Improved methods for reliability assessments of safety-critical systems: An application example for BOP systems

The failure of the Deepwater Horizon drilling rig's blowout preventer has been pointed to as one of the main causes of the Macondo accident on April 10th 2010. The blowout preventer system is one the most important safety barriers in a hydrocarbon well. The accident has created a demand for improved methods of assessing the reliability of blowout preventer systems. The objective of this master thesis is to propose improvements to current reliability assessment methods for complex safety critical systems such as the blowout preventer. The report begins by describing the blowout preventer system. It is a system consisting of two main subsea parts containing the annular and ram blowout preventer valves which are used to seal off a well in the event of a subsea well kick. These annular and ram type preventers are governed by an electro-hydraulic control system which is operated by human interaction from control panels located on the rig floor. A functional analysis of the blowout preventer system is presented next. Essential functions are defined, and performance criteria for these functions identified. An approach to classification of blowout preventer functions is also presented, before the report moves on to the analysis of four main operational situations to which the blowout preventer is exposed, and whose characteristics have implications for the system's ability to act as a safety barrier. The pros and cons of different widely used blowout preventer system configurations is also discussed. Three main types of configurations are mentioned in the report; the \emph{modern} configuration, \emph{traditional} configuration and the Deepwater Horizon blowout preventer system configuration. A literature survey which documents previous blowout preventer reliability studies performed by Per Holand on behalf of SINTEF is presented. An evaluation of validity of the operational assumptions which have been made in these previous studies is also provided, such as such as assumptions regarding operational situations, failure input data, and several important assumptions regarding testing of blowout preventer systems. Regulations and guidelines which are relevant to blowout preventer reliability are also described here. The report further discusses how the blowout preventer may fail, and which types of failures modes are considered critical from a safety perspective. Some theoretic principles behind common cause failures are presented, along with a description of how com