Some flawed thinking

I recently came across a Safety Integrity Level (SIL) review of a high level trip on a production separator. Neither the relief valve nor the pressure control valve to flare off the top of the separator is sized for multiphase relief in the event that the liquid outlet becomes blocked and the vessel overfills. These protective devices will therefore not stop the vessel overpressuring, especially as the upstream pressure from the wells is several times the design pressure of the separator. So you would think that the high level trip is quite important and intuitively should have a high SIL requirement.

The trip was assessed by Layer of Protection Analysis (LOPA). And this is where the flawed thinking arises. In the assessment, the worst case consequence was assumed to be an overpressure less than the corrected hydrotest pressure of the vessel, on the basis that the relief valve and the pressure control valve would open and allow partial pressure relief. So credit is implicitly being taken for protective layers acting to limit the consequence. That’s bad enough logic, but it is then further compounded by claiming a probability of failure on demand (PFD) of 1 in 100 for the relief valve as an independent protective layer (IPL), in effect taking double credit for the relief valve. The end result is a low SIL requirement.

A correct assessment of the situation needs to start with the unmitigated consequence in the absence of any layers of protection – what’s the worst case pressure the vessel can experience, and will it rupture? How often is this event likely to happen based on failure of the liquid level control? Then move on to consider what IPLs actually exist which fully mitigate the consequence. Clearly, if the relief valve and the pressure control valve are undersized for a blocked liquid outlet, no credit can be taken for them. Even though they may act to limit the extent of the overpressure, their failure to act (which is what LOPA assesses) results in the worst case consequence, and this needs to be considered in setting the SIL requirement for the high level trip.

LOPA is a simplified technique which can’t handle IPLs providing partial protection.  There are other tools to evaluate this such as fault trees.
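To make the difference concrete, here is a small LOPA calculation written for this post (it is an added example, not part of the original article and not the asset's own assessment). It runs the same high level trip scenario twice: once with the flawed bookkeeping, where the consequence is downgraded to "below hydrotest pressure" and the undersized relief valve is still credited as an IPL at a PFD of 1 in 100, and once with the unmitigated rupture consequence and no credit for the relief valve. The initiating event frequency, the tolerable target frequencies and the PFD values are constructed illustrative numbers, not data from the review described above; the SIL bands are the low-demand PFDavg ranges from IEC 61508/61511.

```python
"""LOPA arithmetic for a high level trip: flawed assessment beside the corrected one.

Added example, not from the original post. All frequencies, targets and PFDs
are constructed illustrative values. SIL bands are the IEC 61508/61511
low-demand PFDavg ranges (SIL 1: 1e-2 <= PFD < 1e-1, ..., SIL 4: 1e-5 <= PFD < 1e-4).
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class IPL:
    name: str
    pfd: float
    fully_mitigates: bool  # LOPA may only credit an IPL that prevents the worst-case consequence


@dataclass
class Scenario:
    consequence: str
    initiating_event_freq: float  # demands per year (here: level control failure causing overfill)
    target_freq: float            # tolerable frequency of the stated consequence, per year
    ipls: List[IPL] = field(default_factory=list)


def sil_from_pfd(pfd: float) -> int:
    """Map a required PFDavg to a SIL band; 0 means no SIL requirement."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    if pfd >= 1e-5:
        return 4
    raise ValueError("required PFD is below the SIL 4 band: redesign rather than rely on one SIF")


def required_sif_pfd(s: Scenario, credit_partial_ipls: bool) -> float:
    """Frequency reaching the SIF = IEF x product of credited IPL PFDs.

    The SIF's required PFD is then target / (frequency reaching the SIF), capped at 1.
    With credit_partial_ipls=False, an IPL that only limits the consequence is ignored,
    which is the correct LOPA treatment of an undersized relief valve.
    """
    freq_reaching_sif = s.initiating_event_freq
    for ipl in s.ipls:
        if ipl.fully_mitigates or credit_partial_ipls:
            freq_reaching_sif *= ipl.pfd
    return min(1.0, s.target_freq / freq_reaching_sif)


def assess(s: Scenario, credit_partial_ipls: bool) -> Tuple[float, int]:
    pfd = required_sif_pfd(s, credit_partial_ipls)
    return pfd, sil_from_pfd(pfd)


# Constructed values for the worked comparison (not taken from the review discussed).
IEF = 0.1  # level control failure leading to overfill, per year
RELIEF_VALVE = IPL("relief valve, undersized for multiphase relief", pfd=1e-2, fully_mitigates=False)

# Flawed: consequence downgraded to "below hydrotest", so a less stringent target is applied,
# and the relief valve is credited again as an IPL (double credit).
FLAWED = Scenario("overpressure below corrected hydrotest pressure", IEF, target_freq=5e-5,
                  ipls=[RELIEF_VALVE])

# Correct: unmitigated consequence is rupture, with its own tighter target, and no IPL credit.
CORRECT = Scenario("vessel rupture (unmitigated)", IEF, target_freq=2e-5, ipls=[RELIEF_VALVE])


def flawed_assessment() -> Tuple[float, int]:
    return assess(FLAWED, credit_partial_ipls=True)


def correct_assessment() -> Tuple[float, int]:
    return assess(CORRECT, credit_partial_ipls=False)


if __name__ == "__main__":
    for label, (pfd, sil) in (("flawed", flawed_assessment()), ("correct", correct_assessment())):
        print(f"{label:8s} required SIF PFD = {pfd:.2e}  ->  SIL {sil if sil else 'none'}")
```

With these numbers the flawed route lands on SIL 1 and the corrected route on SIL 3 for the same trip; the two-band gap comes entirely from where the consequence line is drawn and whether a partially effective layer is counted, which is the point the post makes. The `fully_mitigates` flag is the rule to carry into a real assessment: a layer that only softens the outcome does not reduce the frequency of the outcome LOPA is sizing the trip against.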

Always guard against the tendency to “bend” the rules of a particular technique beyond the bounds of its validity and end up with flawed thinking about an issue. It might be more painful to use a more sophisticated technique but the answer will be robust.

The need to get uncomfortable with the current reality

I’ve been chairing some Safety Integrity Level (SIL) assessments recently for an offshore asset in the North Sea of late 1980s vintage. There have been multiple changes over the years, with several subsea tiebacks added. Nothing out of the ordinary in that per se. However, what I’ve found intriguing is the preservation of past design standards alongside current standards on the one platform. For example, the high pressure/low pressure (HP/LP) interfaces on the original production separators are only protected by the downstream relief valve on the low pressure separator, and there is only a control valve at the interface – no independent shutdown valve to isolate the segments and no low level trip on the upstream vessel to prevent gas blowby. It’s 2019, with no apparent attempt to incorporate lessons learned from the Grangemouth Hydrocracker explosion in 1987: http://www.hse.gov.uk/comah/sragtech/casebpgrang87b.htm

Alongside this design, there are several high integrity pressure protection systems (HIPPS) protecting the HP/LP interface between the subsea systems and topsides reception facilities. These use a mixture of reactive and permissive type voted pressure trips acting on multiple shutdown valves to protect against failures which could result in the downstream relief valves being overwhelmed. Each subsequent subsea tieback seems to incorporate increasingly complex shutdown logic to accomplish the same protection. It took me the best part of a day to get to grips with the logic protecting one HP/LP interface – this may suggest it’s too complicated, which can be counter-productive in the long run.

This illustrates one of the challenges with managing change on old assets – simultaneously justifying the acceptance of outdated and vulnerable safety systems alongside the adoption of overly complex ones, and thinking that risk has been satisfactorily reduced to as low as reasonably practicable.

Sometimes it’s worth taking time out to step back from the details of one specific system and to experience some discomfort about the reality of the situation to think more clearly about the overall design – is the protection in the right place, to the correct standard, and of appropriate complexity?