Modeling Blowouts During Drilling Using STAMP and STPA
The focus of this master thesis has been on modeling the risk of blowouts during drilling using System-Theoretic Accident Model and Processes (STAMP) and System-Theoretic Process Analysis (STPA). The world and technology are changing, but these changes are not reflected in our safety engineering approaches. Many of the basic assumptions of traditional techniques no longer hold for the complex, high-technology systems being built today. STAMP is a new accident model based on systems theory rather than on reliability theory. The STAMP model is based on three concepts - safety constraints, hierarchical safety control structures, and process models - together with concepts from systems theory. Systems are considered as interrelated components kept in a state of dynamic balance by feedback control loops. They are treated as dynamic processes that are continually adjusting to achieve their ends and to respond to internal changes, as well as to changes in their environment.

STPA is a hazard analysis technique based on the STAMP model. It assumes that accidents are caused by inadequate enforcement of constraints on component behavior, rather than only by component failures. Accidents in complex systems are often caused by unsafe interactions between components that have not failed. STPA covers both component failure accidents and component interaction accidents, and may find more causes of hazards than the older techniques. The first step in STPA is to identify the unsafe control actions that can lead to hazards. The second step is to identify the potential causes of each unsafe control action.

The process of safely extracting hydrocarbons from a reservoir can be divided into three steps. The first step is drilling, where the hole is drilled and reinforced from the sea floor down through the trap layers and into the reservoir zone. The second step is completion, which begins by opening the well bore so that hydrocarbons can flow into it.
The final step is production, in which the hydrocarbons are extracted from the well. Flow from the formation into the well during drilling operations is normally referred to as a kick. If a kick is not controlled, it may result in a blowout. Six well kick indicators have to be monitored during drilling: (1) drilling breaks, (2) increase in flow rate, (3) increase in pit volume, (4) variation in pump speed and pump pressure, (5) well flowing during connection, and (6) change of drilling fluid properties.

The STPA model has its basis in the well kick indicators, where a drilling break is the first indication of a well kick. When a drilling break is detected, the other five indicators have to be monitored closely to determine whether a well kick is occurring or not. The sensors send information about the parameters to the control panel, where the driller and mud logger monitor the process. If some of the parameters are outside given limits, the pump is stopped to stabilize the process. If the well condition does not change, the blowout preventer (BOP) is closed to regain control of the situation. Many of the identified errors are the same for several of the different control actions. Among others, they include "inflow of mud does not stop when provided", "change in one of the control actions is discovered too late" and "misinformation about one of the parameters".

Developing an STPA model involves a great amount of work. In order to utilize the method, one has to be familiar with the operation and the organization. The organization has to be known in order to obtain a realistic hierarchical control structure, and a control structure in which the safety constraints on all controllers are identified. If one is unfamiliar with the actual system, some inadequate control actions might be overlooked. The STPA model is suitable for analysis of well kicks during a drilling operation.
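The control loop described above, written out as an added Python example (this is not the thesis's model; the baseline values, limits, sensor trace and the two-sample deadline are all constructed for illustration). The driller and mud logger are modelled as one STPA controller whose process model is updated from sensor feedback: a drilling break arms close monitoring of the other five indicators, the first out-of-limit reading stops the pump, and a second one closes the BOP. The `classify_control` function then asks the STPA step-1 question of the resulting trace: was the control action provided in time, too late, or not at all? Freezing the flow and pit-volume sensors for a few samples reproduces the "misinformation about one of the parameters" and "discovered too late" causes listed in the abstract, and shows how a controller with a wrong process model fails to act even though no component in the loop has failed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Reading:
    """One sample of the rig sensors (constructed values, not field data)."""
    t: int
    rop: float              # rate of penetration, m/h
    flow_out: float         # return flow, L/min
    pit_volume: float       # active pit volume, m3
    pump_pressure: float    # standpipe pressure, bar
    flow_on_connection: bool
    mud_density: float      # kg/m3


@dataclass
class DrillerController:
    """Driller/mud logger as an STPA controller: a process model (the flags
    below) updated from sensor feedback, issuing the two control actions."""
    base: Reading                       # expected values while drilling normally
    drilling_break: bool = False
    pump_stopped: bool = False
    bop_closed: bool = False
    actions: List[Tuple[int, str, List[str]]] = field(default_factory=list)

    def kick_indicators(self, r: Reading) -> List[str]:
        """Indicators (2)-(6) against the baseline; the limits are constructed."""
        b = self.base
        checks = {
            "increase in flow rate": r.flow_out > 1.10 * b.flow_out,
            "increase in pit volume": r.pit_volume > b.pit_volume + 1.0,
            # pump pressure only says something while the pump is running
            "pump speed/pressure variation": (not self.pump_stopped and
                abs(r.pump_pressure - b.pump_pressure) > 0.05 * b.pump_pressure),
            "well flowing during connection": r.flow_on_connection,
            "change of drilling fluid properties":
                abs(r.mud_density - b.mud_density) > 0.02 * b.mud_density,
        }
        return [name for name, hit in checks.items() if hit]

    def step(self, r: Reading) -> Optional[str]:
        """Process one sample and return the control action issued, if any."""
        if not self.drilling_break and r.rop > 1.5 * self.base.rop:
            self.drilling_break = True      # (1) first indication: watch the rest
        if not self.drilling_break or self.bop_closed:
            return None
        hits = self.kick_indicators(r)
        if not hits:
            return None
        if not self.pump_stopped:
            self.pump_stopped = True        # parameters out of limits: stop pump
            self.actions.append((r.t, "stop pump", hits))
            return "stop pump"
        self.bop_closed = True              # condition unchanged: close the BOP
        self.actions.append((r.t, "close BOP", hits))
        return "close BOP"


BASE = Reading(t=0, rop=10.0, flow_out=2000.0, pit_volume=50.0,
               pump_pressure=200.0, flow_on_connection=False, mud_density=1500.0)


def kick_scenario(sensor_lag: int = 0) -> List[Reading]:
    """Constructed trace: drilling break at t=1, kick reaches the surface at t=2.
    sensor_lag > 0 freezes the flow and pit readings at baseline for that many
    samples, i.e. misinformation about the parameters."""
    readings = []
    for t in range(8):
        kick = t >= 2
        stale = kick and t < 2 + sensor_lag
        readings.append(Reading(
            t=t, rop=20.0 if t >= 1 else 10.0,
            flow_out=2300.0 if kick and not stale else 2000.0,
            pit_volume=50.0 + 1.5 * (t - 1) if kick and not stale else 50.0,
            pump_pressure=200.0, flow_on_connection=False, mud_density=1500.0))
    return readings


def run(controller: DrillerController, readings: List[Reading]):
    """Feed the trace to the controller and return its (t, action, hits) log."""
    for r in readings:
        controller.step(r)
    return controller.actions


def classify_control(actions, action_name: str, kick_onset: int, deadline: int) -> str:
    """STPA step 1 applied to a trace: was the action provided, and in time?"""
    times = [t for t, name, _ in actions if name == action_name]
    if not times:
        return "not provided"
    if times[0] > kick_onset + deadline:
        return "provided too late"
    return "provided in time"


if __name__ == "__main__":
    for lag in (0, 3, 10):
        trace = run(DrillerController(BASE), kick_scenario(sensor_lag=lag))
        print(lag, trace, classify_control(trace, "stop pump", 2, 2))
```

With correct sensors the pump is stopped at t=2 and the BOP closed at t=3; with the flow and pit readings frozen for three samples the same controller stops the pump only at t=5, which `classify_control` reports as "provided too late", and with the readings frozen for the whole trace no action is issued at all. In an STPA control structure the second and third runs are the cases to look for: the driller's process model no longer matches the well, so the safety constraint is not enforced although every component did what it was built to do.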
This approach is effective for understanding why accidents happen, so that sufficient improvement measures can be implemented to prevent future accidents. A good basis for quantification of human error, together with organizational factors, is to use the Human Error Assessment and Reduction Technique (HEART), which defines generic task types with their associated nominal error probabilities. The activities in the control loops are then matched to the generic tasks listed in HEART. Based on the probabilities given by HEART, an event tree analysis can be used to model and analyze different accident scenarios for a drilling operation.
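An added Python example of the quantification step described above (not the thesis's own numbers or code). In HEART the assessed human error probability is the nominal probability of the generic task type the activity was matched to, multiplied, for every error-producing condition (EPC) judged to apply, by the factor ((maximum effect - 1) * assessed proportion of effect + 1). The resulting probabilities for the control-loop activities are then used as branch probabilities in an event tree with three barriers against a kick: detection by the driller and mud logger, shut-in of the well (stopping the pump and closing the BOP), and the BOP hardware itself. The nominal probabilities, EPC multipliers, proportions, kick frequency and BOP failure probability in the block are placeholders chosen for illustration, not values taken from the HEART tables or from the thesis.

```python
from typing import Dict, List, Tuple


def heart_hep(nominal: float, epcs: List[Tuple[float, float]]) -> float:
    """HEART assessed human error probability for one activity.

    nominal: nominal error probability of the generic task type the activity
             was matched to.
    epcs:    (maximum effect, assessed proportion of effect) for every
             error-producing condition judged to apply; proportion in [0, 1].
    Each EPC scales the running value by ((max_effect - 1) * proportion + 1).
    """
    hep = nominal
    for max_effect, proportion in epcs:
        if not 0.0 <= proportion <= 1.0:
            raise ValueError("assessed proportion of effect must lie in [0, 1]")
        hep *= (max_effect - 1.0) * proportion + 1.0
    return min(hep, 1.0)   # the product can exceed 1; a probability cannot


def event_tree(p_initiating: float,
               barriers: List[Tuple[str, float]]) -> Dict[str, float]:
    """Event tree with barriers acting in sequence after the initiating event.

    barriers: (name, probability of failure on demand) in the order they act.
    The first barrier that fails ends the path in an uncontrolled outcome;
    if every barrier succeeds the kick is controlled.  The returned
    probabilities sum to p_initiating.
    """
    outcomes: Dict[str, float] = {}
    p_path = p_initiating
    for name, p_fail in barriers:
        outcomes[f"uncontrolled: {name} fails"] = p_path * p_fail
        p_path *= 1.0 - p_fail           # continue along the success branch
    outcomes["kick controlled"] = p_path
    return outcomes


def blowout_probability(outcomes: Dict[str, float]) -> float:
    """Sum of all uncontrolled end states of the tree."""
    return sum(p for name, p in outcomes.items() if name.startswith("uncontrolled"))


# --- constructed inputs (placeholders, not HEART table values) ---
# detection: driller/mud logger recognise the kick from the six indicators,
# with two EPCs applied (e.g. a shortage of time, and a distraction)
P_DETECT_FAIL = heart_hep(0.02, [(17.0, 0.2), (3.0, 0.5)])   # -> 0.168
# shut-in: stop the pump and close the BOP once the kick is recognised
P_SHUTIN_FAIL = heart_hep(0.003, [(11.0, 0.1)])              # -> 0.006
# BOP hardware failure on demand (equipment reliability, not a HEART task)
P_BOP_FAIL = 0.01
# constructed kick frequency per well
P_KICK = 0.05

BARRIERS = [
    ("kick detection", P_DETECT_FAIL),
    ("well shut-in", P_SHUTIN_FAIL),
    ("BOP", P_BOP_FAIL),
]


def kick_event_tree() -> Dict[str, float]:
    """Event tree for the constructed kick scenario."""
    return event_tree(P_KICK, BARRIERS)


if __name__ == "__main__":
    tree = kick_event_tree()
    for name, p in tree.items():
        print(f"{name:35s} {p:.6f}")
    print(f"{'total blowout probability':35s} {blowout_probability(tree):.6f}")
```

With these placeholder values the detection branch dominates: an undetected kick accounts for about 0.0084 of the 0.05 per-well kick probability, while the shut-in and BOP branches together contribute well under 0.001. That ordering is the useful output of the tree, because it tells the analyst which control-loop activity the HEART assessment should be refined for and which improvement measures from the STPA step would reduce the blowout probability most.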