I’ve been chairing some Safety Integrity Level (SIL) assessments recently for an offshore asset in the North Sea of late 1980’s vintage. There have been multiple changes over the years with several subsea tiebacks added. Nothing out of the ordinary in that per se. However, what I’ve found intriguing is the preservation of past design standards alongside current standards on the one platform. For example, the high pressure/low pressure (HP/LP) interfaces on the original production separators are only protected by the downstream relief valve on the low pressure separator, and there is only a control valve at the interface – no independent shutdown valve to isolate the segments and no low level trip on the upstream vessel to prevent gas blowby. It’s 2019 with no apparent attempt to incorporate lessons learned from the Grangemouth Hydrocracker explosion in 1987: http://www.hse.gov.uk/comah/sragtech/casebpgrang87b.htm
Alongside this design, there are several high integrity pressure protection systems (HIPPS) protecting the HP/LP interface between the subsea systems and topsides reception facilities. These use a mixture of reactive and permissive type voted pressure trips acting on multiple shutdown valves to protect against failures which could result in the downstream relief valves being overwhelmed. Each subsequent subsea tieback seems to incorporate increasingly complex shutdown logic to accomplish the same protection. It took me the best part of a day to get to grips with the logic protecting one HP/LP interface – this may suggest it’s too complicated, which can be counter-productive in the long run.
This illustrates one of the challenges with managing change on old assets – simultaneously justifying the acceptance of outdated and vulnerable safety systems alongside the adoption of overly complex ones and thinking risk has been satisfactorily reduced as low as reasonably practicable.
Sometimes it’s worth taking time out to step back from the details of one specific system and to experience some discomfort about the reality of the situation to think more clearly about the overall design – is the protection in the right place, to the correct standard, and of appropriate complexity?