implementation of compliance sampling using rbi parameters … · 2010-01-12 · 3. implementation...
TRANSCRIPT
Implementation of Compliance Sampling using RBI Parameters for Partial Equipment
Inspection
Peter VAN DE CAMP, Sieger TERPSTRA, Fred HOEVE, Agnieszka OSTROWSKA, Shell Global Solutions International, Amsterdam, The Netherlands
Abstract. It is quite common to inspect equipment where damage is not (yet) measurable. When only part of the equipment has been inspected, as is the case in many non-intrusive inspections, including pipework, it is difficult to determine how confident one can be that there is no damage. In statistical terms this is a compliance sampling problem. A statistical recipe is presented, based on a Bayesian scheme, to calculate the required area to be covered by inspection, aimed at detection (or proving the absence) of localized damage. The recipe is based on two input parameters: the risk of accepting equipment with a critical pit and the probability that a single pit has a critical depth. As these parameters are hard to estimate by an inspector in the field, it is shown how these can be derived from Risk Based Inspection parameters. Some examples will be given. Some issues and shortcomings with the way we have implemented this recipe will be discussed that will require further work.
1. Introduction
The presence of general (uniform) and localised (pitting) corrosion in static equipment, such as pressure vessels and piping systems, indicates ongoing degradation which may ultimately lead to a leak or rupture of the pressure envelope. Inspection is carried out to mitigate the risk of failure in such systems. Current practice is that often the vessels are opened and visually inspected from the inside. This requires significant preparation costs (isolation of the equipment, opening of equipment, cleaning) and only marginal inspection costs. Inspection can be the driver for the length of a shut-down and then directly result in significant costs related to lost production time. Moreover, opening a pressure vessel can lead to additional health, safety and environmental risks. The industry is therefore trying to reduce these intrusive inspections and move to non-intrusive inspections.
In order to accept that non-intrusive inspection techniques can be applied it is necessary to accept that 100% confidence in the asset integrity cannot be gained without 100% inspection. In the process industry practice it is often impossible and not necessary to inspect 100% of a structure and a sample inspection approach is chosen. In many cases where statistical methods are used to analyse the sample inspection data, the emphasis is on estimating parameters in a distribution (e.g. as applied in extreme value analysis). To determine required sample sizes, prior estimates of these parameters have to be given. There are many conditions in which no corrosion damage is expected to develop and the purpose of inspection is then to establish whether this is (still) the case. Hence, the purpose of an inspection can be translated into an acceptance sampling problem, where the whole system is either accepted (declared fit for purpose) or rejected (requiring further testing, maintenance, and replacement). For instance, it may be necessary to check whether the
4th European-American Workshop on Reliability of NDE - We.2.A.2
1
ww
w.ndt.net/index.php?id=
8316
proportion of defective units in a system is below a specified fraction. A special case is so called compliance sampling, where the stratum is rejected if any defective items are found in the sample. In this paper we will present the implementation of a compliance sampling scheme when inspecting for localized corrosion.
2. Description of Compliance Sampling Recipe
In this compliance sampling recipe, we will determine the required inspection coverage (e.g. as a percentage of total equipment area) to determine with a certain degree of confidence, whether or not the entire equipment contains critical pits. It is assumed that the entire equipment is equally susceptible to pitting. If that is not the case, the equipment can be split in strata where this criterion will be fulfilled.
Here are the steps required to go through a compliance sampling process: 1. Define a “pit” and a “critical pit”. The definition of a pit can be based on the detection
threshold of the technique, to avoid the inclusion of non-corrosion related indications, e.g. anything deeper than 1.5 mm. The definition of a critical pit can be based on certain fitness for service criteria. In its simplest case it may be anything deeper than the corrosion allowance, say 3 mm.
2. Define the acceptable risk, γ, of not rejecting a degraded system. A degraded system is a system that contains one or more critical pits. Another way to interpret this risk is that the value 1-γ is the confidence level of the statistical test.
3. Define the probability, ϕ, that a single pit has a critical depth. This value ϕ can also be regarded as the expected proportion of pits that will be critical.
4. Calculate the required coverage, C, from equation (1) and inspect this area. In order to check the uniformity of corrosion, it is recommended to inspect several smaller regions of the surface area with a total coverage C.
5. If no pits are found in Area C, than we can say with confidence (1-γ) that the entire area S of the equipment does not contain critical pits. However, if pits are found, we have to reject the hypothesis that the equipment is not degraded. More inspection is required to assess equipment integrity.
The equation for the required coverage C, then becomes: 1
)1ln()1ln()1ln(ln
)1ln(ln)1ln(11
−
−+−−
⎥⎦
⎤⎢⎣
⎡−
−−≅−>
φγγφγ
φγ
eC (1)
The mathematical derivation of this equation is presented in Appendix 1. The main steps to arrive at this equation are: 1. Assume an equipment with total surface area S and we have inspected part of it with
area T (i.e. C=T/S) and no pits are found in this area. 2. As in many reliability studies, we assume pitting is a Poisson process with an unknown
rate, λ, an expression can be derived to calculate the prior probability of finding k pits in a certain area T.
3. In a Bayesian way, we can then derive the posterior expression for the probability of exactly k pits in equipment area S given that an inspection of T showed no pits.
4. Using the probability, ϕ that a single pit is critical, an expression is derived for the risk that a structure S with exactly k pits contains a critical pit (given that an inspection of T showed no pits).
5. The expected average risk, γ, that a critical pit is present in S is calculated by taking the sum from k=0 to infinite and it depends on C and ϕ only. This expression can be rearranged into a requirement for C depending on ϕ and γ.
6. The required coverage C in equation 1 is even more conservative in the sense that it is
2
not based on the expected risk, but instead on a 100(1-γ)% upper-bound of the posterior distribution over k.
In figure 1 the required coverage is presented as function of γ and φ.
1.E-03
1.E-02
1.E-01
1.E+00
1.E-10 1.E-08 1.E-06 1.E-04 1.E-02 1.E+00
Area Coverage, C
Critical pit probability, φ
g = 1E-1g = 1E-2g = 1E-3g = 1E-4g = 1E-5
Figure 1, Area coverage as function of critical pit probability for different risk levels (10-5 - 10-1)
As an example, for a critical pit probability of 1/1000 and a risk of 1/100 (i.e. 99% confidence), the required inspection coverage is 31% of the total area. The figure indicates that critical pit probabilities have to be low in order to achieve a low area coverage requirement.
When trying to implement this recipe in practice by inspectors in the field, several issues were raised: • The definition of a pit seems rather arbitrarily. It can be increased to avoid detecting
pits. • Trying to give an estimate for the probability that a pit is critical is difficult for
inspectors and/or corrosion engineers • The risk of missing a critical pit is also difficult to estimate. It may depend on the depth
of a critical pit but may also be determined by consequence of failure of the equipment.
3. Implementation via RBI Parameters
We have addressed these issues by linking the compliance sampling parameters to a semi-quantitative risk based inspection framework as used in Shell, called S-RBI. Besides well-known parameters such as probability of failure, consequence of failure, and corrosion rate it also has a parameter called “Confidence Rating”.
This factor is an indicator for the confidence in forecasting the degradation. Aspects such as stability and control of the degradation mechanism, availability and reliability of inspection data and ability to monitor relevant process parameters are assessed to determine confidence rating. In the statistical framework of S-RBI the confidence rating and corrosion rate are used to model the corrosion rate distribution, see figure 2. These two inputs are sufficient to model
3
two parameter distribution functions such as the normal, lognormal and gamma distribution.
0
0.5
1
1.5
2
2.5
0 0.5 1 1.5 2 2.5 3
CR(x)/CRs
LMH
Figure 2, Gamma Probability Distribution Function (PDF) of the corrosion rate for different confidence rate values (L,M,H). The corrosion rate CR(x) is normalised to the S-RBI selected corrosion rate, CRs.
When pit and critical pit sizes are established, the probability of a critical pit can be calculated from the distribution as the ratio between occurrences of these sizes, see figure 3.
PitCritical Pit
Defect depth
CA
PitCritical Pit
Defect depth
CA
Figure 3, Defect depth distribution where the number of critical pits is represented by the dark grey area and number of pits by the dark/light grey area under the curve. Pit and Critical pit depth are smaller than the
allowable depth or corrosion allowance, CA.
The acceptable risk, γ, or more precise the probability of not rejecting a degraded system is linked to the RBI parameter Consequence of Failure (CoF). Values are chosen with a factor of 10 difference and decreasing with increasing CoF values. As these CoF values also differ by a factor of 10, the residual risk after sampling inspection (which is γ*CoF) remains constant.
4
The size of a critical pit is derived from the expected corrosion rate and inspection-planning scenario, which can be visualised by setting up a remnant life plot, see figure 4. At the time of inspection, Tinspect, we should identify any damage that is beyond the minimum wall thickness now or could grow to that level before the next inspection at Tfuture (indicated by the red circle) assuming a constant rate in time. The corrosion rate associated with the critical depth is indicated by the blue line in the graph.
WTnom
WTmin
TInspect
TimeTRL
CR
TFuture
WT
TLast
“Critical” defect depth
Not acceptableat inspection
WTnom
WTmin
TInspect
Time
WT
TRL
CR
“Critical” defect depth
TFuture
Not acceptableat inspection
TLast
Figure 4, Graphical representation of critical defect depth in relation to current and future inspection time.
The size of a “pit” can now be determined by choosing a value that is well below the critical depth, has a high enough POD value for the NDT technique that is selected. In other words, the size of a critical pit defines requirements for the detection threshold of the NDT techniques. Whether a certain POD is high enough depends on the number of pits expected if the degradation mechanism is active, as explained in the overview paper of S. Terpstra [1].
At the time of inspection, pit size and critical defect depth have corresponding corrosion rates. The probability of a critical pit can therefore be calculated with the corrosion rate cumulative distribution (as illustrated in figure 3):
)(1
)(1
pit
pitcrticial
CRCRCDFCRCRCDF
−
−=φ (2)
Here CRCDF(x) indicates the cumulative distribution function of the corrosion rate. The value 1-CRCDF(x) therefore represents the probability that the corrosion rate exceeds the value x.
In summary we have now embedded the compliance sampling recipe in our S-RBI framework by: 1. Modelling a corrosion rate distribution from the estimated corrosion rate and
confidence rating, 2. Defining an acceptable risk of not rejecting a degraded system that depends on
Consequence of Failure, 3. Establishing critical pit size from allowable defect depth and inspection planning
information, 4. Choosing a pit size well below critical depth and with sufficiently high POD. 5. Calculating probability of a critical pit from the modelled corrosion rate distribution.
5
The compliance sampling recipe is incorporated in our software package called S-IDAP; Shell Inspection Design, Analysis and Plotting, see our other paper for more information [2]. It will get all the necessary RBI information to model corrosion rate distributions and can perform the complicated calculations given above.
3.1 Practical Example
The typical behaviour of the required sampling coverage as function of time is illustrated in the following example. Let’s assume a corrosion rate that follows a gamma distribution. Main advantage of using gamma over the well-known normal distribution is that it assigns zero probability to corrosion rates smaller or equal to 0, i.e. only metal loss is possible.
We will calculate the required coverage, C at Tinsp and assume that the next inspection takes place at 2* Tinsp , i.e. critical pit depth is equal to 0.5*(WTnom-WTmin). Tinsp is then varied between 0.05 and 0.4 of the remnant life (Remnant Life=RL=(WTnom-WTmin)/CRs). In this example a zero detection threshold is used, i.e. all defects will be detected. Critical pit probability can now be calculated with equation 2 for a certain value of the Confidence Rating. At a given Consequence of Failure we can then calculate inspection area coverage for different confidence ratings, see Figure 5. Corrosion rate is not an input anymore as we have normalized time by Remnant Life. It shows that area coverage remains very low until a certain time but increases very rapidly hereafter. For example, with Confidence Rating = High and CoF=High, Figure 5 shows that around 0.25*RL, the area coverage requirement increases rapidly.
0%
20%
40%
60%
80%
100%
0 0.1 0.2 0.3 0.4
Time/RL
Insp
ectio
n A
rea
Cov
erag
e
LMH
Figure 5, Inspection Area Coverage for different Confidence Ratings and with CoF=High
Some salient aspects of this example are: • Figure 5 shows that sampling inspection is only effective early in the life of equipment
as also highlighted in the overview paper of S. Terpstra (Ref. 1). It should be noted that the time at which 100% inspection is required is always before the required inspection due date as calculated by the RBI system. However, this calculated inspection interval is usually “capped” to a certain maximum value because of statutory or company
6
policies. Hence a sampling inspection would be useful in such a case. • It also shows that sampling inspections become more effective for high confidence
ratings. This agrees with inspector’s intuition that when a good understanding of degradation mechanism and rate through multiple reliable inspections is achieved, sampling inspection may be justified. This may seem to contradict the previous point but it should be noted that the remnant life cycle is effectively “reset” after a thorough (i.e. 100%) inspection.
• An unrealistic zero detection threshold has been used but from additional calculations it can be shown that actually coverage is not very sensitive to the selected definition of a pit provided it is not too close to the critical pit depth. In this case it meant that for values up to 0.3*(WTnom-WTmin) there was no significant difference. Again it is referred to the overview paper of S. Terpstra [1] for a more thorough review
of implications and limitations of a compliance sampling approach.
4. Current Issues for Improvement
While working with this recipe a number of issues became apparent that require further development work: • The recipe is very conservative in the sense that it is already valid when there is only
one critical pit in the system. If it were likely that the corrosion mechanism, when active, would result in numerous critical pits the required area coverage would be a lot smaller. There should be a way to incorporate this knowledge, possibly as an additional parameter, in the recipe. S.P. Kuniewski who worked on this subject with Shell support, provides some insights on how to achieve this [3]
• The population of detectable pits is estimated by 1-CRCDF(CRpit), see equation 2. However, the corrosion rate distribution as used in our approach is the distribution of the maximum corrosion rate and does not represent the whole population. This is especially clear for the higher confidence ratings as can be seen from Figure 2. Therefore 1-CRCDF(CRpit) is not a true representation of the population of detectable defects. This is also addressed in the paper of Kuniewski [3].
• The statistical confidence level in our implementation model is now simply related to the Consequence of Failure, which is conservative if the critical pit size is not related to failure but an intermediate depth level, such as a corrosion allowance or a fitness for purpose based minimum thickness. More work is required to relate the chosen value of critical pit depth to the confidence level in order to get a better estimate of residual risk after inspection.
• When compliance sampling fails, i.e. when pits are found in the inspected area, one should be able to move to estimation sampling using extreme value theory. It is necessary to come to an approach where compliance and estimation sampling are integrated in a seamless way. The ability to calculate a distribution of both the maximum and detectable defects population will be a crucial element.
6. Conclusions
A statistical recipe is presented, based on a Bayesian scheme, to calculate the required area to be covered by compliance sampling inspection, aimed at detection (or proving the absence) of localized damage. The required input parameters are the probability that a pit is critical and the acceptable risk of not rejecting a degraded system.
7
As these input parameters are difficult to estimate by practitioners in the field, a framework has been developed to help determine these from RBI parameters. In this way more objective input parameters are obtained which will ensure more consistent use of the recipe and will make its results easier to accept by users and legislators. However, accurate sampling predictions require the input parameters for the recipe to be representative for the actual corrosion parameters and risk levels allowed; this leads to quite demanding functionality in the risk based inspection planning systems.
Acknowledgements
This recipe and its mathematical derivation was developed in 1995 by Shell Staff Mark van Pul, Cees den Heijer and Brian Twaddle.
References
[1] Use of Statistical Techniques for Sampling Inspection in the Oil and Gas Industry, S. Terpstra, 4th European-American Workshop on Reliability of NDE, Berlin, 24-26 June 2009. [2] Tools and methodologies for pipework inspection data analysis, P.B.J van de Camp, A.A. Hoeve and S. Terpstra, 4th European-American Workshop on Reliability of NDE, Berlin, 24-26 June 2009. [3] Sampling inspection for the evaluation of time-dependent reliability of deteriorating systems under imperfect defect detection, Sebastian P. Kuniewski, Johannes A.M. van der Weide and Jan M. van Noortwijk, Reliability Engineering & System Safety, Volume 94, Issue 9, September 2009, Pages 1480-1490. Shell disclaimer:
The companies in which Royal Dutch Shell plc directly and indirectly owns investments are separate entities. In this publication the expressions “Shell”, “Group” and “Shell Group” may sometimes be used for convenience where references are made to Group companies in general. Likewise, the words “we”, “us” and “our” are also used to refer to Group companies in general or those who work for them. These expressions are also used where there is no purpose in identifying specific companies.
8
Appendix 1, Mathematical derivation of inspection sample area coverage requirement
Suppose we have a structure (one stratum!) with total surface area S and suppose we have inspected part of it with surface area T. In this inspected region, no pits were detected; that is n(T)=0. In general, n(A) denotes the number of pits present in A. We assume that pitting is a Poisson process, that is for a (unknown) rate λ>0, we have a probability of
( ) ( ){ } ( )( )f A k A kA Ak
Pk
, Prexp
!= = =
−n
λ λ
to find k pits in the subset A of the structure S. To obtain the required coverage C=T/S, we have to define a value γ for the acceptable (un)reliability of the whole structure, that is the probability that there are critical pits within S. We assume that a given pit is critical with probability φ. First we will derive an expression for the probability of exactly k pits in the structure S (given that an inspection of T showed no pits): ( ) ( ) ( ){ }g S k T n S k n T, ; Pr= = = | 0 . Let
( ) ( ){ } ( )h T n Te T
eT
T; Pr!
λ λ λλλ
λ= = = = =−
−00
0
|
and assuming a non-informative prior for λ we get: ( ) ( ){ }f T n T Tepost Tλ λ λ λ; Pr= = = − | = 0 . PROOF : Let ( ) { }f Lprior λ λ λ λ= = = < <−Pr , ,1 0 for L then
( ) ( ){ } ( ){ } { } ( )h n n d h ; f ( ) priorT T T TL L
= = = = = = =∫ ∫Pr Pr Pr0 00 0
λ λ λ λ λ λ λ λd
= = −⎡
⎣⎢⎢
⎤
⎦⎥⎥
=−− − −
− −
∫L e d L eT
eLT
TT L LTL
1 1
00
1λλ
λ .
Using that for events A and B Pr(A|B) = Pr(A) Pr(B|A) / Pr(B) we get:
9
( ) ( ){ } { } ( ){ }( ){ }
( ) ( )( )f T n T
n T
n Tf h T
h Tpost
prior
λ λ λ λ λλ λ λ λ
; Pr PrPr
Pr;
= = = = == =
== |
| 0
0
0
( )=−
=−
< <− −
−
−
−L ee LT
Tee
LT
LT
LT
LT
1
1 10
λλ, . for
Note that for L → ∞, fpost (λ;T) converges to: ( )f T Tepost Tλ λ; ,= − for 0λ .>
� END OF PROOF Using the fact that for integer k and real s:
λ λλk ske d k
s−
+
∞
=∫!1
0
,
we can now derive the probability of exactly k pits in S: ( ) ( ) ( ){ } ( ) ( ){ }g S k T n S k n T n S T k n T, ; Pr Pr= = = = − = = | | 0 0
( ){ } ( ){ }= − = = = =∞
∫Pr Prn S T k n T d | | λ λ λ λ λ00
( ) ( )( ) ( )( )
= − =−∞ − −∞
−∫ ∫f S T k h T de S T
kTe dp
S T kT, ; ;
!λ λ λ
λλ
λλ
0 0
( ) ( )=
−=
−= −⎛
⎝⎜⎞⎠⎟
−∞
+∫T S T
ke d
T S Tk
kS
TS
TS
kk S
k
k
k
! !! .λ λλ
01 1
Writing C=T/S for the coverage, the probability of exactly k pits in the structure (given that an inspection coverage of C showed no pits) becomes: g(k;C) = C(1-C)k, for 0<C≤1. Using that for 0<a<1:
( )
ka aa
k
k
=−=
∞
∑1 2
0
,
we get the following expression for the expected number of pits in S:
( ) ( ) ( ){ } ( ) ( ){ } ( )m S T n S n T k n S k n T kg S k Tk k
; Pr= = = = = ==
∞
=
∞
∑ ∑Ε | | 0 00 0
, :
( )
= −⎛⎝⎜
⎞⎠⎟
=−
=−
= −=
∞
∑TS
k TS
TS
T ST S
S TT
ST
k
k
1 1 10
2 .
Again, it can be seen that the expected number of pits in S only depends on the coverage C=T/S of
10
inspection (with no pits found): m(C) = C -1 - 1. If φ is the probability that a single pit is critical, the risk that a structure S with exactly k pits contains a critical one is given by: r(k, φ) = 1 - (1- φ)k . Hence, the expected risk that a critical pit is present in S, given that an inspection coverage of C showed no pits, can be expressed as:
( ){ } ( ) ( ) ( ){ } ( )( ) ( ) ( )( )Ε R C r k n S k n T C C CCk
k
k
k; , Prφ φ φφ
= = = = − − − = −− − −
=
∞
=
∞
∑ ∑0 0
0 1 1 1 11 1 1
| .
Finally, the required coverage (assuming no pits will be detected) to make this expected risk smaller than some level γ:
( )( )( )C >
−− − −
φ γφ γ
11 1 1
.
The required coverage given in recipe 3 is even more conservative in the sense that it is not based on the expected risk, but instead on a 100(1-γ)% upper-bound. Firstly, a 100(1 - γ)% upper-bound K for m(C), the number of pits in S, can be found by solving
( )γ γk Ck
K
; = −=
∑ 10
for K. As for 0<a<1:
a aa
kK
k
K
=−
−
+
=∑ 1
1
1
0
,
it follows from
, ( ) ( ) ( )1 1 1 1
00
− = = − = − − +
==∑∑γ g k C C C Ck K
k
K
k
K
; 1
that
( ) .11lnln
−−
=C
K γ
Hence,
11
( )Rupper K= − −1 1 φ
will denote a 100(1-γ)% upper-bound for the risk R(C, φ) and the required coverage (assuming no pits will be detected) to make the upper-bound smaller than some level γ, is given by:
1)1ln()1ln(
)1ln(ln
)1ln(ln)1ln(11
−
−+−−
⎥⎦
⎤⎢⎣
⎡−
−−≅−>
φγγφγ
φγ
eC
12