This week’s Pipeliners Podcast episode features Jill Watson discussing the nuclear industry and their safety management, including probabilistic risk analysis and fault tree analysis.

In this episode, you will learn about how PRA is different from other approaches as well as how fault tree analysis works and why it is important, and ways to manage those systems.

This episode is part one of a two-part series focused on probabilistic risk analysis with Jill.  

Probabilistic Risk Analysis Show Notes, Links, and Insider Terms:

• Jill Watson is the manager for Technical Safety and Risk division at Xodus Group in Houston. She has over 25+ years of experience in process safety and risk analyses in the oil & gas, energy, and industrial sectors. Growing up as a daughter of a nuclear engineer, she gravitated to the nuclear industry with an expertise in Probabilistic Risk Assessment (PRA). Jill holds an MS degree in Chemical Engineering from the University of Colorado at Boulder and BS degrees in Chemical Engineering, Chemistry, and Applied Mathematics from North Carolina State University. Connect with Jill on LinkedIn.
  • Xodus Group is a global energy consultancy, in which unites unique and diverse people to share knowledge, innovate and inspire change within the energy industry. 
• Nuclear power is the use of nuclear reactions to produce electricity. Nuclear power can be obtained from nuclear fission, nuclear decay and nuclear fusion reactions. 
• PRA (Probabilistic risk analysis) is a systematic and comprehensive methodology to evaluate risks associated with a complex engineered technological entity or the effects of stressors on the environment.
  • Risk in a PRA is defined as a feasible detrimental outcome of an activity or action.
• The Reactor Safety Study (WASH-1400) estimated the probabilities and consequences of a major nuclear power plant accident.
• Fault tree analysis (FTA) is a type of failure analysis in which an undesired state of a system is examined.
• Monte Carlo method is defined as a statistical analysis based on artificially recreating a chance process with random numbers, repeating the chance process many times, and directly estimating the values of important parameters.
• Risk Informed Decision Making (RIDM) is a method of dam safety evaluation that uses the likelihood of loading, system response given the loading, and consequences of failure to estimate risk
• Risk Achievement represents how much the probability of critical failure increases when a particular element fails.
• Fussell Vesely measures the overall percent contribution of cut sets. containing a basic event of interest to the total risk. 
• PPIM (Pipeline Pigging & Integrity Management Conference & Exhibition) the largest technical exhibition of its kind in the world, designed to provide a comprehensive introduction to all aspects of utility and in-line inspection pigging.

Probabilistic Risk Analysis Full Episode Transcript:

Russel Treat: Welcome to the “Pipeliners Podcast,” episode 275, sponsored by Gas Certification Institute, providing standard operating procedures, training, and software tools for custody transfer measurement and field operations professionals. Find out more about GCI at GasCertification.com.

Announcer: The Pipeliners Podcast, where professionals, Bubba geeks, and industry insiders share their knowledge and experience about technology, projects, and pipeline operations.

Now, your host, Russel Treat.

Russel: Thanks for listening to the Pipeliners Podcast. We appreciate that you’re taking the time. To show our appreciation, we give away a customized YETI tumbler to one listener every episode. This week, our winner is Trish McIntosh with Plains All American. Trish, your YETI is on its way. To learn how you can win this signature prize, stick around till the end of the episode.

This week on the podcast, Jill Watson from Xodus Group joins us to provide an introduction to probabilistic risk analysis. Jill, welcome to the Pipeliner’s Podcast.

Jill Watson: Thanks, Russel. Thank you for that welcome. It’s a pleasure to be here today.

Russel: I am so very glad to have you on. I had a listener reach out and said, “Hey, why don’t you do something on probabilistic risk analysis?” I said, “I love to. Who do you know?” That’s how we got connected. 

Jill: That’s a great story.

Russel: Tell us, if you would, a little bit about yourself, your background, and what you do, how you got into being a probabilistic risk analyst.

Jill: Sure. I am the manager of the Technical Safety and Integrity Risk group at Xodus Group here in Houston. I’ve worked in the field of safety engineering and risk for the better part of 25 years, but I do have to say my early roots were based on my father.

My father is a nuclear engineer and a nuclear physicist. I really didn’t have an opportunity, growing up, to be anything other than an engineer. I credit him a lot to at least my background and what I’m doing now.

In addition to working in risk and safety, I did spend about 20 years working in the nuclear industry, on commercial nuclear power plants. Part of what I did do was I was a probabilistic risk assessment engineer. That is where I gained this expertise, coming straight out of the nuclear industry.

Russel: Interesting. This is a podcast for pipeliners. How is the nuclear industry unique in terms of how it approaches safety management.

Jill: I think they have a lot more on their shoulders, to be perfectly honest. They have a lot to prove as well. Obviously, in the nuclear industry, we want a lot of controls, but the nuclear industry has done some interesting things going forward.

They are big advocates of this probabilistic risk assessment, but what they’re starting to do now, from the regulatory standpoint, is move everything to more of a risk informed decision making. That’s a different approach to regulatory requirements.

In general, we’re used to being regulated by “You have to meet this requirement.” When you open the door and allow an operator to take the wheel himself and then use, again, say this probabilistic risk model to make better decisions, I see this as something that’s going to be emerging for lots of regulators going forward.

Russel: There’s certainly a lot of interest. I think what I would say about nuclear – and I don’t know a lot about it – what I would say is from inception, there’s been a great deal of concern about never, ever, ever having an event. Trying to manage to a zero outcome without any experience around those kinds of outcomes is a very unique challenge.

Jill: I would agree. Obviously, we’ve had incidents already. We have some black marks on some of the things we did early on. Of course, the good news is we always learn from our lessons.

Russel: I guess probabilistic risk analysis comes out of the nuclear industry and some of the learnings. Can you talk to us a little bit about what some of those key events are and how probabilistic risk analysis came out of that?

Jill: Yeah. Actually, you spoke to it earlier. PRA, probabilistic risk assessment, is an evolution that occurred. Early in the ’70s, one of the things that the nuclear industry wanted to do was they wanted to demonstrate to the public that a nuclear reactor, any catastrophic events that occurred with that, would be in line with some of the other natural disasters and what have you.

What the regulatory safety administration did was they commissioned a reactor safety study. That was in 1972. The purpose of this was just to do that, was to evaluate the risk to the general public from the potential losses from a nuclear reactor plant.

With that study, they did some unique things. It was the ’70s, but what they had to do was they had to leverage the computers. They used computers back in the ’70s. It was very novel. There were a lot of computational analyses that had to do. They leveraged computers. They also leveraged a new methodology. That is the fault tree analysis. That is what we currently use in the PRA space.

Also, they collected information from all of the industry. They were very data centric and forward looking in looking for more creative ways to demonstrate that they were safe to operate.

Russel: You used a term. I want to ask you to unpack that. Fault tree analysis. What is fault tree analysis? How is it that that lends itself to a computational approach?

Jill: What it is is it is a numerical method. What it does is it starts at the top, where you have a top event. That top event, in nuclear space, is core damage. That’s what we’re looking to avoid. What we’re doing is we’re looking for all of those things that can happen that would result in a reactor core damage.

In the pipeline industry, that top event would probably be maintaining your pressure boundary, so you’re not looking for your pipeline to break. What happened was, originally, all of the methods for confirming the safety of your system were based on “Here is a design basis accident. Go and make sure that you’re OK and that you’ve got all the measures in place to meet this kind of an event.”

How PRA flipped the script was they’re looking at it from a different side. They are trying to start maybe from the smaller systems and say, “I have this system. What happens if this system fails? How does that chain go all the way up?” It’s a backwards look, from what was being done earlier and before.

Russel: It’s bottom up versus top down.

Jill: Fault tree is actually top down, but when you look at it from the event tree, you’re right. You come from the bottom up.

Russel: So those support one another, I guess.

Jill: Yeah, exactly. I guess the reason why this happened was, again, going back to the reactor safety study that they did in the 1970s. They had little glitches with the outcome. One of the big finds was that they used this fault tree analysis. They got a wealth of information because the fault tree generates every unique scenario that could possibly happen.

They ended up with this wealth of information in these cut sets. That’s really what the impetus was going forward. They had all this new data. They had all these insights.

Russel: It’s interesting too. I think one of the things the nuclear industry has done well is collaborate around these kinds of models. There’s less concern about the uniqueness of my facility versus common understanding of the fault tree and the things that can happen and so forth.

Jill: Actually, in the nuclear industry, we do a lot of things that are very collaborative. In fact, when we do have a risk model, we bring our neighboring operators in. They sit down with us. They go through and vet our model. In the same way, we would reciprocate and go and look at their model. We are very collaborative.

Russel: The airline industry does that well. The nuke power industry does that well. I think there’s a lot of room for us in pipelines to improve that. Not that that doesn’t happen. It does, but there’s room to improve it.

I’m notionally familiar with risk analysis and various kinds of risk approaches. How is probabilistic risk analysis unique or different from other kinds of approaches?

Jill: There’s a lot of reasons why. I think, in general, when you talk about probabilistic risk assessment, people latch on to the probabilistic part of it. When you do a calculation, you can do something, and it’s deterministic. I say, “Your pressure is 120. The pipe diameter is five.” You run the calculation. You get a number.

In probabilistic space, we recognize that when we’re doing things like predicting failures, that there’s a lot of uncertainty in those numbers, primarily because of a lot of these events, we don’t get to observe them very often. Oftentimes, we are predicting events that we’ve never seen before. We call these rare events.

If it was something very frequently, like how often does the traffic light fail, we would have better numbers. We could predict the failures. Again, in nuclear space, we haven’t had a lot of opportunities. Again, the PRA became that venue that enabled us to look at these risks and still come out with these insights without having to go through all the effort of having those failures.

Russel: I know I’m pausing here for a second because I’m processing what you’re saying. To me, this gets really deep, really fast. Is it necessary, in order to do probabilistic risk analysis, to have all of the possible failure scenarios defined?

Jill: Yes. Right. There is a process of doing it. Again, we’ve collaborated. The process, in and of itself, allows you to predict events that have never occurred because we’re working through…When we talk about the event tree, you go, “Did it rain today? No/yes. Did I have my galoshes today? No/yes. Did I have my raincoat?”

You can see I’ve already generated six or seven scenarios for me going out in the rain. That’s what this is. Not all of these events would ever come to fruition, but we can postulate them. I think that’s, again, what’s required because we don’t have the opportunity to observe a bunch of events.

Russel: In the pipeline pace, this is like doing a comprehensive hazard analysis, but not stopping there, taking that and using that as a basis to build a risk model.

Jill: Exactly. That’s a good analogy.

Russel: That’s amazing I got there. Maybe I am following this conversation. I was beginning to wonder. The thing I know about, when you talk about the nuke power, the same thing is true in pipelining. We do occasionally have incidents.

We mine those for all the information we can learn from them, but they’re still rare in the context of the amount of pipelines we have and the amount of fluids that we move. How do you create this system for managing all these things, these outcomes, that are both very unique and very rare? You’re talking about that already, but if I were starting, how would I start?

Jill: First of all, you need your data. Then you’re looking for initiating events. This is anything that could upset your steady state operation per se. It could be third party damage. It could be an airplane crashing on your site. It could be overpressurization. It could be a corrosion defect.

The PRA model has the ability to aggregate all of those different threats and the associated risks with them as well and also take into account the mitigating system. If we look at a corrosion defect on a pipeline, yes, you’ve got your cathodic protection. What is the reliability of your cathodic protection system?

Then there’s often times where you turn it off right. There’s times when it wasn’t working there. It’s really digging deep into how you go about operating these things. Then that allows you to see flaws or weaknesses in the way your assets either managed or operated.

Russel: Would it be true to say that if I’m doing a good job of this and I’m building my fault tree, that those fault trees become quite large?

Jill: Absolutely. I can remember, early in my days, doing PRA in the nuclear space. We would have to put the run on, on Friday afternoon. We’d come in on Sunday morning to see if our results were done. That wasn’t that long ago.

Russel: I remember doing things like that early in my career too. That’s why I’m laughing. Computers are certainly faster and more capable now, but we’re throwing more data at them to crunch too.

Jill: I guess, when we looked back, but the other thing was to look forward. Also, what we’re seeing now is we’re in this age of digital transformation and digitization, digitalization. We’re wanting to apply it to our engineered systems.

The PRA, I call it the brain. You’ve done all of this work. Like I said, you have found every scenario. You’ve found all these threats. You know the systems that work and all that kind of stuff.

You have a lot of knowledge in the PRA that really becomes your brain of your digital twin. Because the digital twin is supposed to tell you, supposed to represent, your operations at any point in time. I think the PRA is a good step towards that direction.

Russel: That’s a fascinating concept. I’ve never heard that before. That’s new to me. The idea of having a very detailed fault matrix and understanding my current operating state by where I stand within that fault matrix, how I’m operating, the nature of the operations that are occurring, etc., that’s really interesting.

I’m positing this. I don’t know if it’s true. That could get down to very simple things, like did we do our daily job review, did everybody show up to work with all their proper PPE, those kinds of seemingly small but potentially leading indicators to bigger problems. Again, am I tracking?

Jill: It does, to some degree. In the nuclear space, we do not bring in so much of the program level stuff. The assumption is that you are maintaining your programs. One of the things you can do in a PRA model is…

Everything is quantifiable. If you put in a tag – you want to just say, “Over on this line right here, we missed our inspections three times this year” – it’s almost like putting a little sticky-note on that line. Then you run your model through it. That sticky-note will stay there.

When you’re looking at your results and if you see something that’s significant and you see that sticky-note on there, you might want to say, “Oh my gosh. We need to go do this, because, look, they’ve been dropping the ball over here.” That’s the other thing that the PRA model does. It gives you a lot of flexibility to make decisions and add content that really drives solutions for you.

Russel: So it’s not just about understanding your risk. It’s also about understanding your mitigations.

Jill: It is. You asked the question about what set PRA apart. I just spoke to because it’s a probabilistic solution. With that comes the uncertainty. In our model, because everything is probabilistic, every input has an error factor, and it’s different.

At the end, you can run the whole model and then run a Monte Carlo using your uncertainty. That gives you confidence that your model is well formatted and the mean is statistically distributed properly.

The other thing, the outcomes, we mentioned that there’s all these cut sets. When you have this kind of a model, the model also can calculate what they call risk importance measures. These are metrics that can be used during risk informed decision making. There’s some funny ways to look at it.

One of them is called the risk achievement worth. What it would be is…Like I mentioned, you go out. I’m going out. I’m walking in the rain. I’ve got my umbrella, my jacket, and my galoshes. I want to know, if I leave one thing behind, how wet am I going to get? How much more wet am I going to get if I just go with my galoshes and my umbrella?

Then there’s another one. It’s the Fussell Vesely, but I call it the yearbook kid. When I was in high school, senior year, this one kid showed up in all the yearbook pictures. We don’t know what he did there. The yearbook kid, this Fussell Vesely, is something that shows up in all these cut sets, all these risk and failure cut sets. You don’t know why it’s there.

What that tells you is you need to go find out why it’s here and confirm that it’s right to be there. Or, if it’s not, then maybe you want to look at that action because it’s so pervasive in your system.

Russel: Obviously, this podcast is for pipeliners. Are you aware of anybody taking this probabilistic risk analysis approach in the pipeline space?

Jill: I am, yes.

Russel: How are they using it? How is that unique or different to what we’ve been talking about so far?

Jill: I’m not sure I can speak to all of the solutions. I guess the one thing that I have heard that gave me maybe a little bit of a concern was the DNV. I believe that they have an approach where the mean distribution would be, say, your 50 percent, but when they have a lack of confidence in their data they change that and use a P90 on that.

Again, if you went with a probabilistic risk model, you wouldn’t necessarily have to do that. I feel like they’re like, “We don’t know enough here, so we’re automatically going to say it’s bad.” I don’t think that’s the intent, certainly not the intent in a probabilistic risk model, where it’s OK that you don’t have information.

We have several cases where we lack confidence in certain information. It just means, in your model, you don’t make decisions on that attribute because you don’t know enough about it.

Russel: This is one of those podcasts where you’re going faster than my brain can keep up.

That’s not a reflection on you. It’s much more a reflection on me. For every question I ask, I’m having like five more questions. I’m also a guy who likes to get hands-on with math. Sometimes the stuff is a little hard to visualize.

When I think about risk analysis in the pipelining space, most of that is done to help with the decision making about, “Well, here’s all the threats I found in my integrity management program. These are the ones I think I need to go take care of now.” It’s a way to allocate limited resources in the most effective way possible.

Jill: Agreed, yes.

Russel: What I’m hearing here, however, is it’s more of a way to understand the risk around the decisions you’re making. That’s different. Am I getting that right?

Jill: It’s the same concept. I think we’re getting more insights. If you’re comparing two pipelines and, say, you’re doing a corrosion burst pressure on those two pipelines and you can predict what that failure probability is, that’s easy to judge. It’s the highest risk or highest rate of failure. You’re going to go fix that one.

That’s just two pipelines. Again, in nuclear space or in the probabilistic space, you’ve got a hundred thousand. You need to look at it at a little bit higher level because you can’t look at every single segment or every single attribute in your model. Does that make sense?

Russel: Yes, it does, actually. It does. This is actually one of the things. I was recently at Pipeline Pigging & Integrity Management. I was talking to people about the new tools. One of the things that’s occurring is these inspection pigs that we run at pipelines, they’re capturing more and more and more data.

That reality is creating challenges for the analyst to know, “Which of this data do I care about? How do I find what I’m interested in and make decisions with that?” It’s one thing if I find 50 features in a 100 mile pipeline run. It’s another thing if I find 5,000.

You’ve got to look at these features and determine what they are. Are they a feature requiring further investigation, or are they just a feature? More data is good, but more data creates problems.

I guess, just in that kind of situation, if I could come up…These are all the different kinds of features I can find. I build a fault tree around those different features. Then it can help me surface more quickly the features I care about.

Jill: Exactly. We call it binning. The more you bin stuff, like your six inch pipeline, your eight inch pipeline, the more you can actually, quickly, identify where your real challenges are. Obviously, the more depth you go into, the better results you’re going to get, but it seems like it doesn’t take that much effort to do that. Because we’re already looking at those multitudes of defects.

Russel: I couldn’t even speak to that. I tend to get the elevation up. I’m like, “I’ve got all these things I found because of the tool run, but then I also have other things I need to worry about, related to slopes and drainage and all of these other factors that go to risk.” It gets quite complicated, quite quickly, I suppose.

Jill: It does.

Russel: Jill, I really want to spend more time and talk with you about how one goes about actually building a model. Maybe that’s a great tee up. We’ll have you come back for another follow up conversation. We’ll dig into that in more detail.

Jill: That would be great. Thank you.

Russel: All right. Thank you so much. I hope you enjoyed this week’s episode of the Pipeliners Podcast and our conversation with Jill. Just a reminder before you go. You should register to win our customized Pipeliners Podcast YETI tumbler. Just visit PipelinePodcastNetwork.com/Win and enter yourself in the drawing. 

If you have ideas, questions, or topics you’d be interested in, please let me know, either on the Contact Us page at PipelinePodcastNetwork.com, or reach out to me on LinkedIn. Thanks for listening. I’ll talk to you next week.

Transcription by CastingWords