Documente Academic
Documente Profesional
Documente Cultură
Diploma thesis
By
stud.tech
Rune Vesterkjr
June 2002
Preface
This report presents the results of a diploma thesis by Stud. Techn. Rune Vesterkjr,
completed at the Department of Production and Quality Engineering, Norwegian University
of Science and Technology. The work has been performed from January 2002 through May
2002.
The evaluation, analysis and calculations performed have been subjected to a number of
assumptions, limitations and definitions of system boundaries, all of which are stated further
in the report.
The author will accept no liability for conclusions being deduced by readers of the report. The
results derived in this report are based on a limited amount of sources. Caution should be
taken when using the results from this report further. A greater amount of reliability data must
be gathered to make use of the values calculated in the report.
I would like to thank my supervisors Prof. Marvin Rausand, the Norwegian University of
Science and Technology and Geir-Ove Strand, ExproSoft AS for valuable comments and
contributions to this diploma thesis. I would also like to thank Stein Brre Torp at Statoil
sgard RESU for providing information concerning well intervention, Ivar Ove Endresen at
Statoil for providing HAZOP information, and the rest of the staff at ExproSoft AS for
helping me when needed.
Trondheim, 2002-06-05
Rune Vesterkjr
Norway and the United States of America have specific requirements of subsurface safety
devices like the DHSV. There are no specific requirements in the UK regulations for a DHSV.
The Norwegian Petroleum Directorate (NPD) requires that there at all times shall be at least
two independent and tested well barriers during well activities. Other countries have similar
requirements.
There are two main risk factors regarding oil/gas production, delays in time (lost production)
and the blowout risk. Lost production occurs when the well is unable to produce as expected
due to different problems, and is equal to economic loss in oil production. Risk related to the
installation and completion of a subsea oil/gas well is mainly related to blowout risk and time
delays. Production related risk comprises economic and environmental risk. The workover
risk is represented mainly by time delays and the blowout risk.
Fault trees display the interrelationships between a potential critical event in a system and the
reasons for this event. The TOP event of the fault tree analysis in this study is formulated,
Sustainable leakage to the surroundings through either the x-mas tree or the wellhead during
normal shut-in conditions.
Unavailability calculations are done in regard to the two exampled situations. The Mean
Fractional Dead Time (MFDT) model is applied in the calculations. MFDT can be given two
different meanings; the percentage of time where we are unprotected by the safety function, or
the probability that the safety function will fail on demand.
An introduction to well intervention methods and equipment is given in the thesis. There are
two types of well interventions, light and heavy (also known as workover). A blowout
preventer (BOP) system is a set of valves installed on the wellhead to prevent the escape of
pressure either in the annular space between the casing and tubing during drilling, completion
and workover operations.
HAZOP (Hazard and Operability analysis) is a method used to identify and assess problems
that may represent risks to personnel or equipment, or prevent efficient operation. Essentially
the HAZOP procedure involves taking a full description of a process or a procedure and
systematically question every part of it by the use of guide-words.
A HAZOP of the BOP handling procedure during workover is performed. The most frequent
finding in this HAZOP is the need for preparation before the different operations begin and
securing of the subsea equipment. The main hazards related to the BOP handling procedure
are delays in operation, dropped BOP and leakage to sea. If the operation is delayed it will
result in lost production and extra cost related to hiring of a workover rig and other
equipment. If the BOP is dropped this will always lead to a time delay, but more serious
scenarios may also occur.
Based on the quantitative findings in this study the DHSV reduces the risk of blowout. A
removal of the DHSV represents an increased failure probability, and two independent and
tested well barriers are not present in all cut sets. None of the cut sets do, however, violate a
required SIL3 level when the DHSV is removed from the completion.
The blowout frequency caused by the DHSV during workover is 1.7E-4 per well year, and
8.5E-5 per well year for a well without a DHSV. During production the blowout frequency is
found to be 4.47E-3 per well year for a well with a DHSV, and 1.85E-2 per well year when
the DHSV is removed. In addition to the blowout frequency during production and workover
a blowout frequency caused by accidental events should be included. The total blowout
frequency is found adding up the different contributions:
The DHSV blowout frequency contribution during installation is not included in this study.
There is no data revealing the changes in blowout frequency when the DHSV is removed for
the installation phase.
The blowout frequencies found in the calculations are of very high. In total a removal of the
DHSV increases the blowout frequency. It is reasonable to believe that the calculations in this
report are either based on insufficient data, a bad model or calculated errors. Other factors
may also have contributed to the high frequency.
An alternative calculation method based on the proportion of the frequencies of the TOP-
events, and the experience data found in ref.[7] is applied. In the new calculations a removal
of the DHSV will increase the blowout frequency of 3.0E-5 per well year. The author finds
this result more reasonable.
50% of the shut-ins of a well leading to a workover are caused by a DHSV failure. A DHSV
failure requires a workover generating a loss of oil production of up to $5,6 million. In
addition there will also be expenses concerning the rental of a workover rig. A total cost of 20
million dollars per intervention is therefore not unrealistic.
The author cannot recommend removing the Downhole safety valve (DHSV) from a subsea
oil/gas production well based on the findings in this thesis. Although there may be some
economic advantages in removing the DHSV the risk of blowout should be given the greatest
attention. In addition to causing pollution, the occurrence of a blowout may in severe cases
lead to a bad reputation among consumers and environmental organisations. The
consequences of a bad reputation are hard to estimate.
A set of recommendations for further work regarding the work done in this thesis is given at
the end of the report.
Contents
Preface.........................................................................................................................................I
Summary and conclusions......................................................................................................... II
List of Acronyms and Abbreviations ........................................................................................ V
Contents...................................................................................................................................VII
List of figures ........................................................................................................................... IX
List of tables ............................................................................................................................. IX
1 Introduction ........................................................................................................................ 1
1.1 Objectives................................................................................................................... 1
1.2 Limitations ................................................................................................................. 2
1.3 Report structure .......................................................................................................... 3
2 Rules and regulations ......................................................................................................... 4
2.1 Norway ....................................................................................................................... 4
2.2 United Kingdom......................................................................................................... 4
2.3 United States of America ........................................................................................... 5
2.4 Standard organizations ............................................................................................... 5
2.5 Regulatory challenges ................................................................................................ 5
3 Use of acceptance criteria .................................................................................................. 7
3.1 The ALARP principle ................................................................................................ 8
3.2 Safety integrity level (SIL)......................................................................................... 9
4 Overall risk assessment .................................................................................................... 11
4.1 Consequences ........................................................................................................... 11
4.1.1 Economic.......................................................................................................... 12
4.1.2 Blowouts........................................................................................................... 12
4.2 Installation related risk ............................................................................................. 14
4.3 Production related risk ............................................................................................. 14
4.4 Workover related risk............................................................................................... 15
5 Risk reducing effect of a DHSV ...................................................................................... 17
5.1 Case example............................................................................................................ 17
5.1.1 Production tree ................................................................................................. 17
5.1.2 Production well ................................................................................................ 18
5.2 Barrier analysis......................................................................................................... 21
5.2.1 Case example.................................................................................................... 21
5.3 Fault Tree Analysis .................................................................................................. 25
5.3.1 Case example.................................................................................................... 25
5.4 Unavailability calculations....................................................................................... 26
5.4.1 The Mean Fractional Dead Time calculation model........................................ 26
5.4.2 Calculations done in CARA............................................................................. 28
5.4.3 Calculations done by hand ............................................................................... 28
5.4.4 CARA calculation results................................................................................. 29
5.4.5 Hand calculation results ................................................................................... 30
5.5 Risk reducing findings in the Case example ............................................................ 33
5.5.1 Comments to the risk reducing findings .......................................................... 35
6 Well intervention.............................................................................................................. 36
6.1 Intervention types..................................................................................................... 36
6.1.1 Light intervention............................................................................................. 36
6.1.2 Heavy intervention (workover) ........................................................................ 36
6.1.3 Workover equipment........................................................................................ 36
List of figures
Figure 3-1 Levels of risk and the ALARP principle [32] .......................................................... 9
Figure 4-1 Consequence breakdown structure of the installation of a subsea production well11
Figure 4-2 Consequence breakdown structure of normal production on a subsea production
well ................................................................................................................................... 11
Figure 4-3 Consequence breakdown structure of a workover on a subsea production well .... 12
Figure 5-1 Horizontal X-mas tree from the sgard field [24] ................................................. 18
Figure 5-2 A sketch of the production well used as an example in this thesis......................... 20
Figure 5-3 Barrier diagram for an oil/gas producing well with a DHSV................................. 23
Figure 5-4 Barrier diagram for an oil/gas producing well without DHSV .............................. 24
Figure 5-5 A plot comparing the approximation and the general formula of unavailability. .. 27
Figure 5-6 The parallel structure of two tested barriers ........................................................... 29
Figure 5-7 A fault tree illustrating the scenario when the flow has to be shut in due to a crisis
.......................................................................................................................................... 32
Figure 5-8 Sensitivity analysis of the total blowout frequency at different frequencies of
accidental events per well year......................................................................................... 34
Figure 6-1 A conventional subsea blowout preventer stack .................................................... 38
Figure 6-2 Flow chart of a HAZOP examination procedure (based on [2]) ............................ 44
Figure 6-3 A typical blowout preventer used on subsea wells................................................. 46
List of tables
Table 3-1 Experienced overall FAR values for offshore workers in the UK, Norway, and U.S.
GoM OCS, January 1980-January 1994 [7]....................................................................... 8
Table 3-2 Safety integrity levels for safety functions operating on demand or in a continuous
demand mode from IEC 61508-1, Table 2 and 3)[28]..................................................... 10
Table 3-3 Minimum SIL requirements - global safety functions, an extract [28] ................... 10
Table 4-1 Blowout frequencies as input to risk analysis of offshore installations, both subsea
and platform wells [7] ...................................................................................................... 13
Table 5-1 The unavailability of the TOP-event for a well with and without a DHSV at
different points of time t and the annual average calculated in CARA............................ 30
Table 5-2 The unavailability of selected cut sets concerned by the presence of a DHSV....... 30
Table 5-3 Calculation result of the cut sets with an applied lifetime of t=5years, t=10years and
t=15years .......................................................................................................................... 31
Table 5-4 Increased unavailability of the different cut sets when the DHSV is removed ....... 31
Table 5-5 The blowout frequency per well year for a well with and without a DHSV, and the
risk reducing effect of the DHSV..................................................................................... 34
Table 6-1 Advantages and disadvantages with the HAZOP analysis [9] (with some
supplements of the author.) .............................................................................................. 43
Table 6-2 HAZOP work sheet of the BOP handling procedure............................................... 48
1 Introduction
Subsea installations are expensive to repair. If a failure occurs a workover rig is needed to
perform an intervention. The weather conditions in the area also affect the situation and repairs
may take a long time. Accidents have to be avoided, and the production loss kept to a
minimum for the situation to be viable. High reliability is therefore essential for all subsea
production systems.
According to regulations issued by the Norwegian Petroleum Directorate and the U.S. Mineral
Management Services (MMS), a Downhole Safety Valve (DHSV) is required in all production
and injection wells. The DHSV functions as a safety barrier. If a critical situation occurs the
DHSV may shut-in the flow from the reservoir and prevent a disaster.
The DHSV protects the surroundings when it functions as intended during production. Studies
have shown that 50% of all well interventions are caused by DHSV failure [25]. During well
intervention the risk of blowout is increased to an essential degree compared to the production
phase. The consequences related to subsea production blowouts are not of the same proportions
as for a platform well. Human risk is dramatically reduced when the well is not in direct
connection with the platform. All available reliability data is provided mainly from platform
wells. Due to the reduced human risk it is therefore reasonable to assume that subsea wells are
subject to a lower risk level.
Some experts say that the risks related to well intervention caused by DHSV failure is equal or
higher than the risk reduction a fully functioning DHSV represents. The need for a DHSV in a
subsea well is therefore not considered necessary in a subsea well. A paper was issued in the
Society of Petroleum Engineers (SPE) in 1999 [4] concerning this matter. The basis for the
statements made here is not well founded [19]. A better and more precise evaluation of the role
of the DHSV is needed before a conclusion can be stated.
1.1 Objectives
The overall objective of this diploma thesis is to develop an understanding of the contribution a
downhole safety valve (DHSV) represents to the overall risk in a subsea oil/gas well. This
diploma thesis will focus on the risk related to a DHSV at different phases during its lifetime.
The contribution the DHSV represents to the overall risk during installation, production and
well intervention is considered.
a) Give an overview of the requirements related to safety barriers and downhole safety
valves (DHSV), in Norway, the United Kingdom and the United States of America.
b) Introduce the reader to the use of acceptance criteria within offshore oil/gas production.
Explain the use of the ALARP-principle and the Safety Integrity Level (SIL) in
solving acceptable risk problems.
c) Find the risk reducing effect of a DHSV in a subsea oil/gas well. A case example will
be used to illustrate the effect. Barrier diagrams, fault trees and unavailability
calculations are used in the assessment.
d) Comment the consequences related to an unwanted event in the different life phases of
a well. Illustrate the economic and environmental effect in form of blowouts and lost
production.
e) Identify and describe risk related to the installation, production and workover phases of
a well.
f) Describe the different types of intervention and the most important intervention
equipment. This is done will be order to provide a basis for a HAZOP of the BOP
handling procedure in a workover situation.
g) Introduce the reader to the use of HAZOP as a risk assessment tool. Use the HAZOP
method to perform a detailed risk analysis on a part of a well intervention.
1.2 Limitations
The contents of System Reliability Theory [8] are assumed known to the readers of this report.
This includes the principles of fault tree analysis and reliability definitions. A limited
understanding of oil production is also required, although a brief introduction to subsea oil
production is given in appendix A.
The included rules and regulations concerning the presence of a Downhole Safety Valve
(DHSV) are limited to those of Norway, the United Kingdom and the United States of
America.
Due to lack of provided cost information from the operation companies, part four of the
diploma task is removed in agreement with Prof. Marvin Rausand, supervisor.
When identifying the risk reducing effect of a downhole safety valve (DHSV) is the case
example only the barrier situation to prevent leakage to the surroundings during a normal
shut-in will be modelled. External factors affecting the barrier situation like sabotage,
earthquakes and environmental influence on the well will not be applied to the barrier scenario.
The barriers analysed in the unavailability calculations are considered to be independent and
common failures are not included.
A HAZOP analysis of a well intervention is too extensive to be fully performed in this thesis.
Therefore the HAZOP is restricted to the BOP handling procedure, in understanding with Prof.
Marvin Rausand.
In chapter two overview of the different rules and regulations concerning the presence of a
Downhole Safety Valve issued in Norway, U.K. and the U.S. are presented.
The third chapter gives an introduction to the use of acceptance criteria in a risk assessment.
The ALARP-principle and use of a safety integrity level (SIL) are explained to perform a
evaluation basis for the assessment done in the following chapters.
A qualitative overall risk assessment with respect to the completion, production and workover
phase of a well is performed in chapter four. Chapter five presents the risk reducing effect of a
DHSV. Unavailability calculations are done to give quantitative results of the risk reducing
effect.
Chapter six looks into well intervention and provides a basis for an intervention where the
DHSV is replaced. A HAZOP analysis is carried though to reveal weaknesses in the BOP
handling procedure.
The final chapter, seven, concludes the thesis. The authors recommendation to whether or not
a DHSV should be present in a subsea well is given. Recommendations for further work are
also provided.
2.1 Norway
In Norway, the following requirements to well barriers are included in the regulations from the
Norwegian Petroleum Directorate (NPD):
Section 76:
During drilling and well activities there shall at all times be at least two independent
and tested well barriers after the surface casing is in place, cf. also the Facilities
Regulations Section 47 on well barriers.
If a barrier fails, no other activities shall take place in the well than those
intended to restore the barrier.[29]
Section 47:
Well barriers shall be designed so that unintentional influx, crossflow to shallow
formation layers and outflow to the external environment is prevented, and so that they
do not obstruct ordinary well activities. [30]
The NPD has also issued specific requirements related to the use of downhole safety valves
(DHSV):
Section 53:
Completion strings shall be equipped with downhole safety valves (SCSSV). If the
production annulus is used for gas injection, this equipment shall also be equipped with
downhole safety valve (SCSSV) to provide for annulus barrier testing. [30]
There are no specific requirements in the UK regulations for the installation of any type of
downhole valve in any type of well. The regulations, which do apply to this situation, are; The
Offshore Installations and Wells (Design and Construction etc,) regulations 1996, regulation
13.1:
and The Offshore Installations (Prevention of Fire and Explosion and Emergency Response)
regulations 1995, regulation 9.1 which requires installation owners to take appropriate
measures to prevent the uncontrolled release of flammable fluids. This regulation applies in
principle to subsea wells [31].
In practice the HSE would question any proposal to complete a production well without a
downhole safety valve but in some cases it might be possible for the company proposing the
well completion to argue that the inclusion of such valves was not reasonably practicable.
This would require a demonstration that the sacrifice (time, trouble and expense, including
increased risk) of installing the valve was grossly disproportionate to the benefit [31].
Paragraph 250.800:
Production safety equipment shall be designed, installed, used, maintained, and tested
in a manner to assure the safety and protection of the human, marine, and coastal
environments. [11]
Paragraph 250.801:
All tubing installations open to hydrocarbon-bearing zones shall be equipped with
subsurface safety devices that will shut off the flow from the well in the event of an
emergency unless, after application and justification, the well is determined by the
District Supervisor to be incapable of natural flowing. These devices may consist of a
surface-controlled subsurface safety valve (SSSV), a subsurface-controlled SSSV, an
injection valve, a tubing plug, or a tubing/annular subsurface safety device, and any
associated safety valve lock or landing nipple. (c) Surface-controlled SSSVs. All
tubing installations open to a hydrocarbon-bearing zone which is capable of natural
flow shall be equipped with a surface-controlled SSSV. [11]
During production activities at least two independent and tested barriers shall be
normally available between reservoir and environment in order to prevent an
unintentional flow from the well. The barriers shall be designed for rapid
reestablishment of a lost barrier. The position status of the barriers shall be known at
all times.[17]
Standards issued from the American Petroleum Institute (API) and the International
Organization for Standardization (ISO) refers to the DHSV as if the presence in an oil/gas well
is obvious. The standards include descriptions of design, installation, repair and operation of
the DHSV. The existing standards are more of technical character. None of the current API and
ISO standards, however, includes a demand for a DHSV in a subsea well.
question any proposal without a DHSV, but if the inclusion was not reasonably practicable
an assessment should be done. The author sees an opportunity to persuade the authorities if a
proper documentation of the needlessness of a DHSV is provided. In Norway the regulations
do, however, also require a minimum of two independent and tested barriers between the
reservoir and the environment. The DHSV is considered to be the primary barrier and the x-
mas tree to be the secondary barrier. A revision of the barrier formulation must be done if the
DHSV is to be removed from the completion. Considerations of making the x-mas tree either
the only barrier or implementing another and more reliable downhole barrier solution should be
taken. This thesis will consider the first alternative, making the x-mas tree the only barrier.
An acceptable level of risk in an activity is described by acceptance criteria. The criteria are
either based on standards, experience or theoretical knowledge. Acceptance criteria express the
probability and consequence of a hazardous event, and may either be qualitative or
quantitative. In a risk assessment the use of acceptance criteria is important to identify areas
that need risk reducing efforts. Acceptance criteria should be expressed in a way that makes
them applicable to the different areas of the assessment. The criteria should reflect the safety
goals of the operator and requirements set by the authorities. For an installation the acceptance
criteria perform a basis for what is consider acceptable at the present time. Formulation
accuracy may vary in accordance with the demand set by authorities and the operating
company. To verify whether the contents of the acceptance criteria are met, the values have to
be quantitative. In other cases the use of qualitative criteria are acceptable.
Acceptance criteria are established according to the extent and purpose of the assessment.
There are mainly three different ways to establish acceptance criteria.
In the Norwegian sector of the North Sea, all operators have to define risk acceptance criteria
according to requirements by the NPD. Different regulations are issued to standardize
acceptance criteria.
Many interest are involved when discussing acceptable risk problems: the interest of society,
the interests of employees, and the interests of the oil company [32]. An important issue of risk
analysis is to determine what hazards present more danger than society is willing to accept. A
level of acceptable risk can be hard to find. To find a balance between having guarantee for a
safe, environmental friendly and healthy focus and making a reasonable profit is sometimes
difficult. The use of the ALARP-principle (As Low as Reasonable Practicable) is one
method to set acceptance criteria. Personnel risk is often subject to the use of the ALARP-
principle. A further description of The ALARP-principle is given in section 3.1.
When dealing with quantitative criteria are set by different methods of measurement. The
Norwegian Oil Industry Association has in the latter times standardized acceptance criteria for
certain operations in the North Sea. A Safety Integrity Level (SIL) to provide a basis for the
evaluation of appropriate risk levels for different events. SIL will be discussed further in
section 3.2.
Human risk
The most common rating when dealing with personnel risk is the fatal accident rate (FAR) and
the PLL-rate (Potential Loss of Life). The PLL-rate presents the average fatal accident per
year. The FAR value is the most common and represents the predicted number of fatalities per
100 million hours exposed to the hazard [7]. The FAR value is a reasonable measure for risk
analysis and a useful indicator in an overall risk approach. It should be noted that FAR values
for specific installations could never be verified through experienced fatality statistics. Low
probability incidents with a high number of fatalities will have high influence on the estimated
FAR value. The Piper Alpha and the Alexander Kielland accidents completely changed the
FAR values for the entire North Sea. The FAR represents an average for all offshore workers;
it is obvious that the value will vary from the drilling crew to the catering personnel on the
platform. Table 3-1 presents the experienced FAR value for offshore workers.
Table 3-1 Experienced overall FAR values for offshore workers in the UK, Norway, and U.S. GoM OCS,
January 1980-January 1994 [7]
Environmental risk
The environmental risk is mainly expressed by a spill rate. The spill rate is denoted by
discharges per kg or m3 per ton produced material. A blowout in Nigeria (1980) is the most
severe incident reported of spills from an installation. 30,000 tons of crude oil polluted the
islands and channels of the Niger delta. In the North Sea or the U.S. GoM OCS there has been
no severe pollution caused by oil spills to sea.
Environmental acceptance criteria must consider the overall risk through the lifetime of a well.
An evaluation of the surrounding environment, the effect of other installations in the area and
the possibility for immediate help in case of emergency must be performed. The use of risk
matrixes and superior criteria, e.g. maximum blowout frequency, provide a basis in a
quantification of the environmental risk.
Financial risk
In a risk assessment the economic aspect will mainly be expressed by cost-efficient
evaluations. The evaluations include a series of important parameters like material loss, loss of
production and costs related to environmental damages. Compilation of acceptance criteria
concerning financial risk is problematic. The risk analysis should ensure that the installation
does not involve an unacceptable high financial risk as a result of an accident.
Combining the acceptance criteria with the ALARP-principle solves acceptable risk problems
[32]. It is compulsory for operating companies to define probability values for certain
Negligible risk
SIL is a discrete level for specifying the safety integrity requirements of the safety functions.
The SIL requirements are based on experience, with a design practice that has resulted in an
adequate safety level. This reduces the need for time-consuming SIL calculations on standard
solutions and ensures a minimum level of safety. Another advantage of using pre-determined
SIL is that these figures can be used as input to a Quantitative Risk Analysis (QRA) during
early design stages and thereby set between the risk analysis and the integrity levels for
important safety functions.
For several safety functions it is difficult to establish generic definitions. Due to process
specific conditions, design and operational philosophies etc., the number of final elements to
be activated will differ from case to case. Consequently, several of the requirements are given
on a sub-function level.
It is important to emphasise that SIL requirements are minimum values, and therefore need to
be verified with respect to the overall risk level. If the QRA reveals that the overall risk level is
too high, e.g. due to a particularly large number of high pressure wells or risers, then this could
trigger a stricter requirement to one or more of the safety functions. Table 3-2 is found in ref.
[28] and shows the quantification of the four different SIL levels. The SIL requirement applies
only to a complete function, i.e. the field sensor, the logic solver and the final element. It is
therefore incorrect to refer to any individual item or equipment having a safety integrity level.
Table 3-2 Safety integrity levels for safety functions operating on demand or in a continuous demand mode
from IEC 61508-1, Table 2 and 3)[28]
An extract of the minimum SIL requirements given in ref. [28] relating to the object of this
thesis is presented in Table 3-3. The SIL requirement concerning the shut-in of the flow in a
well (Wing valve, Master valve and DHSV) is set to 3. It is therefore reasonable to also require
a SIL3 for a well without a DHSV.
Table 3-3 Minimum SIL requirements - global safety functions, an extract [28]
Hazard identification performs a basis for the assessment. The frequency and the related
consequences are evaluated and employed to the problem in order to provide a solution or a
documentation of the potential danger.
The role of the downhole safety valve (DHSV) will be discussed in each of the well life
phases. In this study the completion, production and workover phases will be the main focus.
The DHSV is not present during the drilling phase; this phase is therefore excluded from the
study.
4.1 Consequences
The consequences related to the presence of a DHSV are equal to the ones of well without a
DHSV. The DHSV is rather the cause of either an improvement or deterioration of the failure
frequency.
The consequences relating to incidents occurring in the different life phases of the well can be
broken down as illustrated in Figure 4-1 to Figure 4-3.
Consequences
Consequences
Economic Environmental
Consequences
Each of the possible consequences should be subject to critical evaluation. The frequency
estimates are found either by statistical methods or by the use of engineering judgement. The
human risk may be neglected during the production phase when there are no personnel at the
subsea site.
Consequences related to the DHSV will be subject to further description. There are two main
risk factors to consider, delays in time (lost production) and the blowout risk. One is of
economic character and the other of a more complex character related both to economic and
environmental issues. These two factors are discussed in the following subsections.
4.1.1 Economic
The economic perspective is important in all businesses. For operating oil companies the
economic loss is related to not being able to produce as much as intended. Loss of production
occurs when the well is unable to produce as expected due to different problems.
To illustrate the economic loss a calculation from the sgard field is given.
The sgard field consists of 52 subsea wells producing 3.3 million cubic meters of gas,
200,000 barrels of oil and 65,000 barrels of condensate per day, [23]. If one single well were to
be closed in for a day, with an oil price of $20 per barrel (price today is about $25), the
economic loss would be of $76,920 per day. In addition to this the gas and the condensate that
contribute substantially to the earnings are left out here.
A failure of the DHSV would require a workover. A workover on one of the sgard Smrbukk
wells replacing a failed DHSV lasted for 43 days [35]. In addition there may be a waiting time
of e.g. 30 days or more to get a workover rig to the site. All in all this failure will generate a
loss of oil production of up to $5,6 million. In addition there will also be expenses concerning
the rental of a workover rig ($200.000 per day), operating equipment and personnel costs. The
authorities may also fine the operating company for any leakages that may occur. A total cost
of 20 million dollars per intervention is therefore not unrealistic.
4.1.2 Blowouts
A blowout is defined in ref. [7]
Blowouts are either caused by barrier failures, external factors or a combination of these two.
When all barriers in one or more leak paths fail in a shut-in system, it is considered to be a
blowout. The external factors leading to a blowout are more complex and difficult to explain.
Potential accidental events causing a blowout may be incidents like dropped objects, collisions,
or explosion loads.
The statistical numbers presented here are collected in the period from January 1980 through
January 1994. The latter years SINTEF has collected blowout data, but the data are not
publicly available yet. The results presented here have to go through minor changes to be up to
date. All theoretical considerations are, however, applicable for the scenario we have today.
Table 4-1 lists the blowout frequencies on offshore installations in the Gulf of Mexico outer
continental shelf (US GoM OCS) and the North Sea. A homogenous Poisson process is used to
describe the occurrences of blowouts, with blowout frequency . The blowout frequency is
estimated by [7]:
Number of blowouts n
= =
accumulated operating time s
Table 4-1 Blowout frequencies as input to risk analysis of offshore installations, both subsea and platform
wells [7]
Blowout frequencies
Recom- US GoM
North Sea
Phase mended OCS
frequency
frequency frequency
Completion Per well- completion 0.00023 - 0.00023
Production Per well- year 0.00005 0.00006 0.00005
Per well- year 0.00012 0.00006 0.00017
Workover Per workover (8 0.00093 0.00050 0.00136
years)
In addition to cause pollution the occurrence of a blowout may in severe cases lead to a bad
reputation among consumers and environmental organisations. The consequences of a bad
reputation are hard to estimate. If a boycott of the operating company is carried out it could
lead to greater economic losses.
The oil spill disaster of the Exxon Valdez tanker in 1989 is included to illustrate a possible
outcome of a major blowout. Although this is not an offshore installation the consequences
may be of the same proportions. The Exxon Valdez caused a spillage of over 40.000 ton of
crude oil. Rough estimates claim that 30.000 seabirds, 5.000 sea otters and 22 killer whales
were killed. In the aftermath of the Exxon Valdez disaster a 900 million dollar settlement with
Exxon was announced to settle all federal and state claims. In addition an extra 100 million
dollars in fines were given to cover any additional damage [18]. The negative publicity this
incident has caused Exxon (now Exxon Mobile) is hanging over them today. Negative
publicity not only affects the concerned company but the entire oil industry. The economic
losses related to this are impossible to estimate.
The risk of terror attacks on an oil installation is always present and represents an increasing
threat today. We have seen multiple terrorist-attacks on different target the latter years. The oil
and gas industry is very profitable and may very well be subject to a striking terror attack. The
fatal consequences related to such an attack might not be the major concern of the terrorist.
Completion blowouts occur during installation of downhole and subsea equipment. There have
been seven blowouts concerning the completion phase of the wells during the study in ref. [7].
Most of the blowouts resulted in flow through the tubing or drill string. Holand points out that
for several of these blowouts the BOP-stack (Blowout preventer) did not include a blind-shear
ram. The presence of a functional shear ram would have stopped many of these blowouts at an
early stage and thus prevented the blowout. None of the completion blowouts have caused any
casualties. One blowout caused severe damage when ignited; otherwise there have only been
minor spillage.
During installation the presence of a DHSV makes the procedure more complex. The DHSV
may be scratched or deformed by the pressure and not function. A hydraulic control line is
strapped to the tubing, which increase the installation time. This will not result in any
significant change of blowout risk. Other than the increased installation time the author cannot
se any other inconveniences with the installation of a well with the DHSV.
During normal production the DHSV may fail. The failures occurring are categorised into two
groups, critical and non-critical failures. Critical failures are fail to close (FTC), leakage in
closed position (LCP) or internal leakage (ITL). These failures will, however, not cause the
well to stop the production, but are significant if the DHSV is supposed to fulfil its task.
Premature closure (PC) and fail to open (FTO) will stop the production. If a failure occurs in
between the workover intervals the operating company must force open the DHSV by wireline,
proceed with a full workover or close in the well. The severity of this incident varies according
to when it occurs in the well lifetime. In some cases if failure occurs at the end of the lifetime.
The well pressure may be low and the well may be producing e.g. 80% water. An application
may than be sent to the governmental authorities obtaining a dispensation to produce without a
Diploma thesis, NTNU 2002 14
Is it necessary to install a downhole safety valve in a subsea oil/gas well?
functioning DHSV. In these cases a wireline intervention may be carried out providing a
locked open DHSV awaiting abandonment or a scheduled workover. This option is also
applicable if the DHSV fails with a FTC or LCP. The lost production may in these cases be
reduced by this option. An early DHSV failure, when the production is in its prime, will cause
a more substantial economic loss.
Recent studies show that 50 % of the shut-ins of a well leading to a workover is caused by
DHSV failure [25]. With a DHSV failure rate of 5.84E-6 [13] this means that the DHSV
causes a well workover approximately every 19.6 well year. At the sgard field there are 52
wells. Every 2.7 years they have to carry out an intervention. On the field the total loss of
production, equipment and rental cost will amount to approximately 20 million dollars (see
subsection 4.1.1). In a well lifetime (15 years), this will represent a total value of 111 million
dollars for the operating company. These numbers have not taken in account that the well may
have been abandoned as a consequence of DHSV failure.
A workover is more likely to cause severe pollution than the other stages of the well. The well
is perforated and the production zone is alive nearly all the time. During workover the
operators usually use solid-free workover fluids. A mud filter cake, which during drilling acts
as a seal against the formation, will not be created. As a result continuous losses of formation
occur and may lead to a loss of the well. The casings may have deteriorated due to the stress
they have been affected by in the well.
All blowouts cause economic losses. Downtime of the well involves lost production. Millions
of dollars may be lost if damage to well equipment or workover rigs also occurs. With such
large amounts of money at stake the prevention of a blowout is preferable in preference to
saving money during the completion phase.
None of the blowouts recorded in the SINTEF offshore blowout database has caused severe
pollution. The most severe blowout recorded in the period from 1980-94 of was an oil blowout
emitting 10 m3 into the ocean [7]. Out of the 41 workover blowouts after January 1970, there
have been two reported blowouts with large spills. The Bravo blowout in 1977, 20.000m3
spilled into the North Sea. The second one was in 1992 in the U.S. Timbalier Bays shallow
waters offshore Louisiana. 500m3 of oil drifted ashore and caused damage to the wildlife [7].
The role of a DHSV in the workover process is vague. During the workover the DHSV is
pulled together with the tubing. This process will last slightly longer than if the DHSV was not
present. The control lines strapped onto the tubing mainly cause the delay. During the tubing
retrieval process the straps must be removed and the control lines handled with care. For a
completion without a DHSV the amount of control lines is reduced. Therefore the presence of
a DHSV will result in a more complex workover situation. A DHSV will not cause any
significant change of blowout risk during workover.
The x-mas tree is covering an area of about 4 square meters on the seabed. This is about 0.2
percent of the area for the crane load and 5 percent of the area for the derrick. In total the
frequency of dropping something from a crane or a derrick and hitting the x-mas tree at the
seabed is 2.29E-8 per year.
These calculations have not considered the impact the hit will have and does not include the
effect of water currents. Currents contribute significantly to the total spreading. [3]. Although
the wellhead is hit, the impact may also vary. Not all hits end with a broken x-mas tree. If the
use of safety integrity level (SIL) (see section 3.2) for a low demand system is required, the
probability of dropping an object and hitting the something on the seabed is fulfilling the
requirements of SIL4. A dropped object damaging the x-mas tree and providing a need for the
DHSV to prevent a blowout is therefore by any means within the acceptance criteria.
To be able to calculate the risk with and without a DHSV in the well, the well lifetime is
assumed to be 15 years. This generates in most cases a conservative value for the non-tested
barriers. Periodic testing is carried out to reveal hidden failures in the system. For safety
reasons the most critical functions, including the DHSV, are tested every 6 months. Other parts
of the system are not tested.
In the risk assessment the failure modes, external leakage (EXL), fail to close (FTC), internal
leakage (ITL) and leakage in closed position (LCP) are considered for the different valves.
Figure 5-1 Horizontal X-mas tree from the sgard field [24]
In the example the most common components are included and listed below. Other well
equipment is neglected.
The system of the example well comprise the following main items:
Casing
hanger seals Wellhead seal
Tubing hanger
Hydraulic
control line Casing
hanger seals
DHSV
Seal
assembly
Production packer
Figure 5-2 A sketch of the production well used as an example in this thesis
An item that, by itself, prevents flow of the well reservoir fluids from the reservoir to
the atmosphere [26]
A well barrier system will vary depending on the operational phases of the well.
The barrier analyses are carried out to identify potential leakage paths and are based on barrier
diagrams.
Components provide safety barriers when working as supposed to. There are two main types of
barriers, dynamic barriers and static barriers. A static barrier is a barrier available over a long
period of time. A dynamic barrier is a barrier that varies over time. This will apply for drilling,
workover, and completion operations.
The barriers are normally denoted as primary, secondary and third barrier. It can be stated in
general that the primary barrier is the one in contact with the reservoir. For completion and
workover, in a shut-in well, the hydrostatic pressure is regarded as the primary barrier, and the
subsea equipment, usually a BOP, is regarded as the secondary barrier. During production the
downhole safety valve (DHSV) among others acts as the primary barrier and the x-mas tree as
the secondary.
Barrier diagrams are easy to understand and provide a good view of the barrier situation.
Possible leakage paths between the reservoir and the environment have to be identified to
establish a barrier diagram. The diagrams are read from the reservoir at the bottom and up
through to the surroundings. In the construction of barrier diagrams the safety barriers are
represented with rounded rectangles and connected with lines. To make the diagram easier to
understand triangles and colour codes are added representing different areas of the well.
Barrier ratings are also presented with a colour code. This is not standard, but gives the reader
a better overview of the diagram.
The leakage probability depends on each barrier and the structural relationship between the
barriers. If reliability data for the various components are added, a total leakage probability is
possible to assess from the diagram. The complexity in calculation increases with the
complexity of the situation. Therefore barrier diagrams are often transferred to fault trees; these
are commented in section 5.3.
Chapter two of this thesis deals with regulations regarding well barriers. The Norwegian
Petroleum Directorate states:
During drilling and well activities there shall at all times be at least two independent
and tested barriers after the surface casing is in place [29].
master production valve and the wing valve are ordered to close in and be tight. Only the static
barrier scenario of the production phase is included.
The master production valve, wing valve and the DHSV have been given a close
command from the surface control.
The system is shut-in.
Leakage through the tubing and back into the tubing is possible but not considered here.
The x-mas tree is not considered as a single barrier, but each main component is
regarded as a barrier.
The probability of leakage to the surroundings through the casings and cement is very
low and is not accounted for in the barrier- and fault tree analysis.
The leakage paths are illustrated in Figure 5-2. The reliability data dossiers in appendix D
include a column where the applied leakage modes of each valve are listed.
The barrier diagrams for the oil/gas production well with and without a DHSV are presented in
Figure 5-3 and Figure 5-4.
Surroundings
Production
swab valve,
ITL/EXL
Crossover
Production
Crossover
wing valve,
valve, EXL
ITL/EXL
Annulus Annulus
Crossover
master valve master valve
valve, ITL
EXL ITL
Wellhead
Production tubing
13 5/8" casing above DHSV
seal leak
Through
DHSV
A-annulus area A-
DHSV leak
Annulus
Through the DHSV or FTC
Wellhead area
Master production DHSV
EXL
valve ITL
Crossover line/
Production tubing
annulus area below DHSV
Production
packer leaks
Primary barrier
Secodary barrier
Reservoir
Third barrier
Figure 5-3 Barrier diagram for an oil/gas producing well with a DHSV
Surroundings
Production
swab valve,
ITL/EXL
Crossover
Production
Crossover
wing valve,
valve, EXL
ITL/EXL
Annulus Annulus
Crossover
master valve master valve
valve, ITL
EXL ITL
Wellhead
13 5/8" casing
seal leak
Above
tubing
A-annulus area A-
Annulus
Above tubing
Wellhead area
Master production
valve ITL
Crossover line/
annulus area
Production Production
packer leaks tubing
Primary barrier
Secodary barrier
Reservoir
Third barrier
Figure 5-4 Barrier diagram for an oil/gas producing well without DHSV
Fault tree analysis is a deductive technique that focuses on a particular unwanted system event
and provides a method for determining causes for that event. A risk analysis often includes the
fault tree analysis technique for evaluation of the individual component failure modes and their
impact on the system reliability.
The fault tree is constructed with the use of different logic gates and displays the
interrelationships between a potential critical event in a system and the reasons for this event.
The main logic elements are the TOP-event, the AND and OR gates, and the basic events.
The combination of the basic events and the system structure determines whether or not the
TOP-event will occur.
The fault tree provides a static picture of the combinations of failures and events that may cause a
TOP-event to occur. Fault tree analysis, as barrier diagrams, is thus not a suitable technique for
analysing dynamic systems.
The different components of the production well presented in subsection 5.1.2, are represent
basic events in the fault trees. The barrier diagrams, of subsection 5.2.1, provide the basis for
the fault tree construction. In order to simplify the construction of the fault tree, external stress
and common cause failures are not included.
The fault trees constructed for the oil/gas production well with and without a DHSV are
presented in appendix C. The CARA-fault tree program is used in the construction.
The MFDT formulas are based on a number of assumptions. The most distinctive are:
If based on the fault tree analysis, the Mean Fractional Dead Time (MFDT) of the different cut
sets determines the probability of the TOP-event.
The MFDT of a single barrier i is given by its unavailability qi(t). A single well barrier is tested
with regular intervals of length , and a constant failure rate i. The general formula is given:
1 1
MFDTi(t)= qi (t) = (1 - e iu du ) = 1 (1 e i )
0 i Equation 5-1
The unavailability of the safety barrier may also be calculated using the approximation formula
below. This approximation is based on Taylor series development of Equation 5-1. Practical
calculations often make use of this approximation. A rule of thumb is that when is small
(<10-2) the formula is considered valid.
i
MFDTi (t ) = qi
2 Equation 5-2
Cut set unavailability of a parallel structure of n tested barriers with constant failure rates i, is
found by deriving the reliability function, and given as:
n
Rs (t ) = 1 (1 Ri (t ))
i =1 Equation 5-3
The evaluated system also contains non-tested barriers. MFDT of a non-tested well barrier i
with constant failure rate i can be calculated by the use of Equation 5-1 when the exponential
distribution is applied.
q i (t ) = (1 - e i t ) Equation 5-4
If the unavailability of a barrier i is expressed by qi(t), which states the probability that basic
event i occurs at time t. Cut set unavailability can be calculated by the use of Equation 5-5:
Q(t ) = qi (t ) ,
iK j Equation 5-5
Equation 5-5 is also applied when combining tested and non-tested barriers in a cut set.
The approximation
Approximation of
2
Figure 5-5 A plot comparing the approximation and the general formula of unavailability.
Calculation uncertainties
In reliability studies of technical system one always has to work with models of the system. As
a rule to model construction, the models should be sufficiently simple to be handled by
available mathematical and statistical methods [8]. The reliability models are constructed by
applying generic data from existing systems. Models deduced from different formulas and
methods are never 100% correct. The value of expressing reliability values by decimals is
therefore limited. Failure rates and methods applied to determine reliability values have many
uncertainties and exact values are unlikely to be found.
Even if the mathematical model is correct the data applied will not be perfect for the specific
situation. Data books often pool data from a number of samples that all have individual
differences in construction and operating environment. These data are applied to the new
model and may not be valid there. Data books normally leave out environmental and
operational effects when assigning reliability values to components.
Reliability data
During the process of selecting a data set applicable for reliability quantification, the data
sources have been carefully examined. As a result of different data collection approaches,
reliability data often vary significantly from one data source to another. For some components
in the barrier system the data is scarce. An estimation is therefore done in understanding with
Marvin Rausand, supervisor [19]. The reliability input data used in the reliability calculations
are presented by data dossiers in appendix D. Reliability data used in this study mainly
originates from platform wells and are found in SINTEF reports and the OREDA handbook.
CARA calculates the unavailability of the TOP event by using approximation formula 5-2 for
tested barriers and Equation 5-4 for the non-tested barriers. The fault trees of appendix C, with
reliability values found in the data dossiers of appendix D, perform the basis for the
calculations. The results of the CARA-calculations are presented in subsection 5.4.4.
The non-tested barriers that are given a lifetime t=131400 hours (15 years). When applied to
the cut sets this generates the most conservative value of unavailability. Periodically tested
barriers are tested with time distribution =4380 hours (6 months). In these calculations
components are assumed to be as good as new when tested. The methods also consider the
barriers to have constant failure rates and be independent of each other.
Tested
barrier 1
The {MV, WV} cut set is calculated with WV =1.7E-6 hours and MV=2.0E-6 hours. Applying
these values in Equation 5-6 obtain the unavailability, 2.16E-5
q 1 (t ) = (1 - e 1t ) ,
Q(t ) = (1 - e 1t ) (1 - e 2t )
q 2 (t ) = (1 - e 2t ) Equation 5-7
The {AMVEXL, Tub} cut set is calculated with AMVEXL =0.6E-6 hours and Tub=0.4E-6
hours. Applying these values to Equation 5-7 obtain the unavailability, 3.88E-3.
Reliability data is inserted to the {DHSV, MV, SWAB} cut set, where DHSV =2.8E-6 hours
and MV=2.0E-6 hours and SWAB=2.2E-6 hours. Applying these values to Equation 5-8 obtain
the unavailability, 8.92E-6.
safety barrier due to an external event. This situation is used to calculate the accidental
frequencies in section 5.5.
Table 5-1 The unavailability of the TOP-event for a well with and without a DHSV at different points of
time t and the annual average calculated in CARA.
The blowout frequency during production is given by the frequency of the TOP-event and
represents the blowout frequency caused by intrinsic events. CARA calculates the frequency of
the TOP-event for a well with a DHSV of 4.47E-3 per year, and 1.85E-2 per well year
without a DHSV. The frequency of the TOP-event is 3.3 times higher for a well with a
without a DHSV compared to one without.
The Safety Integrity Level (SIL) level is set by the Norwegian Oil Industry Association (OLF).
The SIL expresses the average probability of failure to perform its design function on demand.
The author cannot find that any of the cut sets of a subsea production well violates a required
SIL 3 level even for the most conservative value (t=15years). Thus the reliability of a well
without a DHSV is considered to be acceptable.
Non-tested barriers
The failure probability of the non-tested components increases with time. To achieve a more
reasonable calculation result an applied lifetime of 10 years could be applied. This would give
a more realistic value for the non-tested barriers. This change would not affect the tested
barriers.
To gain an impression how these results change a calculation with lifetime t=43500 (5years) or
t=87600 (10 years) is done. A presentation of the results with different t-values is given in
Table 5-3.
Table 5-3 Calculation result of the cut sets with an applied lifetime of t=5years, t=10years and t=15years
The unavailability of the cut set with only tested components remain the same. The
unavailability of cut sets including non-tested barriers does increase with time. Table 5-4
presents the increased unavailability that is archived by removing the DHSV from the well
with different lifetimes t applied.
Table 5-4 Increased unavailability of the different cut sets when the DHSV is removed
And
f And
W M
And V V
House DHSV
1
Off
Figure 5-7 A fault tree illustrating the scenario when the flow has to be shut in due to a crisis
The risk related to this incident may be expressed as in the equations below.
R = R2-R1 = C(p2-p1) = Cp
A consequence C may either represent environmental damage, loss of human life, or economic,
loss due to an occurred event. R represents the risk of not including the DHSV in the
completion. The cut set in the flow direction consists of the barriers [DHSV, MV, WV].
Removing the DHSV increases the probability of not being able to shut in the well if crises
occur on the platform to 2.14E-5. The MFDT only tells us the percentage of the time where the
cut set function as a safety barrier. This means that the flow is unprotected 0.189 hours per well
year without a DHSV. If the DHSV were present this event would occur 0.0016 hours per well
year.
The required Safety Integrity Level (SIL) for the [DHSV, MV, WV] or [MV, WV] cut set is
SIL3 (10-4 to < 10-3) [28]. The results in show that the probability of not being able to close in
the well is increased when removing the DHSV. The SIL3 requirements are, however, still met
for all cut sets. The consequences of a leakage or a blowout are the same whether the DHSV is
present or not.
The events leading to a shut-in of the well, or the consequence of a blowout is not further
discussed in this thesis.
The blowout frequency during production is given by the frequency of the TOP-event (see
subsection 5.4.4) and represents the blowout frequency caused by intrinsic events. CARA
calculates the frequency of the TOP-event for a well with a DHSV of 4.47E-3 per year, and
1.85E-2 per well year without a DHSV. Sustainable leakage does not always classify as a
blowout, but this approximation is done here.
About 50% of the shut-ins of a well leading to a workover are caused by DHSV failure. The
blowout frequency during workover for a well with a DHSV is 1.7E-4 per well year (see
subsection 4.1.2). It is reasonable to assume that when the DHSV is removed the blowout
frequency will be reduced by 50%. The blowout frequency for a well without a DHSV during
workover is then 8.5E-5 per well year.
External factors have impact on the blowout frequency. The contribution remains the same
whether the DHSV is present or not. In this thesis the consequence of the external factor
comprise an accident where the x-mas tree is unavailable as a safety barrier due to impact by a
dropped object. The MFDT-contribution is found by removing the x-mas tree components in
the fault tree calculations (see subsection 5.4.5). The frequency causing an accidental event is
denoted, faccidential event. The blowout frequency caused by external factors is found in the
product of the accidental event frequency and the MFDT of the downhole barrier situation
(Unavailability without the x-mas tree). In these calculations the accidental event frequency is
2.29E-8 per well year. The contribution comprises dropping and hitting the x-mas tree from a
crane or a derrick (see section 4.4).
The total blowout risk is found by the use of Equation 5-9 and presented in Table 5-5.
Table 5-5 The blowout frequency per well year for a well with and without a DHSV, and the risk reducing
effect of the DHSV.
In total a removal of the DHSV will increase the risk of blowout due to the TOP-event by a
frequency of 1.13E-2 per well year.
A sensitivity analysis is performed to illustrate the accidental event contribution in the total
blowout frequency. Different frequencies of accidental events are applied to Equation 5-9. The
result of the sensitivity analysis is presented in Figure 5-8. The total blowout risk is always
higher for a well without a DHSV than for a well with a DHSV. Prior to the calculations the
author was assuming that for some values the blowout frequency was lower for a well with a
DHSV than for a well without a DHSV. The point where the two lines cross would represent
an equal blowout frequency in the sensitivity analysis.
Figure 5-8 Sensitivity analysis of the total blowout frequency at different frequencies of accidental events
per well year
Reliability data
The author has limited access to valid data. The reliability data used in the calculations is
gathered for both platform and subsea wells. Valid data only for subsea wells should be applied
in the calculations. Another problem is the age of the applied data. All data in this thesis is
more than five years old due to the confidentiality of the operating companies. Implementing
new up-to-date data may change the outcome of the total blowout frequency and is
recommended.
Calculation model
In the model of this thesis the blowout frequency during production is based on the assumption
that all leakage classifies as a blowout. This generates a very conservative value. The leakage
may in some cases be very small and not classify as a blowout. The frequency of the TOP-
event of the CARA calculations are assuming that a leakage in closed position and fail to close
failure of the wing valve leads directly to sea. If the safety barriers in the flow direction fail
there are still barriers further up the line that may prevent a blowout, e.g. the manifold,
separator or other equipment. The calculation methods used are, however, valid.
The frequency of the TOP-event in CARA is 3.3 times higher, for a well with than a well
without a DHSV (see subsection 5.4.4). It may therefore also be reasonable to operate with a
production blowout frequency 3.3 times higher. A blowout frequency of 5E-5 per well year
during production [7] is applied for a well with a DHSV. This results in a production blowout
frequency of 1.65E-4 per well year for a well without a DHSV. The same values for the
accidental event frequency and the well intervention frequency are applied.
In total a removal of the DHSV will then increase the blowout frequency of 3.0E-5 per well
year. This result sounds more reasonable than the one found in the other calculation.
6 Well intervention
6.1 Intervention types
In this subchapter a description of different intervention types and the most important
intervention equipment will be explained. The theory is based on ref. [14], [21], [33] and [34].
There are two types of well interventions, light and heavy (also known as workover). An
intervention requires a separate vessel or workover rig and is therefore complicated due to the
motion of the vessel. The subsea well intervention costs are very high especially when
operating in deep water. Equipment has to be rented and brought out to the location. Getting
the equipment out to the site requires a lot of planning and logistics. If a failure should occur in
between scheduled interventions it might take months before an intervention can be performed.
This could result in a production stop and be of great cost to the operating company.
Plugback operations
Coiled tubing operations
Fishing operations
Wireline operations
In some cases a failed DHSV can be repaired by a wireline operation if it is arranged for
insertion of an insert valve in the DHSV. An insert Wireline Retrievable Surface Controlled
SubSurface Safety Valve (WRSCSSV) can be installed as a backup inside the failed DHSV
and be activated by wireline. The insertion of an insert WRSCSSV reduces the diameter of the
production tubing and thus the production is reduced.
When the wireline method is applied a tool string attached to a wire is run by gravity force into
the well. Wireline methods are easy to operate and well known to the operating companies.
Short time is needed for the rigging and rig down. A problem may occur if the method is
applied in deviated and horizontal wells due to the dependability on gravity.
Risers
Several risers serve different purposes during the different stages of a workover. The
completion/workover riser is used for wireline intervention and retrieval of the x-mas tree.
Separate bores are included in the riser to provide communication with the tubing and the
annulus. The lower riser package is connected to the end of the riser and functions as a barrier
during workover. Riser pipes are used when running the blowout preventer (BOP) from the
workover rig. An iron roughneck screws new pipes on for every ten meters until the BOP
reaches the seabed.
The workover also included a replacement of the flow control module, pulling and milling of a
production packer to increase the production potential. These events are neglected from this
workover example.
The description is given by the use of short sentences. A full detailed description is too
extensive for the work of this thesis.
1) Anchoring procedure
A workover rig has to be put in transit to the site
The anchors are run to keep the rig at the site.
Guide wires are established to direct the workover tools to the seabed.
4) Kill well
Install tubing hanger isolation sleeve w/lockring
Bullhead 1,18 sg brine to kill well, this means that the production fluid is pushed back
into the reservoir so that the well can be killed.
Flow check the well for leakages.
Rig up wireline.
Run in hole and punch tubing above production polished bore receptacle (PBR)
Circulate out annulus fluid and flow check
Set back surface tree in moosehole.
Pull tree cap, workover riser, electric stab assembly.
Lay down surface tree on pipe-deck
6) Clean well
Run clean-out bottom hole assembly with a mill.
Pull x-mas tree bore protector on drill pipe.
8) Run tubing
In chapter 6.2.3 the role of the BOP will be analysed in a HAZOP study. The entire workover
process will not be analysed due to the limitation of time in this thesis.
The classical process HAZOP technique is based on assessing plants and process systems e.g.
in a chemical plant. The system is broken down into pipe segments and main plant items.
Guide-words are applied to different process parameters to identify derivations in the system.
Different failure modes of every system component are evaluated when employing the process
HAZOP. The components impact on system functionality is identified and preventive action is
performed.
The HAZOP technique has developed to be applied in many different areas today. Within the
oil industry a drillers HAZOP has been developed to enhance offshore drilling safety. Other
HAZOPs like Human HAZOP and Software HAZOP are developed to focus on their specific
area. When dealing with well operations and workovers the employment of a procedure
HAZOP is preferred. In subsection 6.2.3 a HAZOP of a BOP handling procedure will be
performed.
A procedure HAZOP is also called a Safe Operations Analysis (SAFOP) and may be applied to
all sequences of operations. Procedure HAZOP is a further development of the original
HAZOP method. Focus on both human errors and failures of technical systems are held
through the analysis. A procedure e.g. a workover situation is broken down into different sub
procedures and finally operational steps. An identification of the potential causes and
consequences related to the different steps are done. An outcome of the study may normally be
a list of preventive actions. The procedure HAZOP is best suited for detailed assessments, but
may also be used for coarse preliminary assessments. In order to have an effective and useful
procedure the work description should be clear and unambiguous. All relevant information
should be available prior to the study.
As in all risk assessment tools there are advantages and disadvantages in accomplishing a
HAZOP study, these are presented in Table 6-1.
Table 6-1 Advantages and disadvantages with the HAZOP analysis [9] (with some supplements of the
author.)
After finding appropriate the guide-words the procedure may begin by accessing each of the
different elements of the study. By making use of the flow diagram in Figure 6-2 the potential
problems can be identified.
The output of the study consists of a set of recommendations on how to approach a better
solution.
A HAZOP study is a team effort. The success is very much dependent on the team. To gain the
relevant information and a successful HAZOP analysis a reasonable composition by
experienced and contributing members must be established. Representatives of all disciplines
involved in the operations should be included in the team. Input based on their responsibility in
the performance of the operations is essential. The diversities in background help the different
members identifying all the important issues of the study and provide an ability to see the
scenario from different angles. A study will generally involve at least four and rarely more than
seven persons. The larger the team, the slower the process.
The need for an experienced HAZOP chairman is crucial. It is important that the chairman is
familiar with the type of work being analyzed and that sufficient authority is achieved to
control the discussion. During the team discussion the chairman should act as a catalyst and
guide the team in posing the appropriate type of questions. Finally the leader should draw the
conclusions from the discussion and propose the appropriate entry in the record sheet.
Select a procedure
NO
YES
YES
YES
The HAZOP of the BOP handling procedure provided in this thesis has not been subject to a
group discussion and a HAZOP team. The outcome will be fully dependent on the authors
understanding of the problem. Important issues might have been left out and the weighing of
criticality may not have been done to the satisfaction of all readers.
In the traditional HAZOP analysis the guide-words; NO, MORE, LESS, AS WELL AS, etc.
are used. In a procedure HAZOP these words are, from some point of views, not as well suited.
Instead a set of guide-words in interest for the specific analysis are developed for the specific
procedure. The author experimented with the use of such guide-words in the procedure
HAZOP without success. The traditional guide-words are of a general character and easier to
apply to the different procedures in the study of BOP handling. An understanding of why this
guide-word is applied is given for each of the steps in the causes-column of the HAZOP-
sheet. The need for more specific guide-words was therefore neglected. Traditional guide-
words are also more common and easier to understand. As a result the traditional guide-words
are applied in this thesis. The guide-words used and their meaning is presented in appendix E.
16. Riser pipes are unscrewed with iron roughneck and placed on rack until BOP is on
cellar deck.
To gain an insight into the dimensions and the extent of the procedure a picture of a BOP is
presented in Figure 6-3.
Table 6-2 presents the result of the HAZOP analysis on a BOP handling procedure. The
columns in the HAZOP sheet are based on ref. [2]. A column where existing safeguards are
listed is left out due to the authors limited knowledge of the procedure.
10 4 NO Riser pipes are not Delayed operation Make sure riser pipes are
present in the time of present
operation
11 5 OTHER The riser pipes are not This may lead to a delay in Check the programming of the
THAN connected; the roughneck the operation and in worst iron roughneck prior to
is screwing the pipe the case dropping the BOP operation
opposite direction.
12 5 REVER The riser pipes are not Delayed operation and Make sure the riser pipes are
SE connected, they are possibility dropping the stacked in the right direction
upside down BOP.
13 5 LESS Riser is not properly The riser is not screwed Use instruments to measure the
connected to BOP properly to the BOP. The torque and position
BOP may fall down
14 5 MORE Riser is screwed to tight Threads are damaged and Use instruments to measure the
to the BOP may not hold the BOP as torque and position
intended. BOP may fall
down
15 5 MORE Roughneck damages the The riser may leak or be Make sure the riser pipe is
rise by holding to tight damaged. controlled before the pipe is
lowered
16 5 PART The Riser pipe is The riser is not connected to Use instruments to measure the
OF lowered, but in the wrong the BOP position
position to be screwed on
17 6 LESS The riser flange The riser and BOP will fall Control dimensions prior to
dimension is too narrow down workover and use eye control
to hang on drilling deck. when operating
18 6 MORE The drilling deck does The riser and BOP will fall Check the drilling deck for
not hold the weight of the down corrosion and wear
BOP.
19 6 MORE The running speed of the Causing the drilling deck to Find a running speed that is
riser/BOP is too high crack and the BOP may ideal for this operation
swing and cause oscillating
20 6 PART The riser elevator is The assembly can not be
OF jammed lowered to the seabed
21 7 NOT The riser elevator is The assembly can not be Make sure elevator is
broken lowered to the seabed functioning prior to operation
22 7 LESS The assembly is lowered Causing the procedure to last Find a running speed that is
to slow too long ideal for this operation
23 7 MORE The assembly is lowered May cause the string to jerk Find a running speed that is
to fast when stopped to connect a ideal for this operation creating
new riser pipe and the a smooth stop when
assembly may swing connecting new pipes
24 7 LESS Riser is not properly The riser is not screwed Use instruments to measure the
connected properly on. The BOP torque and position
assembly may fall down
25 7 MORE Riser is screwed to tight Threads are damaged and Use instruments to measure the
may not hold the assembly as torque
intended. BOP may fall
26 7 NOT New riser pipes are not The operation is delayed Make sure that enough riser
present pipes are present
27 9 LESS The guidelines are not The BOP is not in the right
tightened enough position
28 10 MORE The BOP is attached to Stabs, AX-seal and locking Make sure the connection of
the Wellhead with to screws are damaged. the BOP is nice and steady
much force
29 10 NOT The BOP is not in The BOP may not connect to Use instruments to measure the
position with the the wellhead due to wrong exact position
Wellhead positioning
30 11 LESS The pressure is low The BOP is leaking Acceptable leakage must be
defined prior to operation
31 12 NOT The BOP is not working The operations may be
properly harder to perform or not able
to be performed
32 12 LESS Fluid is flowing from the The BOP is leaking
connection
33 13 NOT The BOP is jammed The BOP does not
disconnect
34 14 NOT The riser elevator is The BOP can not be lifted Make sure to have redundant
broken from the seabed lifting systems
35 14 MORE The riser/ BOP assembly The BOP can not be lifted Make sure the riser elevator
is to heavy to lift from the seabed and lifting gear is properly
proportionate for the job
36 15 NO The guidelines are not The BOP may not be moved
able to loosen away from the seabed
equipment and has to be
raised above the subsea
equipment
37 16 MORE Riser is screwed on to The pipes may not be able to Make sure to have cutting gear
tight demount present at the site
38 16 OTHER The roughneck is This may lead to a delay in Make sure the programming of
THAN screwing the pipe the the operation the iron roughneck is right
opposite direction. prior to operation
39 16 NO The riser pipe rack is not Operation will be delayed as Make sure the programming of
in the right position or the rack must be moved or is right prior to operation
the pipe handling system the roughneck be re-
is programmed wrong programmed
The most frequent finding in this HAZOP is the need for preparation before the different
operations begin. It is important that all steps are carefully planned and the testing of the
equipment is done properly. Another important issue is the securing of the subsea
equipment. This should be considered already when a new well is in the planning phase.
If the BOP should be lost, or any other equipment, and hit the subsea equipment the
consequences may be enormous.
A list of the most important recommended actions derived from this HAZOP analysis is
given below.
Based on the quantitative findings in this study the DHSV reduces the risk of blowout
with approximately 50%. A removal of the DHSV represents an increased failure
probability, and two independent and tested well barriers are not present in all cut sets.
None of the cut sets do, however, violate a required SIL3 level when the DHSV is
removed from the completion.
The blowout frequency caused by the DHSV during workover is 1.7E-4 per well year,
and 8.5E-5 per well year for a well without a DHSV. The blowout frequency during
production is based on the assumption that all occurrences of the TOP-event, leakage
to the surroundings, classify as a blowout. During production the blowout frequency is
found to be 4.47E-3 per well year for a well with a DHSV, and 1.85E-2 per well year
when the DHSV is removed. In addition to the blowout frequency during production and
workover a blowout frequency caused by accidental events should be included. The total
blowout frequency is found adding up the different contributions:
The DHSV blowout frequency contribution during installation is not included in this
study. There is no data revealing the changes in blowout frequency when the DHSV is
removed for the installation phase.
The blowout frequencies found in the calculations are of very high. In total a removal of
the DHSV increases the blowout frequency by 1.13E-2 per well year. It is reasonable to
believe that the calculations in this report are either based on insufficient data, a bad
model or calculated errors. Other factors may also have contributed to the high frequency.
50% of the shut-ins of a well leading to a workover are caused by a DHSV failure. A
DHSV failure requires a workover generating a loss of oil production of up to $5,6
million. In addition there will also be expenses concerning the rental of a workover rig. A
total cost of 20 million dollars per intervention is therefore not unrealistic.
The author cannot recommend removing the Downhole safety valve (DHSV) from a
subsea oil/gas production well based on the findings in this thesis. Although there may be
some economic advantages in removing the DHSV the risk of blowout should be given
the greatest attention. In addition to causing pollution, the occurrence of a blowout may in
severe cases lead to a bad reputation among consumers and environmental organisations.
The consequences of a bad reputation are hard to estimate. If a boycott of the operating
company is carried out it could lead to greater economic losses. Negative publicity not
only affects the concerned company but the entire oil industry.
Data accuracy
The author has limited access to valid data. The reliability data used in the calculations is
gathered for both platform and subsea wells. Valid data only for subsea wells should be
applied in the calculations. Another problem is the age of the applied data. All data in this
thesis is more than five years old due to the confidentiality of the operating companies.
Implementing new up-to-date data may change the outcome of the total blowout
frequency and is recommended. The presented approach is, however, valid and applicable
when new data is found.
Alternative solutions
In some cases alternative solutions may be more reliable than a DHSV. A further study
developing new solutions and examining other existing solutions is recommended. The
economic cost and the environmental risk related to a frequent workover rate caused by
the DHSV may be reduced.
8 References
1. Aleksandersen, J., Sangesland, S., Well intervention in subsea completed wells,
Department of Petroleum Engineering and Applied Geophysics, The Norwegian
Institute of Technology, The University of Trondheim, Trondheim, 1994
2. British Standard Institute (BSI), Hazard and operability studies (HAZOP
studies)- Application guide, 2001
3. Dovre Safetech, Dropped object analysis Large water depths SAGA, April 1995
4. Durham, C.J, Paveley, C.A., SPE 56934 Radical Solutions Required:
Completion Without packers and Downhole Valves Can Be Safe, Society of
Petroleum Engineers, Inc. Offshore Europe Conference, Aberdeen, Scotland, 1999
5. Goland, M., Whitson, C.H., Well Performance 2nd edition, Prentice Hall,
Trondheim, 1991
6. Herfjord, H. J., Brnnteknologi, NKI Forlaget, Larvik, 1988
7. Holand P., Offshore Blowouts Causes and Control, Gulf Publishing Company,
Houston, TX, USA, 1997
8. Hyland, A. and Rausand, M., System Reliability Theory - Models and
Statistical Methods, John Wiley & Sons Inc., New York, 1994.
9. Kirwan, B., Ainsworth, L.K., A guide to task analysis, Taylor & Francis Ltd.,
Great Britain, 1992
10. Kletz, T.A., HAZOP AND HAZAN Identifying and Assessing Process Industry
Hazards, The Institution of Chemical Engineers, Warwickshire, England, 1992
11. Minerals Management Service, Part 250-Oil and gas and sulphur operations in
the outer continental shelf,
12. Mobile E. & P Technical Center, Mobile completions handbook, Dallas, TX,
USA, 1996
13. Molnes E., Sundet, I., Reliability of well completion equipment Phase II
Report. (SINTEF report no. STF75 F95051, 1996, Safety and Reliability,
SINTEF, Trondheim)
14. Molnes E., Sundet, I., Vatn, J., Reliability of well completion equipment Main
Report. (SINTEF report no. STF75 F92019, 1992, Safety and Reliability,
SINTEF, Trondheim).
15. Molnes, E., Holand, P., Sundet, I., Vatn, J., Reliability of surface controlled Sub
Safety Valves- Phase III- Main Report. (SINTEF report no. STF75 F89030, 1989,
Safety and Reliability, SINTEF, Trondheim).
16. Molnes, E., Sundet, I., Vatn, J., Reliability of surface controlled Sub Safety
Valves- Phase IV. (SINTEF report no. STF75 F91038, 1992, Safety and
Reliability, SINTEF, Trondheim).
17. NORSOK, 1998, Subsea production systems, [online] Found at
http://www.nts.no/norsok/u/u00102/u00102.htm, 18.11.01
18. Offshore Technology, Exxon Valdez Oil Spill, [online] Found at
http://www.offshore-technology.com/contractors/environmental/exxon-
valdez.html, 02.05.02
19. Rausand M., Personal conversation, Institutt for Produksjons og
Kvalitetsteknikk, NTNU, Norway, 08.02.2002
20. Rausand, M., Vatn, J., Reliability modelling of surface controlled subsurface
safety valves, Reliability Engineering and System Safety, Vol. 61, 1998
9 Appendices
A production system is essentially a system that provides transportation of fluids from the
reservoir to the surface and separates it into oil, gas and water. The oil and gas streams are
transported from the field and prepared for sale. The water is treated and injected to the
reservoir or brought to disposal. A production system consists of different groups of
mechanical elements.
Subsea system components are normally exposed directly to the sea. The installation and
maintenance operations are carried out by specially designed manipulators, remote operated
vehicles (ROV), conventional divers, drill string from a vessel, or by recovering components
to the surface.
1. Casings
2. Tubing string
3. Production packer
4. Downhole Safety Valve (DHSV)
5. Subsea wellhead
6. Subsea x-mas tree
7. Control system
A-1
DHSV
A-2
A1.3 Well completion
A1.3.1 Tubing
The tubing is a string of pipes stretching from the reservoir and up to the wellhead. This is
where the produced fluid is led upward to the platform. Different accessories can be mounted
on the tubing to control the flow.
The main purpose of the x-mas tree is to provide an ability to shut in the well at the wellhead.
The x-mas tree also fulfils the following functions
The production master valve is located on the vertical production bore. The master
valve always remains open except for emergencies or during pressure tests of the tree.
The production master valve is a fail-safe-gate valve.
A-3
The wing valve is located on the horizontal outlet from the x-mas tree. If it becomes
necessary to close the well, the wing valve is the first to be closed. This is where the
produced fluid is flowing through.
The swab valve is located on the vertical bores of the tree above the wing valve. The
swab valve is used to perform safe vertical re-entries into the tree and well during
workover.
The crossover valve connects the production bore to the annulus bore via a crossover
service line.
The annulus master valve is located on the vertical annulus bore. It is normally closed
and opened only if fluid is to be injected to the annulus bore.
The annulus wing valve is normally closed. It closes the side outlet oft the tree block
to isolate the service line during production and intervention.
Gate valves are the most common type valves in the x-mas tree. The gate valves are normally
operated either hydraulically, by mechanical override or remotely operated vehicle (ROV).
The tubing head is attached to the uppermost casing head and supports the tubing string. The
tubing hanger is an integrated part of the wellhead. It seals and locks the tubing inside the
wellhead housing. Seals isolate the production and annulus fluids and prevent leakage. The
tubing hanger can either be locked to the wellhead housing or directly via a casing hanger
lock down profile, or locked in the last casing hanger suspended in the wellhead. Hydraulic
and electrical communication with downhole equipment requires the use of penetrators in the
tubing hanger and x-mas tree.
The casing head is attached to the wellhead on a casing hanger. A seal is provided to avoid
leakage of annulus fluids into the next casing or to the surroundings.
A-4
A1.5.2 Guidelineless system
Several manufactures have provided a guidelineless system for many years. Due to the
variation in equipment from the different manufacturers different methods are used for the
different manufacturer. One solution is described here. The guidelineless x-mas tree is run on
a completion riser. A sonar or TV tool is used to locate the wellhead and connect the x-mas
tree to it. Then the x-mas tree is oriented with reference to the tubing hanger. After the tree is
oriented in the right position, the pressure on 4 jack landing cylinders is bleed off and the x-
mas tree is landed.
The DHSV in the North Sea are set at up to 50 meters below the seabed. The hydrostatical
weight of the hydraulic control fluid set the depth in which the DHSV is set. The hydrostatical
weight is balanced by the use of a control line. If the pressure in the control line is increased
the DHSV will close.
A-5
DHSV and a low-pressure at 5.000psi activates the x-mas tree valves. Figure A-2 gives an
overview of the actuation process.
Platform
control system X-mas tree
gate valves
Umbilical
SEABED
Pilot DHSV
Hydraulic LOW valves
pressure Hydraulic
signal Pilot
HIGH
system valve
Figure A-2 An overview of a subsea control system provided with a pilot hydraulic system.
A1.8 Umbilicals
Electric and hydraulic umbilicals are needed for communication purposes. Depending upon
the control system configuration umbilicals are made for the specific need of the control
system.
A-6
Appendix B
In this appendix a figure of the well that provides the basis for the used in the case example in
the thesis will be given.
In the example the completion of the well, see subchapter 5.1.2, is based on an oil production
well from the Oseberg B field. The well data is provided from Wellmaster managed by
ExproSoft AS. Some of the components are left out in the report. The downhole components
included in the report are:
1. the tubing
2. the tubing hanger
3. one downhole safety valve (DHSV)
4. a seal assembly
5. a production packer
B-1
2
.
Figure B-1 A sketch of an oil production well from the Oseberg B field
B-2
Appendix C
Fault trees constructed for the oil/gas production well of this thesis are presented in
Figure C-1 and Figure C-2.
C-1
Leakage to the
surroundings
Or 1
And 1 And 2
DHSV failure LCP X-mas tree valves Leakage in the a Leakage regarding
or FTC fail to seal annulus the tubingstring
And 17 P2 Or 5 Or 3
DHSV failure LCP Leakage thrugh the Annulus master Leakage from the Leakage through The DHSV fails to Leakage in the DHSV failure EXL
or FTC annulus master valve EXL wellhead Production Packer close and the tubing tubing below the
valve above leaks DHSV
Leakage in the Annulus master Leakage to the Wellhead seal leak Leakage in the DHSV failure LCP DHSV failure EXL
x-mas tree annulus valve LCP wellhead area tubing above the or FTC
area DHSV
DHSV
Figure C-1 Fault tree of an oil/gas producing well with and without a DHSV, part 1
AMV WH TaDHSV And 20
Or 13 Or 7 EXL House 3
Annulus Wing Valve Annulus Swab Valve Crossover line EXL Tubing hanger Tubing hanger seal The 13 5/8" casing DHSV failure LCP
EXL/ITL EXL/ITL tubing seal leak production bore seal leaks or FTC
C-2
AWV ASWV XOL ThT ThPb 13 5/8" DHSV
House 2
P2
Or 2
And 4 MVEXL
MV
Or 4
Production Wing Crossover valve Production Swab Leakage through Production ving
valve ITL EXL Valve ITL/EXL the crossover valve valve EXL
XOVITL
Or 13
Figure C-2 Fault tree of an oil/gas producing well with and without a DHSV, part 2
C-3
Appendix D
Reliability data dossier
This appendix presents the data dossiers, which form a basis for the input to the reliability
calculations. Reliability data dossiers are databases where the information used in the
calculations are gathered to provide an easy access to the sources. Failure rates are found from
for each component included in the barrier system. The data collected are traceable and
testable for future work based on this thesis. To provide an overview over the leakage
situations of each component the dossiers of this report has included the leakage paths
concerning the TOP-event, leakage to the surroundings.
Note that the maintenance and test intervals are specific for this report (see subsection 5.4.2
for details).
The schemes are based on data from existing databases. The quality and quantity of the
provided data vary a lot. Many of the different components have got little or no documented
data available. For a wider quantitative study it is suggested that failure rates from several
more sources are supplied and even for the specific area the wells without a DHSV are to be
implemented. A weighing of the different sources according to their relevance for each
individual component is also suggested.
D-1
Reliability data dossier
Component: Production Packer
* The value does not include installation failures (i.e. failure occurring during the first six days
after installation).
D-2
Reliability data dossier
Component: DHSV (TRSCSSV flapper type)
D-3
Reliability data dossier
Component: Tubing hanger seals, wellhead seal and casing hanger seals
D-4
Reliability data dossier
Component: Production Master Valve and annulus master valve
D-5
Reliability data dossier
Component: Production wing valve
D-6
Reliability data dossier
Component: Swab valve, annulus swab valve, annulus wing valve and crossover valve
D-7
Reliability data dossier
Component: Crossover line
D-8
Appendix E
This appendix presents the four basic sequential steps of a HAZOP according to the
IEC 61882 [2]. Figure E-1 illustrates the basic steps.
Definition
Define scope and objectives
Define responsibility
Select team
Preparation
Plan the study
Collect data
Agree style of recording
Estimate the time
Arrange a schedule
Examination
Divide system into parts
Select a part and define design intent
Identify deviation by using guide-words on each element
Identify consequences and causes
Identify whether a significant problem exists
Identify protection, detection and indicating mechanisms
Identify possible remedial/mitigating measures (optional)
Agree actions
Repeat for each element and then each part of the system
E-1
Appendix F
The guide-words used in the HAZOP analysis provided in this thesis are based on the
guide words found in the IEC standard, Hazard and operability studies [2]. Table F-1
present the guide-words.
NO, NOT, DONT The intended activity does not occur, but no
direct substitute activity takes place.
MORE A greater activity than intended e.g. force,
pressure, weight, reaction and duration.
LESS A lesser activity than intended e.g. force,
pressure, weight, reaction, and duration.
OTHER THAN A totally different activity e.g. lifts instead of
roll.
PART OF One or more desired activities are missing e.g.
transfer instead of transfer and heat.
REVERSE The logical opposite to the desired activity e.g.
reverse chemical reaction, reverse direction of
flow.
F-1