Purpose
To provide guidance to OSD
inspectors on pipeline riser system pressure containment, and on the
overpressure protection of riser systems by means of instrumented
systems which are remotely located on a normally unattended
installation (NUI) or subsea.
Action
OSD
inspectors should take account of the contents of this SPC when
undertaking the assessment of Safety Cases and the inspection of
pipeline riser systems.
Introduction
In
this SPC, the term riser system means the riser itself, associated
items such as the riser ESDV and bolted joints, and the adjacent
(possibly fortified) pipeline section within the installation’s 500m
zone.
This SPC addresses safety instrumented systems,
additional to the normal process trip/ESD function, where the plant is
not fully rated for the pressure to which it might be exposed in fault
conditions and either (1) there is no self-acting mechanical protective
system [e.g. bursting disc, relief valve] to prevent overpressure, or
(2) self-acting mechanical protection is present but by itself may be
inadequate in certain foreseeable circumstances [e.g. it is not sized
for the worst case].
Safe Instrumented Functions (SIFs)
occur in three instances; (1) a SIF which provides a layer of
protection but is not alone and is not the last to act, (2) a SIF which
provides a layer of protection and is the last to act, and (3) a SIF
which is the only layer of protection. This SPC addresses riser systems
and the safety instrumented systems (SISs) which protect them. The
subject SISs would normally be of type 2, here called final safety
instrumented system (FSIS), but some duty holders use alternative
terms, e.g. High Integrity Protection System (HIPS) High Integrity
Pressure Protection System (HIPPS), Over Pressure Protection System
[OPPS], or Secondary Protection System (SPS) – secondary in the sense
that this system acts after the corresponding ‘primary’ system.
Annexes
- Annex A gives some examples of plant configurations where remote FSIS may be a design option.
- Annex B provides information in respect of the design, operation and testing aspects of FSIS.
Pipelines and risers protected by HIPPS
The
implementation of FSIS subsea is relatively novel. HSE is aware of only
a small number of systems worldwide, some on the UKCS.
Some FSIS have been implemented in situations where the ratio between
the maximum pressure threat and system rated pressure is low (e.g. less
than 1.5) and the hydrotest pressure will not be breached. In such
situations, there may be a relatively low risk of loss of containment,
though overpressure protection is still required. However, where this
ratio is higher, the unprotected risk of a loss of containment is
likely to be unacceptable and protection is critical.
The critical plant protected by a pipeline FSIS is generally a high
inventory import riser system, the failure of which is a major hazard,
where self-acting full flow mechanical relief is impractical and it is
uneconomic to fully rate the pipeline and riser to the maximum pressure
(e.g. where the pipeline is so long that rating it for the maximum
pressure is feasible but renders the project uneconomic), or it is not
possible to fully rate the pipeline and riser.
Legal considerations
A
pipeline rupture is a major safety hazard only if it occurs near
people, though a pipeline rupture is likely to cause unacceptable
environmental and commercial losses. For pipeline sections remote from
offshore installations, shipping activity may be minimal and unlikely
to be threatened by any release. Thus only a rupture of a pipeline near
an installation or at the riser itself is addressed in this SPC as only
this would be an OSD matter; however, these wider issues should be
addressed by the duty holder [note that in the longer term, people may
have to do potentially dangerous things on or near the installation to
rectify any rupture, but this is beyond the current scope].
Pipelines Safety Regulations 1996 [SI 1996/825]
- Regulation
6: Provision of pipeline safety systems as are necessary SFAIRP. [This
would include the process trip/ESD and the FSIS.]
- Regulation
11(b): Operation of pipeline to be within the safe operating limits [ie
the ESD system and the FSIS must restrict the pipeline pressure to
within the safe operating limits in the event of any abnormal operating
conditions or faults giving rise to a potential for overpressure].
Offshore Installations (Prevention of Fire and Explosion, and Emergency Response) Regulations 1995 [SI 1995/743]
- Regulation 9(1)(b): Prevent the uncontrolled release of flammable or explosive substances.
Offshore Installations (Safety Case) Regulations 2005 [SI 2005/3117]
- Regulation 2(5)(a): SCEs to be suitable.
Note
that a FSIS on one installation protecting risers on another
installation is an SCE, but the practicalities of verifying such
elements are not simple, particularly when the installations concerned
have different operators.
A subsea FSIS is not an SCE
where it is part of the pipeline outwith 500 m of the installation
because this part of the pipeline is not part of the installation [see
SCR05 guidance para 85 and MAR Regulation 3(2)(f)]. A subsea FSIS is
not part of a well since its function is to protect the pipeline and
riser, not to contain the pressure in the well (see SCR05 Regulation 2,
the definition of a well). Thus the FSIS is not part of the
installation and hence not an SCE.
Safety case assessment
Any
use of a FSIS should be addressed within a Safety Case, and should be
assessed in the light of this SPC. Past experience indicates that
assessors should ask high-level questions during every Safety Case
assessment to establish (a) if any pressure containment system situated
on the installation is protected against over-pressurisation by remote
FSIS located subsea or on another installation, or (b) whether the
installation features any FSIS which protects any remote
installation(s) from over-pressurisation of a riser system.
Once the
principle of using FSIS has been demonstrated to be ALARP, the
Functional Safety Assessment of the implementation is the starting
point for assessment of the more detailed design.
SMS
assessment should address the operational maintenance and testing
philosophies to ensure adequate availability of FSIS. Where there is
more than one offshore installation involved it is necessary, in order
to ensure that the SMS measures are adequate for the FSIS protective
function as a whole, to consider whether the maintenance and testing
philosophies included in the Safety Cases for the other installation(s)
are sufficient.
Operational inspection
Riser
system FSIS are particularly critical to safety of persons and should
be identified for particular attention during inspection visits.
The requirements of BS EN 61511 (Refs 4-6) are considered as good
practice in the UK process sector; also note that there is a
forthcoming Energy Industry Council (EIC) guidance document (Ref 9)
which supports the interpretation of BS EN 61511. Duty holders should
demonstrably follow the recommendations for hardware and software
safety integrity, or employ other equally effective means. Duty holders
should comply with the safety management system requirements, as
specified in BS EN 61511, which are appropriate to the SIL of the FSIS.
Topics addressed in an inspection of FSIS should include:
- Audit and review carried out by the duty holder and ICP.
- Confirmation
that the duty holder is implementing a routine maintenance and proof
testing schedule for both the hardware and computer software components
in order to confirm availability.
- Confirmation that
any necessary operational procedures, including any emergency
procedures that are necessary in the event of a FSIS malfunction, are
in place on the installation and that personnel are familiar with them.
- For those FSIS which are remotely located on an
adjacent interconnected installation, confirmation that items a. to c.
above are satisfactory. This is especially important in a situation
where there is more than one duty holder involved.
- Confirmation
of the suitability of any transport arrangements that have been put in
place to secure timely access to remote FSIS locations for critical
manual intervention, maintenance or testing.
In
the event that an inoperative or inadequately proof-tested and
maintained FSIS is identified during an inspection, appropriate
enforcement action should be taken.
Well CITHPs are
likely to reduce over time and eventually may fall below the pipeline
or riser pressure rating, which may themselves fall due to corrosion -
the FSIS proof test and inspection plan should therefore be updated as
required.
References
Note – where references are made to undated documents the most recent published edition applies.
- BS PD 8010 Code of Practice for Pipelines: Subsea Pipelines.
- BS EN 14161 Petroleum and Natural Gas Industries: Pipeline Transportation Systems.
- BS EN 61508 Parts 1-7 Functional Safety of Electrical / Electronic / Programmable Electronic Safety Related Systems.
- BS
EN 61511-1 Functional Safety - Safety Instrumented Systems for the
Process Industry Sector – Part 1: Framework, definitions, system,
hardware and software requirements. BSI
- BS EN
61511-2 Functional Safety - Safety Instrumented Systems for the Process
Industry Sector – Part 2: Guidelines for the application of IEC
61511-1. BSI
- BS EN 61511-3 Functional Safety -
Safety Instrumented Systems for the Process Industry Sector – Part.3:
Guidance for the determination of the required safety integrity levels.
BSI
- API RP 14 C - Recommended Practice for
Analysis, Design, Installation, and Testing of Basic Surface Safety
Systems for Offshore Production Platforms.
- HSE ALARP Suite of Guidance.
- Guide
to the application of IEC 61511 to safety instrumented systems in the
UK process industries, Engineering Equipment and Materials Users’
Association, EEMUA 222
- BS EN 10418 Petroleum and natural gas industries – Offshore production installations – Basic surface safety systems.
Consultation
This SPC has been prepared jointly by OSD 3.5, HID SI3 and OSD3.4.
For further information contact OSD 3.5.
Annex A
Plant configurations where remote HIPPS may be a proposed design option
HSE
may encounter design configurations as depicted in Figs 1 to
4. Applications of the type depicted in Figs. 1, 3 and 4 have already
been encountered in practice.
Note that these figures
are schematic only, and do not indicate where above the water line any
topsides ESDV or FSIS valves are to be located.
Fig. 1
Subsea wells with subsea FSIS feeding directly to a manned installation, subsea pipeline/riser not fully rated.
Fig. 2
Subsea wells with subsea HIPPS feed directly to an NUI, the subsea pipeline/riser is not fully rated.
Fig. 3
Subsea
wells feed directly to an NUI. The NUI does not have full flow relief
and the NUI import pipeline is fully rated. The NUI exports to a manned
installation and the NUI export riser and the import riser on the
manned platform are not fully rated.
Fig. 4
Local
wells, with flowlines fully rated, feed an NUI and the NUI exports to a
manned platform. The NUI topsides are not fully rated. The NUI does not
have full flow relief. The export pipeline from the NUI and the riser
at the manned platform are not fully rated and are protected by HIPPS
on the NUI.
Annex B
System design, operation and testing
Background
An internet search was conducted to identify what has been achieved in relation to subsea wells without
resorting to subsea FSIS. The search found the Gyrfalcon single well
development, with an initial reservoir pressure of 14752 PSI, which has
the world's first 15,000 psi subsea tree. The field has a single well,
is located in 885 feet of water and is tied back 2.9 miles to Shell's
GC-19 Boxer facility in the Gulf of Mexico.
Gyrfalcon came on stream in
1999. The 6 inch flowline and riser system are rated to 12,200 psi. The
5 inch i.d. riser was tested to a burst pressure above 25,000 psi. This
development demonstrates that it can be reasonably practicable to use a
fully rated system without resort to a FSIS.
Pressure system design considerations
Several
riser system configurations are discussed below to illustrate what OSD
would consider to be appropriate overpressure protection arrangements
where there is a likelihood of say > 0.1 of multiple deaths of say
> 10 persons in the event of a riser system rupture. These
configurations are listed in a hierarchy of descending order of
inherent safety; note that HSE policy is a preference for inherent
safety, refer to APOSC Principle 16 and SCR05 guidance para 136. Also
note the PFEER ACOP reference to MHSWR para 38 which states that ‘it is
best if possible to avoid a risk altogether’, and ‘to combat risks at
source’.
The guidance to the COMAH Regulations also discusses the
‘inherently safer approach’ as an important focus. Hence, the
configurations higher in the list are recommended; an ALARP
demonstration should show that each inherently safer option is not
reasonably practicable before an option with less inherent safety is
considered. This hierarchy is based, with some modifications in the
light of experience, on that suggested by HSE Pipelines Inspectors
since late 2002.
Configuration 1:
Fully
rated riser system designed for the worst case fault conditions in
accordance with a recognised code such as BS EN 14161 (Ref 2) supported
by BS PD 8010-2 (Ref 1) – i.e. the riser system design pressure at or
above the maximum possible pressure (usually CITHP or pipeline maximum
burst pressure).
Adherence to such a code gives confidence that all of
the forces acting on the system have been considered and that the
design is conservative. A fully rated system does not require a FSIS or
any other instrumented trip function for overpressure protection,
though trip functions are likely to be required for other reasons.
Configuration 2:
Riser
system protected by a self-acting full-flow pressure relief system
(e.g. relief valve) plus an overpressure trip function set no higher
than the code rating of the protected system. Note that relief valves
deliver their primary safety function by different means than an
instrumented function, and therefore have different failure modes from
instrumented trips; this gives the combination of a process trip + RV a
useful degree of diversity lacking in a solution wholly dependent on
instrumented systems.
This configuration does not require an additional
FSIS, but the integrity of the process trip/ESD should formally managed
as discussed in BS IEC 61511 - in practice, a very low SIL, perhaps
below SIL 1, is to be expected of the process trip/ESD. Note that for
pipelines and risers designed to code, a riser designed for the same
rating as a pipeline will normally have a higher burst pressure, so
that in this configuration the pipeline may rupture preferentially,
rather than the riser, if both layers of protection fail on demand. It
is understood that the Kirstin installation in Norwegian waters uses a
PSV upstream of the riser ESDV (along with an SSIV which reduces the
volume requiring relief).
Configuration 3:
Riser
system designed to a ‘no damage’ criterion, i.e. by engineering
assessment is expected not be stressed beyond yield, and not to leak,
if subjected to the maximum possible pressure. The pipeline rating is
no higher than the riser system rating. Overpressure protection
provided by an appropriate FSIS as a backup to the process trip/ESD
system is required; each system is to be capable of independently
isolating the over-pressure hazard. The FSIS may have modest SIL, and
the additional layers of protection listed in para 38 should be
considered.
Configuration 4:
Riser system
designed to a ‘no burst’ criterion, i.e. by engineering assessment a
low probability of leak or rupture is expected, typically <0 .05="" 38="" a="" additional="" an="" and="" appropriate="" as="" backup="" be="" by="" capable="" each="" fsis="" have="" hazard.="" higher="" if="" in="" independently="" is="" isolating="" layers="" listed="" maximum="" may="" medium="" no="" of="" over-pressure="" overpressure="" p="" para="" pipeline="" possible="" pressure.="" process="" protection="" provided.="" provided="" rating.="" rating="" required="" riser="" should="" sil="" some="" subjected="" system="" than="" the="" to="" trip="">
Configuration 5:
The
maximum possible pressure exceeds the pipeline burst pressure, but a
riser rupture is not expected as it has a somewhat higher burst
pressure than the pipeline. The FSIS will have a very high integrity
requirement, partly to protect the pipeline for commercial and
environmental reasons. Many of the additional layers of protection
listed in para 38 should be provided. This configuration is considered
to have poor inherent safety and should be avoided unless the riser
system protection provides a substantial assurance that riser
overpressure is very unlikely. It should attract attention at the
safety case assessment stage and in operation. The SIL requirement of
the FSIS will be very high, but any proposal for a SIL 4 FSIS should be
resisted strongly as there is no precedent for any such SIL 4 function
on the UKCS and so there is no evidence that the practicalities of
guaranteeing such a high standard of performance in service can be
dealt with; support from OSD3.5 should be sought.
Configuration 6:
Similar
to Configuration 5, but with uniform pressure containment capability
throughout, so that the location of any rupture is unpredictable. A
FSIS will be required, and have a very high integrity requirement,
partly to protect the pipeline for commercial and environmental
reasons. Many of the additional layers of protection listed in Para 38
should be provided. This configuration is considered to be highly
undesirable, and should attract considerable attention at the safety
case assessment stage and in operation. The SIL requirement of the FSIS
will be very high, but any proposal for a SIL4 FSIS should be resisted
strongly as there is no precedent for such any SIL4 function on the
UKCS and so there is no evidence that the practicalities of
guaranteeing such a high standard of performance in service can be
dealt with; support from OSD3.5 should be sought.
Configuration 7:
The
riser system burst pressure is below the maximum possible pipeline
pressure and rupture is probable at the riser system (e.g. where it is
the weakest link, say a pre-installed riser of inadequate rating). It
is considered that this arrangement is seriously flawed and should be
resisted strongly – instrumentation should not be the only defence
against a potentially catastrophic hazard where practicable
alternatives exist (in this example, redesign of the pipeline); support
from OSD3.5 should be sought.
In determining the maximum
possible burst pressure of the pipeline, the specified maximum
thickness and material properties of the pipeline, or more accurately,
measured actual maxima on a joint by joint basis, may be used.
Specified minima for the riser, or indeed measured actual minima on a
joint by joint basis, could be used to determine its minimum ‘no
damage’ or burst pressure of the riser system. Where the maximum
possible burst pressure of the pipeline is lower than the minimum
possible ‘no damage’ pressure of the riser system (i.e. configuration
3), or below the minimum possible burst pressure of the riser system by
a satisfactory margin (i.e. configuration 4), it is likely that in the
event of a pressure protection system failure on demand, the pipeline
section (at a safe distance from the installation) would fail
preferentially, rather than the riser. Where credit is taken for the
corrosion allowance in these calculations, an inspection regime will be
required, e.g. to demonstrate that burst strength of the riser system
declines no more quickly than the CITHP or maximum possible pipeline
burst pressure.
All codes require risers to be
hydrotested at 1.5 x design pressure, but carrying out a hydrotest
beyond 1.5 x design pressure (though not beyond yield) would raise
confidence in the analysis.
Moves away from pure
inherent safety can reduce CAPEX on the pipeline and riser system, but
could require higher OPEX on testing and maintenance of the FSIS, plus
more CAPEX and OPEX on any additional layers of protection.
In any situation where a FSIS is proposed, the SIL of that function
should be formally calculated, e.g. according to the EIC guidance (Ref
9), typically based on the demand rate and the consequences of a FSIS
failure to act, and will depend on the option chosen for the riser
system configuration. The integrity of the process trip/ESD should be
managed as discussed in BS EN 61511 and the EIC guidance, so as to
provide a basis for the demand rate element of the SIL calculation of
the FSIS performance standard.
Note that if the
process trip/ESD and FSIS were to fail on demand, a higher than normal
pressure may reach the riser ESDV and pose an increased hazard e.g. in
the event of an incident unrelated to riser overpressure protection
failure (e.g. failure due to severe weather). Thus in achieving an
overall ALARP solution, this may impact on overall risk to personnel by
virtue of the large inventory involved; Thus an under-rated riser
system may impact on the ALARP solution for topsides systems such
ventilation, fire & gas detection, deluge release on gas detection,
all with associated CAPEX and OPEX implications.
Whatever riser system configuration is adopted, normal operating
pressure including normal excursions should be within the code rating
of the entire pipeline and riser system.
The following
additional layers of protection, listed in no particular order, may
require to be addressed in the overall ALARP demonstration; it is to be
expected that a riser configuration with less inherent safety will
require more to be implemented. A sensitivity analysis might be helpful
in identifying those measures or combination of measures which produce
the greatest benefit at acceptable cost.
- Provide
for manual isolation. This may be feasible if the over-pressure hazard
is from an attended location where timely intervention [e.g. by closing
valves] to prevent pressure exceeding the design pressure is
practicable. The time required for manual intervention should be
significantly less than the time it would take for the pressure to
exceed the riser system design rated pressure. This time should be
subject to an appropriate human factors assessment.
- Protect
the riser system with subsea isolation valves [SSIV]. A subsea
isolation valve upstream of a critical import riser to an installation
may limit the potential inventory release, reducing the consequences
and hence reducing the required SIL performance of the FSIS. It should
be noted that closures (whether intentional or spurious) of a SSIV or
ESDV may place additional demands on the FSIS.
- Provide
a manually operated topsides pressure relief/blowdown system for the
pipeline, which can be brought into effect in the event of FSIS
failure, to fulfil a protective role with respect to the riser system.
The pressure relief should be upstream of the riser ESDV. Any such
design would require careful consideration to ensure the riser ESDV
requirements of Regulation 19 of the Pipelines Safety Regulations are
complied with. Where the pressure relief/blowdown is not upstream of
the ESDV, a guaranteed method of re-opening the ESDV prior to import
line pack exceeding the riser rating could be used as a protective
measure. HSE is not aware of the use of this method in UK waters. A
variation of this could be based on a manually operated ESDV bypass but
again HSE is not aware of the use of this method in UK. For the
protective measures as described in this para, gas from the pressure
relief/blowdown system could be disposed of via the flare system;
liquids present could be a problem, though it may be acceptable to
dispose of very small quantities to sea.
- Provide
subsea relief or bursting, e.g. a specifically designed 'weak' pipeline
section, although HSE is not aware of this arrangement on any UK
installation.
- Provide means to avoid blockages [e.g.
hydrates], which will reduce the number of demands on the over pressure
protection systems.
- Provide contingency plan for FSIS failure [e.g. evacuate the installation].
HIPPS Design
A
FSIS for protecting pipeline/risers from well pressure is conceptually
simple. The source of pressure, i.e. CITHP, is isolated when
overpressure is detected. Depending on SIL requirement, multiple
isolation valves and multiple sensors (e.g. either 1 out of 2 or 2 out
of 3 voting) may be required to meet the required availability and the
architectural constraints of BS IEC 61511.
Fig 4
illustrates a conceptual structure which meets SIL 3, but note that in
practice the pressure transducers may be located differently, e.g. one
or two may be between the shut-off valves, and that there may be other
valves to allow ancillary functions (in addition to the main
overpressure protection function) such as testing, flushing, manual
isolation, and the safe blowdown of any locked-in inventories. The
pressure transducers may be of diverse types, including a non-intrusive
type.
It should be noted that API Recommended Practice 14 C (ref 7 Appendix A
- Process Component Analysis para. A.1.2.2.1) prescribes that a single
shut down valve with a single independent pressure sensor and relay is
an acceptable alternative to a pressure relief valve for pipeline
protection, depicted in Fig A-1.3 of API RP 14C. This arrangement
cannot achieve a high SIL and cannot meet the architectural constraints
required by BS EN 61511 for high SILs. However, the arrangement may be
considered where a low SIL is acceptable. Note that the risk based
methodology of BS EN 10418:2003 (ref 10) calls for the application
of BS EN 61511 in the specification of instrument-based secondary
overpressure protection systems.
It is recommended that
the FSIS shut down valves be dedicated to the FSIS function; certainly,
credit for shut off functionality (whether automatic or manual) should
be taken only once per valve – e.g. it is not legitimate to take credit
in the FSIS SIL calculation for the same valves which are part of the
wellhead ESD function.
The integrity required for an
FSIS function is determined by the ALARP principle, overall risk
targets, and engineering judgement. Considerations of ALARP and target
SIL for a FSIS require difficult judgements of tolerable risk, how to
partition risk reduction across other layers of protective
functionality, safety benefits and costs. The cost of instrumented
protective functions increases rapidly with integrity level, but at the
same time the benefit in terms of further risk reduction reduces
because a large proportion of the uncontrolled risk has already been
protected. (Note that well CITHP may decline very rapidly, and this
will have an impact on the benefit element of ALARP calculations). An
ALARP case should consider both the CAPEX savings and the OPEX costs
arising from the use of FSIS. What is clear that a simple calculation
will not suffice for high consequence low probability events such as
the rupture of a riser; QRA is recommended, along with professional
judgement and current good practice as defined in this document. If the
resulting required SIL is higher than 3, the overall required risk
reduction should be redistributed across other measures – it is the
view of HID OSD that a SIL higher than 3 calls into question the
validity of the basic design concept, and that SILs higher than 3
cannot be assured in practice.
Furthermore, to achieve
higher SILs there would be a need for increased testing and
maintenance. Where required, this intervention can itself have a
detrimental risk impact because of the need for additional helicopter
flights, work on an NUI, or work subsea.
Calculation
of the SIL achievable by a FSIS appears to be a deceptively simple
matter based on reliability data, though this is sparse and subject to
some uncertainties. There is a problem with common cause failure, e.g.
hydrate formation in the valves. 'Beta factors' used to quantify the
likelihood of common cause failure mechanisms are at best uncertain.
Note that the FSIS uses the same technology as the primary instrumented
trip, so that these two layers of protection will always have common
cause failure mechanisms which need to be addressed.
Note that for a FSIS to be effective, it must operate sufficiently
rapidly to prevent overpressure. Often the line pack time is measured
in hours, where this is unlikely to be a practical issue, but there are
cases where the FSIS is required to close more rapidly (e.g. a liquids
pipeline), and the required closure time should be calculated and
accommodated in the design; facilities to measure closure time with
sufficient accuracy should also be incorporated, especially where the
required closure time is short. Note that hydraulic hammer may be an
issue with rapid valve closure.
It is important to
design the FSIS such that it defaults to a state of least danger on
fault conditions where this property is easily designed-in (e.g.
failure detected by electronic self-test), as well as to design for
failure to safety on electric power failure and hydraulic power failure
- thus e.g. spring return shut off valves are recommended.
A difference between traditional subsea control and topsides control is
that some solenoid valves used in subsea control use pulses of power to
switch between two stable states, and so do not fail safe on loss of
electrical power. It is recommended that the overall FSIS function be
designed to fail safe rapidly on loss of electrical power or electrical
control signal to the subsea HIPPS, so fail safe solenoid valves are
preferred.
A hydraulic dump valve to speed up 'failure
to safety' on loss of hydraulic power supply should be considered, as
otherwise valve closure could take a long time while hydraulic fluid
flows back to the supply.
The basic function of the
remote FSIS (whether subsea or on a NUI) should be autonomous, with no
inhibit facility; there may be advantages in latching the tripped
state.
The basic FSIS function logic solver should
preferably be non-programmable. If the target integrity for the FSIS
function is SIL3 and a programmable logic solver is proposed, then
whatever combination of software lifecycle specification, design,
programme coding, verification and validation techniques have been
used, that combination should demonstrably, reliably and reproducibly
have resulted in software compatible with SIL3 performance, i.e. that
software methodology is mature, widely used and with extensive field
evidence, and conforms with BS 61508.
There are certain
ancillary functions which are likely to be useful, though such
functions should be designed so that they are not capable of
interfering with the basic function of the FSIS. For example, the
relevant installation(s) may have read-only supervisory communications;
typically, this function should be able to read pressures and valve
positions (including bypass valves, methanol injection valves), etc.
There may not be a pressure transmitter upstream of the import riser
ESDV; thus in the event of an ESDV closure, the only means of
determining pipeline pressure may be from subsea data transmitted by
communications link. Where this comms link fails, the data will become
unavailable and the status of pipeline and riser system protection
would be unknown. Hence there will generally be merit in an autonomous
well/manifold ESD trip after a 'time-out' in the event of a
communications failure.
It may be desirable to have a
trip function capable of being operated from the protected (host)
installation, a FSIS reset function, and a function to force any
component (e.g. pressure transmitter) to the safe state; there is no
objection to implementing these ancillary functions in programmable
logic.
Start up bypass valves can be required to bleed
down locked-in pressure, or to reduce the differential pressure across
the FSIS shut off valves. Control of start up bypass valves around FSIS
valves should be interlocked so that FSIS protection cannot be lost.
Other useful ancillary functions include valve position checks and discrepancy checks between pressure transmitter readings.
Operational testing and maintenance of HIPPS
Because
of the difficulty and risks associated with personnel access to the
types of remote FSIS being considered, certain SMS issues are
especially relevant. In particular, remote monitoring of operational
performance, demand rate and component failures should be carefully
considered as part of the design.
A properly developed strategy should
be in place to cater for severe problems such as transmitter failure,
loss of communications or loss of a test facility such as valve
position indication. There may be advantages in employing additional
redundancy so that the fault tolerance criterion continues to be met
under chosen fault conditions.
Subsea transmitters
cannot normally be calibrated in situ (calibration normally involves
checks at e.g. 0%, 20%, 100% of range, both rising and falling, to
check for linearity, hysteresis, repeatability etc), but proof/bump
tests of sufficient accuracy, at the set point, should be carried out.
Periodic partial closure tests of FSIS valves address the control
circuit, solenoid valve and some failure modes of the FSIS valve
itself, and so have useful diagnostic coverage, perhaps of order 50%.
However, partial closure tests do not confirm that the valve will close
fully, nor the stroke time for that operation, nor the leak rate in the
closed state; it is therefore necessary for some periodic tests to
involve full closure. An automated regime may be the only practical way
to confirm correct operation. These restrictions should be considered
in the reliability calculations.
Where the HIPS valve
closure time requirement is rapid, this time needs to be measured
accurately, and any loss of performance managed.
The
required HIPS valve leakage rate should be specified, and measured on
full closure test; any loss of performance should be managed.
Any maintenance of a subsea FSIS is likely to need ROV or diver
intervention. Thus as many components, or whole modules, as reasonable
should be diver/ROV replaceable. Instrument isolation valves should be
considered for pressure transmitters, even though they result in a
greater potential for failure.
