dnv rp-g101 risk based inspection

RECOMMENDED PRACTICE

DET NORSKE VERITAS

DNV-RP-G101

RISK BASED INSPECTION OFOFFSHORE TOPSIDES STATIC

MECHANICAL EQUIPMENTJANUARY 2002

Comments may be sent by e-mail to [email protected] subscription orders or information about subscription terms, please use [email protected] information about DNV services, research and publications can be found at http://www.dnv.com, or can be obtained from DNV, Veritas-veien 1, N-1322 Hvik, Norway; Tel +47 67 57 99 00, Fax +47 67 57 99 11.

Det Norske Veritas. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, including pho-tocopying and recording, without the prior written consent of Det Norske Veritas.

Computer Typesetting (FM+SGML) by Det Norske Veritas.Printed in Norway by GCS AS.

If any person suffers loss or damage which is proved to have been caused by any negligent act or omission of Det Norske Veritas, then Det Norske Veritas shall pay compensation to such personfor his proved direct loss or damage. However, the compensation shall not exceed an amount equal to ten times the fee charged for the service in question, provided that the maximum compen-sation shall never exceed USD 2 million.In this provision "Det Norske Veritas" shall mean the Foundation Det Norske Veritas as well as all its subsidiaries, directors, officers, employees, agents and any other acting on behalf of DetNorske Veritas.

FOREWORDDET NORSKE VERITAS (DNV) is an autonomous and independent foundation with the objectives of safeguarding life, prop-erty and the environment, at sea and onshore. DNV undertakes classification, certification, and other verification and consultancyservices relating to quality of ships, offshore units and installations, and onshore industries worldwide, and carries out researchin relation to these functions.DNV Offshore Codes consist of a three level hierarchy of documents: Offshore Service Specifications. Provide principles and procedures of DNV classification, certification, verification and con-

sultancy services. Offshore Standards. Provide technical provisions and acceptance criteria for general use by the offshore industry as well as

the technical basis for DNV offshore services. Recommended Practices. Provide proven technology and sound engineering practice as well as guidance for the higher level

Offshore Service Specifications and Offshore Standards.DNV Offshore Codes are offered within the following areas:A) Qualification, Quality and Safety MethodologyB) Materials TechnologyC) StructuresD) SystemsE) Special FacilitiesF) Pipelines and RisersG) Asset Operation

DET NORSKE VERITAS

Recommended Practice DNV-RP-G101, January 2002Page 3

CONTENTS

1. GENERAL .............................................................. 51.1 Objective of this document .....................................51.2 Application ...............................................................51.3 Limitations ...............................................................51.4 Relationship to other codes and standards ...........51.5 Definitions, symbols and abbreviations.................51.5.1 Definitions of terms ............................................................ 61.5.2 Abbreviations...................................................................... 7

2. REFERENCES ....................................................... 7

3. RISK BASED INSPECTION CONCEPT ........... 83.1 Risk management ....................................................83.2 Inspection management ..........................................83.3 Fabrication inspection and in-service inspection .83.4 RBI team competence .............................................8

4. RISK TERMINOLOGY AND PRESENTATION....................................................................................9

4.1 General .....................................................................94.2 Risk ...........................................................................94.2.1 Risk definition .................................................................... 94.2.2 Risk acceptance criteria ...................................................... 94.2.3 Risk presentation ................................................................ 94.3 Qualitative and quantitative RBI...........................94.4 Probability of failure .............................................104.4.1 Probability of failure definition ........................................ 104.4.2 Probability of failure presentation ....................................104.4.3 Probability of failure modelling........................................ 104.5 Consequence of failure ..........................................104.5.1 Consequence of failure definition.....................................104.5.2 Consequence of failure presentation................................. 104.5.3 Safety consequence modelling .........................................104.5.4 Economic consequence modelling ...................................104.5.5 Environmental consequence modelling............................11

5. WORKING PROCESS........................................ 115.1 Objective.................................................................115.2 Outline of the process............................................115.3 Acceptance criteria ................................................115.4 Information gathering...........................................11

6. RISK SCREENING ............................................. 126.1 Working process ....................................................126.2 Screening team.......................................................126.3 Consequence of failure evaluation .......................126.3.1 Safety consequence...........................................................126.3.2 Economic consequence.....................................................126.3.3 Environmental consequence .............................................126.3.4 Other consequences ..........................................................126.4 Probability of failure evaluation ..........................126.4.1 Probability of failure internal.........................................136.4.2 Probability of failure - external.........................................136.4.3 Probability of failure - fatigue ..........................................136.4.4 Probability of failure - other .............................................136.5 Risk assessment......................................................136.6 Results of Screening ..............................................136.7 Revision of screening.............................................13

7. DETAILED ASSESSMENT ............................... 137.1 Objective ................................................................ 137.2 General ................................................................... 137.3 Detailed RBI: Analysis detail level ...................... 137.4 Consequence of failure modelling........................ 147.4.1 Objective........................................................................... 147.4.2 Working process ............................................................... 147.4.3 Establish the event tree ..................................................... 157.4.4 Ignited consequences........................................................ 157.4.5 Unignited consequences ................................................... 157.5 Probability of failure modelling........................... 167.5.1 Objective........................................................................... 167.5.2 Working process ............................................................... 167.5.3 Probability of failure acceptance limit.............................. 167.5.4 Allocation of degradation mechanisms ............................ 167.5.5 Internal damage systems/service/materials ................... 167.5.6 External damage ............................................................... 177.5.7 Mechanical damage .......................................................... 177.5.8 Lower limit on calculation of PoF.................................... 177.5.9 Insignificant model ........................................................... 177.5.10 Susceptibility model ......................................................... 177.5.11 Rate model ........................................................................ 177.6 Leak hole size......................................................... 187.7 Estimation of risk .................................................. 187.8 Reporting of the assessment ................................. 197.9 Revision of assessment with new information .... 19

8. USE OF INSPECTION AND MONITORING . 198.1 Use of inspection results ....................................... 198.2 Validity check for inspection data ....................... 198.3 Use of corrosion monitoring results .................... 208.4 Use of process monitoring .................................... 20

9. INSPECTION PLANNING ................................ 209.1 Inspection scheduling............................................ 209.2 Inspection procedures........................................... 20

10. FITNESS FOR SERVICE................................... 21

APP. ASCREENING ..................................................................... 22

A.1 Guidance for use....................................................... 22A.2 RBI Screening Form................................................. 23A.3 RBI screening briefing ............................................. 24A.3.1 Consequence of failure....................................................... 24A.3.2 Probability of failure .......................................................... 24

APP. BCONSEQUENCE OF FAILURE EVALUATION......... 25B.1 General ..................................................................... 25B.2 Introduction .............................................................. 25B.3 Use of QRA data ...................................................... 25B.4 Method of overview ................................................. 25B.4.1 General ............................................................................... 25B.4.2 Steps in consequence assessment....................................... 25B.4.3 Use of Event Trees ............................................................. 26B.5 System description ................................................... 26B.6 Mass leak rates for gas and oil ................................. 26B.7 Dispersion modelling ............................................... 27B.8 Effect assessment of flammable releases ................. 27B.8.1 Calculation method ............................................................ 27B.8.2 Step 1: Development of an event tree ................................ 27B.8.3 Step 2: Event tree branch probabilities .............................. 28

DET NORSKE VERITAS


B.8.4 Step 3: Consequence of failure for end events ................... 29B.8.5 Steps 4 and 5: Total consequence of failure ....................... 31B.9 Assessment of the effect of Toxic releases ............. 31B.9.1 General ............................................................................... 31B.9.2 Asphyxiating fluids ............................................................ 31B.9.3 Hydrogen sulphide.............................................................. 31B.10 References ................................................................ 32

APP. CPRODUCT SERVICE CODES, MATERIALSDEGRADATION AND DAMAGE MECHANISMS..... 33

C.1 Introduction .............................................................. 33C.2 Internal degradation.................................................. 33C.3 External degradation................................................. 33C.4 Materials definition .................................................. 33C.5 Product service code definition ................................ 34C.6 Degradation mechanisms and damage modelling .... 36C.6.1 Steps in modelling .............................................................. 36C.6.2 Degradation mechanisms - hydrocarbon systems .............. 36C.6.3 Degradation mechanisms - water systems.......................... 38C.6.4 Degradation mechanisms - chemicals ................................ 41

C.6.5 Insignificant ........................................................................ 41C.6.6 Unknown ............................................................................ 41C.6.7 Degradation mechanisms - vent systems............................ 41C.6.8 Degradation mechanisms water - injection systems........... 41C.6.9 Degradation mechanisms - external corrosion ................... 41C.6.10 Fatigue ................................................................................ 44

APP. DINSPECTION PLANNING AND DATA ANALYSIS... 45

D.1 Inspection planning .................................................. 45D.1.1 Definition of inspection effectiveness ................................ 45D.1.2 Inspection techniques ......................................................... 45D.1.3 Damage mechanism and inspection effectiveness ............. 45D.2 Inspection data analysis ........................................... 50D.2.1 Grouping of data................................................................. 50D.2.2 Data quality checks ............................................................ 50D.2.3 Degradation mechanisms/morphology............................... 50D.2.4 Inspection method .............................................................. 50D.2.5 Corrosion monitoring data.................................................. 50D.2.6 Statistical evaluation of data............................................... 50D.2.7 Application of mata between corrosion circuits ................. 50

DET NORSKE VERITAS


1. General1.1 Objective of this documentThe objective of this recommended practice is to describe amethod by which a risk based inspection (RBI) plan may be es-tablished for offshore production systems. The document out-lines methods for evaluating probability and consequence offailure, making an assessment of the risk level, and concludingon the appropriate actions such as inspection that can be takento manage that risk. These activities have been carried out byinspection engineers for many years, and this document there-fore describes a quantification and systematisation of workingmethods rather than a new process. It should be noted that RBIis an inspection planning tool.The reasons for selecting a risk based approach to inspectionplanning are:

to focus inspection effort on items where the safety, eco-nomic or environmental risks are identified as being high,whilst similarly reducing the effort applied to low risk sys-tems

to ensure that the overall installation risk does not exceedthe risk acceptance criteria, set by the operator, at any time

to identify the optimal inspection or monitoring methodsaccording to the identified degradation mechanisms.

The RBI assessment should assess all relevant degradationmechanisms. This document addresses the most commonly ex-perienced degradation mechanisms found on offshore installa-tions, but the user should make themselves aware of anyspecial circumstances that are relevant to an individual instal-lation and that are not included in this recommended practice.These special circumstances must be treated separately.

1.2 ApplicationThis recommended practice is primarily intended used for theplanning of in-service inspection for offshore topsides staticmechanical pressure systems when considering failures by lossof containment of the pressure envelope. The system bounda-ries for applicability of the methods are the Christmas treewing valve through to the export pipeline topsides ESD valve.These systems involve the following types of components:

piping systems comprising straight pipe, bends, elbows,tees, fittings, reducers

pressure vessels and atmospheric tanks pig launchers and receivers heat exchangers unfired reboilers valves

pump casings compressor casings.

1.3 LimitationsExcluded from the scope of the recommended practice are:

structural items including supports, skirts and saddles seals, gaskets, flanged connections plate and compact-type heat exchangers failure of internal components and fittings instrumentation.

Failure modes, such as failure to operate on demand, leakagethrough gaskets, flanged connections, valve stem packing, to-gether with valve passing and tube clogging are not addressedin this document. The probability of such failures is not expect-ed to be affected by inspection, and so should be addressed asa part of a reliability centred maintenance (RCM) assessmentof the systems. Note that the consequences of failure deter-mined using this recommended practice can be useful in suchRCM analyses.

1.4 Relationship to other codes and standardsRisk based inspection methods and applications are describedin documents prepared by ASME and API /1/2/. Inspectionplanning and execution standards and recommended practicesare published by ASME.There are a number of design codes covering pressurised pip-ing, vessels and heat exchangers, and these should be soughtwhere needed. A number of codes have also been developedregarding the assessment of fitness-for-service and remaininglife, and these may be used to justify continued service whendamage is found during inspection.It should be noted that the use of risk-based principles ac-knowledges explicitly that it is cost-effective to allow somesystems to fail as long as the consequences of that failure arelow. This also implies that some systems may have such highconsequences of failure that failure is wholly unacceptable,and therefore these should receive most attention. This princi-ple challenges some accepted design codes based on determin-istic design and fitness-for-service codes, particularly whereworst-case scenarios are used in the calculations. It is likelythat a discrepancy in the requirements for inspection and reme-dial action will arise if risk-based and deterministic methodsare directly compared.

1.5 Definitions, symbols and abbreviationsThe following terms are used in this document with the specif-ic definitions as listed in 1.5.1 and 1.5.2.

DET NORSKE VERITAS


1.5.1 Definitions of terms

Term DefinitionComponent The individual parts that are used to con-

struct a piping system or item of equipment,such as nozzles, flanges, elbows, straightpieces of pipe, tubes, shells, and similar.

Condition Monitor-ing

Monitoring of plant physical conditionswhich may indicate the operation of givendegradation mechanisms. Examples are vis-ual examination of painting, corrosion mon-itoring, crack monitoring, wall thicknessmonitoring.

Confidence CoV A quantitative description of the uncertaintyin the data used in analyses, indicating thespread in the distribution of values. A dataset in which the assessor has high confidencecan be given a low CoV.

Consequence of fail-ure (CoF)

The outcomes of a failure. This may be ex-pressed, for example, in terms of safety topersonnel, economic loss, damage to the en-vironment.

Consequence of fail-ure ranking

A qualitative statement of the consequenceof failure. Often expressed as a textual de-scription (High, medium, low) or numericalrank (1, 2, 3).

Consequence of fail-ure type

The description of consequences of failureexpressed as safety, environment or eco-nomic consequence.

Corrosion Group A group of components or parts of compo-nents that are exposed to the same internaland/or external environment and made of thesame material, thus having the same poten-tial degradation mechanisms.Groups should be defined such that inspec-tion results made on one part of the groupcan be related to all the parts of the samegroup.

Coefficient of Varia-tion(CoV)

The CoV indicates the spread of a distribu-tion. The greater the CoV the greater the dis-tribution is spread and therefore the greaterthe uncertainty in any value within that dis-tribution. CoV is calculated as the standarddeviation of a distribution divided by themean value of that distribution.

Damage (type) The observed effect on a component of theaction of a degradation mechanism. Thedamage type gives rise to the failure mecha-nism of a component. Examples of damageinclude cracking, uniform wall thinning, andpitting.

Damage model A mathematical and/or heuristic representa-tion of the results of degradation. This mayexpress the accumulation of damage overtime as functions of physical or chemical pa-rameters, and normally includes the estima-tion of the conditions that give rise to failure.

Damage rate The development of damage over time.Degradation The reduction of a components ability to

carry out its function.Degradation mecha-nism

The means by which a component degrades.Degradation mechanisms, may be chemicalor physical in nature, and may be time orevent driven. The degradation mechanismscovered by this recommended practice are:

internal and external corrosion sand erosion fatigue stress corrosion cracking.

Economic risk An expression of the occurrence and out-come of a failure given in financial terms,with units of (currency per year). This is cal-culated as the product of the probability offailure and the financial consequences ofthat failure, and can include (but is not limit-ed to) the value of deferred production, thecost of repairs to equipment and structure,materials and man-time used in repair.

Environmental risk An expression of the occurrence and out-come of a failure given in terms relevant toenvironmental damage. This may be ex-pressed in units relevant to the installation,such as volume per year or currency peryear.

Equipment Equipment carries out a process function onoffshore topsides that is not limited to trans-port of a medium from one place to another,and therefore comprises but is not limited to:pressure vessels, heat exchangers, pumps,valves, filters.

ESD segment See Segment.Failure The point at which a component ceases to

fulfil its function and the limits placed on it.The failure condition must be clearly definedin its relationship to the component. Failurecan be expressed, for example, in terms ofnon-compliance with design codes, or ex-ceedance of a set risk limit, neither of whichnecessarily imply leakage.

Failure mechanism The means by which a component fails dueto the progression of damage beyond the setlimits imposed by the operator (such as a riskacceptance limit) or by physical limits suchas a breach of the component wall.

Failure mode The method by which failure occurs. Exam-ples are: Brittle fracture, plastic collapse andpinhole leak.

Fatal Accident Rate(FAR)

Potential loss of life per 100 000 000 hours.

Hot spot A location on pipe or equipment where thecondition being discussed is expected to bemost severe. For example, a hot spot formicrobial corrosion is an area of stagnantflow.

Inspection An activity carried out periodically and usedto assess the progression of damage in acomponent. Inspection can be by means oftechnical instruments (NDT) or as a visualexamination.

Inspection effective-ness

A description of the ability of the inspectionmethod to detect the damage type inspectedfor.

Inspection methods The means by which inspection can be car-ried out such as visual, ultrasonic, radio-graphic.

Inspection pro-gramme

A summary of inspection activities mainlyused as an overview of inspection activityfor several years into the future.

Inspection plan Detail of inspection activity giving the pre-cise location, type and timing of activity foreach individual inspection action that isplanned.

Inspection tech-niques

A combination of inspection method and themeans by which it is to be applied, concern-ing surface and equipment preparation, exe-cution of inspection with a given method,and area of coverage.

Limit state A mathematical description where the lossof pressure containment is calculated. This isan expression involving consideration of themagnitude of the applied loading in relationto the ability to resist that load.

Term Definition

DET NORSKE VERITAS


1.5.2 AbbreviationsThe following abbreviations are used in this document:

API American Petroleum InstituteASME American Society for Mechanical EngineersASNT American Society for Non-destructive TestingCoF Consequence of failureDNV Det Norske VeritasESD(V) Emergency shut down (Valve)FAR Fatal accident rateFORM First order reliability methodPFD Process flow diagramPLL Potential loss of lifePoD Probability of detectionPoF Probability of failureP&ID Piping and utilities diagramQRA Quantitative risk analysisRBI Risk based inspectionRCM Reliability centred maintenanceUFD Utilities flow diagram

2. References/1/ "Fossil Fuel Fired Electric Power Generating Station

Applications, Risk-Based Inspection Development andGuidelines" ASME Research Report, CRTD, Vol. 20-3. ASME, New York,1994.

/2/ API 579; Recommended Practice for Fitness-for-Serv-ice evaluation. January 2000.

/3/ API 510; Pressure Vessel Inspection Code; Mainte-nance Inspection, rating, Repair, and Alteration.8th ed., January 1999.

/4/ API 570; Piping Inspection Code; Maintenance Inspec-tion, rating, Repair, and Alternation. 2nd ed., February2000.

/5/ API 581, Base Resource Document - Risk Based In-spection, 2nd Edition, May 2000.

/6/ API 574: Inspection Practices for Piping System Com-ponents, 2nd Edition, June 1998

/7/ Accidents; DNV Technical report C3560/1./8/ Dow Fire and Explosion Index. Hazard Classification

Guide, 6th ed. 1987./9/ Technical Elements of Risk-Informed Inspection Pro-

grams for Piping. Draft Report, U.S. Nuclear regulatoryCommission. Nureg-1661.

/10/ OREDA: Offshore Reliability Data Handbook, DNV,1999.

/11/ API RP 580 "Risk Based Inspection 4th draft.

Limit state design Limit state design identifies explicitly thedifferent failure modes and provides a spe-cific design check to ensure that failure doesnot occur. This implies that the componentscapacity is characterised by the actual capac-ity for each individual failure mode (i.e. limitstate) and that the design check is more di-rectly related to the actual failure mecha-nism.

Monitoring An activity carried out over time wherebythe amount of damage is not directly meas-ured but is inferred by measurement of fac-tors that affect that damage. An examplewould be the monitoring of CO2 content in aprocess stream in relation to CO2 corrosion.

NDT Non-destructive testing. Inspection of com-ponents using equipment to reveal the de-fects, such as magnetic particles orultrasonic methods.

Operator The organisation responsible for operationof the installation, and having responsibilityfor safety and environment.

Potential loss of life(PLL)

Potential loss of life is expressed as thenumber of personnel who may lose theirlives as a consequence of failure of a compo-nent.

Probability A quantitative description of the chance ofan event occurring within a given period.

Probability of Detec-tion (PoD)

Probability that a given damage in a compo-nent will be detected using a given inspec-tion method. PoD usually varies with the sizeor extent of damage and inspection method.

Probability of Fail-ure (PoF)

The probability that failure of a componentwill occur within a defined time period.

Probability of failureranking

A comparative listing of probability of fail-ure for one item against another, without ref-erence to an absolute value for probability offailure.

Process monitoring Monitoring of process conditions which maygive rise to given degradation mechanisms.Examples are monitoring of dew point in agas line, monitoring temperature, sand mon-itoring.

QRA Quantitative risk assessment: The process ofhazard identification followed by numericalevaluation of event consequences and fre-quencies and their combination into an over-all measure of risk.

Risk Risk is a measure of possible loss or injury,and is expressed as the product of the inci-dent probability and its consequences. Acomponent may have several associated risklevels depending on the different conse-quences of failure and the different probabil-ities of those failures occurring.

Risk Based Inspec-tion (RBI)

A decision making technique for inspectionplanning based on risk comprising theprobability of failure and consequence offailure.

Risk type Risk expressed for a specific outcome, suchas safety for personnel, economic loss or en-vironmental damage.

Safety Risk Risk to personnel safety expressed in termsof potential loss of life (PLL) per year.

Term DefinitionSegment A number of components forming part of the

same pressure system, consisting of pipes,valves, vessels, etc., which can be automati-cally closed-in by emergency shut-downvalves. The segment defines the maximumvolume of fluid or gas that can released fromthat system in the event of a failure in any ofthe components. Some segments containboth liquid and gas which may be considereddifferently regarding consequence effects.Note that it is normal to assume that the ESDisolation functions on demand, but this maynot be applicable to all cases.

System A combination of piping and equipment in-tended to have the same or similar functionwithin the process. This may be, for exam-ple, instrument air supply, or low pressuregas compression.

Tag, tag number The unique identification of a part, compo-nent, pipe or equipment.

Time to failure The duration from a specified point in timeuntil the component suffers failure.

Term Definition

DET NORSKE VERITAS


3. Risk based inspection concept3.1 Risk managementRisk based inspection is based on the premise that the risk offailure can be assessed in relation to a level that is acceptable,and that inspection and repair, or other actions can be used tomanage the risk such that it is maintained below that accept-ance limit.The risk associated with a failure is calculated as the productof probability of failure and consequence of failure. Probabili-ty of failure and consequence of failure are defined inSection 4.4 and Section 4.5 respectively.Probability of failure and consequence of failure can be giveneither as a ranking (in qualitative RBI) or numerically (in quan-titative RBI). A combination of both can be used to quickly fo-cus on components where the risk levels are significant.The design and operation of offshore process systems is usual-ly based on the avoidance of degradation. This is achieved bythe combination of materials selection and dimensioning, useof chemicals, coatings and linings. Traditionally, design isbased on deterministic principles, where the worst case com-binations of corrosivity and loading are considered in the de-sign basis. Despite this, failures still occur, often as a result oferrors in the design, fabrication or operation of the system, ordue to changes in the operating conditions that were not fore-seen by the designer, with resultant unadvertised failure of cor-rosion control. Consequently, inspection has been specified inthe past to confirm whether the degradation rate is as expectedand that integrity can be maintained.The advantage of using risk-based principles over traditionalmethods is two-fold:

1) Probabilistic methods are used in calculating the extent ofdegradation and hence allow variations in process param-eters, corrosivity, and thus degradation rates, to be ac-counted for.

2) Consequences of failure are considered, so that attentioncan be focused where it will have significant effect.

One result is that the stipulated risk limit may be met before theend of the deterministic remaining life. This will depend on theuncertainty in the degradation of the component, and the con-sequence of failure for that component. In other cases the de-terministic remaining life may be used up before the risk hasapproached the acceptance limit. Both cases would indicatethat inspection is still required to monitor the process of degra-dation (as the inputs to the degradation models are often onlyapproximately known), but that the timing of that inspectionwould be different for the deterministic and probabilistic as-sessments.The process of estimating consequence of failure can highlightareas where measures can be taken that would reduce theseconsequences, thereby reducing risk levels. However, this isoutside the scope of this recommended practice.Consequence of failure values can also be used to focus atten-tion in areas where the probability of failure estimation is dif-ficult, indicating that alternatives to inspection should beconsidered to manage risk.

3.2 Inspection managementThe role of inspection in risk management is to confirm wheth-er degradation is occurring, and to measure the progress of thatdegradation. This has the effect of reducing uncertainty in theassessment of the condition of the component, thereby reduc-ing the estimated probability of failure. It is emphasised thatinspection on its own does not reduce the actual risks of failure,so risk management must include actions to repair or replacecomponents when inspection reveals that the risk is unaccept-able.

The objective of RBI is to aid the development of optimised in-spection, monitoring and testing plans for production systems.To get the best effect from RBI, inspection planning, executionand evaluation should be a continuous process where informa-tion and data from the process and the inspection / maintenance/operation activities are fed back to the planning, as indicatedin Figure 3-1.

Figure 3-1Inspection management process

Optimisation should take account of safety / environmentaland economic / financial risks, as well as the inspection costs.It should also be noted that degradation in many corrosion-re-sistant materials does not progress at a steady rate, but insteadinitiates and progresses quickly to failure once unfavourableconditions have become established. In addition, some degra-dation mechanisms give rise to damage that is not readily de-tected using conventional inspection methods. Consequently,the degradation mechanism and resulting probability of failurecan be used to indicate whether process monitoring or mainte-nance activity is a more cost-effective alternative to inspection.

3.3 Fabrication inspection and in-service inspectionThe quality control process in fabrication comprises control ofmaterials, components, consumables, fabrication processesand inspection and testing. The extent of fabrication inspectionis determined by the fabrication code, which may include alimited consequence assessment when specifying the extent ofinspection. The acceptance limit for defects that are detected isbased upon the ability of the inspection method to detect thatdefect type, and the extent of inspection is often adjusted to ac-count for historical experience as to the abilities of fabricatorsto deliver defect-free work.It must be recognised that not all defects are detected by fabri-cation inspection, and, although many fabrication defects canbe present without causing or contributing to a failure, anumber of failures can occur when bringing the system intoservice. Adoption of a risk-based approach to inspection at theearly design stage and carried through commissioning and intoservice would allow effective targeting of areas where materi-als verification and cross-check inspection should be carriedout. This approach would contribute to optimisation of whole-of-life costs.

3.4 RBI team competenceRBI and inspection management requires experienced person-nel at all levels as well as appropriate working routines for theexecution of the work. There are no formal requirements to theplanning function defined in any current standards, althoughrequirements for inspection execution are handled by the in-spector qualification schemes, such as those in accordancewith ASNT requirements, and the European standard EN 473.It must be understood that RBI analysis and inspection plan-ning is a multidisciplinary activity, and the following qualifiedand experienced disciplines should be involved:

Probability of FailureMaterials/Environment and Strength

Inspection Programme

Method, Timing, Coverage, Location,Cost

Consequence of Failure

Safety, Environment,Assets Loss

Owner goals

Inspection Plan

Inspection details, planning, logistics

Inspection and testing

Execution & Reporting

Inspection data evaluation

Analysis of results

Risk Evaluation

Inspection Management

Acceptance Criteria

DET NORSKE VERITAS


inspection engineers with hands-on experience of inspec-tion of piping, pressure vessels, heat exchangers, both in-service and during construction

materials/corrosion personnel with expertise in materialsselection, corrosion monitoring and control, chemicaltreatments, fitness-for-service assessments, coatings andlinings

safety/consequence personnel with experience in formalrisk analysis covering personnel safety, economic and en-vironmental disciplines

plant operation (process) and maintenance personnel withdetailed knowledge of the installation to be analysed.

Due consideration should be given to the wide background col-lated in such a team; for example, different aspects of the RBImethod will appear as obvious or difficult, depending onthe individuals previous training and experience.

4. Risk terminology and presentation4.1 GeneralThis chapter defines probability of failure, consequence of fail-ure and risk terms as used in this document, together with whatis involved in their estimation. Reporting methods are also giv-en. The following chapters give details of the working processfor estimating probability of failure, consequence of failure,risk and the resulting inspection plan.

4.2 Risk

4.2.1 Risk definitionThe risk associated with failure is defined as the product ofprobability of failure and consequence of failure. Consequenceof failure can be expressed in terms of different outcomes (CoFtypes), and risk types are defined similarly. The units of riskare the consequence units per unit time.

4.2.2 Risk acceptance criteriaRisk acceptance criteria are the limits above which the opera-tor will not tolerate risk on the installation. These criteria mustbe defined for each type of risk to be assessed.The risk acceptance criteria are used to derive the timing of in-spection, such that inspection is carried out prior to the accept-ance limit being breached. This would allow either thereassessment of the risk level based upon better information,detailed evaluation of any damage, or the timely repair or re-placement of the degraded component.Derivation of risk acceptance criteria is described inSection 5.3.

4.2.3 Risk presentationRisk is most conveniently presented as a matrix. This allowsthe relative contribution of both factors to be seen.Separate matrices for each risk type are required. The matrixshould be standardised for each operator/field in order to sim-plify communication and the decision process. To achieve ad-equate resolution of detail, a 5 x 5 matrix is recommended asshown in Figure 4-1.

Figure 4-1Example of risk matrix

The matrix has probability of failure on the vertical axis, andconsequence of failure on the horizontal. The divisions be-tween the categories of each should be chosen taking into con-sideration the absolute magnitude of the values, their ranges,and the need for consistent reporting when comparing differentinstallations.The matrix scales should be as described in sections 4.4.2 and4.5.2 of this recommended practice.

4.3 Qualitative and quantitative RBIQualitative or quantitative RBI are the extremes at which RBIcan be carried out, and the definition and advantages of eachare given below. In practice the distinction is not so clear cut,and most RBI is a blend of both.

1) Qualitative: A numerical value is not assigned, but insteada descriptive ranking is given, such as low, medium orhigh, or a numerical ranking such as 1, 2 or 3. Qualitativeranking is usually the result of using a judgement-basedapproach to the assessment.

2) Quantitative: A numerical value is calculated with units ofmeasurement. Quantitative values can be expressed anddisplayed in qualitative terms for simplicity by assigningbands for probability of failure and consequence of failure,and assigning risk values to risk ranks.

The advantage of using a qualitative approach is that the as-sessment can be completed quickly and at low initial cost,there is little need for detailed information, and the results areeasily presented and understood. However, the results are sub-jective, based on the opinions and experience of the RBI team,and are not easily updated following inspection. It is not easyto obtain results other than a ranking of items in terms of risk;the variation of risk with time allowing estimation of inspec-tion interval based on the risk acceptance limit is not possible.An example of qualitative RBI is the screening method, (albeitwith quantitative risk criteria) described in Chapter 6 of thisrecommended practice, which is used to quickly assign high,medium or low risk levels.The advantage of the quantitative approach is that the resultscan be used to calculate with some precision, when the risk ac-ceptance limit will be breached. The method is systematic,consistent and documented, and lends itself to easy updatingbased on inspection findings. The quantitative approach typi-cally involves the use of a computer to calculate the risk andthe inspection programme. This can be initially data-intensive,but removes much repetitive detailed work from the traditionalinspection planning process.An example of largely quantitative RBI is the method de-scribed in Chapter 7, which is used to calculate risk levels in aconsistent manner.

CAT ANNUAL PROBABILITY OFFAILURE

5 > 10-2 expected failure4 10-3-10-2 high

Consequence Category A B C D EConsequence of Failure

2 10-5 to 10-4 low1 < 10-5 virtually nil

3 10-4 to 10-3 medium

DET NORSKE VERITAS


4.4 Probability of failure4.4.1 Probability of failure definitionProbability of Failure (PoF) is estimated on the basis of thecomponent degradation. PoF is related to the extent of, and un-certainty in, the degradation related to the components resist-ance to its loading. PoF is the probability of an event occurringper unit time (e.g. annual probability).4.4.2 Probability of failure presentationQuantitative probability of failure values have a wide rangefrom zero to unity, and therefore a logarithmic scale is recom-mended for displaying the results graphically.The recommended probability of failure scale used in the con-text of this recommended practice is as shown in Table 4-1.The table also shows the recommended qualitative rankingscale assigned to the quantitative probability of failure values.

In the above table, a small population comprises in the orderof 20 to 50 components, a large population 200 to 500 com-ponents.

4.4.3 Probability of failure modellingDegradation models describe the damage incurred by a com-ponent. A number of models and their application to the esti-mation of probability of failure are described in Appendix C.These models have been classified with the following descrip-tions as shown schematically in Figure 4-2.

Rate model. Damage accumulates over time. This model isusually amenable to inspection as the relatively low dam-age rate often allows for a number of inspections beforefailure.

Susceptibility model. Damage occurs very quickly after adelay of unknown duration, and is triggered by an externalevent. This is not amenable to inspection, but instead mon-itoring of the key controlling parameter(s) is recommend-ed.

Insignificant model. No degradation is expected for thecomponent.

Figure 4-2Schematic of degradation modelling

4.5 Consequence of failure4.5.1 Consequence of failure definitionConsequence of failure is evaluated as the outcome of a failurebased on the assumption that such a failure will occur. Conse-quence of failure is defined for all consequences that are of im-portance to the operator, such as safety, economy andenvironment. Each should be assessed separately giving dueaccount to cases where leaks result in a fire or explosion (i.e.ignited leak) and those that do not (i.e. non-ignited leak).4.5.2 Consequence of failure presentationConsequence of failure values or rankings should be presentedseparately depending on the consequence type.Safety consequence should be expressed in terms of potentialloss of life (PLL) for personnel.Economic consequence should be expressed in financial termsusing appropriate currency units.Environmental consequences can be expressed in terms ofmass or volume of a pollutant released to the environment, orin financial terms as the cost of cleaning up the spill, includingconsideration of fines and other compensation.The consequence scale used in matrices and other presenta-tions is necessarily different for PLL and currency, and shouldbe selected to account for the full range of values. For consist-ency of approach, consideration should be given to adopting aharmonised scale for all installations located in one field, orowned by one operator.The consequence of failure scale should advance in decadesfor each category, where the lowest category includes valuesup to the risk acceptance limit assuming that probability offailure 1.0.

4.5.3 Safety consequence modellingThe evaluation of safety consequences comprise an estimationof the consequences to the safety of personnel on the installa-tion. For the purposes of RBI this should be expressed in termsof PLL given that a leak will occur.Safety consequence is usually estimated for failures that leadto fire, explosion or toxic release, with the effects of escalationincluded in the assessment. Failure of components containingany high pressure gases or fluids should also be considered.When estimating safety consequence, the changes in manninglevels that occur as a result of different phases of operationmust be considered.

4.5.4 Economic consequence modellingThe economic consequences of failure are calculated as thesum of the cost of repairs to equipment and structures damagedas a result of the failed component and the cost of productiondown-time.

Table 4-1 Probability of failure description

Cat Annual failure probability DescriptionQuantitative Qualitative

5 > 10-2 failure expect-ed

In a small population, one ormore failures can be expect-ed annually

4 10-3 to 10-2 highIn a large population, one ormore failures can be expect-ed annually

3 10-4 to 10-3 mediumIn a small population, one ormore failures can be expect-ed over the lifetime of theinstallation

2 10-5 to 10-4 lowIn a large population, one ormore failures can be expect-ed over the lifetime of theinstallation

1 < 10-5 negligible Failure is not expected.

PoF

TimeNowSusceptibilitySusceptibility

1.0

10-5

Rate modelRate model

InsignificantInsignificant

DET NORSKE VERITAS


When considering the cost of production down-time, the indi-vidual conditions for the installation and system should be con-sidered. Some systems have little or no effect on production, orhave at least a partial redundancy in capacity. Similarly, someinstallations are not required to produce continuously or havespare capacity that can be substituted. Oilfield economics us-ing discounted cash flows and assigned financial expectationsto an installation, usually imply that production deferredmeans production lost.The cost of repairs to the installation and equipment onboardshall also be considered, covering material cost, fabrication,installation and commissioning of the replacement equipment

4.5.5 Environmental consequence modellingThe evaluation of environmental consequence includes bothshort term (cleanup) and long-term effects both globally andlocally. Environmental issues may receive very high media at-tention that can affect an operator more than the real value ofthe damage caused, so this should be given consideration in theevaluation. An environmental assessment for RBI is intendedas a simplified and rational approach to include the effect with-in inspection planning and is not a substitute for a more thor-ough environmental analysis required by authorities.The definition of the units (financial, volumetric) for environ-mental consequence will depend on the operators philosophyand acceptance criteria.As a general principle, leaks arising from topsides process sys-tems, either gas or oil, are considered to represent a minorthreat to the environment due to the limited volume of hydro-carbons that can be released. However, releases from flowlines(live crude), drilling activities, and from storage vessels ortanks represent a larger problem, as the enclosed inventoriesare much larger.An oil spill onto the surface of the water is readily visible andmay result in punitive action by the regulator, as well as clean-up cost. Direct costs for oil releases are mainly related to theclean-up costs if the spill drifts towards shore. The actual effectwill then depend on the location of the field in relation to theshore, oil drift conditions, temperature and evaporation.Note that the regulator may give permission to discharge treat-ed produced water where the oil content is below a specifiedlevel, and therefore this liquid is not considered to be polluting.The loss of toxic chemicals into the environment must be con-sidered separately, as in some cases a small volume of chemi-cals can have a widespread effect on the environment. For thepurpose of inspection planning, environmental effects of gasreleases are considered insignificant. It should be noted thatthere may be financial consequences due to government im-posed CO2 taxation.

5. Working process5.1 ObjectiveThe objective of this working process is to lead the RBI teammembers through methods used to prepare a risk and cost-op-timised inspection plan. Figure 5-1 presents an overview of theworking process in the form of a flow chart. Section numbersare given to cross-refer to the activity descriptions.

5.2 Outline of the processThe working process has been divided into two stages:

1) Risk screening, which is intended to address risks per sys-tem and is aimed at sorting piping and equipment intohigh, medium and low risk, following the methods de-scribed in Chapter 6. Generally, low and medium riskitems will require minimal inspection supported by main-

tenance. High risk items will require a more detailed eval-uation which is the subject of the second stage.

2) Detailed quantitative analysis with methods that can be ap-plied at various level as considered appropriate for anygiven case; e.g. ranging from utilisation of generaliseddata for an entire system, to the specific evaluation of in-dividual, parts or inspection points.

The approach is also adaptable to cases where judgement mustbe used if controlling factors are not well defined. The methodsemployed in these step are given in Chapter 7, included guid-ance to selecting a suitable detailed level for analysis.This analysis provides a full inspection plan including inspec-tion methods, and timings, that is readily updated as inspectiondata becomes available.

Figure 5-1Overview of RBI working process

5.3 Acceptance criteriaTo be able to manage installation risk so that it lies below thelimits acceptable to the operator, the acceptance limits for eachtype of risk must be defined. The contribution to the total riskfrom inspectable events related to the systems undergoinganalysis should be found, and this divided over the componentat which the RBI is to be carried out, such as a piping system,process stream, process segment, pressure vessel or pipe tag.As there are several acceptance criteria, it is necessary to havea decision logic regarding the order of importance of these lim-its in deciding which limit is to govern the time to inspection.This order of importance should be recorded.The acceptance criteria must be the same for both stages of theprocess so that all the work refers to the same limits i.e. in bothscreening and detailed RBI. For presentation purposes it maybe useful to translate the numerical values into descriptive lim-its.

5.4 Information gatheringThe following sources of information should be available tothe engineers carrying out the RBI evaluations at the screening

Develop and agree riskacceptance criteria

(Chapter 5.3)

Gather information(Chapter 5.4)

Carry out screening(Chapter 6)

Risk level High

Risk levelMedium / Low

Adequate data availablefor detailed analysis? NoYes

PoF model available?

Yes

Detailed Quantitative analysis(Chapter 7)

Inspection Plan(Chapter 8, 9)

Maintenance actions

Set PoF to cat 5 & calculateCoFor

Set CoF to cat E and calculate PoF

Risk levelacceptable?No Yes

Inspection planacceptable ?No Yes

Execute plan

No

Create PoFModel

DET NORSKE VERITAS


and detailed RBI stages as noted in Table 5-1.The appendices show the details of the information required inorder to be able to estimate both the consequence and probabil-ity of failure for given degradation mechanisms and materials.In the absence of such information, assumptions may be basedon judgement and experience. All such assumptions must berecorded.

6. Risk screeningThe purpose of the screening process is to identify those sys-tems that are judged to give a significant contribution to the in-stallation risk levels. This ensures that further data gatheringand assessment efforts can be focused on these systems.

6.1 Working processScreening is carried out in a qualitative manner that involvesidentification of risk on a system by system, group by group ormajor equipment item basis. On the basis of knowledge of theinstallation history and future plans and possible components'degradation, the consequence of failure and probability of fail-ure are each assessed separately to be either high or low asdefined in 6.3.1 to 6.4.2 inclusive. The results of screeningshould be recorded; a recording proforma with guidance is giv-en in Appendix A. The actions required as a result of screeningare shown in Table 6-1.Inspection data is used only as general guidance, as the screen-ing is intended to identify systems, groups and equipmentwhere it is cost-effective to use more time-consuming detailedassessment.

6.2 Screening teamIt is essential that all necessary expertise is available to thescreening team, and therefore the personnel identified inSection 3.4 should be present.

6.3 Consequence of failure evaluationConsider the worst-case outcome of the likely failure, andcompare that against the risk acceptance limit making the as-

sumption that failure will occur, i.e. probability offailure = 1.0. If the outcome is greater than the acceptance lim-it, then rank the consequence of failure as high, otherwiserank it as low.

6.3.1 Safety consequenceAcceptance criteria at a tag level are not always intuitively as-sessable in the screening session: experience shows that theboundary between low and high safety consequence can betaken as the possibility of personnel exposure leading to injuryand a lost-time incident.

Guidance note:A release of a fluid that is normally accepted as being difficult toignite, such as diesel fuel, can still result in ignition due to im-pingement on hot surfaces. Also a high pressure leak may resultin formation of a mist that can readily ignite in the presence ofequipment or work that may generate sparks.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Typically the loss of any flammable or toxic fluid or gas wouldbe expected to give a high safety consequence.

6.3.2 Economic consequenceA production shut-down would normally be expected to give ahigh economic consequence. However, due considerationmust be given to the installation operational economics such asfield production profile, system redundancies and penaltiesthat might arise from contractual production guarantees.

6.3.3 Environmental consequenceThe release onto the sea of any hydrocarbon liquid or processchemical (unless specifically known to be benign, or of lowvolume) would be expected to give a high environmentalconsequence. Releases of gases into the air should be consid-ered in the light of local regulations.

6.3.4 Other consequencesIf required, other consequences can be assessed, such as thepolitical consequence (in terms of adverse press coverage orloss of share value) that could arise from a spill or fire. The def-initions of these other consequences must be discussed duringagreement of the acceptance criteria.

6.4 Probability of failure evaluationConsider whether there is any possibility of failure, under theknown operating conditions and taking into account the ap-proximate chemical composition, the temperatures of the flu-ids and the effects of time. The boundary between low and highprobability of failure has been set to approximately 10-5 peryear, i.e. no significant degradation is expected with PoF of10-5 or less.It is not the intention to carry out a detailed evaluation, but toassess whether these conditions are likely to give rise to negli-gible degradation (low) or degradation rates that are not neg-ligible (high).Care should be taken to ensure that the consideration of proc-ess conditions accounts for future variations as the reservoirbecomes depleted, such as increase in water cut, temperatures,or H2S evolution. It is important also to account for likely ex-cursions in process parameters due to upset conditions.

Guidance note:Data requirements and screening guidance for probability of fail-ure are given in the Appendices that treat each degradation mech-anism. Appendix C should be consulted for the applicablemechanism. Care should be taken when using the Appendices forguidance on probability of failure to ensure that the assumptionsmade regarding the conditions under which the components op-erate are applicable to the systems in question.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Table 5-1 Information requirements

Information source Screening DetailedRBICoating specifications xCorrosion protection philosophy xDesign accidental load analysis xDFI resume xEquipment data and vessel sheets xESD logic diagrams xInspection/failure/replacement details xInspection/failure/replacement historyknowledge x x

Insulation specifications xLayout drawings xMass balance sheets xMaterial design specification & selectionreport x x

Materials selection reports xP&IDs x xPFDs x xPiping data sheets xProduction data (past and future) xQRA x xSystem descriptions manual x xUFDs x x

DET NORSKE VERITAS


6.4.1 Probability of failure internalConsider the probability of failure due to combinations of ma-terials, fluids, gases, temperatures and pressures, also includ-ing degradation due to erosion and the passage of chemicalswithin the systems. Consider also likely changes in the use ofthe system such as use of water injection pipework for oilproduction.

6.4.2 Probability of failure - externalConsider the probability of failure for each material that mightarise as a result of the external environment, taking account oftemperatures, coatings, the presence of water-retaining insula-tion and the effects of time.

6.4.3 Probability of failure - fatigueThe possibility of failure due to fatigue can be considered. Ar-eas where there are known or suspected problems should beevaluated, for example small diameter side-branches of stain-less steel. The significance of vibration sources should also beconsidered, such as poor or damaged support systems, recipro-cating equipment, unbalanced rotating equipment and fluidhammer.

6.4.4 Probability of failure - otherAny other causes of failure can be included in the assessment.This can include any known or suspected abnormal conditionsthat can cause concern.

6.5 Risk assessmentAfter assignment of the probabilities and consequences, thesystem or vessel is assigned to detailed RBI or to maintenanceactivities as shown in Table 6-1. The most severe result for anyof the consequence categories taken with the most severe resultfor the probability categories is used to stipulate the final out-come.

It is essential to assess whether the piping and vessels within asystem experience different conditions, such as the possibilityof water condensation within a vessel but not in the piping sys-tems, and the effect of flow rates in piping and vessels on sanderosion.The recommendations for action as shown in Table 6-1 are de-veloped on the basis that inspection is only effective in reduc-ing the probability of failure. There may be other causes offailure with significant consequences that have not been con-sidered because they are not within the scope of inspection.

6.6 Results of ScreeningThe results of the screening process are that systems, groups orequipment items are assessed as having either, high, medi-um or low risk:

a) Items with high risk should be evaluated further using themore detailed method in Chapter 7.

b) Items with medium or low risk should be considered formaintenance activity as noted in Table 6-1.

c) High consequence items should also undergo checks fordegradation mechanisms not considered in the screening.

The consequence of failure evaluation can also be used as inputto RCM analyses and for additional consequence mitigationactivities, such as installation of dropped object protection.6.7 Revision of screeningThe screening process should be periodically revised as part ofthe overall inspection management process to ensure that theassumptions used in the evaluations remain valid. Changes inprocess or other conditions may result in systems or equipmentmoving to high risk and therefore should be subject to detailedRBI.

7. Detailed assessment7.1 ObjectiveThe objective of the detailed RBI assessment is to identify therelevant degradation mechanisms for each component, esti-mate the extent of damage, calculate when inspection shouldbe carried out, and propose what inspection technique shouldbe used to ensure that the risk level for that component does notexceed the acceptable risk limit.

7.2 GeneralThe process for detailed RBI evaluation is outlined below.This refers to the appendices of the recommended practice fordetailed estimation of probability of failure and consequenceof failure.As the analysis level becomes more detailed, it is clear that thenumber of calculations will also increase. For this reason, as

well as facilitating the updating of the analysis after inspection,the use of a computer is recommended.

7.3 Detailed RBI: Analysis detail levelDetailed assessment is based on defining groups of compo-nents so that the analysis for one component can be applied toall the others within that group. Grouping is typically carriedout with reference to PFDs and P&IDs. It is likely that differentgroups will be defined for the assessment of probability of fail-ure and consequence of failure.Before beginning the evaluations, the level of detail at whichthese evaluations are to be carried out should be established.This should account for the level of detail required by the in-spection planners who are to work with the results of the anal-ysis, as well as the amount and level of input data available.This is summarised in Table 7-1. The level of detailing will of-ten be increased for the high risk items, i.e. the analysis processwill start at systems level and proceed to tag level for selected

Table 6-1 Risk matrix for screeningProbability of Failure Risk Categories and Screening Actions

5

> 10-5Significant

probability offailure

Medium risk High risk4 Inspection can be used to reduce the risk, but is unlike-

ly to be cost-effective; the cheapest solution is often tocarry out corrective maintenance upon failure.

Detailed analysis of both consequence and proba-bility of failure.3

2

1 < 10-5 Negligible

Low risk Medium riskMinimum surveillance, with corrective maintenance,if any. Check that assumptions used in the damage as-sessment remain valid, e.g. due to changes in operat-ing conditions.

Consequence is high so actions (such as preventa-tive maintenance) should be considered to ensurecontinued low probability as small changes inconditions can increase PoF and give high risk.

Consequence category A B C D EAcceptable consequence of failure. Unacceptable consequence of failure

DET NORSKE VERITAS


items.It should be noted that inspection planning is concerned withthe smallest level of detail (inspection point) and so if the RBI

analysis is carried out at a system, segment or group level,more time will be used in the inspection planning process thanif the RBI is executed at detailed tag level.

7.4 Consequence of failure modelling7.4.1 ObjectiveConsequence of failure is calculated for each consequencetype to facilitate calculation of equipment and damage-specificrisk.

7.4.2 Working processIt is generally expected that consequence modelling can drawon the results of other analyses developed for the installation;typically QRA and RAM analyses. However, if these docu-ments are not available then the simplified methods given inAppendix B can be used. In all cases it is recommended thatrisk engineers are involved in this part of the RBI analysis.The consequences of a release that leads to a fire or explosiondemand different consideration from a release of a fluid or gasthat does not ignite. This section addresses the consequencecalculations for ignited and unignited releases separately and

hence their different outcomes with respect to safety, econom-ic and environmental consequences.For the purposes of RBI, the consequence of failure is definedas the outcome of a leak given that the leak occurs. The calcu-lation methods used in a QRA usually include generic proba-bility of leak data that are not necessarily specific to theinstallation, material or the degradation mechanisms. Thesedata must be removed and replaced with probability of failureof 1.0.Table 7-2 gives an overview of the factors to consider whencalculating the consequence of failure.Consideration should also be given to the probabilities of dif-ferent outcomes from each leak. This is best described using anevent tree, where the sequences of outcomes is given by appro-priate branch probabilities.The steps shown in sections 7.4.3 to 7.4.5.4 should be followedto estimate consequence of failure.

Table 7-1 Analysis detail levelSmallest component analysed Advantage Disadvantage

SystemESD segment

Relatively small amount of data required General data can be used Relatively few calculations, so can be done quickly Fits well with existing QRA analyses Low initial investment

May contain several corrosion groups, so beingoverlay conservative with regard to degrada-tion Lacks detail needed for inspection plan-ning.

May overlook some parts. Needs detailed review of components to ensure

worst case materials and dimensions have beenevaluated.

Output requires significant work in inspectionplanning to add the detail.

May be little gain when updating from inspec-tion findings.

Corrosion group

Relatively small amount of data required Relatively few calculations, so can be done quickly

Lacks detail needed for inspection planning. May overlook some parts. May infer excessive inspection in larger

groups. Needs detailed review of components to ensure

worst case materials and dimensions have beenevaluated.

Output requires significant work in inspectionplanning to add the detail.

Pipe tag, inspection point orVessel part (e.g. nozzle, weld)

All sizes of the part and materials are considered. Unlikely that parts will be overlooked. Output is directly useful to inspection planners. All parts of the vessel/tag are considered. Allows unusual cases, and well understood equip-

ment and degradation mechanisms to be includedseparately.

Identification of high risk parts of vessel may saveintrusive inspection.

Separate degradation mechanisms found in specificlocations in the vessel/tag are evaluated separately.

Greatest precision in updating analysis with inspec-tion findings.

Requires large amount of data. Computer calculation required. Data may not be available in physical or elec-

tronic format.

DET NORSKE VERITAS


7.4.3 Establish the event treeAn event tree describing the sequence of events following aleak should be established. Event trees are used to calculate theprobability of each end event occurring, and are commonlyfound in QRA or Safety Case documents. If these documentsare not available a simple version is given in Appendix B.The effects of the end events on the safety, economic or envi-ronment consequence should be chosen to reflect the particturcircumstances of the installation.

7.4.4 Ignited consequencesIgnited consequences consider the effects of an ignited gas orliquid release on personnel, the cost of damage to the installa-tion by fire and blast, the cost of deferred production, and sub-sequent environmental consequences. It is recommended thatthese consequence calculations are based on leak rates thattake account of the leak hole sizes that would be expected as aresult of the given degradation mechanism. This ensures thatthe calculated consequences can more fully reflect the actualcircumstances of the leak. Typical hole sizes are discussed inSection 7.6 and guidance about hole sizes is included in the ap-pendices for each degradation mechanism.

7.4.4.1 Personnel safety: Fire & BlastThe probability of ignition and probability of explosion, givena leak, should be calculated in each segment using the eventtree. The probability of the size of the resulting fire is used to-gether with the population density in the module to estimatethe loss of life. In the case of an explosion, the explosion over-pressure can be used to estimate the resulting loss of life. Thesedata should be contained within the QRA or Safety Case,though Appendix B can be used to determine approximate val-ues if they are otherwise unavailable.

7.4.4.2 Economic consequences: Damage to the installationDamage to the installation may be confined to a single module,or if the fire or blast is of sufficient magnitude, additional mod-ules or the whole installation may be damaged or lost.

In the case of a jet fire, it is expected that any items withinthe radius of the fire may be damaged or destroyed.

In the case of a pool fire, all equipment that stands withinthe pool should be considered damaged or destroyed.

Where equipment subject to fire loading also contains sig-nificant amounts of hydrocarbons, the effects of the fireloading and duration should be used to estimate knock-oneffects. In these cases, passive and active fire protectioncan be considered as mitigating factors.

The blow-down capability, i.e. reducing pressure and vol-ume of fluid available to fuel the fire, should be considered

for both the leaking equipment and other equipment sub-ject to fire loading; the effects of the fire should be adjust-ed accordingly.

Further mitigating factors, such as fire and gas detection,deluge and sprinklers, together with the philosophy fortheir use (e.g. deluge start on confirmed gas detection andbefore fire detection), should be taken into account.

These points may be contained within the QRA or Safety Case,though Appendix B gives simplified calculations where theseare needed.Assessment of the costs associated with repairs is described inSection 7.4.5.2 and Section 7.4.5.3.

7.4.4.3 Environmental consequencesIn the case of ignited leaks, it is not expected that significantvolumes of liquids will be deposited on the sea during the fire.However, the condition of the installation following an explo-sion or a severe fire may be such that wells or storage tankswill leak.In addition, the large amount of smoke generated by such firesmay be a concern. As yet there are no criteria developed or cal-culation methods for estimating the consequence; this willhave to be treated qualitatively. Financial penalties may be ap-plicable in certain cases.Further, there may be a political element to the environmentalconsequence once there has been press exposure. Considera-tion should also be given to loss of reputation and loss of sharevalue.

7.4.5 Unignited consequencesUnignited consequences consider the effects of any toxic re-lease on personnel, the economic costs of deferred productionand repairs, and the environmental consequence of a liquidspill on the sea.

7.4.5.1 Personnel safety: Toxic/asphyxiant releaseThis requires the estimation of the rate of build-up of toxic lev-els of gas within a module and consideration of the escape ofthose personnel working within the module. Mitigating factorssuch as toxic gas detectors and system blow-down should alsobe considered.It must be noted that the major toxic gas encountered offshore,H2S, has a greater explosive limit range than methane.The release of asphyxiant gas should also be considered. Sucha release may occur from a liquid nitrogen plant located withinthe hull space of an installation, resulting in undetected lowlevels of oxygen that may cause asphyxiation of personnel inthe vicinity.

Table 7-2 Factors to consider in consequence assessment.Ignited leakSafety Consequence Economic Consequence Environmental ConsequenceConsider loss of life due to:

burns to personnel direct blast effects to personnel indirect blast effects to personnel (mis-

siles, falling objects) injuries sustained during escape and

evacuation

Consider the costs of:

repair of damage to equipment and struc-ture

replacement of equipment and structuralitems

deferred production damage to reputation

Consider the effects of:

toxic gas release smoke

Unignited leakSafety Consequence Economic Consequence Environmental ConsequenceConsider loss of life due to:

Toxic gas release Asphyxiating gas release Impingement of high pressure fluids on

personnel

Consider the costs of:

deferred production repairs

Consider the effects of:

hydrocarbon liquids spilled onto the sea

DET NORSKE VERITAS


7.4.5.2 Economic consequences: Cost of deferred productionThe value of deferred production is calculated as the value ofproduction per hour multiplied by the number of hours at thereduced production rate. This can be expressed as a net presentvalue using a suitable discount rate, or as a fixed currency sum.The amount of deferred production will depend strongly on thedesign of the installation process system(s) and their interac-tion. Production systems with several parallel trains can usual-ly be operated with one train isolated so that the installationwill be able to produce at a reduced rate until the damaged trainis repaired and recommissioned. The value of deferred produc-tion will therefore be less than for a single-train installationwhere any leak will require full production stop during the en-tire extent of repair.The time-profile of deferred production for each part of thepressure-retaining systems should be defined so that it can beapplied to all parts of that system or part-system.The profile should take into account the time taken in repairand the individual process and well characteristics for restor-ing production from the stop or partial-production condition.

7.4.5.3 Economic consequences: Cost of repairsThe cost of repairs in terms of deferred production should becontained within the production loss profiles described in Sec-tion 6.3.3, making sure that the specific repair methods are ad-dressed where these will have an effect on the repair time. Inaddition, the costs of materials, man-time, mobilisation of per-sonnel and equipment to the installation, provision of specialistservices, cleaning of the work area, and similar, should be es-timated in financial terms and added to the cost of deferredproduction.

7.4.5.4 Environmental consequences: Liquid spillIn the case where environmental consequences are to be meas-ured in volume of liquids lost to the sea, then it is necessary toestimate this figure for each relevant system and segment.It will be necessary to determine the amount of liquid that willfall onto the sea and not be contained within bunding or byplated decks and drains; this will depend strongly on the designof the installation as well as the position of the leaking part, thepressure within the system, the monitoring devices, and thevolume that can be lost.A coarse approximation that can be used: Assume that all liq-uid contained within a system or segment is released by a leak,resulting in a pool of the same volume of liquid as was con-tained within the system or segment. An estimation of the ca-pacity of the drains to handle such a volume withoutoverflowing to the sea should be made if the decking in thearea is plated. Where the deck is made from grating, then theentire spilled volume should be assumed to fall through; ifplated deck is beneath, then estimate the drains capacity as pre-viously.Where the estimated volume of liquids reaching the sea is un-acceptable, then a more detailed estimation can be made on thebasis of expected leak size and location. This will couple theconsequence estimation to the degradation mechanism for leaksize and location, and can account for a slower leak rates thanthat used in the coarse approximation.

7.5 Probability of failure modelling7.5.1 ObjectiveThe purpose of probability of failure modelling is to determinewhich degradation mechanisms are likely to be found in eachpart, assess the current probability of failure for each relevantdegradation mechanism, and evaluate the development ofdamage, and hence PoF, with time.The objective is to derive a PoF limit that is used to indicate thetime interval in which inspection should be carried out and re-

vise these intervals as inspection and monitoring data becomesavailable.

7.5.2 Working processThe working process for detailed probability of failure calcu-lation is listed in Sections 7.5.3 to 7.5.11.The sections follow the process; determining the probability offailure acceptance limit based on the risk limit, determiningwhich degradation mechanisms are relevant to the part in ques-tion, and then calculating the probability of failure for thosemechanisms. The calculated probability of failure can be com-pared against inspection data and corrected if the data is foundto be valid. Finally, the change of probability of failure withtime is used to calculate when the risk acceptance limit will bebreached.Note that consequence of failure can depend on the hole sizeused in the leak calculation, and that the hole size depends onthe degradation mechanism.

7.5.3 Probability of failure acceptance limitTo allow the time to inspection to be calculated, the risk ac-ceptance limit must be converted to a probability of failure lim-it. This limit must be expressed for each type of riskconsidered.The PoF limit is given by:

Note that the same part may have more than one probability offailure limit depending on the consequence type.

7.5.4 Allocation of degradation mechanismsThe degradation mechanisms affecting a part depend on thecombination of the material of construction, the contents of thepart, the environment surrounding the part, the operating con-ditions and any protective measures.Internal and external degradation mechanisms should be de-fined for each part by reference to the tables in Appendix C.The degradation mechanisms are labelled as (see 4.4.3); insig-nificant model, susceptibility model or rate model. Their use incalculating probability of failure is discussed individually inSection 7.5.9, Section 7.5.10 and Section 7.5.11.The tables in Appendix C have a number of assumptions asso-ciated with them that shall be checked and confirmed to be ap-plicable for the circumstances related to the individual part. Ifthe assumptions are not valid, then specialist assistance shouldbe sought to evaluate the specific circumstances.The applicable degradation mechanisms shall be listed foreach part together with the reasons for selection.

7.5.5 Internal damage systems/service/materialsMechanisms are addressed according to groups of systemsthat define the overall product or media in that system. Thisconcept is essential to the selection of relevant mechanisms forthe analyses. The objective is to determine which degradationmechanisms are possible for each of the materials expectedused in a given service. This is an assessment that is based ongeneral experience and fundamental knowledge of materialsand service. The result is a listing of product/materials/possibledegradation mechanisms, that in practice will include moremechanisms than are actually expected in a specific analysis.Appendix C shows such a list of the most relevant services,materials and degradation mechanisms for internal damage.The list is based on general knowledge gathered among oper-ating companies and open literature. All combinations of ma-terials and services are not listed, and expert evaluations may

PoFLimit, TypeRiskLimit, Type

CoFType-----------------------------------=

DET NORSKE VERITAS


be needed where these are missing.Past inspection results and experienced failures from the spe-cific installation or any similar installations may add to the listof possible mechanisms.

7.5.6 External damageExternal damage is only related to the external environmentand condition of the surface protection. The damage can eitherbe of the type rate or susceptibility as described in 4.4.3.Appendix C describes the assessment for external damage.

7.5.7 Mechanical damageMechanical damage caused by vibration, ship/platform move-ment, flow effects, or other sources, may cause fatigue crackgrowth and fracture. For piping systems, the damage is oftenlocated in local hot-spots, such as welded connections, branch-es, clamps, or vessel nozzles, where the design gives a highstress concentration factor and restraint may also increaseloading locally.Fatigue in piping systems caused by high frequency vibrations(such as from reciprocating machinery) is expected to propa-gate rapidly to failure once a crack is initiated, and is thereforenot readily amenable to monitoring and control by inspection.In such situations, it is recommended that the local vibrationamplitude and the local stresses are measured, rather than cal-culating the crack growth.Where the source of vibration is low frequency, such as fromship motion, then inspection may be used to measure the devel-opment of damage.Appendix C describes the assessment procedure for mechani-cal damage.

7.5.8 Lower limit on calculation of PoFThe proposed scale for probability of failure is as shown in Ta-ble 4-1 and elsewhere in this document.A cut-off point is set for PoF below 10-5 as probabilities belowthis number are both very difficult to model and observe, andwill usually represent an insignificant risk.

7.5.9 Insignificant modelThis model is based on the expectation that no damage will oc-cur, yet it allows a risk value to be calculated. The model allo-cates a fixed probability of failure value, regardless of time, asbelow.

PoF = 10-5 per year.Inspection is not relevant for this model expect for checkingthat any premises remain valid.Appendix C should be consulted for guidance about typicalmaterials and fluids combinations where this model is expect-ed to be applicable.

7.5.10 Susceptibility modelThis model gives a value for probability of failure dependingon factors relating to operating conditions. For a given set ofconditions that are constant over time, the probability of failurealso remains constant over time. This implies that the onset anddevelopment of damage are not readily amenable to inspec-tion. However, actions can be related to monitoring of keyprocess parameters, such as excursions or a change of condi-tions, that can be used to trigger inspection.Appendix C provides guidance about typical materials and en-vironmental conditions where this model is expected to be ap-plicable and suggests values for PoF for typical conditions.If PoF > PoFlimit, type, then immediate action must be taken.This action may be one or a combination of:

assess and repair any damage change or treat the contents so that it is less damaging reduction of operating temperature exclusion of damaging environment (e.g. coating, lining,

exclusion of water from insulation) change of material type.

7.5.11 Rate modelThis model assumes that the extent of damage increases as afunction of time, and therefore probability of failure also in-creases with time. This implies that the development of degra-dation can be measured by inspection, and that the inspectionresults can be used to adjust the rate model to suit the actual sit-uation. The resulting damage is normally a local or generalwall thinning of the component.Appendix C should be consulted for guidance about typicalmaterials and fluids combinations where this model is expect-ed to be applicable. The appendix also suggests mean andstandard deviations for damage rates and the distribution typeto be applied for different degradation mechanisms.The failure probability increases over time as the wall thins andis dependent on the loading in the material. The controllingfactors include:

damage rate wall thickness size of damage material properties operational pressure (as the primary load).Additionally, each degradation mechanism is itself controlledby a number of factors, such as temperature and pH.All these factors vary somewhat, and a full probabilistic anal-ysis should consider every factor as a stochastic variable. Inpractice, however, the uncertainties associated with the dam-age rate, and any measured damage, tend to outweigh the un-certainties of the other variables. This allows somesimplification to be used without significant loss of precision.A more accurate calculation of probability of failure is ob-tained from First Order Reliability Methods (FORM) usingdistributions for all the most important factors. FORM is bestcarried out using computer techniques and is likely to requirea specialist in mathematical and statistical techniques to devel-op the algorithms. A number of suitable software tools areavailable that include these methods as part of RBI calcula-tions.A further simplification is outlined in the method given below.This uses pre-defined distributions, as referenced inAppendix C, and assumes that the mean damage rate is theonly uncertainty variable. For mechanisms other then CO2-corrosion, PoF scale factor curves are given for three coeffi-cients of variance (CoV) of corrosion rate only: 2.0, 1.0 and0.33, representing high, medium and low spread respectively.This method facilitates calculation of PoF at any point in time,based on the mean damage rate and the difference between agiven wall thickness and wall thickness at which a release isexpected.Rearranging the equations allows approximate results to be ob-tained for:

The latest time at which inspection should be carried outto check that risk acceptance limit is not exceeded.

Approximate results can be obtained for:

the current PoF expected defect size at any point in time timing corresponding to other action triggers, e.g. cor-

rosion allowance expected to be consumed;

dnv rp-g101 risk based inspection

Documents

foundation det norske

omission of det norske

provision det norske

foreworddet norske veritas

dnv offshore services

offshore codes

dnv services

offshore standards