Quantitative risk assessment (QRA) has been extensively employed in the design phase of hazardous process facilities to ensure compliance with safety requirements. These requirements may be defined as acceptance criteria that express a tolerable risk level. Conventional QRA studies provide risk estimates and support decisions that are related to the design of an industrial installation [1
]. The risk models applied to the design phase QRAs are suitable for reflecting the technical design of an installation. These models, however, have a limited focus on changes in the operating and environmental conditions and their potential impact on risk. As a result, new methods and models have been developed for the quantitative analysis of changes in risk levels, which is referred to as dynamic risk analysis (DRA) in the process industry. DRAs are performed in the operational phase to update the risk level over a certain interval based on operational experiences and field data or predict the risk level for the upcoming period based on precursor data [4
]. However, appropriate validation for DRA is still an unexplored domain. For this reason, this study aims to suggest a set of relevant approaches.
Numerous representative DRA methods have been developed for safety-critical sectors, such as the oil and gas (O&G) sector: The organizational risk influence model (ORIM) [5
], the barrier and operational risk analysis of hydrocarbon releases (BORA-release) [6
], and the risk modeling through integration of organizational, human and technical factors (risk-OMT) [8
]. These methods extend the existing QRA models by explicitly incorporating organizational and operational factors. They have proved useful in periodic updates of QRA results by reflecting changes in the parameters and assumptions of QRAs. Further developments of these methods employ machine learning techniques [9
]. However, a specific challenge when using these methods is the ability to provide relevant input data [10
], and therefore, the use of these models is difficult in practical cases. For this reason, a new DRA method named risk barometer (RB) was developed in the context of integrated operation (IO) concepts, also known by O&G companies as Field of the Future (BP), Smart Fields (Shell), eOperations and eField [12
]. These concepts refer to the integration of people, work processes and information technology to make smarter decisions and achieve extended operational lifetime, reduced costs, and improved safety, production and recovery rates. It is enabled by global access to real-time information, collaborative technology, and integration of multiple expertise across disciplines, organizations, and geographical locations [12
] representing virtual industrial clusters. IO concepts enable access to an increasing amount of real-time data related to safety barrier performance and operational conditions [14
], which underlie the Risk Barometer (RB) method [15
]. The RB method is mainly applied to O&G, but DRA is not limited to this domain [16
]. Analogously, safety barriers are not only widespread within O&G, but they are also becoming a pivotal concept for other industries [17
], as they are generically defined as physical or non-physical means that are planned to prevent, control, or mitigate undesired events or accidents [18
The primary aim of the RB method is to use this dataset as a basis for continuously capturing the changes in operational conditions and dynamic aspects of risk in an improved way. In many cases, a lack of detailed knowledge about the relation between the actual risk level and the associated causal factors may exist. For this reason, the risk level is calculated by considering the contributions from the involved safety barriers. In this way, time for processing information and calculating the risk can be reduced, which may enable a more frequent update of the risk [15
]. Note that the RB method emphasizes visualizing the results. Thus, the results are understood by the operational personnel [15
]. Despite these practical benefits, the RB method may disregard certain contributors to risk or be based on unrealistic assumptions [19
]. Therefore, investigating whether the RB method is suitable for quantitative analysis of risk in the relevant operational and decision context is essential.
This standpoint is particularly pertinent to the validity concept for risk analysis, which can be established based on an argument. It is referred to as cost-effective usefulness: Quantification of risk provides safety benefits compared with other methods that are based on qualitative approaches [20
]. For example, the existing QRAs used in design can provide quantitative risk measures, which are used to prove compliance to regulations that concern the safe design in the long term [20
]. New DRA methods, such as the RB method, can quantify the changes in the total risk level in a shorter time, which may not be obtained by traditional QRA. This finding provides decision support regarding barrier performances and safe operations [15
]. If we consider also the IO context in which the RB has been developed, the main issues concerning its validity are detailed as follows:
Is the method capable of identifying major accident scenarios and the critical safety barrier?
Is the modeling approach suitable for capturing the changes in the operations and updating the risk level over time based on the collected data?
Are the results similar compared with other recognized DRA methods?
Are the outcomes sufficiently realistic to be applicable for industrial cases?
Is the method functional to the achievement of sustainable integrated operations across systems?
As Cumming [23
] states, the validation procedures for risk analysis techniques are limited. For this reason, a set of fundamental validation approaches were selected from Suokas’ work [24
] to address DRA issues: (i) Reality check (comparison with operating experience of corresponding installations), (ii) benchmark (comparison with a parallel analysis of the same installation or activity), and (iii) peer review (examination of the output of the risk analysis by technical experts).
Goerlandt et al. [21
] present these approaches for establishing the pragmatic validity of risk analysis. The authors state that the first approach concerns the validity of a generic analysis method and can be applied to validate the results of a specific risk assessment. The second approach is primarily intended for evaluating the coverage of an analysis method and the reliability of the results in terms of analysis content and outcome [25
]. The third approach can be applied to specific risk analysis and builds on the personal experience of individuals having technical expertise on the considered phenomena, practitioners, or risk analysis experts [21
We illustrate how these approaches may be used to establish the validity of a DRA method when applied to a specific accident scenario. The RB method is considered for this purpose, but the approaches can be applied to any DRA technique.
After this introductive section, Section 2
describes the dynamic risk analysis method and the validation approaches. Section 3
illustrates the case-study used in this work. In Section 4
, we report the results from the validation process of the considered dynamic risk analysis method. Section 5
and Section 6
present the discussion and concluding remarks.
3. Case Study
The O&G industry is gradually implementing IO strategies to support work processes [12
]. This implies important changes compared to traditional operations where O&G production was almost totally managed by the platforms with little or no interaction with external parties. Now the boundaries of the system are reshaped by using available digital infrastructures and real-time data to monitor operations and control processes remotely. The exchange of information over large distances without significant delay and the use of high-quality collaboration technology connects different actors and increases access to expert knowledge.
This is particularly important in complex installations characterized by numerous wells connected through flowlines to a floating production storage and offloading (FPSO) unit. The FPSO exports to trading tankers and collaborates with nearby drilling platforms, onshore facilities to process and distribute the product, and a number of contractors collaborating and depending on each other within the operations (Figure 3
). Such installations may represent a virtual cluster of organizations with multiple expertise across disciplines, organizations, and locations [12
Although the geographical location has progressively become secondary for the abovementioned aspects, it is still critical for what concerns production. For instance, installations producing from oil wells in soft formations commonly require appropriate precautions, such as control of sand or fines with fluids [54
]. Sand does not have economic value and can plug wells, erode and corrode equipment, and reduce well productivity. In certain producing regions, sand control completions generate considerable operational expenses. Paltrinieri et al. [14
] have previously suggested DRA strategies to effectively control the potential loss of containment due to oil sands. Continuous monitoring is essential for providing effective management of the safety barriers in place, regardless of the managers’ physical location. Due to these specific criticalities, this case is considered for the validation of the RB. The case is based on the results from a project with a major oil company within the overall framework of the Center for Integrated Operations in the Petroleum Industries [55
]. Details are provided elsewhere [14
3.1. Description of the Installation
The case study is based on a sand erosion issue in a real offshore oil production installation with multiple topside modules. A multi-jointing yard and marine supply base support the FPSO operations from onshore. The production installation is located subsea and connected with a spread-moored FPSO, which is used as a hub to process and store the fluids produced from the subsea wells. Figure 3
shows a representation of the facility that is considered for the case study. The analysis focuses on the riser of the FPSO (highlighted in red in Figure 3
) and its material degradation due to the processes of erosion/corrosion. The riser is a piping system in which a multiphase stream (e.g., containing oil, gas, and water) is sent from the wells to the preliminary treatment on the on-board process facility.
An excessive sand production rate, i.e., an increase in both sand production and flow velocity that exceeds a critical threshold, causes pipeline material degradation. Sensors to detect oil sand are usually employed [14
An acoustic sand detector (ASD) performs online monitoring and provides immediate information. The ASD records the noise produced by sand carried in the process flow. The detectors are placed subsea on the outside of the flow line bends and detect the noise made when sand collides with the pipeline wall.
An erosion probe, i.e., a metallic surface inserted in the well stream is physically eroded by passing sand particles. This detector is placed topside and only reports accumulated effects over a longer time period.
One of the main safety measures that are used to prevent sand erosion at the root of the problem is the gravel pack. A gravel pack is a downhole filter that is held in place with a properly sized screen. In case the gravel pack is not sufficient and excessive sand production is detected, a specific sand response procedure should be performed.
A sand response procedure that is based on sensor-based monitoring [14
] is also employed as a prevention measure. This procedure implies that if sand is detected and its rate exceeds a specific threshold, the flow line should be choked back until the sand production rate is acceptable. Generally, the acoustic sand detector is used for dynamic monitoring, and the erosion probe represents subsequent confirmation of the results.
A corrosive environment and sand deposit may also cause pipeline material degradation due to corrosion. The gravel pack is a safety measure for this scenario, as it can prevent sand production and sand deposit where the flow is slowed by line bends. Injection of appropriate chemicals into the fluids to inhibit corrosion (chemical treatment) is another safety measure that is defined to prevent a corrosive environment, which may be based on sensor detection of oil corrosiveness. Moreover, cleaning pigs to run within the riser can be employed if a sand deposit is expected from the results of the sand detectors.
3.2. FPSO Lifecycle
The study focuses on the operations during the FPSO lifecycle, which is assumed to be 25 years. For this reason, the evolution of 87 items that describe the installation’s technical, operational and organizational factors was simulated within this period. To avoid specific organizational and maintenance management implications, the following main assumptions are considered in the application:
illustrates a selection of the simulated items, which are not indicators but details that describe the evolution of the technical, operational and organizational factors that represent the FPSO lifecycle for a period of 25 years (for this reason, no measuring time is reported). The definition of these items was inspired by the aspects considered by the REWI method [56
]. The DRA techniques that were considered in this study (RB and TEC2O) are based on indicators that are similar but not identical (e.g., they may be based on a different measuring time, the indicators are reported in Tables S1 and S2 in the Supplementary Materials
) and the items in Table 3
are the basis for their definitions. While most of the technical items are simulated based on literature and statistical sources [57
], the operational and organizational items are simulated using sinusoidal trends with a randomly changing mean value to reproduce the relative unpredictability. Time evolution is described using a hyperbola function and initial indicators values are set equal to the values reported by Øien and Sklet [59
4.1. RB Application
Step 1: Scenario definition. A hazardous event was defined as material degradation of the riser wall. The hazard is the presence of sand particles in the hydrocarbon flow from the well. The two identified events that cause degradation are (i) erosion due to excessive sand production with exceeding velocity, and (ii) corrosion due to sand under-deposit combined with corrosive environment.
After the identification of possible event sequences, barriers are considered. The existing proactive barriers include the gravel pack, the sand response procedure, pigging, and chemical treatment. Reactive barriers to degradation caused by erosion and corrosion are operational strategies and erosion/corrosion allowance. The final outcomes are listed as follows: (1) Loss of containment, (2) loss of production, and (3) unscheduled repair. The total result of Step 1 is presented in the bowtie diagram depicted in Figure 4
Step 2: Review of relevant information sources.
Specific information about the case was obtained from three workshops with the major oil company (participants listed in Table 4
), which enabled a set of indicators to be identified based on the barrier systems and their relative importance.
Furthermore, the generic information employed for this step includes studies of sand production during extrusion of hydrocarbon [54
], risk indicators [4
], and expression of barrier criticality [19
Step 3: Establishment of barrier functions and systems.
The first degradation event sequence refers to erosion caused by an excessive amount of sand in which the critical threshold velocity of the oil flow is exceeded (NSC1). The involved safety function is “prevent erosion”, which is achieved by two safety barriers: B1 filtering sand particles with a gravel pack, and B2 sand response procedure after the detection of excessive sand. Two barrier elements are used for sand detection, i.e., ASD and erosion probe. The second degradation event sequence refers to corrosion, which may occur with sand under deposit (NSC2) in a corrosive environment (NSC3). The safety function, in this case, is “prevent corrosion”, which is achieved by three safety barriers: B1 gravel pack, B3 cleaning pigs, and B4 corrosion inhibitor. The major event of loss of containment is prevented by B5 (erosion/corrosion allowance) and B6 (operational strategy). The results of this step are represented by the objective tree depicted in Figure 5
Step 4: Evaluation of relative importance of safety barriers. As the QRA is not available, the results from Steps 1–3 are used to perform a qualitative evaluation of the safety barriers and define their relative importance. A qualitative evaluation of the safety barriers is presented as follows:
The gravel pack (i.e., physically installed to prevent sand in the well fluid to flow to the production unit) is a passive barrier system. This system applies to the excessive sand production rate (NSC1) and sand deposit (NSC2).
The sand response procedure (i.e., operator intervention as a response to excessive sand production rate detected by ASD and erosion probe) consists of technical and operational barrier systems that apply to the sand production rate (NSC1) and can prevent sand erosion.
Pigging activity (i.e., the pigging equipment removes sand deposits in the riser) is a technical barrier that applies to the sand deposit (NSC3). However, it cannot prevent corrosion.
Inhibition (i.e., injection of corrosion inhibitors) is an operational barrier that applies to a corrosive environment (NSC2) but cannot prevent the corrosion phenomenon.
Pipe wall allowance (i.e., increased design thickness of the riser wall) is a passive technical barrier that can mitigate material degradation (CE).
Operational strategy (i.e., modification of production strategy) is an operational barrier that mitigates degradation (CE) and is the last barrier for preventing the final major events of release (ME1), loss of production (ME2), and unscheduled maintenance (ME3).
The following criteria are also considered for the definition of the barrier relative importance.
A safety barrier should be active (controllable) to be considered in the RB model. For simplicity, passive barriers are considered a constant factor as their degradation is not within the primary scope of the RB application. The RB primary scope is to provide operational support for actions that can directly control the process.
The relative importance of a safety barrier within the RB model increases with its proximity to the final major event. This importance is demonstrated by the sensitivity analysis performed on barrier i
by assessing its Birnbaum-like measure
), where R
is the total risk and FP is the barrier failure probability [15
]. The failure of a safety barrier at the beginning of a sequence of barriers can be considered relatively less critical than the failure of the last safety barrier that separates the target from a major accident.
The relative importance of a safety barrier within the RB model also increases with the number of unwanted events that it can address. This importance is demonstrated by the sensitivity analysis of barrier i
that was performed by assessing the Birnbaum-like measure [15
] (Figure 6
Based on the qualitative evaluation and the mentioned criteria, the relative importance of the barriers is defined and expressed by the ranking in Table 5
Step 5: Establishment of barrier performance indicators.
Sets of barrier performance indicators are defined based on the information collected during the workshops with the major oil company involved in the case study (Table S1
). For instance, the indicators defined for the barrier “sand response procedure” are shown in Table 6
. Due to the lack of frequency values for the NSCs, a constant status is assumed to focus on barrier performance variations.
Step 6: Establishment of a risk model.
The established risk model is based on the bowtie diagram in Figure 4
. For simplicity, indicator weights were considered uniform, but assessment using the analytical hierarchy process (AHP) based on personnel’s feedback is necessary for further refinement [71
]. Linear interpolation was used to obtain the indicator measure as the items mentioned in Section 3.2
were expressively simulated to facilitate the definition of indicators. However, other simulation functions may be used in case of sparse data. The gravel pack (B1) and erosion/corrosion allowance (B5) are passive barriers. For this reason, they were omitted (Step 4), as shown by Figure 7
. Moreover, the model focuses on the worst-case consequence: Loss of containment (ME1). Risk is defined as the risk of loss of containment.
Step 7: Visualization.
The total result of the RB application is the trend of the loss of containment risk for 25 years (300 months), as shown in Figure 8
, considering the FPSO lifecycle simulation (Section 3.2
4.2. Reality Check
Several queries were performed in the search and considered different combinations of the following keywords: “Corrosion”, “erosion”, “sand oil”, “hydrocarbon leak”, “hydrocarbon release”, “oil leak”, “oil leakage”, “offshore pipeline”, “oil pipeline”, and “pipeline”. In addition, the results were manually filtered based on their relevance to the case.
While the eMARS database [37
] did not provide relevant information, one relevant event was identified from a search on ARIA [38
]. The search on MHIDAS [39
] generated two relevant reports on corrosion events and two reports on offshore oil releases. However, the results from these databases provided only limited information about the purpose of this work.
The search on Google Scholar [40
] revealed further sources of information, such as the following reports on accidents in the petroleum offshore industry:
- Doc. 1.
“Riser and pipeline release frequencies” by the International Association of Oil and Gas Producers [72
- Doc. 2.
“Offshore hydrocarbon releases statistics and analysis” by Health and safety Executive [73
- Doc. 3.
“Hydrocarbon leak on Oseberg A on 17 June 2013” by the Norwegian Petroleum Safety Authority [74
Document 1 reports failure mechanisms and relative occurrence percentages for offshore pipelines. In 36% of the cases analyzed by the document, corrosion is the main failure mechanism. Document 2 does not specifically focus on one type of equipment, such as pipelines. However, the document reports a record of approximately 1600 equipment faults that occurred between 1 October 1992 and 31 March 2002. Almost 20% of the faults were caused by corrosion/erosion. Document 3 by Oseberg A focuses on a gas hydrocarbon leak that occurred on an offshore facility on 17 June 2013. This report indicates that sand production was the direct cause of the accident: “The main reason that the test manifold blown line was able to develop over time and eventually cause a gas leak was that an adequate review of the plant had not been conducted to verify that it could handle sand production”.
This past accident data analysis provides an overview of the sand production issues within the O&G sector. The collected data indicate the criticality of the causes and consequences of erosion/corrosion. These data match the scenario events identified by the RB, which confirm its ability to address major accident hazards. In particular, document 3 highlights the dynamic aspects of the hazardous event and implies that continuous monitoring of risk associated with erosion/corrosion risks is necessary.
Despite similar inputs for RB and the parallel method TEC2O, a comparison of their results may not be straightforward. The RB method provides an adimensional value of risk level, while the TEC2O final result is an updated leakage frequency associated with the FPSO riser. For this reason, the adimensional TEC2O frequency modification factor (FMF) was used to represent the method results:
shows the RB risk and TEC2O FMF for a period of 25 years. The results from both methods follow a total common trend, as most of the peaks match. Moreover, both curves have sinusoidal behavior, which is accentuated in TEC2O FMF. This finding reflects the contribution of operational and organizational indicators, which were simulated by sinusoidal curves. The percentage variations in the RB risk and TEC2O FMF confirm the trend conformity. Note that the RB expresses the risk level on a scale from 1 to 6, while TEC2O FMF can range from 10−1
. Considering these ranges, the RB results indicate a more conservative method, as TEC2O FMF eventually produces a negligible variation of the leakage frequency for the FPSO riser.
Considering that the two techniques have processed similar sets of input data, a kurtosis comparison shows how the techniques evaluate changes in controlling loss of containment. A pointed distribution suggests that the control of the loss of containment has a constant performance, as its risk or FMF are not subject to large variations. In this case, the RB kurtosis shows a situation that is less stable than that of TEC2O (Figure 9
and Table 7
The skewness comparison (Figure 9
and Table 7
) shows how the techniques evaluate the performance in the loss of containment control based on similar sets of input data. Positive skewness indicates a positive performance of loss of containment control, as the associated risk or FMF have relatively low values. In this case, the skewness values of both techniques are positive and similar, TEC2O is slightly higher.
Considering that TEC2O presents higher values of both kurtosis and skewness, we can affirm that the technique generally reports a more positive and stable evaluation for the case (despite a few higher peaks in its derivative, Figure 8
), which confirms that RB is a more conservative technique that flags higher levels of risk.
For both methods, the selected set of indicators (i.e., main model inputs) will affect the selection of data to collect during the operation on a daily basis. Despite the careful selection of the matching indicators for the RB and TEC2O, the methods have different approaches to the translation of physical parameters (e.g., pipeline thickness and age) and qualitative information (e.g., inspection effectiveness) to the standardized range (1–6). The RB presents the relative changes in the risk level, while TEC2O has greater relevance to the existing QRA results (i.e., last updated leak frequency) as a basis.
4.4. Peer Review
The pivotal elements in Table 2
are considered and critically discussed, assuming the perspective of peer reviewers.
Risk acceptance criteria for this case were initially established by the major oil company. However, an external requirement may be compliance with a decreasing trend in historical leak frequency with time for installations on the Norwegian continental shelf after year 2000 [75
]. Moreover, changes in practices, procedures, regulations, or emerging risks associated with design modifications (e.g., new technology) may produce alternative criteria. For this reason, assessment of the validity of the acceptance criteria needs to be iterated with a focus on the coherence between the objectives and the application of the RB in practical cases.
Hazards/set of events.
Identification of hazards and unwanted events included in the case study was also facilitated and subsequently validated by the company experts. However, changes to the equipment and plant during operations, such as the introduction of new technologies or the collection of previously disregarded risk notions, may require a review for completeness of hazard identification. Techniques such as the methodology for the identification of major accident hazards (MIMAH) [27
] may provide generic accident scenarios and establish a basis for peer review. In addition, dynamic procedure of atypical scenarios identification (DyPASI) [28
] can be adopted to consider atypical unwanted events.
The RB model is related to the bowtie diagram defined by the hazard identification phase. This structure is also the result of workshops and follow-up communications with the involved oil company. Further validation may be sought by the Norwegian Petroleum Safety Authority principles for barrier management in the petroleum industry [68
The accident investigation report of the Macondo blowout accident [76
] showed that some barriers had limited ability in performing the desired functions before the catastrophic event. The barrier structure should reflect the relationship between function and systems, which highlights its capabilities and limitations. The model is intentionally revisable to favor expert judgment input, but total coherence is needed. Sets of predefined indicators, such as the REWIs, may be used by peer reviewers for comparative assessment [62
]. The weights assigned to the indicators have been considered uniform in this work due to limited feedback from the company, and accurate weighing enables further model refinement. This weighing is possible via AHP, which is valid only if the weight judgment is coherent [71
Partial sets of risk indicators (input) can negatively affect the model and assessed risk. This work considers only a representative set of indicators and related values. A detailed integration is necessary for industrial applications. For instance, accurate human reliability indicators may be integrated by the SPAR-H (standardized plant analysis risk-human reliability analysis) method to estimate human error probabilities in the petroleum industry [77
RB enables drill-down capabilities, which indicates that the user can understand the cause of risk changes, which may reside in anomalous barrier performance. RB ensures that guidance given to operational staff and experts across systems pertains to parameters that can be directly controlled. The risk level is expressed by a barometer-type visualization and a trend over time. Results that accurately and proactively reflect critical conditions should not only be indicated by these risk indexes but also support user decision-making. The RB is explicitly designed to easily adapt to the user’s needs [32
] based on the feedback collected within the involved company.
In this work, an advanced approach to support the validation of DRA techniques dedicated to the process industry was illustrated. The validation approach relies on three parallel strategies: (i) Reality check, (ii) benchmark, and (iii) peer review.
The benefits of the suggested approach are the completeness and quality of the evaluation. These benefits are ensured by the application of different kinds of methods, which were previously proposed only for standard risk analysis. The effectiveness was demonstrated by a specific validation study. The RB, which is a novel method developed for DRA in the framework of O&G installations, was analyzed by the application of a case study to address sand erosion integrity in virtual O&G cluster, including an FPSO unit. The results from a past accident analysis confirmed the criticality of erosion/corrosion scenarios, as identified by the RB. Moreover, the dynamic nature of the event, which legitimizes the use of dynamic tools such as RB, was highlighted. The benchmark evaluation showed excellent conformity within the results from the RB and TEC2O factors, which validates the applicability of the RB indicators for the event with a loss of containment. A specific procedure for peer review that involves experts from the industrial domain confirmed the suitability of the RB in actual field applications.
This allows building consensus and trust in DRA techniques, as they represent a concrete solution for the implementation of integrated and safety-supported operations across the geographical, organizational, and disciplinary boundaries of the O&G industrial systems.