Interval Safety Valves

Check out more papers on Risk Risk Management Safety


In this master thesis the effects of changing the test interval of the land based safety critical valves have been highlighted


Production assurance: Also referred to as regularity, is a term used to describe how capable a system is to meet demand for deliveries or performance (Norsok Z-016, 1998).

Availability: The ability of an item to be in a state to perform a required function under given conditions at a given instant of time or during a given time interval assuming that the required external resources are provided.

Production Availability: The ratio of production to planned production, or any other reference level, over a specified period of time (Norsok Z-016, 1998)

Failure: Termination of the ability of an item to perform a required function.

Note 1: After failure the item has a fault.

Note 2: “Failure” is an event, as distinguished from “fault”, which is a state.

Failure mechanism: The physical, chemical or other processes which lead or have led to a failure.

Failure mode: The effect by which a failure is observed on the failed item.

Safety system: A system which realises one or more active safety functions

Safety functions: Physical measures which reduce the probability of a situation of hazard and accident occurring, or which limit the consequences of an accident.


Modern production systems are large, complex, automated, and integrated. Failures occur more or less frequently in these complex and large systems. For a production plant, the consequences of failure include high maintenance cost, possible loss of production, and exposure to accidents. It can also lead to annoyance, inconvenience and a lasting customer dissatisfaction that can play havoc with the responsible company’s marketplace position (Croarkin and Tobias, 2007)

So, it is important for the plant engineers and managers to make decisions that can reduce or eliminate the probability of failures or/and their consequences as well as uncertainties in production processes to get better production assurance.

Production Assurance (PA) is introduced by the Norwegian oil and gas industry, which plays a significant role in supporting the decision-making process for managers and engineers dealing with the challenges of meeting various customer requirements as well as production control needs. Therefore, there has recently been a high degree of interest in use of the production assurance concept. (J. Barabady, 2007)

Production assurance (also referred to as regularity) is a term used to describe how capable a system is to meet demand for deliveries or performance (Norsok Z-016, 1998). Production assurance may be quantified by various measures like production availability, throughput capacity, deliverability, or demand availability. The PA concept includes several other concepts, such as reliability, maintainability, availability, and maintenance support performance. Some of these concepts, and their relationships, are illustrated in Figure 1. In the following section, different concepts, of production assurance are briefly reviewed and discussed.

Effective maintenance is necessary to ensure the reliability of plant/equipment. If equipment is unreliable, the profitability of a business can be greatly decreased. Therefore, the benefits of employing the efficient maintenance strategies cannot be underestimated.

Effective equipment maintenance ultimately dictates plant reliability and has great impact on the success and profitability of a Business Unit. There is an increasing industry focus on safety, risk avoidance and environmental awareness, which emphasises the importance of avoiding failure through successful maintenance. As a consequence, maintenance practices often account for an overwhelming percentage of budget expenditure. The financial and safety benefits of employing efficient and effective maintenance strategies for equipment cannot be underestimated.

The Norwegian safety regulations have two kinds of requirements related to maintenance:

  • High level requirements stating that installations, systems and equipment should be maintained in a prudent manner.
  • Detailed and prescriptive requirements for a system or a piece of equipment to be tested or inspected at certain intervals. (The Maintenance Baseline Study; Operation & Maintenance Compendium)
  • Introduction

According to PSAN (Petroleum Safety Authorities Norway) ‘‘Requirements for testing of safety critical valves’’ emphasizes that there should be annual testing of all safety critical valves and intervals for verification have to be established based on; requirements to reliability, knowledge about failure conditions, knowledge about possible consequences from failure conditions, and knowledge about valve characteristics (T.E. Nøkland, H.S. Wiencke, T.Aven ; Identification of safety critical valves – a risk based approach)

In testing of safety critical valves means that production must be shut down, the valve must be closed, pressure downstream the valve is bled off, and pressure build-up is measured.

It has been observed that often these tests are carried out during turnarounds, not influencing production downtime, Even though test are labour intensive, costs related to such test are limited but sometimes the situation is different. Some platforms do not perform turnarounds each year and production may have to be shut down for hours because of these tests. In most cases these shut downs are also affecting other installations. This is of course an expensive operation that the operators want to limit to what is needed to maintain the required safety level; not only because of the loss of production and loss of income, but also because a shut down of the process and manual intervention into the hydrocarbon system has a negative effect on the safety level in it self (PSAN, 2004) ;T. Aven, H.S. Wiencke, T.E Nøkland (2006)

For instance, If we focus on the barrier functions of the valves, and If we prove the same safety level with alternative test procedures or risk reducing measures then we could be able to justify an increase of test intervals of safety critical valves; T. Aven, H.S. Wiencke, T.E Nøkland (2006)

Thesis objective/Problem Statement:

This thesis is a part of RAMONA project which focuses on regularity and deliverability of the Norwegian gas transport system.

In production plants, generally incidents and events occur from both safety-related and technical integrity-related concerns. “Safety integrity related incidents are those endangering harm to people. Working without Personal Protective Equipment (PPE), personal injuries, and fire and explosions are some of the examples that come under safety integrity-related incidents. Technical integrity-related incidents on the other hand, refers to a wide area of technical incidents arising from day to day operations, and those resulting in the possible reduction or loss of daily production’’; see (J. Raza & J.P. Liyanage)

The main objective of this thesis is to ‘‘discuss the effects of changing the test interval of land based safety critical valves in hydrocarbons transport systems’’.

Changing test interval means increase or decrease of the interval period compare to current standard test interval (which is one year) followed by industry.

Working method

Analytical Learning Framework:


Among other factors that had influence on this project in terms of delimiting it in some way, can be mentioned available time, available literature and language skills of author.

1.5 Regulations/ Standards:

This chapter is about different Regulations/standards presented by the authority of the Norwegian Petroleum Directorate (NPD) and the Petroleum Safety Authority Norway (PSA) related to maintenance program and further related to safety critical systems.

The legislation consists of a two parts; resource management or ‘‘Resource hierarchic’’ part and a health, environment and safety (HES) or ‘‘HES hierarchic’’ part; which further display different legislation levels.

In the HES area, the Norwegian Pollution Control Authority, the Norwegian Social and Health Directorate and the PSA (former NPD) co-operate on joint, total regulations relating to health, environment and safety on the Norwegian continental shelf. Hence, the HES regulations are issued in pursuance of the Petroleum Act, the Pollution Act, the Product Control Act, the Health Personnel Act, The Patients' Rights Act, The Communicable Diseases Control Act and Health related and Social Preparedness Act. The regulations are the framework regulations (Royal Decree), the management regulations, the information duty regulations, the facilities regulations and the activities regulations. Guidelines to the regulations have been prepared by:

Regulations are connected together as shown in figure; Some points related to above figure is explained below.

Acts and Regulations come on the first and second level in hierarchy. Then are the guidelines to regulations for detail explanation and similarly these guidelines showed some specific requirement which is called standards.

->Petroleum Activities Legislation (Acts and Regulations)

For example, Petroleum Activities Act § 9-1 says ‘‘The petroleum activities shall be conducted in such manner as to enable a high level of safety to be maintained and further developed in accordance with the technological development’’

->Guidelines to Regulations

These are guidelines to different regulations relating to management, information duty, facilities and activities under the ‘‘Joint Regulations’’. E.g. OLF (Norwegian Oil Industry Association)g recommended guidelines for the application of IEC 61508 and IEC 61511 in the petroleum activities on the Norwegian Continental Shelf,

->Standards: The guidelines to the regulations often refer to recognized standards as a way to fulfill the functional requirements in the regulations. International Standards like ISO, API, IEC, OLF guidelines, EN and NORSOK standards are often used.

->Industry internal governing documents like ‘‘Testing of safety critical valves in gas/condensate pipeline system’’.

In NORSOK standards Z – 008, maintenance defined as –

“The combination of all technical, administrative and managerial actions, including supervision actions, during life cycle of an item intended to retain it in, or restore it to, a state in which it can perform the required function” (PrEN 13306)

Maintenance includes activities such as monitoring, inspection, testing and repairing. This means, that is all what is required to keep or to get the item or system back into desired operating condition.

According to §7 of The Activities Regulations; the safety functions at all times will be able to provide functions and should be designed so that they can be tested and maintained without impairing the performance of the function.

Similarly under the §32 of the Activities Regulations, it says that ‘’Facilities shall have an emergency shutdown system which is able to prevent situations of hazard and accident from developing and to limit the consequences of accidents, on safety functions. The system shall be able to perform the intended functions independently of other systems’’.

Moreover, the emergency shutdown system shall be designed so that it will go to or remain in a safe condition in the event of a failure which may prevent the functioning of the system.

More specifically, ‘’Emergency shutdown valves shall be installed which are capable of stopping streams of hydrocarbons and chemicals to and from the facility, and which isolate the fire areas on the facility’’

In §44 (maintenance programme) under the Activities Regulations states that the emergency shutdown system should be verified in accordance with the safety integrity levels stipulated on the basis of the IEC 61508 standard and OLF's Guidelines 070. In addition to that plants which are not included by this standard and these guidelines, the operability should be verified through a full-scale function test at least once each year.

The test should cover all parts of the safety function, including closing of valves. The test should also include measurement of interior leakage through closed valves. Recording of the plant's or equipment's functionality in situations where the function is triggered or put to use may replace testing of the plant or the equipment,

The OLF (Norwegian Oil Industry Association) recommended guidelines for the application of IEC 61508 and IEC 61511 in the petroleum activities on the Norwegian Continental Shelf, says that Periodical functional tests shall be conducted using a documented procedure to detect covert faults that prevent the SIS (Safety Instrumented Systems) from operating according to the Safety Requirement Specifications. The entire SIS shall be tested including the sensor(s), the logic solver, and the final element(s) (e.g., shutdown valves, motors). (OLF 070)

In addition, It is recommended to record and analyse activation of SIS functions to include the activation as part of the functional testing. If proper operation and documentation thereof exist for a period, the manual proof test for that period may be omitted. Observe that the spurious activation of an ESV due to a PSD, does not test the entire function of the same valve during an ESD action.

Moreover, In OLF guidelines it is mentioned that, some periodic interval (determined by the user), the frequency(s) of testing for the SIS or portions of the SIS shall be re-evaluated based on historical data, installation experience, hardware degradation, software reliability, etc. Change of interval is handled as a modification. Any change to the application logic requires full functional testing, and shall be treated as a modification. Exceptions to this are allowed if appropriate review and partial testing of changes are done to ensure that the SIL has not been compromised.

3. Basics of valves

Valves are mechanical devices specifically designed to direct, start, stop, mix, or regulate the flow, pressure, or temperature of a process fluid. Valves can be handle either liquid or gas applications; Philip L. Skousen (2004)

Valves are used in pipeline systems to control the flow rate, the pressure, or the flow direction of a fluid. They can turn on, turn off, regulate, modulate or isolate the fluid.

3.1 Valve Types

3.1.1 Gate valves:

Gate valves are designed to operate fully open or fully closed; when fully opened, there is very little pressure drop across a gate valve, and when fully closed there is good sealing against pressure.

With the proper mating of a disk to the seat ring, very little or no leakage occurs across the disk when the gate valve is closed. However, some leakage may occur under very low back pressures. Another positive feature of gate valves is that they usually open or close slowly, which prevents fluid hammer and subsequent damage to the piping system.

The main limitation of gate valves is that they are not suitable for throttling applications. When gate valves are used in throttling applications, the flow tends to have high speeds near the gate seat, which leads to erosion. Also, in the partially open state, the valve is prone to vibrate, which can lead to damage. In general gate valves are more subject to seat and disk wear than globe valves, and repairs, such as lapping and grinding, are more difficult to accomplish.

3.1.2 Ball valves:

This rotational-motion valve uses a ball-shaped disk with a hole bored through to stop or start fluid flow. When the valve handle is turned to the open position, the ball is rotated so that the hole lines up with the valve body’s inlet and outlet. When the ball is rotated so the hole is perpendicular to flow, the valve is closed.

Advantage of ball valve is ease of operation, high flow capacity, and a high pressure and temperature tolerance. In addition, they have the ability to provide fire-safe protection, and they can handle severe service chemicals. Ball valves typically have lower cost and weight, and provide tight shutoff and low stem leakage. They can be adapted to for use in multiple port configurations.

3.1.3 Check valves:

The purpose of a check valve is to allow fluid flow in one preferred direction and to prevent back flow or flow in the opposite direction. Ideally, a check valve will begin to close as the pressure drops in a pipeline and the fluid momentum slows. When the flow direction reverses, the check valve should close completely. Check valves can be of the following types: swing, lift and tilting disk.

3.2 Why Testing of Valves/equipment:

In NORSOK standards Z – 008, maintenance defined as –

“a combination of all technical, administrative and managerial actions, including supervision actions, during life cycle of an item intended to retain it in, or restore it to, a state in which it can perform the required function” (PrEN 13306)

According to above definition, that is all what is required to keep or to get the item or system back into desired operating condition.

In §7 of the Activities Regulations it is stated that Facilities shall be equipped with necessary safety functions which at all times are able to:

a)  Detect abnormal conditions,

b)  Prevent abnormal conditions from developing into situations of hazard and accident,

c)  Limit harm in the event of accidents.

Similarly under the §32 of the Activities Regulations, it says that ‘’Facilities shall have an emergency shutdown system which is able to prevent situations of hazard and accident from developing and to limit the consequences of accidents, on safety functions. The system shall be able to perform the intended functions independently of other systems’’

More specifically, ‘’Emergency shutdown valves shall be installed which are capable of stopping streams of hydrocarbons and chemicals to and from the facility, and which isolate the fire areas on the facility’’

No more than a few decades ago, maintenance function was considered as an unwanted necessity, which is almost impossible to manage. This vision changed with time and maintenance became a separate service that had the centre attention on technical aspects, with the weight on specialization and efficient working methods. More recently, the progress was the realization that there were more efficient ways in terms of optimizing use of the means and more effective ways in terms of achieving the desired results and it was positive cooperation with other operating functions (Internal partnership). (Compendium op&maint. Page 2)

In IAEA-TECDOC-1200 is stated that the purposes of monitoring, testing and other preventive maintenance actions are the detection of the degradation and prevention from the failure of the safety functions of systems and equipment and the assurance of prompt correction and restoration of these safety functions.

PRA/PSA can be used in order to optimize the level of inspection and maintenance activities correspondingly to them and risk.

To evaluate ageing effects of an equipment

Check corrosion

To prevent accidental events and damage

To analyse dynamic degradation and failure mechanism.

To estimate the probabilities of degradation.

To access the consequences of different degradation cases and evaluate their severity according to the probabilities of the worst consequences due degradation.

To perform the risk ranking for each component.

To make appropriate recommendations, based on results in order to improve the operation and maintenance.

To keep regularity flow constant , we need to test valves and other equipment periodically.

To check the reliability and availability of the equipement.

From (Working Document, governing doc.)

3.3 Safety Critical valves:

The emergency shut down system (ESD system) is a safety system that constitutes an important barrier (the ESD barrier). Fundamental tasks for the ESD barrier are to stop streams of hydrocarbons and chemicals to and from the facility, and isolate the fire areas on the facility. To manage to do this the ESD barrier are depending by the functionality of ESD valves. (Sverre Viland, 2004; Identifying Safety Critical valves – A Risk Based Approach)

Based on current industry practice, to define whether or not a valve is safety-critical is determined on an evaluation of the safety importance, i.e. how important it is for safety point of view. Therefore an analysis/assessment is needed to demonstrate how the risk level could be affected to the following failure modes:

  • Valve fails to close on demand
  • Valve fails to close within the specified time
  • That it leaks

To identify safety critical valves; the required analysis/assessment is performed in to three steps:

1 – To Identify and illustrate the functions of the valve

Valve functions that are important to safety are identified, i.e. the functions whose failure could result in an unacceptable risk, e.g. failure to close, leakage through closed valve.

A safety critical valve normally has more than one function, these are as follows:

  • Does it have an ESD or PSD function?
  • Is the valve part of an overpressure protection system?
  • Is it designed to close/seal off the flow in both directions?
  • Is the valve part of a double block and bleed setup?
  • Other functions.

2 – To explain the effects on safety of the above failure modes

.3 – To Classify critical/unacceptable leakage rate through the valve

In the onshore plants, acceptable leakage rates generally set higher than for an offshore installation, the main reason for this is due to lower human risk exposure in onshore plants.

The acceptance criteria is determined on the basis of whether the contribution to risk of a leakage through the valve is acceptable, required some measures or not acceptable. According to the performed analysis of some onshore terminals and gas transportation systems, recommended reference values for leakage rates are established in table:

Leak rate [kg/s]


< 0.05


0.05 – 1.0

Perform specific evaluations, Plan for repair.

> 1.0

Not acceptable - repair

Table: Acceptance criteria for leakage through closed valves

The wide range between the lower and upper limits, i.e. from 0.05 kg/s to 1.0 kg/s, is calculated and mainly based on practical considerations. Current industry experience shows that most valves (>99 of 100) satisfy the lower limit requirement i.e. <0.05 kg/s.

3.3.1 Testing Methods:

Testing of safety critical valves can be testing of function (close) or testing of leakage (including interior leakage or leakage through closed valve). The various testing methods are different with respect to the required performance in real shut-down situations.

  • Testing of the function (close) with real shut-down case
  • Testing of the function (close) with plant shut down

This test is not considered complete since the forces acting on the valve body and valve internals are different from the real case. Thus the test does not disclose all relevant failure mechanisms.

  • Partial stroke testing

The main advantage with this test is that one can avoid shut-down of the plant, therefore it is only relevant while the plant it normal operation; but this test is not considered complete because the test does not demonstrate full closure of the valve. Thus the test does not disclose all relevant failure mechanisms.

It is preferred that, a test should reflect the intended function in a real situation. According to industry practice; for an emergency shutdown (ESD) valve, this sort of testing should normally be complete closing of the valve with the system under pressure and in operation.

However, in some cases there may occur unwanted effects of these ideal tests, like economic consequences related to lost production, but also sometimes negative effects on safety and environment.

Based on the industry experience, the optimal system for testing therefore may well be one that applies different test methods, and combinations of tests, in a consistent program, individually tailored to the specific safety critical valve.

Testing methods of leakage through valve

Different testing methods are used to observe the leakage through the safety critical valve:

  • Leakage test through closed valve with full pressure differential across the valve.
  • Leakage test through closed valve with different pressure levels up- and downstream of the valve
  • Leakage test through closed valve, by measurement of leak rates into the valve body/cavity.
  • Leakage test with valve in open position

When we talk about testing of leakage rate through a closed valve; acceptance criteria for leakage rates through the valve at normal full differential pressure across the valve should be defined.

4.1 What are the affects of changing the test interval of safety critical valves?

Changing test interval means increase or decrease of the interval period compare to current standard test interval (which is one year) followed by industry. In usual practical applications testing and inspection is the most relevant and effective means of deterioration control.

The observed failure frequency, together with a criticality evaluation, will be a basis for prioritizing the maintenance work and optimization of test intervals; Aven and vinnem (2007)

In fact cost, the level of risk and the benefits from risk control are closely linked see fig.

We can say increase in benefit from a decision may increase the risk if cost are kept constant or any reduction in risk may reduce the benefits as cost may increase.

  • Test interval for test of function close
  • Test interval of leakage in valve

Test interval> 1 year

Test interval < 1 year

Positive effects

Negative effects

Positive effects

Negative effects

  • Save economic cost
  • Reduction in maintenance cost
  • Avoidance of production loss
  • Less number of process shut downs
  • May cause higher risk related to safety level
  • Performance issues
  • May cause higher frequency of occurrence of failure
  • High reliability and functionality of equipment
  • Improved safety level
  • Higher maintainability and availability
  • May increase leakage
  • Maintenance cost increased
  • More production shut downs may affects other installations
  • Labour intensive

Table 1: Different dilemmas of changing test interval of Safety Critical Valve

4.2.1 Discussion:

There are some advantages and disadvantages related to each dilemma; see table 1.

Firstly, we see that current industry practice about testing of safety critical valve which is once a year; is quiet satisfactory. In the Gassco document TEKD-PR-021/5/; is mentioned about safety critical valve that: ’’The reference value for test interval is 1 year. The program may deviate from this, provided that adequate and documented grounds for this are stated’’

There are many critical factors involve in each dilemma.

Followings are the some ‘‘critical factors and their impacts’’ involved in changing the test interval of ESV. Table 2:

Critical Factors


Interval <1 year

Interval =1 year

Interval >1 year

Failure Probability

Very Low


Relatively high


Very high


No big effects

Maintenance Cost


Relatively high


Internal leakage











Should observed






No effects

Minimum Effects

Relatively High eff.

Secondly, if we set test interval test interval greater than one year then what would be the effects:

In this scenario most important factor which is probability of failure, increases gradually by the passé of time, According to Table 2; there would be relatively high probability of failure in this case; as compare to other dilemmas. We can observe the probability of failure from the table below:

Valve #

Date of Failure

Cause of Failure

Maintenance Action

Date of Valve installation or last recondition

Age at Failure




When we analyse reliability, in terms of availability of safety critical valve, we can see from table 2, there are not so big effects on the equipment.

As we know land based critical safety valves are installed in corrosive environment, so this is also one of the important factor to analyse whether the effects of corrosion is ‘minimum’ or ‘relatively high’ in each dilemma. In this dilemma (test interval > 1 year) , we can say effects related to corrosive would become relatively high.

Another factor is the maintenance cost, if after analysis we see that the maintenance cost is almost same after increasing the test interval, then we can say there would be lower maintenance cost (as a whole) needed ; so it means this factor gives support to increase test interval.

Besides other factors , safety is also very important factor, in current practice there are no concerns related to safety issues, but if we set test interval less one year; then there are chances to have more internal leakage because of more process shut downs; as compare to other dilemmas. Safety issues of having test interval greater than one year is underconsideration.

The main advantage of having test interval greater than one year is the reduction in n maintenance cost and besides that regularity is also one of the most important benefit in this scenario. Because not in all platforms testing or inspection work is done during turnarounds. there are some platforms, where production may have to be shut down for hours because of these tests. In many cases these shut downs are also effecting negatively to other installations.

Therefore, this is obviously an expensive operation. In this scenario due to shut downs, we loose regularity and similarly there is a loss of production and also loss of cost. In short by increasing test interval, one the one hand; we can avoid shutdowns/downtime and hence can improve regularity and on the other hand we can avoid negative effects on the safety level caused by shut down of the process and manual interference into the hydrocarbon transport system.

According to API Specification 6D ‘‘The purchaser should examine the valve design for compatibility with pigging operations when ordering valves for use in pipelines requiring pigging.’’

’Pig’ is now the most widely accepted term for any device which is inserted into a pipeline and which travels freely through it, driven by the product flow.

During operation cleaning is an important factor. Products pipelines need cleaning to remove fine solids that may have settled from the product as it traversed the pipeline. Also, some foreign material such as water may have separated from the product and are collected in low points in the pipeline. Water can cause corrosion so it is important to remove it. Any pig that seals in the pipe can be used to remove the water from the pipelines.

An often-used pig for cleaning a product pipelines is a pig with cleaning device attached, and usually these are brushes. Pigs should be selected for the specific application, such as the product and the type of cleaning needed, as well as taking into account the length and the other parameters of the pipeline.

Natural gas pipelines sometimes need cleaning to remove dust particles that are often produced with the natural gas. This dust along with oil that may come from the compressor may create an internal coating that will reduce the efficiency of the gas flow. The type of cleaning pig will be determined by the internal coating of the pipe.

Regular pigging to remove the water is therefore essential because once this type of corrosion has formed, the pig seals will be unable to get into these crevices to sweep the water out and the corrosion rates will increase very rapidly. Inhibitors are often used to prevent corrosion. But if pigs are not used to remove the surface debris such as dirt, sand, wax, corrosion products etc. then water will collect under it and it will prevent the inhibitors from properly treating the active corrosion area. For dewaxing, any type of pig will remove some of the wax, but unless the right type of cleaning pig is used, a lot of it will be left behind and simply smeared on the inside of the pipe wall.

Cost of testing a safety critical valve:

Normally 3 tonn gas releases during testing of safety critical valve: (e.g. ÅT valve on Kalstø)

From above statistics we can calculate the cost of testing safety critical valves by:

Total cost of testing = 3 * current price (of one tone gas)

5. 1 Failure modes

A failure mode is a description of a fault. To identify the failure modes it is necessary to study the outputs of various functions. Some functions may have several outputs. Some outputs may be given a very strict definition, such that it is easy to determine whether the output requirements are fulfilled or not. In other cases the output may be specified as a target value with an acceptable deviation. (See Figure) (Rausand, M. and Høyland, A. (2004). “System Reliability Theory: Models, Statistical Methods and Applications”, 2nd ed., Wiley InterScience, Chapter 3: Qualitative system analysis)

When considering a process shutdown valve, it should be designed a specified closing time, for example, 10 seconds. If the valve closes too slowly, it will not function as safety barrier. On the other hand, if the valve closes too fast, it can probably cause pressure shock destroying the valve or the valve flanges. Closing time between 6 and 14 seconds may, for example, be acceptable, and it can be stated that the valve is functioning as long as the closing time is within the interval. The criticality of the failure will obviously increase with the deviation from the target value. (Rausand, M. and Høyland, A. (2004). “System Reliability Theory: Models, Statistical Methods and Applications”, 2nd ed., Wiley InterScience, Chapter 3: Qualitative system analysis)

It is important to understand that a failure mode is a expression of the failures as seen from the outside, that is, the termination of one or more functions. “Internal leakage” is thus a failure mode of shutdown valve, since the valve looses its required function to “close flow”. Wear of the valve seal, however, represents a cause of failure and is hence not a failure mode of the valve.

A classification scheme for failure modes has been suggested by Blanche and Shrivastava (1994)

  • Intermittent failures: Failures that result in lack of some function only for a very short period of time.
  • Extended failures: Failures that result in lack of some function that will continue until some part of the functional block is replaced or repaired. Extended failures may be further divided into:
  • Complete failures: Failures that cause complete lack of a required function
  • Partial failures: Failures that lead to a lack of some function, but do not cause a complete lack of a required function.

Both the complete and partial failures may be further classified:

  • Sudden failures: Failures that could not be forecast by prior testing.
  • Gradual failures: Failures that could be forecast by testing. A gradual failure will represent a gradual “wearing out” of the specified range of performance values.

The extended failures are split into four categories; two of these are given specific names:

  • Catastrophic failures: A failure that is both sudden and complete.
  • Degraded failure: A failure that is both partial and gradual.

The failure classification described above is illustrated in Figure which is adapted from Blanche and Shrivastava (1994) (Rausand, M. and Høyland, A. (2004). “System Reliability Theory: Models, Statistical Methods and Applications”, 2nd ed., Wiley InterScience, Chapter 3: Qualitative system analysis)

5.2 Failure causes and failure effects

The function of a system usually consists of several sub functions. Failure modes at one level in the hierarchy will often be caused by failure modes on the next lower level. It is important to link failure modes on lower levels to the main top level responses, in order to provide traceability to the essential system responses as the functional structure is refined. This is illustrated in Figure for a hardware structure breakdown. (Rausand, M. and Høyland, A. (2004). “System Reliability Theory: Models, Statistical Methods and Applications”, 2nd ed., Wiley InterScience, Chapter 3: Qualitative system analysis)

(Rausand, M. and Høyland, A. (2004). “System Reliability Theory: Models, Statistical Methods and Applications”, 2nd ed., Wiley InterScience, Chapter 3: Qualitative system analysis)

According to IEC (International Electrotechnical Commission) failure cause is “the circumstances during design, manufacture or use that has led to a failure.” The failure cause is necessary information in order to avoid failures or reoccurrence of failures.

Failure causes may be classified in relation to the life cycle of a functional block as illustrated in Figure, where the different failure causes are defined as:

  • Design failure: A failure due to inadequate design of a functional block.
  • Weakness failure: A failure due to a weakness in the functional block itself when subjected to stress within the stated capabilities of the functional block.
  • Manufacturing failure: A failure due to nonconformity during manufacture to the design of a functional block or to specified manufacturing processes.
  • Ageing failure: A failure whose probability of occurrence increases with the passage of time, as a result of processes inherent in the functional block.

Misuse failure: A failure due to the application of stresses during use that exceed the stated capabilities of the functional block

  • Mishandling failure: A failure caused by incorrect handling or lack of care of the functional block. (Rausand, M. and Høyland, A. (2004). “System Reliability Theory: Models, Statistical Methods and Applications”, 2nd ed., Wiley InterScience, Chapter 3: Qualitative system analysis)

(Rausand, M. and Høyland, A. (2004). “System Reliability Theory: Models, Statistical Methods and Applications”, 2nd ed., Wiley InterScience, Chapter 3: Qualitative system analysis)

These various failure causes are not necessarily separate; there could be overlap between some of them. For example, there is an obvious overlap between “weakness” failures and “design” and “manufacturing” failures.

Failure mechanisms are, according to IEC, the “physical, chemical or other processes that has led to a failure.” These processes can, for example, be wear, corrosion, hardening, pitting, oxidation etc.

This level of failure cause description is, however, not sufficient to evaluate possible remedies. Wear can, for instance, be result of wrong material specification (design failure), usage outside specification limits (misuse failure), poor maintenance (mishandling failure), and so forth. These fundamental causes are referred to as root causes (see above Figure), the causes upon which remedial actions can be decided.

A general picture of the relationship between cause and effect is that each failure mode can be caused by several different failure causes, leading to several different failure effects. To get a broader understanding of the relationship between these terms, the different levels of see above Figure should be brought into account.

Above Figure shows that failure mode on the lowest level is one of the failure causes on the next higher level and the failure effect on the lowest level equals the failure mode on the next higher level. The failure mode “leakage from sealing” for the seal component is, for example, one of the possible failure causes for the failure mode “internal leakage” for the pump, and the failure effect on the next higher level “internal leakage” resulting from “leakage from sealing” is the same as the failure mode “internal leakage” of the pump.

Case Study

Case study is related to Assgard Transport and main foculs is on Kårstø gas processing plant north of stavanger. The Kårstø processing plant plays a key role in the transport and treatment of gas and condensate (light oil) from important areas on the Norwegian continental shelf.

The Statpipe trunkline system carries gas from the North Sea to Kårstø. The Kårstø facility also receives gas from Åsgard and other fields in the Norwegian Sea through the Åsgard Transport trunkline. In opertion since 1 October 2000, the Åsgard section of the plant processes this gas to meet sales specifications.

Dry gas is exported from Kårstø through the Europipe II trunkline to Dornum in Germany and through the Statpipe/Norpipe system to Emden, which is also on the north German coast. Roughly four million tonnes of stabilised condensate are shipped annually from Kårstø by sea.

From above statistics we can calculate the cost of testing safety critical valves by:

Total cost of testing = 3 * current price (of one tone gas)


Risk: basic expression

Risk can be defined as a combination of the probability of occurrence of harm and the severity of that harm. Risk may be expressed qualitatively as well as quantitatively.

The definition implies that risk aversion (i.e. an evaluation of risk which places more importance on certain accidental consequences than on others, where risk acceptance is concerned) should not be included in the quantitative expression of risk. It may be relevant to consider on a qualitative basis certain aspects of risk aversion in relation to assessment of risk and its tolerability.

The implication of the definition is further that perceived risk (i.e. subjectively evaluated risk performed by individuals) should not be included in the expression of risk (Norsok Z-013)

1.1.2. Dimension of risk

When accident consequences are considered, these may be related to personnel, to the environment, and to the assets and the production capacity. These are sometimes called “dimension of risk” (Vinnem, J.E and al, 2006).

1.2. Risk Analysis objectives and criteria

1.2.1. Objectives

The main objectives of risk analysis are:

- To ensure adequate safety, value adding and cost effectiveness for existing and future petroleum industry developments.

- To prevent all events or chain of events that may cause loss of life, or damage to health, the environment or assets.

1.2.2. Criteria

Criteria are used to express a risk level that is considered tolerable for the activity in question. Risk analysis criteria (RAC) are used in relation to risk analysis and express the level of risk which will be tolerable for the activity.

1.3. Risk Management

1.3.1. General

Risk management has the following set of goals:

• Identify, assess and control risks that threaten the achievement of the defined project objectives, like schedule, cost targets and performance of project delivery. These risk management activities should support the day-to-day management of the project as well as contribute to efficient decision making at important decision points.

• Develop and implement a framework, processes and procedures that ensure the initiation and execution of risk management activities throughout the project.

• Adapt the framework, processes and procedures so that the interaction with other project processes flow in a seamless and logical manner.

Risk Management:

It is acknowledged that the ability to define what may happen in the future, assessment of risk and associated uncertainties, and to select best alternative lies at the heart of the risk management system, which helps in many range of decision-making, from allocating wealth to safeguarding public health, from exploring new reservoirs to decommissioning/disposal of a project, from paying insurance premiums to wearing a seat belt etc.

For instance, exploring and producing oil involves risky investments. When petroleum executives make investment decisions on petroleum projects, they face several uncertainties including future oil prices, reserves, environment, petroleum prospectiveness, fiscal terms, current degree of exploration and operational peculiarities. How can the petroleum industry cope to these and other challenges, and making decision on the allocation of capital among competing projects in diverse geographical areas.

1.3.2. Risk management process

The risk management process will remain constant over the different project phases throughout the life-cycle of a field development project. The different risk management techniques for assessing day-to-day risks, calculating the ability to meet defined project objectives and the ranking different decision alternatives will also remain the same.

Risk management process is performed in a structured way and it’s often broken down into the following 5 general steps (figure 1).

1) Initiation & Focusing; initiate risk management process including identify project objectives. The initiation should also assign personnel to the main risk management roles such as risk manager.

2) Uncertainty Identification; identify risks affecting the project objectives. Assign responsibility for assessing and mitigating each risk.

3) Risk Analysis; assess for each risk the probability of occurring and the corresponding objective consequences, given that the risk occurs. Based on the risk assessment, classify each risk in terms of criticality.

4) Action Planning; identify risk mitigating actions so that the most critical risks are mitigated. Assign responsibility and due dates for each action.

5) Monitoring & Control; re-view and, if necessary, update risk assessments and corresponding action plans once new and relevant information becomes available.

Decision Making and Risk Management

Now a days, there is a great need and importance for the implementation of Risk Management in various industries and in society. We all agreed that Risk cannot be eliminated but must be reduced and managed. It seems to be high expectations, that risk management is the proper framework for obtaining the proper balance between benefits and burdens, i.e. exploring opportunities on the one hand and avoidance of accidents and catastrophes on the other.

Decision making is obviously not about making decisions, but making good decisions. Risk management involves decision making in situations involving high risks and large uncertainties, and such decision-making is difficult as it is hard to predict what would be the consequences (outcomes) of the decisions. A number of tools are available to support decision making in such situations, such as cost-benefit analyses, cost-effectiveness analyses, Bayesian decision analysis, risk and uncertainty analyses and risk acceptance criteria. Indeed, to obtain a certain level of consistency in decision making and confidence in getting desirable outcomes needs more better guidance and a structure for decision making in situations involving high risk and certainties.

Decision Supporting Tools

There are several different views regarding decision making and all have their pros and cons. Here I would like to give brief overview of some of the approaches:

Expected utility paradigm suppose if a person is coherent in his preferences among consequences and his opinions about uncertainty quantities, then expected utility approach is attractive as it provides recommendations based on a logical basis. On the other hand in expected utility approach preferences have to be specified for all consequences, which is a difficult task in practice, moreover, almost no role of management in this case.

When we see cost benefit analysis, it requires us to indicate the value of a statistical life, not the value of a life. As we acknowledge that a life has in principle an infinite value. So, there should be no amount of money that a person would find sufficient to compensate the loss of life. While a statistical life has a finite value, considering that point; decisions need to be taken that balance benefits and risks for loss of life. It means we are willing to accept the value of loss, given that this benefit is present.

In many cases, we perform a multi-attribute analysis without any explicit trade-offs and is rather easy to conduct and works in practice. After assessing the various attributes, costs, safety, environment, political aspects, etc., separately then it is a management task to make a decision by balancing the costs and benefits and thus we gain flexibility in situations involving many stakeholders. But again in some cases it lacks coherency in decision making.

We can say, when we have number of factors (related to decision problem) relevant to cost, safety, environment, many decision alternatives, many stakeholders, complexity, and political issues then ideal is not always achievable. As a result we need to make decisions under uncertainty and in this scenario we need some guidelines and proper structure to make a good decision in situation involving risk and uncertainty.

Such a frame work has introduced by Aven ( 2003) comprises problem definition (challenges, goals and alternatives),stakeholders, concerns that affect the consequence analyses and the value judgments related to these consequences and analyses (frame conditions and constraints), identification of which consequence analyses to execute and the execution of these, managerial review and judgment and the decision.

For making a good decision, focus should be on situations characterized by a potential of rather large consequences and large associated uncertainties which relate to economic performance, possible accidents leading to loss of lives or environmental damage, etc. Risk and decision analyses plays very important role to support good decision making in these situations and according to the present risk analysis regime in Norway, risk acceptance criteria is being used together with the results from these analyses as input to risk evaluation.

Well, here the approach which T. Aven, J.E. Vinnem, H.S. Wiencke (2005) suggested is without the use of Risk acceptance Criteria. The main point in this approach is that it is based on the idea that that risk considerations (aspects and attributes related to risk) should be included actively in the decision process and not only be viewed as a frame condition for other business activities.

Before going into elements of decision frame work, it is very necessary and prerequisite for further process and good decision making that there should be clear perspective about Risk. Defined by Aven and Vinnem (2007) as combination of possible consequences and associated uncertainties (quantified by probabilities). One can not necessarily say that low uncertainty means low risk or high uncertainty means high risk. For example in a specific diving activity in offshore involves two possible outcomes say (0, 1) and similarly two fatalities (0,1), have two alternatives A &B.

It has uncertainty (probability) distribution (0.6, 0.4) and (0,1) respectively. Hence for alternative ‘A’ there is higher uncertainty and lower risk to initiate activity while alternative ‘B’ shows highest risk because of certain fact that if a person start this activity he/she will get accident. So as a result we can say that for understanding clear perspective about risk, it is necessary to see both dimensions. This clear perspective about risk helps in decision frame work elements which are:

1.2. Planning, Execution, and use risk analysis in life cycle phases of the offshore activities

The offshore activities may be divided into different lifecycle phases. The use of risk analyses will naturally vary according to which phase of the activity is being considered.

The main objective is to increase the likelihood of attaining these project objectives by providing a systematic approach for analyzing, controlling and documenting identified threats and opportunities both during the planning and execution of a project.

Risk analysis will addresses all the different phases of an offshore field development project, being the Pre-study Phase, Feasibility Phase, Execution Phase and Operation Phase, as shown in Figure 2 with defined milestones.

The structure of using risk analysis is applied in the following presentation of the lifecycle phases.

1.2.3. Operation phase Normal operation

Regular activities which are required in order to operate an installation are all considered as normal operation. This will usually include maintenance and inspection and the implied activity level.

The risk level in the operations phase is usually a function of the design and the technical, operational and organizational premises that were established for the operation (Table 2). The design of the installation will normally limit the extent to which risk reduction in the operations phase may be achieved, even though a program for continuous risk reduction is required.

It is required that the risk level in the operations phase is monitored in order to identify how the risk level develops. The risk analyses should therefore be capable of identifying the parameters or indicators which have a strong impact on the risk level and also the effect that changes will have on the risk level. This will enable an effective monitoring of changes of the risk level in relation to the RAC. Special operation

These are operations that are not covered by the base case risk analysis as they are usually carried out during limited periods in the operations phase. Such operations may be special lifting operations, drilling or other well activities, manned underwater operations, shut down periods for maintenance purposes, etc.

The RAC are usually based on an average level through one year, and are therefore not suited for evaluation of risk associated with short duration operations during which the risk levels may be higher globally or locally. Risk acceptance for such conditions will have to reflect:

• The duration of the period with increased risk.

• The peak level of risk during this operation.

• Whether the risk increase is local or global for the installation.

• Whether the risk increase affects the different personnel groups in the same way or differently.

(Table 2)Main risk analyses during operations phase



Main purpose

Main focus

Detailed risk

analysis and

analyses in


with design

change proposals,

handling of


and project

phases (TRA


After concept risk analysis

• Evaluate special risk aspects on the basis of performed risk analysis in order to give design


• Evaluate how changes etc. affect risk

• Evaluate effects of deviations from statutory requirements


• Reflect design details/specifications

• Reflect detailed/special

analysis performed

• Provide operational


• Update DAL (if required)

• Assessment of compliance with acceptance and design criteria

• Input to DSHA (when






HAZOP, etc)

When appropriate or requested during engineering phases, in order to evaluate systems designs

• Identification of required

improvements in

system design

• Processing systems

• Utility systems

• Drilling fluid systems

• Essential safety systems

• Loss of barriers

• Human factors


risk and EPA of fabrication and installation

Prior to decision on concepts for fabrication and


• Provide input to concept and methods for fabrication and installation

• Identify operational

limitation and environmental

envelops to be observed during fabrication and installation

• Fabrication of equipment and structures, hooking up, towing of modules, installation, commissi-oning and start-up


• All installations and vessels engaged in the installation and hook-up operations

• Nearby installations and vessels, if they are close

enough to be affected by

accidental effects

• Aspects of the fabrication and installation that may severely affect the entire installation and/or risk to personnel

• Determine the emergency preparedness level for the fabrication, installation and commissioning work Inspection and maintenance

Inspection and maintenance form an integrated part of normal operations, including preventive and corrective maintenance as well as routines for condition monitoring and inspection program.

Separate risk analyses are usually not conducted for regular inspection and maintenance, neither will particular RAC apply. These activities are implicitly part of the overall risk analysis, usually based on compliance with established procedures and standards for such activities.

Therefore, the execution of maintenance and inspection should normally not be subject to risk analysis. Such studies should however be used in the establishment of programs for inspection and maintenance, in order to achieve a cost effective program for these activities and to ensure priority to risk critical equipment.

Identification of critical equipment may be performed in relation to RAC for the installation, but risk analyses are usually not suited for establishing the criteria for choosing inspection and/or maintenance program.

Change of program for inspection or maintenance should be analyzed in relation to the assumptions made with respect to inspection and maintenance in the overall risk analysis, to ensure that such changes do not affect the risk level in an unacceptable way.

3.2. Pros and Cons of a functional, risk based set of regulations

3.2.1. Risk based regulation

Risk-based regulation is the utilization of the modem PSA tool in order to better distribute the resources of both the regulator and the petroleum industry. More specifically, resources would be distributed according to risk significance. Those items or events that have high risk significance would receive the most attention, while those with little risk content would command fewer resources.

Risk-based regulation has the potential of both improving petroleum activities safety and reducing oil and gas operating costs. This modem form of regulation could be applied to present operating oil and gas and to advance designs. In fact, it would help to quantify the safety improvements of advanced designs.

The application of PSA technology to the regulatory process can reduce public risks in several ways: by finding design weaknesses, by improving oil and gas operations, and in developing severe accident management programmes.

3.2.2. Benefits and disadvantages of risk based regulation

Although some countries, are strongly discussing a proposed transition process from deterministic to risk-based regulation, the pros and cons of risk-based regulation including challenges of such a transition process should be taken into account which are summarized in the following.

Main benefits of a risk-based regulation are:

To have a cost-effective approach to regulation,

To assure that resources are focused on essential safety issues,

To have a methodology that can be used to both enhance safety and manage operability,

To be able to communicate results and decisions on a clearly defined basis,

To attain an open, fair, and predictable regulatory framework.

On the other hand, there are a lot of disadvantages and difficulties which are posed by such a goal-setting approach:

To place very heavy reliance upon the exercise of regulatory personnel in judging whether standards have been complied with, whether risks have been properly identified and quantified, and whether enough preventive or mitigatory measures have been taken to satisfy the proper balancing of costs and risks,

To ensure that the regulator's forces are extremely well-informed scientifically and technologically in order to produce consistent application of standards,

To be relatively time-consuming in ensuring a sound data-base for decisions about risk and methods of control in assessing safety,

To impart a high degree of uncertainty into computations of whether risks have been reduced in a sufficient manner which might be a fertile ground for endless debate with the regulator.

Challenges which are associated with developing and implementing risk-based approaches to regulation are:

To obtain an acceptable methodology for risk assessments that is commensurate with the decisions to be made,

To perform the needed, relevant risk assessments,

To focus regulatory questions so that risk assessments can be useful,

To have a regulatory structure that encourages risk-based methods,

To perform the necessary regulatory research that assures a robust, stable approach to risk based regulation,

To effectively communicate the process, risks, and decisions to the public.

Did you like this example?

Cite this page

Interval Safety Valves. (2017, Jun 26). Retrieved February 29, 2024 , from

Save time with Studydriver!

Get in touch with our top writers for a non-plagiarized essays written to satisfy your needs

Get custom essay

Stuck on ideas? Struggling with a concept?

A professional writer will make a clear, mistake-free paper for you!

Get help with your assignment
Leave your email and we will send a sample to you.
Stop wasting your time searching for samples!
You can find a skilled professional who can write any paper for you.
Get unique paper

I'm Chatbot Amy :)

I can help you save hours on your homework. Let's start by finding a writer.

Find Writer