Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
A R T I C LE I N FO A B S T R A C T
Keywords: Well plugging and abandonment are necessitated to ensure safe closure of a non-producing offshore asset. Little
Bayesian network or no condition monitoring is done after the abandonment operation, and data are often unavailable to analyze
Decommissioning the risks of potential leakage. It is therefore essential to capture all inherent and evolving hazards associated
Plugging and abandonment with this activity before its implementation. The current probabilistic risk analysis approaches such as fault tree,
Well barrier failure
event tree and bowtie though able to model potential leak scenarios; these approaches have limited capabilities
to handle evolving well conditions and data unavailability. Many of the barriers of an abandoned well dete-
riorates over time and are dependent on external conditions, making it necessary to consider advanced ap-
proaches to model potential leakage risk. This paper presents a Bayesian network-based model for well plugging
and abandonment. The proposed model able to handle evolving conditions of the barriers, their failure de-
pendence and, also uncertainty in the data. The model uses advanced logic conditions such as Noisy-OR and
leaky Noisy-OR to define the condition and data dependency. The proposed model is explained and tested on a
case study from the Elgin platform's well plugging and abandonment failure.
1. Introduction Statoil [39], noncompliance with procedures was the primary cause of
the leakage of oil, gas and flammable liquids. Primary barriers capable
The ultimate goal of a plugged and abandoned well is to provide of being displaced by internal fluids pressure were installed instead of
permanent containment of the formation fluids migrating from the re- deep-set plugs. On 25 March 2012, the Elgin well plugging, and
servoir to the seabed. Many of these hydrocarbon-containing reservoirs abandonment operation failed to lead to an uncontrollable gas release
have unknown characteristics during the end-of-life phase. The geolo- to the seabed. The well was successfully killed after seven weeks of the
gical forces within the wellbores can vary from layer-to-layer with leak with remediation cost of over $2.09 m and accumulated loss of
devastating consequence. These uncertainties make leakage route of the around $109 m [40]. The failure was attributed to a unique corrosion
oil and/or gas wells complex and unpredictable. The leakage of hy- event in the casings within the wellbore. One common challenge in
drocarbon can be initiated through a compromised well barrier either both cases is that the complete knowledge of the uncertainties asso-
by degradation overtime or natural seepage, or both. Also, little or no ciated with decommissioning, especially, plugging and abandonment of
condition monitoring of the abandoned wells can lead to eventual wells, is lacking. Also, the sequence of occurrence of these hazards
failure of the well. The failure of one barrier can lead to subsequent leading to well failure is not entirely known, making the application of
failure of surrounding barriers, leading to cascading of failures until the Boolean logic gates such as AND/OR insufficient in estimating the exact
formation fluids reach the mudline. risk value. Therefore, a safety methodology capable of addressing these
Many accidents emanating from plugging and abandonment op- concerns is essential to enable the prediction of leakage probability
erations have been recorded, some of which resulted in the release of oil with consequent reduction of risk.
or gas in enormous quantities. For example, on 15 October 2016, the The analysis of accident scenarios is characterized by risk [17] and
plugging and abonnement (P&A) operation in the G-4 well of the Troll all probabilistic risk assessment (PRA) tools such as fault tree analysis
Field on the Norwegian Continental Shelf (NCS) operated by Statoil, (FTA), event tree analysis (ETA), layer of protection analysis (LOPA)
failed and was classified by highest degree of severity. As reported by and bowtie (BT) aim at analyzing the safety and reliability of systems.
⁎
Corresponding author.
E-mail address: fikhan@mun.ca (F. Khan).
https://doi.org/10.1016/j.ress.2019.03.027
Received 7 August 2018; Received in revised form 17 January 2019; Accepted 10 March 2019
Available online 11 March 2019
0951-8320/ © 2019 Elsevier Ltd. All rights reserved.
A.O. Babaleye, et al. Reliability Engineering and System Safety 188 (2019) 133–141
However, these methods are limited in their ability to assess and ac- logics in the model to obtain significant improvement in the level of
commodate dynamic variations in complex engineering systems such as uncertainty. Following this introduction, Section 2 presents a brief
a reservoir. Forms of probabilistic risk assessment have been developed description of FT, BN, mapping of FT into BN and the N-OR/LN-OR
to assess accidents scenarios and events sequence modelling. For ex- logics. An application of the methodology is presented as a case study in
ample, Sklet [38] investigated hydrocarbon release accidents on off- Section 3. Model description emanating from the case study is offered
shore platforms using barrier block diagrams. Nivolianitou et al. [28] and analyzed in Section 4 while Section 5 is dedicated to the conclu-
compared fault trees, event trees and Petri nets for investigating acci- sions drawn from the study.
dents in an ammonia storage plant. The work examined the sequence of
events leading to failure, event dependencies, and appropriate model- 2. Proposed safety methodology
ling considerations. Gowland [8] used the layer of protection analysis
process in the ARAMIS project to assess the sequence of operation of 2.1. Dynamic safety model
safety barriers. Delvosalle et al. [4] developed a bowtie to identify
significant and interacting accident scenarios in process plants appli- 2.1.1. Fault tree (FT)
cation. Paltrinieri et al. [32] introduced a dynamic approach to atypical The FT is a deterministic, deductive and graphical technique cap-
scenarios identification (DyPASI) to identify and assess early signals of able of estimating the probable cause or combination of causes of an
risk related to past events as the development of bow-tie identification undesired top event (TE) and their criticalities. Typically, the top event
technique. is the major accident that can initiate hazards especially, when the
Although, few types of research have been conducted to assess the safety barriers implemented are insufficient or deteriorate over time. To
safety risks of well P&A [14,31]. However, most of these previous develop the FT, the top event must be recognized and identified. The
works have focused on data mining or on pilot experiments to describe common events (IEs) leading to the top event are then systematically
the well characteristics whereas no consideration was given to data categorized in a top-down approach until the causal events (CEs) are
uncertainty and events dependencies. Also, most of the probabilistic identified. It is worth mentioning that, the complete knowledge of the
risk analysis (FTA, ETA, and BT) techniques applied to the previous process operation and the failure rate (or frequency/probability) of the
studies cannot flexibly adapt to new information, or handle uncertain CEs must be known. The CEs are the minimum faults that can initiate a
data including the dependencies of events [45,46]. FTA as a risk ana- potential fault or harm to the subsystems of a component. The IEs are
lysis tool, albeit its drawbacks, has been widely applied in diverse fields sets of faults in the subsystem capable of causing a potential accident.
to estimate the safety risks and reliability of mooring systems [26], The analysis of an FT can be performed both qualitatively and quanti-
complex process systems [5,6,18], and fault diagnoses of industrial tatively. For qualitative analysis, algebraic equation containing the
processes [1,15,19]. Where interacting basic events are few, FTA can be combinations of CEs as independent variables is developed regarding
solved with ease. Whereas, FTA cannot cope with complex and overly TE, based on Boolean logic. In the quantitative analysis, the occurrence
dependent systems, redundant failures or common cause failures by probabilities or the minimum cut-sets (MCs) of the CEs are used to
itself unless additional information is incorporated with the model. obtain the occurrence probability of the TE.
Furthermore, each basic event in a fault tree (FT) model is often as- The static nature of FT is based on its application domain where
sumed to be statistically independent, but in practice, events are in- every component of a system is believed to be either reliable or non-
teractively dependent [2,16,37]. Many researchers have developed reliable over time. The FT model formulation does not take into con-
different forms of FTA to cope with these drawbacks. For example, sideration the possibility of a reliable system degradation when subject
Markowski et al. [24] applied fuzzy and evidence theory to account for to operation. Also, FT can only handle binary logic operations without
data uncertainty from expert judgements and similar accidents. Shalev the possibility of accommodating intermediate states [16,35]. For these
and Tiran [36] developed a methodology for dynamic FTA by coupling reasons, this paper relies only on the logical representation of the ac-
FTA with condition monitoring. A complete framework to conduct cident model within FT and all computation are performed within BN.
qualitative and quantitative risk analysis within temporal FTA were Furthermore, uncertain conditions coupled with limited data can be
developed by Kabir et al. [13] and Walker and Papadopoulos [41]. This problematic for FT analysis. Some modifications have been developed
temporal FTA was applied to capture temporal dependence among to address these concerns such as fuzzy set and evidence theory
faults and events by Palshikar [33]. Lefebvre et al. [22] extended the [21,44].
temporal FTA model to include time dependency among failures for
avionics applications. Although, these methods aim at updating static
FTAs to cope with dynamic safety analysis; however, none of the pro- 2.1.2. Bayesian network
posed methods is capable of independent analysis without adding ad- BN is a probabilistic tool capable of handling multi-variable systems
ditional gate(s) to the existing FTA. and their dependencies under uncertainty. BN consists of a directed
To improve these limitations, Bayesian network (BN) have been acyclic graph (DAG) used to represent events. The nodes within the
adopted by researchers in recent times due to its flexible nature and DAG represent variables, and the arcs denote the causal relationships
capability to assess risks under uncertainty. BN has been demonstrated amongst the connected nodes. The relationships between these vari-
to thrive in fault diagnosis [10,34], reliability assessment [20,23,42] ables are specified within conditional probability tables (CPT) to in-
and probability updating [3,7]. FTAs have been mapped into BNs in dicate the strength of influence among the interacting nodes. Consider
different forms with the primary goal of relaxing its limitations. For Fig. 1 with a set of variables Yi. Y1 and Y2 are root nodes; Y3 and Y4 are
instance, static FTAs have been mapped into BNs [2,9,25,37], and dy- the intermediate nodes, and Y5 is the leaf node. The root nodes corre-
namic FTAs into DBNs, accordingly [3,27]. BNs also offer superior sponding to CEs in an FT are assigned marginal prior probabilities. The
multi-variable handling ability. However, a significant amount of intermediate and leaf nodes are given CPTs based on the level of in-
computation is required to represent dependencies among the inter- fluence of their parent nodes. The theory and practice of BN is not the
acting events. This drawback can only be addressed with the help of focus of this present paper but its applicability to the task under con-
advanced logics such as Noisy-OR (N-OR) and leaky Noisy-OR (LN-OR), sideration. Comprehensive information regarding BN can be found in
which have not been applied in the risk analysis of well P&A until now. the literature [2,12].
The present work focuses on the application of advanced modelling Binary outcomes yi and ȳi represent each state Yi. The BN, joint
logics (N-OR and LN-OR) for estimating the leakage probability of probability distribution, follows the chain rule as given in Eq. (1).
formation fluids during P&A operation. This is achieved through the 5
mapping of P&A FTA into BN and incorporating the N-OR and LN-OR
P (yi ) = ∏i =1 P (yi |yμ (i) ) (1)
134
A.O. Babaleye, et al. Reliability Engineering and System Safety 188 (2019) 133–141
2.1.3. FT to BN mapping algorithm The advantage offered by the Noisy-OR model is observed from the
The causal, intermediate and top events of the FT are transformed to considerable decrease in the number of conditional probabilities re-
the BN structure to represent its root, intermediate and leaf (or pivot) quired to represent the cause-consequence relationship within the CPT
nodes, respectively. The logic relationship among the interacting events completely.
in the FT is assigned similarly to the interacting nodes within the BN
(Fig. 2). The failure prior probabilities of the causal events become the
marginal prior probabilities of the root nodes. The probabilities as- 2.2.2. Leaky Noisy-OR formalism
signed to the intermediate and leaf nodes are based on the logic gates The LN-OR gate is an extension of the N-OR model. It is used to
relationship of the FT and are specified within the CPTs of the BN de- address scenarios where a consequence still exists even in the absence
pending on the degree of belief or knowledge of the new observations. of any cause. This model is especially applicable to accident models
where all potential causes are not identified. In practice, most risk
2.2. Modelling interactions with advanced logic identification model falls short to capture hazards specific to a scenario,
in its entirety, making the Noisy-OR with leak model an essential pre-
In the decommissioning operation, cost reduction is one of the cision risk analysis tool. The principal argument is that there exists a
major concerns. For this reason, it is necessary to model the accident leak (common cause) probability l, which describes the overall con-
scenarios accurately such that the cost of implementing safety measures sequence of all causes not captured in the event of an accident
is not over- or under-estimated. The logic gates of AND and OR utilized [2,12,29]. Fig. 1 can demonstrate the applicability of the common
by FT are sometimes not enough to predict the actual scenarios, leading cause probability, l where 0 ≤ l < 1, such that P (y5 | y¯4 , y¯3, L) = l . Here,
to a conservative analysis of risk. To overcome this notion, Noisy-OR L is the uncaptured cause of the occurrence of y5, and Eq. (6) can be
and leaky Noisy-OR gates are explored. rewritten to accommodate this extra term, thus,
135
A.O. Babaleye, et al. Reliability Engineering and System Safety 188 (2019) 133–141
136
A.O. Babaleye, et al. Reliability Engineering and System Safety 188 (2019) 133–141
Table 1 Table 3
Failure probabilities of leak causal events [30,43]. CPT for the leak through mudline failure with the N-OR approach.
Symbol FAILURE DESCRIPTION Failure probabilities State B1 B2 E2 Pf 1 − Pf CPT of leak through mudline
Non-sour well Sour well 1 No No No 0.000 1.000 0.0000(1 − PB1)(1 − PB2)(1 − PE2)
2 No No Yes 0.7500 0.2500 0.7500(1 − PB1)(1 − PB2)PE2
B1.1 Pressure build-up effect 1.65E−01 3.25E−01 3 No Yes No 0.6500 0.3500 0.6500(1 − PB1)PB2(1 − PE2)
B1.2 Injection into nearby wells effect 2.20E−02 3.10E−02 4 No Yes Yes 0.9130 0.087 0.9130(1 − PB1)PB2PE2
B1 Leak through zone isolation plug OR-gate OR-gate 5 Yes No No 0.7000 0.3000 0.7000PB1(1 − PB2)(1 − PE2)
B2 Leak through lower plug 1.30E−02 2.60E−02 6 Yes No Yes 0.9250 0.0750 0.9250PB1(1 − PB2)PE2
B3 Leak through upper plug 1.00E−02 2.00E−02 7 Yes Yes No 0.9700 0.0300 0.9700PB1PB2(1 − PE2)
B4 Leak through production casing 1.00E−03 2.00E−03 8 Yes Yes Yes 0.9750 0.0250 0.9750PB1PB2PE2
B5 Leak through casing hanger 1.05E−02 2.10E−02 P(leak to mudline) = ∑Pi = 0.00218537
B6 Leak through surface casing 1.00E−03 2.00E−03
B7 Leak through casing hanger 1.25E−02 2.50E−02
E1 Leak thru mudline (TE) And-gate And-gate
minimal cut-sets, prior occurrence TE probability and prior importance
E2 Leak thru upper casing- production casing OR-gate OR-gate
E3 Leak thru production casing-casing And-gate And-gate measures, respectively. Also, the data used to analyze the case study is
hanger limited and uncertain. Therefore, this work adopts BN to validate the
E4 Leak thru casing hanger-casing hanger OR-gate OR-gate data while N-OR and LN-OR relaxation formalisms are used to model
E5 Leak thru surface casing-casing hanger And-gate And-gate the deviations from uncaptured causes of well P&A failure.
137
A.O. Babaleye, et al. Reliability Engineering and System Safety 188 (2019) 133–141
analysis, BN can yield varying but promising results depend on the Table 4
conditional dependencies that exist among causal events. Here, one or CPT for the leak through mudline failure with the LN-OR approach.
more of the CEs occurrence probabilities can be instantiated to obtain State B1 B2 E2 Pf 1 − Pf CPT of leak through mudline
new and up-to-date information about the occurrence of the TE. In the
diagnostic analysis, the TE occurrence probability can be set as evi- 1 No No No 0.010 0.990 0.01(1 − PB1)(1 − PB2)(1 − PE2)
dence to provide updated information about the CEs, accordingly. Also, 2 No No Yes 0.7600 0.2400 0.7600(1 − PB1)(1 − PB2)PE2
3 No Yes No 0.6600 0.3400 0.6600(1 − PB1)PB2(1 − PE2)
the availability of accident precursor data during the well P&A opera-
4 No Yes Yes 0.9230 0.077 0.9230(1 − PB1)PB2PE2
tion can be directly fed into the BN to perform probability updating and 5 Yes No No 0.7100 0.2900 0.7100PB1(1 − PB2)(1 − PE2)
sequential updating (adaptation). This information can help to update 6 Yes No Yes 0.9350 0.0650 0.9350PB1(1 − PB2)PE2
the knowledge of the inherent risks and evolving ones in real-time. 7 Yes Yes No 0.9800 0.0200 0.9800PB1PB2(1 − PE2)
8 Yes Yes Yes 0.9850 0.0150 0.9850PB1PB2PE2
Although, the aim of probability updating within BN is to reduce data
P(leak to mudline) = ∑Pi = 0.00855457
uncertainty, primarily, because the updated probabilities are believed
to be a better reflection of the well P&A failure when compared to the
prior probabilities. However, two important issues relating to BN introduction of the LN-OR formalism within the BN yields a prior oc-
modelling is that the size of the CPTs and model parameters. The size of currence probability of TE as 8.55E−3 for non-sour well.
CPTs, typically, increases exponentially as the number of finite parent
variables rises. Also, the model parameters are associated with own
uncertainties as expert judgements can be quite subjective. This study, 3.4. Dynamic safety analysis
therefore, adopts N-OR and LN-OR within the BN to address these
concerns. 3.4.1. Prognostic analysis
In prognostic (forward propagation) analysis within BN, some
knowledge of the causal events is gathered and feed into the BN to
3.3.2. Noisy-OR analysis
investigate their influence on the top event. This modelling can provide
The N-OR approach is used to relax the model parameters based on
up-to-date information about the current state of the leakage potentials.
the explanation in Section 2.2.1. Since the occurrence of the TE relies
For example, instantiating the occurrence probabilities of causal events
on the leak through the isolation plug, lower plug and upper plug-
P (B1.1) = P (B3) = P (B5) = 1. The BN can then be reassessed using
production casing failures. The number of parameters needed to model
P (B1.1 = {T }, B1.2 = {F }, B2 = {F }, B3 = {T }, B4 = {F }, B5 = {T }, B6
the TE is shown in Table 3. Pf and (1 − Pf ) are the noisy occurrence (and
non-occurrence) probability of the TE. The introduction of the N-OR = {F }|TE ).
formalism within the BN yields a prior occurrence probability of TE as The posterior occurrence probability of the leak through mudline (TE)
2.19E−3 for non-sour well. is seen to be higher than the priors in both the similitude mapping of
FTA, N-OR and LN-OR cases (Table 5).
3.3.3. Leaky Noisy-OR analysis
For the sake of simplicity, an uncaptured hazard in the case of LN- 3.4.2. Diagnostic analysis
OR is introduced with a leak probability, l = 0.01. The prior occurrence In diagnostic (backward propagation) analysis within BN, the de-
probabilities of the root nodes are unchanged, except that the next sired information meaningful to decision-makers offshore are the up-
nodes leading to the top event are linked with an LN-OR condition and dated (posterior) probabilities, reflecting the specific features of the
their interactions reflected in the TE's CPT. The model parameters are accident under investigation and, the most probable causes (MPCs) of
assigned as explained in Section 2.2.2 and are presented in Table 4. The well P&A failure. To determine the posterior probabilities of the CEs, a
138
A.O. Babaleye, et al. Reliability Engineering and System Safety 188 (2019) 133–141
Table 5 0.4
The posterior probability of TE for non-sour well based on forwarding propa- 0.35
gation.
0.3 Prior
Events Probability
Event MAPPED FT N-OR LN-OR Mapped FT
0.25 N-OR
PRIOR POSTERIOR PRIOR POSTERIOR PRIOR POSTERIOR
LN-OR
0.2
TE 2.39E−5 1.30E−2 2.19E−3 5.90E−3 8.55E−3 1.05E−1
0.15
0.1
new observation of the overall leak through mudline is necessary. For
0.05
instance, given that it becomes certain that the well P&A fails, the oc-
currence probability of the TE is instantiated to unity, i.e. 0
P (leak thru mudline) = 1. The updated failure probabilities of the CEs B1.1 B1.2 B2 B3 B4 B5 B6 B7
are then reassessed using P (CEi |TE = {T }) . The results obtained from Causal Events
the FTA, N-OR and LN-OR logics modelled through BN are presented in Fig. 6. Comparison between prior and posterior probabilities (non-sour).
Table 6, show that events B1.1, B1.2, B2 and B3 have the largest posterior
occurrence probabilities in all cases. To estimate the MPCs, the weakest 18
routes among interacting events are assessed where all the identified
16
largest causal events are assumed to be true while other events are false Mapped FT
( )
14
i.e. N-OR
P (B1.1 = {T }, B1.2 = {T }, B2 = {F }, B3 = {T }, B4 = {F }, B5 = {F }, B6 . 12
LN-OR
Sensitivity ratio,
= {F }|TE = {T }) 10
The values of the MPC computation when ran through different re- 8
laxation approaches yield up-to-date top event probabilities of 1.00E 6
+00, 2.37E−05 and 2.40E−05, respectively. 4
2
3.4.3. Sensitivity analysis 0
To examine in more detail how small changes in the causal events B1.1 B1.2 B2 B3 B4 B5 B6 B7
influence the overall leak probability of the hydrocarbon to mudline Causal Events
(TE), sensitivity analysis, ηs is conducted for both cases involving sour-
Fig. 7. Sensitivity analysis of causal events (non-sour).
and non-sour fluids within the wellbore. First, the data shown in
Table 6, are used to compare the prior and posterior probabilities under
all the relaxation conditions (Fig. 6). Then, Eq. (10) is used to compute updating their probabilities repetitively produce similar outcomes. The
the contribution of each CE to provide an informed decision on the effect of an injection into nearby wells (B1.2) tend to increase steadily as
sensitivity of each event to the well ultimate failure (Fig. 7). Further- the leak through mudline becomes imminent. To a lesser degree, the
more, the sensitivity analysis is validated by repetitive substitution of leak through seal assembly (B5) and that between the annulus of the
the posterior occurrence probabilities within BN to provide up-to-date conductor and surface casing (B7) rise with the top event. Leak through
information on the uncertainty, as shown in Fig. 8. For each increment, the surface casing (B4) and leak through the conductor casing (B6) are
the updated TE occurrence probability of the TE is recorded. not sensitive to the occurrence of the top event, as evident by Fig. 6.
ϑ(Bi) − θ (Bi)
ηs (Bi) = 4. Results and discussion
θ (Bi) (10)
where ϑ(Bi) and θ(Bi) are the posterior and prior probabilities for From the fault tree analysis of the causal events, it can be inferred
nodes Bi. The trends obtained from the sensitivity analysis are depicted that the critical leakage route to the well P&A failure is B1.1B2B3 with a
in Fig. 6. combined failure probability of 2.15E−3 leading to an overall top
Fig. 7 indicates that it is important to focus on the criticality of event failure probability of 2.39E−5, in the case of non-sour oil or gas
events based on sensitivity analysis, rather than simply comparing the well. The sequence of occurrence of this route is not as important as the
magnitudes of posterior against prior probabilities. significance of damage their combination would contribute to the ac-
A closer examination of Fig. 8 revealed that events B2 (leak through cident. It is worth observing that B1.2B2B3 leakage route also has a
the lower casing plug) and B3 (leak through surface plug), albeit their higher potential to lead to the accident and must, therefore, be equally
progressive increment with the top event, overlap. This indicates that controlled. Although the minimal cut-sets provide valuable knowledge
Table 6
Failure probabilities comparison of CEs based on backward propagation.
Events MAPPED FT N-OR LN-OR
139
A.O. Babaleye, et al. Reliability Engineering and System Safety 188 (2019) 133–141
give an accurate risk value, hence, the need for sensitivity analysis.
5. Conclusion
140
A.O. Babaleye, et al. Reliability Engineering and System Safety 188 (2019) 133–141
analysis. Process Saf Environ Prot 2007;85:70–80. [27] Montani S, Portinale L, Bobbio A, Codetta-Raiteri D. RADYBAN: a tool for reliability
[6] Ferdous R, Khan FI, Veitch B, Amyotte P. Methodology for computer-aided fuzzy analysis of dynamic Bayesian networks. J Reliab Eng Syst Saf 2008;93:922–32.
fault tree analysis. Proc Saf. Environ. Prot 2009;87:217–26. [28] Nivolianitou ZS, Leopoulos VN, Konstantinidou M. Comparison of techniques for
[7] Giribone R, Valette B. Principles of failure probability assessment (PoF). Int J Press accident scenario analysis in hazardous systems. J Loss Prev Process Ind
Vessels Pip 2004;81:797–806. 2004;17:467–75. (2004).
[8] Gowland Richard. The accident risk assessment methodology for industries [29] Onisko A, Druzdzel MJ, Wasyluk H. Learning Bayesian network parameters from
(ARAMIS)/layer of protection analysis (LOPA) methodology: a step forward to- small data sets: application of noisy-or gates. Int J Approx Reason 2001;27:165–82.
wards convergent practices in risk assessment. J Haz Mater 2006;130(3):307–10. [30] OREDA. Offshore and onshore reliability data handbook. Hovik, Norway: Det
2006. Norske Veritas; 2015.
[9] Graves TL, Hamada MS, Klamann R, Koehler A, Martz HF. A fully Bayesian ap- [31] Ouyang S, Allen E. Offshore well abandonment: challenges and approach with DNV
proach for combining multi-level information in multi-state FT quantification. J GL guideline of risk-based abandonment. Offshore Eng Technol 2017;1(1):71–83.
Reliab Eng Syst Saf 2007;92:1476–83. [32] Paltrinieri N, Tugnoli A, Buston J, Wardman M, Cozzani V. Dynamic Procedure for
[10] Huang Y, McMurran R, Dhadyalla G, Jones RP. Probability-based vehicle fault di- Atypical Scenarios Identification (DyPASI): a new systematic HAZID tool. J Loss
agnosis: Bayesian network method. J Intel. Manuf 2008;19:301–11. 2008. Prev Process Ind 2013;26(4):683–95.
[11] HUGIN. Hugin expert software version 8.6. 2018http://www.hugin.com. [33] Palshikar GK. Temporal fault trees. Inf Softw Technol 2002;44(3):137–50.
[12] Jensen FV, Nielsen TD. Bayesian networks and decision graphs. 2nd ed. New York: [34] Przytula KW, Thompson D. Construction of Bayesian networks for diagnostics.
Springer; 2007. Proceedings of IEEE aerospace conference. 5. 2000. p. 193–200.
[13] Kabir S, Walker M, Papadopoulos Y. Quantitative evaluation of Pandora temporal [35] Rausand M, Høyland A. System reliability theory. models, statistical methods, and
fault trees via Petri nets. 9th IFAC symposium on fault detection, supervision and applications. 2nd ed Hoboken, NJ: John Wiley & Sons Inc.; 2004.
safety for technical processes, SAFEPROCESS 2015. 48. 2015. p. 458–63. September [36] Shalev DM, Tiran J. Condition-based FT analysis (CBFT): a new method for im-
2-4. proved fault tree analysis, reliability and safety calculations. J Reliab Eng Syst Saf
[14] Kaiser MJ. Rigless well abandonment remediation in the shallow water U.S. Gulf of 2007;92:1231–41.
Mexico. J Pet Sci Eng 2017;151:94–115. [37] Simon C, Weber P, Levrat E. Bayesian networks and evidence theory to model
[15] Kavcic M, Juricic D. CAD for fault tree-based diagnosis of industrial processes. J Eng complex systems reliability. J Comput 2007;2:33–43.
Appl Artif Intell 2001;14:203–16. [38] Sklet. Hydrocarbon release on oil and gas production platforms: release scenarios
[16] Khakzad N, Khan F, Amyotte P. Safety analysis in process facilities: comparison of and safety barriers. J Loss Prev Process Ind 2006;19:481–93.
fault tree and Bayesian network approaches. J Reliab Eng Syst Saf 2011;96:925–32. [39] Statoil. https://www.equinor.com/content/dam/statoil/documents/statoil-
[17] Khan FI. Use maximum-credible accident scenarios for realistic and reliable risk investigation-report-songa-endurance.pdf; 2017 (accessed on July 20, 2018).
assessment. Chem Eng Prog 2001;11:56–64. 2001. [40] Total. http://www.elgin.total.com/elgin/pressrelease.aspx?contentid=640; 2013
[18] Khan FI, Sadiq R, Husain T. Risk-based process safety assessment and control (accessed on July 20, 2018).
measures design for offshore process facilities. J Hazard Mater 2001;A94:1–36. [41] Walker M, Papadopoulos Y. Qualitative temporal analysis: towards a full im-
[19] Khoo LP, Tor SB, Li JR. A rough set approach to the ordering of basic events in a plementation of the fault tree handbook. Control Eng Pract 2009;17(10):1115–25.
fault tree for fault diagnosis. Int J Adv Manuf Technol 2001;17:769–74. [42] Wilson AG, Huzurbazar AV. Bayesian networks for multilevel system reliability. J
[20] Langseth H, Portinale L. Bayesian networks in reliability. J Reliab Eng Syst Saf Reliab Eng Syst Saf 2007 2007;92:1413–20.
2007;92:92–108. 2007. [43] Woodyard AH. Risk analysis of well completion systems Society of Petroleum
[21] Lavasani SM, Ramzali N, Sabzalipour F, Akyuz E. Utilisation of fuzzy fault tree Engineers, 9414 J Pet Technol1982(April):713–20.
analysis for quantified risk analysis of leakage in abandoned oil and natural-gas [44] Yuhua D, Datao Y. Estimation of failure probability of oil and gas transmission
wells. Ocean Eng 2015;108:729–37. pipelines by fuzzy FT analysis. J Loss Prev Process Ind 2005;18:83–8.
[22] Lefebvre A, Simeu-Abazi Z, Derain JP, Glade M. Diagnostic of the avionic equip- [45] Pasman HJ, Rogers WJ. Risk assessment by means of Bayesian networks: A com-
ment based on dynamic fault tree. International conference on cost-effective au- parative study of compressed and liquefied H2 transportation and tank station risks.
tomation in networked product development and manufacturing. 12. 2007. International Journal of Hydrogen Energy 2013;37(22):17415–25. https://doi.org/
[23] Mahadevan S, Zhang R, Smith N. Bayesian networks for system reliability assess- 10.1016/j.ijhydene.2012.04.051.
ment. J Struct Saf 2001;23:231–51. [46] Pasman HJ, Jung S, Prem K, Rogers WJ, Yang X. Is risk analysis a useful tool for
[24] Markowski AS, Mannan MS, Bigoszewska A. Fuzzy logic for process safety analysis. improving process safety? Journal of Loss Prevention in the Process Industries
J Loss Prev Process Ind 2009;22:695–702. 2009;22(6):769–77https://doi.org/10.1016/j.jlp.2009.08.001.
[25] Marsh W, Bearfield G. Representing parameterised fault trees using Bayesian net- [47] MMS, 2000. Risk assessment of Temporarily Abandoned or Shut-in Wells. United
works. Lect Notes Comput Sci 2007;4680:120–33. States Department of the Interior, Minerals Management Service. Report prepared
[26] Mentes A, Helvacioglu I. An application of fuzzy fault tree analysis for spread by C-FER Technologies. Contract No. 1435-01-99-RP-3995.
mooring systems. Ocean Eng 2011;38:285–94.
141