

S-N curves can be used for evaluating if the probability of fa-tigue of the bellows is higher than desired under the given con-ditions.

If fatigue life of the bellows is infinite for the most severestrain-range encountered in use (full stroke), the probability offatigue failure is so low that the fatigue evaluation can be con-cluded at this level. The evaluation of damage tolerant design(see lifetime evaluation level 4) still has to be carried out. Oth-erwise the fatigue evaluation has to be continued by evaluatingthe probability of crack initiation (lifetime evaluation level 2).

Detailed example:

Stress and strain data for the bellows are not made available.Lifetime calculation by use of S-N data is thus not possible.However, one prototype bellows has been tested at full stroke,and survived 20 times the design number of full stoke cycleswith no indication of failure or fatigue crack initiation. Thistest result can be used in a lifetime evaluation, e.g., will moretests be required to ensure that the probability of fatigue failureunder defined service conditions is acceptable.

Figure C-5 S-N curve for Inconel 625 with test result and design value

The following information is available:

— S-N curve for Inconel 625 (in a Log S - Log N format):In the region of interest, the S-N curve is of the formLog (N) = Log a - m * Log (S)where

N = the mean number of cycles to failure under strain-range S

S = strain-range

1,E+02

1,E+03

1,E+02 1,E+03 1,E+04 1,E+05 1,E+06 1,E+07 1,E+08

No. of cycles

Strain

-rang

e

DET NORSKE VERITAS


— The scatter in the observed cycles to failure at a givenstrain-range can be described by a normal distribution onthe Log N axis, and the standard deviation of Log N isLog s

— DNV-RP-C203 - Fatigue strength analysis for mobile off-shore units - gives typical values for Log s in the range0.18 to 0.25. For the geometry of the bellows Log s = 0.2will be relevant.

— The prototype bellows has been tested at 20 times the de-sign number of full stroke cycles with no indication of fail-ure or fatigue crack initiation.Furthermore, the following assumptions are made:

— Tests of specimens of Inconel 625 would give a scatter inthe observed lifetimes similar to that of steel in cleaned,as-rolled condition, i.e. Log s = 0.2.

— Only full stroke cycles (as specified in the qualificationbasis) affect the fatigue life.

The S-N curve for Inconel 625 is shown in Figure C-5 withnumber of cycles N as x-axis and strain-range as y-axis. Thedesign number of cycles, 500 cycles, is marked with an opentriangle, and the prototype test result is marked with a filled tri-angle. Since there is only one test result available, the mean S-N curve is drawn through this point as a first assumption.

Figure C-6 Probability density diagram with Log s = 0.2 and test result atmean value + 3 * Log s

To get a better basis for evaluating, if more fatigue tests are re-quired, assume as shown in Fig.C-6 that the test result is muchbetter than average and corresponds to a lifetime three standarddeviations better than the mean lifetime. This is a very con-servative assumption, as it implies that the probability that thetest result is even better than assumed, at only 0.135%. Themean lifetime is then 2512 cycles (Log 10000 = Log N + 3 *Log s; Log N = 4 − 3 * 0.2 = 3.4). As shown in Fig.C-6 the de-sign number of cycles is well below three standard deviationsbelow the mean lifetime (Log (N − 3s) = Log N − 3 * Log s =3.4 − 3 * 0.2 = 2.8; N − 3s = 631 cycles). Based on the aboveassumptions, the probability of failure at 631 cycles will be0.135%, and the probability of failure at 500 cycles will beeven lower than that.

Based on the above reasoning, and the fact that the bellows sur-vived 10000 cycles without visible failure damage, one canconclude that failure of the bellows due to fatigue is very un-likely.

Guidance note: ISO FDIS 2394:1998(E) D.5.3 - Partial factor design: Bayesianmethod, describes a method for calculating the design value giv-en a desired probability of failure, one or more test results and aknown or, in case of more test results, calculated standard devia-tion.


General information:

A similar approach can also be applied for failure mechanismsdescribed by distribution functions visualised on graphs withlinear scales, or any type of scales, e.g. by the X axis as a lineartime scale and number of standard deviations with linear rela-tion. See “Guide to the expression of uncertainty in measure-ment, ISO 1995” which define “experimental standarddeviation” “st” from measurements as:

qk = measured value= mean value of measurements

n = number of measurementsk = measurement no

For information, a typical normal distribution function isshown in Fig.C-7.

Figure C-7 General diagrams showing: Probability density φ and ProbabilityΦ as function of standard deviations


Fatigue lifetime evaluation based on the probability of crackinitiation:

S-N curves for crack initiation are usually not available. Theapproximate position of such curves can be derived from basicknowledge of the material used and from crack growth data forthis material.

S-N curves for crack initiation can be used for evaluation if fa-tigue crack initiation is probable under the given conditions.

If crack initiation is probable for the most severe stress range,crack growth due to this stress range and also other relevantstress ranges must be evaluated.


Fatigue lifetime evaluation based on crack growth:

If crack initiation during the target lifetime has to be taken intoaccount, the probability of through cracks has to be evaluated.Both the most severe stress range and other relevant stressranges have to be considered.

Use of fracture mechanics and relations of the type can calcu-late crack growth

da/dN = C f(∆K)

where

a = crack length at the momentN = number of cyclesC = material constant∆K= cyclic stress intensity factor range

Several versions of such relationships exist, the most wellknown being the Paris equation, see e.g. H. O. Fuchs and R. I.Stephens "Metal Fatigue in Engineering" or other textbooks onfatigue.

a = a constant relating to the mean S-N curvem = the inverse slope of the S-N curve

0

0,1

0,2

0,3

0,4

1,00E+02 1,00E+03 1,00E+04 1,00E+05No. of cycles

Probability densi

st 2

qk( ) 1n 1–------------ qk q··–( )2

k 1=

n

�=

q··

DET NORSKE VERITAS


This allows calculation of the relative contribution to crackgrowth from other load cycles than the most severe load cycle,and, when the threshold for crack growth is known, determina-tion of the crack size at which crack growth changes fromcrack initiation to much faster fatigue crack growth.

Crack growth is an important aspect in determining the intervalbetween inspections, i.e. the safe period of operation after in-stallation or intervention (inspection).


Damage tolerance

Lifetime evaluation has been carried out for the bellows innominal condition, i.e. the geometry of the bellows, the loadsituation etc. are as given in the description of the bellows.

In addition to this, the damage tolerance of the design shouldbe checked. This means that the effect of possible flaws frommanufacturing and assembly are to be estimated, and also pos-sible damage during operation, e.g. formation of pits due tocorrosion, fretting, etc. that can act as initial cracks or stress-raisers.


Evaluation of deviations from nominal condition

The above evaluation is based on nominal conditions, i.e. thatthe geometry of the bellows, the load situation etc. is as are asgiven in the description of the bellows. The effect of possible(reasonably probable) deviations from this should also bechecked, e.g.

manufacturing and assembly tolerances, including deviationsfrom axi-symmetric conditions

excessive loads that can be caused by not typical operatingconditions, malfunction, etc. The latter shall be specified in the“qualification basis”.

Details of example:

The fabrication process should be reviewed with regard to tol-erances to be specified.

It is known that loading a bellows in torsion (twisting) in gen-eral produces extremely high shear stresses and can greatly re-duce both fatigue life and pressure capacity. The maximumallowable torsion moment should therefore be identified, andchecked that the possible actual torque is well below.

The design of the axial bellows guidance, effects from possiblesprings (including spring breakage) and the assembly proce-dure of the compensator should address the effect on thetorque. The above items will be input to the qualification of thedesign of the compensator and to the qualification other com-ponents of the compensator.


Evaluation of the manufacturer's data, criteria, calculations,testing, experience, standards used.

The design of the bellows can be based on a standard. In thiscontext the background for the standard with respect to lifetime estimates should be documented and qualified. If not,qualification of the standards with respect to the implicit prob-ability of failure must be carried out.

Details of example:

The manufacturer of the bellows for the compensator designsand manufactures bellows according to the “EJMA” standard(Expansion Joint Manufacturers Association, Inc. 1998). Thisstandard says that the average fatigue lifetime is equal to the orhigher than the design lifetime. DNV experience indicates thatthe lifetimes observed in fatigue tests of bellows are usuallywell above the design lifetime.

The compensator bellows can also designed according to aproprietary standard developed by the manufacturer. Accord-ing to this, the bellows has a calculated lifetime above the de-

sign lifetime. The manufacturer states that his standard isaccurate and more conservative than the EJMA standard. Sinceno documentation on this is available, it is difficult to evaluatewhat the calculated lifetime implies in terms of probability offailure, e.g. if this corresponds to 30%, 10% or some otherprobability of failure.

Consequently the additional evaluations given in level 1 is re-quired.

C.4.5.4 Buckling

Buckling of the bellows could cause functional failure of thecompensator by hindering the required motion of the bellows.Buckling is not acceptable within the lifetime of the bellows.

Specification of long lifetimes (high number of cycles) can re-sult in a bellows, which is highly flexible and could have re-duced stability under pressure.

The EJMA standard also addresses the stability of the bellowsby formulas and criteria. In this case a guide is used for pre-venting radial motion and thus buckling of the bellows.

The probability of failure due to instability is considered to below.

C.4.5.5 Corrosion

Pitting corrosion could be critical. The pits that can act as stressraisers and or initial cracks. Fatigue cracks can grow from suchpits. Because each ply is only 0.3 mm thick, corrosion pittingcan penetrate an outer ply of the bellows and allow corrosionattack of the inner plies as well, causing leakage.

Pitting corrosion is not acceptable within the lifetime of thebellows. Material selection and control of the environmentshould be used to control this failure mode.

Since both the system fluid and the fluid in the compensatorhousing have low corrosivity, the probability of corrosion at-tack on the bellows is evaluated as low under normal operatingconditions.

If the fluid in the housing is polluted by produced fluid, the flu-id outside the bellows will become corrosive. According to es-tablished service experience in H2S service, Inconel 625 hasproven not susceptible to corrosion when the surface hardness≤ 35 HRC. Pitting is not reported to be a problem.

The flange material is corrosion resistant. Further general cor-rosion of the flange is not a problem because of the thickness.

C.4.5.6 Fretting

Fretting could be critical since it can cause pits that can act asstress raisers and or initial cracks. Fatigue cracks can growfrom such pits. Fretting could occur between the plies and can-not be detected by visual inspection.

Fretting is not acceptable within the lifetime of the bellows.

Fretting wear occurs form repeated shear stresses that are gen-erated by friction during small amplitude oscillatory motion ofsliding between two surfaces pressed together in intimate con-tact. Surface cracks initiate in the fretting wear region. The rel-ative slip amplitude is typically less than 50 µm. Fretting wearincreases linearly with contact load.

There seems to be a possibility that conditions that can causefretting wear may exist somewhere in a multi-layer bellows.Data for evaluating this are not available, and criteria for fret-ting wear are vague. It is not possible to arrive at any conclu-sion based on available data.

Fretting is not addressed in the EJMA standard. DNV have notrecorded bellows failures due to fretting.

Fretting is most probably not a problem in bellows, but there issome uncertainty about this. This should be followed up by in-spections after test.

DET NORSKE VERITAS


C.4.5.7 Accumulation of deposits on/around bellows

Accumulation of deposits on or around the bellows can causefunctional failure of the compensator by hindering the requiredmotion of the bellows.

The effects form the environment must be examined. It is as-sumed that this is only of concern in case wax or hydrates canform, or sand settles on the one side of the bellow, or contam-ination of the clean fluid on the other side.

Therefore a study should be carried out for the purpose of de-termining that the risk for deposit accumulations is acceptablylow.

C.4.5.8 Conclusions

The above demonstration shows that conclusions regarding thereliability of components with regard to critical damage mech-anisms can be made even when data are sparse or lacking. Theevaluation points to areas where better data is required.

Standards used for designing may be based on reliability con-siderations or on experience regarding designs that have func-tioned acceptably in service. If standards are documented andverified, comparing with the standards can assess the reliabili-ty of the components. If such standards are proprietary or notverified they are of less value for reliability assessment.

Results of tests, even though the number of tests is far from sta-tistically significant, can facilitate sufficient background forreliability evaluation when combined with relevant other datathan those from tests alone.

C.4.6 Maintenance and modifications

The cost of an intervention of the subsea multiphase pumpmodule is so high that unscheduled interventions must beavoided. This means that all parts of the multiphase pumpmodule must have a minimum lifetime equal to or longer thanthe time between scheduled interventions. The cost of replac-ing parts and components at the intervention is marginal com-pared to the cost of carrying out the intervention. This meansthat the pump must be replaced with a new or overhauled pumpmodule. The overhauled module parts that are subject to wearor deterioration have been replaced. Because unscheduled in-tervention is extremely costly, it is of importance to detect con-ditions that could require intervention early to allow time forplanning. On the other hand, false indications cannot be ac-cepted because of the costs.

Because the subsea multiphase pump module is new technolo-gy in the sense that it has not a record of previous successfuluse subsea, intervention for replacement is planned at regularintervals. The design lifetime of the bellows is the same as thetarget interval between interventions.

The analysis of the bellows shows that the probability for fail-ure within this interval is so low that no additional inspectionor maintenance is required, provided that the bellows is assem-bled correctly according to the "right" procedures and that noindications of defects were found at the subsequent inspection.

The function of the compensator could be monitored by a sys-tem that continuously measures the position at the end of thebellows. This will also serve as condition monitoring of thebellows, since lack of movement or irregular movement willsignal that there is a problem. Higher sensitivity can probably

be achieved by correlating the movement of the bellows withother parameters such as pump inlet pressure.

Table C-12 Specifications for the subsea pump module

Specifications - Subsea Multiphase Pump Module1. Design life time pump moduleDesign life pump module years 25Design time between intervention years 5Design load full amplitude cycles of bellow between intervention

Cycles 500

Design load 10% amplitude cycles of bellow between intervention

Cycles 10000

2. Operating EnvironmentAmbient conditions –storageMinimum air temperature deg. C - 20Maximum air temperature deg. C + 40Ambient conditions –submerged testingMaximum water depth m 15Minimum water temperature deg. C + 1Maximum water temperature deg. C + 20Ambient conditions –at subsea location for operationMaximum water depth m 500Minimum water temperature deg. C + 1Maximum water temperature deg. C + 12InstallationWave height m 2,5Maximum landing velocity m/s 1,8Maximum horizontal acceleration g 0,53. Pumped medium specificationsMaximum fluid temperature at wellhead deg. C 85H2S content in gas phase ppm < 22Carbon dioxide in well stream mol % 0,3 – 1,3Oxygen % 0Acidity pH 5,5 - 6,5Average sand content (weight) ppm 20Maximum sand particle size mm XX5. Pump parametersDesign pointSuction pressure (for a specific application) barg 25Discharge pressure (for a specific application) barg 65Design pressure barg 250Hydrostatic test pressure barg 425Suction temperature (for a specific applica-tion)

deg. C 73

Gas flowrate (A - ambient) Am3/h 566Liquid flowrate Am3/h 374Total flowrate Am3/h 940Gas void fraction 0.60Gas density kg/m3 18,3Liquid density kg/m3 923Total density kg/m3 378,8Pump speed rpm 1800Pump shaft power kW 1330Maximum operating pointTotal flowrate at 40 bar differential. pressure Am3/h 1060Pump speed rpm 2000Pump shaft power kW 1480


DET NORSKE VERITAS

Tabl

e C

-13

Che

cklis

t –

Fai

lure

mec

hani

sm –

Dat

a ba

se

ID

Fai

lure

mec

h-an

ism

ty

pe /

Roo

t ca

use

Equ

ip-

men

t/

part

Risk Cat.

Techn cat

MTTF

LCL

Mar

-gi

nC

omm

ent

Sour

ce

Rev

Date

Fai

lure

M

ode

Fun

ctio

nR

isk

redu

c-in

g m

easu

reD

etec

tion

Eff

ect

Ope

rat-

ing

mod

e

Service life (Year)

Rev. Fre

Rev.Con

Init Fre

Init Con

1B

ello

ws

51.

1In

stab

ilit

y,

buck

ling

Bel

low

sL

2O

KC

an b

e an

inhe

rent

de

sign

pro

blem

at

long

life

times

Man

ufac

tur-

er, E

JMA

st

anda

rd

Bel

low

s st

uck,

bl

ocke

d

Allo

w

pist

on

mov

e-m

ent a

s in

tend

ed

Inte

rnal

gu

ide

fitt

ed.

Yes

, pos

ition

se

nsor

dur

ing

oper

atio

n

Los

s of

pr

essu

re

com

pens

a-ti

on

Nor

mal

op

erat

ion

51

42

4

1.2

Acc

umul

atio

n of

dep

osits

/ de-

bris

on/

aro

und

bell

ows

Bel

low

sL

2S

epa-

rate

ta

sk

Can

occ

ur if

pro

-du

ced

flui

d en

ters

co

mpe

nsat

or

Bel

low

s st

uck,

bl

ocke

d,

reta

rded

m

ovem

ent

Sam

e as

1.

1R

evie

w d

e-si

gn o

f co

m-

pens

ator

im

puls

e pi

pe, h

eate

r.

Indi

cati

ons

by p

ositi

on

sens

or

Los

s of

pr

essu

re

com

pens

a-ti

on

Nor

mal

op

erat

ion

51

42

4

1.3

For

mat

ion

of

wax

/ hy

drat

es

on/ a

roun

d be

l-lo

ws

Bel

low

sL

2S

epa-

rate

ta

sk

Can

occ

ur if

pro

-du

ced

flui

d en

ters

co

mpe

nsat

or

Bel

low

s st

uck,

bl

ocke

d,

reta

rded

m

ovem

ent

Sam

e as

1.

1A

s ab

ove

+

flus

hing

w

ith

met

ha-

nol..

Indi

cati

ons

by p

ositi

on

sens

or u

pon

rest

art

Los

s of

pr

essu

re

com

pens

a-ti

on

Shu

t-do

wn

51

42

4

1.4

Fat

igue

Bel

low

sL

25

Bet

ter

docu

men

ta-

tion

than

EJM

A

stan

dard

req

uire

d.

Pro

babi

lty

of f

ail-

ure

<<

0,2

7%, O

K

EJM

A &

Fatig

ue li

fe

revi

ewed

Def

orm

a-ti

on, d

isin

-te

grat

ion

of b

ello

ws

Sam

e as

1.

1N

ot re

quir

ed

if fa

tigu

e lif

e ca

n be

doc

u-m

ente

d

Indi

cati

ons

by p

ositi

on

sens

or

Los

s of

pr

essu

re

com

pens

a-ti

on, l

eak-

age

Nor

mal

op

erat

ion

51

42

4

1.5

Cor

rosi

onB

ello

ws

L2

OK

Bet

ter

docu

men

ta-

tion

of

corr

osio

n pr

oper

ties

of I

n-co

nel 6

25 r

equi

red

Inco

nel 6

25

OK

if s

urfa

ce

hard

ness

≤ 3

5 H

RC

Dis

inte

gra-

tion

of

bel-

low

s

Sam

e as

1.

1N

ot re

quir

ed

if c

orro

sion

pr

oper

ties

in

prod

uced

fl

uid

can

be

docu

men

ted

Indi

cati

ons

by p

ositi

on

sens

or

Los

s of

pr

essu

re

com

pens

a-ti

on, l

eak-

age

Nor

mal

op

erat

ion

51

42

4

1.6

Inst

abil

ity

due

to o

verp

res-

sure

Bel

low

sL

2O

K?

Pos

sibl

e du

ring

se-

vere

tran

sien

ts?

Tra

nsie

nts

and

criti

cal

valu

e to

be

docu

men

ted

Def

orm

a-ti

on o

f be

l-lo

ws

Sam

e as

1.

1dN

ot re

quir

ed

if tr

anis

ents

ca

n be

kep

t be

low

som

e cr

itic

al v

al-

ue

Indi

cati

ons

by p

ositi

on

sens

or

Los

s of

pr

essu

re

com

pens

a-ti

on

Sta

rt u

p,

shut

do

wn,

tr

an-

isen

ts

51

4

2B

ello

ws

25

2.1

Fat

igue

Bel

low

sL

25

See

4.4

See

4.4

Cra

ckin

g of

bel

low

s K

eep

sys-

tem

oil

and

iner

t oi

l (pr

o-du

ced

flu-

id)

sepa

rate

d

See

4.4

Not

unl

ess

crac

k hi

nder

s m

otio

n of

pis

-to

n

Lea

kage

, se

e al

so 4

.4N

orm

al

oper

atio

n5

14

24


DET NORSKE VERITAS

2.2

Cor

rosi

on (c

an

act a

s in

itial

fa-

tigu

e cr

acki

ng)

Bel

low

sL

2O

KS

ee 4

.5Se

e 4.

5, 6

25

not p

rone

to

pitt

ing

corr

o-si

on

Pitt

ing

of

bello

ws

poss

ibly

ca

usin

g cr

acki

ng

Sam

e as

2.

1S

ee 4

.5N

ot u

nles

s m

otio

n of

pis

-to

n is

hin

-de

red

Lea

kage

, se

e al

so 4

.5N

orm

al

oper

atio

n5

14

24

2.3

Fre

ttin

g (c

an

act a

s in

itial

fa-

tigu

e cr

acki

ng)

Bel

low

sL

2O

K?

Doc

umen

tatio

n th

at f

rett

ing

is n

ot

a pr

oble

m f

or b

el-

low

s (d

esig

n, m

a-te

rial

) re

quir

ed

EJM

A s

tand

-ar

d do

es n

ot

deal

wit

h cr

i-te

ria

for

fret

-tin

g

Cra

ckin

g of

bel

low

s S

ame

as

2.1

Not

requ

ired

if

low

pro

ba-

bili

ty o

f fre

t-ti

ng c

an b

e do

cum

ente

d

Not

unl

ess

crac

k hi

nder

s m

otio

n of

pis

-to

n

Lea

kage

, se

e al

so 4

.4N

orm

al

oper

atio

n5

14

14

2.4

Den

ts, s

core

(c

an a

ct a

s in

i-ti

al f

atig

ue

crac

king

)

Bel

low

sL

2S

epa-

rate

ta

sk

Mus

t be

avoi

ded

duri

ng f

abri

catio

nC

rack

ing

of b

ello

ws

Sam

e as

2.

1P

roce

dure

s fo

r fa

bric

a-ti

on a

nd in

-sp

ecti

on

mus

t be

wor

ked

out.

Not

unl

ess

crac

k hi

nder

s m

otio

n of

pis

-to

n

Lea

kage

, se

e al

so 4

.4N

orm

al

oper

atio

n5

43

4

2.5

Tw

isti

ng

(cau

ses

high

sh

ear

stre

sses

an

d w

ill a

ccel

-er

ate

fatig

ue

crac

king

)

Bel

low

sL

2S

epa-

rate

ta

sk

Doc

umen

tati

on o

f to

lera

nces

for

al

ignm

ent

Cra

ckin

g of

bel

low

s S

ame

as

2.1

Tol

eran

ces

and

asse

m-

bly

proc

e-du

re m

ust b

e w

orke

d ou

t. C

onse

-qu

ence

of

spri

ng f

ail-

ure?

Not

unl

ess

crac

k hi

nder

s m

otio

n of

pis

-to

n

Lea

kage

, se

e al

so 4

.4N

orm

al

oper

atio

n5

43

4

Tabl

e C

-13

Che

cklis

t –

Fai

lure

mec

hani

sm –

Dat

a ba

se (

Con

tinu

ed)

ID

Fai

lure

mec

h-an

ism

ty

pe /

Roo

t ca

use

Equ

ip-

men

t/

part

Risk Cat.

Techn cat

MTTF

LCL

Mar

-gi

nC

omm

ent

Sour

ce

Rev

Date

Fai

lure

M

ode

Fun

ctio

nR

isk

redu

c-in

g m

easu

reD

etec

tion

Eff

ect

Ope

rat-

ing

mod

e

Service life (Year)

Rev. Fre

Rev.Con

Init Fre

Init Con

DET NORSKE VERITAS


DNV-RP-A203: Qualification Procedures For New Technology · Det Norske Veritas has in year 2000 and...

Documents

Transcript of DNV-RP-A203: Qualification Procedures For New Technology · Det Norske Veritas has in year 2000 and...