Risk assessment for structural design criteria of FPSO systems. Part I: Generic models and acceptance criteria


Marine Structures 28 (2012) 120–133


Michael H. Faber (a), Daniel Straub (b), E. Heredia-Zavoni (c,*), R. Montes-Iturrizaga (c)

(a) Institute of Structural Engineering, ETH Zurich, CH-8093 Zürich, Switzerland
(b) Engineering Risk Analysis Group, TU München, Germany
(c) Instituto Mexicano del Petróleo, Eje Central Lázaro Cárdenas 152, México DF 07730, Mexico

Article info

Article history: Received 9 November 2010; received in revised form 16 November 2011; accepted 6 May 2012

Keywords: FPSO risk assessment; Bayesian probabilistic networks; Risk acceptance; Life quality index; FPSO design criteria

Abstract

A generic framework for consequence assessment and risk analysis of FPSO systems for the purpose of establishing structural design criteria is introduced, taking basis in recent work by the Joint Committee on Structural Safety (JCSS) addressing the issue of system representation through exposure events, direct and indirect failure consequences. The scenarios considered for risk-based calibration of a design code safety format for FPSO systems are outlined. It is shown how these scenarios may be represented in a generic risk assessment model using Bayesian Probabilistic Networks (BPNs). Risk acceptance criteria related to consequences to humans are determined based on the Life Quality Index (LQI), which is outlined and discussed in this paper. The generic risk framework and acceptance criteria are then applied in a companion paper [1] to build consequence models and to determine target reliability indices for structural design of FPSO components. © 2012 Elsevier Ltd. All rights reserved.

* Corresponding author: E. Heredia-Zavoni.
doi:10.1016/j.marstruc.2012.05.006

1. Introduction

Risk assessment is considered an appropriate tool for the development of structural design criteria and guidelines for FPSO systems that are consistent with the relevant natural hazards, mainly meteorological and oceanographic site conditions, as well as operating conditions, production volumes and economics, and inspection/maintenance practices and philosophies. For that purpose, the risk assessment provides the basis for determining the optimal level of structural reliability for design; the corresponding design criteria for all relevant failure modes should be determined by consideration of the possible consequences of failures. The assessment of failure should consider all relevant causes of structural failures due to environmental extreme loading, degradation processes, accidental load events and operational errors.

Taking basis in a discussion of best practices and more recent developments on systems risks, the present paper introduces a generic framework for consequence assessment and risk analysis of FPSO systems. Thereafter, the scenarios considered for the risk-based calibration of a design code safety format for the design of FPSO facilities are outlined. Furthermore, it is shown how these scenarios may be represented in a generic risk assessment model greatly enhanced by the utilization of hierarchical risk modeling procedures such as Bayesian Probabilistic Networks (BPNs).

BPNs have several advantages when compared to traditional risk assessment tools. Foremost, the risk assessment methodology becomes more transparent because the considered events and their causal interrelations are represented graphically, which strongly facilitates communication of the model. Experts in design and operation of FPSOs with limited experience in risk assessment techniques are able to contribute directly to the basis of the risk assessment. BPNs are used to assess expected consequences of failure, which along with risk acceptance criteria, provide the basis for determining optimal target reliabilities for structural design. Furthermore, BPNs may be developed generically such that they are valid for a given FPSO design concept (for example disconnectable or non-disconnectable turret, single or double hull, etc.).
Information regarding specific design choices for any FPSO of the given concept type may then be introduced in the risk assessment through the nodes of the BPNs and the corresponding consequences and risk are immediately obtained without any further efforts. Finally, the BPNs greatly facilitate the identification of the weak spots in a given concept by allowing the identification of the most probable causes of adverse events leading to consequences. This can provide insightful information on how risks may be better reduced by optimization of the design parameters. In addition, to account for societal acceptance criteria of the risk associated with the operation of FPSOs, it is necessary to establish the optimal and acceptable level of reliability of the individual components of the FPSOs. A short outline and discussion of best practices in regard to risk acceptance criteria (RAC) and the more recent concept of the Life Quality Index (LQI) as a practically applicable means to determine how much should be invested into life saving activities, are therefore provided. The process of design optimization may then be efficiently facilitated by use of the developed risk models, the BPNs and the concept of the LQI. Applications of the generic risk assessment framework and the RAC to decision making on target reliability indices for structural design of components of FPSOs are presented in a companion paper [1].

2. On best practice risk assessment

Most regulated risk assessments are built up around procedures such as the ones defined e.g. in the Australian New Zealand Standard AS/NZS 4360 [2], but also in the recently developed AS/NZS ISO 31000 standard [3] on “General principles on risk assessment for structures”. Following these procedures, risk analysis may be represented in a generic format, which is largely independent from the application, e.g., independent from whether risk analysis is performed in order to document that risks associated with a given activity are acceptable or whether it is performed to serve as a basis for management decision making. Reviews of present practice on engineering risk assessments and risk-informed decision making may be found in [4–8].

It is not within the scope of the present paper to outline best practice risk assessments in any detail. Instead, some of the more recent insights derived from practical applications as well as from research in the area of risk assessment are presented and discussed in the following. This discussion will then form part of the basis for the formulation of a risk assessment framework for FPSOs presented in this paper and its application to decision making on target reliability indices for structural design which is shown in a companion paper [1].


2.1. On the identification of systems and scenarios

Practical experience has shown that one of the main problems leading to inconsistent risk assessment originates from incomplete representations of the systems. Only too often it is seen that different risk assessments, even of the same system or activity, are implicitly or explicitly based on different basic assumptions. These concern particularly the modeling of consequences, where a clear definition as to what is to be included and what not is often missing. Furthermore, regarding the treatment of uncertainties and dependencies between failure scenarios and events leading to consequences, many risk assessments are performed on a highly diverging level of detail and accuracy. To counteract such problems, it has become best practice in many industrial risk assessments to perform risk screening meetings or workshops where a broad representation of expertise of relevance for the risk assessment is ensured. Their main purpose is to gather all available information and knowledge about the system under consideration on a subjective or semi-quantitative basis as well as to narrow down the scope of detailed quantitative risk assessment.

System representation is a key factor in regulating risk assessment. The experience gained in the engineering profession during recent years indicates that risk assessment may effectively be regulated and homogenized through an appropriate definition of how to identify and represent the systems being analyzed. However, best practices in risk assessment do not appreciate this issue systematically and in different application areas there are diverging schemes for identifying and defining the system. In fact, so-called generic procedures for risk assessment, see e.g. [2], do not address the representation of the system at all.
With this starting point, the Joint Committee on Structural Safety (JCSS) has developed a framework document on risk assessment in engineering with a special address on the specification of a generic framework for representation of systems subject to risk assessment [9]. Procedures and tools for risk assessment should thus be developed to support the consistent identification of a system and the relevant scenarios.

2.2. On the assessment of consequences

In connection with assessing consequences of loss of lives, controversy and inconsistency are observed throughout the engineering profession, see e.g. [10]. For risk-based cost-benefit evaluations, loss of lives is typically accounted for by associating it with monetary values representing societal values of life assessed on very different bases. However, recent research has pointed to the perspective that this need not be done at all [11], considering that such monetary conversions are only relevant in situations where compensations, generally regulated by the practice of law [4], are to be paid.

Another problem relating to consequence assessment concerns the modeling of especially rare events with potentially very large consequences. In risk assessment and regulation, it has been customary to weigh risks resulting from large consequence events over-proportionally relative to the risks associated with low consequence events. This increased weight of large consequences is typically referred to as risk aversion and, unless the weighing is based on detailed quantitative evaluations, it may lead to significant inconsistencies in the assessment of risks and even to ethical inconsistencies when consequences are associated with loss of lives. To circumvent the need for and the use of risk aversion the concept of so-called indirect consequences was developed [12].
Such consequences aim at extending the traditional consequence analysis to consider specifically those consequences going beyond the traditional boundaries of the system under analysis in terms of time and space, but also accounting for possible consequences triggered by public opinion in the aftermath of severe events [10].

2.3. On the analysis of probability

Some discussions have taken place over the last decade on the treatment of uncertainties in risk assessment. This specifically concerns what is now referred to as aleatory uncertainty (natural variability) and epistemic uncertainty (lack of knowledge and data), see e.g. [13–16]. Within the area of probabilistic seismic hazard analysis, and more recently in the context of assessing the consequences of global warming, it is customary to account for the different types of uncertainty in order to systematically represent different expert opinions on relevant model hypotheses. It has been shown in numerous applications that differentiating between different types of uncertainties is crucial in the context of systems analysis, analysis of extreme events over time and space, portfolio risk management, and also in the context of risk-informed decision making where the option to collect additional knowledge is considered a potential risk reducing measure.

In order to facilitate a consistent treatment of uncertainties, so-called hierarchical probabilistic models have been found appropriate, especially Bayesian hierarchical models, see e.g. [17]. Compared to traditional quantitative risk assessments, Bayesian risk models facilitate straightforward updating based on new evidence or additional data, or by direct inclusion of subjective expert knowledge.

3. Generic models for consequence assessment

Following the JCSS framework [9], a system is represented through three different characteristics: exposures, direct consequences and indirect consequences, as illustrated in Fig. 1. The technical and procedural components of a given system are represented by constituents which, in their interaction, provide the functionalities of the system itself, see Fig. 2. The potential hazards are modeled by different exposure events acting on the constituents of the facility. The constituents of the facility can be considered as the facility’s first defense in regard to the exposures. These constituents are represented by limit state functions that define the events of failure and survival. The damages of the constituents represent the state of damage of the system and are associated with direct consequences. Direct consequences may comprise different attributes of the facility such as monetary losses, loss of lives, damages to the qualities of the environment or just modified characteristics of the constituents.
Based on the combination of constituent failure events and their corresponding consequences, indirect consequences may occur. Indirect, or follow-up, consequences are associated with losses of functionalities caused by the (combined) effect of constituent failures. Indirect consequences play a major role in risk assessment. Typically, indirect consequences unfold beyond the spatial boundaries of the facility and also have a certain, sometimes even delayed, development in time.

In this framework, the vulnerability of a system is related to the direct consequences caused by the damages of the system constituents for a given exposure event. In risk terms the vulnerability of a system is defined through the risk associated with all possible direct consequences integrated (or summed up) over all possible exposure events. On the other hand, the robustness of a system is related to the ability of a considered system to sustain a given damage state subject to the prevailing exposure conditions and thereby its ability to limit the consequences of exposure events to the direct consequences. It is of importance to note that the indirect consequences for a system not only depend on the damage state but also on the exposure of the damaged system. When the robustness of a system is assessed it is thus necessary to assess the probability of indirect consequences as an expected value over all possible damage states and exposure events.

Fig. 1. System representation proposed by the JCSS (2008).

Fig. 2. Logical representation of interrelation between exposures, constituent failures, and consequences. (Figure panels: Exposure events; Constituent failure events and direct consequences; Follow-up consequences.)

The system representation should be able to incorporate any information on measurable or observable variables which may characterize the exposure to hazards, the vulnerability or the robustness of the system, and thus have an influence on the risk assessment. In the JCSS formulation, any observable or measurable characteristic of the systems or its constituents containing information about the risk is understood as a risk indicator. For instance, for structural risk assessment of offshore facilities, the location of a structural element and the time since its last inspection may be indicators of its exposure to hazards such as dropped objects or ship impacts; a detected damage condition in a structural element is input information for assessing its capacity and therefore its reliability as a constituent of the structural system; the type of hydrocarbon transported by a submarine pipeline will establish the possible failure scenarios and economic consequences of failure; the volume of hydrocarbons handled by a facility will determine the economic consequences associated with production interruption in case of structural collapse. Risk indicators have been defined by Oien [18] as observable or measurable operational variables which describe risk influencing factors that, in principle, are regarded as theoretical variables that might not be directly measurable. Development of risk indicators and its application for health and safety in the offshore oil industry can be found in [19] and [20].
The generic indicator-based system-representation methodology described here has been utilized successfully in various offshore industrial applications such as repair planning for offshore platforms [21] and is used here for structural risk assessment of FPSO systems to formulate design criteria.

4. FPSO scenario and consequence modeling

Taking basis in the generic indicator-based system representation by JCSS [9], an important task in the risk assessment is the identification of the system under consideration in regard to relevant scenarios and consequences. Risk screening meetings were conducted to identify the relevant scenarios and consequences, as discussed next.

Failure events may be caused by the following types of exposure events: (1) Environmental loads on hull, mooring system and risers, i.e. loads from extreme and normal winds, waves and currents; (2) Operational loads in risers and on the hull, e.g. loads due to pressure and temperature, storage and offloading of tanks, and ballasting operations; and (3) Human and operational errors, regarding e.g. collisions with passing vessels, helicopter crashes, dropped objects, tank cleaning operations and hot works. Note that all of these are considered exposure events for the purpose of structural risk assessment of the FPSO system; however, a different classification might be appropriate for a risk assessment with a different focus. For instance the event of a helicopter crash would be considered a failure event if the system under consideration is the transportation system. Events originating from the processing operations in the vessel, which do not depend on the structural design of hull, moorings and risers, or on the FPSO concept chosen, are not considered here; thus no specific consequence model and detailed risk assessment are developed here for the risks associated with such events.

In general, the immediate effect of the exposure events will be either structural damages, or the development of fires and explosions. These failure events are considered damage states in the risk modeling, i.e., states associated with direct consequences. The following direct consequences are considered: (1) cost of repair and replacement; (2) fatalities and injuries; and (3) release of hydrocarbons to the environment.

Finally, as a consequence of the considered damage states, indirect consequences might occur. In the present context the following indirect consequences are considered: (1) oil production interruption; (2) loss of vessel; (3) damage to nearby facilities; and (4) loss of reputation.

Monetary losses may be induced by material damages (including loss of facility), loss of production, compensation of fatalities and injuries, compensation due to damages to the environment as well as loss of reputation. Although fatalities, injuries and environmental damages lead to monetary consequences as well, they must also be considered separately because acceptance criteria are typically specified for each of these categories separately.

4.1. Scenarios related to extreme environmental load conditions

For consequence assessments, multiple scenarios associated with a hurricane event are considered. These include:

- Scenario I: Hurricane event, evacuation and well closure are successful; the mooring system does not fail
- Scenario II: Hurricane event, evacuation and well closure are successful; the mooring system fails
- Scenario III: Hurricane event, evacuation and well closure are not successful; the mooring system does not fail
- Scenario IV: Hurricane event, evacuation and well closure are not successful; the mooring system fails

The direct and indirect consequences associated with these scenarios are identified. Exemplarily, the consequences associated with scenario I are described in the following.

In scenario I, the hull and mooring are generally intact but subject to effects of degradation, the vessel is subject to extreme environmental loads which depend on ballast and cargo, and the mooring system does not fail. The failure events associated with direct consequences are:

a. local load effects cause failure of scantlings and/or global load effects exceed the sectional capacity of the hull,
b. green water on deck with resulting damages on topside structures,
c. cracks develop with resulting loss of containment between tanks or between tanks and sea,
d. one or more risers fail due to combined effect of fatigue and extreme loads,
e. due to evacuation and well closure the production is interrupted.

These failure events lead to direct consequences in terms of monetary losses, damages to the qualities of the environment, fatalities and injuries. The consequences to personnel will depend on the availability and function of gas detection equipment, fire fighting system, evacuation and life saving systems.


Follow-up events that characterize the robustness of the system are:

f. due to local or global overloading the vessel is lost,
g. due to crack growth in tank partitions, explosions in the cargo area occur, which in turn leads to loss of vessel,
h. due to damages and/or overloading of the topside structures modules might fall on deck, initiate explosions and lead to loss of vessel,
i. due to large damages/loss of vessel and/or significant damage to the environment, the production on other vessels might be seized for a period of time while investigations are undertaken,
j. after the hurricane due to damages and associated repair works the production will be delayed,
k. major irregularities or environmental damages lead to loss of reputation.

These follow-up events lead to indirect consequences which are in terms of monetary losses, damages to the qualities of the environment, fatalities and injuries. The consequences to personnel will also depend on the availability and function of gas detection equipment, fire fighting system, evacuation and life saving systems, etc.

4.2. Scenario related to normal environmental load conditions

In this scenario, the vessel is subject to normal environmental loads combined with loads due to tank under full operation. The hull and mooring are generally intact but subject to effects of degradation. Failure events associated with direct consequences are:

a. cracks develop undetected in hull (depends on detection system) with resulting loss of containment between tanks or between tanks and sea,
b. cracks in hull are detected with subsequent repair (tank emptying and cleaning),
c. one or more risers fail due to fatigue,
d. one mooring line fails due to fatigue,
e. objects are dropped on deck or mooring/riser lines,
f. vessel is impacted by ships,
g. helicopter crashes on deck area,
h. human or technical errors lead to overpressures in ballast/cargo tanks and vessel is damaged,
i. corrosion through tank partitions facilitates communication between tanks and with the environment,
j. human errors in connection with maintenance and repair works (e.g. hot works, cargo emptying and cleaning) lead to fires and explosions.

Follow-up events that characterize the robustness of the system are:

k. due to crack growth in tank partitions explosions in the cargo area occur, which in turn leads to large damages or loss of vessel,
l. due to large damages/loss of vessel and/or significant damage to the environment the production on other vessels might be seized for a period of time while investigations are undertaken,
m. due to failure of risers, fires and explosions might occur in the turret/moon-pool area, which may lead to additional damages or loss of vessel,
n. damages caused by ship impact lead to loss of cargo containment and possible fires and explosions,
o. helicopter crash leads to fires or explosion in cargo tanks and the vessel is lost,
p. dropped objects in the tank area penetrate into cargo tanks with subsequent explosion and fires and the vessel is damaged or lost,
q. major irregularities or environmental damages lead to loss of reputation.

In the assessment of consequences caused by corrosion pits or cracks between tanks it is necessary to account for the following scenarios:

- Cracks between cargo tanks above the crude might lead to explosions if the cracks occur above the cargo level and if there is no inert gas system.
- Cracks between cargo and ballast tanks lead to ingress of crude into the ballast tank. When the ballast is mixed with crude, cracks in the ballast tanks above the ballast level can lead to explosions.
- Cracks in the partitions to the slop tanks might lead to explosions.
- Corrosion pits through the cargo bottom plate might lead to release of crude to the environment.
- Corrosion pits between cargo and ballast tanks will lead to ingress of crude in the ballast tanks.
- Corrosion pits between cargo tanks will allow for communication between cargo tanks.

These different situations should be considered in the consequence assessment as relevant in connection with the scenarios defined in the above. Thereby, the effect of gas-detection systems must also be accounted for.

5. Bayesian probabilistic networks for risk assessment

Bayesian Probabilistic Networks (BPNs), also known as Bayesian Belief Networks or Bayesian Networks, constitute a flexible, intuitive and strong model framework for Bayesian probabilistic analysis. BPNs are probabilistic models based on a directed graph, wherein the nodes represent the random variables of the problem and the links between nodes represent the dependence among the random variables. The graph structure allows decomposing complex problems, because the modeling can make use of causal relationships among the random variables of the problem. This has computational advantages, but also facilitates the modeling process. An introduction to BPN is provided in [22].

BPNs may replace both fault and event trees and can be used at any stage of a probabilistic analysis. Due to their mind mapping characteristic, they represent a useful tool in the early phases of a probabilistic analysis, where the main task is to identify the potential scenarios and the interrelation of events leading to adverse consequences. BPNs are ideally suited for assessing expected failure consequences because they allow modeling of scenarios by means of conditional probabilities of the individual failure events. Event trees that are typically used in QRAs for consequence assessment can be considered a special case of BPNs. However, in addition to the event tree modeling, the BPNs can be extended to modeling the joint effect of several failure events. Also, the representation of failure event sequences is more intuitive using BPNs, thus facilitating the communication of the models. Applications of BPNs for offshore engineering are described in e.g. [21,23,24].

Following [25], the general principle of BPNs employed for risk assessment in the present study is outlined in Fig. 3. The constituent failure events are described by the limit state functions, where the corresponding partial safety factors can be included as variables.
Other decision variables include the system concept or inspection intervals. Also, a set of observable risk indicators can be included explicitly in a BPN. Financial consequences are then computed as the sum of the direct and the indirect consequences.

Fig. 3. General format of Bayesian probabilistic networks for risk assessment.

To assess the risk related to a single constituent failure event, it is required to compute the expected consequences, involving both direct and indirect consequences. To assess the direct consequences, it is in most cases sufficient to consider a constituent failure event individually. To determine the expected indirect consequences, however, it is generally necessary to assess the expected consequences for a combination of failure events, in particular when different failure events exhibit strong stochastic or functional dependence. Financial consequences include various types of economical consequences, such as lost production, repair/replacement cost, compensation payments, loss of reputation etc. These consequences are the economical costs arising to the operator, on the basis of which the optimization of the target reliability (and corresponding safety factors) is to be performed.

In Fig. 4, a consequence model based on a Bayesian Probabilistic Network is shown, modeling the direct consequences of a fatigue failure in plates of cargo/oil tank that may lead to a leak. Note that such a leak could also be caused by corrosion or overloading, but the size of the leak will depend on the failure mechanism and, therefore, the consequences of the failure will be different for the different limit states. Note that the BPN shown can be collapsed into a simpler network that consists only of the indicators, the failure event, the vulnerability nodes and the consequence nodes, because the other nodes are generic, i.e., they apply to all leak failure events in cargo/oil tanks [26]. The different consequences of a given failure event are then assessed simply as a function of the indicators. Notice that no explicit modeling of the robustness is included. However, for the full consequence assessment, the indirect consequences must be included and it is, thus, required to extend the models typically applied in QRAs. To extend the above model to include the indirect consequences, nodes representing the follow-up events can be added to the network, in accordance with the scenarios given earlier.
Such nodes would be: (1) Escalation of the fire to adjacent tanks and process equipment; (2) Ability to control and stop the fire; (3) Loss of structural integrity of the entire hull; (4) Evacuation of personnel from the FPSO; (5) Loss of the FPSO; (6) Ability of other installations in the field to take over the functions of the FPSO. Detailed examples of the implantation of BPN for risk assessment of FPSOs are presented in a companion paper [1]. Because the BPN assesses the expected utility, all consequence nodes must be in the same unit. This unit is typically a monetary value. For this reason, the consequences to personnel, which are fatalities and injuries, and damages due to oil spills, are translated to monetary values. However, compliance with risk acceptance criteria is verified in terms of number of fatalities or amount of oil spilled, i.e. these consequences must also be considered separately. To this end, the consequence nodes must be expressed in their respective units (e.g., number of fatalities for the “consequences to personnel” node) with all other consequence nodes set to zero. The BPN then gives the expected number of fatalities related to this constitutive failure event. The nodes in the BPN describing adverse events to personnel

Fig. 4. Example of BPN for consequence assessment of leak in cargo/oil tank.


and to the environment, which are part of the indirect consequences, provide the necessary information to check acceptability of the safety factors or a target reliability index, in accordance with the overall risk acceptance criteria. In order to determine the acceptance criteria associated with injuries and fatalities, the approach based on the Life Quality Index is taken here.

6. Risk acceptance criteria – The life quality index

The decision in regard to risk acceptability is often made by expert judgment and supported by cost-benefit studies and comparisons with experience. Until recently the predominant approach has been to use the risks experienced and apparently accepted in the past as a guideline for making decisions on acceptable risks for the future. For calibration of structural design codes, choices of acceptable failure probabilities have been referred to reliability levels of existing structures with a long history and considered to have performed well. While this might be taken as an agreeable procedure, explicit probabilities or reliabilities that have been inferred from satisfying structural behavior reveal that there is great variation between different design practices [27]; furthermore, for new extraordinary buildings the argument of a long history of satisfactory performance might not apply. As discussed in [27], it is hence difficult to ensure that past and present design practices produce structures which are economically optimal and simultaneously “safe enough”.

Within the offshore industry, the Fatal Accident Rate (FAR) has been used as an acceptance criteria format related to life safety. It is defined in terms of the number of persons on a given offshore facility, the annual number of exposure hours, and the Potential Loss of Lives, which is the expected number of fatalities per year. Typical ranges of acceptable FAR lie in the interval 10–15.
Risk acceptance criteria in the offshore industry have also been expressed in the form of the annual probability of a certain accidental event, or impairment of a safety function, not exceeding a given threshold. Other such formats to represent and document risk acceptance have been the so-called Farmer or FN diagrams, where three regions are defined: (1) a region of low risk considered negligible; (2) a region where risk is so large that it is unacceptable; and (3) an intermediate region where the generally applied philosophy is to implement risk reduction measures on the basis of cost efficiency considerations. A commonly used principle for this is the As Low As Reasonably Practicable (ALARP) principle, which simply implies that risk reduction should be performed as long as the corresponding costs are not disproportionally large compared to the risk reducing benefits. For a review and discussion of issues related to risk acceptance criteria in regulation of the UK and Norwegian petroleum activities regarding accidental events for people, the environment and for assets, we refer to [28] and [29].

Over the last 10–15 years, significant developments have been made to support regulation of risk criteria based on scientific socio-economical models, as discussed in [30], [31], and later in [32]. The Life Quality Index (LQI) principle has been proposed in [30] as a variant of the so-called marginal life saving cost principle [31]. The LQI takes basis in a modelling of societal preferences for investments into life safety considering macro-economical variables. Based on this preference it is possible to determine whether an activity or facility is acceptable or not, taking into account the efforts made to reduce life safety risks.
The LQI models the preferences of a society quantitatively as a scalar valued social indicator in terms of the part of the Gross Domestic Product (GDP) per capita that is available for risk reduction purposes g, the expected life at birth l and the proportion of life spent for earning a living w. The Life Quality Index can be expressed in the following principal form:

$$\mathrm{LQI}(g, l) = g^{q}\, l \tag{1}$$

In (1), parameter q is a measure of the trade-off between resources available for consumption and the value of time of healthy life. It depends on the fraction of life time allocated for economical activity and furthermore accounts for the fact that only part of the GDP is generated through work and another part through investment returns,

$$q = \frac{1}{l}\,\frac{w}{1 - w} \tag{2}$$


Fig. 5. Illustration of the use of risk acceptance criterion based on LQI.

where l is a constant taking into account that only part of the GDP is based on human labor. This equation is obtained by assuming that working time in society corresponds to the optimal trade-off between money earned and time available [32]. Conceptually, the LQI principle states that any investment in an infrastructure project or in life risk reduction measures should result in an increase of the LQI; thus, following from (1)

$$\frac{dg}{g} + \frac{1}{q}\,\frac{dl}{l} \geq 0 \tag{3}$$

where dg can be taken as the economic cost of implementing a given safety regulation or the economic benefit of a given infrastructure, and dl is the associated change in life expectancy. Regulations or infrastructure projects which do not result in an increment of the LQI would not be acceptable. The criteria in (2) can be shown to lead to the following Risk Acceptance Criteria (RAC) [9]:

$$dC_y(p) \geq -\frac{g}{q}\, C_x\, N_{PE}\, k\, dm(p) \tag{4}$$

where $p$ is the design variable, i.e., the possible decision alternatives for risk reduction, $C_y(p)$ are the annual investments which should be invested into life safety, $m(p)$ is the failure rate, $C_x$ is a demographical economical constant corresponding to a given scheme x for mortality reduction, $N_{PE}$ is the number of persons exposed to the failure, and $k$ is the probability of dying given a failure. Eq. (3) states that risk reduction measures must be undertaken as long as the corresponding marginal risk reduction exceeds the marginal costs of risk reduction. In Fig. 5 it is illustrated how the failure rate $m(p)$ as well as the normalized risk reduction costs $C_y(p)\, q / (C_x\, N_{PE}\, k\, g)$ depend on $p$. In the illustration it is assumed that the cost of risk reduction is linear in the decision parameter $p$. The failure rate $m(p)$, on the other hand, is in general a non-linear function of $p$. The maximum acceptable failure rate is obtained for the minimum value of $p$ for which the above inequality holds, assuming that the failure rate decreases continuously with increasing $p$. Any value of $p$ larger than this value can be considered acceptable. An application example of the LQI principle is presented in a companion paper [1].

7. Conclusions

An integrated framework has been presented for the purpose of structural risk assessment of FPSOs. Special emphasis has been given to improve traditional approaches to quantitative risk assessment by


utilization of recent advances in representation of systems, consequence modeling, and definition of risk acceptance criteria. To this end the indicator-based generic system representation recently developed by the Joint Committee on Structural Safety (JCSS) is used and applied to identify relevant failure scenarios. Representation of these scenarios in a generic risk assessment model, greatly enhanced by the use of Bayesian Probabilistic Networks (BPN), has been analyzed. The graph structure of BPNs allows modeling complex problems making use of causal relationships among the random variables of the problem, which has computational advantages and also facilitates the modeling process. For the assessment of expected failure consequences, scenarios can be modeled in BPN by means of conditional probabilities of individual failure events. Event trees typically used in QRAs can be considered a special case of BPN; however, the BPN can be extended to modeling the joint effect of several failure events. The assessed expected consequences can then be used in cost-benefit formulations to define target reliabilities for design criteria development.

In order to handle the causal structure of consequence models, the BPN should be compact. The number of variables, states, and cause-effect links between them should be limited; otherwise managing the conditional probability tables becomes a complex task and furthermore does not facilitate the understanding and use of the model by non-experts in risk such as stakeholders, decision makers or regulators. BPN are acyclic directed graphs, i.e. they can only represent one-way cause-effect relationships under steady-state conditions or within a given time frame. Thus, some limitations may arise if failure events follow a sequence where the state of damage of a subsystem in a child node yields some feedback on the failure of a constituent element in a parent node. Such a concern can be dealt with by proper consideration of the timescale.
Dynamic BPN can be used to account for dependencies along different time frames, where variables are modeled by nodes at each time step and the probabilistic relationships between them need to be generated both within and across time steps. Their use requires substantially more data and even BPN of a compact size can become very large and complex. In addition to making decisions based on optimization of life-cycle costs and benefits, acceptability of risk should be viewed in the light of the risks of fatalities and injuries as well as potential environmental damages. In this paper, risk acceptance has been expressed from a societal approach in terms of the Life Quality Index. For societal decision making, a main issue is that of prioritizing between investments into different societal sectors, such as the health sector, the public transportation sector, infrastructure or the energy sector. Such decisions cannot be based on the safety of individuals alone, considerations must also be given to the general development of society and other factors which influence the quality of life of the individuals of society. This is a complex problem involving many aspects such as the availability of natural resources, wealth production, social stability and environmental boundary conditions. In deriving risk acceptability from a societal point of view it is considered that risk reduction is always associated with reallocation of societal economical resources. In the context of infrastructure it is therefore expedient that such economical resources be allocated with the highest possible efficiency. At the level of societal decision making, an efficient life saving activity may be understood as a measure which in the most cost effective manner reduces the mortality or equivalently increases the statistical life expectancy. Hence, risk acceptance may be established on the basis of socio-economical considerations. 
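The LQI acceptance check of Eqs. (2) and (4) and Fig. 5, as an added example that is not part of the original paper: it finds the minimum value of p for which the criterion holds and the corresponding maximum acceptable failure rate. All numeric inputs, the exponential failure-rate model m(p), the linear cost and the function names are constructed assumptions.

```python
"""Added example: LQI risk acceptance check per Eqs. (2) and (4).
Every numeric value and the shape of m(p) below are constructed."""
import math


def lqi_exponent(w, labor_const):
    """Eq. (2): q = (1 / labor_const) * w / (1 - w)."""
    if not 0.0 < w < 1.0:
        raise ValueError("w must be a fraction of lifetime in (0, 1)")
    if labor_const <= 0.0:
        raise ValueError("labor_const must be positive")
    return w / (labor_const * (1.0 - w))


def criterion_margin(p, dcost_dp, m, g, q, c_x, n_pe, k, h=1e-6):
    """dC_y/dp + (g/q) * C_x * N_PE * k * dm/dp.

    Eq. (4) holds at p when this margin is >= 0.
    """
    dm_dp = (m(p + h) - m(p - h)) / (2.0 * h)  # central difference
    return dcost_dp(p) + (g / q) * c_x * n_pe * k * dm_dp


def min_acceptable_p(p_lo, p_hi, tol=1e-9, **model):
    """Smallest p in [p_lo, p_hi] that satisfies Eq. (4), else None.

    Assumes the margin changes sign at most once on the interval, from
    negative to non-negative, as in Fig. 5 (linear cost, flattening m(p)).
    """
    if criterion_margin(p_lo, **model) >= 0.0:
        return p_lo
    if criterion_margin(p_hi, **model) < 0.0:
        return None  # no acceptable design inside the search range
    while p_hi - p_lo > tol:
        mid = 0.5 * (p_lo + p_hi)
        if criterion_margin(mid, **model) >= 0.0:
            p_hi = mid
        else:
            p_lo = mid
    return p_hi


def failure_rate(p):
    """Assumed failure rate per year: m(p) = 1e-2 * exp(-2 p)."""
    return 1.0e-2 * math.exp(-2.0 * p)


def worked_example():
    """Return (q, minimum acceptable p, maximum acceptable failure rate)."""
    q = lqi_exponent(w=0.125, labor_const=0.7)
    model = dict(
        dcost_dp=lambda p: 1.0e5,  # linear C_y(p): constant marginal cost
        m=failure_rate,
        g=3.0e4,     # part of GDP per capita available for risk reduction
        q=q,
        c_x=20.0,    # demographic constant C_x
        n_pe=100,    # persons exposed to the failure
        k=0.1,       # probability of dying given a failure
    )
    p_star = min_acceptable_p(0.0, 5.0, **model)
    return q, p_star, failure_rate(p_star)


if __name__ == "__main__":
    q, p_star, m_max = worked_example()
    print(f"q = {q:.4f}, minimum acceptable p = {p_star:.4f}, "
          f"maximum acceptable failure rate = {m_max:.3e} per year")
```

A return value of None means the marginal cost never catches up with the marginal risk reduction inside the searched range, so the range of p has to be widened before a maximum acceptable failure rate can be stated.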
For the framework presented here, the risk acceptance criterion based on the Life Quality Index has been proposed. Some of the parameters involved in the acceptance criteria may not be readily available for some societies. The gross domestic product (GDP) per capita is a known indicator of the economic performance of countries. However, the fraction of the GDP available in a society for risk reduction measures requires a careful estimation and may be more difficult to assess for some countries. The fraction of time for paid work may be influenced by a number of variables. As discussed in [32] people tend to prefer less work-time in societies with a higher GDP; on the contrary people would prefer more work and thus more income in countries with lower GDP and possibly larger unemployment rate. Other factors that may determine the actual and preferred work load in different countries may include traditions, cultural aspects, strength and role of trade unions, shares of dependent employment and self-employment, legal conditions, and personal and societal preferences [32]. Estimates of the fraction of time for paid work in some countries can be found in [27]. Expert judgment and parametric analysis may then be needed in some cases for a judicious estimation of some socio-economical parameters. On the basis of the risk assessment framework and analyses using BPNs together with the Life Quality


Index (LQI) principle, an application to consequence assessment, risk acceptance, and decision making on target reliability indexes for structural design of FPSO systems is given in a companion paper [1]. The paper offers an integrated framework for risk assessment which can be useful to regulators of the oil industry for code development and to operators in order to support compliance with some code requirements. The proposed framework is a systematic procedure to help the decision making process on issues already established by modern codes such as consequence classes or risk categories, target reliabilities and partial safety factors.

In recent years, some offshore standards and recommended practices have been developed to prescribe design safety factors corresponding to a known target reliability for a given consequence class or risk category, see e.g. DNV-RP-E302 [33], DNV-RP-E303 [34], and DNV-OS-E301 [35]. ISO standards have also been developed under a philosophy that classifies systems into exposure levels which depend on life safety categories and failure consequences, see e.g. ISO 19904-1:2006 [36]. Higher exposure levels indicate greater risks and therefore higher safety must be required in the design. Such standards have been adopted as national standards by regulatory bodies such as BSI, see e.g. BS ISO 19901-7:2005 [37]. The International Maritime Organization (IMO) has established a procedure known as Formal Safety Assessment (FSA) which is described as a systematic process to guide the evaluation of risks associated with shipping activity and for cost-benefit assessment of measures to reduce risks. IMO states that FSA can be used to help evaluate new regulations or to compare proposed changes with existing standards [38]. FSA requires following steps which involve identification of hazards, assessment of risks, devising regulatory measures to control and reduce risks, and cost benefit assessment of each risk control option.
The framework developed here provides improved methodology for quantitative risk assessments that fully support approaches such as FSA applied for decision making regarding structural design of floating systems components. In the Mexican oil industry, risk-based standards have been developed for design and reassessment of fixed jacket platforms and submarine pipelines [39]. As future deep water developments take place in Mexico, regulations for floating systems could follow the same risk-based criteria already in place for shallow water infrastructure, and thus a framework such as the one discussed here could be adopted. The integrated framework presented in this paper provides a rigorous, rational and explicit way to assess expected failure consequences, use them as input for optimizing reliabilities in economic terms, and check its acceptability from the viewpoint of life safety investments. It is compatible with current and expectably future trends in code development, and can help support the decision-making process regarding risk assessment, acceptability and optimality for selecting target design reliabilities; for these reasons it can be expected to be useful to regulatory bodies as a tool for code development.
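The consequence assessment described in the text, where the BPN gives the expected utility in one monetary unit and the expected number of fatalities or amount of oil spilled when all other consequence nodes are set to zero, as an added example that is not taken from the paper or from Fig. 4. The network structure, node names, probabilities, consequence values and unit conversions are all constructed assumptions; only the ignition and escalation nodes loosely follow the follow-up events listed in the text.

```python
"""Added example: expected consequences from a small discrete BPN.
Structure, states and every number are constructed, not from Fig. 4."""
from itertools import product

# node -> (parents, CPT); CPT maps parent states to {state: probability}.
# All probabilities are conditional on the constitutive failure event.
NETWORK = {
    "leak_size": ((), {(): {"small": 0.8, "large": 0.2}}),
    "ignition": (("leak_size",), {
        ("small",): {"yes": 0.05, "no": 0.95},
        ("large",): {"yes": 0.30, "no": 0.70}}),
    "escalation": (("ignition",), {
        ("yes",): {"yes": 0.2, "no": 0.8},
        ("no",): {"yes": 0.0, "no": 1.0}}),
}


def fatalities(s):  # consequences to personnel, in number of fatalities
    if s["escalation"] == "yes":
        return 10.0
    return 1.0 if s["ignition"] == "yes" else 0.0


def spill_tonnes(s):  # consequences to the environment, in tonnes of oil
    if s["escalation"] == "yes":
        return 5000.0
    return 5.0 if s["leak_size"] == "small" else 200.0


def financial_loss(s):  # repair and lost production, in monetary units
    loss = 1.0e6 if s["leak_size"] == "small" else 5.0e6
    loss += 2.0e7 if s["ignition"] == "yes" else 0.0
    loss += 5.0e8 if s["escalation"] == "yes" else 0.0
    return loss


CONSEQUENCES = {"personnel": fatalities, "environment": spill_tonnes,
                "financial": financial_loss}
# Assumed monetary value of one unit of each consequence node.
UNIT_VALUE = {"personnel": 5.0e6, "environment": 2.0e4, "financial": 1.0}


def check_cpts(network, tol=1e-9):
    """Reject a network whose conditional probability rows do not sum to 1."""
    for name, (_parents, cpt) in network.items():
        for row in cpt.values():
            if abs(sum(row.values()) - 1.0) > tol:
                raise ValueError(f"CPT row of {name} does not sum to 1")


def joint_states(network):
    """Yield (state, probability) for each joint state with non-zero mass."""
    names = list(network)
    domains = [list(next(iter(network[n][1].values()))) for n in names]
    for combo in product(*domains):
        state = dict(zip(names, combo))
        prob = 1.0
        for n in names:
            parents, cpt = network[n]
            prob *= cpt[tuple(state[par] for par in parents)][state[n]]
        if prob > 0.0:
            yield state, prob


def expected_consequence(network, consequences, weights):
    """Expected weighted sum of the consequence nodes (missing weight = 0)."""
    check_cpts(network)
    return sum(prob * sum(weights.get(name, 0.0) * node(state)
                          for name, node in consequences.items())
               for state, prob in joint_states(network))


def expected_in_own_unit(network, consequences, node):
    """Expected value of one consequence node, all others set to zero."""
    return expected_consequence(network, consequences, {node: 1.0})
```

Calling `expected_consequence(NETWORK, CONSEQUENCES, UNIT_VALUE)` gives the single monetary figure used for optimization, while `expected_in_own_unit(NETWORK, CONSEQUENCES, "personnel")` gives the expected number of fatalities to compare against the acceptance criterion.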

References

[1] Heredia-Zavoni E, Montes-Iturrizaga R, Faber MH, Straub D. Risk assessment for structural design criteria of FPSO systems. Part II: Consequence models and applications to determination of target reliabilities 2012;28:50–66.
[2] AS/NZS 4360. Risk management. Standards Australia; 2004.
[3] AS/NZS ISO 31000. Risk management–principles and guidelines. Standards Australia; 2009.
[4] Faber MH, Stewart MG. Risk assessment for civil engineering facilities: critical overview and discussion. Reliability Engineering & System Safety 2001;80(2):173–84.
[5] Ale BJM. Risk assessment practices in The Netherlands. Safety Science 2002;40:105–26.
[6] Ale BJM. Tolerable or acceptable: a comparison of risk regulation in the United Kingdom and in the Netherlands. Risk Analysis 2005;25(2):231–41.
[7] Trbojevic V. Risk criteria in EU. Proceedings European safety and reliability conference, Tri City, Poland; 2005.
[8] Vinnem JE. Offshore risk assessment: principles, modeling and applications of QRA Studies. Springer Series in Reliability Engineering, Springer; 2007.
[9] JCSS. Risk assessment in engineering, principles, system representation & risk criteria; ISBN 978-3-909386-78-9; 2008.
[10] Schubert M, Faber MH, Baker JW. Decision making subject to aversion of low frequency high consequence events. Special workshop on risk acceptance and risk communication, Stanford, USA; March 26-27, 2007.
[11] Rackwitz R, Lentz A, Faber MH. Socio-economically sustainable civil engineering infrastructures by optimization. Structural Safety 2005;27(3):187–229.
[12] Faber MH, Maes MA. Modeling of risk perception in engineering decision analysis. Proc. 11th IFIP WG7.5 working conference on reliability and optimization of structural systems; 2004. p. 95–104.
[13] Helton JC, Burmaster DE. Guest editorial: treatment of aleatory and epistemic uncertainty in performance assessments for complex systems, special issue on treatment of aleatory and epistemic uncertainty. Reliability Engineering and System Safety 1996;54:91–4.
[14] Faber MH. On the treatment of uncertainties and probabilities in engineering decision analysis. Journal of Offshore Mechanics and Arctic Engineering 2005;127(3):243–8. ASME.
[15] Der Kiureghian A, Ditlevsen O. Aleatory or epistemic? does it matter? Structural Safety 2009;31:105–12.
[16] Aven T, Zio E. Some considerations on the treatment of uncertainties in risk assessment for practical decision making. Reliability Engineering and System Safety 2011;96(1):64–74.
[17] Nishijima K, Maes MA, Goyet J, Faber MH. Constrained optimization of component reliability of complex systems. Structural Safety 2009;31(2):168–78.
[18] Øien K. Risk indicators as a tool for risk control. Reliability Engineering and System Safety 2001;74(2):129–45.
[19] Vinnem JE, Aven T, Husebo T, Seljelid J, Tveit O. Major hazard risk indicators for monitoring of trends in the Norwegian offshore petroleum sector. Reliability Engineering and System Safety 2006;91(7):778–91.
[20] Vinnem JE. Risk indicators for major hazards on offshore installations. Safety Science 2010;48(6):770–87.
[21] Montes-Iturrizaga R, Heredia-Zavoni E, Vargas-Rodríguez F, Faber MH, Straub D, De la O J. Risk based structural integrity management of marine platforms using bayesian probabilistic nets. Journal of Offshore Mechanics and Arctic Engineering, ASME 2009;131(1). p. 011602-1 to 011602–10.
[22] Jensen F. Bayesian networks and decision graphs. Springer; 2001.
[23] Faber MH, Kroon IB, Kragh E, Bayly D, Decosemaeker P. Risk assessment of decommissioning options using bayesian networks. Proc. 20th conference on offshore mechanics and arctic engineering, Rio de Janeiro, Brazil, June 3–8, [OMAE2001/S&R-2115]; 2001.
[24] Rø W, Mosleh A, Vinnem JE, Aven T. On the use of the hybrid causal logic method in offshore risk analysis. Reliability Engineering and System Safety 2009;94(2):445–55.
[25] Montes-Iturrizaga R, Heredia-Zavoni E, Straub D, Faber MH. Optimum and minimum acceptable reliability indexes for mooring line design in FPSO systems. Proc. IFIP WG 7.5 Working conference on reliability and optimization of structural systems, Mexico; 2008.
[26] Straub D, Der Kiureghian A. Bayesian network enhanced with structural reliability methods. Part A: theory. Journal of Engineering Mechanics 2010;136(10):1248–58. ASCE.
[27] Rackwitz R. Optimization and risk acceptability based on the life quality index. Structural Safety 2002;24(2–4):297–331.
[28] Aven T, Pitblado R. On risk assessment in the petroleum activities on the Norwegian and UK continental shelves. Reliability Engineering and System Safety 1998;61(1–2):21–9.
[29] Aven T, Vinnem JE. On the use of risk acceptance criteria in the offshore oil and gas industry. Reliability Engineering and System Science 2005;90(1):15–24.
[30] Nathwani JS, Lind NC, Pandey MD. Affordable safety by choice: the life quality method. Ontario, Canada: Institute for Risk Research, University of Waterloo; 1997.
[31] Ramsberg J, Sjöberg L. The cost-effectiveness of lifesaving interventions in Sweden. Risk Analysis 1997;17(4):467–78.
[32] Rackwitz R. The philosophy behind the life quality index and empirical verification. Updated memorandum to JCSS; 2005.
[33] DNV. Design and installation of plate anchors in clay. Recommended Practice DNV-RP-E302; 2002.
[34] DNV. Geotechnical design and installation of suction anchors in clay. Recommended Practice DNV-RP-E303; 2005.
[35] DNV. Position mooring. Offshore Standard DNV-OS-E301; 2008.
[36] ISO. Petroleum and natural gas industries-floating offshore structures- part 1: monohulls, semi-submersibles and spars. ISO 19904-1; 2006. 2006.
[37] BSI. Petroleum and natural gas industries-specific requirements for offshore structures- part 7: stationkeeping systems for floating offshore structures and mobile offshore units. BS ISO 19901-7; 2005. 2006.
[38] IMO. Guidelines for formal safety assessment (FSA) for use in the IMO rule-making process; 2002. MSC/Circ.1023, MEPC/Circ.392.
[39] PEMEX. Diseño y evaluación de plataformas marinas fijas en el golfo de México. NRF-003-PEMEX-2007, Comité de Normalización de Petróleos Mexicanos; 2008.