
    Multi criteria risk analysis of a subsea BOP system

    The subsea blowout preventer (BOP), which is latched to a subsea wellhead, is one of several barriers in the well to prevent kicks and blowouts, and it is the most important and critical equipment, as it becomes the last line of protection against blowout. The BOP system used in subsea drilling operations is considered a safety-critical system, with a high-severity consequence following its failure. Following past offshore blowout incidents such as the most recent, Macondo in the Gulf of Mexico, there have been investigations, research, and improvements sought for improved understanding of the BOP system and its operation. This informs the need for a systematic re-evaluation of the subsea BOP system to understand its associated risk and reliability and identify critical areas/aspects/components. Different risk analysis techniques were surveyed and failure modes, effects and criticality analysis (FMECA) was selected to drive the study in this thesis. This is because it is a simple, proven, cost-effective process that can add value to the understanding of the behaviours and properties of a system, component, software, function or other. The output of the FMECA can be used to inform or support other key engineering tasks such as redesign, enhanced qualification and testing activity, or maintenance for greater inherent reliability and reduced risk potential. This thesis underscores the application of the FMECA technique to critique the associated risk of the subsea BOP system. System functional diagrams were developed with boundaries defined, an FMECA was carried out and an initial select list of critical component failure modes was identified. The limitations surrounding the confidence of the FMECA failure mode ranking based on the risk priority number (RPN) are presented, and potential variations in risk interpretation are discussed.
    The main contribution of this thesis is an innovative framework utilising multi-criteria decision-making (MCDA) analysis techniques, with consideration of fuzzy interval data, applied to the critical failure modes of the subsea BOP system identified by the FMECA. It utilised nine criticality assessment criteria deduced from expert consultation to obtain a more reliable ranking of failure modes. The MCDA techniques applied include the Technique for Order of Preference by Similarity to Ideal Solution (TOPSIS), fuzzy TOPSIS, TOPSIS with interval data, and the Preference Ranking Organization Method for Enrichment of Evaluations (PROMETHEE). The outcome of the multi-criteria analysis of the BOP system clearly shows wellhead connector failure, LMRP hydraulic connector failure and control-system-related failure as the top three most critical failures with respect to well control. The critical failure modes and components identified by the analysis in this thesis are validated using failure data from an industry database, and a sensitivity analysis is carried out. The importance of maintenance, testing and redundancy to BOP system criticality was established by the sensitivity analysis. The potential for MCDA to be used for more specific analysis of criteria for a technology was demonstrated. Proper maintenance, inspection and testing (functional and pressure) are critical to BOP system performance and the sustenance of a high reliability level. Material selection and performance of components (seals, flanges, packers, bolts, mechanical body housings) relative to the use environment and operational conditions are fundamental to avoiding the occurrence of failure mechanisms. Also worthy of notice is the contribution of personnel and organisations (by way of procedure robustness and a verification structure to ensure expected standard practices/rules are followed) to failures, as seen in the root cause discussion.
    OEMs, operators and drilling contractors are to periodically review operation scenarios relative to BOP system product design through the use of a failure reporting, analysis and corrective action system. This can improve the design of monitoring systems and inform the requirement for re-qualification of technology and/or next-generation designs. Operations personnel are to correctly log failures in these systems, and the responsible authority is to ensure root cause analysis is done to uncover the underlying issues initiating and driving failures.

    A synthesis of logic and bio-inspired techniques in the design of dependable systems

    Much of the development of model-based design and dependability analysis in the design of dependable systems, including software intensive systems, can be attributed to the application of advances in formal logic and its application to fault forecasting and verification of systems. In parallel, work on bio-inspired technologies has shown potential for the evolutionary design of engineering systems via automated exploration of potentially large design spaces. We have not yet seen the emergence of a design paradigm that effectively combines these two techniques, schematically founded on the two pillars of formal logic and biology, from the early stages of, and throughout, the design lifecycle. Such a design paradigm would apply these techniques synergistically and systematically to enable optimal refinement of new designs which can be driven effectively by dependability requirements. The paper sketches such a model-centric paradigm for the design of dependable systems, presented in the scope of the HiP-HOPS tool and technique, that brings these technologies together to realise their combined potential benefits. The paper begins by identifying current challenges in model-based safety assessment and then overviews the use of meta-heuristics at various stages of the design lifecycle, covering topics that span from allocation of dependability requirements, through dependability analysis, to multi-objective optimisation of system architectures and maintenance schedules.

    Integrating model checking with HiP-HOPS in model-based safety analysis

    The ability to perform an effective and robust safety analysis on the design of modern safety-critical systems is crucial. Model-based safety analysis (MBSA) has been introduced in recent years to support the assessment of complex system design by focusing on the system model as the central artefact, and by automating the synthesis and analysis of failure-extended models. Model checking and failure logic synthesis and analysis (FLSA) are two prominent MBSA paradigms. Extensive research has placed emphasis on the development of these techniques, but discussion on their integration remains limited. In this paper, we propose a technique in which model checking and Hierarchically Performed Hazard Origin and Propagation Studies (HiP-HOPS), an advanced FLSA technique, can be applied synergistically with benefit for the MBSA process. The application of the technique is illustrated through an example of a brake-by-wire system.

    Use of COTS functional analysis software as an IVHM design tool for detection and isolation of UAV fuel system faults

    This paper presents a new approach to the development of health management solutions which can be applied to both new and legacy platforms during the conceptual design phase. The approach involves the qualitative functional modelling of a system in order to perform an Integrated Vehicle Health Management (IVHM) design: the placement of sensors and the diagnostic rules to be used in interrogating their output. Qualitative functional analysis was chosen as a route for early assessment of failures in complex systems. Functional models of system components are required for capturing the available system knowledge used during various stages of system and IVHM design. MADe™ (Maintenance Aware Design environment), a COTS software tool developed by PHM Technology, was used for the health management design. A model has been built incorporating the failure diagrams of five failure modes for five different components of a UAV fuel system. Thus an inherent health management solution for the system and the optimised sensor set solution have been defined. The automatically generated sensor set solution also contains a diagnostic rule set, which was validated on the fuel rig for different operation modes, taking into account the predicted fault detection/isolation and ambiguity group coefficients. It was concluded that when using functional modelling, the IVHM design and the actual system design cannot be done in isolation. The functional approach requires permanent input from the system designer and reliability engineers in order to construct a functional model that will qualitatively represent the real system. In other words, the physical insight should not be isolated from the failure phenomena, and the diagnostic analysis tools should be able to adequately capture the experience bases. This approach has been verified on a laboratory bench-top test rig which can simulate a range of possible fuel system faults.
    The rig is fully instrumented in order to allow benchmarking of the various sensing solutions for fault detection/isolation that were identified using functional analysis.

    Engineering failure analysis and design optimisation with HiP-HOPS

    The scale and complexity of computer-based safety-critical systems, like those used in the transport and manufacturing industries, pose significant challenges for failure analysis. Over the last decade, research has focused on automating this task. In one approach, predictive models of system failure are constructed from the topology of the system and local component failure models using a process of composition. An alternative approach employs model-checking of state automata to study the effects of failure and verify system safety properties. In this paper, we discuss these two approaches to failure analysis. We then focus on Hierarchically Performed Hazard Origin & Propagation Studies (HiP-HOPS), one of the more advanced compositional approaches, and discuss its capabilities for automatic synthesis of fault trees, combinatorial Failure Modes and Effects Analyses, and reliability versus cost optimisation of systems via application of automatic model transformations. We summarise these contributions and demonstrate the application of HiP-HOPS on a simplified fuel oil system for a ship engine. In light of this example, we discuss strengths and limitations of the method in relation to other state-of-the-art techniques. In particular, because HiP-HOPS is deductive in nature, relating system failures back to their causes, it is less prone to combinatorial explosion and can more readily be iterated. For this reason, it enables exhaustive assessment of combinations of failures and design optimisation using computationally expensive meta-heuristics. (C) 2010 Elsevier Ltd. All rights reserved.

    Probabilistic Model-Based Safety Analysis

    Model-based safety analysis approaches aim at finding critical failure combinations by analysis of models of the whole system (i.e. software, hardware, failure modes and environment). The advantage of these methods compared to traditional approaches is that the analysis of the whole system gives more precise results. Only a few model-based approaches have been applied to answer quantitative questions in safety analysis, often limited to analysis of specific failure propagation models, limited types of failure modes, or without system dynamics and behavior, as direct quantitative analysis uses large amounts of computing resources. New achievements in the domain of (probabilistic) model-checking now allow for overcoming this problem. This paper shows how functional models based on synchronous parallel semantics, which can be used for system design, implementation and qualitative safety analysis, can be directly re-used for (model-based) quantitative safety analysis. Accurate modeling of different types of probabilistic failure occurrence is shown, as well as accurate interpretation of the results of the analysis. This allows for reliable and expressive assessment of the safety of a system in early design stages.

    A controlled experiment for the empirical evaluation of safety analysis techniques for safety-critical software

    Context: Today's safety-critical systems are increasingly reliant on software. Software becomes responsible for most of the critical functions of systems. Many different safety analysis techniques have been developed to identify hazards of systems. FTA and FMEA are most commonly used by safety analysts. Recently, STPA has been proposed with the goal of better coping with complex systems including software. Objective: This research aimed at comparing these three safety analysis techniques quantitatively with regard to their effectiveness, applicability, understandability, ease of use and efficiency in identifying software safety requirements at the system level. Method: We conducted a controlled experiment with 21 master and bachelor students applying these three techniques to three safety-critical systems: train door control, anti-lock braking and traffic collision avoidance. Results: The results showed that there is no statistically significant difference between these techniques in terms of applicability, understandability and ease of use, but a significant difference in terms of effectiveness and efficiency is obtained. Conclusion: We conclude that STPA seems to be an effective method to identify software safety requirements at the system level. In particular, STPA addresses more different software safety requirements than the traditional techniques FTA and FMEA, but STPA takes more time to carry out for safety analysts with little or no prior experience.
    Comment: 10 pages, 1 figure. In Proceedings of the 19th International Conference on Evaluation and Assessment in Software Engineering (EASE '15). ACM, 201