1 Introduction

Process industries involve numerous processes susceptible to hazards that can cause accidents in the operational sequence. Risk and safety are two significant factors considered indispensable for any industrial process to operate safely and achieve its desired targets. Risk is the probability of a hazard causing an accident that could pose a threat to health, property or environment. The key components that provide vital parameters for an effective risk assessment are risk identification, analysis and evaluation [1]. Risk identification helps to identify, isolate and describe the risks that could influence the target objectives. Risk analysis helps in understanding the nature, sources and causes of the risks that have been identified, and in quantifying the level of risk. It is also used to study impacts and consequences, and it is a vital tool for examining the process controls that currently exist. Risk evaluation compares risk analysis results with risk criteria in order to determine whether or not a specified level of risk is acceptable or tolerable. It is therefore pivotal to examine all possible risks of a condition, and to assess and formulate preventive measures that avoid the occurrence of an incident or control the intensity of an accident that may occur [2].

Process industries like oil and gas, and more specifically offshore oil and gas exploration activities, fall under high-intensity risk criteria. An accident in the offshore oil and gas industry can lead to devastating consequences and catastrophic effects on men, material and environment, on top of the heavy financial burden it can bring. Accidents on oil and gas rigs have been occurring since hydrocarbon exploration started in the mid nineteenth century. History has witnessed several such catastrophes, from Piper Alpha in 1988, which killed 167 personnel, to the most recent Deepwater Horizon incident on April 20, 2010, which led to the largest accidental oil spill in history. Piper Alpha and Deepwater Horizon were both the manifestation of a series of system or process failures. While an insufficient management of change (MOC) procedure is largely speculated to have caused the domino effect on the Piper Alpha platform, failure of critical safety equipment, namely the subsea blowout preventer (BOP), led to the Deepwater Horizon incident. Deviations from SOPs can also be regarded as the primary initiating cause of both the Piper Alpha and Macondo (Deepwater Horizon) incidents. It is a pertinent observation that human influence leading to changes in operating practices can be said to have played a major role in instigating the preliminary cause of these accidents. Oil rigs deal with extreme pressures, heavy machinery, constrained space and highly exothermic chemicals, all in the vast expanse of the seas, which creates a huge logistical constraint in itself. Hence, safety and risk management play a very crucial role in offshore oil and gas rigs.

2 Oil Well Drilling

The upstream oil and gas industry revolves around exploration and production of hydrocarbons. In spite of quantum leaps in the field of seismic science, there is no substitute for drilling to positively determine the presence of commercially viable hydrocarbons deep in the earth’s crust. Oil and gas wells are drilled using drilling rigs that are either onshore or offshore. Present-generation rigs are highly sophisticated machinery that can drill into the earth’s crust to depths of up to 30000 ft in water depths of up to 12000 ft. In the more than a century since the first oil well was drilled, the infusion of technology, and with it inherent safety, has gained substantial importance. The drilling process involves planning and executing the creation of a borehole to a target depth according to a laid-out scientific plan. On a deepwater drilling rig, this involves components such as station mooring of the rig, physical drilling machinery, a medium to clean out the cuttings generated, and various safety barriers. All of these systems working in unison is the most desired process scenario [3].

3 Station Mooring

Floater deepwater rigs can be broadly classified as Semi-Submersibles and Drill Ships. The functionality and utilization of each type is based on several factors that focus on the sea and weather conditions of the region. The primary requirement of such a drilling vessel is to hold a stable position in the sea during almost all weather conditions within its design parameters. The design capability of the rig to maintain position is known as station mooring capability. This is achieved through the Global Positioning System (GPS), onboard mechanical thrusters and a feedback system.

Once the drilling rig positions itself and commences drilling the well below the seabed, under no circumstance can the rig deviate beyond an acceptable design parameter away from the moored station. Once the drilling rig is connected by means of the marine riser system to the BOP and wellhead, the design parameter for deviation reduces drastically. The rigs are also expected to work with Offshore Supply Vessels (OSV) and helicopters for supply and logistics of men and material. In a dynamic sea state, the rig is expected to maintain position to successfully work the vessels and helicopters. There are scenarios involving transfer of highly combustible fuel oil or oil-base mud from OSVs, and in these the margin of deviation from the moored station reduces further. The complexity of the operation and the risk increase further because both the rig and the OSV are expected to maintain their mooring within limits. Failure of the station mooring system can lead to catastrophic consequences.

Drilling rigs are equipped with inherent redundancy mechanisms to address such scenarios of equipment or process failure. Most modern rigs are equipped with a Dynamic Positioning-Third level (DP-III) system that has not one but two levels of redundancy. The incidents that led to the catastrophic disaster on the ONGC-owned BHN platform are a grim reminder of the need for a DP-III system.

4 Drilling Process

The drilling process rests on a large body of scientific study that includes detailed geological prognosis based on seismic study and offset well data. Hydrocarbon wells are designed with safety parameters laid down on the basis of technical analysis and historical experience. In spite of all preparedness, several complications are experienced in drilling operations. These include stuck pipe, downhole tool failures, surface equipment failures and so on. The risk associated with a drilling operation is substantial because of the number of components involved. The financial implications are very large, but the most dangerous risks are those arising from human presence in the process or in complication mitigation, which could lead to personnel injury.

One of the most common procedures adopted by industry is Management of Change (MOC), which deals with synchronizing organizational or process changes. Effective use of MOC is crucial in an environment as complex as a drilling rig. The events on the Piper Alpha platform offer a major lesson on the importance of such processes. Another critical component of operations is the permit system. Permits are control measures designed to ensure that multiple operations do not intersect or counteract each other and cause incidents. Permits are system requirements on any typical process that, if overlooked, can lead to significant events.

The drilling process typically involves a highly pressurized environment, extremely combustible components, radioactive sources, explosives meant for controlled detonation and high-speed moving components. Concentrated in the cramped space of an offshore rig, these mandate strict access control and barricade mechanisms, which form the lifeline of system control for ensuring safety. In a statistical survey conducted in the US, about 70% of all fatalities in the mining industry occurred in oil and gas. The risks involved in a drilling operation are multi-dimensional and carry high cost implications. Timely review and preventive intervention to mitigate such risks is widely adopted in the drilling industry.

5 Well Barrier

As per API RP 96, a minimum of 2 tested and independent barriers are required for drilling a safe well. The primary barrier during a drilling operation is the drilling fluid, which maintains well integrity in terms of well control. Advanced technologies like MPD/UBD take additional support from RCDs, auto chokes and NRVs. The primary barrier is the first barrier against any wellbore intrusion. The secondary well barrier comes into the picture when the primary barrier fails to maintain well integrity. Hence, the primary well barrier is typically enclosed by the secondary barrier. The most important form of secondary well barrier is well control equipment such as the BOP stack, chokes, etc. The drilling process follows a set procedure of Safe Operating Practices that ensures well barrier integrity is not compromised. SOPs and MOCs play a very important role in ensuring that the complexity of operations does not defeat this primary requirement. However, history has shown, in the form of the Macondo incident, that primary barriers are at risk of compromise due to unforeseen circumstances, followed by a sequence of processes that results in failure of the secondary barrier and leads to an accident event.

6 Risk Assessment

Drilling is a hazardous operation, and the safety of its associated processes is measured as a factor of risk. Risk is defined as the probability of accident likelihood and the magnitude of loss to health, property or environment. A risk management system involves several major steps. The first step is hazard identification, which covers physical, mental, chemical or biological hazards. The second step is to decide who may be harmed and how. The third step is assessing the risk and implementing control measures. The final step is recording the findings and reviewing the control measures. Several qualitative and quantitative methods have been developed to assess risk management systems in harsh environments. Qualitative risk assessment is intended to identify the likelihood and impact of a risk event occurring on the overall process. Quantitative methods, on the other hand, specify the probability density of the overall consequence of risk in the process. Among the various risk evaluation and analysis methods used in industry, the most widely used are physical inspections at various levels of assessment, operational charts and flow charts for processes, safety review checklist analysis, and relative ranking or “What if” analysis. Some of the focused methodologies that involve a case-by-case approach are Hazard and Operability Study (HAZOP), Failure Modes and Effect Analysis (FMEA), Fault Tree Analysis (FTA), Event Tree Analysis (ETA), Layer of Protection Analysis (LOPA), Cause Consequence Analysis (CCA) and Human Reliability Analysis (HRA) [4].

Bow-Tie diagrams are considered among the best tools for demonstrating how a risk that can cause an accident develops into its further consequences. A Bow-Tie diagram describes the cause-effect relationship of an accident by working systematically through a hazard and its management. A typical Bow-Tie diagram is shown in Fig. 1. The left bow corresponds to all possible causes of a hazard or top event and defines a fault tree consisting of events and logic gates. These events can be primary or basic events, initiating events, external events, conditional events, undeveloped events and undesired or critical events. The fault tree is represented by Boolean AND and OR gates that interconnect events and specific conditions, as shown in Fig. 2. Exclusive OR gates, Priority AND gates and Inhibit gates are also used in FTA. The top event will happen if the output of the AND gate goes high, which means that all inputs to this particular gate must go high. The output of an OR gate, however, goes high if any one of its inputs goes high. The conditional probability tables of AND and OR gates are given in Fig. 3.

Fig. 1 Typical bow-tie model. A bow-like illustration presents the top event or incident at its center. The left bow displays fault tree analysis and the right bow displays event tree analysis. On the top, a left-facing arrow reads causes and a right-facing arrow reads consequences.

Fig. 2 Bow-tie model with events and logic gates. A circuit with logic gates has two sections connected by an AND gate, a fault tree analysis and an event tree analysis. The fault tree analysis comprises two OR gates, and the event tree analysis comprises safety barriers SB1, SB2 and SB3. The safety barriers if successful, consequences are C1, C2, C3, C4, and if not C1, C2, etcetera.

Fig. 3 Conditional probability tables for OR and AND gates. An illustration of nodes X, Y and Z pointing at node O. An accompanying table presents the conditional probability values for OR and AND gates. The table comprises five primary columns: X, Y, Z, O (OR) and O (AND). The rows present the probability values.

The right bow of the Bow-Tie indicates all possible consequences of the top event and describes an event tree. Event tree analysis begins with an initiating event and ends in several consequences. The minor and major consequences of ETA can be classified according to the magnitude of their effect on person, property or environment. Whether a consequence is minor or major depends upon the success or failure of the safety barriers installed in the system of the event tree. For example, during the course of drilling operations, the consequences can be safe operation, kick, blowout, kill well, shutdown, catastrophic effects etc. [5]. As per Fig. 2, turning on safety barriers 1, 2 and 3 results in consequence C1. Similarly, the consequence will be C2 if safety barrier 3 fails with SB1 and SB2 in the successful state.

The fault tree, event tree and top event together constitute a Bow-Tie model. Bow-tie diagrams are also used to define proactive barriers that limit the occurrence of an accident and reactive barriers that diminish the magnitude of its consequences. The oil and gas industry, specifically well control in the drilling industry, leans on robust, certified and tested well control barriers as a primary defense. Reactive barriers include the influx mitigation barrier, ignition prevention barrier, escalation prevention barrier, emergency management, and management and organization barrier, which assist in various escalated stages of a well control incident.

Even though Bow-Tie analysis is a powerful tool for determining the causes and effects of a hazard or an accident, it is largely limited to post-incident analysis or scholastic use rather than assisting in reactive or dynamic incident prevention or mitigation. The key characteristic that drives this is the static nature of its fault and event trees. Hence it is handicapped in defining probability density and in updating the conditional dependency of the risks of a process. Bayesian networks, or belief networks, overcome these limitations [6].

A BN represents the joint probability distribution of the variables in a system. It is a graphical system with both qualitative and quantitative parts, made up of nodes (variables) and the links connecting them. The qualitative part is a Directed Acyclic Graph (DAG) in which each node represents a system variable and the arrows show the relationships between nodes. The directed arcs connect pairs of nodes and illustrate a cause-effect relationship, as shown in Fig. 3. A node is called a parent node if there is a directed arc connecting it to another node, called the child node. Nodes that have no parent are known as root nodes, as shown in Fig. 4. The quantitative part is the conditional probability table (CPT) of each variable, which defines the probability density [7]. The probability of a child node is calculated from the probabilities of its parent nodes and the CPTs, following the well-known Bayes theorem of conditional probability.

Fig. 4 A Bayesian network model (Source 3: LPPI 50, p. 143). A tree diagram presents the following from top to bottom: three nodes A, B and C on the top, two nodes E and F in the middle, and one node H at the bottom. Beside the diagram, the labels read from top to bottom as root nodes, parent nodes, child nodes and leaf node.

In a typical Bayesian Network, the JPD (Joint Probability Distribution) of $X = \{A_1, \ldots, A_n\}$ is defined as shown by the equation:

$$P(X) = \prod_{i=1}^{n} P\left(A_i \mid Pa(A_i)\right) \tag{1}$$

where $Pa(A_i)$ is the parent set of $A_i$.

A BN makes it possible to update the prior probability of events when new information, called evidence E, becomes available, giving an updated probability called the posterior probability [8]. This is the conditional probability value obtained after taking into account the evidence from a process. The equation below gives the posterior probability of the variables:

$$P(X \mid E) = \frac{P(X, E)}{P(E)} = \frac{P(X, E)}{\sum_{X} P(X, E)} \tag{2}$$

These networks find application in human reliability analysis because the model can perform both forward (predictive) analysis and backward (diagnostic) analysis. Predictive modeling is done when probability values are defined a priori for the root nodes and calculated by inference for the other nodes. The diagnostic approach is when probability values of the nodes are calculated a posteriori, once observations become available.

Bayesian Networks can handle probability variables, represent the dependencies between them and update probability values over a period of time. These advantages make BN superior to classical risk analysis methods such as BT analysis, which are static in nature.
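The following added example (not from the paper) maps a small fault tree onto a Bayesian network: the OR and AND gates become deterministic CPTs, Eq. (1) gives the joint probability, and Eq. (2) gives both the predictive probability of the top event and the diagnostic posterior of each basic event. The tree shape (G = X OR Y, TOP = G AND Z) and the prior values are constructed assumptions.

```python
from itertools import product

# Constructed prior probabilities of the basic events (root nodes); not from the paper.
PRIORS = {"X": 0.02, "Y": 0.05, "Z": 0.10}

def or_gate(*inputs):
    return int(any(inputs))   # OR gate CPT: output high if any input is high

def and_gate(*inputs):
    return int(all(inputs))   # AND gate CPT: output high only if all inputs are high

# Hypothetical fault tree: intermediate event G = X OR Y, top event TOP = G AND Z.
NODES = ["X", "Y", "Z", "G", "TOP"]
PARENTS = {"G": ("X", "Y"), "TOP": ("G", "Z")}
GATES = {"G": or_gate, "TOP": and_gate}

def local_prob(node, state):
    """P(node | Pa(node)) for one full assignment: a single factor of Eq. (1)."""
    value = state[node]
    if node in PRIORS:                      # root node: use its prior
        prior = PRIORS[node]
        return prior if value else 1.0 - prior
    expected = GATES[node](*(state[parent] for parent in PARENTS[node]))
    return 1.0 if value == expected else 0.0  # deterministic gate CPT

def joint(state):
    """Eq. (1): product of the local conditional probabilities."""
    result = 1.0
    for node in NODES:
        result *= local_prob(node, state)
    return result

def probability(query, evidence=None):
    """Eq. (2): P(query | evidence), summing the joint over all consistent states."""
    evidence = evidence or {}
    numerator = denominator = 0.0
    for values in product((0, 1), repeat=len(NODES)):
        state = dict(zip(NODES, values))
        if any(state[k] != v for k, v in evidence.items()):
            continue
        p = joint(state)
        denominator += p
        if all(state[k] == v for k, v in query.items()):
            numerator += p
    if denominator == 0.0:
        raise ValueError("evidence has zero probability under the model")
    return numerator / denominator

if __name__ == "__main__":
    print("Predictive  P(TOP=1) =", round(probability({"TOP": 1}), 6))
    for root in PRIORS:
        posterior = probability({root: 1}, {"TOP": 1})
        print(f"Diagnostic  P({root}=1 | TOP=1) = {posterior:.4f}")
```

Observing the top event raises the belief in X from its prior of 0.02 to about 0.29 and makes Z certain, which is the kind of update a static fault tree cannot express.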

7 Conclusion and Future Scope

This paper presents an overview of drilling and its associated risks. Major risk assessment management systems and the methods or strategies implemented to assess risks are also discussed. A Bow-Tie model illustrating the cause-effect relationship of a top event can be mapped into a Bayesian Network, a graphical network over a set of variables. The occurrence probability of an event in a harsh environment (a drilling operation) can be predicted by monitoring the condition of data parameters in a process and their dependent relationships from process-specific data. Data-driven risk assessment methodology provides an efficient approach for predicting the dynamic system risk profile of a drilling operation or its associated processes. The time-dependent risk profile generated by this methodology can be used to activate safety measures whenever the predicted risk exceeds the acceptable level.