Emergency Generator FMEA Example

Rig 1 – Emergency Generator FMEA Report

Ref: S1266, Rev 1

Rig 1 – FMEA Studies – Emergency Generator Abstract

Project Title Rig 1 – FMEA Study – Emergency Generator

Client Name

Job No. S1266

Team Leader Alastair Krebs

Project Analyst (s)

Report Author (s)

ABSTRACT

A Failure Mode & Effects Analysis (FMEA) study was conducted with respect to the Emergency Generator system of the semi-submersible drilling rig Rig 1. The FMEA study was conducted at the Company project offices in JSL Shipyard, Singapore.

FMEA is a methodology used for analyzing potential reliability problems of systems, with a view to enhancing reliability through design. The FMEA approach has three basic elements when reviewing potential failure modes. These are the SEVERITY of the event, the likelihood of OCCURRENCE and the DETECTABILITY during the design phase of the failure event.

Based on these elements, the FMEA process calculates a Risk Priority Number (RPN) for each individual Potential Cause of Failure. The aggregate RPN for each Potential Failure Mode (which may be comprised of a number of individual Potential Causes of Failure) is then presented in a graphical format for review.

The study team identified 5 subsystems of the Emergency Generator system for review. These were the starting, fuel, emergency stop, fire damper and synchronisation / control subsystems. A total of 26 discrete failure modes were identified and analysed.

Recommendations were developed for the critical and high risk failure modes which, if implemented, will reduce risk to an acceptable level. Revised RPN’s were calculated to demonstrate the expected reduction in risk for these elements.

Key Words: (e.g. Industry category, study type)DRILLING, FMEA

Release No.

Date of Issue Reviewed by Approved by Client Approval

Draft

Ref: S1266 Rev 1 Page 2 of 13

Rig I – FMEA Studies – Emergency GeneratorTable of Contents

TABLE OF CONTENTS

1. EXECUTIVE SUMMARY....................................................................4

2. ACRONYMS & GLOSSARY................................................................6

3. DISCUSSION..................................................................................7

4. FMEA STUDY TEAM........................................................................9

5. FMEA METHODOLOGY...................................................................10

6. DISTRIBUTION.............................................................................13

ATTACHMENTS:

1. FMEA RISK PRIORITY NUMBER (RPN) GRAPH2. FMEA WORKSHEETS3. PHOTOGRAPHS


Rig 1 – FMEA Studies – Emergency Generator Executive Summary

1. EXECUTIVE SUMMARY

A Failure Mode & Effects Analysis (FMEA) studies was conducted with respect to the Emergency Generator system of the semi-submersible drilling rig Rig 1. The FMEA study was conducted at the Company project offices in JSL Shipyard, Singapore.

This report covers the Emergency Generator system. Five subsystems of the Emergency Generator system were identified for review. The identified subsystems were:

Starting subsystem

Fuel subsystem

Emergency Stop subsystem

Fire Damper Subsystem

Synchronisation / Control subsystem

Potential failure modes for each subsystem were then identified and the severity, occurrence and detectability assessed for each potential cause of those failure modes.

The Fire Damper subsystems were identified as having a significant Risk Priority Number (RPN) value. The Potential Causes of Failure which resulted in high RPN values for the Fire Damper subsystem were:

Failure of Fire Dampers to close on signal

Failure of Fire Dampers to seal properly upon closure

The RPN is derived as a mathematical calculation of Severity x Occurrence x Detectability.

An aggregate RPN is calculated for each of the 26 Potential Failure Modes identified and is presented in a graphical format for review. The calculation of RPN values serves to prioritise responses to the findings of the FMEA study (Refer Attachment 2).

Review of the RPN aggregate graph led to the establishment, by Pareto Analysis, of two levels where response activities would return significant risk reduction. These were established at RPN values of 200 and 350 (respectively) for this study.

It should be noted that these RPN values are specific to this FMEA only and are not absolute values which can be compared to other RPN values in other FMEA studies (Refer Attachment 1).


Rig 1 – FMEA Studies – Emergency Generator Executive Summary

Potential Failure Modes with an RPN value in excess of 350 have been ranked as “Risk Reduction Measures Required”. These can also be viewed as critical risks.

There were two Potential Failure Modes identified by the team as having an RPN value in excess of 350. Both of these identified items related to the Fire Damper subsystem.

Potential Failure Modes with an RPN value in excess of 200 but less than 350 have been ranked as “Risk Reduction Measures Recommended”. That is to say, these risks were recommended for action but such action was not seen to be mandatory.

There were two Potential Failure Modes identified by the team as having an RPN value in excess of 200 but less than 350. Two of these items related to the Fire Damper subsystem and one item related to the Starting subsystem.

Potential Failure Modes with an RPN value less than 200 have been ranked as “Continuous Improvement”. These are items which have no immediate impact on the operability and safety of the system and thus can be dealt with in due course, as resources become available to do so.

There were twenty items identified over the range of subsystems which fell into this category.

Recommendations to mitigate the critical risks were identified by the team. These recommendations were compiled during the FMEA study and were included in this report at the Client’s request.

For the Fire Damper subsystem the following was recommended to mitigate the risks to an acceptable level:

Adopt planned maintenance routine to periodically clean and check louvre’s clean of debris

Periodic maintenance of the main, auxiliary and emergency switchboards.

Include periodic maintenance of emergency starting batteries in planned maintenance program.

Ensure that regular emergency exercises are held and crew are made aware of the emergency generator room fire damper system limitations.

The study showed that the Emergency Generator system was a fit-for-purpose design provided that the appropriate asset integrity activity recommendations such as maintenance, testing and inspection, are carried out during the life of the system.


Rig 1– FMEA Studies – Emergency Generator Acronyms & Glossary

2. ACRONYMS & GLOSSARY

ACRONYMSAC Alternating currentALARP As Low As Reasonably PracticableBHPB BHP BillitonFMEA Failure Modes & Effects AnalysisHAZID Hazard IdentificationHp Horse PowerL LikelihoodM Marginal RiskN Negligible RiskNDT Non Destructive TestingOcc OccurrencePM Preventative MaintenanceRPN Risk Priority NumberSev SeveritySOP Standard Operating ProcedureE-Stop Emergency StopU Unacceptable Risk


Rig 1 – FMEA Studies – Emergency Generator Discussion

3. DISCUSSION

3.1. Background

The emergency generator system is a critical piece of equipment on every vessel as it provides ongoing power to those systems required for the management of emergency situations.

3.2. Analysis

The results of this FMEA are supported by industry data. The DNV Offshore Reliability Data handbook provides specific data relating to reliability of emergency generator systems. The following empirical data with respect to worldwide experience of emergency generator reliability was extracted as part of the FMEA study:

Number of failures per 1 x 106 hours of operation = 685

Number of critical failures per 1 x 106 hours of operation = 120(This includes 100 ‘failure to start’ events and 19 ‘failure while running’ events.)

Mean number of manhours to repair a critical failure = 16.2 hours

Number of overheating related failures per 1 x 106 hours of operation = 9.57.

(This failure mode is often related to fire damper operation and is of major concern as the mean number of hours for repair of such failure stands at 82.5)

Number of degrading events per 1 x 106 hours of operation includes the following:

- Leakage on auxiliary systems = 9.5 - Faulty output frequency = 4- Fail to synchronize = 14.32- Fail while running = 5

In line with the above reliability data, the FMEA study for the Emergency Generator on Rig 1 resulted in high RPN levels for the following Potential Failure Modes:

Failure to start

Failure of fire dampers to operate correctly

3.3. Recommendations

The analysis showed that the Fire Damper posed significant risks. In this failure mode one casual mode was identified as significantly high; debris jammed in the louvres. Recommendations to mitigate the risk were identified by the team. Recommendations were compiled during the FMEA study and were included in this report at the Clients request. For the Fire Damper subsystem the following was recommended to mitigate the risk to an acceptable level:


Rig 1 – FMEA Studies – Emergency Generator Discussion

Adopt planned maintenance routine to periodically clean and check louvre’s clean of debris

Periodic maintenance of the main, auxiliary and emergency switchboards.

Include periodic maintenance of emergency starting batteries in planned maintenance program.

Ensure that regular emergency exercises are held and crew are made aware of the emergency generator room fire damper system limitations.


Rig 1 – FMEA Studies – Emergency Generator FMEA Study Team

4. FMEA STUDY TEAM

For the purposes of this FMEA study, Contractor utilised the following personnel:

Table 4.1: FMEA Team Members

Name Company

These team member’s backgrounds covered areas such as Electrical Engineering, Subsea Engineering, Marine Engineering, Petroleum Engineering and Process Engineering.


Rig 1 – FMEA Studies – Emergency Generator FMEA Methodology

5. FMEA METHODOLOGY

FMEA is a methodology Contractor use for analyzing potential reliability problems of systems, with a view to enhancing reliability through design. The FMEA approach has three basic elements when reviewing potential failure modes. These are the SEVERITY of the event, the likelihood of OCCURRENCE and the DETECTABILITY during the design phase of the failure event.

The FMEA process delivers a Risk Priority Number (RPN) for each Potential Cause of Failure. The aggregate RPN for each Potential Failure Mode is then presented in a graphical format for review.

A crucial step is anticipating what might go wrong with a product. While anticipating every failure mode is not possible, the development team should formulate as extensive a list of potential failure modes as possible.

The study used the following methodology:

Prepare Technical, failure and reliability data (e.g. drawings and manuals)

Site visit to the rig

Identify a discrete system for review (Emergency Generator)

Identify assessable functional subsystems of the Emergency Generator system

Identify the Potential Failure Modes of each subsystem

Identify the Potential Effects of Failure for each Potential Failure Mode

Assess and rank the severity criteria of each Potential Effect of Failure

Identify the Potential Causes of Failure for each of the Potential Effects of Failure

Assess and rank the Occurrence and Detectability criteria levels for each Potential Cause of Failure

Quantify the risk by generating a Risk Priority Number (RPN) for each Potential Cause of Failure.

Prepare and issue draft report of the study with appropriate recommendations for comment.

Issue final report

The aggregate RPN for each Potential Failure Mode is presented in a graphical format for review and serves to allow a prioritisation of response to the findings of the FMEA study.



The following tables provide the criteria used to ranking the elements of Severity, Occurrence and Detectability during the FMEA study:

Severity

1 None No effect on vessel or drilling program2 Very Slight Negligible effect on vessel or drilling program. Client

not affected.3 Slight Slight effect on vessel or drilling program.4 Minor Minor effect on vessel or drilling program. Client

slightly dissatisfied.5 Moderate Reduced performance of vessel or drilling

equipment. Client dissatisfied.6 Moderately High Vessel and drilling equipment operable and safe but

performance degraded. Client dissatisfied but no downtime occurred.

7 High Vessel and/or drilling equipment severely affected. Client very dissatisfied. Downtime is expected.

8 Very High Vessel and/or drilling equipment inoperable but safe. Client very dissatisfied and contractor on downtime. Drilling program in jeopardy.

9 Extremely High Vessel and/or drilling equipment failure resulting in hazardous effects highly probable. Compliance with statutory and/or industry standard in jeopardy. Contractor on downtime. Drilling program suspended.

10 Maximum Vessel and/or drilling equipment failure resulting in hazardous effects is almost certain. Non compliance with statutory and/or industry standards. Contractor on downtime. Drilling program suspended.

Occurrence

1 Extremely Unlikely

Failure highly unlikely.

2 Remote Rare number of failures likely.3 Very Low Very few failures likely.4 Low Few failures likely.5 Moderately Low Occasional failures likely.6 Medium Medium number of failures likely.7 Moderately High Moderately high number of failures likely.8 High High number of failures likely.9 Very High Very high number of failures likely.

10 Extremely Likely Failure almost certain.



Detectability during design process

Detection Likelihood of DETECTION by Design Control Ranking

Almost Certain Design control will detect potential cause/mechanism and subsequent failure mode

1

Very High Very high chance the design control will detect potential cause/mechanism and subsequent failure mode

2

High High chance the design control will detect potential cause/mechanism and subsequent failure mode

3

Moderately High Moderately High chance the design control will detect potential cause/mechanism and subsequent failure mode

4

Moderate Moderate chance the design control will detect potential cause/mechanism and subsequent failure mode

5

Low Low chance the design control will detect potential cause/mechanism and subsequent failure mode

6

Very Low Very low chance the design control will detect potential cause/mechanism and subsequent failure mode

7

Remote Remote chance the design control will detect potential cause/mechanism and subsequent failure mode

8

Very Remote Very remote chance the design control will detect potential cause/mechanism and subsequent failure mode

9

Absolute Uncertainty

Design control cannot detect potential cause/mechanism and subsequent failure mode

10

FMEA Worksheets

Following is an example of a completed worksheet from the FMEA study. The Risk Priority number is used to prioritise the process of addressing the findings of the FMEA study.

Table 5.2 FMEA Worksheet Example

Potential Failure Mode

Potential Effects of

FailureSeverity

Potential Causes of Failure

OccurrenceDetectability

during design process

Risk Priority Number

1. Start motor failure

1. Generator does not start upon receiving start signal

7 1. Age of motor 1 1 7

2. Ingress of moisture to motor winding

2 3 42

3. Low voltage/high amperage starts

3 2 42

4. Excessive number of starts (short cycling of engine)

4 1 28

Table 5.3 FMEA Response Criteria Levels



Criteria RankingRisk Reduction MeasuresRequiredRisk Reduction MeasuresRecommended


Rig 1 – FMEA Studies – Emergency Generator Distribution

6. DISTRIBUTION

The FMEA study report distribution is as follows:

Copy No. Owner1 Paper2 CD3 Contractor Library System


Rig 1 – FMEA Studies – Emergency Generator Attachment 1: FMEA RPN Graph

ATTACHMENT 1

FMEA RISK PRIORITY NUMBER (RPN) GRAPH

Ref: S1266 Rev 1

Rig 1 – FMEA Studies – Emergency Generator Attachment 1: FMEA Risk Priority Number (RPN) Graph

1. FMEA RISK PRIORITY NUMBER (RPN) GRAPH

DD1 FMEA - Emergency Generator

050

100150200250300350400450500

Emergency Generator Failure Modes

RP

N

(Ris

k P

rio

rity

Num

be

r)


Rig 1– FMEA Studies – Emergency Generator Attachment 2: FMEA Worksheets

ATTACHMENT 2

FMEA Worksheets

Ref: S1266 Rev 1

Rig 1 – FMEA Studies – Emergency Generator Attachment 2: FMEA Worksheets

2. FMEA WORKSHEETS

System: 1. Emergency Generator

Subsystem: 1. Starting


Potential Effects of Failure

SevPotential Causes of

FailureOcc

Detectability during design

processRPN Recommendations

After Actions Taken

Sev Occ Detectability RPN%

Reduction

1. Start motor failure (air/electrical)


7 1. Age of motor 1 1 7

2. Ingress of moisture to motor air/electric

2 3 42


3 2 42


4 1 28

5. Incorrect application of motor

1 1 7

2. Start power failure (battery/air failure)


7 1. Lack of maintenance (dry batteries)

4 2 56

2. Low air pressure 3 2 42

2. Battery explosion 4 1. Shorting of terminals

2 1 8

2. Insufficient insulation

1 1 4

3. Cable damage 2 2 16

3. Fire 6 1. Internal cell collapse

1 4 24

2. Excessive current delivery

2 2 24








FailureOcc



After Actions Taken


Reduction

3. Terminal corrosion


7 1. Lack of maintenance

3 1 21

2. Poor installation 1 1 7

3. Choice of material 1 1 7

4. Moisture 2 2 28

4. Solenoid failure


7 1. Excessive number of starts (short cycling of engine)

2 1 14


2 1 14

5. Flywheel burr 1. Generator does not start upon receiving start signal

7 1. Damage during commissioning

3 1 21

2. Control system errors causing start signals while engine running

3 2 42

2. Emergency generator downtime

5 1. Inability to start due to flywheel excessively burred/damaged.

1 1 5

6. Automatic controller failure


7 1. Poor terminal connections

2 3 42

2. Maintenance personnel not resetting controller

2 1 14

3. Drift of control parameters

1 3 21








FailureOcc



After Actions Taken


Reduction

4. Failure of monitoring circuit

1 2 14

7. Manual override not deactivated


7 1. Maintenance personnel not resetting controller

3 1 21

2. Wiring errors 2 1 14

2. Emergency generator does not receive start signal

5 1. Switch left in manual position

2 1 10

8. Fuel shut off closed


7 1. Fuel supply valve closed causing zero fuel supply to engine

2 2 28

2. Fuel starvation, requiring re-bleed of systems and downtime

7 1. Engine starting with fuel valve closed

1 2 14

2. Fuel valve not fully opened

2 1 14

9. Fire dampers closed

1. Emergency generator overheats

7 1. Fire damper left in closed position

1 1 7

2. Inadvertent operation of damper

1 2 14

3. Compressed air system failures

2 3 42

2. Oxygen starvation to emergency generator

6 1. Operating engines whilst fire dampers closed

1 2 12

10. Fuel inventory (day tank empty or


7 1. Stale fuel (non circulation of fuel stocks)

3 1 21








FailureOcc



After Actions Taken


Reduction

contaminated) 2. Shipyard blasting grit

7 1 49

2. Fuel starvation, requiring re-bleed of systems and downtime

6 1. Clogged filters 2 1 12

2. Air in system 1 1 6

3. Premature shutdown 6 1. Engine runs out of fuel

2 1 12

11. Battery charger failure


7 1. Main bus failure (blown fuse)

3 2 42 2. Periodic maintenance of the main, auxiliary and emergency switchboards.

7 3 1 21 50.00

2. Maintenance check failures

1 2 14

3. PM system does not cover monitoring of charging amps

1 1 7

2. Flat batteries 6 1. Extended non charging periods

2 2 24


2 1 12

3. Faulty battery 1 1 6

4. Poor battery maintenance

4 3 72 3. Include periodic maintenance of emergency starting batteries in planned maintenance program.

6 4 2 48 33.33

3. Reduced battery life 3 1. Poor quality battery

1 1 3








FailureOcc



After Actions Taken


Reduction


4 3 36


2 1 6

4. Insufficient design charging current

1 1 3

4. Reduced cranking amp availability

3 1. Poor quality battery

1 1 3


2 3 18


2 1 6

4. Insufficient design charging current

1 1 3

12. Alarm malfunction


7 1. Alarm state inhibits start signal

2 1 1

2. Alarm flooding 3 1. Poor design of alarm systems

1 2 2

3. False alarms 4 1. Poor maintenance 1 3 3

2. Low quality alarm systems

1 1 1

3. Inadequate alarm check procedures

2 1 1

4. Premature shutdown 6 1. False alarm 3 2 2








FailureOcc



After Actions Taken


Reduction

5. Failure to shutdown 2 1. Failure to recognize alarm state

3 1 1


Subsystem: 2. Fuel Systems




FailureOcc



After Actions Taken


Reduction

1. Hose/fuel line failure

1. Fuel leak/spill - environmental release

2 1. Leaking connection

5 2 20

2. Fractured pipe 3 1 6

2. Fire 7 1. Contact with exhaust - leak

2 1 14

2. Fuel leak contacting turbo charger

2 1 14

3. Premature shutdown 7 1. Fuel starvation 6 2 84

2. Fuel filter blockage


3. Fuel quality 1. Covered under starting system

4. Fuel inventory inadequate

1. Covered under starting system

5. Fuel pump failure

1. Generator does not start

7 1. Mechanical breakdown

2 1 14




Subsystem: 2. Fuel Systems




FailureOcc



After Actions Taken


Reduction

2. Poor maintenance 2 2 28

3. Inadequate design

1 1 7



Subsystem: 3. Emergency Stop (Estop)




FailureOcc



After Actions Taken


Reduction

1. Inadvertent operation

1. Unwarranted emergency stop

4 1. Sabotage 1 8 32

2. Unprotected Estop buttons

2 2 16

2. Degradation engine/electrical system

2 1. Short cycling (loading and unloading of system)

2 2 8

3. Loss of emergency power systems

6 1. Emergency generator shutdown

3 3 54

2. Failure To Operate

1. Damage to generator electrical systems

3 1. Incorrect voltage 2 2 12

2. Loss of control 1 2 6

3. Overload 2 2 12


2. Damage to bus electrical systems

3 1. Incorrect voltage 1 2 6

2. Overload 1 2 6




Subsystem: 3. Emergency Stop (Estop)




FailureOcc



After Actions Taken


Reduction

3. Asynchronous operation

1 2 6

3. Damage to motor 2 1. Overspeed 2 2 8

2. Overload 2 2 8

3. Incorrect operation

1. Estop fails to trip circuit breaker

4 1. Circuit breaker failure

2 3 24

2. Poor design of Estop system

2 3 24

2. Estop fails to trip air intake

2 1. Poor design of Estop system

2 3 12

2. Mechanical failure of air intake

2 2 8

3. Estop fails to initiate Estop alarm

3 1. Poor design of Estop system

2 3 18





Subsystem: 4. Fire damper




FailureOcc



After Actions Taken


Reduction

1. Failure to close on signal

1. Non extinguishing of fire

7 1. Debris jammed in louvre

7 7 343 1. Adopt planned maintenance routine to periodically check louvres are clean of debris.

7 3 3 63 81.63

2. Seizure due to lack of maintenance

3 1 21

3. Poor design of fire damper control

1 1 7

4. Loss of air system 2 3 42

2. Escalation of fire 7 1. Non exclusion of air

2 3 42

2. Failure to reset (open)

1. Inability to operate emergency generator

7 1. Poor design of fire damper control

1 1 7

2. Lack of maintenance

2 1 14

3. Lack of awareness of procedure

5 5 175 4. Ensure that regular emergency exercises are held and crew are made aware of the emergency generator room fire damper system limitations.

7 3 3 63 64.00

4. Loss of air system 2 3 42

3. Failure to seal upon closure

1. Non extinguishing of fire

7 1. Debris jammed in louvre

7 7 343 1. Adopt planned maintenance routine to periodically clean and check louvres clean of debris

7 3 3 63 81.63




Subsystem: 4. Fire damper




FailureOcc



After Actions Taken


Reduction

2. Lack of maintenance

2 1 14

3. Poor design of damper

1 1 7

2. Escalation of fire 7 1. Non exclusion of air

2 3 42

4. Inadvertent operation

1. Unplanned shutdown of generator

7 1. Loss of Emergency Power

2 7 98




Subsystem: 5. Synchronization / Control




FailureOcc



After Actions Taken


Reduction

1. Fails to synchronize to main bus (if applicable)

1. Inability to return to main power without power interruption

4 1. Design of control system

1 1 4

2. Control system component failure

2 2 16

2. Fails to reach synchronize speed

1. Inability to synchronize to main bus

5 1. Design of control system

1 1 5


2 2 20

3. Problems with main bus (e.g. main bus voltage incompatible)

4 4 80

2. Voltage/frequency dependant loads receiving incorrect power supply (EG AC motors)

6 1. Generator damage

2 3 36

2. Fuel system impairment

2 2 24


2 2 24

4. Fire damper malfunction

3 3 54

3. Generator attempts asynchronous closure

1. Circuit breaker damage

7 1. Control system component failure

2 2 28

2. Personnel attempting manual closure of circuit breaker

3 7 147

2. Explosion/fire 7 1. Circuit breaker recoil on attempted closure to main bus

1 2 14








FailureOcc



After Actions Taken


Reduction

3. Blackout 5 1. Main bus protection operates in reaction to attempted emergency generator circuit breaker closure

2 4 40

2. Emergency generator protection operates

4 2 40

4. Generator damage 5 1. Inadequate protective systems

1 1 5

2. Extreme overload 1 7 35

5. Unplanned shutdown 4 1. Generator protective devices operate

4 2 32



2 2 20

4. Unstable voltage/frequency

1. Voltage/frequency dependent loads receiving incorrect power supply (EG AC motors)

6 1. Generator damage

1 3 18

2. Fuel system impairment

2 2 24


2 2 24

2. Inability to synchronize to main bus

4 1. Inappropriate voltage/frequency parameters

1 2 8

3. Generator damage 5 1. Inadequate protective systems

1 1 5








FailureOcc



After Actions Taken


Reduction

4. Unplanned shutdown 4 1. Emergency generator protection operates

4 3 48



2 2 20


Rig 1– FMEA Studies – Emergency GeneratorAttachment 3: Photographs

ATTACHMENT 3

Photographs


Rig 1 – FMEA Studies – Emergency Generator Attachment 3: Photographs

3. PHOTOGRAPHS

Emergency Generator - Air start system

Emergency Generator / Switchboard

Ref: S1266 Rev 1Page 1 of 3


Emergency Generator Fuel / Lube system

Emergency Generator Fuel / Lube system



Emergency Generator Alarms / Protection

Emergency Generator Starting Batteries


Documents

Emergency Generator FMEA Example