LOPA applied on the case study

In this section the LOPA procedure based on the system is described, where the process in Figure 4.1 is used as the approach. In Appendix C the spreadsheet used in the study is presented.

The acceptance criteria are as in Table 4.1. The severity level is categorized as CC which is 1 to 3 fatalities suffered. The screening criteria give us that the

Experts were involved in the hazard identification study, and all members involved in the LOPA as well as in previous studies fulfill requirements regarding competency. The HAZOP preformed previously to the LOPA is assumed well documented and sufficient, and the data adjusted to fit with the LOPA analysis.

Initiating causes

Fluid slug congestion, choke control error due to human error, and choke col-lapse are the initiating causes identified. Slug congestion is accumulation of fluid / hydrates / scale leading to a blockage and pressure build-up upstream the blockage point. When this substance yields, the fluid accelerates and creates overpressure in the separator. Choke collapse is most likely a hardware valve failure, e.g. fatigue. Choke control error is erroneous operation of the choke control where the operator make the wrong response or fails to act at all. All these initiating causes lead to potential overpressure of the separator. The ini-tiating cause frequencies are found from tables, and the chosen values showed in Table 6.1 The frequency of slug congestion differs from field to field, and

de-Table 6.1: Initiating cause frequencies

Initiating cause Data source Frequency

Fluid slug congestion Expert judgment / Ormen Lange

5 times per year Choke control, human error BP/CCPS 1·10⁻¹/ per

oppor-tunity to act

Choke collapse / error OREDA 11.3 per 10⁶hours

pends on the composition of the fluid and the field construction. In the Ormen Lange project 5 demands was identified by expert judgment, which is assumed applicable. The human error (choke control) is assumed to be a routine task. In order to estimate the frequency the value in the table has to be multiplied with the number of opportunities / demands per year. The choke task is assumed to be executed approximately 20 times per year giving a resulting frequency of 2 times per year for this initiating cause. The OREDA estimate is given in hours, and assuming 8760 hours per year gives a frequency of 9.9 · 10⁻²per year.

IPLs - general considerations

In the next section it is described and discussed what protections layers that exist, and which of these that can be credited as IPLs.

The PL criteria are presented, and the definition of IPL clarified, in Section 3.2. The risk reduction and availability requirements are easy to assess. The four characteristics, especially the independence characteristic, are more difficult to prove. The key issue is to clarify what lies in the term independent. Can the IPLs share components, or do they have to be totally redundant? CCPS (2001)

state that the independence requirement claims that the IPL must be indepen-dent of the occurrence, consequence of the initiating event, and the failure of any component of an IPL already credited. Two approaches (A and B) are sug-gested, where B allows IPLs to physically share components and A restrains this configuration. But it is assumed that the logic solver will not be the source of failure, which imply detectors or final element to fail more frequently. If two IPLs share the same sensor(s) or final element(s) neither of the approaches jus-tify more than one IPL given credit. Note that approach A eliminates a larger extent of CCFs.

IPLs in the system

The system has the following protection layers:

• Topside PSD (closing PSDV)

• PSV (mechanical relief device)

• HIPPS

• Subsea PSD (closing PMV and / or: PWV and XOV)

• BPCSsubsea(PCV)

• BPCStopside(CV)

BPCS is referred to as process control system in the introduction to system para-graph. When and if these can be credited as IPLs must be evaluated. The BPCS_subsea which has the PCV as the actuating item, is not independent when the initiating cause is collapse of this valve. The PCV also share the same PT and TT as the subsea PSD. These are not independent and both cannot be credited as IPL. A question that arises is which system to credit. The most rational is to credit the PSD, but should be evaluated for the different initiating causes.

The PSV is credited as an IPL. It is independent as it shares no other com-ponents with any other protection layers. It is also independent of the initiating causes, and of high reliability.

The requirement and credited risk reduction of the PSD functions may vary.

The equipment vendor (e.g. the valve manufacturer) must document the per-formance of the valves in terms of SIL. This is documented in the safety ysis report (SAR), which is included in an overall document called safety anal-ysis specification (SRS). The contractor (e.g. Aker E&T and Aker Subsea) often present requirements to the equipment vendor which must be verified. In order to save time on documentation the equipment vendor certify the equipment.

The equipment then becomes SIL-certified. Usually the PSD functions are given credit within the interval of SIL 1, which is a PFD between 0.1 and 0.01. The

con-in the concerncon-ing case chosen to credit both PSD topside and subsea as a SIL 1 risk reduction.

Table 6.2: IPL PFDs

IPL Data source PFD

PSV CCPS table 1 · 10⁻²

Topside PSD (PSDV) BP / Aker Solutions 0.1 (SIL 1)

Subsea PSD BP / Aker Solutions 0.1 (SIL 1)

BPCS_subsea(PCV) CCPS table / BP 1 · 10⁻¹

BPCStopside(CV) CCPS table / BP 1 · 10⁻¹

HIPPS BP / Aker Solutions 5 · 10⁻⁴(SIL 3)

The HIPPS and the PSD subsea do have different PTs and actuating items, but they do share the same HPU / SCU. The XT and HIPPS valves will go to safe state if the HPU / SCU fails to provide hydraulic pressure. The only way this unit may cause an error is if the logic solver in the SCU fails in such way that the system does not initiate shutdown when a shutdown is needed. The issue that arise is how strict the independence requirement should be, and which of the two approaches presented in the previous paragraph to use. Even if they share logic solver both lead to risk reduction. With this basis approach B, which is described in the previous section, seems fair to use.

It is important to emphasize that a PL can be an IPL for one initiating cause - impact event pair, and not for another. The IPL PFDs are from different data sources, and Table 6.2 show the selected values.

Occupancy factor and ignition probability

Occupancy and ignition probability is included in the IPL columns in the LOPA worksheet. But they are not per definition considered as IPLs. It is assumed that 3 operators do rounds, and that the area is occupied 30 % of the time, leading to an occupancy factor of 0.3. The ignition probability depends on the pressure and the type of fluid. High pressure applied to a flammable fluid have a higher ignition probability than a low inflammable fluid working under low pressure.

A common classification is: 1 if the fluid is self igniting, 0.3 if the fluid is easy ignitable and 0.1 if it is a stable fluid. The fluid is a composition of oil, gas and water. This is assumed to be easy ignitable, but not 100% self ignitable leading to a chosen ignition probability of 0.5.

Analogy to Section 3.2: Relation between terms

Figure 6.3 is related to the figure in Section 3.2 and shows the initiating causes, process deviation, impact event and PLs based on the case description.

Figure 6.2: Relation between initiating causes, impact event, process deviation and PLs

Initiating cause impact event pair 1: Choke control human error -overpressure

The operator controlling the PCV has already failed and the PCV can not be cred-ited. Another question is whether the BPCS topside can be credited if the oper-ator and BPCS_subseafails. The BPCS topside have sensors and actuating items topside, which is far from the PCV located subsea. It is assumed that even if the operator is involved in the failure of the PCV, the topside BPCS will still function.

The credited IPLs are:

• Topside PSD (PSDV)

• PSV (mechanical relief device)

• HIPPS

• Subsea PSD

• BPCS_topside(CV)

The formula for calculating the intermediate event likelihood becomes:

Initiating cause frequency · PFDCV· PFDHIPPS· PFDPSDV· PFDsubseaPSD· PFDPSV· occupancy · ign. prob. = 2 · 10⁻¹· 5 · 10⁻⁴· 0.1 · 0.1 · 1 · 10⁻²· 0.3 · 0.5 = 1.5 · 10⁻⁹ Initiating cause - impact event pair 2: PCV collapse - overpressure When the PCV fails, does this influence the performance of the subsea PSD? If the PCV fails due to a SCU error it is expected that the subsea PSD will not

func-not certain that the PSD is able to prevent a pressure build-up due to the short distance between the XT valves and the choke module. There are several ways to interpret these issues. It is chosen to not give credit to the susbea PSD due to the response time. The following IPLs given credit are:

• Topside PSD (PSDV)

• PSV (mechanical relief device)

• HIPPS

• BPCS_topside(CV)

The formula for calculating the intermediate event likelihood becomes:

Initiating cause frequency·PFDCV·PFDHIPPS·PFDPSDV·PFDPSV·occupancy·ign. prob. = 9.9 · 10⁻²· 10⁻¹· 5 · 10⁻⁴· 0.1 · 10⁻²· 0.3 · 0.5 = 7.42 · 10⁻¹⁰

Initiating cause - impact event pair 3: Slug congestion - overpressure What PLs to give credit depends on where the slug congestion occurs. The PLs having actuating items upstream the blockage point have no function. If the blockage point is upstream the PSDV and downstream the riserbase the HIPPS, PCV and PSD will not be able to eliminate the hazard. The fluid column be-tween the blockage point and the valves will still provide pressure even if the valves close. The only way to eliminate pressure would be to have some sort of a bypass line in the system. Another issue is whether the other protection layers downstream have time to act. In the situation described the BPCStopside (CV) does probably not have time to act. The blockage point considered is upstream the PSDV and downstream the riser base, and the only IPLs given credit are:

• Topside PSD (PSDV)

• PSV (mechanical relief device)

The formula for calculating the intermediate event likelihood becomes: Initiating cause frequency·

PFDPSDV· PFDPSV· occupancy · ign. prob. = 5 · 10⁻¹· 0.1 · 10⁻²· 0.3 · 0.5 = 7.5 · 10⁻⁴ Sum up intermediate event likelihood for all pairs

The intermediate event likelihood for the three initiating cause - impact event pairs is summed up. The total intermediate event likelihood is 7.5 · 10⁻⁴. The third initiating cause - impact event pair is the most contributing to the total in-termediate event likelihood, and the frequencies associated with the two others have little effect.

Target risk measurement, SIL determination and mitigated event like-lihood

Compared to the TMEL the first two pairs are within the acceptable region be-cause 1.5 · 10⁻⁹and 7.42 · 10⁻¹⁰is less than 3 · 10⁻⁵. The total intermediate event likelihood is greater than the total TMEL for the entire scenario leading to the end-consequence (7.5 · 10⁻⁴> 3 · 10⁻⁵). This implies that a SIL must be deter-mined. By using Equation 4.3 the necessary risk reduction corresponding to the needed SIL is calculated:

Necessary risk reduction = 3 · 10⁻⁵

7.5 · 10⁻⁴ = 4 · 10⁻²

The question is now what SIL to set as the requirement. The necessary risk re-duction is between 10⁻²and 10⁻¹, and a SIL 2 is applicable. A conservative ap-proach is chosen and a SIL 2 is set as the requirement.

The next question is what PFD value a SIL 2 requirement constitutes, i.e what requirement to pass on to the SIS vendor. If the SIS vendor provides a system fulfilling SIL 2, but which only gives a risk reduction of 5 · 10⁻²the system is not safe enough. To solve this potential issue an additional PFD requirement is set to 1·10⁻². The final requirement is SIL 2, where the new safety system must have a specific P F D ≤ 1 · 10⁻².

The chosen PFD requirement is implemented in worksheet, and the miti-gated event likelihood is calculated. All values are within requirements, and the analysis is finalized.