To provide guidance to OSD inspectors on pipeline riser system pressure containment, and on the overpressure protection of riser systems by means of instrumented systems which are remotely located on a normally unattended installation (NUI) or subsea.
OSD inspectors should take account of the contents of this SPC when undertaking the assessment of Safety Cases and the inspection of pipeline riser systems.
In this SPC, the term riser system means the riser itself, associated items such as the riser ESDV and bolted joints, and the adjacent (possibly fortified) pipeline section within the installation’s 500m zone.
This SPC addresses safety instrumented systems, additional to the normal process trip/ESD function, where the plant is not fully rated for the pressure to which it might be exposed in fault conditions and either (1) there is no self-acting mechanical protective system [e.g. bursting disc, relief valve] to prevent overpressure, or (2) self-acting mechanical protection is present but by itself may be inadequate in certain foreseeable circumstances [e.g. it is not sized for the worst case].
Safety Instrumented Functions (SIFs) occur in three instances: (1) a SIF which provides a layer of protection but is not alone and is not the last to act, (2) a SIF which provides a layer of protection and is the last to act, and (3) a SIF which is the only layer of protection. This SPC addresses riser systems and the safety instrumented systems (SISs) which protect them. The subject SISs would normally be of type 2, here called a final safety instrumented system (FSIS), but some duty holders use alternative terms, e.g. High Integrity Protection System (HIPS), High Integrity Pressure Protection System (HIPPS), Over Pressure Protection System (OPPS), or Secondary Protection System (SPS) – secondary in the sense that this system acts after the corresponding ‘primary’ system.
The implementation of FSIS subsea is relatively novel. HSE is aware of only a small number of systems worldwide, some on the UKCS.
Some FSIS have been implemented in situations where the ratio between the maximum pressure threat and system rated pressure is low (e.g. less than 1.5) and the hydrotest pressure will not be breached. In such situations, there may be a relatively low risk of loss of containment, though overpressure protection is still required. However, where this ratio is higher, the unprotected risk of a loss of containment is likely to be unacceptable and protection is critical.
The critical plant protected by a pipeline FSIS is generally a high inventory import riser system, the failure of which is a major hazard, where self-acting full flow mechanical relief is impractical and it is uneconomic to fully rate the pipeline and riser to the maximum pressure (e.g. where the pipeline is so long that rating it for the maximum pressure is feasible but renders the project uneconomic), or it is not possible to fully rate the pipeline and riser.
A pipeline rupture is a major safety hazard only if it occurs near people, though a pipeline rupture is likely to cause unacceptable environmental and commercial losses. For pipeline sections remote from offshore installations, shipping activity may be minimal and unlikely to be threatened by any release. Thus only a rupture of a pipeline near an installation or at the riser itself is addressed in this SPC as only this would be an OSD matter; however, these wider issues should be addressed by the duty holder [note that in the longer term, people may have to do potentially dangerous things on or near the installation to rectify any rupture, but this is beyond the current scope].
Pipelines Safety Regulations 1996 [SI 1996/825]
Offshore Installations (Prevention of Fire and Explosion, and Emergency Response) Regulations 1995 [SI 1995/743]
Offshore Installations (Safety Case) Regulations 2005 [SI 2005/3117]
Note that a FSIS on one installation protecting risers on another installation is an SCE, but the practicalities of verifying such elements are not simple, particularly when the installations concerned have different operators.
A subsea FSIS is not an SCE where it is part of the pipeline outwith 500 m of the installation because this part of the pipeline is not part of the installation [see SCR05 guidance para 85 and MAR Regulation 3(2)(f)]. A subsea FSIS is not part of a well since its function is to protect the pipeline and riser, not to contain the pressure in the well (see SCR05 Regulation 2, the definition of a well). Thus the FSIS is not part of the installation and hence not an SCE.
Any use of a FSIS should be addressed within a Safety Case, and should be assessed in the light of this SPC. Past experience indicates that assessors should ask high-level questions during every Safety Case assessment to establish (a) if any pressure containment system situated on the installation is protected against over-pressurisation by remote FSIS located subsea or on another installation, or (b) whether the installation features any FSIS which protects any remote installation(s) from over-pressurisation of a riser system. Once the principle of using FSIS has been demonstrated to be ALARP, the Functional Safety Assessment of the implementation is the starting point for assessment of the more detailed design.
SMS assessment should address the operational maintenance and testing philosophies to ensure adequate availability of FSIS. Where there is more than one offshore installation involved it is necessary, in order to ensure that the SMS measures are adequate for the FSIS protective function as a whole, to consider whether the maintenance and testing philosophies included in the Safety Cases for the other installation(s) are sufficient.
Riser system FSIS are particularly critical to safety of persons and should be identified for particular attention during inspection visits.
The requirements of BS EN 61511 (Refs 4-6) are considered as good practice in the UK process sector; also note that there is a forthcoming Energy Industry Council (EIC) guidance document (Ref 9) which supports the interpretation of BS EN 61511. Duty holders should demonstrably follow the recommendations for hardware and software safety integrity, or employ other equally effective means. Duty holders should comply with the safety management system requirements, as specified in BS EN 61511, which are appropriate to the SIL of the FSIS.
Topics addressed in an inspection of FSIS should include:
In the event that an inoperative or inadequately proof-tested and maintained FSIS is identified during an inspection, appropriate enforcement action should be taken.
Well CITHPs are likely to reduce over time and eventually may fall below the pipeline or riser pressure rating, which may itself fall due to corrosion; the FSIS proof test and inspection plan should therefore be updated as required.
This SPC has been prepared jointly by OSD 3.5, HID SI3 and OSD3.4.
For further information contact OSD 3.5.
HSE may encounter design configurations as depicted in Figs 1 to 4. Applications of the type depicted in Figs. 1, 3 and 4 have already been encountered in practice.
Note that these figures are schematic only, and do not indicate where above the water line any topsides ESDV or FSIS valves are to be located.
Subsea wells with subsea FSIS feeding directly to a manned installation, subsea pipeline/riser not fully rated.
Subsea wells with subsea HIPPS feed directly to an NUI; the subsea pipeline/riser is not fully rated.
Subsea wells feed directly to an NUI. The NUI does not have full flow relief and the NUI import pipeline is fully rated. The NUI exports to a manned installation and the NUI export riser and the import riser on the manned platform are not fully rated.
Local wells, with flowlines fully rated, feed an NUI and the NUI exports to a manned platform. The NUI topsides are not fully rated. The NUI does not have full flow relief. The export pipeline from the NUI and the riser at the manned platform are not fully rated and are protected by HIPPS on the NUI.
An internet search was conducted to identify what has been achieved in relation to subsea wells without resorting to subsea FSIS. The search found the Gyrfalcon single well development, with an initial reservoir pressure of 14752 PSI, which has the world's first 15,000 psi subsea tree. The field has a single well, is located in 885 feet of water and is tied back 2.9 miles to Shell's GC-19 Boxer facility in the Gulf of Mexico. Gyrfalcon came on stream in 1999. The 6 inch flowline and riser system are rated to 12,200 psi. The 5 inch i.d. riser was tested to a burst pressure above 25,000 psi. This development demonstrates that it can be reasonably practicable to use a fully rated system without resort to a FSIS.
Several riser system configurations are discussed below to illustrate what OSD would consider to be appropriate overpressure protection arrangements where there is a likelihood of say > 0.1 of multiple deaths of say > 10 persons in the event of a riser system rupture. These configurations are listed in a hierarchy of descending order of inherent safety; note that HSE policy is a preference for inherent safety, refer to APOSC Principle 16 and SCR05 guidance para 136. Also note the PFEER ACOP reference to MHSWR para 38 which states that ‘it is best if possible to avoid a risk altogether’, and ‘to combat risks at source’. The guidance to the COMAH Regulations also discusses the ‘inherently safer approach’ as an important focus. Hence, the configurations higher in the list are recommended; an ALARP demonstration should show that each inherently safer option is not reasonably practicable before an option with less inherent safety is considered. This hierarchy is based, with some modifications in the light of experience, on that suggested by HSE Pipelines Inspectors since late 2002.
Configuration 1: Fully rated riser system designed for the worst case fault conditions in accordance with a recognised code such as BS EN 14161 (Ref 2) supported by BS PD 8010-2 (Ref 1) – i.e. the riser system design pressure at or above the maximum possible pressure (usually CITHP or pipeline maximum burst pressure). Adherence to such a code gives confidence that all of the forces acting on the system have been considered and that the design is conservative. A fully rated system does not require a FSIS or any other instrumented trip function for overpressure protection, though trip functions are likely to be required for other reasons.
Configuration 2: Riser system protected by a self-acting full-flow pressure relief system (e.g. relief valve) plus an overpressure trip function set no higher than the code rating of the protected system. Note that relief valves deliver their primary safety function by different means than an instrumented function, and therefore have different failure modes from instrumented trips; this gives the combination of a process trip + RV a useful degree of diversity lacking in a solution wholly dependent on instrumented systems. This configuration does not require an additional FSIS, but the integrity of the process trip/ESD should be formally managed as discussed in BS IEC 61511 – in practice, a very low SIL, perhaps below SIL 1, is to be expected of the process trip/ESD. Note that for pipelines and risers designed to code, a riser designed for the same rating as a pipeline will normally have a higher burst pressure, so that in this configuration the pipeline may rupture preferentially, rather than the riser, if both layers of protection fail on demand. It is understood that the Kristin installation in Norwegian waters uses a PSV upstream of the riser ESDV (along with an SSIV which reduces the volume requiring relief).
Configuration 3: Riser system designed to a ‘no damage’ criterion, i.e. by engineering assessment it is expected not to be stressed beyond yield, and not to leak, if subjected to the maximum possible pressure. The pipeline rating is no higher than the riser system rating. Overpressure protection provided by an appropriate FSIS as a backup to the process trip/ESD system is required; each system is to be capable of independently isolating the over-pressure hazard. The FSIS may have a modest SIL, and the additional layers of protection listed in para 38 should be considered.
Configuration 4: Riser system designed to a ‘no burst’ criterion, i.e. by engineering assessment a low probability of leak or rupture is expected, typically <0.05, if subjected to the maximum possible pressure. The pipeline rating is no higher than the riser system rating. Overpressure protection provided by an appropriate FSIS as a backup to the process trip/ESD system is required; each system is to be capable of independently isolating the over-pressure hazard. The FSIS may have a medium SIL, and some of the additional layers of protection listed in para 38 should be provided.
Configuration 5: The maximum possible pressure exceeds the pipeline burst pressure, but a riser rupture is not expected as it has a somewhat higher burst pressure than the pipeline. The FSIS will have a very high integrity requirement, partly to protect the pipeline for commercial and environmental reasons. Many of the additional layers of protection listed in para 38 should be provided. This configuration is considered to have poor inherent safety and should be avoided unless the riser system protection provides a substantial assurance that riser overpressure is very unlikely. It should attract attention at the safety case assessment stage and in operation. The SIL requirement of the FSIS will be very high, but any proposal for a SIL 4 FSIS should be resisted strongly as there is no precedent for any such SIL 4 function on the UKCS and so there is no evidence that the practicalities of guaranteeing such a high standard of performance in service can be dealt with; support from OSD3.5 should be sought.
Configuration 6: Similar to Configuration 5, but with uniform pressure containment capability throughout, so that the location of any rupture is unpredictable. A FSIS will be required, and will have a very high integrity requirement, partly to protect the pipeline for commercial and environmental reasons. Many of the additional layers of protection listed in para 38 should be provided. This configuration is considered to be highly undesirable, and should attract considerable attention at the safety case assessment stage and in operation. The SIL requirement of the FSIS will be very high, but any proposal for a SIL 4 FSIS should be resisted strongly as there is no precedent for any such SIL 4 function on the UKCS and so there is no evidence that the practicalities of guaranteeing such a high standard of performance in service can be dealt with; support from OSD3.5 should be sought.
Configuration 7: The riser system burst pressure is below the maximum possible pipeline pressure and rupture is probable at the riser system (e.g. where it is the weakest link, say a pre-installed riser of inadequate rating). It is considered that this arrangement is seriously flawed and should be resisted strongly – instrumentation should not be the only defence against a potentially catastrophic hazard where practicable alternatives exist (in this example, redesign of the pipeline); support from OSD3.5 should be sought.
In determining the maximum possible burst pressure of the pipeline, the specified maximum thickness and material properties of the pipeline, or more accurately, measured actual maxima on a joint by joint basis, may be used. Specified minima for the riser, or indeed measured actual minima on a joint by joint basis, could be used to determine the minimum ‘no damage’ or burst pressure of the riser system. Where the maximum possible burst pressure of the pipeline is lower than the minimum possible ‘no damage’ pressure of the riser system (i.e. configuration 3), or below the minimum possible burst pressure of the riser system by a satisfactory margin (i.e. configuration 4), it is likely that in the event of a pressure protection system failure on demand, the pipeline section (at a safe distance from the installation) would fail preferentially, rather than the riser. Where credit is taken for the corrosion allowance in these calculations, an inspection regime will be required, e.g. to demonstrate that the burst strength of the riser system declines no more quickly than the CITHP or the maximum possible pipeline burst pressure.
All codes require risers to be hydrotested at 1.5 x design pressure, but carrying out a hydrotest beyond 1.5 x design pressure (though not beyond yield) would raise confidence in the analysis.
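The hierarchy of configurations 1 to 7 and the pipeline-versus-riser strength comparison described above can be expressed as a decision procedure. The following is an added illustration, not part of the SPC; the field names, the 'margin' and 'uniform_tol' parameters and the sample pressures are assumptions, and the corrosion check at the end implements the inspection requirement (riser burst strength must not decline faster than the threat pressure) in the simplest way.

```python
from dataclasses import dataclass


@dataclass
class RiserSystem:
    """Pressures in one consistent unit (e.g. barg). Field names are assumed."""
    p_max: float                # maximum possible pressure (usually CITHP)
    riser_design: float         # riser system code design pressure (rating)
    pipeline_rating: float      # pipeline code design pressure (rating)
    pipeline_burst_max: float   # max possible pipeline burst pressure (max wall/material)
    riser_no_damage_min: float  # min 'no damage' pressure of riser system (no yield, no leak)
    riser_burst_min: float      # min possible riser system burst pressure
    full_flow_relief: bool = False  # self-acting full-flow relief (e.g. RV) fitted


# FSIS requirement the hierarchy attaches to each configuration.
FSIS_REQUIREMENT = {
    1: "none for overpressure (fully rated)",
    2: "none; process trip/ESD + relief valve, trip integrity managed to BS EN 61511",
    3: "FSIS of modest SIL as backup to process trip/ESD",
    4: "FSIS of medium SIL plus some additional layers of protection",
    5: "FSIS of very high SIL (not SIL 4); poor inherent safety, seek OSD3.5 support",
    6: "FSIS of very high SIL (not SIL 4); highly undesirable, seek OSD3.5 support",
    7: "seriously flawed: instrumentation would be the only defence, redesign",
}


def classify(s: RiserSystem, margin: float = 1.1, uniform_tol: float = 0.05) -> int:
    """Return the configuration number (1 = most inherently safe, 7 = least).

    'margin' is the assumed 'satisfactory margin' by which the pipeline must
    burst before the riser for configuration 4; 'uniform_tol' is the assumed
    band within which pipeline and riser burst pressures count as uniform.
    """
    # 1: fully rated to the maximum possible pressure, no FSIS needed.
    if s.riser_design >= s.p_max and s.pipeline_rating >= s.p_max:
        return 1
    # 2: self-acting full-flow relief plus process trip, no FSIS needed.
    if s.full_flow_relief:
        return 2
    # The riser can only see the lower of p_max and the pressure at which the
    # pipeline section (at a safe distance) would burst first.
    threat = min(s.p_max, s.pipeline_burst_max)
    if s.pipeline_rating <= s.riser_design:
        if s.riser_no_damage_min >= threat:
            return 3   # no yield, no leak at the maximum pressure it can see
        if s.riser_burst_min >= threat * margin:
            return 4   # low rupture probability, pipeline fails preferentially
    # 5 to 7: the riser may rupture; where is the weakest link?
    if s.riser_burst_min < s.pipeline_burst_max * (1 - uniform_tol):
        return 7       # riser system is the weakest link
    if s.riser_burst_min <= s.pipeline_burst_max * (1 + uniform_tol):
        return 6       # uniform strength, rupture location unpredictable
    return 5           # riser somewhat stronger than pipeline, margin not satisfactory


def assess(s: RiserSystem, **kw) -> tuple:
    """Configuration number plus the FSIS requirement attached to it."""
    cfg = classify(s, **kw)
    return cfg, FSIS_REQUIREMENT[cfg]


def inspection_margin_ok(riser_burst_history, threat_history) -> bool:
    """Corrosion-allowance check: across successive inspections (time-ordered,
    equal-length lists) the margin between riser burst strength and the threat
    pressure (CITHP or max pipeline burst) must not shrink."""
    margins = [rb - th for rb, th in zip(riser_burst_history, threat_history)]
    return all(later >= earlier for earlier, later in zip(margins, margins[1:]))
```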
Moves away from pure inherent safety can reduce CAPEX on the pipeline and riser system, but could require higher OPEX on testing and maintenance of the FSIS, plus more CAPEX and OPEX on any additional layers of protection.
In any situation where a FSIS is proposed, the SIL of that function should be formally calculated, e.g. according to the EIC guidance (Ref 9), typically based on the demand rate and the consequences of a FSIS failure to act, and will depend on the option chosen for the riser system configuration. The integrity of the process trip/ESD should be managed as discussed in BS EN 61511 and the EIC guidance, so as to provide a basis for the demand rate element of the SIL calculation of the FSIS performance standard.
Note that if the process trip/ESD and FSIS were both to fail on demand, a higher than normal pressure may reach the riser ESDV and pose an increased hazard, e.g. in the event of an incident unrelated to the riser overpressure protection failure (such as failure due to severe weather). Thus, in achieving an overall ALARP solution, an under-rated riser system may increase the overall risk to personnel by virtue of the large inventory involved, and may therefore affect the ALARP solution for topsides systems such as ventilation, fire and gas detection, and deluge release on gas detection, all with associated CAPEX and OPEX implications.
Whatever riser system configuration is adopted, normal operating pressure including normal excursions should be within the code rating of the entire pipeline and riser system.
The following additional layers of protection, listed in no particular order, may need to be addressed in the overall ALARP demonstration; it is to be expected that a riser configuration with less inherent safety will require more of them to be implemented. A sensitivity analysis might be helpful in identifying those measures or combinations of measures which produce the greatest benefit at acceptable cost.
A FSIS for protecting pipeline/risers from well pressure is conceptually simple. The source of pressure, i.e. CITHP, is isolated when overpressure is detected. Depending on SIL requirement, multiple isolation valves and multiple sensors (e.g. either 1 out of 2 or 2 out of 3 voting) may be required to meet the required availability and the architectural constraints of BS IEC 61511.
Fig 4 illustrates a conceptual structure which meets SIL 3, but note that in practice the pressure transducers may be located differently, e.g. one or two may be between the shut-off valves, and that there may be other valves to allow ancillary functions (in addition to the main overpressure protection function) such as testing, flushing, manual isolation, and the safe blowdown of any locked-in inventories. The pressure transducers may be of diverse types, including a non-intrusive type.
It should be noted that API Recommended Practice 14 C (ref 7 Appendix A - Process Component Analysis para. A.220.127.116.11) prescribes that a single shut down valve with a single independent pressure sensor and relay is an acceptable alternative to a pressure relief valve for pipeline protection, depicted in Fig A-1.3 of API RP 14C. This arrangement cannot achieve a high SIL and cannot meet the architectural constraints required by BS EN 61511 for high SILs. However, the arrangement may be considered where a low SIL is acceptable. Note that the risk based methodology of BS EN 10418:2003 (ref 10) calls for the application of BS EN 61511 in the specification of instrument-based secondary overpressure protection systems.
It is recommended that the FSIS shut down valves be dedicated to the FSIS function; certainly, credit for shut off functionality (whether automatic or manual) should be taken only once per valve – e.g. it is not legitimate to take credit in the FSIS SIL calculation for the same valves which are part of the wellhead ESD function.
The integrity required for an FSIS function is determined by the ALARP principle, overall risk targets, and engineering judgement. Considerations of ALARP and target SIL for a FSIS require difficult judgements of tolerable risk, of how to partition risk reduction across other layers of protective functionality, and of safety benefits and costs. The cost of instrumented protective functions increases rapidly with integrity level, while the benefit in terms of further risk reduction diminishes because a large proportion of the uncontrolled risk has already been protected against. (Note that well CITHP may decline very rapidly, and this will have an impact on the benefit element of ALARP calculations.) An ALARP case should consider both the CAPEX savings and the OPEX costs arising from the use of FSIS. What is clear is that a simple calculation will not suffice for high consequence, low probability events such as the rupture of a riser; QRA is recommended, along with professional judgement and current good practice as defined in this document. If the resulting required SIL is higher than 3, the overall required risk reduction should be redistributed across other measures – it is the view of HID OSD that a SIL higher than 3 calls into question the validity of the basic design concept, and that SILs higher than 3 cannot be assured in practice.
Furthermore, to achieve higher SILs there would be a need for increased testing and maintenance. Where required, this intervention can itself have a detrimental risk impact because of the need for additional helicopter flights, work on an NUI, or work subsea.
Calculation of the SIL achievable by a FSIS appears to be a deceptively simple matter based on reliability data, though this is sparse and subject to some uncertainties. There is a problem with common cause failure, e.g. hydrate formation in the valves. 'Beta factors' used to quantify the likelihood of common cause failure mechanisms are at best uncertain. Note that the FSIS uses the same technology as the primary instrumented trip, so that these two layers of protection will always have common cause failure mechanisms which need to be addressed.
Note that for a FSIS to be effective, it must operate sufficiently rapidly to prevent overpressure. Often the line pack time is measured in hours, where this is unlikely to be a practical issue, but there are cases where the FSIS is required to close more rapidly (e.g. a liquids pipeline), and the required closure time should be calculated and accommodated in the design; facilities to measure closure time with sufficient accuracy should also be incorporated, especially where the required closure time is short. Note that hydraulic hammer may be an issue with rapid valve closure.
It is important to design the FSIS such that it defaults to a state of least danger on fault conditions where this property is easily designed-in (e.g. failure detected by electronic self-test), as well as to design for failure to safety on electric power failure and hydraulic power failure - thus e.g. spring return shut off valves are recommended.
A difference between traditional subsea control and topsides control is that some solenoid valves used in subsea control use pulses of power to switch between two stable states, and so do not fail safe on loss of electrical power. It is recommended that the overall FSIS function be designed to fail safe rapidly on loss of electrical power or electrical control signal to the subsea HIPPS, so fail safe solenoid valves are preferred.
A hydraulic dump valve to speed up 'failure to safety' on loss of hydraulic power supply should be considered, as otherwise valve closure could take a long time while hydraulic fluid flows back to the supply.
The basic function of the remote FSIS (whether subsea or on a NUI) should be autonomous, with no inhibit facility; there may be advantages in latching the tripped state.
The basic FSIS function logic solver should preferably be non-programmable. If the target integrity for the FSIS function is SIL 3 and a programmable logic solver is proposed, then whatever combination of software lifecycle specification, design, program coding, verification and validation techniques has been used, that combination should demonstrably, reliably and reproducibly have resulted in software compatible with SIL 3 performance, i.e. the software methodology is mature, widely used and supported by extensive field evidence, and conforms with BS 61508.
There are certain ancillary functions which are likely to be useful, though such functions should be designed so that they are not capable of interfering with the basic function of the FSIS. For example, the relevant installation(s) may have read-only supervisory communications; typically, this function should be able to read pressures and valve positions (including bypass valves, methanol injection valves), etc.
There may not be a pressure transmitter upstream of the import riser ESDV; thus in the event of an ESDV closure, the only means of determining pipeline pressure may be from subsea data transmitted by communications link. Where this comms link fails, the data will become unavailable and the status of pipeline and riser system protection would be unknown. Hence there will generally be merit in an autonomous well/manifold ESD trip after a 'time-out' in the event of a communications failure.
It may be desirable to have a trip function capable of being operated from the protected (host) installation, a FSIS reset function, and a function to force any component (e.g. pressure transmitter) to the safe state; there is no objection to implementing these ancillary functions in programmable logic.
Start up bypass valves can be required to bleed down locked-in pressure, or to reduce the differential pressure across the FSIS shut off valves. Control of start up bypass valves around FSIS valves should be interlocked so that FSIS protection cannot be lost.
Other useful ancillary functions include valve position checks and discrepancy checks between pressure transmitter readings.
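The basic function and the ancillary functions described in the preceding paragraphs (2oo3 voting, fail-safe on self-detected fault, autonomous trip on comms time-out, latched trip with host reset, force-to-safe-state of a transmitter, discrepancy check, and a start-up bypass interlock) can be modelled as a small state machine. This is an added behavioural model for illustration, not any duty holder's logic solver design, and the specific interlock rules (a forced-safe transmitter votes to trip; the bypass is refused while any transmitter reads at or above the set point) are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Fsis:
    set_point: float            # trip pressure, no higher than riser system code rating
    discrepancy: float          # max allowed spread between healthy transmitter readings
    comms_timeout_s: float      # autonomous trip after this long without comms
    tripped: bool = False       # latched trip state; cleared only by explicit reset
    bypass_open: bool = False   # start-up bypass around the FSIS shut-off valves
    last_comms_s: float = 0.0
    forced_safe: set = field(default_factory=set)   # transmitter indices forced safe

    def force_safe(self, idx: int) -> None:
        """Ancillary function: a transmitter forced to the safe state votes 'trip'."""
        self.forced_safe.add(idx)

    def _trip_votes(self, readings) -> int:
        return sum(1 for i, p in enumerate(readings)
                   if i in self.forced_safe or p >= self.set_point)

    def _discrepant(self, readings) -> bool:
        healthy = [p for i, p in enumerate(readings) if i not in self.forced_safe]
        return len(healthy) >= 2 and max(healthy) - min(healthy) > self.discrepancy

    def _comms_lost(self, now_s: float) -> bool:
        return now_s - self.last_comms_s > self.comms_timeout_s

    def step(self, now_s: float, readings, comms_ok: bool) -> dict:
        """One logic-solver scan. Trips latch; alarms are diagnostic only."""
        if comms_ok:
            self.last_comms_s = now_s
        reasons = []
        if self._trip_votes(readings) >= 2:          # 2oo3 voting on pressure
            reasons.append("overpressure 2oo3")
        if self._comms_lost(now_s):                   # autonomous, no inhibit facility
            reasons.append("comms time-out")
        alarms = []
        if self._discrepant(readings):                # reported via read-only supervisory link
            alarms.append("transmitter discrepancy")
        if reasons:
            self.tripped = True
            self.bypass_open = False                  # interlock: bypass closes on trip
        return {"tripped": self.tripped, "reasons": reasons, "alarms": alarms}

    def request_bypass(self, readings) -> bool:
        """Start-up bypass is permitted only with the FSIS healthy and no demand
        present, so protection cannot be lost through the bypass."""
        if self.tripped or self._trip_votes(readings) >= 1:
            return False
        self.bypass_open = True
        return True

    def reset(self, now_s: float, readings, comms_ok: bool) -> bool:
        """Host-installation reset: clears the latch only once the demand has gone."""
        if comms_ok:
            self.last_comms_s = now_s
        if self._trip_votes(readings) >= 2 or self._comms_lost(now_s):
            return False
        self.tripped = False
        return True


def demo_overpressure():
    """Constructed scan sequence: normal, two of three transmitters high,
    pressure falls again (trip stays latched), then host reset."""
    f = Fsis(set_point=300.0, discrepancy=10.0, comms_timeout_s=600.0)
    a = f.step(0.0, [250.0, 252.0, 249.0], True)
    b = f.step(60.0, [310.0, 305.0, 250.0], True)
    c = f.step(120.0, [250.0, 250.0, 250.0], True)
    return a, b, c, f.reset(180.0, [250.0, 250.0, 250.0], True)
```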
Because of the difficulty and risks associated with personnel access to the types of remote FSIS being considered, certain SMS issues are especially relevant. In particular, remote monitoring of operational performance, demand rate and component failures should be carefully considered as part of the design. A properly developed strategy should be in place to cater for severe problems such as transmitter failure, loss of communications or loss of a test facility such as valve position indication. There may be advantages in employing additional redundancy so that the fault tolerance criterion continues to be met under chosen fault conditions.
Subsea transmitters cannot normally be calibrated in situ (calibration normally involves checks at e.g. 0%, 20%, 100% of range, both rising and falling, to check for linearity, hysteresis, repeatability etc), but proof/bump tests of sufficient accuracy, at the set point, should be carried out.
Periodic partial closure tests of FSIS valves address the control circuit, solenoid valve and some failure modes of the FSIS valve itself, and so have useful diagnostic coverage, perhaps of the order of 50%. However, partial closure tests do not confirm that the valve will close fully, nor the stroke time for that operation, nor the leak rate in the closed state; it is therefore necessary for some periodic tests to involve full closure. An automated regime may be the only practical way to confirm correct operation. These restrictions should be considered in the reliability calculations.
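The SIL calculation, beta-factor common cause treatment and partial-closure test credit discussed above (paras on SIL determination, common cause failure and proof testing) can be carried through numerically. This is an added worked example, not from the SPC or the EIC guidance: it uses the simplified low-demand PFDavg formulas of the IEC 61508-6 style (repair time neglected), models the partial-closure test as a coverage-weighted effective test interval (an approximation), and the failure rates and intervals are constructed illustrative values, not field data.

```python
HOURS_PER_YEAR = 8760.0

# Low-demand SIL bands by average PFD (BS EN 61511): (lower, upper, SIL).
SIL_BANDS = [(1e-4, 1e-3, 3), (1e-3, 1e-2, 2), (1e-2, 1e-1, 1)]


def pfd_1oo1(lam_du: float, t_i: float) -> float:
    """Simplified PFDavg of a single channel proof-tested every t_i hours."""
    return lam_du * t_i / 2


def pfd_1oo2(lam_du: float, t_i: float, beta: float) -> float:
    """1oo2 with beta-factor common cause: independent pair term + CCF term."""
    ind = (1 - beta) * lam_du
    return (ind * t_i) ** 2 / 3 + beta * lam_du * t_i / 2


def pfd_2oo3(lam_du: float, t_i: float, beta: float) -> float:
    """2oo3 voting: three independent pairs + CCF term."""
    ind = (1 - beta) * lam_du
    return (ind * t_i) ** 2 + beta * lam_du * t_i / 2


def effective_interval(t_full: float, t_partial: float, coverage: float) -> float:
    """Partial-closure tests with diagnostic coverage 'coverage' every t_partial
    hours catch that fraction of dangerous undetected failures early; the rest
    wait for the full-closure test. Approximation: coverage-weighted interval."""
    return coverage * t_partial + (1 - coverage) * t_full


def sil_from_pfd(pfd: float) -> int:
    """0 = below SIL 1; 4 = claim exceeds SIL 3 and should be redistributed."""
    if pfd < 1e-4:
        return 4
    for lo, hi, sil in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 0


def fsis_pfd(sensor_lam, sensor_beta, valve_lam, valve_beta, logic_lam,
             t_full, t_partial=None, coverage=0.0) -> dict:
    """Whole-loop PFDavg: 2oo3 transmitters, 1oo1 non-programmable logic
    solver, 1oo2 dedicated shut-off valves (credited once, as recommended)."""
    t_valve = effective_interval(t_full, t_partial, coverage) if t_partial else t_full
    sensors = pfd_2oo3(sensor_lam, t_full, sensor_beta)
    logic = pfd_1oo1(logic_lam, t_full)
    valves = pfd_1oo2(valve_lam, t_valve, valve_beta)
    return {"sensors": sensors, "logic": logic, "valves": valves,
            "total": sensors + logic + valves}


# Constructed illustrative values (failures per hour), not field data.
EXAMPLE = dict(sensor_lam=5e-7, sensor_beta=0.05, valve_lam=2e-6, valve_beta=0.10,
               logic_lam=5e-8, t_full=HOURS_PER_YEAR)


def example_assessment() -> dict:
    """Compare annual full-closure testing alone with quarterly partial-closure
    tests of ~50% coverage added; the CCF term dominates the valve subsystem."""
    without = fsis_pfd(**EXAMPLE)
    with_pst = fsis_pfd(**EXAMPLE, t_partial=HOURS_PER_YEAR / 4, coverage=0.5)
    return {"no_pst": without["total"], "no_pst_sil": sil_from_pfd(without["total"]),
            "pst": with_pst["total"], "pst_sil": sil_from_pfd(with_pst["total"])}
```

With these constructed numbers the loop only reaches the SIL 3 band once the partial-closure test credit is taken, which is exactly the kind of dependence on a proof-test regime that the inspection topics above are meant to surface.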
Where the HIPS valve closure time requirement is rapid, this time needs to be measured accurately, and any loss of performance managed.
The required HIPS valve leakage rate should be specified, and measured on full closure test; any loss of performance should be managed.
Any maintenance of a subsea FSIS is likely to need ROV or diver intervention. Thus as many components, or whole modules, as reasonable should be diver/ROV replaceable. Instrument isolation valves should be considered for pressure transmitters, even though they result in a greater potential for failure.