NG50-2-300-SPS-TR-AB-30-0132

AKPO Field Development Project (OML 130)
Subsea Production Systems (SPS)
Contract No. APO/C007/03
2 6 NOV 07 IFI Issued for Information A Moore C. Kochenower

1 22 DEC 06 IFI Issued for Information A Moore C. Kochenower
0 24 JUL 06 IFI Issued for Information A Moore C. Kochenower
- 08 JUL 06 R Issued for IDC A Moore C. Kochenower
Status
Rev Date Reason for Issue Originator Approved
Code
Document Title:
FMEA Report
Document Number: NG50-2-300-SPS-TR-AB-30-0132

PAGE 1 OF 182
Cameron Document No. X-219400-01-78 REV. 05
Originated By Date Rev Cameron Document No.
A Moore 6 NOV 07 05 X-219400-01-78
Approved By Date Rev Total Document No.
C. Kochenower 6 NOV 07 02 NG50-2-300-SPS-TR-AB-30-0132
Page 2 of 182
TABLE OF CONTENTS
1 INTRODUCTION......................................................................................................................4
1.1 Purpose ......................................................................................................................................4
1.2 Objectives ...................................................................................................................................4
1.3 Scope and Boundary ..................................................................................................................4
2.0 CONTROL SYSTEM CONFIGURATION ................................................................................6
2.1 Hydraulics ...................................................................................................................................6
2.2 Power & Control..........................................................................................................................7
3.0 METHODOLOGY.....................................................................................................................8
3.1 Overview.....................................................................................................................................8
3.2 Format ........................................................................................................................................8
3.3 Failure Criteria ............................................................................................................................9
3.3.1 Overview ..........................................................................................................................9
3.3.2 HPU Loss of Hydraulic Supply .........................................................................................9
3.4 Technical Review......................................................................................................................10
4.0 FMEA RESULTS ...................................................................................................................11
4.1 Overview...................................................................................................................................11
4.2 Data-sheets ..............................................................................................................................11
4.3 Single Point Failure – Safety Related .......................................................................................12
4.4 Single Point Failure – Production Related ................................................................................12
4.5 Connectivity Arrangements.......................................................................................................16
4.5.1 Redundant Failures ........................................................................................................16
4.5.2 Dormant Failure Modes..................................................................................................16
4.5.3 Hold for Repair ...............................................................................................................16
5.0 AKPO SUB-SYSTEM CONTROLS CHARACTERISTICS ....................................................24
5.1 Overview...................................................................................................................................24
5.2 Subsea Controls Distribution ....................................................................................................24
5.2.1 Electrical.........................................................................................................................24
5.2.2 Hydraulics.......................................................................................................................24
5.2.3 Methanol.........................................................................................................................24
5.2.4 Chemical Lines – Corrosion/Scale/Wax Inhibitor & Anti-Asphaltene .............................25
5.2.5 Sparing in the Chemical & Methanol Systems ...............................................................25
5.3 Tree Subsea Control Module (SCM) ........................................................................................26
5.4 Hydraulic Power Unit (HPU) .....................................................................................................26
5.5 Subsea Control unit (SCU) .......................................................................................................26
5.5.1 MCS Communications Server ........................................................................................27
5.5.2 Network Switch Units .....................................................................................................27
5.5.3 PLC ................................................................................................................................27
5.5.4 Delta V Stratus Server....................................................................................................27
5.5.5 Delta V Workstation........................................................................................................27
5.5.6 MCS Workstation EWS SCS 3.......................................................................................28
6.0 CONCLUSIONS.....................................................................................................................29
7.0 RECOMMENDATIONS ..........................................................................................................30
7.1 General .....................................................................................................................................30
7.2 Safety Related ..........................................................................................................................30
7.3 Production Related ...................................................................................................................30
7.4 Operability Related ...................................................................................................................30
7.5 RAM Analysis ...........................................................................................................................30
8.0 GLOSSARY OF RAM TERMS ..............................................................................................31
A Moore 6 NOV 07 05 X-219400-01-78
Page 3 of 182
LIST OF TABLES
Table 1 – FMEA Tabular Format ........................................................................................................... 8
Table 2 - Safety Related Single Point Failures .................................................................................... 12
Table 3 - Production Related Single Point Failures ............................................................................. 13
Table 4 - Redundant Failures Including Dormancy and Hold For Repair ............................................ 17
Table 5 - Glossary of RAM Terms ....................................................................................................... 31
Table 6 – Equipment subjected to FMEA ............................................................................................ 32
Table 7 – Summary of FMEA Worksheets........................................................................................... 36
A Moore 6 NOV 07 05 X-219400-01-78
Page 4 of 182
1 INTRODUCTION
1.1 PURPOSE
The purpose of the FMEA has been to examine and determine the impact on system
availability of the failure modes of individual items of the AKPO subsea controls equipment
and trees, in order to identify the associated failure effect and to determine the overall risk to
the project.
The findings of this analysis will be used to enhance the RAM modelling process and to justify
the selected repair policy. To that end, the FMEA has examined the diagnosis policy and paid
particular attention to any operational limitations that may occur during the maintenance
process to restore the equipment function.
1.2 OBJECTIVES
The main objective of the FMEA toolset is to determine which components are the main
contributors to system unreliability/unavailability in terms of:
• Single point failure modes and associated failure frequency.
• Dormant failure.
• Hold for repair.
• Configuration issues/connectivity arrangements
• Providing the starting point for subsequent analyses such as RAM Modelling,
Support Policy and Spares Analysis.
Any safety related issues would be identified, collated and passed to the Control Systems
Engineer for validation and possible mitigation action.
1.3 SCOPE AND BOUNDARY

Cameron will implement the FMEA based on the generic equipment utilised by the Subsea
Controls System. Hence the FMEA will be undertaken on those items of the subsea control
system associated with the P40 Production Loop.
For the purposes of the FMEA, the scope of the AKPO subsea control system is from the
topsides located equipment (SCU, SCPU, and HPU) through to the DCV’s within the SCM.
Hence the FMEA will be undertaken on those elements of the subsea control required to
control a single tree or manifold.
• HPU (pumps, accumulators, ESD valves, isolation valves, relief valves etc)
• SCS (PLC’s, Modems, etc)
• SPCU (UPS, subsea output modules)
• SUT (LP hydraulic channel, HP hydraulic channel, Comms Channel, Power
Channel)
• HDU (LP hydraulic channel, HP hydraulic channel, Comms Channel, Power
Channel)
• EFL (Comms Channel, Power Channel)
A Moore 6 NOV 07 05 X-219400-01-78
Page 5 of 182
• HFL (LP hydraulic channel, HP hydraulic channel and chemical channels)

• Bridge Jumper (LP hydraulic channel, HP hydraulic channel and chemical
channels)
• Production Tree SCM (including LP and HP accumulators, SEM, VEM, LP
DCV’s, HP DCV’s, LP and HP shuttle valves)
• Manifold SCM (including LP accumulators, SEM, VEM, LP DCV’s, LP
shuttle valve)
A Moore 6 NOV 07 05 X-219400-01-78
Page 6 of 182
2.0 CONTROL SYSTEM CONFIGURATION
The control system for the AKPO subsea development is a multiplexed, electro-hydraulic
control system. In such a system, a microprocessor-based unit (two Subsea Electronics
Modules (SEM)) located inside the Subsea Control Electronics Module (SCM) is sent valve
command and data request transmissions from the topsides control system.
The SCM subsequently controls and monitors the subsea facilities by performing actions
based on these transmissions. Control is implemented via a “Comms on Power”
communication system whereby each SEM is connected to separate quad cables, to maintain
a high degree of fault tolerance.
Up to 2 Tree SEM channels are allocated to single pair of conductors and up to 4 Tree SEM
channels can be connected to a single Quad.
The FMEA and the RAM modelling of the AKPO subsea control system have utilised the
following technical criteria.
2.1 HYDRAULICS
The AKPO hydraulic system is comprised of duplicated LP and HP supplies generated in the
HPU and distributed to the SCM via Main & Infield Umbilicals/Dynamic and Infield SUT’s/HDU
and HFL’s as follows:
• HPU containing duplicated LP & HP pumps, accumulators and supply headers.
o LP Accumulators – 5 off
o HP Accumulator – 2 off
• Each Production Loop has a dedicated umbilical containing Dual LP & HP
Hydraulic feeds.
• Controls Bridge Jumper (1 off) between each DSUT to ISUT (dual LP & HP
hydraulic feeds within each Jumper).
• Hydraulic flying leads (2 off) between each SUT type and HDU (single LP & HP
hydraulic feeds within each HFL).
• Hydraulic flying leads (2 off) between each Tree and Manifold SCM and the
associated HDU (single LP & HP hydraulic feeds within each HFL).
• SCM
o Dual LP & HP hydraulic selector valves.
o Single LP & HP Shuttle Valves
o LP & HP directional control valves with dual solenoids.
o LP Accumulators – 3 off
o HP Accumulator – 1 off
• Manifold SAM - 1 off for each manifold, for manifold valve operations, (contains
dual banks of LP Accumulators).
• MCM
A Moore 6 NOV 07 05 X-219400-01-78
Page 7 of 182
o Dual LP hydraulic selector valves.

o Single LP Shuttle Valve
o LP directional control valves with dual solenoids.
2.2 POWER & CONTROL

The AKPO Power on Communication system is comprised of duplicated Power supplies and
communication channels originating in the SCS and distributed to the SCM via Main and
Infield Umbilicals/Dynamic and Infield SUT’s/HDU and EFL’s as follows:
• Dual SCS system with separate output channels.

• Dual electrical supply with separate output channels.
• Six separate “Comms on Power Quads” within each umbilical,
• Two separate “Comms on Power pairs of conductors within each Quad”.
• Controls electrical flying leads, 6 off between each DSUT and ISUT, each lead
contains two Comms on Power channels (two pairs of conductors).
• Controls electrical flying leads, 2 off between each SCM and a DSUT, each lead
contains a single Comms on Power channel (one pair of conductors).
• SCM Containing
• Dual SEM’s.
• Dual VEM’s.
A Moore 6 NOV 07 05 X-219400-01-78
Page 8 of 182
3.0 METHODOLOGY
3.1 OVERVIEW
The FMEA has been formulated to concentrate on the identification of key contributors of
equipment availability, where all 22 production wells are continuously active and available for
the life of the field to classify the overall system as being available. For the P40 Loop there are
4 active wells with a maximum capability of 12 wells should all the spares slots be utilised.
The FMEA has assessed each failure mode individually in terms of loss of functions, effect on
local and system performance, dormant failure modes, detection methods and the
consequential impact on the system of the subsequent repair solution.
The FMEA has specifically excluded:
• Multiple failures, and
• Secondary/consequential failure caused by other equipment failures
3.2 FORMAT
The FMEA has assessed the subsea controls system at the following levels:
• Sub-system
• Module
• Equipment
The FMEA has been implemented, utilizing MIL STD 1629A for guidance only, in a tabular
format, as described in Table 1 and has examined the effects of each failure at local and
system level.
Table 1 – FMEA Tabular Format
Heading Description
FM Ref: This provides a unique Failure Mode identification.
Failure Mode For each function, failure modes are identified and recorded. A failure mode is
(FM): defined as the manner by which a failure is revealed. All units are designed to fulfil
one or more functions; a failure is thus defined as non-fulfilment of one or more of
these functions.
CS Ref: This provides unique failure cause identification.
Causes (CS): The possible failure mechanisms (corrosion, erosion, fatigue, etc.) that may produce
the identified failure modes
Local Effect: The main effects of the identified failure modes on the localized parts.
System Effect: The main effects of the identified failure modes on the primary function of the FPSO
system and the resulting operational status of the system after the failure. It also
includes the impact of dormant failures and repair actions.
A Moore 6 NOV 07 05 X-219400-01-78
Page 9 of 182
Heading Description
Method of The various possibilities for detection of the identified failure modes. These may
Detection: involve different alarms, testing, human perception, and so on. Some failures are
called evident failures. Evident failures are detected instantly. Another type of failure
is called the dormant (hidden) failure.
A dormant failure is only revealed during testing of the unit or when a demand is
placed on the unit. Dormant failures are usually associated with protective systems
or systems that are inactive during normal operation. The failure mode “ESD
Solenoid fails to function” is an example of a dormant failure.
Mitigation/ Design features which limit the impact of failure, including possible actions to restore
Recovery: the function or prevent serious consequences.
Preferred methodologies to restore the failed item to full serviceability, details
include the nominated higher assembly for subsea located equipment (e.g. an SCM
would be retrieved in the event of a failure of a shuttle valve.)
Comments Additional field for comments arising from the analysis.
3.3 FAILURE CRITERIA
3.3.1 Overview
The FMEA has been carried out on the Cameron supplied AKPO subsea controls system, to
determine which components are the main contributors to system unreliability/unavailability.
The criteria that have been examined include:
• (SPF) Single point failures that impact on production.

• (SPF*) Single point failures that impact only on a significant subsystem with no
direct impact on production.
• (RF) Redundant Failures.
• Reliability Limitations.
• Partial redundancy.
• Dormancy.
• Maintenance/Intervention limitations including Hold for Repair.
3.3.2 HPU Loss of Hydraulic Supply

The FMEA has considered as a worst case scenario; that a loss of a hydraulic subsystem (LP
or HP) is a single point failure; although it is accepted that once the subsea system is in a
steady (fully charged) state; i.e. the HPU is used to make-up for losses / leakages within the
system. In addition, given the amount of topsides and subsea accumulation provided in the
system, The duty cycle of the pumps is expected to be infrequent.
A Moore 6 NOV 07 05 X-219400-01-78
Page 10 of 182
3.4 TECHNICAL REVIEW

The FMEA Worksheets have been compiled in conjunction with the design specialist for the
following types of equipment and approved:
• FPSO located equipment

• Subsea located control chain equipment
• SCM
Prior to the compilation of the body of the FMEA Report, the individual FMEA worksheets were
reviewed and assessed by the Control Systems Engineer, and his comments incorporated as
appropriate.
A Moore 6 NOV 07 05 X-219400-01-78
Page 11 of 182
4.0 FMEA RESULTS
4.1 OVERVIEW
The FMEA has been carried out on representative Cameron supplied AKPO subsea controls
system equipment, to determine which components are the main contributors to system
unreliability/unavailability.
The FMEA has been carried out on the Cameron supplied generic equipment types within the
subsea control system. For clarity the main umbilical has been included within the scope of the
Analysis.
The analysis has been carried out as the effects on the system of the constituent components
and equipment situated in the AKPO P40 Production Loop. The findings of the FMEA are
discussed against the criteria presented below.
• Single point failures – safety
• Single point failures – production
• Partial redundancy
• Dormancy
• Hold for Repair Maintenance/Intervention limitations
4.2 DATA-SHEETS
A list of the modules subject to the FMEA process is presented below, the detailed listing of
the actual equipment is presented in Appendix A, Table 6, which includes the appropriate
indenture level and associated reliability value.
• HPU
• SCS
• SPCU
• Umbilicals
• SUT (Dynamic and Infield)
• Bridge Jumper
• EFL
• HFL
• HDU
• Subsea Control Module (SCM)
A listing of the individual worksheets and their associated filenames are presented in Table 7
Appendix B, including a representative worked example of the Umbilical (for “Comms on
Power” and LP channels only).
A Moore 6 NOV 07 05 X-219400-01-78
Page 12 of 182
4.3 SINGLE POINT FAILURE – SAFETY RELATED

The FMEA study has identified a limited number of single point failures, which affect the safety
functions of the AKPO subsea control system. The single point failures identified that primarily
relate to safety are specific to topsides related equipment and include:
• Failure in the ESD circuits (hydraulic and electronic signal): HPU
Equipment within the overall control system that is considered to be safety related single point
failures are detailed in Table 2.
Table 2 - Safety Related Single Point Failures
SAFETY RELATED FAILURE

ITEM COMMENT
MODE
HPU ASSEMBLY (LP & HP)
Fails to operate on demand –

Dormant
ESD Pilot Valve associated hydraulic header fails
Failure
to depressurize
4.4 SINGLE POINT FAILURE – PRODUCTION RELATED

The FMEA study has identified a limited number of single point failures within the AKPO
subsea control system which affect production in terms of
• Total loss of all the production trees on all four Production Loops
• Total loss of all the production trees on a single Production Loop
• Loss of a single tree
The single point failures identified that primarily relate to production include:
• Failure in the HPU (LP and HP Supplies)
• Failure in the SCM (hydraulic and electrical signal)
The large majority of HPU failure modes concern the spurious operation of the common supply
reservoir (Level protection and leakage) and accumulator pressure relief valves (PRV’s),
however in most cases the failed PRV can be quickly isolated restoring functionality to the
system
It should be pointed out that the condition of losing a LP or HP supply until the failed
accumulator PRV is isolated is a generic condition for any HPU where accumulators are
connected to a common header. Therefore for a short period of time only a severe leak or
spurious operation of a PRV will cause a loss of supply pressure. It should be noted that
during such an event the umbilicals and subsea accumulators remain charged. They cannot
however be re-charged until the fault is rectified.
A Moore 6 NOV 07 05 X-219400-01-78
Page 13 of 182
Equipment within the overall subsea control system that are considered to be production
related single point failures are detailed in Table 3.
Overall the FMEA indicates that the AKPO subsea control system is resilient against single
point failures, with the exception of the HPU and SCM.
Table 3 - Production Related Single Point Failures
Unit Failure Mode Impact on Subsea System Mitigation/Comments
HPU Severe Leak – Total loss of both LP and HP Obvious failure condition
Loss of Hydraulic supplies until the leak relatively easy to repair.
Single Reservoir Hydraulic has been repaired.
Contents
LP and HP accumulators remain
charged and the Umbilicals remain
pressurized
HPU Severe Leak – Total loss of both LP and HP Obvious failure condition
Loss of Hydraulic supplies until the leak relatively easy to repair.
Pump Flexible Hydraulic has been repaired.
hose(s) Contents
LP and HP accumulators remain
charged and the Umbilicals remain
pressurized
HPU Spurious Loss of LP Supply Pressure, until Operation of manual

Operation failed accumulator is isolated isolation valve to the
Any LP restoring system functionality. associated accumulator
Accumulator will restore supply.
Pressure Relief Umbilicals remain pressurized
Valve (5 off) Accumulator PRV can be
repaired/replaced at
appropriate time without
system shutdown.
HPU Severe Leak Loss of LP Supply Pressure, until Operation of manual

failed accumulator is isolated isolation valve to the
Any LP restoring system functionality associated accumulator
(5off) Umbilicals remain pressurized
Accumulator can be
system shutdown.
HPU Severe Leak Loss of HP Supply Pressure, until Operation of manual

failed accumulator is isolated isolation valve to the
Any HP restoring system functionality associated accumulator
(2off) Umbilicals remain pressurized
Accumulator can be
system shutdown.
A Moore 6 NOV 07 05 X-219400-01-78
Page 14 of 182
HPU Failure In the event of a surface ESD Manual bleed down.

(sticking) shutdown, a single subsea LP
LP ESD Pilot Supply pressure is not relieved. Electronic control to vent
Valve Due to the action of the SCM valves via the SCM may
located shuttle valves all DCV’s still be available
within the following Well SCM’s
and Manifold SCM’s will remain Subsea electrical control
"latched closed" and the to the LP DCV’s is the
associated fail safe valves remain primary means of closing
open. ** the Tree and Manifold
Valves.
Unable to perform a controlled
ESD shutdown. Potential increase
in time (and hence loss of LP venting via the USV’s
production) when re-starting. will stop production.
Single Point Failure and Dormant

failure in normal operation.
HPU Failure In the event of a surface ESD Manual bleed down.

(sticking) shutdown, a single subsea HP
HP ESD Pilot Supply pressure is not relieved. Electronic control to vent
Valve Due to the action of the SCM valves via the SCM may
located shuttle valves all DCV’s still be available
within the following Well SCM’s
and Manifold SCM’s will remain Subsea electrical control
"latched closed" and the to the HP DCV’s is the
associated fail safe valves remain primary means of closing
open. the Tree and Manifold
Valves.
Unable to perform a controlled
ESD shutdown. Potential increase
in time (and hence loss of HP venting via the SCSSV
production) when re-starting. will stop production.
Single Point Failure and Dormant

failure in normal operation.
SCM Severe Leak All DCV's will unlatch and all of the Subsequent recovery
(Loss of hydraulically actuated valves on action is to pull SCM and
LP Shuttle Valve containment to the production tree will close and repair
the shut in the well.
environment)
There will be a total loss of
production from the well.
SCM Severe Leak Unable to operate all HP DCVs Subsequent recovery

associated with Intelligent Well action is to pull SCM and
Completion valves. repair
Dump Valve (Loss of
containment to Loss of zone selectivity.
the
environment) Tree will continue to produce.
SCM Spurious Unable to operate all HP DCVs Subsequent recovery

Operation associated with Intelligent Well action is to pull SCM and
Completion valves. repair
Dump Valve
(mechanical Loss of zone selectivity.
failure)
Tree will continue to produce.
A Moore 6 NOV 07 05 X-219400-01-78
Page 15 of 182
SCM Severe Leak The HP DCV's will unlatch and the Subsequent recovery
hydraulically actuated SCSSV will action is to pull SCM and
HP Shuttle Valve close out of sequence and shut in repair
the well.
There will be a total loss of

production from the well.
SCM Spurious DCV The predominant failure mode of The predominant failure
signal the VEM is a loss of output hence mode is loss of function.
Tree Valve; two VEMs are fitted per Quad in
VEM’s the SCM. Spurious signal is deemed
There is however a very low to be exceedingly rare.
probability that a spurious signal
from a single VEM could be sent Subsequent recovery
to a DCV leading to the spurious action is to pull SCM and
opening or closing of a valve. replace.
The pulse / check back / verify and ROV intervention

execute routine would not prevent
spurious operation of a VEM
SCM Fails in the Selected valve fails to close on Possible ROV

open position demand. intervention.
Tree Valve;
Associated Remove all LP hydraulic
DCV’s pressure from SCM via
topsides intervention.
** - In response to this condition (i.e. Well SCM’s and Manifold SCM’s will remain "latched
closed" and the associated fail safe valves remain open) Cameron has fitted two solenoid ESD
valves in each line, both of which are connected to a single ESD pilot valve. The solenoid ESD
valves have the higher failure rate and although the probability of a spring operated pilot valve
failing to relieve is low the failure condition is still a single point failure. It is also a dormant
failure as it would only be discovered during a specific, scheduled test. A recommendation to
implement this test program is included in Section 7.4 of this report.
A Moore 6 NOV 07 05 X-219400-01-78
Page 16 of 182
4.5 CONNECTIVITY ARRANGEMENTS

The FMEA study has also determined the potential impact on operational capability from non-
single point failures as detailed below:
• Redundant failures (RF)
• Dormant failures- operational impact
• Maintenance restrictions (hold for repair)
4.5.1 Redundant Failures

The FMEA study confirms the existence of a high degree of fault tolerance and redundancy in
the design of the AKPO subsea controls system. The FMEA has also taken into account
possible dormancy and maintenance restrictions associated with redundant failures.
A listing of redundant failures including any associated dormant and hold for repair condition
are presented in Table 4. The impact of dormant failure modes and hold for repair are
described in more below.
4.5.2 Dormant Failure Modes

A dormant (hidden) failure is only revealed during testing of the unit or when a demand is
placed on the unit. Dormant failures are usually associated with protective systems or
systems that are inactive during normal operation.
The FMEA study confirms that the design of the AKPO subsea controls system is resilient to
redundancy associated with dormant failures. The majority of dormant redundant failure
modes are associated with safety related equipment within the HPU, namely Pressure Relief
Valves and bursting discs. The Pressure Relief Valves all have separate block and bleed
which allows for separate testing and replacement, where required without affecting the
functionality of the HPU.
In addition failures associated with the LP and HP Filtration system (blocked, failure of DP
sensing, holed filter element and spurious by-pass) can allow possible contaminated/dirty fluid
subsea and cause damage to subsea control components in the long term.
Dormant failures can also occur in the SCM; these are restricted to malfunction of two
particular equipments types; Dump Valve (fails to open) and DCV(s) (fails to function open or
close).
4.5.3 Hold for Repair

The FMEA has assessed the maintainability characteristics of the support policy to determine
if there is a detrimental escalation of the effect on system performance when a repair/recovery
action takes place. Where such detrimental escalation can occur, the equipment is
categorized as “Hold for Repair”, whereby control system faults, which do not stop
production/injection, are not repaired until a major degradation has been deemed to occur.
AKPO, like many other industry standard control systems, is a complex arrangement of
several electrical and hydraulic circuits, which are configured into multiple (normally 2)
separate channels, for hydraulics, power/communications, in a series/parallel arrangement
The true impact of the hold for repair cannot be determined by FMEA alone, items of
equipment classified as hold for repair have been identified in Table 4 and the information
A Moore 6 NOV 07 05 X-219400-01-78
Page 17 of 182
subsumed into the RAM Analysis Models, which can determine the resultant impact on system
availability.
Table 4 - Redundant Failures Including Dormancy and Hold For Repair
Failure Mitigation/ Hold For

Unit Impact on Subsea Control
Mode Comments Repair
SPCU Isolating No direct system effect on subsea Alternative supply

relay fails cabinet performance (6 off) whilst available. Yes
Mains Cabinet: the opposite supply remains fully
serviceable. Isolating relay cannot be
Loss of single safely removed without
power supply to Overall SCS continues to operate isolating the overall
a single mains in a fully dual redundant mode. SPCU Mains Incoming
cabinet Cabinet.
SPCU Input No direct system effect on subsea Alternative supply

current cabinet performance (6 off) whilst available. Yes
Mains Cabinet: limiting the opposite supply remains fully
device serviceable. Input current limiting
Loss of single device cannot be safely
power supply to Overall SCS continues to operate removed without isolating
a single mains in a fully dual redundant mode. the overall SPCU Mains
cabinet Incoming Cabinet.
SPCU Output No direct system effect on subsea Alternative supply Yes

current cabinet performance (6 off) whilst available.
Mains Cabinet: limiting the opposite supply remains fully
device to serviceable. Output current limiting
Loss of single an device cannot be safely
power supply to individual Overall SCS continues to operate removed without isolating
a single subsea subsea in a fully dual redundant mode. the overall SPCU Mains
cabinet cabinet Incoming Cabinet.
fails
SPCU PLC PSU No direct system effect on subsea Alternative supply Yes
fails system performance. available.
Mains Cabinet:
Power Supply Unit cannot
Loss of a single be safely removed
24 DC power without isolating the
supply overall SPCU Mains
Incoming Cabinet.
SPCU Input No direct system effect on subsea Alternative supply Yes

current system performance. available.
Mains Cabinet: limiting
device to Current limiting device
Loss of a single individual cannot be safely removed
24 DC power PLC PSU without isolating the
supply fails overall SPCU Mains
Incoming Cabinet.
SPCU Input No direct system effect on subsea Alternative supply Yes

current system performance. available.
Mains Cabinet: limiting
device from Current limiting device
individual cannot be safely removed
Loss of a single without isolating the
24 DC power PLC PSU
fails overall SPCU Mains
supply Incoming Cabinet.
A Moore 6 NOV 07 05 X-219400-01-78
Page 18 of 182

SPCU Input No direct system effect on subsea Current limiting device Yes
current system performance. cannot be safely removed
Subsea limiting without isolating the
Cabinet: device to overall SPCU Mains
PLC PSU Incoming Cabinet.
Loss of fails
electrical
supply/modulat
ed signal to all
of the single
pairs of
conductors (7
off) within the
subsea cabinet
SPCU Output No direct system effect on subsea Alternative supply Yes

current cabinet performance, whilst the available.
Subsea limiting opposite supply remains fully
Cabinet: device to serviceable. Current limiting device
PLC PSU cannot be safely removed
Loss of fails Overall SCS continues to operate without isolating the
electrical in a fully dual redundant mode. overall SPCU Subsea
supply/modulat Cabinet.
ed signal to all
of the single
pairs of
conductors (7
off) within the
subsea cabinet
SPCU Input No direct system effect on subsea Current limiting device Yes
current cabinet performance, whilst the cannot be safely removed
Subsea limiting opposite supply remains fully without isolating the
Cabinet: device fails serviceable. overall SPCU Subsea
Cabinet.
Loss of a single Overall SCS continues to operate
power supply in a fully dual redundant mode.
channel
A Moore 6 NOV 07 05 X-219400-01-78
Page 19 of 182

SPCU SOM Loss of control of a single pair of Alternative supply Yes

Power conductors within the P40 available.
Subsea Transformer umbilical.
fails The Subsea Cabinet is of
Cabinet: modular design to affect
No direct system effect whilst the the safe
Loss of opposite control channel remains repair/replacement of the
electrical fully serviceable. Subsea Output modules.
supply/
modulated Reduction in fault tolerance in that Hence SOM may be
signal to a up to 3 SCM's remain operational serviced by removal and
single pair of on the alternative channel in a non- replacement while the
conductors redundant configuration. cabinet is live.
within a subsea
cabinet However as the subsea system The SOM Power
degrades over time, there is an Transformers
increased probability that this unfortunately cannot be
failure mode will cause a complete safely worked on due to
loss of one or more wells. their location in the
cabinet and require the
subsea cabinet to be
powered down to affect
repair.
The hold for repair in this

case refers to the short
time interval to check that
the isolation of the
associated Quad Pairs to
the rest of the field will
not result in the loss of a
Tree. When the repair
action takes place the
associated Quad Pairs to
the field will be lost for a
short time. This will not
results in the loss of any
trees so long as the
alternative channel is
serviceable. This is the
benefit of the fault
tolerant system specified
by TOTAL.
A Moore 6 NOV 07 05 X-219400-01-78
Page 20 of 182

HPU Isolating No effect on system performance Dual redundant LP Pump Yes

Valve at other than loss of redundancy. set.
Loss of reservoir
Hydraulic outlet Isolating valve cannot be
Supply to the Restricted safely replaced without
LP Pump. or Blocked affecting the remaining
functionality of the overall
HPU.
Hold for repair until a

combinational failure
occurs in the HPU or
subsea.
Maintain Fluid
cleanliness. Periodic task
to assess Fluid
cleanliness and run
circulation/transfer pump.
HPU Isolating No effect on system performance Dual redundant HP Pump Yes

Valve at other than loss of redundancy. set.
Loss of reservoir
Hydraulic outlet Isolating valve cannot be
Supply to the Restricted safely replaced without
HP Pump. or Blocked affecting the remaining
functionality of the overall
HPU.

combinational failure
occurs in the HPU or
subsea.
Maintain Fluid
cleanliness. Periodic task
to assess Fluid
cleanliness and run
A Moore 6 NOV 07 05 X-219400-01-78
Page 21 of 182

HPU ESD Loss of a single LP channel to all of Alternative supply is Yes

solenoid the Well SCM’s (max 12 off) and available (remaining LP
Loss of LP valve Manifold SCM’s (3 off) on the line)
hydraulic spurious umbilical.
supply in a operation
single header Subsequent Reduction in fault
tolerance in that all affected Trees
and Manifolds Control Modules will
remain operational on the
alternative channel in a non-
redundant configuration.
In the event that the alternative

supply has not been selected open,
then for a short period of time until
the alternative LP channel is
selected - Total loss of production
from all trees and Manifolds on the
P40 Loop.
This can potentially result in the

loss of 4 Wells on the three
production manifolds and all of the
manifolds valves (manifold valves
fail "as is", pigging valves fail
open). Worst case is the loss of 12
production wells, if all spare wells
are utilised).
HPU ESD pilot Loss of a single LP channel to all of Alternative supply is

valve the Well SCM’s (max 12 off) and available (remaining LP Yes
Loss of LP spurious Manifold SCM’s (3 off) on the line)
hydraulic operation umbilical.
supply in a On NG50-2-300-SCS-PI-
single header Subsequent Reduction in fault 30-0469 sheet 5 of 5 and
tolerance in that all affected Trees NG50-2-300-SCS-PF-ST-
and Manifolds Control Modules will 64-0158 there are no
remain operational on the isolation valves detailed
alternative channel in a non- on the ESD return line,
redundant configuration. only a single check valve.
Hence the reason for the
In the event that the alternative LP ESD pilot valve being
supply has not been selected open, ‘Hold for Repair’ since
then for a short period of time until repair/replacement
the alternative LP channel is cannot be affected safely.
from all trees and Manifolds on the ESD valve returns are
P40 Loop. segregated by function –
i.e. LP1 returns are totally
This can potentially result in the segregated from all other
loss of 4 Wells on the three ESD valve returns from
production manifolds and all of the the valve to the supply
manifolds valves (manifold valves tank. This is described in
fail "as is", pigging valves fail Subsea HAZOP action
open). Worst case is the loss of 12 041.
are utilised).
A Moore 6 NOV 07 05 X-219400-01-78
Page 22 of 182

HPU Header Subsequent Reduction in fault Alternative supply is Yes

PRV tolerance in that all affected Trees available (remaining LP
Loss of LP spuriously and Manifolds Control Modules will line)
hydraulic relieves remain operational on the
supply in a pressure alternative channel in a non-
single header redundant configuration.

the alternative LP channel is
from all trees and Manifolds on the
P40 Loop.

production manifolds and all of the
manifolds valves (manifold valves
fail "as is", pigging valves fail
open). Worst case is the loss of 12
are utilised).
HPU Failure Loss of fault tolerance and a Alternative ESD is Yes

(sticking of dormant failure. The second ESD available via the second
LP ESD ESD solenoid valve in the line will ESD solenoid valve in the
solenoid Valve solenoid operate and successfully vent the line
valve) line.
System will continue to function combinational failure
and perform an ESD shutdown. occurs in the HPU since
corrective maintenance
However loss of fault tolerance and cannot be undertaken
a dormant failure mode. safely as it shares a
common return line.
HPU ESD Loss of a single HP channel to all Alternative supply is Yes

solenoid of the Well SCM’s (max 12 off) on available (remaining HP
Loss of HP valve the umbilical. line)
hydraulic spurious
supply in a operation Subsequent Reduction in fault
single header tolerance in that all affected Trees

the alternative HP channel is
from all trees on the P40 Loop.

production manifolds Worst case is
the loss of 12 production wells, if all
spare wells are utilised).
A Moore 6 NOV 07 05 X-219400-01-78
Page 23 of 182

HPU ESD pilot Loss of a single HP channel to all Alternative supply is Yes
valve of the Well SCM’s (max 12 off) on available (remaining HP
Loss of HP spurious the umbilical. line)
hydraulic operation
supply in a Subsequent Reduction in fault


HPU Header Loss of a single HP channel to all Alternative supply is Yes

PRV of the Well SCM’s (max 12 off) on available (remaining HP
Loss of HP spuriously the umbilical. line)
hydraulic relieves
supply in a pressure Subsequent Reduction in fault


HPU Failure Loss of fault tolerance and a Alternative ESD is Yes

(sticking / dormant failure. The second ESD available via the second
Loss of ESD seizing) of solenoid valve in the line will ESD solenoid valve in the
shutdown in a ESD operate and successfully vent the line.
single HP solenoid line. Hold for repair until a
header. valve. combinational failure
System will continue to function occurs in the HPU since
and perform an ESD shutdown. corrective maintenance
cannot be undertaken
However loss of fault tolerance and safely as it shares a
a dormant failure mode. common return line.
A Moore 6 NOV 07 05 X-219400-01-78
Page 24 of 182
5.0 AKPO SUB-SYSTEM CONTROLS CHARACTERISTICS
5.1 OVERVIEW
The AKPO subsea controls distribution system is a fault tolerant sub-system providing
redundant Comms on Power Channels, LP & HP hydraulic supplies from the FPSO to subsea
located SCM’s.
5.2 SUBSEA CONTROLS DISTRIBUTION
5.2.1 Electrical
The electrical control sub-system is extremely fault tolerant and comprises of 6 Quads in each
production umbilical. No more than two SEMs are connected to a single Quad pair and
duplicated Comms on Power channels are provided to each tree via two Electrical Flying
Leads from the DSUT to the SCM.
5.2.2 Hydraulics
The LP & HP hydraulic subsea distribution is a simplistic series-parallel arrangement, with

“daisy chaining” of the manifolds via SUT’s and in-field umbilicals. Hence, a leak anywhere in
a single supply chain, results in the total loss of that individual supply to all of the wells
connected to the umbilical. In particular, there is no means of isolation of the individual
supplies in the SUT assemblies.
Note a failure of a single hydraulic supply in any part of the subsea system is not a
classified as a system failure, but a severe degradation in fault tolerance.
Isolation facilities are only provided in the HDU. As an example, a leak in a single hydraulic
supply line within the HDU say LP1; initially causes a loss of that supply to the whole umbilical
until it can be isolated in the HDU.
Isolation of LP1 at HDU would restore LP1 to the remainder of the production loop; however
LP1 would be disconnected from the SCM’s on the HDU – maximum of 4 trees and a single
manifold SCM.
Duplicated LP & HP hydraulic supplies are provided to each tree SCM.
Two separate Hydraulic Flying Leads, which comprise of single LP and HP supplies, are used
between the DSUT and HDU and the HDU and each individual tree SCM.
Bridge jumpers’ supply duplicated LP & HP hydraulic and chemical channels between DSUT’s
and ISUT’s.
5.2.3 Methanol
The methanol system is a multi-drop distribution system comprising of three lines which
provides limited fault tolerance, in that a minimum of two lines are considered to provide
sufficient flow during normal production In addition the service line is considered to provide an
alternative means of supply should an associated MIV line fail. As stated in section 5.1, the
spare chemical line and the spare line are not considered as appropriate back-up for the
methanol system.
A Moore 6 NOV 07 05 X-219400-01-78
Page 25 of 182
Two lines are considered to provide sufficient methanol to the four normally producing trees on
the P40 loop. If leak is located in a tree HFL, methanol can be restored to the remainder of the
system if the HFL is disconnected.
If the fault is located within the HDU it is possible to isolate the faulty supply line (e.g. MI1) and
operate the hydraulically actuated isolation valve to divert the MI1 supply into the 'SERVICE
LINE' thereby creating the new MEOH line/header.
This results in the fault tolerant configuration being restored. Bridge jumpers’ supply duplicated
LP & HP hydraulic and chemical channels between DSUT’s and ISUT’s.
5.2.4 Chemical Lines – Corrosion/Scale/Wax Inhibitor & Anti-Asphaltene

The availability analysis has been carried out on the assumption that the chemical supply
system can tolerate a loss of a function for a short period of time, whilst the spare chemical
line in the TUT is reconfigured. The spare line is considered only to back up the LP and HP
lines in the event of a total loss of LP or HP function.
Hence Chemical connectivity including distributions lines and individual tree valves has
assumed that the spare chemical line is available to support a failure in any of the following:
• Corrosion/Scale inhibitor;
• Wax Inhibitor
• Anti-Asphaltine.
The chemical supply from the DSUT to the HDU is split into two separate HFL’s; one HFL
supplies Wax Inhibitor/Demulsifier and a spare chemical line and the second HFL contains the
corrosion/scale inhibitor, anti-asphaltene lines and another spare chemical line. This split of
chemical channels is continued in the two HFL’s between the HDU and individual tree with the
exception of the spare chemical lines.
A leakage in a HFL of, for example, anti-asphaltene to a single tree will result in a loss of anti-
asphaltene to the entire P40 Production Loop however functionality can be restored to the
loop by isolating the incoming supply via an ROV actuated isolation valve in the HDU. This will
result in a loss of chemical supply to all four trees on the manifold.
5.2.5 Sparing in the Chemical & Methanol Systems

The spare line is less robust than the spare chemical line, in that it requires reconfiguration at
the TUT and reconfiguration at the appropriate tree HFL. Hence the spare line cannot be
reconfigured without causing the loss of one or more trees and is considered to be only
applicable after a combinational failure (total LP failure or total HP failure) has occurred which
enables a non redundant supply to be re-established.
The methanol system is a multi-drop distribution system comprising of three lines which
provides limited fault tolerance, in that a minimum of two lines are considered to provide
sufficient flow during normal production In addition the service line is considered to provide an
alternative means of supply should an associated MIV line fail.
The chemical supply system can tolerate a loss of an individual function for a short period of
time, whilst the spare chemical line in the TUT is reconfigured to replace any of the chemical
supplies and inject through a specific hydraulically operated valve at the Xmas tree.
Hence chemical connectivity including distributions lines and individual tree valves has
assumed that the spare chemical line is available to support a failure in any of the following:
A Moore 6 NOV 07 05 X-219400-01-78
Page 26 of 182
• Corrosion/Scale inhibitor;
• Wax Inhibitor
• Anti-Asphaltine.
5.3 TREE SUBSEA CONTROL MODULE (SCM)

The Tree SCM contains electronic control and LP & HP hydraulic supplies and is connected to
the HDU via two separate HFL’s and two separate EFL’s.
The SCM is configured such that the duplicated LP and HP supplies are selected via a
combination of selector valves (normally open) and shuttle valves. The SCM contains two LP
Accumulators and a single HP accumulator.
The SCM utilizes dual redundant Subsea Electronic Modules (SEM’s), Valve Electronic
Modules (VEM’s) and each Directional Control Valve (DCV) has dual solenoids per actuating
function.
Single point failures are restricted a loss of functionality of the LP & HP DCV’s and leakage
(as a loss of containment to the environment) associated with LP & HP shuttle valves and the
Dump Valve.
5.4 HYDRAULIC POWER UNIT (HPU)

The HPU is a self-contained fault tolerant unit that supplies duplicated LP & HP supply
channels to each drill centre.
Each LP & HP sub-system contains duplicated electrically driven pumps. All are connected to
a single common reservoir which can cause the loss of hydraulic power generation for a short
period of time if genuine or spurious low level alarms occur, although all headers and
umbilicals will remain pressurised.
The HPU contains a number of pressure relief valves, failure or operation of which will result in
a loss of hydraulic power generation for a short period of time; again all headers and
umbilicals will remain pressurised.
The HPU contains a number of header PRVs and ESD valves; failure of an ESD solenoid/pilot
valve or a PRV results in only the loss of a dual redundant supply to a single header channel.
PRVs and ESD valves can be replaced without impacting on HPU functionality due to the use
of separate return lines for each header.
Within the HPU there are banks of LP & HP accumulators arranged such that the loss of any
single accumulator does not cause a loss of hydraulic supply.
The single HPU PLC monitors the status of the HPU and controls the operation of the LP and
HP pumps. The PLC has a watchdog monitor to prevent an undetected failure of the PLC. In
addition the LP and HP pump controls are hardwired to allow local manual operation of the
LP/HP pump sets.
5.5 SUBSEA CONTROL UNIT (SCU)

The SCU provides the control of the overall subsea control system and comprises of several
duplicated processing devices, the connectivity arrangements are such that a failure of any
component will not on its own cause a complete failure of the overall system.
A Moore 6 NOV 07 05 X-219400-01-78
Page 27 of 182
The level of redundancy for each sub function varies slightly and the differences are detailed
below.
5.5.1 MCS Communications Server
The SCS utilizes a dual Communications Server arrangement to control, communicate and
diagnose the subsea systems, and to interface with SD hardwired I/O. The MCS
Communications Servers 2NH 64204A/04B are fully dual redundant with respect to switching
operations (HMI and ESD) and also with respect to subsea control.
Failure of a single MCS Communications Server results only in a loss of server redundancy,
the remainder of the SCS continues to operate in a fully dual redundant mode.
5.5.2 Network Switch Units

The SCS utilizes four sets of network switch units in two redundant arrangements.
Switch units 2ND 642 02 & 03 connect the Delta V workstations to the MCS Server units and
the switch units 2ND 642 04 & 05 connect the MCS Servers to the SPCU’s; MCS PLCs and
the HPU PLCs.
Network switch units 2ND 642 02 & 03 are fully redundant with respect to the MCS Servers
and of the HMI connection, i.e. a failure of either switch units 2ND 642 02 or 03 has a
minimal affect on the redundancy of the overall SCS system.
Network switch units 2ND 642 04 & 05 are fully redundant with respect to the MCS Servers
and local I/O and the subsea control system, i.e. a failure of either switch units ND 642 04 or
04 has a minimal affect on the redundancy of the overall SCS system.
5.5.3 PLC
The SCS utilizes two PLCs to interface the ESD signals and Local I/O HMI with the MCS
Servers, in a fully redundant arrangement where each PLC is connected to a both network
switches. After a PLC failure, the remainder of the SCS continues to operate in a fully dual
redundant mode.
The PLC has a watchdog monitor to prevent an undetected failure of the PLC.
5.5.4 Delta V Stratus Server

Two Delta V Stratus Servers (2NH 64203A SCMs 1-27 and 2NH 642 03B SCMs 28-53) are
required to provide the HMI facility from the FPSO SCU to the SCMs. Each Delta V Stratus
Server has a fully dual redundant processor unit which
A complete loss of a single server causes the loss of HMI control of 50% of the subsea
development from the SCU. Full HMI is still available from the MCS EWS in the CTR.
5.5.5 Delta V Workstation

The Delta V Workstation is single unit with communication connections to each Delta V
Stratus Server which is used to provide the HMI interface within the CTR.
A complete loss of a single workstation causes the loss of HMI for the subsea system from the
CTR. Full HMI is still available from the FPSO CCR.
A Moore 6 NOV 07 05 X-219400-01-78
Page 28 of 182
5.5.6 MCS Workstation EWS SCS 3

The MCS Workstation EWS SCS 3, is single unit with communication connections to each of
the Network switch units ND 642 02 & ND 642 03, and thus the MCS Communications
Servers that is used to provide the HMI & diagnostic facilities for the subsea system within the
CTR.
A complete loss of a single workstation causes the loss of secondary HMI & diagnostic
facilities for the subsea system from the CTR. Full HMI is still available from the SCU EWS
Monitor.
A Moore 6 NOV 07 05 X-219400-01-78
Page 29 of 182
6.0 CONCLUSIONS
A detailed and thorough FMEA has been carried out in conjunction with the AKPO subsea
control system design specialists to examine and determine the impact on system availability
from the failure modes of individual items of the subsea control system, in order to identify the
level of project risk.
The FMEA has been carried out on P40 production loop against specific Cameron supplied
subsea control equipment.
The FMEA has been implemented, utilizing MIL STD 1629A for guidance only, in a tabular
format and has examined the effects of each failure at local and system level. The FMEA has
assessed each failure mode individually in terms of loss of functions, effect on local and
system performance, dormant failure modes and detection methods and the consequential
impact on the system of the subsequent repair solution.
The FMEA has determined a listing of those components which are the main contributors to
system unreliability/unavailability. Two such failure modes are:
• A failure of an individual header ESD Pilot Valve to operate on demand is a

dormant and single mode failure inhibiting the ESD shutdown function.
• A severe leak in the flexible hose to any one of the four supply pumps (HP and LP)
can cause a complete loss of hydraulic reservoir contents.
The FMEA has examined the AKPO subsea control system including both Subsea and
Topsides located equipment, in terms of operational functionality and concludes that the
controls system has a resilient architecture, with the exception of the HPU and SCM, and is
capable of achieving a high level of production availability.
However there are a high number of dual redundant faults that cannot be repaired without
impacting on the functionality of the overall system. These hold for repair characteristics have
been identified and will be taken into account during the subsequent RAM modelling of the
subsea control system
The FMEA concludes that the design phase has resulted in a fault tolerant system design, with
a minimum of single point failures which are aligned with current industry practice and a
reasonable level of preventive maintenance recommendations to further support system
operability.
A Moore 6 NOV 07 05 X-219400-01-78
Page 30 of 182
7.0 RECOMMENDATIONS
7.1 GENERAL
The FMEA report recommends that all equipment containing safety and production related
single point of failures, be subject to formal DRACAS monitoring. The report has made several
recommendations to mitigate against the affects of safety related failures and dormant failure
modes. The report further recommends that all of the proposed mitigation be subsumed into
the Operability Program of Work, key aspects of which are presented below.
7.2 SAFETY RELATED
The FMEA has identified a limited list of ESD components which can impact on system safety.
It is recommended that the Operability Program of Work highlights the impact of dormant
failure modes of the ESD Pilot valve in the Technical Documentation, including the
development of appropriate maintenance/test schedules and inspection.
7.3 PRODUCTION RELATED
The FMEA has identified a limited list of components which may impact on system availability.
The RAM Analysis determines and verifies the impact of the failure or degradation of these
items of equipment on system availability.
7.4 OPERABILITY RELATED
The FMEA has identified certain issues that have a significant impact on the operability of the
subsea control system. It is recommended that an appropriate maintenance/test schedule and
inspection frequency is developed for all equipment types which have been identified as
Dormant Failures be subsumed into the Operability Program of Work specifically for the
following items:
• An effective procedure to re-cycle and clean fluid in return reservoir before re-filling
supply reservoir.
• An effective inspection schedule & frequency be derived to confirm filter
serviceability.
• An effective inspection schedule & frequency be derived for Hydraulic flexible
hoses to mitigate against severe leakage. Periodic flexible hose integrity
inspections to be carried out to assess the condition of flexible hoses. Furthermore
accumulation allows normal operation to continue until maintenance action
restores reservoir supply.
• Confirm Technical Publications indicate that failure of any PRV to relieve pressure
is classified as a dormant failure, including an effective inspection schedule &
frequency be derived to confirm PRV serviceability.
7.5 RAM ANALYSIS
The impact of single point failures and hold for repair issues are assessed further as part of
the RAM Analysis program of work.
A Moore 6 NOV 07 05 X-219400-01-78
Page 31 of 182
8.0 GLOSSARY OF RAM TERMS
The listing of abbreviations relating to equipment is given in Appendix A of “ NG50-S-300-

SPS-GN-AB-030-0022.
Table 5 - Glossary of RAM Terms
Abbreviation Definition
DRACAS Data Reporting Analysis and Corrective Action System
FMEA Failure Mode and Effects Analysis
FPR Field Performance Reporting
FRACAS Failure Reporting Analysis and Corrective Action System
LCC Life Cycle Cost
LRI Lowest Replaceable Item
MIL HDBK Military Handbook
MTBF Mean Time Between Failure
MTTR Mean Time To Repair
NPRD-95 Non Electronic Parts Reliability Data
OREDA Off-shore Reliability Data
RAM Reliability, Availability and Maintainability
RF Redundancy Failure
R&M Reliability and Maintainability
RBD Reliability Block Diagram
SPF Single Point Failure
A Moore 6 NOV 07 05 X-219400-01-78
Page 32 of 182
Appendix A
Table 6 – Equipment subjected to FMEA
Sub-
FM Number Module Equipment MTTF
system
Instrumented Reservoir 137,669
Isolation Valve 4,140,000
1-0-1 Common Reservoir supply
Suction Strainer 430,139
Flexible Hose 300,000
LP Hydraulic Pump Assembly 256,334
1-0-2 LP Supply Pressure Relief Valve 3,500,000
Pressure transducer 322,580
1-0-3 LP Filtration Filtration 430,139

LP Accumulator Assembly 225,479
Pressure Relief Valve 3,500,000
LP Accumulation and
1-0-4 Bursting Disc 3,500,000
Distribution Header
ESD Pilot Valve 255,102
ESD Solenoid Valve 255,102
HP Hydraulic Pump Assembly 256,334
1-0-5 HP Supply Pressure Relief Valve 3,500,000
Pressure transducer 322,580
HPU 1-0-6 HP Filtration Filtration Assembly 430,139
HP Accumulator Assembly 225,479
HP Accumulation and Pressure Relief Valve 3,500,000
1-0-7
Distribution Header
ESD Pilot Valve 255,102
3 way Selector Valve 416,579
Pressure Relief Valve 3,500,000
Filtration Assembly 430,139
HP Hydraulic Pump Assembly 256,334
Hydraulic Circulation
1-0-8
System Check Valve (Non Return Valve) 1,450,000
Relief Valve 3,500,000
Filtration 430,139
ESD Bypass Valve (Manual Bleed) 4,140,000
ESD PRV 225,479
2-0-1 Delta V Delta V Stratus Workstation 35,020
2-0-2 MCS Server 35,020
SCU
2-0-3 PLC PSU 50,000
Processor Card 80,000
A Moore 6 NOV 07 05 X-219400-01-78
Page 33 of 182
Sub-
system
Ethernet Card 100,000
Bus Controller card 100,000
PSU 80,000
Control Card 100,000
2-0-4 Network Switch 02A Ethernet Card 100,000
Network Switch Module 100,000
PSU 80,000
Control Card 100,000
2-0-5 Network Switch 03A Ethernet Card 100,000
2-0-6 HMI Interface Delta V Stratus Workstation 35,020
Engineering Workstation 35,020
Isolating Relay 29,141
Input Current Limiting Device 29,140
Output Current Limiting Device 29,140
3-0-1 Mains Cabinet PLC 50,000
Switching Unit 35,020
UPS N/A
PLC PSU 80,000
Switching Unit 35,020
SPCU PLC 50,000
Subsea Output Module 650,204
SOM 1 Transformer 650,204
3-0-2 Subsea Cabinet Modem 90,560
PLC PSU 80,000
Diplexer 650,204
Input Current Limiting Device 29,140
Output Current Limiting Device 29,140
Twisted Pair Power/Comms 2,146,000
LP Hydraulic line 1,510,700
UMBILICAL:
HP Hydraulic line 1,510,700
Umbilical 4-0-1 30-UD-P41 CI/SI Line 1,510,700
4-0-2 30-US-P42
Wax Inhibitor/Demulsifier Line 1,510,700
4-0-3 30-US-P43
Methanol Line 1,510,700
Anti-Asphaltene Line 1,510,700
SUTA SUT: Twisted Pair Power 2,146,000
5-0-1 30-DS-P41 Twisted Pair Comms 2,146,000

5-0-2 30-DS-P42 LP Hydraulic line 1,510,700
5-0-3 30-DS-P43
5-0-4 30-DS-P44
5-0-5 30-DS-P45 CI/SI Line 1,510,700
A Moore 6 NOV 07 05 X-219400-01-78
Page 34 of 182
Sub-
system
EFL
6-0-1 Single Quad Power/Comms 467,224
30-DS-P41 to 30-DS-P42
EFL
EFL 6-0-2 Single Quad Power/Comms 467,224
30-DS-P43 to 30-DS-P44
6-0-3 Generic EFL to SCM Single Twisted Pair Power/Comms 934,448

Bridge Jumper CI/SI Line 2,760,000
7-0-1
30-DS-P41 to 30-DS-P42 Wax Inhibitor/Demulsifier Line 2,760,000
Bridge Anti-Asphaltene Line 2,760,000
Jumper LP Hydraulic line 2,760,000
Bridge Jumper CI/SI Line 2,760,000
7-0-2
30-DS-P43 to 30-DS-P44 Wax Inhibitor/Demulsifier Line 2,760,000
HFL CI/SI Line 2,760,000
8-0-1
DSUT to HDU Wax Inhibitor/Demulsifier Line 2,760,000
HFL
HFL CI/SI Line 2,760,000

8-0-2
HDU - SCM Wax Inhibitor/Demulsifier Line 2,760,000
Twisted Pair Power/Comms 2,146,000
HDU Assembly
HDU 9-0-1
30-HDU-P41
CI/SI Line 1,510,700
SCM 10-0-1 SCM Assembly VEM 313,450
SEM 177,176
LP Shuttle Valve 2,101,000
LP Shuttle Valve 2,101,000
LP Selector Valve 2,101,000
LP Hydraulic DCV 2,101,000
LP Hydraulic DCV (Choke) 2,101,000
A Moore 6 NOV 07 05 X-219400-01-78
Page 35 of 182
Sub-
system
HP Hydraulic DCV 2,101,000
HP Selector Valve 2,101,000
LP Hydraulic Accumulator 741,490
HP Hydraulic Accumulator 366,481
A Moore 6 NOV 07 05 X-219400-01-78
Page 36 of 182
Appendix B
Table 7 – Summary of FMEA Worksheets
Appendix Ref. Module File Reference
Appendix B1 HPU Appendix B-1 AKPO FMEA HPU August 2007
Appendix B2 SCS Appendix B-2 AKPO SCS August 2007
Appendix B3 SPCU Appendix B-3 AKPO SPCU August 2007
Appendix B4 Umbilical Appendix B-4 AKPO Umbilical August 2007
Appendix B5 SUT Appendix B-5 AKPO SUT August 2007
Appendix B6 Bridge Jumper Appendix B-6 AKPO Bridge Jumper August 2007
Appendix B7 EFL Appendix B-7 AKPO EFL August 2007
Appendix B8 HFL Appendix B-8 AKPO HFL August 2007
Appendix B9 HDU Appendix B-9 AKPO HDU August 2007
Appendix B10 SCM Appendix B-10 AKPO SCM August 2007

A Moore August 07 02 X-219400-01-78
C. Kochenower August 07 01 NG50-2-300-SPS-TR-AB-30-0132
Page 37 of 37
Originated By: A Moore Date: November 07 Rev: 05 Cameron Document No.
X-219400-01-78
Approved By: C Kochenower Date: November 07 Rev: 02 Total Document No.
NG50-2-300-SPS-TR-AB-30-0132
Appendix B1
SUBSYSTEM DESCRIPTION: Production Loop P40 Subsea Controls SUBSYSTEM DESCRIPTION: LP & HP Hydraulic Supply
SUBSYSTEM: Hydraulic Power Unit
FM
FAILURE MODE CS Ref CAUSES LOCAL EFFECTS SYSTEM EFFECTS METHOD OF DETECTION MITIGATION/RECOVERY COMMENTS
Ref
FM: Common Reservoir supply FUNCTION DESCRIPTION: To provide Hydraulic Supply to each LP & HP Pump
FM No: 1-0-1
1 Loss of Hydraulic Supply to A Isolating Reduced / No flow through the affected valve to its LP Pump. No effect on system performance Standby Transmitter set point activated, Dual redundant LP Pump set.
the LP Pump. Valve at other than loss of redundancy. standby pump starts.
reservoir Loss of Duty LP Hydraulic supply. Standby LP Pump starts when Isolating valve cannot be safely replaced
Nominally LP Duty Pump outlet setpoint activated. Fault indication on operator panels. (Not without affecting the remaining functionality of
Restricted or manned) the overall HPU.
Blocked
Audio and Visual alarm on SCS (not Hold for repair until a combinational failure
100% manned) and relayed to DCS. occurs in the HPU or subsea.
Event logger recording. Maintain Fluid cleanliness. Periodic task to

assess Fluid cleanliness and run
B Isolating valve Reduced / No flow through the affected valve to its LP Pump. No effect on system performance Standby Transmitter set point activated, Dual redundant LP Pump set.
at pump inlet other than loss of redundancy. standby pump starts.
restricted or Loss of Duty LP Hydraulic supply. Standby LP Pump starts when Isolating valve can be safely replaced without
blocked setpoint activated. Fault indication on operator panels. (Not affecting the remaining functionality of the
manned) overall HPU.
Audio and Visual alarm on SCS (not Maintain Fluid cleanliness. Periodic task to
100% manned) and relayed to DCS. assess Fluid cleanliness and run
Event logger recording.
C Suction Reduced / No flow through the affected valve to its LP Pump. No effect on system performance Standby Transmitter set point activated, Dual redundant LP Pump set.
strainer other than loss of redundancy. standby pump starts.
Restricted or Loss of Duty LP Hydraulic supply. Standby LP Pump starts when Failed Item can be safely replaced without
Blocked setpoint activated. Fault indication on operator panels. (Not affecting the remaining functionality of the
D Failure Loss of hydraulic contents via hose - No flow available to both of Loss of LP and HP primary supplies. All LP and HP pumps will be Maintain flexible hose Integrity. Periodic task
(rupture) of the LP and HP pump-sets. automatically stopped if Supply Reservoir to assess condition of flexible hoses -
flexible hose Associated topsides and subsea "Low Low" Level Transmitter is activated. possible lifed item.
on primary LP and HP accumulators remain charged and all umbilicals accumulation allows restricted subsea
HP pump remain pressurised. operations until maintenance action Accumulation allows normal operation until
restores pumps maintenance action restores resevoir.
Single Point Failure.
Environmental hazard will require

Topside isolation and clean-up
Page 1 of 21
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B1
FM
Ref
FM No: 1-0-1
2 Loss of Hydraulic Supply to A Isolating Reduced / No flow through the affected valve to its HP Pump. No effect on system performance Standby Transmitter set point activated, Dual redundant HP Pump set.
HP Pumps. Valve at other than loss of redundancy. standby pump starts.
reservoir Loss of Duty HP Hydraulic supply. Standby HP Pump starts Isolating valve cannot be safely replaced
Nominally HP Duty Pump. outlet when setpoint activated. Fault indication on operator panels. (Not without affecting the remaining functionality of
Restricted or manned) the overall HPU.
Blocked
Audio and Visual alarm on SCS (not Hold for repair until a combinational failure
100% manned) and relayed to DCS. occurs in the HPU or subsea.
Event logger recording. Maintain Fluid cleanliness. Periodic task to

assess Fluid cleanliness and run
B Isolating valve Reduced / No flow through the affected valve to its HP Pump. No effect on system performance Standby Transmitter set point activated, Dual redundant HP Pump set.
at pump inlet other than loss of redundancy. standby pump starts.
restricted or Loss of Duty HP Hydraulic supply. Standby HP Pump starts Isolating valve can be safely replaced without
blocked when setpoint activated. Fault indication on operator panels. (Not affecting the remaining functionality of the
C Suction Reduced / No flow through the affected valve to its HP Pump. No effect on system performance Standby Transmitter set point activated, Dual redundant HP Pump set.
strainer other than loss of redundancy. standby pump starts.
Restricted or Loss of Duty HP Hydraulic supply. Standby HP Pump starts Failed Item can be safely replaced without
Blocked when setpoint activated. Fault indication on operator panels. (Not affecting the remaining functionality of the
D Failure Loss of hydraulic contents via hose - No flow available to both of Loss of LP and HP primary supplies. All LP and HP pumps will be Maintain flexible hose Integrity. Periodic task
(rupture) of the LP and HP pump-sets. automatically stopped if Supply Reservoir to assess condition of flexible hoses -
flexible hose Associated topsides and subsea "Low Low" Level Transmitter is activated. possible lifed item.
on primary LP and HP accumulators remain charged and all umbilicals accumulation allows restricted subsea
HP pump remain pressurised. operations until maintenance action Accumulation allows normal operation until
restores pumps maintenance action restores resevoir.

Page 2 of 21
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B1
FM
Ref
FM No: 1-0-1
3 Loss of Hydraulic contents A Leak in No flow available to both of the LP and HP pump-sets. Loss of LP and HP primary supplies. All LP and HP pumps will be Maintain Tank Integrity. Periodic task to
Supply automatically stopped if Supply Reservoir assess tank for leakage.
Reservoir or LP and HP accumulators remain charged and all umbilicals Associated topsides and subsea "Low Low" Level Transmitter is activated.
in return lines remain pressurised. accumulation allows restricted subsea Accumulation allows normal operation until
operations until maintenance action maintenance action restores resevoir.
restores pumps

4 Loss of Hydraulic supply to A Spurious All LP & HP Pumps will be incorrectly isolated via the low level Loss of LP and HP primary supplies. Supply Tank low level alarm will be Accumulation allows normal operation until
both LP and HP pump-sets operation of protection system. initated. Investigation will identify that the maintenance action restores pumps.
the Supply Associated topsides and subsea tank is not empty.
Tank "Low LP and HP accumulators remain charged and all umbilicals accumulation allows restricted subsea
Low Level remain pressurised. operations until maintenance action
Alarm & restores pumps
Pump Stop"
switch Single Point Failure.
Page 3 of 21
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B1
SUBSYSTEM DESCRIPTION: Production Loop P40 Subsea Controls SUBSYSTEM DESCRIPTION: LP Hydraulic Supply
FM
Ref
FM: LP Supply FUNCTION DESCRIPTION: To provide clean LP Hydraulic Supply to the Umbilical (up to Topside Accumulator Manifold)
FM No: 1-0-2
1 Loss of Hydraulic Output A LP Duty Loss of output from Duty LP Hydraulic Pump No effect on system performance Standby Transmitter set point activated, Dual redundant LP Pump set.
from LP Pump Pump/motor other than loss of redundancy. standby pump starts.
Failure Loss of Duty LP Hydraulic supply. Standby LP Pump starts when
Nominally LP Pump setpoint activated. Fault indication on operator panels. (Not
assembly manned)
(pump/motor -
2-GA-6403A/ Audio and Visual alarm on SCS (not
2-XA-6403A 100% manned) and relayed to DCS.
B Pressure Relief Pump continues to run, pressure and flow continuously diverted No effect on system performance Standby Transmitter set point activated, Reset Pressure Relief setting to 110% of WP.
Valve operates to the Return Reservoir. other than loss of redundancy. standby pump starts.
at less than Replace PRV if not able to reset.
normal working Loss of output from the LP Pump. Fault indication on operator panels. (Not
pressure. manned) Audio and Visual alarm on SCS PRV can be reset or replaced without
Loss of Duty LP Hydraulic supply. Standby LP Pump starts when (not 100% manned) and relayed to DCS. affecting the remaining functionality of the
setpoint activated. overall HPU.
Fluid will flow to return reservoir - If
reservoir level is excessive, High Level
Return Light on operators panel, warning
at SCS and DCS.
Audio and Visual alarm on operator

panels.
C Pressure Pressure transducer fails to send a signal to controller that No effect on system performance Supply Transmitter set point activated, Control of pumps can be undertaken in
Transducer pressure is low. Pump fails to start. other than loss of redundancy. standby pump starts. manual mode at HPU Control Panel whilst
fails to maintenance action takes places.
function. Loss of output from the LP Pump. Fault indication on operator panels. (Not
manned) Audio and Visual alarm on SCS
Loss of Duty LP Hydraulic supply. Standby LP Pump starts when (not 100% manned) and relayed to DCS.
setpoint activated.
2 Loss of Pump hydraulic A PRV fails to Affected PRV does not relieve in an over pressurization No direct effect on system Dormant failure. Accumulator and header PRV's provide Confirm Technical
Over Pressure Protection relieve at condition, possible damage to system. performance during normal pump backup during normal operations. Publications indicate that this
correct over operations. LP accumulator PRV's failure of the PRV is classified
Nominally Duty LP Pump pressure downstream of the dual LP pump-set Associated pressure transmitter stops pump as a dormant failure.
setting. will provide safety back-up and relieve at preset cut-off value.
over pressure. Recommend that an effective
inspection schedule &
If Isolation valve is closed, possible frequency be derived to
safety hazard if the LP pump is confirm PRV serviceability.
operated against a "Dead Head".
B Pressure Pressure transducer fails to send a signal to HPU PLC that Pressure rises until either pump or Multiple alarms from the various pressure Associated pump and accumulator PRV's and
Transducer pressure is high. Pump fails to stop. accumulator PRV's relieve pressure. transducers in the LP system. LP header PRV's provide backup during
fails to normal operation.
function.
Page 4 of 21
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B1
FM
Ref
FM: LP Filtration FUNCTION DESCRIPTION: To provide clean LP Hydraulic Supply to each Umbilical (up to Topside Accumulator Manifold)
FM No: 1-0-3
1 Reduced/No Flow A Filter Reduced/No flow of hydraulic fluid through the affected filter. No immediate effect on system Differential pressure alarm will sound and Filter system checked and changed on a
element performance. Standby filter available provide warnng of blocked filter before the regular basis.
blocked Differential pressure sensor will alarm the condition to enable the in a non-redundant configuration. bypass condition is reached.
operator to manually select the standby filter. Differential pressure transmitter provides
However if filter bypass operates then Fault indication on operator panels. (Not information on the cleanliness and condition
the LP system will use unfiltered manned) Audio and Visual alarm on MCS of the duty filter. The filter will gradually clog
hydraulic fluid - increased risk of (not 100% manned) and relayed to DCS. over time. This allows preventive
subsea component maintenance to be carried out on the blocked
blockages/malfunction due to filter whilst HPU operations continue using
contaminated hydraulic fluid. the second filter.
Loss of filter redundancy. Additional filtration provided by cleaning

circuit filters during transfer from return
reservoir to supply reservoir.
B Filter Reduced flow of hydraulic fluid through the affected filter. Dormant failure mode in normal Dormant failure mode until filter is Filter system checked and changed on a
differential operation. replaced on a regular basis. regular basis.
pressure Differential pressure sensor fails to alarm a blocked filter
device fails condition to enable the operator to manually select the standby Nil effect during normal operations Additional filtration provided by cleaning
to identify filter. until the filter becomes blocked and circuit filters during transfer from return
blocked filter the filter bypass operates then the LP reservoir to supply reservoir.
system will use unfiltered hydraulic
fluid - increased risk of subsea
component blockages/malfunction
due to contaminated hydraulic fluid.
Loss of filter redundancy.
2 Loss of Filtration A Filter No filtration of hydraulic oil. Dormant failure mode in normal Dormant failure mode until filter assembly Filter system checked and changed on a Recommend that an effective
element operation. is checked on a regular basis. regular basis. procedure to re-cycle and
holed or clean fluid in return reservoir
missing The LP system will use unfiltered Additional filtration provided by cleaning Additional filtration provided by cleaning before re-filling supply
hydraulic fluid - increased risk of circuit filters during transfer from return circuit filters during transfer from return reservoir.
subsea component reservoir to supply reservoir. reservoir to supply reservoir.
blockages/malfunction due to Recommend that an effective
contaminated hydraulic fluid. inspection schedule &
frequency be derived to
confirm filter serviceability.
B Filter by- No filtration of hydraulic oil. Dormant failure mode in normal Dormant failure mode until filter assembly Filter system checked and changed on a Recommend that an effective
pass operation. is checked on a regular basis. regular basis. procedure to re-cycle and
spuriously clean fluid in return reservoir
operates When filter bypass operates Additional filtration provided by cleaning Additional filtration provided by cleaning before re-filling supply
continually then the LP system will circuit filters during transfer from return circuit filters during transfer from return reservoir.
use unfiltered hydraulic fluid - reservoir to supply reservoir. reservoir to supply reservoir.
increased risk of subsea component Recommend that an effective
blockages/malfunction due to inspection schedule &
contaminated hydraulic fluid. frequency be derived to
Page 5 of 21
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B1
FM
Ref
FM: LP Accumulation and Distribution Header FUNCTION DESCRIPTION: To provide redundant LP Hydraulic Supply through each Umbilical.
FM No: 1-0-4
1 Loss of LP accumulation A Accumulator Pressure will be maintained by the remaining accumulators and No direct effect on the system Local pressure indicator will provide Remaining accumulators and pumps provide
(nominally 2- the LP Pumps. performance. indication of a loss of pre-charge. sufficient volume and pressure to undertake
DA-6402A) normal operations
pre-charge Reduction in fault tolerance.
fails.
Dormant failure.
B Accumulator Pressure will be maintained by the remaining accumulators and No direct effect on the system Local pressure indicator will provide Remaining accumulators and pumps sets
bursting disc the LP Pumps. performance. indication of a loss of pre-charge. provide sufficient volume and pressure to
spuriously undertake normal operations
relives Reduction in fault tolerance.
Dormant failure.
2 Loss of LP Hydraulic A Severe leak Loss of LP pressure from pumps and accumulators. Loss of LP Supply Pressure, until Low pressure alarm initiated and then Operation of manual isolation valve to the
Supply. from any failed accumulator is isolated restoring standby pump started. If pressure associated accumulator will restore supply.
accumulator Both LP pumps stop when pressure drops below a system functionality continues to fall Low-Low alarm is Accumulator can be repaired/replaced at
predetermined setpoint. initiated and both LP pumps are stopped. appropriate time without system shutdown.
All tree valves are retained in position
Umbilical supply lines remain charged. via the accumulation in the SCMs.
Severe restriction on subsea valve

operations
B Accumulator Loss of LP pressure from pumps and accumulators. Loss of LP Supply Pressure, until Low pressure alarm initiated and then Operation of manual isolation valve to the
PRV failed accumulator is isolated restoring standby pump started. If pressure associated accumulator will restore supply.
(TS6433) Both LP pumps stop when pressure drops below a system functionality continues to fall Low-Low alarm is
spuriously predetermined setpoint. initiated and both LP pumps are stopped. Accumulator PRV cannot be
relieves All tree valves are retained in position repaired/replaced at appropriate time without
pressure. Umbilical supply lines remain charged. via the accumulation in the SCMs. system shutdown as it share a common PRV
return line.
operations
Page 6 of 21
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B1
FM
Ref
FM No: 1-0-4
4 Loss of LP Hydraulic Supply A ESD solenoid Loss of a single LP channel to all of the Well SCMs (max 12 off) Subsequent Reduction in fault Associated LP A header Low pressure Alternative supply is available (remaining LP
in a single Header line valve and Manifold SCMs (3 off) on the umbilical. tolerance in that all affected Trees and alarm initiated. line)
spurious Manifolds Control Modules will remain
Nominally LP Channel 1(A) operation Pressure drop will be automatically detected by the shuttle valve operational on the alternative channel Hold for repair until a combinational failure
P40 Loop and the alternative channel connected before the DCVs unlatch. in a non-redundant configuration. occurs in the HPU since corrective
Nominally LP- maintenance cannot be undertaken safely as
ESD-P41 In the event that the alternative supply has not been selected In the event that the alternative supply it shares a common return line.
Solenoid open then for a short period of time all DCVs within the following has not been selected open, then for
Valve 1 Well SCMs and Manifold SCMs will "drop out" and the well will a short period of time until the
close safely. alternative LP channel is selected -
Total loss of production from all trees
Currently: and Manifolds on the P40 Loop .
30-M-P41 Manifold SCM This can potentially result in the loss

of 4 Wells on the three production
30-X-P42-C Well SCM manifolds and all of the manifolds
30-X-P42-D Well SCM valves (manifold valves fail "as is",
30-M-P42 Manifold SCM pigging valves fail open). Worst case
is the loss of 12 production wells, if all
30-X-P43-B Well SCM spare wells are utilised).
30-X-P43-C Well SCM
30-M-P43 Manifold SCM
Page 7 of 21
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B1
FM
Ref
FM No: 1-0-4
B ESD solenoid Loss of a single LP channel to all of the Well SCMs (max 12 off) Subsequent Reduction in fault Associated LP A header Low pressure Alternative supply is available (remaining LP
valve and Manifold SCMs (3 off) on the umbilical. tolerance in that all affected Trees and alarm initiated. line)
operation Pressure drop will be automatically detected by the shuttle valve operational on the alternative channel Hold for repair until a combinational failure
and the alternative channel connected before the DCVs unlatch. in a non-redundant configuration. occurs in the HPU since corrective

30-X-P43-C Well SCM
Page 8 of 21
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B1
FM
Ref
FM No: 1-0-4
C ESD Pilot Loss of a single LP channel to all of the Well SCMs (max 12 off) Subsequent Reduction in fault Associated LP A header Low pressure Alternative supply is available (remaining LP
valve and Manifold SCMs (3 off) on the umbilical. tolerance in that all affected Trees and alarm initiated. line)
Pilot Valve open then for a short period of time all DCVs within the following has not been selected open, then for
Well SCMs and Manifold SCMs will "drop out" and the well will a short period of time until the

30-X-P43-C Well SCM
D Header PRV Loss of a single LP channel to all of the Well SCMs (max 12 off) Subsequent Reduction in fault Associated LP A header Low pressure Alternative supply is available (remaining LP
(6487) and Manifold SCMs (3 off) on the umbilical. tolerance in that all affected Trees and alarm initiated. line)
spuriously Manifolds Control Modules will remain
relieves Pressure drop will be automatically detected by the shuttle valve operational on the alternative channel Hold for repair until a combinational failure
pressure. and the alternative channel connected before the DCVs unlatch. in a non-redundant configuration. occurs in the HPU since corrective
maintenance cannot be undertaken safely as
In the event that the alternative supply has not been selected In the event that the alternative supply it shares a common return line.
open then for a short period of time all DCVs within the following has not been selected open, then for

30-X-P43-C Well SCM
Page 9 of 21
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B1
FM
Ref
FM No: 1-0-4
5 Loss of ESD shutdown ina A Failure In the event of a surface ESD shutdown, a single subsea LP Unable to perform a controlled ESD After an ESD the associated header Manual bleed down. Recommend that an effective
single header. (sticking / Supply pressure is not relieved . Due to the action of the SCM shutdown. Potential increase in time instrumentation will indicate a pressurised inspection schedule &
seizing) of located shuttle valves all DCVs within the following Well SCMs (and hence loss of production) when condition. Electronic control to vent valves via the SCM frequency be derived to
Nominally LP Channel 1(A) ESD pilot and Manifold SCMs will remain "latched closed" and the re-starting. may still be available confirm ESD serviceability.
P40 Loop. valve. associated fail safe valves remain open.
Nominally LP- Single Point Failure and Dormant Subsea electrical control to the LP DCVs are
ESD-P41 Currently: failure in normal operation. the primary means of closing the Tree and
Manifold Valves.
30-X-P42-C Well SCM

30-X-P42-D Well SCM
30-X-P43-B Well SCM

30-X-P43-C Well SCM
B Failure Loss of fault tolernace and a dormant failure. The second ESD System will continue to function and Dormant failure Alternative ESD is available via the second Recommend that an effective
(sticking / solenoid valve in the line will operate and succesfully vent the perform an ESD shutdown. ESD soleniod valve in the line inspection schedule &
seizing) of line. frequency be derived to
ESD solenoid However loss of fault tolernace and a Hold for repair until a combinational failure confirm ESD serviceability.
valve. dormant failure mode. occurs in the HPU since corrective
Nominally LP- it shares a common return line.
ESD-P41
Solenoid
Valve 1
C Failure Loss of fault tolernace and a dormant failure. The second ESD System will continue to function and Dormant failure Alternative ESD is available via the second Recommend that an effective
(sticking / solenoid valve in the line will operate and succesfully vent the perform an ESD shutdown. ESD soleniod valve in the line inspection schedule &
ESD solenoid However loss of fault tolernace and a Hold for repair until a combinational failure confirm ESD serviceability.
valve. dormant failure mode. occurs in the HPU since corrective
Nominally LP- it shares a common return line.
ESD-P41
Solenoid
Valve 1
Page 10 of 21
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B1
FM
Ref
FM No: 1-0-4
6 Loss of LP Over Pressure A PRV 6487 Affected PRV does not relieve in an over pressurisation condition With associated header isolation valve Associated header instrumentation will Upstream pump LP pressure control. Confirm Technical
Protection in an individual fails to relieve leading to possible damage of the individual output line in an open, LP Accumulator PRV's will also indicate over pressure condition. Publications indicate that this
Output Header Channel. at correct isolated umbilical channel dead head situation. provide a degree of safety back-up Upstream accumulator PRV's. failure of the PRV is classified
over pressure and relieve Input pressure at a as a dormant failure.
Nominally LP Channel 1 setting. predetermined set value. Manual bleed available to depressurise the
P40 loop umbilicals. Recommend that an effective
Dormant failure inspection schedule &
confirm PRV serviceability.
Page 11 of 21
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B1
SUBSYSTEM DESCRIPTION: Production Loop P40 Subsea Controls SUBSYSTEM DESCRIPTION: HP Hydraulic Supply
FM
Ref
FM: HP Supply FUNCTION DESCRIPTION: To provide clean HP Hydraulic Supply to the Umbilical (up to Topside Accumulator Manifold)
FM No: 1-0-5
1 Loss of Hydraulic Output A HP Duty Loss of output from Duty HP Hydraulic Pump No effect on system performance Standby Transmitter set point activated, Dual redundant HP Pump set.
from HP Pump Pump/motor other than loss of redundancy. standby pump starts.
Failure Loss of Duty HP Hydraulic supply. Standby HP Pump starts
Nominally HP Pump when setpoint activated. Fault indication on operator panels. (Not
assembly manned)
(pump/motor -
2-GA-6402A/ Audio and Visual alarm on SCS (not
2-XA-6402A 100% manned) and relayed to DCS.
B Pressure Relief Pump continues to run, pressure and flow continuously diverted No effect on system performance Standby Transmitter set point activated, Reset Pressure Relief setting to 110% of WP.
Valve operates to the Return Reservoir. other than loss of redundancy. standby pump starts.
at less than Replace PRV if not able to reset.
normal working Loss of output from the HP Pump. Fault indication on operator panels. (Not
pressure. manned) Audio and Visual alarm on SCS PRV can be reset or replaced without
Loss of Duty HP Hydraulic supply. Standby HP Pump starts (not 100% manned) and relayed to DCS. affecting the remaining functionality of the
when setpoint activated. overall HPU.
Fluid will flow to return reservoir - If
reservoir level is excessive, High Level
Return Light on operators panel, warning
at SCS and DCS.
Audio and Visual alarm on operator

panels.
C Pressure Pressure transducer fails to send a signal to controller that No effect on system performance Supply Transmitter set point activated, Control of pumps can be undertaken in
Transducer pressure is low. Pump fails to start. other than loss of redundancy. standby pump starts. manual mode at HPU Control Panel whilst
fails to maintenance action takes places.
function. Loss of output from the HP Pump. Fault indication on operator panels. (Not
Loss of Duty HP Hydraulic supply. Standby HP Pump starts (not 100% manned) and relayed to DCS.
when setpoint activated.
2 Loss of Pump hydraulic A PRV fails to Affected PRV does not relieve in an over pressurization No direct effect on system Dormant failure. Accumulator and header PRV's provide Confirm Technical
Over Pressure Protection relieve at condition, possible damage to system. performance during normal pump backup during normal operations. Publications indicate that this
correct over operations. HP accumulator PRV's failure of the PRV is classified
Nominally Duty HP Pump pressure downstream of the dual HP pump-set Associated pressure transmitter stops pump as a dormant failure.
setting. will provide safety back-up and relieve at preset cut-off value.
over pressure. Recommend that an effective
inspection schedule &
If Isolation valve is closed, possible frequency be derived to
safety hazard if the HP pump is confirm PRV serviceability.
operated against a "Dead Head".
B Pressure Pressure transducer fails to send a signal to HPU PLC that Pressure rises until either pump or Multiple alarms from the various pressure Associated pump and accumulator PRV's and
Transducer pressure is high. Pump fails to stop. accumulator PRV's relieve pressure. transducers in the HP system. HP header PRV's provide backup during
fails to normal operation.
function.
Page 12 of 21
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B1
FM
Ref
FM: HP Filtration FUNCTION DESCRIPTION: To provide clean HP Hydraulic Supply to each Umbilical (up to Topside Accumulator Manifold)
FM No: 1-0-6
1 Reduced/No Flow A Filter Reduced/No flow of hydraulic fluid through the affected filter. No immediate effect on system Differential pressure alarm will sound and Filter system checked and changed on a
element performance. Standby filter available provide warnng of blocked filter before the regular basis.
blocked Differential pressure sensor will alarm the condition to enable the in a non-redundant configuration. bypass condition is reached.
operator to manually select the standby filter. Differential pressure transmitter provides
However if filter bypass operates then Fault indication on operator panels. (Not information on the cleanliness and condition
the HP system will use unfiltered manned) Audio and Visual alarm on MCS of the duty filter. The filter will gradually clog
hydraulic fluid - increased risk of (not 100% manned) and relayed to DCS. over time. This allows preventive
subsea component maintenance to be carried out on the blocked
blockages/malfunction due to filter whilst HPU operations continue using
contaminated hydraulic fluid. the second filter.
Loss of filter redundancy. Additional filtration provided by cleaning

circuit filters during transfer from return
reservoir to supply reservoir.
B Filter Reduced flow of hydraulic fluid through the affected filter. Dormant failure mode in normal Dormant failure mode until filter is Filter system checked and changed on a
differential operation. replaced on a regular basis. regular basis.
pressure Differential pressure sensor fails to alarm a blocked filter
device fails condition to enable the operator to manually select the standby Nil effect during normal operations Additional filtration provided by cleaning
to identify filter. until the filter becomes blocked and circuit filters during transfer from return
blocked filter the filter bypass operates then the HP reservoir to supply reservoir.
system will use unfiltered hydraulic
fluid - increased risk of subsea
component blockages/malfunction
due to contaminated hydraulic fluid.
Loss of filter redundancy.
2 Loss of Filtration A Filter No filtration of hydraulic oil. Dormant failure mode in normal Dormant failure mode until filter assembly Filter system checked and changed on a Recommend that an effective
element operation. is checked on a regular basis. regular basis. procedure to re-cycle and
holed or clean fluid in return reservoir
missing The HP system will use unfiltered Additional filtration provided by cleaning Additional filtration provided by cleaning before re-filling supply
hydraulic fluid - increased risk of circuit filters during transfer from return circuit filters during transfer from return reservoir.
subsea component reservoir to supply reservoir. reservoir to supply reservoir.
blockages/malfunction due to Recommend that an effective
contaminated hydraulic fluid. inspection schedule &
B Filter by- No filtration of hydraulic oil. Dormant failure mode in normal Dormant failure mode until filter assembly Filter system checked and changed on a Recommend that an effective
pass operation. is checked on a regular basis. regular basis. procedure to re-cycle and
spuriously clean fluid in return reservoir
operates When filter bypass operates Additional filtration provided by cleaning Additional filtration provided by cleaning before re-filling supply
continually then the HP system will circuit filters during transfer from return circuit filters during transfer from return reservoir.
use unfiltered hydraulic fluid - reservoir to supply reservoir. reservoir to supply reservoir.
increased risk of subsea component Recommend that an effective
blockages/malfunction due to inspection schedule &
contaminated hydraulic fluid. frequency be derived to
Page 13 of 21
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B1
FM
Ref
FM: HP Accumulation and Distribution Header FUNCTION DESCRIPTION: To provide redundant HP Hydraulic Supply through each Umbilical.
FM No: 1-0-7
1 Loss of HP accumulation A Accumulator Pressure will be maintained by the remaining accumulators and No direct effect on the system Local pressure indicator will provide Remaining accumulators and pumps provide
(nominally 2- the HP Pumps. performance. indication of a loss of pre-charge. sufficient volume and pressure to undertake
DA-6401A) normal operations
pre-charge Reduction in fault tolerance.
fails.
Dormant failure.
B Accumulator Pressure will be maintained by the remaining accumulators and No direct effect on the system Local pressure indicator will provide Remaining accumulators and pumps sets
bursting disc the HP Pumps. performance. indication of a loss of pre-charge. provide sufficient volume and pressure to
spuriously undertake normal operations
relives Reduction in fault tolerance.
Dormant failure.
2 Loss of HP Hydraulic A Severe leak Loss of HP pressure from pumps and accumulators. Loss of HP Supply Pressure, until Low pressure alarm initiated and then Operation of manual isolation valve to the
Supply. from any failed accumulator is isolated restoring standby pump started. If pressure associated accumulator will restore supply.
accumulator Both HP pumps stop when pressure drops below a system functionality continues to fall Low-Low alarm is Accumulator can be repaired/replaced at
predetermined setpoint. initiated and both HP pumps are stopped. appropriate time without system shutdown.
All tree valves are retained in position
Umbilical supply lines remain charged. via the accumulation in the SCMs.

operations
B Accumulator Loss of HP pressure from pumps and accumulators. Loss of HP Supply Pressure, until Low pressure alarm initiated and then Operation of manual isolation valve to the
PRV failed accumulator is isolated restoring standby pump started. If pressure associated accumulator will restore supply.
(TS6423) Both HP pumps stop when pressure drops below a system functionality continues to fall Low-Low alarm is
spuriously predetermined setpoint. initiated and both HP pumps are stopped. Accumulator PRV cannot be
relieves All tree valves are retained in position repaired/replaced at appropriate time without
pressure. Umbilical supply lines remain charged. via the accumulation in the SCMs. system shutdown as it share a common PRV
return line.
operations
3 Loss of HP Hydraulic A ESD solenoid Loss of a single HP channel to all of the Well SCMs (max 12 off) Subsequent Reduction in fault Associated HP A header Low pressure Alternative supply is available (remaining HP
Supply in a single Header valve and Manifold SCMs (3 off) on the umbilical. tolerance in that all affected Tree alarm initiated. line)
line spurious Control Modules will remain
Nominally HP Channel 1(A) and the alternative channel connected before the DCVs unlatch. in a non-redundant configuration. occurs in the HPU since corrective
P40 Loop Nominally HP- maintenance cannot be undertaken safely as
close safely. alternative HP channel is selected -
Currently: on the P40 Loop .
30-X-P42-C Well SCM This can potentially result in the loss

30-X-P42-D Well SCM of 4 Wells on the three production
manifolds. Worst case is the loss of
30-X-P43-B Well SCM 12 production wells, if all spare wells
30-X-P43-C Well SCM are utilised).
Page 14 of 21
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B1
FM
Ref
FM No: 1-0-7
B ESD solenoid Loss of a single HP channel to all of the Well SCMs (max 12 off) Subsequent Reduction in fault Associated HP A header Low pressure Alternative supply is available (remaining HP
valve and Manifold SCMs (3 off) on the umbilical. tolerance in that all affected Tree alarm initiated. line)
spurious Control Modules will remain
Nominally HP- maintenance cannot be undertaken safely as

C ESD Pilot Loss of a single HP channel to all of the Well SCMs (max 12 off) Subsequent Reduction in fault Associated LP A header Low pressure Alternative supply is available (remaining HP
valve and Manifold SCMs (3 off) on the umbilical. tolerance in that all affected Tree alarm initiated. line)
spurious Control Modules will remain
Nominally HP- maintenance cannot be undertaken safely as
Pilot Valve open then for a short period of time all DCVs within the following has not been selected open, then for

Page 15 of 21
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B1
FM
Ref
FM No: 1-0-7
D Header PRV Loss of a single HP channel to all of the Well SCMs (max 12 off) Subsequent Reduction in fault Associated HP A header Low pressure Alternative supply is available (remaining HP
(6487) and Manifold SCMs (3 off) on the umbilical. tolerance in that all affected Tree alarm initiated. line)
spuriously Control Modules will remain
relieves Pressure drop will be automatically detected by the shuttle valve operational on the alternative channel Hold for repair until a combinational failure
pressure. and the alternative channel connected before the DCVs unlatch. in a non-redundant configuration. occurs in the HPU since corrective
In the event that the alternative supply has not been selected In the event that the alternative supply it shares a common return line.
open then for a short period of time all DCVs within the following has not been selected open, then for

4 Loss of ESD shutdown ina A Failure Loss of fault tolernace and a dormant failure. The second ESD System will continue to function and Dormant failure Alternative ESD is available via the second Recommend that an effective
single header. (sticking / solenoid valve in the line will operate and succesfully vent the perform an ESD shutdown. ESD soleniod valve in the line inspection schedule &
Nominally LP Channel 1(A) ESD-P41 However loss of fault tolernace and a Hold for repair until a combinational failure confirm ESD serviceability.
P40 Loop. solenoid dormant failure mode. occurs in the HPU since corrective
valve. maintenance cannot be undertaken safely as
Nominally it shares a common return line.
Solenoid
Valve 1
Failure (sticking / seizing) of B Failure Loss of fault tolernace and a dormant failure. The second ESD System will continue to function and Dormant failure Alternative ESD is available via the second Recommend that an effective
ESD pilot valve. (sticking / solenoid valve in the line will operate and succesfully vent the perform an ESD shutdown. ESD soleniod valve in the line inspection schedule &
Nominally HP-ESD-P41 ESD-P41 However loss of fault tolernace and a Hold for repair until a combinational failure confirm ESD serviceability.
Pilot Valve 1 solenoid dormant failure mode. occurs in the HPU since corrective
valve. maintenance cannot be undertaken safely as
Nominally it shares a common return line.
Solenoid
Valve 2
Page 16 of 21
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B1
FM
Ref
FM No: 1-0-7
C Failure In the event of a surface ESD shutdown, a single subsea HP Unable to perform a controlled ESD Dormant failure during normal operation Manual bleed down. Recommend that an effective
(sticking / Supply pressure is not relieved . Due to the action of the SCM shutdown. Potential increase in time inspection schedule &
seizing) of located shuttle valves all of the HP DCVs within the following (and hence loss of production) when After an ESD the associated header Electronic control to vent valves via the SCM frequency be derived to
ESD pilot Well SCMs will remain "latched closed" and the associated fail re-starting. instrumentation will indicate a pressurised may still be available. confirm ESD serviceability.
valve. safe valves remain open. condition.
Single Point Failure and Dormant Subsea electrical control to the HP DCV and
Nominally HP- Currently: failure in normal operation. to the LP DCVs are the primary and
ESD-P41 secondary means of closing the SCSSV
Pilot Valve 30-X-P42-C Well SCM The HP DCV will remain in the latched
30-X-P42-D Well SCM closed position only if the electrical
control circuits to the HP Selector
30-X-P43-B Well SCM valves and HP DCV are unavailable
30-X-P43-C Well SCM and the LP supply pressure cannot be
relieved via subsea electronic control
or surface LP ESD.
5 Loss of HP Over Pressure A PRV 6467 Affected PRV does not relieve in an over pressurisation condition With associated header isolation valve Associated header instrumentation will Upstream pump LP pressure control. Confirm Technical
Protection in an individual fails to relieve leading to possible damage of the individual output line in an open, LP Accumulator PRV's will also indicate over pressure condition. Publications indicate that this
Output Header Channel. at correct isolated umbilical channel dead head situation. provide a degree of safety back-up Upstream accumulator PRV's. failure of the PRV is classified
over pressure and relieve Input pressure at a as a dormant failure.
Nominally HP Channel 1 setting. predetermined set value. Manual bleed available to depressurise the
P40 loop umbilicals. Recommend that an effective
Dormant failure inspection schedule &
confirm PRV serviceability.
Page 17 of 21
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B1
FM
Ref
FM: Hydraulic Circulation System FUNCTION DESCRIPTION: To circulate hydraulic fluid through filters for cleaning and to transfer fluid between supply and return reservoirs
FM No: 1-0-8
1 Loss of Hydraulic flow to A Pump inlet No flow of hydraulic fluid through the recirculation pump, No immediate effect on the Circulation pump will continue to run until Maintain oil cleanliness.
Circulation Pump, selector valve unable to circulate hydraulic fluid through filters. performance of the Subsea Controls it trips out on an overheat condition and
(pump/motor - Restricted or System. then remote indication that recirculation Periodic task to assess oil cleanliness and
2-GA-6401/2-XA-6401 Blocked Unable to transfer fluid from the return reservoir to the supply pump has stopped. run circulation/transfer pump.
reservoir. In the event of a loss of supply
reservoir contents the Low Low alarm In the event of a blocked subsea LP
will activate. All pumps will stop and and/or HP filter, the subsea Differential
the accumulators and umbilicals pressure alarm will sound and provide
remain pressurised. warnng of blocked recirculation filter
before the bypass condition is reached.
In the event of contaminated fluid the Fault indication on operator panels. (Not
worst case is that the primary subsea manned) Audio and Visual alarm on SCS
LP and HP filters may becomed (not 100% manned) and relayed to DCS.
clogged prematurely and the filter
bypass operates allowing the use
unfiltered hydraulic fluid - increased
risk of subsea component
blockages/malfunction due to
contaminated hydraulic fluid.
B Transfer / Loss of output from circulation pump, unable to circulate No immediate effect on the Remote indication that recirculation Periodic task to assess condition of
Circulation hydraulic fluid through filters. performance of the Subsea Controls pump is not running. circulation/transfer pump, 2-GA-6401/2-XA-
Pump Failure System. 6401
Unable to transfer fluid from the return reservoir to the supply In the event of a blocked subsea LP
reservoir. In the event of a loss of supply and/or HP filter, the subsea Differential
reservoir contents the Low Low alarm pressure alarm will sound and provide
will activate. All pumps will stop and warnng of blocked recirculation filter
the accumulators and umbilicals before the bypass condition is reached.
remain pressurised. Fault indication on operator panels. (Not
In the event of contaminated fluid the (not 100% manned) and relayed to DCS.
worst case is that the primary subsea
LP and HP filters may becomed
Page 18 of 21
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B1
FM
Ref
FM No: 1-0-8
C Return No flow of hydraulic fluid through the recirculation pump, No immediate effect on the Circulation pump will continue to run until Maintain oil cleanliness.
reservoir output unable to circulate hydraulic fluid through filters. performance of the Subsea Controls it trips out on an overheat condition and
selector valve System. then remote indication that recirculation Periodic task to assess oil cleanliness and
restricted or Unable to transfer fluid from the return reservoir to the supply pump has stopped. run circulation/transfer pump.
blocked reservoir. In the event of a loss of supply
reservoir contents the Low Low alarm In the event of a blocked subsea LP
will activate. All pumps will stop and and/or HP filter, the subsea Differential
the accumulators and umbilicals pressure alarm will sound and provide
remain pressurised. warnng of blocked recirculation filter
In the event of contaminated fluid the Fault indication on operator panels. (Not
worst case is that the primary subsea manned) Audio and Visual alarm on SCS
LP and HP filters may becomed (not 100% manned) and relayed to DCS.
C Blocked Filter, Reduced flow of hydraulic fluid through the affected No immediate effect on the Recirculating differential pressure alarm Recirculating differential pressure sensor will
FL6401 recirculation filter. performance of the Subsea Controls will sound and provide warnng of blocked indicate that the filter is clogged and requires
System. recirculation filter before the bypass attention due to a high differential pressure
Differential pressure sensor will alarm the condition. condition is reached. across the filter.
Worst case is that the primary subsea
No immediate effect on recirculatuion/transfer function. LP and HP filters may becomed Fault indication on operator panels. (Not Periodic inspection and cleaning of filter.
clogged prematurely and the filter manned) Audio and Visual alarm on SCS
Worst case is that the recirculation filter by-pass will operate, as bypass operates allowing the use (not 100% manned) and relayed to DCS.
the circulating hydraulic fluid will not be filtered, there is a unfiltered hydraulic fluid - increased
potential for the subsea HP and LP filters to clog quicker than risk of subsea component In the event of a blocked subsea LP
expected. blockages/malfunction due to and/or HP filter, the subsea Differential
contaminated hydraulic fluid. pressure alarm will sound and provide
warnng of blocked recirculation filter
Fault indication on operator panels. (Not
(not 100% manned) and relayed to DCS.
2 Loss of ability to transfer A Tank input Unable to direct hydraulic oil into the supply reservoir when No immediate effect on the Problem will be evident when transfer Periodic testing and operation of manual
fluid from the return selector valve required. Hydraulic oil is incorrectly diverted into return performance of the Subsea Controls operations begin and supply reservoir selector valve.
reservoir to the supply incorrectly reservoir. System. level remains unchanged. When this
reservoir. selects return occurs problem will be investigated.
reservoir Worse case is that supply reservoir runs to a Low Low level due In the event of a loss of supply
to normal subsea consumption. reservoir contents, the Low Low alarm However all pumps will automatically
will activate. All pumps will stop and stop if supply reservoir Low Low alarms
No flow available to both of the LP and HP pumps. the accumulators and umbilicals are ctivated.
remain pressurised.
LP and HP accumulators remain charged and all umbilicals
remain pressurised. Single Point Failure.
Page 19 of 21
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B1
FM
Ref
FM No: 1-0-8
B Pump inlet Unable to select hydraulic oil from the return reservoir when No immediate effect on the Problem will be evident when transfer Periodic testing and operation of manual
selector valve required. Hydraulic fluid is drawn from the supply reservoir. performance of the Subsea Controls operations begin and supply reservoir selector valve.
incorrectly System. level remains unchanged. When this
selects return Worse case is that supply reservoir runs to a Low Low level due occurs problem will be investigated.
reservoir to normal subsea consumption. In the event of a loss of supply
reservoir contents, the Low Low alarm However all pumps will automatically
No flow available to both of the LP and HP pumps. will activate. All pumps will stop and stop if supply reservoir Low Low alarms
the accumulators and umbilicals are ctivated.
LP and HP accumulators remain charged and all umbilicals remain pressurised.
remain pressurised.
Spurious selection of supply reservoir recirculation mode.
C Return Loss of output from circulation pump, unable to circulate No immediate effect on the Problem will be evident when transfer Periodic task to assess condition of
reservoir output hydraulic fluid. performance of the Subsea Controls operations begin and supply and return circulation/transfer pump, 2-GA-6401/2-XA-
selector valve System. reservoir levels remain unchanged. 6401
incorrectly Unable to transfer fluid from the return reservoir to the supply When this occurs problem will be
selects dipping reservoir. In the event of contaminated fluid the investigated.
lance route. worst case is that the primary subsea
LP and HP filters may becomed In the event of a blocked subsea LP
clogged prematurely and the filter and/or HP filter, the subsea Differential
bypass operates allowing the use pressure alarm will sound and provide
unfiltered hydraulic fluid - increased warnng of blocked recirculation filter
risk of subsea component before the bypass condition is reached.
blockages/malfunction due to Fault indication on operator panels. (Not
contaminated hydraulic fluid. manned) Audio and Visual alarm on SCS
(not 100% manned) and relayed to DCS.
3 Loss of ability to recirculate A Tank input Unable to direct hydraulic oil into the return reservoir when No immediate effect on the Problem will be evident when transfer Periodic testing and operation of manual
and clean fluid to return selector valve required. Hydraulic oil is incorrectly diverted into supply performane of the Subsea Controls operations begin and return reservoir selector valve.
reservoir. incorrectly reservoir. Return reservoir empties and supply reservoir fills System. level remains unchanged. When this
selects supply until either the return reservoir Low Low or supply reservoir high occurs problem will be investigated.
reservoir alarm is activated. In the event of a loss of return
Worst case is that return reservoir runs to a Low Low level will activate. In the event of overfilling stop if return reservoir Low Low alarms
resulting in no flow available to both of the LP and HP pumps. the supply reservoir the High alarm will are activated.
activate.
remain pressurised. A|ll pumps will stop and the
accumulators and umbilicals remain
pressurised.
B Pump input Unable to obtain hydraulic oil from return reservoir when No immediate effect on the Problem will be evident when Periodic testing and operation of manual
selector valve required. Hydraulic oil is incorrectly obtained from the supply performance of subsea system. recirculation operations begin and both selector valve.
incorrectly reservoir. Supply reservoir high level alarm will reservoir levels alther.
selects supply activate and prevent overfilling
reservoir Supply reservoir empties and return reservoir fills until either the
supply reservoir Low Low or return reservoir High alarm is
activated.
Potential risk of spillage of hydraulic oil.
Page 20 of 21
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B1
FM
Ref
FM No: 1-0-8
4 Loss of ability to recirculate A Tank input Unable to direct hydraulic oil into the supply reservoir when No immediate effect on the Problem will be evident when transfer Periodic testing and operation of manual
and clean fluid to supply selector valve required. Hydraulic oil is incorrectly diverted into return performane of the Subsea Controls operations begin and supply reservoir selector valve.
reservoir. incorrectly reservoir. Supply reservoir empties and return reservoir fills until System. level remains unchanged. When this
selects return either the supply reservoir Low Low or return high alarm is occurs problem will be investigated.
reservoir activated. In the event of a loss of supply
Worst case is that supply reservoir runs to a Low Low level will activate. In the event of overfilling stop if supply reservoir Low Low alarms
resulting in no flow available to both of the LP and HP pumps. the return reservoir the High alarm will are activated.
activate.
remain pressurised. A|ll pumps will stop and the
accumulators and umbilicals remain
pressurised.
B Pump inlet Unable to obtain hydraulic oil from supply reservoir when No immediate effect on the Problem will be evident when Periodic testing and operation of manual
selector valve required. Hydraulic oil is incorrectly obtained from the return performance of subsea system. recirculation operations begin and both selector valve.
incorrectly reservoir. Return reservoir high level alarm will reservoir levels alther.
selects return activate and prevent overfilling
reservoir Return reservoir empties and supply reservoir fills until either the
return reservoir Low Low or supply reservoir High alarm is
activated.
Potential risk of spillage of hydraulic oil.
5 Loss of filtration in either A Filter holed or Loss of recirculation filtration No immediate effect on the Dormant failure. Filter system checked and changed on a Recommend that an effective
circulation mode. missing, FL- performance of the Subsea Controls regular basis. inspection schedule &
6401 As the circulating hydraulic fluid is not filtered there is a potential System. frequency be derived to
for the HP and LP filters will clog quicker than expected. Additional system filtration provided by filters confirm filter serviceability.
Worst case is that the primary subsea downstream of LP & HP Pumps.
LP and HP filters may becomed
Note: Supply reservoir will require to be refilled from the return reservoir, and topped up as appropriate every 10 days (dependent on amount of valve activity)
Require a periodic inspection and operational procedure to transfer fluid between reservoirs
Page 21 of 21
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B 2
SUBSYSTEM DESCRIPTION: Production Loop P40 Subsea Controls

SUBSYSTEM: SCS
FM FAILURE MODE CS Ref CAUSES LOCAL EFFECTS SYSTEM EFFECTS METHOD OF DETECTION MITIGATION/ RECOVERY COMMENTS
Ref
FM: Delta V workstation FUNCTION DESCRIPTION: To provide control signals to the SCS.
FM No: 2-0-1
1 Fault in a DELTA V A Failure of Loss of an individual internal processor Reduction in HMI Processor fault SCS health/fault level displays / alarms The DELTA V STRATUS
STRATUS Application dual tolerance. Workstation can be repaired
Workstation redundant Reduction in fault tolerance without affecting the functionality
processor No direct system effect on the subsea of the overall SCS
Nominally 2NH 642 03A control system.
Remainder of the SCS continues to

operate in a fully dual redundant
mode.
2 Failure of a DELTA V A Failure of a Loss of HMI Communication from PPFO to SCMs 1-27 Loss of HMI control from the SCU. SCS health/fault level displays / alarms The HMI control of these trees is
STRATUS Application DELTA V still availabe via the SCU EWS in
Workstation STRATUS Unable to manually command 50% of subsea valves from the Nil effect on system perofance so the CTR
/Station SCU long as the SCU EWS is also
Nominally 2NH 642 03A available in the CTR.
Possible that the System runs blind, all affected wells remain
latched in the operating condition.
Single point failure
3 Loss of A Ethernet Loss of a HMI Communication path between Delta V Reduction in HMI fault tolerance SCS health/fault level displays / alarms The DELTA V STRATUS
Communication/control with Card Fails Workstation and the Associated Switch Workstation can be repaired
Switch Unit A Remainder of the SCS continues to without affecting the functionality
operate in a fully dual redundant of the overall SCS
mode.
4 Loss of A Ethernet Loss of a HMI Communication path between Delta V Reduction in HMI fault tolerance SCS health/fault level displays / alarms The DELTA V STRATUS
Communication/control with Card Fails Workstation and the Associated Switch Workstation can be repaired
Switch Unit 01P Remainder of the SCS continues to without affecting the functionality
operate in a fully dual redundant of the overall SCS
mode.
Page 1 of 9
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B 2

SUBSYSTEM: SCS
Ref
FM: MCS FUNCTION DESCRIPTION: To provide control signals to the SCS.
FM No: 2-0-2
1 Loss of the MCS comms A MCS failure Loss of Communications Server functions at Channel 'A'. Reduction in MCS fault tolerance. SCS health/fault level displays / alarms Alternative Comms Server 2NH
Server 64204B still available.
All DCV's remain "latched" in their current positions. No direct system effect whilst the
Nominally Channel 'A' opposite MCS Comms Server
Server 2NH 64204A. Significant reduction in fault tolerance of the SCS remains fully serviceable

mode.
2 Loss of A Ethernet Loss of Communication path to MCS A from Switch A Minor reduction in fault tolerance SCS health/fault level displays / alarms Communication from MCS
Communication/control with Card Fails Switching Interface remains Comms Server A via Switch B
Switch Unit 2ND64204 redundant.
Overall SCS continues to operate in a

fully dual redundant mode.
3 Loss of A Ethernet Loss of Communication path to MCS A from Switch B Minor reduction in fault tolerance SCS health/fault level displays / alarms Communication from MCS
Communication/control with Card Fails Switching Interface remains Comms Server A via Switch A
Switch Unit 2ND 64205 redundant.

4 Loss of A Ethernet Loss of HMI Communication from MCS A to both Delta V Reduction in HMI fault tolerance SCS health/fault level displays / alarms Communication from MCS
Communication/control with Card Fails Workstations VIA Switch A Comms Server A via Switch B
Switch Unit 2ND 642 02 Remainder of the SCS continues to
modee.
5 Loss of A Ethernet Loss of HMI Communication from MCS A to both Delta V Reduction in HMI fault tolerance SCS health/fault level displays / alarms Communication from MCS
Communication/control with Card Fails Workstations VIA Switch B Comms Server A via Switch A
Switch Unit 2ND 642 03 Remainder of the SCS continues to
modee.
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B 2

SUBSYSTEM: SCS
Ref
FM: PLC FUNCTION DESCRIPTION: To provide control signals to the SCS.
FM No: 2-0-3
1 Loss of Processor Control A PLC Power Loss of PLC Channel A. Reduction in PLC fault tolerance. SCS health/fault level displays / alarms Alternative device still available.
in the SCS PLC supply fails
Loss of Communications channel "A" to the associated No direct system effect whilst the The PLC has a watchdog monitor to
TRICONNEX ESD System opposite PLC remains fully prevent an undetected failure of the PLC.
serviceable
Loss of Communications channel "A" to the associated local I/O.
Loss of fault tolerance operate in a fully dual redundant
mode..
B Processor Loss of PLC Channel A. Reduction in PLC fault tolerance. SCS health/fault level displays / alarms Alternative device still available.
Card fails
Loss of Communications channel "A" to the associated No direct system effect whilst the The PLC has a watchdog monitor to
TRICONNEX ESD System opposite PLC remains fully prevent an undetected failure of the PLC.
serviceable
Loss of fault tolerance
mode..
2 Loss of communication with A Ethernet Loss of an individual Communications between MCS A and Minor reduction in fault tolerance PLC SCS health/fault level displays / alarms Communication between PLC A
Switch Unit ND 642 04 Card Fails MCS B and PLC A via Switch A Interface remains redundant. and MCS A and B remains
available via Switch B (ND 642
Loss of an individual communications path to the associated Overall SCS continues to operate in a 05)
TRICONEX ESD System fully dual redundant mode.
Loss of an individual communications path to the associated

local I/O.
3 Loss of communication with A Ethernet Loss of an individual Communications between MCS A and Minor reduction in fault tolerance PLC SCS health/fault level displays / alarms Communication between PLC A
Switch Unit ND 642 05 Card Fails MCS B and PLC A via Switch B Interface remains redundant. and MCS A and B remains
available via Switch a (ND 642
Loss of an individual communications path to the associated Overall SCS continues to operate in a 04)
TRICONEX ESD System fully dual redundant mode.

local I/O.
Page 3 of 9
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B 2

SUBSYSTEM: SCS
Ref
FM: PLC FUNCTION DESCRIPTION: To provide control signals to the SCS.
FM No: 2-0-3
4 Loss of A Ethernet Loss of PLC Channel A. Reduction in PLC fault tolerance. SCS health/fault level displays / alarms Alternative device still available.
Communication/control Card Fails
from the PLC with the local Loss of Communications channel "A" to the associated local I/O. No direct system effect whilst the
I/O Channel A opposite PLC remains fully
Loss of fault tolerance serviceable

mode..
5 Loss of communication with A Ethernet Loss of PLC Channel A. Reduction in PLC fault tolerance. SCS health/fault level displays / alarms Alternative device still available.
Swict Unit 642 02A Card Fails
Loss of Communications channel "A" to the associated No direct system effect whilst the
TRICONNEX ESD System opposite PLC remains fully
serviceable
Loss of fault tolerance
mode..
Page 4 of 9
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B 2

SUBSYSTEM: SCS
Ref
FM: Switching Unit 02 FUNCTION DESCRIPTION: To connect the MCS with units within the SCS.
FM No: 2-0-4
1 Loss of Network Switch A Power supply Loss of Control Communication between MCS A and MCS B Reduction in Network Switching fault SCS health/fault level displays / alarms Alternative device still available.
fails and both SPCUs via Switch A tolerance.
nominally Switch Unit ND
642 04A Loss of ESD Signals from PLC A to MCS A and MCS B via No direct system effect whilst the
Switch A opposite Switch remains fully
serviceable
Loss Control Communication between MCS A and MCS B and
HPU A via Switch A Remainder of the SCS continues to
mode..
B Network Loss of Control Communication between MCS A and MCS B Reduction in Network Switching fault SCS health/fault level displays / alarms Alternative device still available.
Switch and both SPCUs via Switch A tolerance.
Module Fails
Loss of ESD Signals from PLC A to MCS A and MCS B via No direct system effect whilst the
Switch A opposite Switch remains fully
serviceable
Loss Control Communication between MCS A and MCS B and
HPU A via Switch A Remainder of the SCS continues to
mode..
2 Loss of communication with A Ethernet Loss of an individual Communications between MCS A and Minor reduction in fault tolerance SCS health/fault level displays / alarms Communication from MCS A
PLC Channel A Module fails MCS B PLC A via awitch A Switching Interface remains and B remains available via
redundant. Switch B
TRICONEX ESD System Overall SCS continues to operate in a
local I/O.
3 Loss of A Ethernet Loss of Communication path to MCS A from Switch A Minor reduction in fault tolerance SCS health/fault level displays / alarms Communication from MCS
communication/control with Module fails Switching Interface remains Comms Server A via Switch B
MCS A redundant.

Page 5 of 9
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B 2

SUBSYSTEM: SCS
Ref
FM No: 2-0-4
4 Loss of A Ethernet Loss of Communication path to MCS B from Switch A Minor reduction in fault tolerance SCS health/fault level displays / alarms Communication from MCS
communication/control with Module fails Switching Interface remains Comms Server B via Switch B
MCS B redundant.

5 Loss of communication with A Ethernet Loss Control Communication between MCS A and MCS B and Minor reduction in fault tolerance SCS health/fault level displays / alarms Communication from MCS A
HPU A Module fails HPU A via Switch A Switching Interface remains and B remains available via
redundant. Switch B

SPCU A Switch 1 Module fails MCS B and both SPCU A via Switch A Switching Interface remains and B remains available via
redundant. Switch B

SPCU B Switch 1 Module fails MCS B and both SPCU B via Switch A Switching Interface remains and B remains available via
redundant. Switch B

8 Loss of communication with A Ethernet Loss of the Uplink Communications Channel between the Loss of uplink redundant path. SCS health/fault level displays / alarms Communication from MCS A
Associated Switch B Module fails Switches 2ND64204A and 2ND64205B and B remains available via
Overall SCS continues to operate in a Switch B
Minor loss of fault tolerance fully dual redundant mode.
Page 6 of 9
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B 2

SUBSYSTEM: SCS
Ref
FM No: 2-0-5
1 Loss of Network Switch A Power supply Loss of HMI Communication between MCS A and MCS B and Reduction in Network Switching fault SCS health/fault level displays / alarms Alternative device still available.
fails both Delta V Workstations tolerance.
Nominally Switch Unit
ND642 02 No direct system effect whilst the
opposite Switch remains fully
serviceable

mode..
Loss of Network Switch B Network Loss of HMI Communication between MCS A and MCS B and Reduction in Network Switching fault SCS health/fault level displays / alarms Alternative device still available.
Switch both Delta V Workstations tolerance.
Nominally Switch Unit Module Fails
ND642 02 No direct system effect whilst the
opposite Switch remains fully
serviceable

mode..
2 Loss of A Ethernet Loss of HMI Communication from MCS Comms Server A to both Minor reduction in fault tolerance HMI SCS health/fault level displays / alarms Communication from MCS
Communication/control with Module Fails Delta V Workstations via Switch A. interface remains redundant. Comms Server A to both Delta V
MCS Comms Server A Workstations available via Switch
Overall SCS continues to operate in a B
Nominally Switch Unit fully dual redundant mode.
ND642 02
3 Loss of A Ethernet Loss of HMI Communication from MCS Comms Server B to both Minor reduction in fault tolerance HMI SCS health/fault level displays / alarms Communication from MCS
Communication/control with Module Fails Delta V Workstations via Switch A. interface remains redundant. Comms Server B to both Delta V
MCS Comms Server A Workstations available via Switch
Overall SCS continues to operate in a B
Nominally Switch Unit fully dual redundant mode.
ND642 02
4 Loss of communication with A Ethernet Loss of an individual Communications Channel to a Delta V Minor reduction in fault tolerance HMI SCS health/fault level displays / alarms Communication to Delta V
a single communications Module Fails Workstation (SCMs 1-27) via Switch A interface remains redundant. Workstation (SCMs 1-27)
channel to a Delta V available via Switch B
Workstation Overall SCS continues to operate in a
ND642 02
Page 7 of 9
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B 2

SUBSYSTEM: SCS
Ref
FM No: 2-0-5
5 Loss of communication with A Ethernet Loss of an individual Communications Channel to a Delta V Minor reduction in fault tolerance HMI SCS health/fault level displays / alarms Communication to Delta V
a single communications Module Fails Workstation (SCMs 28.53) via Switch A interface remains redundant. Workstation (SCMs 28-53)
channel to a Delta V available via Switch B
Workstation Overall SCS continues to operate in a
ND642 02
8 Loss of communication with A Ethernet Loss of the Uplink Communications Channel between the Loss of uplink redundant path. SCS health/fault level displays / alarms Communication from MCS A
Associated Switch B Module fails Switches 2ND642 02 and 2ND642 03 and B remains available via
Overall SCS continues to operate in a Switch B
Minor loss of fault tolerance fully dual redundant mode.
Page 8 of 9
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B 2

SUBSYSTEM: SCS
Ref
FM: HMI Interface FUNCTION DESCRIPTION: To provide HMI within the SCS.
FM No: 2-0-5
1 Failure of a A Network Loss of an individual Communications Link from the PPFO to the No direct system effect on the subsea SCS health/fault level displays / alarms Alternative communications
communications switch Switch failure DELTA V STRATUS Operator Workstations and the DELTA V control system. switch available
SCS to PPFO (nominally STRATUS Application Workstations to the PPFO.
Network HMI remains available via O1S
(nominally Network Switch Switch O1P) Reduction in fault tolerance
O1P) Overall SCS continues to operate in a
2 Failure of a A Network Loss of an individual Communications Link from the PPFO to the No direct system effect on the subsea SCS health/fault level displays / alarms Alternative communications
communications switch Switch failure DELTA V STRATUS Operator Workstations and the DELTA V control system. switch available
SCS to PPFO (nominally STRATUS Application Workstations to the PPFO.
Network HMI remains available via O1P
(nominally Network Switch Switch O1S) Reduction in fault tolerance
O1S) Overall SCS continues to operate in a
3 Failure of a DELTA V A Failure of a Loss of SCS HMI Control from a single Operator workstation No direct system effect on the subsea SCS health/fault level displays / alarms Alternative workstation available.
STRATUS Operator DELTA V control system.
Workstation STRATUS
Workstation HMI remains available VIA EWS SCS
Nominally OWS SCS 1 1

4 Failure of a the MPFM EWS A Failure of an Loss of SCS MPFM Configurability from a single Operator No direct system effect on the subsea EWS in use only for periodic MPFM Use of spare EWS provided by Service tool only.
Engineering workstation control system. configuration. Detected by MPFM service vendor technician.
Workstation technician at EWS.
5 Failure of the MCS EWS A Failure of an Loss of SCS Diagnostic capability in the MCS Inability to undertake SCS diagnostics SCS health/fault level displays / alarms Alternative workstation available.
Engineering from the MCS Central Technical
Workstation Reduction in Operator effectiveness Room
Diagnostics remain available VIA

SCU Monitor 2NH 642 04

Page 9 of 9
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B3

SUBSYSTEM: SPCU
Ref
FM: Mains Cabinet FUNCTION DESCRIPTION: To provide electrical supply and control singnals to the Subsea Cabinets (6 off)
FM No: 3-0-1
1 Loss of a single UPS power A UPS fails Loss of an individual electrical supply to both of the Mains Significant reduction in fault tolerance. SCS health/fault level displays / alarms Alternative UPS supply available.
supply to both of SPCU (Nominally Cabinets (Subsea Channel A and subsea Channel B), reduction No direct system effect on subsea
Mains Cabinets; Subsea UPS A) in fault tolerance to all of the Subsea Cabinets 12 off. cabinet performance (12 off) whilst
Channel 'A' and 'B'. the opposite UPS supply remains fully
All of the Subsea Cabinets (12 off) continue to function on the serviceable.
alternative supply.
2 Loss of a single power A Isolating Loss of an individual electrical supply to a single Mains Cabinet, No direct system effect on subsea SCS health/fault level displays / alarms Alternative supply available.
supply to a single Mains relay fails reduction in fault tolerance to all of the Subsea Cabinets 6 off. cabinet performance (6 off) whilst the
Cabinet. opposite supply remains fully Isolating relay cannot be safely
All of the Subsea Cabinets (6off) continue to function on the serviceable. removed without isolating the
alternative supply. overall SPCU Mains Incoming
Overall SCS continues to operate in a Cabinet.
combinational failure occurs in
the SPS.
B Input Current Loss of an individual electrical supply to a single Mains Cabinet, No direct system effect on subsea SCS health/fault level displays / alarms Alternative supply available.
Limiting reduction in fault tolerance to all of the Subsea Cabinets 6 off. cabinet performance (6 off) whilst the
Device fails opposite supply remains fully Current limiting device cannot be
All of the Subsea Cabinets (6off) continue to function on the serviceable. safely removed without isolating
alternative supply. the overall SPCU Mains
Overall SCS continues to operate in a Incoming Cabinet.
the SPS.
3 Loss of a single power A Output Loss of an individual electrical supply, reduction in fault tolerance No direct system effect on subsea SCS health/fault level displays / alarms Alternative supply available.
supply to a single Subsea Current to a single Subsea cabinet. cabinet performance, whilst the
Cabinet. Limiting opposite supply remains fully Current limiting device cannot be
Device to an Subsea Cabinet (1 off) continues to function on the alternative serviceable. safely removed without isolating
individual supply. the overall SPCU Mains
Subsea Overall SCS continues to operate in a Incoming Cabinet.
Cabinet fails fully dual redundant mode.
the SPS.
4 Loss of a single 24V DC A PLC PSU Loss of an individual electrical supply to the Mains Cabinet PLC, No direct system effect on subsea SCS health/fault level displays / alarms Alternative supply available.
power supply fails reduction in fault tolerance. system performance.
Power Supply Unit cannot be
Master PLC continues to function on the alternative supply. safely removed without isolating
the overall SPCU Mains
Incoming Cabinet.

the SPS.
Page 1 of 6
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B3

SUBSYSTEM: SPCU
Ref
FM: Mains Cabinet FUNCTION DESCRIPTION: To provide electrical supply and control singnals to the Subsea Cabinets (6 off)
FM No: 3-0-1
B Input Current Loss of an individual electrical supply to the Mains Cabinet PLC, No direct system effect on subsea SCS health/fault level displays / alarms Alternative supply available.
Limiting reduction in fault tolerance. system performance.
Device to an Current limiting device cannot be
individual Master PLC continues to function on the alternative supply. safely removed without isolating
PLC PSU the overall SPCU Mains
fails Incoming Cabinet.

the SPS.
C Output Loss of an individual electrical supply to the Mains Cabinet PLC, No direct system effect on subsea SCS health/fault level displays / alarms Alternative supply available.
Current reduction in fault tolerance. system performance.
Limiting Current limiting device cannot be
Device from Master PLC continues to function on the alternative supply. safely removed without isolating
an individual the overall SPCU Mains
PLC PSU Incoming Cabinet.
fails
the SPS.
5 Total loss of monitoring of A Master PLC Loss of the PLC leaves the SCU unable to read Mains Cabinet No direct system effect on subsea SCS health/fault level displays / alarms
the Mains Cabinet. fails housekeeping data; plc does not control the network switch; nil system performance.
affect on subsea comms functionality.
Loss of monitoring only
6 Failure of a A Switching Loss of an individual Communications Channel from a single No direct system effect on subsea SCS health/fault level displays / alarms Alternative control channel
communications switch in Unit failure Mains Cabinet, reduction in fault tolerance to all of the Subsea cabinet performance (6 off) whilst the available.
the Mains Cabinet. (nominally Cabinets 6 off. opposite communications channel
Switching remains fully serviceable.
unit 2) All of the Subsea Cabinets (6off) continue to function on the
alternative Communication Channel. Overall SCS continues to operate in a
B Switching As Switching Unit 2 for Subsea Control functions. SCS health/fault level displays / alarms
Unit failure
(nominally In addition loss of control and communications to a HPU PLC No direct system effect on the HPU Alternative control channel
Switching whilst the opposite SCS Control available.
unit 1) channel remains fully serviceable.
Page 2 of 6
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B3

SUBSYSTEM: SPCU
Ref
FM: Subsea Cabinet FUNCTION DESCRIPTION: To provide control signals to an individual SPCU cabinet
FM No: 3-0-2
1 Total loss of monitoring of A Master PLC Loss of the plc leaves the SCU unable to read Subsea Cabinet No direct system effect on subsea SCS health/fault level displays / alarms
the Subsea Cabinet. fails and individual SOM housekeeping data; plc does not control the system performance.
network switch; nil affect on subsea comms functionality.
Nominally Channel A. Loss of monitoring only
2 Loss of electrical A Subsea Loss of electrical supply/modulated signal to all of the single pair Loss of control of a single pair of SCS health/fault level displays / alarms Alternative control channel
supply/modulated signal to Cabinet of conductors within the cabinet. conductors within eight umbilicals. available.
all of the single pairs of Switching
conductors (7 off) within a Unit failure Loss of Power and Communications channel 'A' to the No direct system effect whilst the
subsea cabinet. associated SEM's on each umbilical (8off), a maximum of 3 opposite control channel remains fully
SCM's on each umbilical serviceable.
Reduction in fault tolerance in that up

to 21 SCM's remain operational on
All DCV's remain "latched" in their current positions. However the alternative channel in a non-
the alternative channel can be used to control the system. redundant configuration.
However as the subsea system

degrades over time, there is an
increased probability that this failure
mode will cause a complete loss of
one or wells.
B PLC PSU Loss of electrical supply to all of the modems within the Subsea Loss of control of a single pair of SCS health/fault level displays / alarms Alternative control channel
fails Cabinet, loss of a modulated signal to all of the single pair of conductors within eight umbilicals. available.
conductors within the cabinet.
No direct system effect whilst the
Loss of Power and Communications channel 'A' to the opposite control channel remains fully
associated SEM's on each umbilical (8off), a maximum of 3 serviceable.
SCM's on each umbilical
to 21 SCM's remain operational on
the alternative channel in a non-
All DCV's remain "latched" in their current positions. However redundant configuration.
the alternative channel can be used to control the system.
one or wells.
Page 3 of 6
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B3

SUBSYSTEM: SPCU
Ref
FM No: 3-0-2
C Input Current Loss of electrical supply to all of the modems within the Subsea No direct system effect on subsea SCS health/fault level displays / alarms Alternative supply available.
Limiting Cabinet, loss of a modulated signal to all of the single pair of system performance.
Device to the conductors within the cabinet. Current limiting device cannot be
PLC PSU safely removed without isolating
fails Loss of Power and Communications channel 'A' to the the overall SPCU Mains
associated SEM's on each umbilical (8off), a maximum of 3 Incoming Cabinet.
the SPS.
All DCV's remain "latched" in their current positions. However
D Output Loss of electrical supply to all of the modems within the Subsea No direct system effect on subsea SCS health/fault level displays / alarms Alternative supply available.
Current Cabinet, loss of a modulated signal to all of the single pair of system performance.
Limiting conductors within the cabinet. Current limiting device cannot be
Device from safely removed without isolating
the PLC PSU Loss of Power and Communications channel 'A' to the the overall SPCU Mains
fails associated SEM's on each umbilical (8off), a maximum of 3 Incoming Cabinet.
the SPS.
All DCV's remain "latched" in their current positions. However
3 Loss of a single power A Input Current Loss of an individual electrical supply, reduction in fault tolerance No direct system effect on subsea SCS health/fault level displays / alarms Alternative supply available.
supply channel Limiting to a single Subsea cabinet. cabinet performance, whilst the
Device fails opposite supply remains fully Current limiting device cannot be
Subsea Cabinet (1 off) continues to function on the alternative serviceable. safely removed without isolating
supply. the overall SPCU Subsea
Overall SCS continues to operate in a Cabinet.
the SPS.
Page 4 of 6
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B3

SUBSYSTEM: SPCU
Ref
FM No: 3-0-2
4 Loss of electrical A Subsea Loss of electrical supply/modulated signal to a single pair of Loss of control of a single pair of SCS health/fault level displays / alarms Alternative control channel
supply/modulated signal to Output conductors within a subsea cabinet. conductors within the P40 umbilical. available.
a single pair of conductors Module fails
within a subsea cabinet. Loss of Power and Communications channel 'A' to the No direct system effect whilst the
associated SEM's on a maximum of 3 SCM's. opposite control channel remains fully
Nominally Quad 1/Pair 1 serviceable.
(Q1/P1), P40 Loop Currently there are no wells allocated to Q1 P1
All DCV's remain "latched" in their current positions. However to 3 SCM's remain operational on the
the alternative channel can be used to control the system. alternative channel in a non-

one or wells.
B SOM 1 KVA Loss of electrical supply/modulated signal to a single pair of Loss of control of a single pair of SCS health/fault level displays / alarms Alternative supply available.
Transformer conductors within a subsea cabinet. conductors within the P40 umbilical.
fails SOM Transformer cannot be
Loss of Power and Communications channel 'A' to the No direct system effect whilst the safely removed without isolating
associated SEM's on a maximum of 3 SCM's. opposite control channel remains fully the overall Subsea Cabinet.
serviceable.
Currently there are no wells allocated to Q1 P1 Hold for repair until a
Reduction in fault tolerance in that up combinational failure occurs in
All DCV's remain "latched" in their current positions. However to 3 SCM's remain operational on the the SPS.

one or wells.
Page 5 of 6
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B3

SUBSYSTEM: SPCU
Ref
FM No: 3-0-2
5 Loss of control signal to a A Modem Loss of modulated signal to a single pair of conductors within a Loss of control of a single pair of SCS health/fault level displays / alarms Alternative control channel
pair of conductors within a internal subsea cabinet. conductors within the P40 umbilical. available.
subsea cabinet. failure
Loss of Power and Communications channel 'A' to the No direct system effect whilst the
Nominally Quad 1/Pair 1 serviceable.
(Q1/P1), P40 Loop Currently there are no wells allocated to Q1 P1

one or wells.
B Diplexer Loss of modulated signal to a single pair of conductors within a Loss of control of a single pair of SCS health/fault level displays / alarms Alternative control channel
Internal quad cabinet. conductors within the P40 umbilical. available.
failure
Loss of Power and Communications channel 'A' to the No direct system effect whilst the
serviceable.
Currently there are no wells allocated to Q1 P1

one or wells.
Page 6 of 6
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B4

SUBSYSTEM: Umbilical 30-UD-P41
FM
FAILURE MODE CS Ref CAUSES LOCAL EFFECTS SYSTEM EFFECTS METHOD OF DETECTION MITIGATION/ RECOVERY COMMENTS
Ref
FM: Umbilical FUNCTION DESCRIPTION: To transfer LP & HP Hydraulics, power and communications from Topsides to Subsea
FM No: 4-0-1
1 Loss of electronic control A Short circuit. Possibility of tripping the associated SPCU Subsea Output Loss of Control from a single pair of Alarm on SCS. Alternative channel is available -
from a single twisted pair Module. conductors within an umbilical. System is Dual Redundant.
within a quad. Over current trip or LIM trip on Subsea
Loss of Power & Communications channel "A" to the associated No direct system effect whilst the Power Control Unit. The proposed repair policy is to
Nominally Q1/P1 SEMs on the P40 Production Loop, a maximum of 3 Well SCMs. opposite control channel remains fully replace the Umbilical and DSUT
serviceable. It may be difficult to differentiate between as a single entity (after the
Currently there are no wells allocated to Q1 P1 failures in the Umbilicals / DSUT / DSUT- resultant numbers of failed quad
Reduction in fault tolerance in that up ISUT EFL and individual SCM EFLs. pairs causes the loss of one or
All DCVs remain "latched" in their current positions. to 3 SEMs remain operational on the more wells).
alternative channel in a non- The diagnosis methodology is to
redundant configuration. progressively disconnect each EFL in turn
(along the Control Loop) and restart the
Control channel to see if the fault has
been isolated.
B Open circuit. Loss of Power & Communications channel "A" to the associated Loss of Control from a single pair of Alarm on SCS. Alternative channel is available -
SEMs on 30-DS-P45; conductors within an umbilical. System is Dual Redundant.
It may be difficult to differentiate between
Currently there are no wells allocated to Q1 P1 No direct system effect whilst the failures in the Umbilicals / DSUT / DSUT- The proposed repair policy is to
opposite control channel remains fully ISUT EFL and individual SCM EFLs. utilise TDR to locate the open
All DCVs remain "latched" in their current positions. serviceable. circuit failure point
The diagnosis methodology is to
Reduction in fault tolerance in that up progressively disconnect each EFL in turn When the failure is located within
to 3 SEMs remain operational on the (along the Control Loop) and restart the the umbilical; the umbilical itself
alternative channel in a non- Control channel to see if the fault has will be replaced as a single item
redundant configuration. been isolated. (after the resultant numbers of
failed quad pairs has caused the
loss of one or more wells).
Should the failure point within the

umbilical be close to the DSUT,
the Umbilical and DSUT will be
replaced as a single entity
Nominally Q1/P2 SEMs on the P40 Production Loop, a maximum of 3 Well SCMs. opposite control channel remains fully replace the Umbilical and DSUT
serviceable. It may be difficult to differentiate between as a single entity (after the
Currently only a single well is connected to Q1 P2 failures in the Umbilicals / DSUT / DSUT- resultant numbers of failed quad
Well 30-X-P42-D SEM B; to 3 SEMs remain operational on the more wells).
All DCVs remain "latched" in their current positions. redundant configuration. progressively disconnect each EFL in turn
been isolated.
Page 1 of 23
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B4

FM
Ref
FM No: 4-0-1
B Open circuit. Loss of Power & Communications channel "B" to the associated Loss of Control from a single pair of Alarm on SCS. Alternative channel is available -
SEMs on 30-DS-P45: conductors within an umbilical. System is Dual Redundant.
Currently only a single well is connected to Q1 P2 No direct system effect whilst the failures in the Umbilicals / DSUT / DSUT- The proposed repair policy is to
Well 30-X-P42-D SEM B; serviceable. circuit failure point
All DCVs remain "latched" in their current positions. Reduction in fault tolerance in that up progressively disconnect each EFL in turn When the failure is located within
to 3 SEMs remain operational on the (along the Control Loop) and restart the the umbilical; the umbilical itself
alternative channel in a non- Control channel to see if the fault has will be replaced as a single item
redundant configuration. been isolated. (after the resultant numbers of
failed quad pairs has caused the
loss of one or more wells).
Should the failure point within the

3 Loss of electronic control A Combination Loss of Power & Communications channel "A" and "B" to the Loss of Control from a single pair of Alarm on SCS. Alternative channel is available -
from an overall quad of individual associated SEMs on a maximum of 6 Well SCMs. conductors within an umbilical. System is Dual Redundant.
assembly. pairs It may be difficult to differentiate between
resulting in a Currently only a single well is connected to Qaud 1 No direct system effect whilst the failures in the Umbilicals / DSUT / DSUT- The proposed repair policy is to
total failure opposite control channel remains fully ISUT EFL and individual SCM EFLs. replace the umbilical and DSUT
of the Quad Well 30-X-P42-D SEM B; serviceable. The diagnosis methodology is to as a single entity when the
progressively disconnect each EFL in turn resultant numbers of failed quad
All DCVs remain "latched" in their current positions. Reduction in fault tolerance in that up (along the Control Loop) and restart the pairs causes the loss of one or
to 6 SEMs remain operational on the Control channel to see if the fault has more wells.
alternative channel in a non- been isolated.
4 Loss of LP Hydraulic supply A Complete Loss of a single LP channel to all of the Well SCMs (max 12 off) Subsequent Reduction in fault Sudden loss in LP hydraulic pressure of a Alternative supply is available
in a single channel. loss and Manifold SCMs (3 off) on the Umbilical. tolerance in that all affected Trees single LP channel. (remaining LP line)
(Nominally LP1) (Rupture) of and Manifolds Control Modules will
LP hydraulic Pressure drop will be automatically detected by the shuttle valve remain operational on the alternative It may be difficult to differentiate between Hold for repair until a
lines / and the alternative channel connected before the DCVs unlatch. channel in a non-redundant failures in the Umbilicals / DSUT / combinational failure occurs in
connectors in configuration. ISUT/HDU / DSUT-ISUT Bridge the Umbilical, DSUT, ISUT &
a single Severe leakage of hydraulic fluid into the sea. Jumper/DSUT-HDU HFL and individual HDU assemblies within the P40
channel. Environmental hazard will require SCM HFLs Loop.
In the event that the alternative supply has not been selected Topside isolation.
open then for a short period of time all DCVs within the following When the failure is located within
Well SCMs and Manifold SCMs will "drop out" and the well will In the event that the alternative supply the umbilical; the umbilical itself
close safely. has not been selected open, then for will be replaced as a single item.
a short period of time until the
Currently: alternative LP channel is selected - Should the failure point within the
Total loss of production from all trees umbilical be close to the DSUT,
30-M-P41 Manifold SCM and Manifolds on the P40 Loop . the Umbilical and DSUT will be
30-X-P42-C Well SCM This results in the loss of 4 Wells on
30-X-P42-D Well SCM the three production manifolds and In addition, in the event of a total
30-M-P42 Manifold SCM all of the manifolds valves will also fail failure of both LP supplies, all of
shut, (with the exception of pigging the Well SCMs and Manifold
30-X-P43-B Well SCM valves). Worst case is the loss of 12 SCMs can be connected to the
30-X-P43-C Well SCM production wells, if all spare wells are spare line via reconfiguration of
30-M-P43 Manifold SCM utilised) the Bridge Jumper/HFL as
required.
Page 2 of 23
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B4

FM
Ref
FM No: 4-0-1
Loss of LP Hydraulic supply B Leak from LP Gradual loss of a single LP channel to all of the Well SCMs (max Subsequent Reduction in fault Gradual loss in LP hydraulic pressure of a Alternative supply is available
in a single channel hydraulic 12 off) and Manifold SCMs (3 off) on the Umbilical. tolerance in that all affected Trees single LP channel. (remaining LP line)
(continued). lines / and Manifolds Control Modules will
connectors in Pressure drop will be automatically detected by the shuttle valve remain operational on the alternative Hydraulic Power Unit hydraulic reservoir Hold for repair until a
a single and the alternative channel connected before the DCVs unlatch. channel in a non-redundant will require more frequent topping up as combinational failure occurs in
channel. configuration. indicated by pressure and level the Umbilical, DSUT, ISUT &
Leakage of hydraulic fluid into the sea. transmitters. HDU assemblies within the P40
Environmental hazard will require Loop.
In the event that the alternative supply has not been selected Topside isolation. It may be difficult to differentiate between
open then for a short period of time all DCVs within the following failures in the Umbilicals / DSUT / When the failure is located within
Well SCMs and Manifold SCMs will "drop out" and the well will In the event that the alternative supply ISUT/HDU / DSUT-ISUT Bridge the umbilical; the umbilical itself
close safely. has not been selected open, then for Jumper/DSUT-HDU HFL and individual will be replaced as a single item.
a short period of time until the SCM HFLs
Currently: alternative LP channel is selected - Should the failure point within the
Total loss of production from all trees umbilical be close to the DSUT,
30-M-P41 Manifold SCM and Manifolds on the P40 Loop . the Umbilical and DSUT will be
30-X-P42-D Well SCM of 4 Wells on the three production In addition, in the event of a total
30-M-P42 Manifold SCM manifolds and all of the manifolds failure of both LP supplies, all of
valves (manifold valves fail "as is", the Well SCMs and Manifold
30-X-P43-B Well SCM pigging valves fail open). Worst case SCMs can be connected to the
30-X-P43-C Well SCM is the loss of 12 production wells, if all spare line via reconfiguration of
30-M-P43 Manifold SCM spare wells are utilised). the Bridge Jumper/HFL as
required.
C Single LP Loss of LP pressure in affected channel following valve Subsequent Reduction in fault Excessive pressure drop over the length Alternative supply is available
hydraulic operations - loss of HP to all of the Well SCMs (max 12 off) on tolerance in that all affected Trees of the umbilical. (remaining LP line)
channel the umbilical and Manifold SCMs (3 off) on the umbilical. and Manifolds Control Modules will
blocked - remain operational on the alternative It may be difficult to differentiate between Hold for repair until a
input The resultant pressure drop will be automatically detected by the channel in a non-redundant failures in the Umbilicals / DSUT / combinational failure occurs in
pressure shuttle valve and the alternative channel connected before the configuration. ISUT/HDU / DSUT-ISUT Bridge the Umbilical, DSUT, ISUT &
DCVs unlatch. Jumper/DSUT-HDU HFL and individual HDU assemblies within the P40
In the event that the alternative supply SCM HFLs Loop.
In the event that the alternative supply has not been selected has not been selected open, then for
open then for a short period of time all DCVs within the following a short period of time until the Inability to operate valves in this line and The proposed repair policy is to
Well SCMs and Manifold SCMs will "drop out" and the well will alternative LP channel is selected - no visual indication from flowmeters. replace the Umbilical and DSUT
close safely. Total loss of production from all trees as a single entity
and Manifolds on the P40 Loop .
Currently: In addition, in the event of a total
This can potentially result in the loss failure of both LP supplies, all of
30-M-P41 Manifold SCM of 4 Wells on the three production the Well SCMs and Manifold
manifolds and all of the manifolds SCMs can be connected to the
30-X-P42-C Well SCM valves (manifold valves fail "as is", spare line via reconfiguration of
30-X-P42-D Well SCM pigging valves fail open). Worst case the Bridge Jumper/HFL as
30-M-P42 Manifold SCM is the loss of 12 production wells, if all required.
30-X-P43-B Well SCM
30-X-P43-C Well SCM
Page 3 of 23
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B4

FM
Ref
FM No: 4-0-1
D Single LP In the event of a surface ESD shutdown, subsea LP Supply Loss of surface ESD HP pressure Subsea electrical control to the
hydraulic pressure is not relieved . All DCVs within the following Well relief. HP DCV and to the LP DCVs are
channel SCMs and Manifold SCMs will remain "latched closed" and the the primary and secondary
blocked - associated fail safe valves remain open. The HP DCV will remain in the means of closing the SCSSV
ESD latched closed position only if the
pressure Currently: electrical control circuits to the HP
relief Selector valves; DCV are unavailable
30-M-P41 Manifold SCM and the LP supply pressure cannot be
30-X-P42-C Well SCM or surface LP ESD.
30-X-P42-D Well SCM
30-X-P43-B Well SCM

30-X-P43-C Well SCM
5 Loss of HP Hydraulic supply A Complete Loss of a single HP channel to all of the production trees (max Subsequent Reduction in fault Sudden loss in HP hydraulic pressure of Alternative supply is available
in a single channel. loss 12 off) on the umbilical. tolerance in that all affected Tree a single HP channel. (remaining HP line)
(Nominally HP1) (Rupture) of Control Modules will remain
HP hydraulic Pressure drop will be automatically detected by the shuttle valve operational on the alternative channel It may be difficult to differentiate between Hold for repair until a
lines / and the alternative channel connected before the DCVs unlatch. in a non-redundant configuration. failures in the Umbilicals / DSUT / HDU / combinational failure occurs in
connectors in DSUT-HDU Bridge Jumper and individual the Umbilical, DSUT, ISUT &
a single Severe leakage of hydraulic fluid into the sea. Environmental hazard will require SCM HFLs HDU assemblies within the P40
channel. Topside isolation. Loop.
In the event that the alternative supply has not been selected
open then for a short period of time all DCVs within the following In the event that the alternative supply When the failure is located within
Well SCMs will "drop out" and the well will close OUT OF has not been selected open, then for the umbilical; the umbilical itself
SYNCH. a short period of time until the will be replaced as a single item.
alternative HP channel is selected -
Currently: Total loss of production from all trees Should the failure point within the
on the P40 Loop . umbilical be close to the DSUT,
30-X-P42-C Well SCM the Umbilical and DSUT will be
30-X-P42-D Well SCM This can potentially result in the loss replaced as a single entity
30-X-P43-B Well SCM manifolds. Worst case is the loss of In addition, in the event of a total
30-X-P43-C Well SCM 12 production wells, if all spare wells failure of both HP supplies, all of
are utilised). the Well SCMs can be connected
to the spare line via
reconfiguration of the Bridge
Jumper/HFL as required.
Page 4 of 23
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B4

FM
Ref
FM No: 4-0-1
Loss of HP Hydraulic supply B Leak from Gradual loss of a single HP channel to all of the production trees Subsequent Reduction in fault Gradual loss in HP hydraulic pressure of Alternative supply is available
in a single channel HP hydraulic (max 12 off) on the umbilical. tolerance in that all affected Tree a single HP channel. (remaining HP line)
(continued). lines / Control Modules will remain
connectors in Subsequent pressure drop will be automatically detected by the operational on the alternative channel Hydraulic Power Unit hydraulic reservoir Hold for repair until a
a single shuttle valve and the alternative channel connected before the in a non-redundant configuration. will require more frequent topping up as combinational failure occurs in
channel. DCVs unlatch. indicated by pressure and level the Umbilical, DSUT, ISUT &
Environmental hazard will require transmitters. HDU assemblies within the P40
Leakage of hydraulic fluid into the sea. Topside isolation. Loop.
In the event that the alternative supply has not been selected In the event that the alternative supply failures in the Umbilicals / DSUT / HDU / When the failure is located within
open then for a short period of time all DCVs within the following has not been selected open, then for DSUT-HDU Bridge Jumper and individual the umbilical; the umbilical itself
Well SCMs will "drop out" and the well will close OUT OF a short period of time until the SCM HFLs will be replaced as a single item.
SYNCH. alternative HP channel is selected -
Total loss of production from all trees Should the failure point within the
Currently: on the P40 Loop . umbilical be close to the DSUT,
the Umbilical and DSUT will be
30-X-P42-C Well SCM This can potentially result in the loss replaced as a single entity
manifolds. Worst case is the loss of In addition, in the event of a total
30-X-P43-B Well SCM 12 production wells, if all spare wells failure of both HP supplies, all of
30-X-P43-C Well SCM are utilised). the Well SCMs can be
connected to the spare line via
C Single HP Loss of HP pressure in affected channel following valve Subsequent Reduction in fault Excessive pressure drop over the length Alternative supply is available
hydraulic operations - loss of HP to all of the Well SCMs (max 12 off) on tolerance in that all affected Tree of the umbilical. (remaining LP line)
channel the umbilical and Manifold SCMs (3 off) on the umbilical. Control Modules will remain
blocked - operational on the alternative channel It may be difficult to differentiate between Hold for repair until a
input The resultant pressure drop will be automatically detected by the in a non-redundant configuration. failures in the Umbilicals / DSUT / combinational failure occurs in
pressure shuttle valve and the alternative channel connected before the ISUT/HDU / DSUT-ISUT Bridge the Umbilical, DSUT, ISUT &
DCVs unlatch. In the event that the alternative supply Jumper/DSUT-HDU HFL and individual HDU assemblies within the P40
has not been selected open, then for SCM HFLs. Loop.
In the event that the alternative supply has not been selected a short period of time until the
open then for a short period of time the SCSSV DCV within the alternative HP channel is selected - Inability to operate valves in this line and The proposed repair policy is to
following Well SCMs will "drop out" and the well will close OUT Total loss of production from all trees no visual indication from flowmeters. replace the Umbilical and DSUT
OF SYNCH. on the P40 Loop . as a single entity
Currently: This can potentially result in the loss In addition, in the event of a total
of 4 Wells on the three production failure of both LP supplies, all of
30-X-P42-C Well SCM manifolds. Worst case is the loss of the Well SCMs can be connected
30-X-P42-D Well SCM 12 production wells, if all spare wells to the spare line via
are utilised). reconfiguration of the Bridge
30-X-P43-B Well SCM Jumper/HFL as required.
30-X-P43-C Well SCM
Page 5 of 23
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B4

FM
Ref
FM No: 4-0-1
D Single HP In the event of a surface ESD shutdown, subsea HP supply Loss of surface ESD HP pressure Subsea electrical control to the
hydraulic pressure is not relieved . HP DCV within the following Well relief. HP DCV and to the HP Selector
channel SCMs will remain "latched closed" until the LP Pilot pressure is Valves and the LP Dump valves
blocked - vented. The HP DCV will remain in the are the primary means of closing
ESD latched closed position only if the the SCSSV
30-X-P42-D Well SCM relieved via subsea electronic control
or surface LP ESD.
30-X-P43-B Well SCM
30-X-P43-C Well SCM
6 Loss of Wax A Complete Sudden loss of wax inhibitor/Demulsifier supply to the drill No long term effect on production as Sudden loss in CI pressure at CI Unit Alternative injection capability via
Inhibitor/Demulsifier supply loss centre. spare chemical line can be output transmitters. spare chemical line if available.
in a single channel. (Rupture) of reconfigured if available.
CI lines / Severe leakage of wax inhibitor/Demulsifier into the sea. Hold for repair until a
connectors. Environmental hazard will require combinational failure occurs in
Topside isolation. the Umbilical, DSUT, ISUT &
HDU assemblies within the P40
Loop.
B Leak from CI Gradual loss of wax inhibitor/Demulsifier supply to the drill No long term effect on production as Gradual reduction in CI pressure at CI Alternative injection capability via
lines / centre. spare chemical line can be Unit output transmitters. spare chemical line if available.
connectors. reconfigured if available.
Leakage of wax inhibitor/Demulsifier into the sea. Increase in consumption of wax Hold for repair until a
Environmental hazard will require inhibitor/Demulsifier. combinational failure occurs in
Loop.
7 Loss of Corrosion/Scale A Complete Sudden loss of wax inhibitor/Demulsifier supply to the drill No long term effect on production as Sudden loss in CI pressure at CI Unit Alternative injection capability via
Inhibitor supply in a single loss centre. spare chemical line can be output transmitters. spare chemical line if available.
channel. (Rupture) of reconfigured if available.
Loop.
Leakage of wax inhibitor/Demulsifier into the sea. Increase in consumption of Hold for repair until a
Environmental hazard will require corrosion/scale inhibitor. combinational failure occurs in
Loop.
Page 6 of 23
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B4

FM
Ref
FM No: 4-0-1
8 Loss of Anti-Asphaltene A Complete Sudden loss of anti-Asphaltene supply to the drill centre. No long term effect on production as Sudden loss in CI pressure at CI Unit Alternative injection capability via
supply in a single channel. loss spare chemical line can be output transmitters. spare chemical line if available.
(Rupture) of Severe leakage of anti-Asphaltene into the sea. reconfigured if available.
CI lines / Hold for repair until a
Loop.
B Leak from CI Gradual loss of anti-Asphaltene supply to the drill centre. No long term effect on production as Gradual reduction in CI pressure at CI Alternative injection capability via
lines / spare chemical line can be Unit output transmitters. spare chemical line if available.
connectors. Leakage of anti-Asphaltene into the sea. reconfigured if available.
Increase in consumption of anti- Hold for repair until a
Environmental hazard will require Asphaltene. combinational failure occurs in
Loop.
9 Loss of MEOH (nominally A Complete Sudden loss of MI1 supply to the drill centre. M2 and M3 No long term effect on production as Sudden loss in MI1 pressure at upstream Hold for repair until a
MI1) supply loss supplies will still be available. two lines are considered to provide HDU pressure transmitter. combinational failure occurs in
(Rupture) of sufficient MEOH to the four normally the Umbilical, DSUT, ISUT &
MI1 lines / Severe leakage of methanol into the sea. producing trees on the P40 loop. HDU assemblies within the P40
connectors. Loop.
However work over will be
compromised by the reduction in flow.
Fault tolerance configuration during

normal tree operations.

Topside isolation.
B Leak from Gradual loss of MI1 supply to the drill centre. M2 and M3 No long term effect on production as Gradual reduction in MI1 pressure at Hold for repair until a
MI1 lines / supplies will still be available. two lines are considered to provide upstream HDU pressure transmitter. combinational failure occurs in
connectors. sufficient MEOH to the four normally the Umbilical, DSUT, ISUT &
Leakage of methanol into the sea. producing trees on the P40 loop. Increase in consumption of MEOH. HDU assemblies within the P40
Loop.


Topside isolation.
Page 7 of 23
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B4
SUBSYSTEM: Umbilical 30-US-P42
FM
Ref
FM No: 4-0-2
Nominally Q1/P1 SEMs on the P40 Production Loop, a maximum of 3 Well SCMs. opposite control channel remains fully replace the DSUT; Umbilical and
serviceable. It may be difficult to differentiate between ISUT as a single entity (after the
Reduction in fault tolerance in that up ISUT EFL and individual SCM EFLs. pairs causes the loss of one or more
All DCVs remain "latched" in their current positions. to 3 SEMs remain operational on the wells).
been isolated.
opposite control channel remains fully ISUT EFL and individual SCM EFLs. utilise TDR to locate the open circuit
All DCVs remain "latched" in their current positions. serviceable. failure point and replace the DSUT;
The diagnosis methodology is to Umbilical and ISUT as a single
Reduction in fault tolerance in that up progressively disconnect each EFL in turn entity (after the resultant numbers of
to 2 SEMs remains operational on the (along the Control Loop) and restart the failed quad pairs has caused the
alternative channel in a non- Control channel to see if the fault has loss of one or more wells).
redundant configuration. been isolated.
However the quad pair to Spare Well 30-

X-P41-B SEM A on 30-DS-P41 provides
an indication of where the fault may be.
Reduction in fault tolerance in that up ISUT EFL and individual SCM EFLs. pairs causes the loss of one or more
Well 30-X-P42-D SEM B; to 3 SEMs remain operational on the wells).
been isolated.
Page 8 of 23
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B4
FM
Ref
FM No: 4-0-2
Well 30-X-P42-D SEM B; serviceable. failure point and replace the DSUT;
The diagnosis methodology is to Umbilical and ISUT as a single
All DCVs remain "latched" in their current positions. Reduction in fault tolerance in that up progressively disconnect each EFL in turn entity (after the resultant numbers of
to 2 SEMs remain operational on the (along the Control Loop) and restart the failed quad pairs has caused the
alternative channel in a non- Control channel to see if the fault has loss of one or more wells).
Further diagnosis between the Dynamic

Umbilical/DSUT assembly and the
ISUT/Infield Umbilical/DSUT assembly to
identify the failed item is believed to be
limited by the lack of ROV breakable
connections within these systems.

X-P41-A SEM A on 30-DS-P41 provides
an indication of where the fault may be
assembly. pairs resulting Over current trip or LIM trip on Subsea
in a total Currently only a single well is connected to Qaud 1 No direct system effect whilst the Power Control Unit. The proposed repair policy is to
failure of the opposite control channel remains fully replace the DSUT; Umbilical and
Quad Well 30-X-P42-D SEM B; serviceable. It may be difficult to differentiate between ISUT as a single entity (after the
failures in the Umbilicals / DSUT / DSUT- resultant numbers of failed quad
All DCVs remain "latched" in their current positions. Reduction in fault tolerance in that up ISUT EFL and individual SCM EFLs. pairs causes the loss of one or more
to 6 SEMs remain operational on the wells).
been isolated.
Page 9 of 23
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B4
FM
Ref
FM No: 4-0-2
LP hydraulic Pressure drop will be automatically detected by the shuttle valve remain operational on the alternative It may be difficult to differentiate between Hold for repair until a combinational
lines / and the alternative channel connected before the DCVs unlatch. channel in a non-redundant failures in the Umbilicals / DSUT / failure occurs in the Umbilical,
connectors in configuration. ISUT/HDU / DSUT-ISUT Bridge DSUT, ISUT & HDU assemblies
a single Severe leakage of hydraulic fluid into the sea. Jumper/DSUT-HDU HFL and individual within the P40 Loop. The proposed
channel. Environmental hazard will require SCM HFLs repair policy is to replace the DSUT;
In the event that the alternative supply has not been selected Topside isolation. Umbilical and ISUT as a single
open then for a short period of time all DCVs within the following entity
Well SCMs and Manifold SCMs will "drop out" and the well will In the event that the alternative supply
close safely. has not been selected open, then for In addition, in the event of a total
a short period of time until the failure of both LP supplies, all of the
Currently: alternative LP channel is selected - Well SCMs and Manifold SCMs can
Total loss of production from all trees be connected to the spare line via
30-M-P41 Manifold SCM and Manifolds on the P40 Loop . reconfiguration of the Bridge
30-X-P42-D Well SCM the three production manifolds and
30-M-P42 Manifold SCM all of the manifolds valves will also fail
shut, (with the exception of pigging
30-X-P43-B Well SCM valves). Worst case is the loss of 12
30-X-P43-C Well SCM production wells, if all spare wells are
30-M-P43 Manifold SCM utilised)
Page 10 of 23
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B4
FM
Ref
FM No: 4-0-2
connectors in Pressure drop will be automatically detected by the shuttle valve remain operational on the alternative Hydraulic Power Unit hydraulic reservoir Hold for repair until a combinational
a single and the alternative channel connected before the DCVs unlatch. channel in a non-redundant will require more frequent topping up as failure occurs in the Umbilical,
channel. configuration. indicated by pressure and level DSUT, ISUT & HDU assemblies
Leakage of hydraulic fluid into the sea. transmitters. within the P40 Loop. The proposed
Environmental hazard will require repair policy is to replace the DSUT;
In the event that the alternative supply has not been selected Topside isolation. It may be difficult to differentiate between Umbilical and ISUT as a single
open then for a short period of time all DCVs within the following failures in the Umbilicals / DSUT / entity
Well SCMs and Manifold SCMs will "drop out" and the well will In the event that the alternative supply ISUT/HDU / DSUT-ISUT Bridge
close safely. has not been selected open, then for Jumper/DSUT-HDU HFL and individual In addition, in the event of a total
a short period of time until the SCM HFLs failure of both LP supplies, all of the
Currently: alternative LP channel is selected - Well SCMs and Manifold SCMs can
Total loss of production from all trees be connected to the spare line via
30-M-P41 Manifold SCM and Manifolds on the P40 Loop . reconfiguration of the Bridge
channel the umbilical and Manifold SCMs (3 off) on the umbilical. and Manifolds Control Modules on 30-
blocked - DS-P43 and 30-DS-P45 will remain It may be difficult to differentiate between
Hold for repair until a combinational
input The resultant pressure drop will be automatically detected by the operational on the alternative channel failures in the Umbilicals / DSUT / failure occurs in the Umbilical,
pressure shuttle valve and the alternative channel connected before the in a non-redundant configuration. ISUT/HDU / DSUT-ISUT Bridge DSUT, ISUT & HDU assemblies
DCVs unlatch. Jumper/DSUT-HDU HFL and individual within the P40 Loop. The proposed
In the event that the alternative supply SCM HFLs. repair policy is to replace the DSUT;
In the event that the alternative supply has not been selected has not been selected open, then for Umbilical and ISUT as a single
open then for a short period of time all DCVs within the following a short period of time until the Inability to operate valves in this line and entity.
Well SCMs and Manifold SCMs will "drop out" and the well will alternative LP channel is selected - a no visual indication from flowmeters.
close safely. loss of production from all Trees and In addition, in the event of a total
Manifolds on the P40 Loop 30-DS- However serviceability of the LP line on failure of both LP supplies, all of the
Currently: P43 and 30-DS-P45 . 30-DS-P41 provides and indication of Well SCMs and Manifold SCMs can
where the fault may be. be connected to the spare line via
30-X-P42-C Well SCM This results in the loss of 4 Wells on reconfiguration of the Bridge
30-X-P42-D Well SCM production manifolds 30-DS-P43 and Jumper/HFL as required.
30-M-P42 Manifold SCM 30-DS-P45, the associated manifolds
valves will fail "as is". Pigging valve
30-X-P43-B Well SCM fail open. Worst case is the loss of 8
30-X-P43-C Well SCM production wells if all spare wells are
Page 11 of 23
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B4
FM
Ref
FM No: 4-0-2
D Single LP In the event of a surface ESD shutdown, subsea LP Supply Loss of surface ESD LP pressure However serviceability of the LP line on Subsea electrical control to the
hydraulic pressure is not relieved . All DCVs within the following Well relief. 30-DS-P41 provides an indication of DCVs and to the LP Dump valves is
channel SCMs and Manifold SCMs will remain "latched closed" and the where the fault may be. the primary means of closing
blocked - associated fail safe valves remain open. The DCVs will remain in the latched subsea valves.
ESD pressure closed position if the electrical control
relief Currently: circuits to the DCVs and the Dumps
valves are also unavailable.
30-X-P42-C Well SCM
30-X-P42-D Well SCM
30-X-P43-B Well SCM

30-X-P43-C Well SCM
HP hydraulic Pressure drop will be automatically detected by the shuttle valve operational on the alternative channel It may be difficult to differentiate between Hold for repair until a combinational
lines / and the alternative channel connected before the DCVs unlatch. in a non-redundant configuration. failures in the Umbilicals / DSUT / failure occurs in the Umbilical,
connectors in ISUT/HDU / DSUT-ISUT Bridge DSUT, ISUT & HDU assemblies
a single Severe leakage of hydraulic fluid into the sea. Environmental hazard will require Jumper/DSUT-HDU HFL and individual within the P40 Loop. The proposed
channel. Topside isolation. SCM HFLs repair policy is to replace the DSUT;
In the event that the alternative supply has not been selected Umbilical and ISUT as a single
open then for a short period of time all DCVs within the following In the event that the alternative supply entity.
Well SCMs will "drop out" and the well will close OUT OF has not been selected open, then for
SYNCH. a short period of time until the In addition, in the event of a total
alternative HP channel is selected - failure of both HP supplies, all of the
Currently: Total loss of production from all trees Well SCMs can be connected to the
on the P40 Loop . spare line via reconfiguration of the
30-X-P42-C Well SCM Bridge Jumper/HFL as required.
30-X-P42-D Well SCM This can potentially result in the loss
30-X-P43-B Well SCM manifolds. Worst case is the loss of
30-X-P43-C Well SCM 12 production wells, if all spare wells
are utilised).
Page 12 of 23
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B4
FM
Ref
FM No: 4-0-2
Loss of HP Hydraulic supply B Leak from HP Gradual loss of a single HP channel to all of the production trees Subsequent Reduction in fault Gradual loss in HP hydraulic pressure of Alternative supply is available
in a single channel hydraulic (max 12 off) on the umbilical. tolerance in that all affected Tree a single HP channel. (remaining HP line)
connectors in Subsequent pressure drop will be automatically detected by the operational on the alternative channel Hydraulic Power Unit hydraulic reservoir Hold for repair until a combinational
a single shuttle valve and the alternative channel connected before the in a non-redundant configuration. will require more frequent topping up as failure occurs in the Umbilical,
channel. DCVs unlatch. indicated by pressure and level DSUT, ISUT & HDU assemblies
Environmental hazard will require transmitters. within the P40 Loop. The proposed
Leakage of hydraulic fluid into the sea. Topside isolation. repair policy is to replace the DSUT;
It may be difficult to differentiate between Umbilical and ISUT as a single
In the event that the alternative supply has not been selected In the event that the alternative supply failures in the Umbilicals / DSUT / entity.
open then for a short period of time all DCVs within the following has not been selected open, then for ISUT/HDU / DSUT-ISUT Bridge
Well SCMs will "drop out" and the well will close OUT OF a short period of time until the Jumper/DSUT-HDU HFL and individual In addition, in the event of a total
SYNCH. alternative HP channel is selected - SCM HFLs failure of both HP supplies, all of the
Total loss of production from all trees Well SCMs can be connected to the
Currently: on the P40 Loop . spare line via reconfiguration of the
Bridge Jumper/HFL as required.
hydraulic operations - loss of HP to all of the Well SCMs (max 12 off) on tolerance in that all affected HP line of the umbilical. (remaining HP line)
channel the umbilical and Manifold SCMs (3 off) on the umbilical. on 30-DS-P43 and 30-DS-P45 will
blocked - remain operational on the alternative It may be difficult to differentiate between Hold for repair until a combinational
input The resultant pressure drop will be automatically detected by the channel in a non-redundant failures in the Umbilicals / DSUT / failure occurs in the Umbilical,
pressure shuttle valve and the alternative channel connected before the configuration. ISUT/HDU / DSUT-ISUT Bridge DSUT, ISUT & HDU assemblies
In the event that the alternative supply SCM HFLs. repair policy is to replace the DSUT;
In the event that the alternative supply has not been selected has not been selected open, then for Umbilical and ISUT as a single
open then for a short period of time the SCSSV DCV within the a short period of time until the Inability to operate valves in this line and entity.
following Well SCMs will "drop out" and the well will close OUT alternative HP channel is selected - a no visual indication from flowmeters.
OF SYNCH. loss of production from all Trees on In addition, in the event of a total
the P40 Loop 30-DS-P45 . However serviceability of the HP line on failure of both HP supplies, all of the
Currently: 30-DS-P41 provides an indication of Well SCMs can be connected to the
This results in the loss of 4 Wells on where the fault may be. spare line via reconfiguration of the
30-X-P42-C Well SCM each production manifold 30-DS-P43 Bridge Jumper/HFL as required.
30-X-P42-D Well SCM and 30-DS-P45. Worst case is the
loss of 8 production wells if all spare
30-X-P43-B Well SCM wells are utilised)
30-X-P43-C Well SCM
Page 13 of 23
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B4
FM
Ref
FM No: 4-0-2
D Single HP In the event of a surface ESD shutdown, subsea HP supply Loss of surface ESD HP pressure However serviceability of the ESD trip on Subsea electrical control to the HP
hydraulic pressure is not relieved . HP DCV within the following Well relief. the HP line on 30-DS-P41 provides an DCV and to the LP DCVs are the
channel SCMs will remain "latched closed" until the LP Pilot pressure is indication of where the fault may be. primary and secondary means of
blocked - vented. The HP DCV will remain in the closing the SCSSV
ESD pressure latched closed position only if the
relief Currently: electrical control circuits to the HP
Selector valves; DCV are unavailable
or surface LP ESD.
30-X-P43-B Well SCM
30-X-P43-C Well SCM
CI lines / Severe leakage of wax inhibitor/Demulsifier into the sea. Hold for repair until a combinational
connectors. Environmental hazard will require failure occurs in the Umbilical,
Topside isolation. DSUT, ISUT & HDU assemblies
within the P40 Loop.
Leakage of wax inhibitor/Demulsifier into the sea. Increase in consumption of wax Hold for repair until a combinational
Environmental hazard will require inhibitor/Demulsifier. failure occurs in the Umbilical,
Leakage of wax inhibitor/Demulsifier into the sea. Increase in consumption of Hold for repair until a combinational
Environmental hazard will require corrosion/scale inhibitor. failure occurs in the Umbilical,
CI lines / Hold for repair until a combinational
Page 14 of 23
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B4
FM
Ref
FM No: 4-0-2
Increase in consumption of anti- Hold for repair until a combinational
Environmental hazard will require Asphaltene. failure occurs in the Umbilical,
9 Loss of MEOH (nominally A Complete Sudden loss of MI1 supply to the drill centre. M2 and M3 No long term effect on production as Sudden loss in MI1 pressure at upstream Hold for repair until a combinational
MI1) supply loss supplies will still be available. two lines are considered to provide HDU pressure transmitter. failure occurs in the Umbilical,
(Rupture) of sufficient MEOH to the four normally DSUT, ISUT & HDU assemblies
MI1 lines / Severe leakage of methanol into the sea. producing trees on the P40 loop. within the P40 Loop or a workover is
connectors. to be performed.


Topside isolation.
B Leak from Gradual loss of MI1 supply to the drill centre. M2 and M3 No long term effect on production as Gradual reduction in MI1 pressure at Hold for repair until a combinational
MI1 lines / supplies will still be available. two lines are considered to provide upstream HDU pressure transmitter. failure occurs in the Umbilical,
connectors. sufficient MEOH to the four normally DSUT, ISUT & HDU assemblies
Leakage of methanol into the sea. producing trees on the P40 loop. Increase in consumption of MEOH. within the P40 Loop or a workover is
to be performed.


Topside isolation.
Page 15 of 23
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B4

FM
Ref
FM No: 4-0-3
been isolated.
All DCVs remain "latched" in their current positions. serviceable. circuit failure point and replace
The diagnosis methodology is to the DSUT; Umbilical and ISUT
Reduction in fault tolerance in that up progressively disconnect each EFL in turn as a single entity (after the
to 1 SEM remains operational on the (along the Control Loop) and restart the resultant numbers of failed quad
alternative channel in a non- Control channel to see if the fault has pairs has caused the loss of one
redundant configuration. been isolated. or more wells).
However the serviceability of the quad

pair to Spare Well 30-X-P41-B SEM A on
30-DS-P41 and Spare Well 30-X-P42-A
SEM A on 30-DS-P43 provides an
indication of where the fault may be.
been isolated.
Page 16 of 23
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B4

FM
Ref
FM No: 4-0-3
Currently there are no wells allocated to this manifold on Q1P2 No direct system effect whilst the failures in the Umbilicals / DSUT / DSUT- The proposed repair policy is to
serviceable. circuit failure point and replace
to 1 SEM remains operational on the (along the Control Loop) and restart the resultant numbers of failed quad


pair to Spare Well 30-X-P41-C SEM B on
30-DS-P41 and Spare Well 30-X-P42-D
SEM B on 30-DS-P43 provides an
assembly. pairs Over current trip or LIM trip on Subsea
resulting in a Currently only a single well is connected to Qaud 1 No direct system effect whilst the Power Control Unit. The proposed repair policy is to
total failure opposite control channel remains fully replace the DSUT; Umbilical and
of the Quad Well 30-X-P42-D SEM B; serviceable. It may be difficult to differentiate between ISUT as a single entity (after the
All DCVs remain "latched" in their current positions. Reduction in fault tolerance in that up ISUT EFL and individual SCM EFLs. pairs causes the loss of one or
to 6 SEMs remain operational on the more wells).
been isolated.
Page 17 of 23
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B4

FM
Ref
FM No: 4-0-3
LP hydraulic Pressure drop will be automatically detected by the shuttle valve remain operational on the alternative It may be difficult to differentiate between Hold for repair until a
channel. Environmental hazard will require SCM HFLs Loop. The proposed repair policy
In the event that the alternative supply has not been selected Topside isolation. is to replace the DSUT; Umbilical
open then for a short period of time all DCVs within the following and ISUT as a single entity
a short period of time until the failure of both LP supplies, all of
Currently: alternative LP channel is selected - the Well SCMs and Manifold
Total loss of production from all trees SCMs can be connected to the
30-M-P41 Manifold SCM and Manifolds on the P40 Loop . spare line via reconfiguration of
the Bridge Jumper/HFL as
30-X-P42-C Well SCM This can potentially result in the loss required.
30-M-P42 Manifold SCM manifolds and all of the manifolds
valves (manifold valves fail "as is",
30-X-P43-B Well SCM pigging valves fail open). Worst case
30-X-P43-C Well SCM is the loss of 12 production wells, if all
30-M-P43 Manifold SCM spare wells are utilised).
a single and the alternative channel connected before the DCVs unlatch. channel in a non-redundant will require more frequent topping up combinational failure occurs in
Environmental hazard will require Loop. The proposed repair policy
In the event that the alternative supply has not been selected Topside isolation. It may be difficult to differentiate between is to replace the DSUT; Umbilical
open then for a short period of time all DCVs within the following failures in the Umbilicals / DSUT / and ISUT as a single entity
a short period of time until the SCM HFLs failure of both LP supplies, all of
30-M-P41 Manifold SCM and Manifolds on the P40 Loop . spare line via reconfiguration of
the Bridge Jumper/HFL as
Page 18 of 23
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B4

FM
Ref
FM No: 4-0-3
hydraulic operations - loss of HP to all of the Well SCMs (max 12 off) on tolerance in that all affected LP line of the umbilical. (remaining LP line)
channel the umbilical and Manifold SCMs (3 off) on the umbilical. on 30-DS-P45 will remain operational
blocked - on the alternative channel in a non- It may be difficult to differentiate between Hold for repair until a
input The resultant pressure drop will be automatically detected by the redundant configuration. failures in the Umbilicals / DSUT / combinational failure occurs in
has not been selected open, then for SCM HFLs. Loop. The proposed repair policy
In the event that the alternative supply has not been selected a short period of time until the is to replace the DSUT; Umbilical
open then for a short period of time all DCVs within the following alternative LP channel is selected - a Inability to operate valves in this line and and ISUT as a single entity.
Well SCMs and Manifold SCMs will "drop out" and the well will loss of production from all Trees and no visual indication from flowmeters.
close safely. Manifolds on the P40 Loop 30-DS- In addition, in the event of a total
P45 . However serviceability of the LP line on failure of both LP supplies, all of
Currently: 30-DS-P41 and 30-DS-P43 provides and the Well SCMs and Manifold
This results in the loss of 3 Wells on indication of where the fault may be. SCMs can be connected to the
30-X-P43-B Well SCM production manifolds 30-DS-P45, the spare line via reconfiguration of
30-X-P43-C Well SCM associated manifolds valves will fail the Bridge Jumper/HFL as
30-M-P43 Manifold SCM "as is". Pigging valves fail open. required.
Worst case is the loss of 4 production
wells if all spare wells are utilised)
hydraulic pressure is not relieved . All DCVs within the following Well relief. 30-DS-P41 and 30-DS-P43 provides an DCVs and to the LP Dump
channel SCMs and Manifold SCMs will remain "latched closed" and the indication of where the fault may be. valves is the primary means of
blocked - associated fail safe valves remain open. The DCVs will remain in the latched closing subsea valves
ESD closed position if the electrical control
pressure Currently: circuits to the DCVs and the Dumps
relief valves are also unavailable.
30-X-P43-B Well SCM
30-X-P43-C Well SCM
Page 19 of 23
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B4

FM
Ref
FM No: 4-0-3
HP hydraulic Pressure drop will be automatically detected by the shuttle valve operational on the alternative channel It may be difficult to differentiate between Hold for repair until a
lines / and the alternative channel connected before the DCVs unlatch. in a non-redundant configuration. failures in the Umbilicals / DSUT / combinational failure occurs in
connectors in ISUT/HDU / DSUT-ISUT Bridge the Umbilical, DSUT, ISUT &
a single Severe leakage of hydraulic fluid into the sea. Environmental hazard will require Jumper/DSUT-HDU HFL and individual HDU assemblies within the P40
channel. Topside isolation. SCM HFLs Loop. The proposed repair policy
In the event that the alternative supply has not been selected is to replace the DSUT; Umbilical
open then for a short period of time all DCVs within the following In the event that the alternative supply and ISUT as a single entity.
alternative HP channel is selected - failure of both HP supplies, all of
Currently: Total loss of production from all trees the Well SCMs can be connected
on the P40 Loop . to the spare line via
30-X-P42-C Well SCM reconfiguration of the Bridge
30-X-P42-D Well SCM This can potentially result in the loss Jumper/HFL as required.
are utilised).
Leakage of hydraulic fluid into the sea. Topside isolation. Loop. The proposed repair policy
It may be difficult to differentiate between is to replace the DSUT; Umbilical
In the event that the alternative supply has not been selected In the event that the alternative supply failures in the Umbilicals / DSUT / and ISUT as a single entity.
SYNCH. alternative HP channel is selected - SCM HFLs failure of both HP supplies, all of
Total loss of production from all trees the Well SCMs can be connected
Currently: on the P40 Loop . to the spare line via
30-X-P42-C Well SCM This can potentially result in the loss Jumper/HFL as required.
Page 20 of 23
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B4

FM
Ref
FM No: 4-0-3
blocked - on the alternative channel in a non- It may be difficult to differentiate between
input The resultant pressure drop will be automatically detected by the redundant configuration. failures in the Umbilicals / DSUT / combinational failure occurs in
has not been selected open, then for SCM HFLs. Loop. The proposed repair policy
In the event that the alternative supply has not been selected a short period of time until the is to replace the DSUT; Umbilical
open then for a short period of time the SCSSV DCV within the alternative HP channel is selected - a Inability to operate valves in this line and and ISUT as a single entity.
following Well SCMs will "drop out" and the well will close OUT loss of production from all Trees on no visual indication from flowmeters.
OF SYNCH. the P40 Loop 30-DS-P45 . In addition, in the event of a total
However serviceability of the HP line on failure of both HP supplies, all of
Currently: This results in the loss of 3 Wells on 30-DS-P41 and 30-DS-P43 provides an the Well SCMs can be connected
production manifolds 30-DS-P43 and indication of where the fault may be. to the spare line via
30-X-P43-B Well SCM 30-DS-P45. Worst case is the loss of reconfiguration of the Bridge
30-X-P43-C Well SCM 4 production wells if all spare wells Jumper/HFL as required.
are utilised)
hydraulic pressure is not relieved . HP DCV within the following Well relief. HP DCV and to the LP DCVs are
channel SCMs will remain "latched closed" until the LP Pilot pressure is However serviceability of the ESD trip on the primary and secondary
blocked - vented. The HP DCV will remain in the the HP line on 30-DS-P41 and 30-DS- means of closing the SCSSV
ESD latched closed position only if the P43 provides an indication of where the
pressure Currently: electrical control circuits to the HP fault may be.
30-X-P43-B Well SCM and the LP supply pressure cannot be
30-X-P43-C Well SCM relieved via subsea electronic control
or surface LP ESD.
Loop.
Page 21 of 23
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B4

FM
Ref
FM No: 4-0-3
Loop.
Loop.
Loop.
Loop.
Loop.
Page 22 of 23
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B4

FM
Ref
FM No: 4-0-3
connectors. Loop or a workover is to be
However work over will be performed.


Topside isolation.
Loop or a workover is to be
However work over will be performed.


Topside isolation.
Page 23 of 23
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B5
SYSTEM: Production Loop P40 Subsea Controls

SUBSYSTEM: SUT Type 1 : 30-DS-P41
FM
Ref
FM: SUT Type 1 FUNCTION DESCRIPTION: To distribute fluids, power and communication subsea.
FM No: 5-0-1
Nominally Q1/P1 SEMs on the P40 Production Loop, a maximum of 3 Well SCMs. opposite control channel remains fully replace the Umbilical and DSUT as
serviceable. It may be difficult to differentiate between a single entity (after the resultant
Currently there are no wells allocated to Q1 P1 failures in the Umbilicals / DSUT / DSUT- numbers of failed quad pairs causes
Reduction in fault tolerance in that up ISUT EFL and individual SCM EFLs. the loss of one or more wells).
All DCVs remain "latched" in their current positions. to 3 SEMs remain operational on the
been isolated.
All DCVs remain "latched" in their current positions. serviceable. failure point
Reduction in fault tolerance in that up progressively disconnect each EFL in turn Should the failure point be within the
to 3 SEMs remain operational on the (along the Control Loop) and restart the DSUT, the Umbilical and DSUT will
alternative channel in a non- Control channel to see if the fault has be replaced as a single entity
Nominally Q1/P2 SEMs on the P40 Production Loop, a maximum of 3 Well SCMs. opposite control channel remains fully replace the Umbilical and DSUT as
serviceable. It may be difficult to differentiate between a single entity (after the resultant
Currently only a single well is connected to Q1 P2 failures in the Umbilicals / DSUT / DSUT- numbers of failed quad pairs causes
Reduction in fault tolerance in that up ISUT EFL and individual SCM EFLs. the loss of one or more wells).
Well 30-X-P42-D SEM B; to 3 SEMs remain operational on the
been isolated.
Page 1 of 42
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B5

FM
Ref
FM No: 5-0-1
Well 30-X-P42-D SEM B; serviceable. failure point
All DCVs remain "latched" in their current positions. Reduction in fault tolerance in that up progressively disconnect each EFL in turn Should the failure point be within the
to 3 SEMs remain operational on the (along the Control Loop) and restart the DSUT, the Umbilical and DSUT will
alternative channel in a non- Control channel to see if the fault has be replaced as a single entity
3 Loss of electronic control A Combination of Loss of Power & Communications channel "A" and "B" to the Loss of Control from a single pair of Alarm on SCS. Alternative channel is available -
from an overall quad individual pairs associated SEMs on a maximum of 6 Well SCMs. conductors within an umbilical. System is Dual Redundant.
assembly. resulting in a It may be difficult to differentiate between
total failure of Currently only a single well is connected to Qaud 1 No direct system effect whilst the failures in the Umbilicals / DSUT / DSUT- The proposed repair policy is to
the Quad opposite control channel remains fully ISUT EFL and individual SCM EFLs. replace the umbilical and DSUT as a
Well 30-X-P42-D SEM B; serviceable. The diagnosis methodology is to single entity when the resultant
progressively disconnect each EFL in turn numbers of failed quad pairs causes
All DCVs remain "latched" in their current positions. Reduction in fault tolerance in that up (along the Control Loop) and restart the the loss of one or more wells.
to 6 SEMs remain operational on the Control channel to see if the fault has
alternative channel in a non- been isolated.
4 Loss of LP Hydraulic supply A Complete loss Loss of a single LP channel to all of the Well SCMs (max 12 off) Subsequent Reduction in fault Sudden loss in LP hydraulic pressure of a Alternative supply is available
in a single channel. (Rupture) of LP and Manifold SCMs (3 off) on the Umbilical. tolerance in that all affected Trees single LP channel. (remaining LP line)
hydraulic lines / and Manifolds Control Modules will
Nominally LP1 connectors in a Pressure drop will be automatically detected by the shuttle valve remain operational on the alternative It may be difficult to differentiate between Hold for repair until a combinational
single channel. and the alternative channel connected before the DCVs unlatch. channel in a non-redundant failures in the Umbilicals / DSUT / failure occurs in the Umbilical,
configuration. ISUT/HDU / DSUT-ISUT Bridge DSUT, ISUT & HDU assemblies
Severe leakage of hydraulic fluid into the sea. Jumper/DSUT-HDU HFL and individual within the P40 Loop.
Environmental hazard will require SCM HFLs
In the event that the alternative supply has not been selected Topside isolation. Should the failure point be within the
open then for a short period of time all DCVs within the following DSUT, the Umbilical and DSUT will
Well SCMs and Manifold SCMs will "drop out" and the well will In the event that the alternative supply be replaced as a single entity
close safely. has not been selected open, then for
a short period of time until the In addition, in the event of a total
Currently: alternative LP channel is selected - failure of both LP supplies, all of the
Total loss of production from all trees Well SCMs and Manifold SCMs can
30-M-P41 Manifold SCM and Manifolds on the P40 Loop . be connected to the spare line via
30-X-P42-C Well SCM This results in the loss of 4 Wells on Jumper/HFL as required.
Page 2 of 42
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B5

FM
Ref
FM No: 5-0-1
in a single channel hydraulic lines / 12 off) and Manifold SCMs (3 off) on the Umbilical. tolerance in that all affected Trees single LP channel. (remaining LP line)
(continued). connectors in a and Manifolds Control Modules will
single channel. Pressure drop will be automatically detected by the shuttle valve remain operational on the alternative Hydraulic Power Unit hydraulic reservoir Hold for repair until a combinational
and the alternative channel connected before the DCVs unlatch. channel in a non-redundant will require more frequent topping up as failure occurs in the Umbilical,
configuration. indicated by pressure and level DSUT, ISUT & HDU assemblies
Leakage of hydraulic fluid into the sea. transmitters. within the P40 Loop.
In the event that the alternative supply has not been selected Topside isolation. It may be difficult to differentiate between Should the failure point be within the
open then for a short period of time all DCVs within the following failures in the Umbilicals / DSUT / DSUT, the Umbilical and DSUT will
Well SCMs and Manifold SCMs will "drop out" and the well will In the event that the alternative supply ISUT/HDU / DSUT-ISUT Bridge be replaced as a single entity
close safely. has not been selected open, then for Jumper/DSUT-HDU HFL and individual
a short period of time until the SCM HFLs In addition, in the event of a total
Currently: alternative LP channel is selected - failure of both LP supplies, all of the
Total loss of production from all trees Well SCMs and Manifold SCMs can
30-M-P41 Manifold SCM and Manifolds on the P40 Loop . be connected to the spare line via
30-X-P42-C Well SCM This can potentially result in the loss Jumper/HFL as required.
channel the umbilical and Manifold SCMs (3 off) on the umbilical. and Manifolds Control Modules will
blocked - input remain operational on the alternative It may be difficult to differentiate between Hold for repair until a combinational
pressure The resultant pressure drop will be automatically detected by the channel in a non-redundant failures in the Umbilicals / DSUT / failure occurs in the Umbilical,
shuttle valve and the alternative channel connected before the configuration. ISUT/HDU / DSUT-ISUT Bridge DSUT, ISUT & HDU assemblies
DCVs unlatch. Jumper/DSUT-HDU HFL and individual within the P40 Loop.
In the event that the alternative supply SCM HFLs
In the event that the alternative supply has not been selected has not been selected open, then for The proposed repair policy is to
open then for a short period of time all DCVs within the following a short period of time until the Inability to operate valves in this line and replace the Umbilical and DSUT as
Well SCMs and Manifold SCMs will "drop out" and the well will alternative LP channel is selected - no visual indication from flowmeters. a single entity
close safely. Total loss of production from all trees
and Manifolds on the P40 Loop . In addition, in the event of a total
Currently: failure of both LP supplies, all of the
This can potentially result in the loss Well SCMs and Manifold SCMs can
30-M-P41 Manifold SCM of 4 Wells on the three production be connected to the spare line via
manifolds and all of the manifolds reconfiguration of the Bridge
30-X-P42-C Well SCM valves (manifold valves fail "as is", Jumper/HFL as required.
30-X-P42-D Well SCM pigging valves fail open). Worst case
30-M-P42 Manifold SCM is the loss of 12 production wells, if all
30-X-P43-B Well SCM
30-X-P43-C Well SCM
Page 3 of 42
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B5

FM
Ref
FM No: 5-0-1
D Single LP In the event of a surface ESD shutdown, subsea LP Supply Loss of surface ESD LP pressure Subsea electrical control to the
hydraulic pressure is not relieved . All DCVs within the following Well relief. DCVs is the primary means of
channel SCMs and Manifold SCMs will remain "latched closed" and the closing subsea valves.
blocked - ESD associated fail safe valves remain open. The DCVs will remain in the latched
pressure relief closed position if the electrical control
Currently: circuits to the DCVs are also
unavailable.
30-X-P42-C Well SCM

30-X-P42-D Well SCM
30-X-P43-B Well SCM

30-X-P43-C Well SCM
5 Loss of HP Hydraulic supply A Complete loss Loss of a single HP channel to all of the production trees (max Subsequent Reduction in fault Sudden loss in HP hydraulic pressure of Alternative supply is available
in a single channel. (Rupture) of HP 12 off) on the umbilical. tolerance in that all affected Tree a single HP channel. (remaining HP line)
hydraulic lines / Control Modules will remain
Nominally HP1 connectors in a Pressure drop will be automatically detected by the shuttle valve operational on the alternative channel It may be difficult to differentiate between Hold for repair until a combinational
single channel. and the alternative channel connected before the DCVs unlatch. in a non-redundant configuration. failures in the Umbilicals / DSUT / HDU / failure occurs in the Umbilical,
DSUT-HDU Bridge Jumper and individual DSUT, ISUT & HDU assemblies
Severe leakage of hydraulic fluid into the sea. Environmental hazard will require SCM HFLs within the P40 Loop.
Topside isolation.
In the event that the alternative supply has not been selected Should the failure point be within the
open then for a short period of time all DCVs within the following In the event that the alternative supply DSUT, the Umbilical and DSUT will
Well SCMs will "drop out" and the well will close OUT OF has not been selected open, then for be replaced as a single entity
SYNCH. a short period of time until the
alternative HP channel is selected - In addition, in the event of a total
Currently: Total loss of production from all trees failure of both HP supplies, all of the
on the P40 Loop . Well SCMs can be connected to the
30-X-P42-C Well SCM spare line via reconfiguration of the
30-X-P42-D Well SCM This can potentially result in the loss Bridge Jumper/HFL as required.
are utilised).
Page 4 of 42
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B5

FM
Ref
FM No: 5-0-1
in a single channel hydraulic lines / (max 12 off) on the umbilical. tolerance in that all affected Tree a single HP channel. (remaining HP line)
(continued). connectors in a Control Modules will remain
single channel. Subsequent pressure drop will be automatically detected by the operational on the alternative channel Hydraulic Power Unit hydraulic reservoir Hold for repair until a combinational
shuttle valve and the alternative channel connected before the in a non-redundant configuration. will require more frequent topping up as failure occurs in the Umbilical,
DCVs unlatch. indicated by pressure and level DSUT, ISUT & HDU assemblies
Environmental hazard will require transmitters. within the P40 Loop.
Leakage of hydraulic fluid into the sea. Topside isolation.
It may be difficult to differentiate between Should the failure point be within the
In the event that the alternative supply has not been selected In the event that the alternative supply failures in the Umbilicals / DSUT / HDU / DSUT, the Umbilical and DSUT will
open then for a short period of time all DCVs within the following has not been selected open, then for DSUT-HDU Bridge Jumper and individual be replaced as a single entity
Well SCMs will "drop out" and the well will close OUT OF a short period of time until the SCM HFLs
SYNCH. alternative HP channel is selected - In addition, in the event of a total
Total loss of production from all trees failure of both HP supplies, all of
Currently: on the P40 Loop . the Well SCMs can be connected to
the spare line via reconfiguration of
30-X-P42-C Well SCM This can potentially result in the loss the Bridge Jumper/HFL as required.
hydraulic operations - loss of HP to all of the Well SCMs (max 12 off) on tolerance in that all affected Tree of the umbilical. (remaining LP line)
channel the umbilical and Manifold SCMs (3 off) on the umbilical. Control Modules will remain
blocked - input operational on the alternative channel It may be difficult to differentiate between Hold for repair until a combinational
pressure The resultant pressure drop will be automatically detected by the in a non-redundant configuration. failures in the Umbilicals / DSUT / failure occurs in the Umbilical,
shuttle valve and the alternative channel connected before the ISUT/HDU / DSUT-ISUT Bridge DSUT, ISUT & HDU assemblies
DCVs unlatch. In the event that the alternative supply Jumper/DSUT-HDU HFL and individual within the P40 Loop.
has not been selected open, then for SCM HFLs.
In the event that the alternative supply has not been selected a short period of time until the The proposed repair policy is to
open then for a short period of time the SCSSV DCV within the alternative HP channel is selected - Inability to operate valves in this line and replace the Umbilical and DSUT as
following Well SCMs will "drop out" and the well will close OUT Total loss of production from all trees no visual indication from flowmeters. a single entity
OF SYNCH. on the P40 Loop .
In addition, in the event of a total
Currently: This can potentially result in the loss failure of both LP supplies, all of the
of 4 Wells on the three production Well SCMs can be connected to the
30-X-P42-C Well SCM manifolds. Worst case is the loss of spare line via reconfiguration of the
30-X-P42-D Well SCM 12 production wells, if all spare wells Bridge Jumper/HFL as required.
are utilised).
30-X-P43-B Well SCM
30-X-P43-C Well SCM
D Single HP In the event of a surface ESD shutdown, subsea HP supply Loss of surface ESD HP pressure Subsea electrical control to the HP
hydraulic pressure is not relieved . HP DCV within the following Well relief. DCV and to the LP DCVs are the
channel SCMs will remain "latched closed" until the LP Pilot pressure is primary and secondary means of
blocked - ESD vented. The HP DCV will remain in the closing the SCSSV
pressure relief latched closed position only if the
Currently: electrical control circuits to the HP
or surface LP ESD.
30-X-P43-B Well SCM
30-X-P43-C Well SCM
Page 5 of 42
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B5

FM
Ref
FM No: 5-0-1
6 Loss of Wax A Complete loss Sudden loss of wax inhibitor/Demulsifier supply to the drill No long term effect on production as Sudden loss in CI pressure at CI Unit Alternative injection capability via
Inhibitor/Demulsifier, supply (Rupture) of CI centre. spare chemical line can be output transmitters. spare chemical line if available.
in a single channel. lines / reconfigured if available.
connectors. Severe leakage of wax inhibitor/Demulsifier into the sea. Hold for repair until a combinational
Environmental hazard will require failure occurs in the Umbilical,
7 Loss of Corrosion/Scale A Complete loss Sudden loss of wax inhibitor/Demulsifier supply to the drill No long term effect on production as Sudden loss in CI pressure at CI Unit Alternative injection capability via
Inhibitor supply in a single (Rupture) of centre. spare chemical line can be output transmitters. spare chemical line if available.
channel. lines / reconfigured if available.
B Leak from lines Gradual loss of wax inhibitor/Demulsifier supply to the drill No long term effect on production as Gradual reduction in CI pressure at CI Alternative injection capability via
/ connectors. centre. spare chemical line can be Unit output transmitters. spare chemical line if available.
reconfigured if available.
8 Loss of Anti-Asphaltene A Complete loss Sudden loss of anti-Asphaltene supply to the drill centre. No long term effect on production as Sudden loss in CI pressure at CI Unit Alternative injection capability via
supply in a single channel. (Rupture) of spare chemical line can be output transmitters. spare chemical line if available.
lines / Severe leakage of anti-Asphaltene into the sea. reconfigured if available.
connectors. Hold for repair until a combinational
B Leak from lines Gradual loss of anti-Asphaltene supply to the drill centre. No long term effect on production as Gradual reduction in CI pressure at CI Alternative injection capability via
/ connectors. spare chemical line can be Unit output transmitters. spare chemical line if available.
Leakage of anti-Asphaltene into the sea. reconfigured if available.
Page 6 of 42
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B5

FM
Ref
FM No: 5-0-1
9 Loss of MEOH (nominally A Complete loss Sudden loss of MI1 supply to the drill centre. M2 and M3 No long term effect on production as Sudden loss in MI1 pressure at upstream Hold for repair until a combinational
MI1) supply (Rupture) of supplies will still be available. two lines are considered to provide HDU pressure transmitter. failure occurs in the Umbilical,
MI1 lines / sufficient MEOH to the four normally DSUT, ISUT & HDU assemblies
connectors. Severe leakage of methanol into the sea. producing trees on the P40 loop. within the P40 Loop.



Topside isolation.
B Leak from MI1 Gradual loss of MI1 supply to the drill centre. M2 and M3 No long term effect on production as Gradual reduction in MI1 pressure at Hold for repair until a combinational
lines / supplies will still be available. two lines are considered to provide upstream HDU pressure transmitter. failure occurs in the Umbilical,
Leakage of methanol into the sea. producing trees on the P40 loop. Increase in consumption of MEOH. within the P40 Loop.



Topside isolation.
Page 7 of 42
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B5

SUBSYSTEM: Intermediate SUT: 30-DS-P42
FM
Ref
FM: SUT Type 2 FUNCTION DESCRIPTION: To distribute LP & HP hydraulics, power and communication subsea.
FM No: 5-0-2
been isolated.
All DCVs remain "latched" in their current positions. serviceable. circuit failure point and replace the
The diagnosis methodology is to DSUT; Umbilical and ISUT as a
Reduction in fault tolerance in that up progressively disconnect each EFL in turn single entity (after the resultant
to 2 SEMs remains operational on the (along the Control Loop) and restart the numbers of failed quad pairs has
alternative channel in a non- Control channel to see if the fault has caused the loss of one or more
redundant configuration. been isolated. wells).

been isolated.
Page 8 of 42
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B5

FM
Ref
FM No: 5-0-2
Well 30-X-P42-D SEM B; serviceable. circuit failure point and replace the
All DCVs remain "latched" in their current positions. Reduction in fault tolerance in that up progressively disconnect each EFL in turn single entity (after the resultant
to 2 SEMs remain operational on the (along the Control Loop) and restart the numbers of failed quad pairs has


2 Loss of electronic control A Short circuit. Loss of Power & Communications channel "A" and "B" to the Loss of Control from a single pair of Alarm on SCS. Alternative channel is available -
from a single twisted pair associated SEMs on a maximum of 6 Well SCMs. conductors within an umbilical. System is Dual Redundant.
Currently only a single well is connected to Qaud 1 No direct system effect whilst the Power Control Unit. The proposed repair policy is to
Nominally Q1/P2 opposite control channel remains fully replace the DSUT; Umbilical and
Well 30-X-P42-D SEM B; serviceable. It may be difficult to differentiate between ISUT as a single entity (after the
been isolated.
Page 9 of 42
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B5

FM
Ref
FM No: 5-0-2
B Open circuit. Loss of a single LP channel to all of the Well SCMs (max 12 off) Subsequent Reduction in fault Sudden loss in LP hydraulic pressure of a Alternative channel is available -
and Manifold SCMs (3 off) on the Umbilical. tolerance in that all affected Trees single LP channel. System is Dual Redundant.
Pressure drop will be automatically detected by the shuttle valve remain operational on the alternative It may be difficult to differentiate between The proposed repair policy is to
and the alternative channel connected before the DCVs unlatch. channel in a non-redundant failures in the Umbilicals / DSUT / utilise TDR to locate the open
configuration. ISUT/HDU / DSUT-ISUT Bridge circuit failure point and replace the
Severe leakage of hydraulic fluid into the sea. Jumper/DSUT-HDU HFL and individual DSUT; Umbilical and ISUT as a
Environmental hazard will require SCM HFLs single entity (after the resultant
In the event that the alternative supply has not been selected Topside isolation. numbers of failed quad pairs has
open then for a short period of time all DCVs within the following caused the loss of one or more
Well SCMs and Manifold SCMs will "drop out" and the well will In the event that the alternative supply wells).
Currently: alternative LP channel is selected -
30-M-P41 Manifold SCM and Manifolds on the P40 Loop .

3 Loss of electronic control A Combination Gradual loss of a single LP channel to all of the Well SCMs (max Subsequent Reduction in fault Gradual loss in LP hydraulic pressure of a Alternative channel is available -
from an overall quad of individual 12 off) and Manifold SCMs (3 off) on the Umbilical. tolerance in that all affected Trees single LP channel. System is Dual Redundant.
assembly. pairs and Manifolds Control Modules will
resulting in a Pressure drop will be automatically detected by the shuttle valve remain operational on the alternative Hydraulic Power Unit hydraulic reservoir The proposed repair policy is to
total failure and the alternative channel connected before the DCVs unlatch. channel in a non-redundant will require more frequent topping up as replace the DSUT; Umbilical and
of the Quad configuration. indicated by pressure and level ISUT as a single entity (after the
Leakage of hydraulic fluid into the sea. transmitters. resultant numbers of failed quad
Environmental hazard will require pairs causes the loss of one or
In the event that the alternative supply has not been selected Topside isolation. It may be difficult to differentiate between more wells).
open then for a short period of time all DCVs within the following failures in the Umbilicals / DSUT /

Page 10 of 42
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B5

FM
Ref
FM No: 5-0-2
4 Loss of LP Hydraulic supply A Complete Loss of LP pressure in affected channel following valve Subsequent Reduction in fault Excessive pressure drop over the length Alternative supply is available
in a single channel. loss operations - loss of HP to all of the Well SCMs (max 12 off) on tolerance in that all affected Trees of the umbilical. (remaining LP line)
(Rupture) of the umbilical and Manifold SCMs (3 off) on the umbilical. and Manifolds Control Modules on 30-
Nominally LP1 LP hydraulic DS-P43 and 30-DS-P45 will remain It may be difficult to differentiate between
Hold for repair until a combinational
lines / The resultant pressure drop will be automatically detected by the operational on the alternative channel failures in the Umbilicals / DSUT / failure occurs in the Umbilical,
connectors in shuttle valve and the alternative channel connected before the in a non-redundant configuration. ISUT/HDU / DSUT-ISUT Bridge DSUT, ISUT & HDU assemblies
a single DCVs unlatch. Jumper/DSUT-HDU HFL and individual within the P40 Loop. The proposed
channel. In the event that the alternative supply SCM HFLs. repair policy is to replace the
In the event that the alternative supply has not been selected has not been selected open, then for DSUT; Umbilical and ISUT as a
open then for a short period of time all DCVs within the following a short period of time until the Inability to operate valves in this line and single entity
Manifolds on the P40 Loop 30-DS- However serviceability of the LP line on failure of both LP supplies, all of
Currently: P43 and 30-DS-P45 . 30-DS-P41 provides and indication of the Well SCMs and Manifold SCMs
where the fault may be. can be connected to the spare line
30-X-P42-C Well SCM This results in the loss of 4 Wells on via reconfiguration of the Bridge
Loss of LP Hydraulic supply B Leak from LP In the event of a surface ESD shutdown, subsea LP Supply Loss of surface ESD LP pressure However serviceability of the LP line on Alternative supply is available
in a single channel hydraulic pressure is not relieved . All DCVs within the following Well relief. 30-DS-P41 provides an indication of (remaining LP line)
(continued). lines / SCMs and Manifold SCMs will remain "latched closed" and the where the fault may be.
connectors in associated fail safe valves remain open. The DCVs will remain in the latched Hold for repair until a combinational
a single closed position if the electrical control failure occurs in the Umbilical,
channel. Currently: circuits to the DCVs and the Dumps DSUT, ISUT & HDU assemblies
valves are also unavailable. within the P40 Loop. The proposed
30-X-P42-C Well SCM repair policy is to replace the
30-X-P42-D Well SCM DSUT; Umbilical and ISUT as a
30-M-P42 Manifold SCM single entity
30-X-P43-B Well SCM In addition, in the event of a total

30-X-P43-C Well SCM failure of both LP supplies, all of
30-M-P43 Manifold SCM the Well SCMs and Manifold SCMs
can be connected to the spare line
via reconfiguration of the Bridge
Page 11 of 42
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B5

FM
Ref
FM No: 5-0-2
C Single LP Loss of a single HP channel to all of the production trees (max Subsequent Reduction in fault Sudden loss in HP hydraulic pressure of Alternative supply is available
hydraulic 12 off) on the umbilical. tolerance in that all affected Tree a single HP channel. (remaining LP line)
channel Control Modules will remain
blocked - Pressure drop will be automatically detected by the shuttle valve operational on the alternative channel It may be difficult to differentiate between Hold for repair until a combinational
input and the alternative channel connected before the DCVs unlatch. in a non-redundant configuration. failures in the Umbilicals / DSUT / failure occurs in the Umbilical,
pressure ISUT/HDU / DSUT-ISUT Bridge DSUT, ISUT & HDU assemblies
Severe leakage of hydraulic fluid into the sea. Environmental hazard will require Jumper/DSUT-HDU HFL and individual within the P40 Loop. The proposed
Topside isolation. SCM HFLs repair policy is to replace the
In the event that the alternative supply has not been selected DSUT; Umbilical and ISUT as a
open then for a short period of time all DCVs within the following In the event that the alternative supply single entity.
alternative HP channel is selected - failure of both LP supplies, all of
Currently: Total loss of production from all trees the Well SCMs and Manifold SCMs
on the P40 Loop . can be connected to the spare line
30-X-P42-C Well SCM via reconfiguration of the Bridge
30-X-P42-D Well SCM This can potentially result in the loss Jumper/HFL as required.
are utilised).
D Single LP Gradual loss of a single HP channel to all of the production trees Subsequent Reduction in fault Gradual loss in HP hydraulic pressure of Subsea electrical control to the
hydraulic (max 12 off) on the umbilical. tolerance in that all affected Tree a single HP channel. DCVs and to the LP Dump valves
channel Control Modules will remain is the primary means of closing
blocked - Subsequent pressure drop will be automatically detected by the operational on the alternative channel Hydraulic Power Unit hydraulic reservoir subsea valves.
ESD shuttle valve and the alternative channel connected before the in a non-redundant configuration. will require more frequent topping up as
pressure DCVs unlatch. indicated by pressure and level
relief Environmental hazard will require transmitters.
Leakage of hydraulic fluid into the sea. Topside isolation.
In the event that the alternative supply has not been selected In the event that the alternative supply failures in the Umbilicals / DSUT /
Well SCMs will "drop out" and the well will close OUT OF a short period of time until the Jumper/DSUT-HDU HFL and individual
SYNCH. alternative HP channel is selected - SCM HFLs

Page 12 of 42
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B5

FM
Ref
FM No: 5-0-2
5 Loss of HP Hydraulic supply A Complete Loss of HP pressure in affected channel following valve Subsequent Reduction in fault Excessive pressure drop over the length Alternative supply is available
in a single channel. loss operations - loss of HP to all of the Well SCMs (max 12 off) on tolerance in that all affected HP line of the umbilical. (remaining HP line)
(Rupture) of the umbilical and Manifold SCMs (3 off) on the umbilical. on 30-DS-P43 and 30-DS-P45 will
Nominally HP1 HP hydraulic remain operational on the alternative It may be difficult to differentiate between Hold for repair until a combinational
lines / The resultant pressure drop will be automatically detected by the channel in a non-redundant failures in the Umbilicals / DSUT / failure occurs in the Umbilical,
connectors in shuttle valve and the alternative channel connected before the configuration. ISUT/HDU / DSUT-ISUT Bridge DSUT, ISUT & HDU assemblies
a single DCVs unlatch. Jumper/DSUT-HDU HFL and individual within the P40 Loop. The proposed
channel. In the event that the alternative supply SCM HFLs. repair policy is to replace the
open then for a short period of time the SCSSV DCV within the a short period of time until the Inability to operate valves in this line and single entity.
the P40 Loop 30-DS-P45 . However serviceability of the HP line on failure of both HP supplies, all of
Currently: 30-DS-P41 provides an indication of the Well SCMs can be connected
This results in the loss of 4 Wells on where the fault may be. to the spare line via reconfiguration
30-X-P42-C Well SCM each production manifold 30-DS-P43 of the Bridge Jumper/HFL as
30-X-P42-D Well SCM and 30-DS-P45. Worst case is the required.
30-X-P43-C Well SCM
Loss of HP Hydraulic supply B Leak from In the event of a surface ESD shutdown, subsea HP supply Loss of surface ESD HP pressure However serviceability of the ESD trip on Alternative supply is available
in a single channel HP hydraulic pressure is not relieved . HP DCV within the following Well relief. the HP line on 30-DS-P41 provides an (remaining HP line)
(continued). lines / SCMs will remain "latched closed" until the LP Pilot pressure is indication of where the fault may be.
connectors in vented. The HP DCV will remain in the Hold for repair until a combinational
a single latched closed position only if the failure occurs in the Umbilical,
channel. Currently: electrical control circuits to the HP DSUT, ISUT & HDU assemblies
Selector valves; DCV are unavailable within the P40 Loop. The proposed
30-X-P42-C Well SCM and the LP supply pressure cannot be repair policy is to replace the
30-X-P42-D Well SCM relieved via subsea electronic control DSUT; Umbilical and ISUT as a
or surface LP ESD. single entity.
30-X-P43-B Well SCM
30-X-P43-C Well SCM In addition, in the event of a total
failure of both HP supplies, all of
the Well SCMs can be connected
to the spare line via reconfiguration
of the Bridge Jumper/HFL as
required.
Page 13 of 42
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B5

FM
Ref
FM No: 5-0-2
C Single HP Sudden loss of wax inhibitor/Demulsifier supply to the drill No long term effect on production as Sudden loss in CI pressure at CI Unit Alternative supply is available
hydraulic centre. spare chemical line can be output transmitters. (remaining HP line)
channel reconfigured if available.
blocked - Severe leakage of wax inhibitor/Demulsifier into the sea. Hold for repair until a combinational
input Environmental hazard will require failure occurs in the Umbilical,
pressure Topside isolation. DSUT, ISUT & HDU assemblies
within the P40 Loop. The proposed
repair policy is to replace the
DSUT; Umbilical and ISUT as a
single entity.
In addition, in the event of a total

failure of both HP supplies, all of
the Well SCMs can be connected
to the spare line via reconfiguration
required.
D Single HP Gradual loss of wax inhibitor/Demulsifier supply to the drill No long term effect on production as Gradual reduction in CI pressure at CI Subsea electrical control to the HP
hydraulic centre. spare chemical line can be Unit output transmitters. DCV and to the LP DCVs are the
channel reconfigured if available. primary and secondary means of
blocked - Leakage of wax inhibitor/Demulsifier into the sea. Increase in consumption of wax closing the SCSSV
ESD Environmental hazard will require inhibitor/Demulsifier.
pressure Topside isolation.
relief
7 Loss of Corrosion/Scale A Complete Sudden loss of anti-Asphaltene supply to the drill centre. No long term effect on production as Sudden loss in CI pressure at CI Unit Alternative injection capability via
Inhibitor supply in a single loss spare chemical line can be output transmitters. spare chemical line if available.
channel. (Rupture) of Severe leakage of anti-Asphaltene into the sea. reconfigured if available.
CI lines / Hold for repair until a combinational
Page 14 of 42
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B5

FM
Ref
FM No: 5-0-2
8 Loss of Anti-Asphaltene A Complete Sudden loss of MI1 supply to the drill centre. M2 and M3 No long term effect on production as Sudden loss in MI1 pressure at upstream Alternative injection capability via
supply in a single channel. loss supplies will still be available. two lines are considered to provide HDU pressure transmitter. spare chemical line if available.
(Rupture) of sufficient MEOH to the four normally
CI lines / Severe leakage of methanol into the sea. producing trees on the P40 loop. Hold for repair until a combinational
connectors. failure occurs in the Umbilical,
However work over will be DSUT, ISUT & HDU assemblies
compromised by the reduction in flow. within the P40 Loop.


Topside isolation.
B Leak from CI Gradual loss of MI1 supply to the drill centre. M2 and M3 No long term effect on production as Gradual reduction in MI1 pressure at Alternative injection capability via
lines / supplies will still be available. two lines are considered to provide upstream HDU pressure transmitter. spare chemical line if available.
connectors. sufficient MEOH to the four normally
Leakage of methanol into the sea. producing trees on the P40 loop. Increase in consumption of MEOH. Hold for repair until a combinational
failure occurs in the Umbilical,
However work over will be DSUT, ISUT & HDU assemblies
compromised by the reduction in flow. within the P40 Loop.


Topside isolation.
Page 15 of 42
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B5

FM
Ref
FM No: 5-0-2
9 Loss of MEOH (nominally A Complete Sudden loss of MI1 supply to the drill centre. M2 and M3 No long term effect on production as Sudden loss in MI1 pressure at TUT Hold for repair until a combinational
MI1) supply loss supplies will still be available. two lines are considered sufficient for pressure gauge. failure occurs in the Umbilical,
(Rupture) of normal production. DSUT, ISUT & HDU assemblies
MI1 lines / Severe leakage of methanol into the sea. within the P40 Loop or a workover
connectors. However work over maybe is to be performed.
Dual Redundant.
Alternatively, the spare chemical line

can be used to supply methanol after
reconfiguration if no spare bridge
jumper available.

Topside isolation.
B Leak from Gradual loss of MI1 supply to the drill centre. M2 and M3 No long term effect on production. Gradual reduction in MI1 pressure at TUT Hold for repair until a combinational
MI1 lines / supplies will still be available. pressure gauge. failure occurs in the Umbilical,
connectors. MEOH injection can be restored to all DSUT, ISUT & HDU assemblies
Leakage of methanol into the sea. trees on the SUT by isolating MI1 Increase in consumption of MEOH. within the P40 Loop or a workover
lines (ROV Valves) and injecting is to be performed.
through MI2 or MI3 lines by opening
MI2 or MI3 ROV isolation valves
respectively if no spare bridge jumper
available.
Dual Redundant.

Topside isolation.
Page 16 of 42
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B5

SUBSYSTEM: SUT Type 2: 30-DS-P43
FM
Ref
FM No: 5-0-3
been isolated.
to 2 SEMs remains operational on the (along the Control Loop) and restart the numbers of failed quad pairs has

been isolated.
Page 17 of 42
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B5

FM
Ref
FM No: 5-0-3
Well 30-X-P42-D SEM B; serviceable. circuit failure point and replace the
All DCVs remain "latched" in their current positions. Reduction in fault tolerance in that up progressively disconnect each EFL in turn single entity (after the resultant
to 2 SEMs remain operational on the (along the Control Loop) and restart the numbers of failed quad pairs has


assembly. resulting in a Over current trip or LIM trip on Subsea
total failure of Currently only a single well is connected to Qaud 1 No direct system effect whilst the Power Control Unit. The proposed repair policy is to
the Quad opposite control channel remains fully replace the DSUT; Umbilical and
Well 30-X-P42-D SEM B; serviceable. It may be difficult to differentiate between ISUT as a single entity (after the
been isolated.
Page 18 of 42
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B5

FM
Ref
FM No: 5-0-3
4 Loss of LP Hydraulic supply A Complete loss Loss of a single LP channel to all of the Well SCMs (max 12 off) Subsequent Reduction in fault Sudden loss in LP hydraulic pressure of a Alternative supply is available
in a single channel. (Rupture) of LP and Manifold SCMs (3 off) on the Umbilical. tolerance in that all affected Trees single LP channel. (remaining LP line)
hydraulic lines / and Manifolds Control Modules will
Nominally LP1 connectors in a Pressure drop will be automatically detected by the shuttle valve remain operational on the alternative It may be difficult to differentiate between Hold for repair until a combinational
single channel. and the alternative channel connected before the DCVs unlatch. channel in a non-redundant failures in the Umbilicals / DSUT / failure occurs in the Umbilical,
configuration. ISUT/HDU / DSUT-ISUT Bridge DSUT, ISUT & HDU assemblies
Severe leakage of hydraulic fluid into the sea. Jumper/DSUT-HDU HFL and individual within the P40 Loop. The proposed
Environmental hazard will require SCM HFLs repair policy is to replace the
In the event that the alternative supply has not been selected Topside isolation. DSUT; Umbilical and ISUT as a
open then for a short period of time all DCVs within the following single entity
Currently: alternative LP channel is selected - the Well SCMs and Manifold SCMs
Total loss of production from all trees can be connected to the spare line
30-M-P41 Manifold SCM and Manifolds on the P40 Loop . via reconfiguration of the Bridge
Page 19 of 42
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B5

FM
Ref
FM No: 5-0-3
in a single channel hydraulic lines / 12 off) and Manifold SCMs (3 off) on the Umbilical. tolerance in that all affected Trees single LP channel. (remaining LP line)
(continued). connectors in a and Manifolds Control Modules will
single channel. Pressure drop will be automatically detected by the shuttle valve remain operational on the alternative Hydraulic Power Unit hydraulic reservoir Hold for repair until a combinational
and the alternative channel connected before the DCVs unlatch. channel in a non-redundant will require more frequent topping up as failure occurs in the Umbilical,
configuration. indicated by pressure and level DSUT, ISUT & HDU assemblies
Leakage of hydraulic fluid into the sea. transmitters. within the P40 Loop. The proposed
Environmental hazard will require repair policy is to replace the
In the event that the alternative supply has not been selected Topside isolation. It may be difficult to differentiate between DSUT; Umbilical and ISUT as a
open then for a short period of time all DCVs within the following failures in the Umbilicals / DSUT / single entity
Page 20 of 42
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B5

FM
Ref
FM No: 5-0-3
channel blocked the umbilical and Manifold SCMs (3 off) on the umbilical. and Manifolds Control Modules on 30-
- input pressure DS-P43 and 30-DS-P45 will remain It may be difficult to differentiate between Hold for repair until a combinational
The resultant pressure drop will be automatically detected by the operational on the alternative channel failures in the Umbilicals / DSUT / failure occurs in the Umbilical,
shuttle valve and the alternative channel connected before the in a non-redundant configuration. ISUT/HDU / DSUT-ISUT Bridge DSUT, ISUT & HDU assemblies
In the event that the alternative supply SCM HFLs. repair policy is to replace the
open then for a short period of time all DCVs within the following a short period of time until the Inability to operate valves in this line and single entity.
Manifolds on the P40 Loop 30-DS- However serviceability of the LP line on failure of both LP supplies, all of
Currently: P43 and 30-DS-P45 . 30-DS-P41 provides and indication of the Well SCMs and Manifold SCMs
where the fault may be. can be connected to the spare line
30-X-P42-C Well SCM This results in the loss of 4 Wells on via reconfiguration of the Bridge
hydraulic pressure is not relieved . All DCVs within the following Well relief. 30-DS-P41 provides an indication of DCVs is the primary means of
channel blocked SCMs and Manifold SCMs will remain "latched closed" and the where the fault may be. closing subsea valves.
- ESD pressure associated fail safe valves remain open. The DCVs will remain in the latched
relief closed position if the electrical control
Currently: circuits to the DCVs and the Dumps
valves are also unavailable.
30-X-P42-C Well SCM
30-X-P42-D Well SCM
30-X-P43-B Well SCM

30-X-P43-C Well SCM
Page 21 of 42
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B5

FM
Ref
FM No: 5-0-3
5 Loss of HP Hydraulic supply A Complete loss Loss of a single HP channel to all of the production trees (max Subsequent Reduction in fault Sudden loss in HP hydraulic pressure of Alternative supply is available
in a single channel. (Rupture) of HP 12 off) on the umbilical. tolerance in that all affected Tree a single HP channel. (remaining HP line)
hydraulic lines / Control Modules will remain
Nominally HP1 connectors in a Pressure drop will be automatically detected by the shuttle valve operational on the alternative channel It may be difficult to differentiate between Hold for repair until a combinational
single channel. and the alternative channel connected before the DCVs unlatch. in a non-redundant configuration. failures in the Umbilicals / DSUT / failure occurs in the Umbilical,
ISUT/HDU / DSUT-ISUT Bridge DSUT, ISUT & HDU assemblies
Severe leakage of hydraulic fluid into the sea. Environmental hazard will require Jumper/DSUT-HDU HFL and individual within the P40 Loop. The proposed
Topside isolation. SCM HFLs repair policy is to replace the
In the event that the alternative supply has not been selected DSUT; Umbilical and ISUT as a
open then for a short period of time all DCVs within the following In the event that the alternative supply single entity.
on the P40 Loop . to the spare line via reconfiguration
30-X-P42-C Well SCM of the Bridge Jumper/HFL as
30-X-P42-D Well SCM This can potentially result in the loss required.
are utilised).
in a single channel hydraulic lines / (max 12 off) on the umbilical. tolerance in that all affected Tree a single HP channel. (remaining HP line)
single channel. Subsequent pressure drop will be automatically detected by the operational on the alternative channel Hydraulic Power Unit hydraulic reservoir Hold for repair until a combinational
shuttle valve and the alternative channel connected before the in a non-redundant configuration. will require more frequent topping up as failure occurs in the Umbilical,
DCVs unlatch. indicated by pressure and level DSUT, ISUT & HDU assemblies
Environmental hazard will require transmitters. within the P40 Loop. The proposed
Leakage of hydraulic fluid into the sea. Topside isolation. repair policy is to replace the
It may be difficult to differentiate between DSUT; Umbilical and ISUT as a
In the event that the alternative supply has not been selected In the event that the alternative supply failures in the Umbilicals / DSUT / single entity.
Currently: on the P40 Loop . to the spare line via reconfiguration
Page 22 of 42
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B5

FM
Ref
FM No: 5-0-3
channel blocked the umbilical and Manifold SCMs (3 off) on the umbilical. on 30-DS-P43 and 30-DS-P45 will
- input pressure remain operational on the alternative It may be difficult to differentiate between Hold for repair until a combinational
The resultant pressure drop will be automatically detected by the channel in a non-redundant failures in the Umbilicals / DSUT / failure occurs in the Umbilical,
shuttle valve and the alternative channel connected before the configuration. ISUT/HDU / DSUT-ISUT Bridge DSUT, ISUT & HDU assemblies
In the event that the alternative supply SCM HFLs. repair policy is to replace the
open then for a short period of time the SCSSV DCV within the a short period of time until the Inability to operate valves in this line and single entity.
the P40 Loop 30-DS-P45 . However serviceability of the HP line on failure of both HP supplies, all of
Currently: 30-DS-P41 provides an indication of the Well SCMs can be connected
This results in the loss of 4 Wells on where the fault may be. to the spare line via reconfiguration
30-X-P42-C Well SCM each production manifold 30-DS-P43 of the Bridge Jumper/HFL as
30-X-P42-D Well SCM and 30-DS-P45. Worst case is the required.
30-X-P43-C Well SCM
D Single HP In the event of a surface ESD shutdown, subsea HP supply Loss of surface ESD HP pressure However serviceability of the ESD trip on Subsea electrical control to the HP
hydraulic pressure is not relieved . HP DCV within the following Well relief. the HP line on 30-DS-P41 provides an DCV and to the LP DCVs are the
channel blocked SCMs will remain "latched closed" until the LP Pilot pressure is indication of where the fault may be. primary and secondary means of
- ESD pressure vented. The HP DCV will remain in the closing the SCSSV
relief latched closed position only if the
or surface LP ESD.
30-X-P43-B Well SCM
30-X-P43-C Well SCM
6 Loss of Wax A Complete loss Sudden loss of wax inhibitor/Demulsifier supply to the drill No long term effect on production as Sudden loss in CI pressure at CI Unit Alternative injection capability via
Inhibitor/Demulsifier supply (Rupture) of CI centre. spare chemical line can be output transmitters. spare chemical line if available.
in a single channel. lines / reconfigured if available.
Page 23 of 42
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B5

FM
Ref
FM No: 5-0-3
7 Loss of Corrosion/Scale A Complete loss Sudden loss of wax inhibitor/Demulsifier supply to the drill No long term effect on production as Sudden loss in CI pressure at CI Unit Alternative injection capability via
Inhibitor supply in a single (Rupture) of CI centre. spare chemical line can be output transmitters. spare chemical line if available.
channel. lines / reconfigured if available.
8 Loss of Anti-Asphaltene A Complete loss Sudden loss of anti-Asphaltene supply to the drill centre. No long term effect on production as Sudden loss in CI pressure at CI Unit Alternative injection capability via
supply in a single channel. (Rupture) of CI spare chemical line can be output transmitters. spare chemical line if available.
lines / Severe leakage of anti-Asphaltene into the sea. reconfigured if available.
connectors. Hold for repair until a combinational
Page 24 of 42
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B5

FM
Ref
FM No: 5-0-3
9 Loss of MEOH (nominally A Complete loss Sudden loss of MI1 supply to the drill centre. M2 and M3 No long term effect on production as Sudden loss in MI1 pressure at upstream Hold for repair until a combinational
MI1) supply (Rupture) of MI1 supplies will still be available. two lines are considered to provide HDU pressure transmitter. failure occurs in the Umbilical,
lines / sufficient MEOH to the four normally DSUT, ISUT & HDU assemblies
connectors. Severe leakage of methanol into the sea. producing trees on the P40 loop. within the P40 Loop or a workover
is to be performed.


Topside isolation.
B Leak from MI1 Gradual loss of MI1 supply to the drill centre. M2 and M3 No long term effect on production as Gradual reduction in MI1 pressure at Hold for repair until a combinational
lines / supplies will still be available. two lines are considered to provide upstream HDU pressure transmitter. failure occurs in the Umbilical,
Leakage of methanol into the sea. producing trees on the P40 loop. Increase in consumption of MEOH. within the P40 Loop or a workover
is to be performed.


Topside isolation.
Page 25 of 42
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B5

FM
Ref
FM No: 5-0-4
been isolated.
to 1 SEM remains operational on the (along the Control Loop) and restart the numbers of failed quad pairs has

been isolated.
Page 26 of 42
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B5

FM
Ref
FM No: 5-0-4
serviceable. circuit failure point and replace the


been isolated.
Page 27 of 42
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B5

FM
Ref
FM No: 5-0-4
(Rupture) of and Manifolds Control Modules will
Nominally LP1 LP hydraulic Pressure drop will be automatically detected by the shuttle valve remain operational on the alternative It may be difficult to differentiate between Hold for repair until a
lines / and the alternative channel connected before the DCVs unlatch. channel in a non-redundant failures in the Umbilicals / DSUT / combinational failure occurs in the
connectors in configuration. ISUT/HDU / DSUT-ISUT Bridge Umbilical, DSUT, ISUT & HDU
a single Severe leakage of hydraulic fluid into the sea. Jumper/DSUT-HDU HFL and individual assemblies within the P40 Loop.
channel. Environmental hazard will require SCM HFLs The proposed repair policy is to
In the event that the alternative supply has not been selected Topside isolation. replace the DSUT; Umbilical and
open then for a short period of time all DCVs within the following ISUT as a single entity
30-M-P41 Manifold SCM and Manifolds on the P40 Loop . spare line via reconfiguration of the
a single and the alternative channel connected before the DCVs unlatch. channel in a non-redundant will require more frequent topping up combinational failure occurs in the
channel. configuration. indicated by pressure and level Umbilical, DSUT, ISUT & HDU
Leakage of hydraulic fluid into the sea. transmitters. assemblies within the P40 Loop.
Environmental hazard will require The proposed repair policy is to
In the event that the alternative supply has not been selected Topside isolation. It may be difficult to differentiate between replace the DSUT; Umbilical and
open then for a short period of time all DCVs within the following failures in the Umbilicals / DSUT / ISUT as a single entity
30-M-P41 Manifold SCM and Manifolds on the P40 Loop . spare line via reconfiguration of the
Page 28 of 42
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B5

FM
Ref
FM No: 5-0-4
input The resultant pressure drop will be automatically detected by the redundant configuration. failures in the Umbilicals / DSUT / combinational failure occurs in the
pressure shuttle valve and the alternative channel connected before the ISUT/HDU / DSUT-ISUT Bridge Umbilical, DSUT, ISUT & HDU
DCVs unlatch. In the event that the alternative supply Jumper/DSUT-HDU HFL and individual assemblies within the P40 Loop.
has not been selected open, then for SCM HFLs. The proposed repair policy is to
In the event that the alternative supply has not been selected a short period of time until the replace the DSUT; Umbilical and
open then for a short period of time all DCVs within the following alternative LP channel is selected - a Inability to operate valves in this line and ISUT as a single entity.
Currently: 30-DS-P41 and 30-DS-P43 provides and the Well SCMs and Manifold
This results in the loss of 3 Wells on indication of where the fault may be. SCMs can be connected to the
30-X-P43-B Well SCM production manifolds 30-DS-P45, the spare line via reconfiguration of the
30-X-P43-C Well SCM associated manifolds valves will fail Bridge Jumper/HFL as required.
30-M-P43 Manifold SCM "as is". Pigging valves fail open.
hydraulic pressure is not relieved . All DCVs within the following Well relief. 30-DS-P41 and 30-DS-P43 provides an DCVs is the primary means of
channel SCMs and Manifold SCMs will remain "latched closed" and the indication of where the fault may be. closing subsea valves.
blocked - associated fail safe valves remain open. The DCVs will remain in the latched
30-X-P43-B Well SCM
30-X-P43-C Well SCM
Page 29 of 42
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B5

FM
Ref
FM No: 5-0-4
(Rupture) of Control Modules will remain
Nominally HP1 HP hydraulic Pressure drop will be automatically detected by the shuttle valve operational on the alternative channel It may be difficult to differentiate between Hold for repair until a
lines / and the alternative channel connected before the DCVs unlatch. in a non-redundant configuration. failures in the Umbilicals / DSUT / combinational failure occurs in the
connectors in ISUT/HDU / DSUT-ISUT Bridge Umbilical, DSUT, ISUT & HDU
a single Severe leakage of hydraulic fluid into the sea. Environmental hazard will require Jumper/DSUT-HDU HFL and individual assemblies within the P40 Loop.
channel. Topside isolation. SCM HFLs The proposed repair policy is to
In the event that the alternative supply has not been selected replace the DSUT; Umbilical and
open then for a short period of time all DCVs within the following In the event that the alternative supply ISUT as a single entity.
are utilised).
a single shuttle valve and the alternative channel connected before the in a non-redundant configuration. will require more frequent topping up as combinational failure occurs in the
channel. DCVs unlatch. indicated by pressure and level Umbilical, DSUT, ISUT & HDU
Environmental hazard will require transmitters. assemblies within the P40 Loop.
Leakage of hydraulic fluid into the sea. Topside isolation. The proposed repair policy is to
It may be difficult to differentiate between replace the DSUT; Umbilical and
In the event that the alternative supply has not been selected In the event that the alternative supply failures in the Umbilicals / DSUT / ISUT as a single entity.
Page 30 of 42
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B5

FM
Ref
FM No: 5-0-4
open then for a short period of time the SCSSV DCV within the alternative HP channel is selected - a Inability to operate valves in this line and ISUT as a single entity.
production manifolds 30-DS-P43 and indication of where the fault may be. to the spare line via reconfiguration
30-X-P43-B Well SCM 30-DS-P45. Worst case is the loss of of the Bridge Jumper/HFL as
30-X-P43-C Well SCM 4 production wells if all spare wells required.
are utilised)
channel SCMs will remain "latched closed" until the LP Pilot pressure is However serviceability of the ESD trip on primary and secondary means of
blocked - vented. The HP DCV will remain in the the HP line on 30-DS-P41 and 30-DS- closing the SCSSV
or surface LP ESD.
connectors. Environmental hazard will require combinational failure occurs in the
Topside isolation. Umbilical, DSUT, ISUT & HDU
assemblies within the P40 Loop.
Environmental hazard will require inhibitor/Demulsifier. combinational failure occurs in the
Page 31 of 42
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B5

FM
Ref
FM No: 5-0-4
Environmental hazard will require corrosion/scale inhibitor. combinational failure occurs in the
Environmental hazard will require Asphaltene. combinational failure occurs in the
MI1) supply loss supplies will still be available. two lines are considered to provide HDU pressure transmitter. combinational failure occurs in the
(Rupture) of sufficient MEOH to the four normally Umbilical, DSUT, ISUT & HDU
MI1 lines / Severe leakage of methanol into the sea. producing trees on the P40 loop. assemblies within the P40 Loop or
connectors. a workover is to be performed.


Topside isolation.
Page 32 of 42
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B5

FM
Ref
FM No: 5-0-4
MI1 lines / supplies will still be available. two lines are considered to provide upstream HDU pressure transmitter. combinational failure occurs in the
connectors. sufficient MEOH to the four normally Umbilical, DSUT, ISUT & HDU
Leakage of methanol into the sea. producing trees on the P40 loop. Increase in consumption of MEOH. assemblies within the P40 Loop or
a workover is to be performed.


Topside isolation.
Page 33 of 42
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B5

FM
Ref
FM No: 5-0-5
been isolated.

been isolated.
Page 34 of 42
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B5

FM
Ref
FM No: 5-0-5


been isolated.
Page 35 of 42
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B5

FM
Ref
FM No: 5-0-5
lines / and the alternative channel connected before the DCVs unlatch. channel in a non-redundant failures in the Umbilicals / DSUT / combinational failure occurs in the
connectors in configuration. ISUT/HDU / DSUT-ISUT Bridge Umbilical, DSUT, ISUT & HDU
a single Severe leakage of hydraulic fluid into the sea. Jumper/DSUT-HDU HFL and individual assemblies within the P40 Loop.
channel. Environmental hazard will require SCM HFLs The proposed repair policy is to
In the event that the alternative supply has not been selected Topside isolation. replace the DSUT; Umbilical and
open then for a short period of time all DCVs within the following ISUT as a single entity
Page 36 of 42
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B5

FM
Ref
FM No: 5-0-5
a single and the alternative channel connected before the DCVs unlatch. channel in a non-redundant will require more frequent topping up combinational failure occurs in the
channel. configuration. indicated by pressure and level Umbilical, DSUT, ISUT & HDU
Leakage of hydraulic fluid into the sea. transmitters. assemblies within the P40 Loop.
Environmental hazard will require The proposed repair policy is to
In the event that the alternative supply has not been selected Topside isolation. It may be difficult to differentiate between replace the DSUT; Umbilical and
open then for a short period of time all DCVs within the following failures in the Umbilicals / DSUT / ISUT as a single entity
Page 37 of 42
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B5

FM
Ref
FM No: 5-0-5
open then for a short period of time all DCVs within the following alternative LP channel is selected - a Inability to operate valves in this line and ISUT as a single entity.
Currently: 30-DS-P41 and 30-DS-P43 provides and the Well SCMs and Manifold SCMs
This results in the loss of 3 Wells on indication of where the fault may be. can be connected to the spare line
30-X-P43-B Well SCM production manifolds 30-DS-P45, the via reconfiguration of the Bridge
30-X-P43-C Well SCM associated manifolds valves will fail Jumper/HFL as required.
30-X-P43-B Well SCM
30-X-P43-C Well SCM
Page 38 of 42
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B5

FM
Ref
FM No: 5-0-5
lines / and the alternative channel connected before the DCVs unlatch. in a non-redundant configuration. failures in the Umbilicals / DSUT / combinational failure occurs in the
connectors in ISUT/HDU / DSUT-ISUT Bridge Umbilical, DSUT, ISUT & HDU
a single Severe leakage of hydraulic fluid into the sea. Environmental hazard will require Jumper/DSUT-HDU HFL and individual assemblies within the P40 Loop.
channel. Topside isolation. SCM HFLs The proposed repair policy is to
In the event that the alternative supply has not been selected replace the DSUT; Umbilical and
open then for a short period of time all DCVs within the following In the event that the alternative supply ISUT as a single entity.
are utilised).
a single shuttle valve and the alternative channel connected before the in a non-redundant configuration. will require more frequent topping up as combinational failure occurs in the
channel. DCVs unlatch. indicated by pressure and level Umbilical, DSUT, ISUT & HDU
Environmental hazard will require transmitters. assemblies within the P40 Loop.
Leakage of hydraulic fluid into the sea. Topside isolation. The proposed repair policy is to
It may be difficult to differentiate between replace the DSUT; Umbilical and
In the event that the alternative supply has not been selected In the event that the alternative supply failures in the Umbilicals / DSUT / ISUT as a single entity.
Page 39 of 42
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B5

FM
Ref
FM No: 5-0-5
open then for a short period of time the SCSSV DCV within the alternative HP channel is selected - a Inability to operate valves in this line and ISUT as a single entity.
production manifolds 30-DS-P43 and indication of where the fault may be. to the spare line via reconfiguration
30-X-P43-B Well SCM 30-DS-P45. Worst case is the loss of of the Bridge Jumper/HFL as
30-X-P43-C Well SCM 4 production wells if all spare wells required.
are utilised)
channel SCMs will remain "latched closed" until the LP Pilot pressure is However serviceability of the ESD trip on primary and secondary means of
blocked - vented. The HP DCV will remain in the the HP line on 30-DS-P41 and 30-DS- closing the SCSSV
or surface LP ESD.
Environmental hazard will require inhibitor/Demulsifier. combinational failure occurs in the
Page 40 of 42
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B5

FM
Ref
FM No: 5-0-5
Environmental hazard will require corrosion/scale inhibitor. combinational failure occurs in the
Environmental hazard will require Asphaltene. combinational failure occurs in the
Page 41 of 42
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B5

FM
Ref
FM No: 5-0-5
MI1) supply loss supplies will still be available. two lines are considered to provide HDU pressure transmitter. combinational failure occurs in the
(Rupture) of sufficient MEOH to the four normally Umbilical, DSUT, ISUT & HDU
MI1 lines / Severe leakage of methanol into the sea. producing trees on the P40 loop. assemblies within the P40 Loop or
connectors. a workover is to be performed.


Topside isolation.
MI1 lines / supplies will still be available. two lines are considered to provide upstream HDU pressure transmitter. combinational failure occurs in the
connectors. sufficient MEOH to the four normally Umbilical, DSUT, ISUT & HDU
Leakage of methanol into the sea. producing trees on the P40 loop. Increase in consumption of MEOH. assemblies within the P40 Loop or
a workover is to be performed.


Topside isolation.
Page 42 of 42
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B6

SUBSYSTEM: Bridge Jumper connecting 30-DS-P41 and 30-DS-P42
FM
Ref
FM: Bridge Jumper FUNCTION DESCRIPTION: To connect hydraulic supplies from DSUT P41 to ISUT P42
FM No: 7-0-1
open then for a short period of time all DCVs within the following

Page 1 of 13
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B6

FM
Ref
FM No: 7-0-1
a single and the alternative channel connected before the DCVs unlatch. channel in a non-redundant will require more frequent topping up as combinational failure occurs in

Page 2 of 13
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B6

FM
Ref
FM No: 7-0-1
channel the umbilical and Manifold SCMs (3 off) on the umbilical. and Manifolds Control Modules on 30-
blocked - DS-P43 and 30-DS-P45 will remain It may be difficult to differentiate between Disconnect/re-connect jumpers
input The resultant pressure drop will be automatically detected by the operational on the alternative channel failures in the Umbilicals / DSUT / until affected jumper has been
pressure shuttle valve and the alternative channel connected before the in a non-redundant configuration. ISUT/HDU / DSUT-ISUT Bridge identified. Once identified old for
DCVs unlatch. Jumper/DSUT-HDU HFL and individual repair until a combinational
In the event that the alternative supply SCM HFLs. failure occurs in the Umbilical,
In the event that the alternative supply has not been selected has not been selected open, then for DSUT, ISUT & HDU assemblies
open then for a short period of time all DCVs within the following a short period of time until the Inability to operate valves in this line and within the P40 Loop.
close safely. loss of production from all Trees and
Manifolds on the P40 Loop 30-DS- However serviceability of the LP line on
Currently: P43 and 30-DS-P45 . 30-DS-P41 provides and indication of
where the fault may be.
30-X-P42-D Well SCM production manifolds 30-DS-P43 and
hydraulic pressure is not relieved . All DCVs within the following Well relief. 30-DS-P41 provides an indication of DCVs is the primary means of
channel SCMs and Manifold SCMs will remain "latched closed" and the where the fault may be. closing subsea valves.
30-X-P42-C Well SCM
30-X-P42-D Well SCM
30-X-P43-B Well SCM

30-X-P43-C Well SCM
Page 3 of 13
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B6

FM
Ref
FM No: 7-0-1
channel. Topside isolation. SCM HFLs Loop.
open then for a short period of time all DCVs within the following In the event that the alternative supply
Currently: Total loss of production from all trees
on the P40 Loop .
30-X-P42-C Well SCM
are utilised).

Page 4 of 13
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B6

FM
Ref
FM No: 7-0-1
channel the umbilical and Manifold SCMs (3 off) on the umbilical. on 30-DS-P43 and 30-DS-P45 will
blocked - remain operational on the alternative It may be difficult to differentiate between Disconnect/re-connect jumpers
input The resultant pressure drop will be automatically detected by the channel in a non-redundant failures in the Umbilicals / DSUT / until affected jumper has been
pressure shuttle valve and the alternative channel connected before the configuration. ISUT/HDU / DSUT-ISUT Bridge identified. Once identified old for
DCVs unlatch. Jumper/DSUT-HDU HFL and individual repair until a combinational
In the event that the alternative supply SCM HFLs. failure occurs in the Umbilical,
In the event that the alternative supply has not been selected has not been selected open, then for DSUT, ISUT & HDU assemblies
open then for a short period of time the SCSSV DCV within the a short period of time until the Inability to operate valves in this line and within the P40 Loop.
OF SYNCH. loss of production from all Trees on
the P40 Loop 30-DS-P45 . However serviceability of the HP line on
Currently: 30-DS-P41 provides an indication of
This results in the loss of 4 Wells on where the fault may be.
30-X-P42-C Well SCM each production manifold 30-DS-P43
30-X-P42-D Well SCM and 30-DS-P45. Worst case is the
30-X-P43-C Well SCM
D Single HP In the event of a surface ESD shutdown, subsea HP supply Loss of surface ESD HP pressure However serviceability of the ESD trip on Subsea electrical control to the
hydraulic pressure is not relieved . HP DCV within the following Well relief. the HP line on 30-DS-P41 provides an HP DCV and to the LP DCVs are
channel SCMs will remain "latched closed" until the LP Pilot pressure is indication of where the fault may be. the primary and secondary
blocked - vented. The HP DCV will remain in the means of closing the SCSSV
or surface LP ESD.
30-X-P43-B Well SCM
30-X-P43-C Well SCM
Loop.
Page 5 of 13
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B6

FM
Ref
FM No: 7-0-1
Loop.
Loop.
Loop.
Loop.
Loop.
Page 6 of 13
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B6

FM
Ref
FM No: 7-0-1
connectors. Loop.


Topside isolation.
Loop.


Topside isolation.
Page 7 of 13
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B6

FM
Ref
FM No: 7-0-2
open then for a short period of time all DCVs within the following

Page 8 of 13
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B6

FM
Ref
FM No: 7-0-2
a single and the alternative channel connected before the DCVs unlatch. channel in a non-redundant will require more frequent topping up combinational failure occurs in

blocked - on the alternative channel in a non- It may be difficult to differentiate between Disconnect/re-connect jumpers
input The resultant pressure drop will be automatically detected by the redundant configuration. failures in the Umbilicals / DSUT / until affected jumper has been
pressure shuttle valve and the alternative channel connected before the ISUT/HDU / DSUT-ISUT Bridge identified. Once identified old for
DCVs unlatch. In the event that the alternative supply Jumper/DSUT-HDU HFL and individual repair until a combinational
has not been selected open, then for SCM HFLs. failure occurs in the Umbilical,
In the event that the alternative supply has not been selected a short period of time until the DSUT, ISUT & HDU assemblies
open then for a short period of time all DCVs within the following alternative LP channel is selected - a Inability to operate valves in this line and within the P40 Loop.
close safely. Manifolds on the P40 Loop 30-DS-
P45 . However serviceability of the LP line on
Currently: 30-DS-P41 and 30-DS-P43 provides and
This results in the loss of 3 Wells on indication of where the fault may be.
30-X-P43-B Well SCM production manifolds 30-DS-P45, the
30-X-P43-C Well SCM associated manifolds valves will fail
Page 9 of 13
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B6

FM
Ref
FM No: 7-0-2
30-X-P43-B Well SCM
30-X-P43-C Well SCM
channel. Topside isolation. SCM HFLs Loop.
on the P40 Loop .
30-X-P42-C Well SCM
are utilised).
Page 10 of 13
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B6

FM
Ref
FM No: 7-0-2

blocked - on the alternative channel in a non- It may be difficult to differentiate between Disconnect/re-connect jumpers
input The resultant pressure drop will be automatically detected by the redundant configuration. failures in the Umbilicals / DSUT / until affected jumper has been
pressure shuttle valve and the alternative channel connected before the ISUT/HDU / DSUT-ISUT Bridge identified. Once identified old for
DCVs unlatch. In the event that the alternative supply Jumper/DSUT-HDU HFL and individual repair until a combinational
has not been selected open, then for SCM HFLs. failure occurs in the Umbilical,
In the event that the alternative supply has not been selected a short period of time until the DSUT, ISUT & HDU assemblies
open then for a short period of time the SCSSV DCV within the alternative HP channel is selected - a Inability to operate valves in this line and within the P40 Loop.
OF SYNCH. the P40 Loop 30-DS-P45 .
However serviceability of the HP line on
Currently: This results in the loss of 3 Wells on 30-DS-P41 and 30-DS-P43 provides an
production manifolds 30-DS-P43 and indication of where the fault may be.
30-X-P43-B Well SCM 30-DS-P45. Worst case is the loss of
30-X-P43-C Well SCM 4 production wells if all spare wells
are utilised)
Page 11 of 13
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B6

FM
Ref
FM No: 7-0-2
channel SCMs will remain "latched closed" until the LP Pilot pressure is However serviceability of the ESD trip on the primary and secondary
blocked - vented. The HP DCV will remain in the the HP line on 30-DS-P41 and 30-DS- means of closing the SCSSV
or surface LP ESD.
Loop.
Loop.
Loop.
Loop.
Page 12 of 13
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B6

FM
Ref
FM No: 7-0-2
Loop.
Loop.
connectors. Loop.


Topside isolation.
Loop.


Topside isolation.
Page 13 of 13
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B7

SUBSYSTEM: Electrical Flying Lead
FM
Ref
FM: EFL 30-DS-P41/30-IS-P42 FUNCTION DESCRIPTION: To transfer power and communications from DSUT, 30-DS-P41 to ISUT, 30-IS-P42
FM No: 6-0-1
Nominally Q1/P1 SEMs on the P40 Production Loop, a maximum of 3 Well SCMs. opposite control channel remains fully utilise TDR to locate the open
serviceable. It may be difficult to differentiate between circuit failure point and replace
Currently there are no wells allocated to Q1 P1 failures in the Umbilicals / DSUT / DSUT- the EFL as a single entity (after
Reduction in fault tolerance in that up ISUT EFL and individual SCM EFLs. the resultant numbers of failed
All DCVs remain "latched" in their current positions. to 3 SEM's remain operational on the quad pairs has caused the loss
alternative channel in a non- The diagnosis methodology is to of one or more wells).
been isolated.
All DCVs remain "latched" in their current positions. serviceable. circuit failure point and replace
to 2 SEMs remains operational on the (along the Control Loop) and restart the resultant numbers of failed quad

pair to the Spare Wells on 30-DS-P41
provides an indication of where the fault
may be.
Nominally Q1/P2 SEMs on the P40 Production Loop, a maximum of 3 Well SCMs. opposite control channel remains fully replace the EFL as a single entity
serviceable. It may be difficult to differentiate between (after the resultant numbers of
Currently only a single well is connected to Q1 P2 failures in the Umbilicals / DSUT / DSUT- failed quad pairs causes the loss
Reduction in fault tolerance in that up ISUT EFL and individual SCM EFLs. of one or more wells).
Well 30-X-P42-D SEM B; to 3 SEM's remain operational on the
been isolated.
Page 1 of 5
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B7

FM
Ref
FM No: 6-0-1
Well 30-X-P42-D SEM B; serviceable. circuit failure point and replace
The diagnosis methodology is to the EFL as a single entity (after
All DCVs remain "latched" in their current positions. Reduction in fault tolerance in that up progressively disconnect each EFL in turn the resultant numbers of failed
to 2 SEM's remain operational on the (along the Control Loop) and restart the quad pairs has caused the loss
alternative channel in a non- Control channel to see if the fault has of one or more wells).

provides an indication of where the fault
may be.
Nominally Quad 1. total failure opposite control channel remains fully replace the EFL as a single entity
of the Quad Well 30-X-P42-D SEM B; serviceable. It may be difficult to differentiate between (after the resultant numbers of
failures in the Umbilicals / DSUT / DSUT- failed quad pairs causes the loss
All DCVs remain "latched" in their current positions. Reduction in fault tolerance in that up ISUT EFL and individual SCM EFLs. of one or more wells).
to 6 SEM's remain operational on the
been isolated.
Page 2 of 5
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B7

FM
Ref
FM No: 6-0-2
Currently there are no wells allocated to Q1 P1 failures in the Umbilicals / DSUT / DSUT- failed quad pairs causes the loss
All DCVs remain "latched" in their current positions. to 3 SEMs remain operational on the
been isolated.
The diagnosis methodology is to EFL as a single entity (after the
Reduction in fault tolerance in that up progressively disconnect each EFL in turn resultant numbers of failed quad
to 1 SEM remains operational on the (along the Control Loop) and restart the pairs has caused the loss of one or
alternative channel in a non- Control channel to see if the fault has more wells).

and 30-DS-P43 provides an indication of
Currently only a single well is connected to Q1 P2 failures in the Umbilicals / DSUT / DSUT- failed quad pairs causes the loss
Well 30-X-P42-D SEM B; to 3 SEM's remain operational on the
been isolated.
Page 3 of 5
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B7

FM
Ref
FM No: 6-0-2
The diagnosis methodology is to EFL as a single entity (after the
Reduction in fault tolerance in that up progressively disconnect each EFL in turn resultant numbers of failed quad
to 1 SEM remains operational on the (along the Control Loop) and restart the pairs has caused the loss of one or
alternative channel in a non- Control channel to see if the fault has more wells).

assembly. resulting in a Over current trip or LIM trip on Subsea
total failure of Currently only a single well is connected to Quad 1 No direct system effect whilst the Power Control Unit. The proposed repair policy is to
the Quad opposite control channel remains fully replace the EFL as a single entity
Well 30-X-P42-D SEM B; serviceable. It may be difficult to differentiate between (after the resultant numbers of
failures in the Umbilicals / DSUT / DSUT- failed quad pairs causes the loss
All DCVs remain "latched" in their current positions. Reduction in fault tolerance in that up ISUT EFL and individual SCM EFLs. of one or more wells).
to 6 SEM's remain operational on the
been isolated.
Page 4 of 5
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B7

SUBSYSTEM: Generic EFL from a DSUT to a production tree/manifold SCM
FM
Ref
FM: Generic Electrical Flying Lead FUNCTION DESCRIPTION: To transfer power and communications from a DSUT to a Production Tree SCM
FM No: 6-0-3
1 Loss of electronic control A Short circuit. Possibility of tripping the associated SPCU Subsea Output Loss of Control from a single channel Alarm on SCS. Alternative channel is available -
from a single twisted pair Module. within an EFL System is Dual Redundant.
Loss of Power & Communications channel "A" to the associated Reduction in fault tolerance in that up Power Control Unit. The proposed repair policy is to
Nominally Q1/P1 to Well 30- SEMs on the P40 Production Loop, a maximum of 3 Well SCMs. to 3 SEMs remain operational on the replace the EFL as a single entity
X-P43-A, SEM A alternative channel in a non It may be difficult to differentiate between (after the resultant numbers of
Currently there are no wells allocated to Q1 P1 redundant configuration. failures in the Umbilicals / DSUT / DSUT- failed quad pairs causes the loss
ISUT EFL and individual SCM EFLs. of one or more wells).
All DCVs remain "latched" in their current positions.
progressively disconnect each EFL in turn
been isolated.
B Open circuit. Loss of Power & Communications channel "A" to a single well Loss of Control from a single channel Alarm on SCS. Alternative channel is available -
within an EFL. System is Dual Redundant.
Currently there are no wells allocated to Q1 P1 It may be difficult to differentiate between
No direct system effect whilst the failures in the Umbilicals / DSUT / DSUT- The proposed repair policy is to
All DCVs remain "latched" in their current positions. opposite control channel remains fully ISUT EFL and individual SCM EFLs. utilise TDR to locate the open
serviceable. circuit failure point and replace
The diagnosis methodology is to the EFL as a single entity (after
Reduction in fault tolerance in that up progressively disconnect each EFL in turn the resultant numbers of failed
to 1 SEM remains operational on the (along the Control Loop) and restart the quad pairs has caused the loss
alternative channel in a non- Control channel to see if the fault has of one or more wells).

Page 5 of 5
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B8

SUBSYSTEM: Generic Hydraulic Flying Lead from 30-S-P41 to 30-HDU-P41
FM
Ref
FM: HFL from 30-S-P41 to 30-HDU-P41 FUNCTION DESCRIPTION: To transfer LP & HP Hydraulics and chemical supplies from DSUT, 30-S-P41 to HDU 1
FM No: 8-0-1
1 Loss of LP Hydraulic supply A Complete Leak in the HFL causes the Loss of a single LP channel to all of Subsequent Reduction in fault Sudden loss in LP hydraulic pressure of a Alternative supply is available If no spare HFL is available
in a single channel. loss the Well SCMs (max 12 off) and Manifold SCMs (3 off) on the tolerance in that all affected Trees single LP channel. (remaining LP line) then the HFL can be
(Rupture) of Umbilical. and Manifolds Control Modules will disconnected and parked to
Nominally LP1 to 30-HDU- LP hydraulic remain operational on the alternative It may be difficult to differentiate between When the failure is identified the restore functionality to the
P41 lines / Pressure drop will be automatically detected by the shuttle valve channel in a non-redundant failures in the Umbilicals / DSUT / HFL will be replaced as a single remainder of the P40 Loop.
connectors in and the alternative channel connected before the DCVs unlatch. configuration. ISUT/HDU / DSUT-ISUT Bridge entity.
a single Jumper/DSUT-HDU HFL and individual This action will isolate one set
channel. Severe leakage of hydraulic fluid into the sea. Environmental hazard will require SCM HFLs of hydraulic and chemical
Topside isolation. supplies to 30-HDU-P41.
Well SCMs and Manifold SCMs will "drop out" and the well will has not been selected open, then for
close safely. a short period of time until the
alternative LP channel is selected -
This results in the loss of 4 Wells on
30-X-P42-C Well SCM the three production manifolds and
30-X-P42-D Well SCM all of the manifolds valves will also fail
30-M-P42 Manifold SCM shut, (with the exception of pigging
valves). Worst case is the loss of 12
30-X-P43-B Well SCM production wells, if all spare wells are
30-X-P43-C Well SCM utilised)
Loss of LP Hydraulic supply B Leak from LP Leak in the HFL causes the gradual loss of a single LP channel Subsequent Reduction in fault Gradual loss in LP hydraulic pressure of a Alternative supply is availableIf no spare HFL is available
in a single channel hydraulic to all of the Well SCMs (max 12 off) and Manifold SCMs (3 off) tolerance in that all affected Trees single LP channel. (remaining LP line) then the HFL can be
(continued). lines / on the Umbilical. and Manifolds Control Modules will disconnected and parked to
connectors in remain operational on the alternative Hydraulic Power Unit hydraulic reservoir When the failure is identified the restore functionality to the
a single Pressure drop will be automatically detected by the shuttle valve channel in a non-redundant will require more frequent topping up as HFL will be replaced as a single remainder of the P40 Loop.
channel. and the alternative channel connected before the DCVs unlatch. configuration. indicated by pressure and level entity.
transmitters. This action will isolate one set
Leakage of hydraulic fluid into the sea. Environmental hazard will require of hydraulic and chemical
Topside isolation. It may be difficult to differentiate between supplies to 30-HDU-P41.
In the event that the alternative supply has not been selected failures in the Umbilicals / DSUT /
open then for a short period of time all DCVs within the following In the event that the alternative supply ISUT/HDU / DSUT-ISUT Bridge
Well SCMs and Manifold SCMs will "drop out" and the well will has not been selected open, then for Jumper/DSUT-HDU HFL and individual
close safely. a short period of time until the SCM HFLs
This can potentially result in the loss
30-X-P42-C Well SCM of 4 Wells on the three production
30-X-P42-D Well SCM manifolds and all of the manifolds
30-M-P42 Manifold SCM valves (manifold valves fail "as is",
pigging valves fail open). Worst case
30-X-P43-B Well SCM is the loss of 12 production wells, if all
30-X-P43-C Well SCM spare wells are utilised).
Page 1 of 13
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B8

FM
Ref
FM No: 8-0-1
hydraulic operations - loss of LP to all of the Well SCMs (max 4 off) and tolerance in that all affected LP line of the umbilical. (remaining LP line)
channel Manifold SCMs (1 off) on 30-S-P41 on 30-S-P41 will remain operational
blocked - on the alternative channel in a non- It may be difficult to differentiate between When the failure is identified the
input The resultant pressure drop will be automatically detected by the redundant configuration. failures in the Umbilicals / DSUT / HFL will be replaced as a single
pressure shuttle valve and the alternative channel connected before the ISUT/HDU / DSUT-ISUT Bridge entity.
DCVs unlatch. In the event that the alternative supply Jumper/DSUT-HDU HFL and individual
open then for a short period of time all DCVs within the following alternative LP channel is selected - a Inability to operate valves in this line and
close safely. Manifolds on the P40 Loop 30-S-P45
. However serviceability of the LP line on
Currently: 30-S-P43 and 30-S-P45 provides and
This results in the loss of 1 Well on indication of where the fault may be.
30-M-P41 Manifold SCM production manifolds 30-S-P41, the
associated manifolds valves will fail
"as is". Pigging valves fail open.
D Single LP In the event of a surface ESD shutdown, subsea LP Supply Loss of surface ESD LP pressure However serviceability of the ESD trip on Subsea electrical control to the
hydraulic pressure is not relieved . All DCVs within the following Well relief. the LP line on 30-S-P43 and 30-S-P45 DCVs is the primary means of
channel SCMs and Manifold SCMs will remain "latched closed" and the provides an indication of where the fault closing subsea valves.
blocked - associated fail safe valves remain open. The DCVs will remain in the latched may be.
pressure Currently: circuits to the DCVs are also
relief unavailable.
2 Loss of HP Hydraulic supply A Complete Leak in the HFL causes the Loss of a single HP channel to all of Subsequent Reduction in fault Sudden loss in HP hydraulic pressure of Alternative supply is available If no spare HFL is available
in a single channel. loss the production trees (max 12 off) on the umbilical. tolerance in that all affected Tree a single HP channel. (remaining HP line) then the HFL can be
(Rupture) of Control Modules will remain disconnected and parked to
Nominally HP1 to 30-HDU- HP hydraulic Pressure drop will be automatically detected by the shuttle valve operational on the alternative channel It may be difficult to differentiate between When the failure is identified the restore functionality to the
P41 lines / and the alternative channel connected before the DCVs unlatch. in a non-redundant configuration. failures in the Umbilicals / DSUT / HDU / HFL will be replaced as a single remainder of the P40 Loop.
connectors in DSUT-HDU Bridge Jumper and individual entity.
a single Severe leakage of hydraulic fluid into the sea. Environmental hazard will require SCM HFLs This action will isolate one set
channel. Topside isolation. of hydraulic and chemical
In the event that the alternative supply has not been selected supplies to 30-HDU-P41.
on the P40 Loop .
30-X-P42-C Well SCM
are utilised).
Page 2 of 13
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B8

FM
Ref
FM No: 8-0-1
Loss of HP Hydraulic supply B Leak from Leak in the HFL causes the gradual loss of a single HP channel Subsequent Reduction in fault Gradual loss in HP hydraulic pressure of Alternative supply is available
If no spare HFL is available
in a single channel HP hydraulic to all of the Well SCMs (max 12 off) on the Umbilical. tolerance in that all affected Tree a single HP channel. (remaining HP line) then the HFL can be
(continued). lines / Control Modules will remain disconnected and parked to
connectors in Subsequent pressure drop will be automatically detected by the operational on the alternative channel Hydraulic Power Unit hydraulic reservoir When the failure is identified the restore functionality to the
a single shuttle valve and the alternative channel connected before the in a non-redundant configuration. will require more frequent topping up as HFL will be replaced as a single remainder of the P40 Loop.
channel. DCVs unlatch. indicated by pressure and level entity.
Environmental hazard will require transmitters. This action will isolate one set
Leakage of hydraulic fluid into the sea. Topside isolation. of hydraulic and chemical
It may be difficult to differentiate between supplies to 30-HDU-P41.
In the event that the alternative supply has not been selected In the event that the alternative supply failures in the Umbilicals / DSUT / HDU /
open then for a short period of time all DCVs within the following has not been selected open, then for DSUT-HDU Bridge Jumper and individual

30-X-P42-D Well SCM manifolds. Worst case is the loss of
12 production wells, if all spare wells
30-X-P43-B Well SCM are utilised).
30-X-P43-C Well SCM
hydraulic operations - loss of LP to all of the Well SCMs (max 4 off) and tolerance in that all affected LP line of the HFL. (remaining HP line)
channel Manifold SCMs (1 off) on 30-S-P45 on 30-S-P41 will remain operational
blocked - on the alternative channel in a non- It may be difficult to differentiate between When the failure is identified the
input The resultant pressure drop will be automatically detected by the redundant configuration. failures in the Umbilicals / DSUT / HFL will be replaced as a single
pressure shuttle valve and the alternative channel connected before the ISUT/HDU / DSUT-ISUT Bridge entity.
DCVs unlatch. In the event that the alternative supply Jumper/DSUT-HDU HFL and individual
open then for a short period of time all DCVs within the following alternative LP channel is selected - a Inability to operate valves in this line and
close safely. Manifolds on the P40 Loop 30-S-P41
.
Currently: However serviceability of the LP line on
This results in the loss of 1 Well on 30-S-P43 and 30-S-P45 provides and
There are no active wells assigned to the manifold production manifolds 30-S-P41, the indication of where the fault may be.
associated manifolds valves will fail
"as is". Pigging valves fail open.
Page 3 of 13
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B8

FM
Ref
FM No: 8-0-1
D Single HP In the event of a surface ESD shutdown, subsea HP supply Loss of surface ESD HP pressure However serviceability of the ESD trip on Subsea electrical control to the
hydraulic pressure is not relieved . HP DCV within the following Well relief. the HP line on 30-S-P43 and 30-S-P45 HP DCV and to the LP DCVs are
channel SCMs will remain "latched closed" until the LP Pilot pressure is provides an indication of where the fault the primary and secondary
blocked - vented. The HP DCV will remain in the may be. means of closing the SCSSV
There are no active wells assigned to the manifold and the LP supply pressure cannot be
or surface LP ESD.
3 Loss of Wax A Complete Sudden loss of wax inhibitor/Demulsifier supply to the drill Environmental hazard will require Sudden loss in CI pressure at CI Unit When the failure is identified the If no spare HFL is available
Inhibitor/Demulsifier supply loss centre. Topside isolation. output transmitters. HFL will be replaced as a single then the HFL can be
in a single channel. (Rupture) of entity. disconnected and parked to
CI lines / Severe leakage of wax inhibitor/Demulsifier into the sea. restore functionality to the
Nominally to HDU 30-HDU- connectors. remainder of the P40 Loop.
P41
This action will isolate one set
of hydraulic and chemical
supplies to HDU 1
B Leak from CI Gradual loss of wax inhibitor/Demulsifier supply to the drill Environmental hazard will require Gradual reduction in CI pressure at CI When the failure is identified the If no spare HFL is available
lines / centre. Topside isolation. Unit output transmitters. HFL will be replaced as a single then the HFL can be
connectors. entity. disconnected and parked to
Leakage of wax inhibitor/Demulsifier into the sea. Increase in consumption of wax restore functionality to the
inhibitor/Demulsifier. remainder of the P40 Loop.

supplies to HDU 1
4 Loss of Corrosion/Scale A Complete Sudden loss of corrosion/scale inhibitor supply to the drill centre. Environmental hazard will require Sudden loss in CI pressure at CI Unit When the failure is identified the If no spare HFL is available
Inhibitor supply in a single loss Topside isolation. output transmitters. HFL will be replaced as a single then the HFL can be
channel. (Rupture) of Severe leakage of corrosion/scale inhibitor into the sea. entity. disconnected and parked to
CI lines / restore functionality to the
Nominally to HDU 30-HDU- connectors. remainder of the P40 Loop.
P41
supplies to HDU 1
Page 4 of 13
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B8

FM
Ref
FM No: 8-0-1
B Leak from CI Gradual loss of corrosion/scale inhibitor supply to the drill centre. Environmental hazard will require Gradual reduction in CI pressure at CI When the failure is identified the If no spare HFL is available
lines / Topside isolation. Unit output transmitters. HFL will be replaced as a single then the HFL can be
connectors. Leakage of corrosion/scale inhibitor into the sea. entity. disconnected and parked to
Increase in consumption of restore functionality to the
corrosion/scale inhibitor. remainder of the P40 Loop.

supplies to HDU 1
5 Loss of Anti-Asphaltene A Complete Sudden loss of anti-Asphaltene supply to the drill centre. Environmental hazard will require Sudden loss in CI pressure at CI Unit When the failure is identified the If no spare HFL is available
supply in a single channel. loss Topside isolation. output transmitters. HFL will be replaced as a single then the HFL can be
(Rupture) of Severe leakage of anti-Asphaltene into the sea. entity. disconnected and parked to
CI lines / restore functionality to the
connectors. remainder of the P40 Loop.

supplies to HDU 1
B Leak from CI Gradual loss of anti-Asphaltene supply to the drill centre. Environmental hazard will require Gradual reduction in CI pressure at CI When the failure is identified the If no spare HFL is available
lines / Topside isolation. Unit output transmitters. HFL will be replaced as a single then the HFL can be
connectors. Leakage of anti-Asphaltene into the sea. entity. disconnected and parked to
Increase in consumption of anti- restore functionality to the
Asphaltene. remainder of the P40 Loop.

supplies to HDU 1
6 Loss of a single MEOH A Complete Sudden loss of MI1 supply to the drill centre. M2 and M3 No long term effect on production as Sudden loss in MI1 pressure at upstream When the failure is identified the If no spare HFL is available
supply loss supplies will still be available. two lines are considered to provide HDU pressure transmitter. HFL will be replaced as a single then the HFL can be
(Rupture) of sufficient MEOH to the four normally entity. disconnected and parked to
Nominally to MEOH 1 to MI1 lines / Severe leakage of methanol into the sea. producing trees on the P40 loop. restore functionality to the
HDU 30-HDU-P41 connectors. remainder of the P40 Loop.
compromised by the reduction in flow. This action will isolate one set
Fault tolerance configuration during supplies to HDU 1

Topside isolation.
Page 5 of 13
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B8

FM
Ref
FM No: 8-0-1
B Leak from Gradual loss of MI1 supply to the drill centre. M2 and M3 No long term effect on production as Gradual reduction in MI1 pressure at When the failure is identified the If no spare HFL is available
MI1 lines / supplies will still be available. two lines are considered to provide upstream HDU pressure transmitter. HFL will be replaced as a single then the HFL can be
connectors. sufficient MEOH to the four normally entity. disconnected and parked to
Leakage of methanol into the sea. producing trees on the P40 loop. Increase in consumption of MEOH. restore functionality to the
remainder of the P40 Loop.
compromised by the reduction in flow. This action will isolate one set
Fault tolerance configuration during supplies to HDU 1

Topside isolation.
Page 6 of 13
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B8

SUBSYSTEM: Generic Hydraulic Flying Lead from 30-HDU-P41 to 30-X-P41 C
FM
Ref
FM: HFL from 30-HDU-P41 to 30-X-P41-C FUNCTION DESCRIPTION: To transfer LP & HP Hydraulics and chemical supplies from the 30-HDU-P41 to Production Tree 30-X-P41-C
FM No: 8-0-2
1 Loss of LP Hydraulic supply A Complete Leak in the HFL causes the Loss of a single LP channel to all of Subsequent Reduction in fault Sudden loss in LP hydraulic pressure of a Alternative supply is available LP 1 functionality can be
in a single channel. loss the Well SCMs (max 12 off) and Manifold SCMs (3 off) on the tolerance in that all affected Trees single LP channel. (remaining LP line) restored to the remainder of
(Rupture) of Umbilical. and Manifolds Control Modules will the P40 Loop by isolating the
Nominally LP1 LP hydraulic remain operational on the alternative It may be difficult to differentiate between When the failure is identified the incoming supply via HDU
lines / Pressure drop will be automatically detected by the shuttle valve channel in a non-redundant failures in the Umbilicals / DSUT / HFL will be replaced as a single ROV isolation valve IV 3054.
connectors in and the alternative channel connected before the DCVs unlatch. configuration. ISUT/HDU / DSUT-ISUT Bridge entity.
a single Jumper/DSUT-HDU HFL and individual This action will isolate the LP
channel. Severe leakage of hydraulic fluid into the sea. Environmental hazard will require SCM HFLs 1 supply from all the SCMs
Topside isolation. connected to 30-HDU-P41.
close safely. a short period of time until the
and Manifolds on the P40 Loop.
30-M-P42 Manifold SCM shut (with the exception of pigging
Page 7 of 13
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B8

FM
Ref
FM No: 8-0-2
Loss of LP Hydraulic supply B Leak from LP Leak in the HFL causes the gradual loss of a single LP channel Subsequent Reduction in fault Gradual loss in LP hydraulic pressure of a Alternative supply is available LP 1 functionality can be
in a single channel hydraulic to all of the Well SCMs (max 12 off) and Manifold SCMs (3 off) tolerance in that all affected Trees single LP channel. (remaining LP line) restored to the remainder of
(continued). lines / on the Umbilical. and Manifolds Control Modules will the P40 Loop by isolating the
connectors in remain operational on the alternative Hydraulic Power Unit hydraulic reservoir When the failure is identified the incoming supply via HDU
a single Pressure drop will be automatically detected by the shuttle valve channel in a non-redundant will require more frequent topping up as HFL will be replaced as a single ROV isolation valve IV 3054.
channel. and the alternative channel connected before the DCVs unlatch. configuration. indicated by pressure and level entity.
transmitters. This action will isolate the LP
Leakage of hydraulic fluid into the sea. Environmental hazard will require 1 supply from all the SCMs
Topside isolation. It may be difficult to differentiate between connected to 30-HDU-P41.
In the event that the alternative supply has not been selected failures in the Umbilicals / DSUT /
open then for a short period of time all DCVs within the following In the event that the alternative supply ISUT/HDU / DSUT-ISUT Bridge
close safely. a short period of time until the SCM HFLs
and Manifolds on the P40 Loop.
hydraulic operations - loss of LP to a single Production Tree SCM. tolerance in that Production Tree 30-X- of the umbilical. (remaining LP line)
channel P41-C Subsea Control Module will
blocked - The resultant pressure drop will be automatically detected by the remain operational on the alternative It may be difficult to differentiate between When the failure is identified the
input shuttle valve and the alternative channel connected before the channel in a non-redundant failures in the Umbilicals / DSUT / HFL will be replaced as a single
pressure DCVs unlatch. configuration. ISUT/HDU / DSUT-ISUT Bridge entity.
Jumper/DSUT-HDU HFL and individual
In the event that the alternative supply has not been selected Environmental hazard will require SCM HFLs. In addition, in the event of a total
open then for a short period of time all DCVs within the Well Topside isolation. failure of both LP supplies, the
SCM will "drop out" and the well will close safely. Inability to operate valves in this line and production from the affected tree
In the event that the alternative supply no visual indication from flowmeters. will be lost until a replacement HFL
Currently: has not been selected open, then for has been connected.
a short period of time until the However serviceability of the LP line on
There are no active wells assigned to the manifold alternative LP channel is selected - 30-S-P43 & 30-S-P45 provides and
Total loss of production from 30-X- indication of where the fault may be.
P41-C.
Page 8 of 13
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B8

FM
Ref
FM No: 8-0-2
hydraulic pressure is not relieved. All DCVs within a single Production relief. 30-S-P43 & 30-S-P45 provides and DCVs is the primary means of
channel Tree SCM will remain "latched closed" and the associated fail indication of where the fault may be. closing subsea valves.
blocked - safe valves remain open. The DCVs will remain in the latched
There are no active wells assigned to the manifold
2 Loss of HP Hydraulic supply A Complete Leak in the HFL causes the Loss of a single HP channel to all of Subsequent Reduction in fault Sudden loss in HP hydraulic pressure of Alternative supply is available HP 1 functionality can be
in a single channel. loss the production trees (max 12 off) on the umbilical. tolerance in that all affected Tree a single HP channel. (remaining HP line) restored to the remainder of
(Rupture) of Control Modules will remain the P40 Loop by isolating the
Nominally HP1 HP hydraulic Pressure drop will be automatically detected by the shuttle valve operational on the alternative channel It may be difficult to differentiate between When the failure is identified the incoming supply via HDU
lines / and the alternative channel connected before the DCVs unlatch. in a non-redundant configuration. failures in the Umbilicals / DSUT / HDU / HFL will be replaced as a single ROV isolation valve IV 3055.
connectors in DSUT-HDU Bridge Jumper and individual entity.
a single Severe leakage of hydraulic fluid into the sea. Environmental hazard will require SCM HFLs This action will isolate one the
channel. Topside isolation. HP 1 supply from all the
In the event that the alternative supply has not been selected SCMs connected to 30-HDU-
open then for a short period of time all DCVs within the following In the event that the alternative supply P41.
on the P40 Loop .
30-X-P42-C Well SCM
are utilised).
Page 9 of 13
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B8

FM
Ref
FM No: 8-0-2
Loss of HP Hydraulic supply B Leak from Leak in the HFL causes the gradual loss of a single HP channel Subsequent Reduction in fault Gradual loss in HP hydraulic pressure of Alternative supply is available HP 1 functionality can be
in a single channel HP hydraulic to all of the Well SCMs (max 12 off) on the Umbilical. tolerance in that all affected Tree a single HP channel. (remaining HP line) restored to the remainder of
(continued). lines / Control Modules will remain the P40 Loop by isolating the
connectors in Subsequent pressure drop will be automatically detected by the operational on the alternative channel Hydraulic Power Unit hydraulic reservoir When the failure is identified the incoming supply via HDU
a single shuttle valve and the alternative channel connected before the in a non-redundant configuration. will require more frequent topping up as HFL will be replaced as a single ROV isolation valve IV 3055.
channel. DCVs unlatch. indicated by pressure and level entity.
Environmental hazard will require transmitters. This action will isolate one the
Leakage of hydraulic fluid into the sea. Topside isolation. HP 1 supply from all the
It may be difficult to differentiate between SCMs connected to 30-HDU-
In the event that the alternative supply has not been selected In the event that the alternative supply failures in the Umbilicals / DSUT / HDU / P41.
open then for a short period of time all DCVs within the following has not been selected open, then for DSUT-HDU Bridge Jumper and individual

30-X-P43-C Well SCM
hydraulic operations - loss of LP to a single Production Tree SCM. tolerance in that Production Tree 30-X- of the umbilical. (remaining HP line)
channel P41-C Subsea Control Module will
blocked - The resultant pressure drop will be automatically detected by the remain operational on the alternative It may be difficult to differentiate between When the failure is identified the
input shuttle valve and the alternative channel connected before the channel in a non-redundant failures in the Umbilicals / DSUT / HFL will be replaced as a single
pressure DCVs unlatch. configuration. ISUT/HDU / DSUT-ISUT Bridge entity.
Jumper/DSUT-HDU HFL and individual
In the event that the alternative supply has not been selected Environmental hazard will require SCM HFLs. In addition, in the event of a total
open then for a short period of time all DCVs within the Well Topside isolation. failure of both HP supplies, the
SCM will "drop out" and the well will close OUT OF SYNCH. Inability to operate valves in this line and production from the affected tree
In the event that the alternative supply no visual indication from flowmeters. will be lost until a replacement HFL
Currently: has not been selected open, then for has been connected.
a short period of time until the However serviceability of the LP line on
There are no active wells assigned to the manifold alternative HP channel is selected - 30-S-P43 & 30-S-P45 provides and
Total loss of production from 30-X- indication of where the fault may be.
P41-C.
D Single HP In the event of a surface ESD shutdown, subsea HP supply Loss of surface ESD HP pressure However serviceability of the LP line on Subsea electrical control to the HP
hydraulic pressure is not relieved. HP DCV within A Well SCM will remain relief. 30-S-P43 & 30-S-P45 provides and DCV and to the LP DCVs are the
channel "latched closed" until the LP Pilot pressure is vented. indication of where the fault may be. primary and secondary means of
blocked - The HP DCV will remain in the closing the SCSSV
ESD Currently: latched closed position only if the
pressure electrical control circuits to the HP
relief There are no active wells assigned to the manifold Selector valves; DCV are unavailable
and the LP supply pressure cannot be
or surface LP ESD.
Page 10 of 13
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B8

FM
Ref
FM No: 8-0-2
3 Loss of Wax A Complete Sudden loss of wax inhibitor/Demulsifier supply to the drill Environmental hazard will require Sudden loss in CI pressure at CI Unit When the failure is identified the CI functionality can be
Inhibitor/Demulsifier supply loss centre. Topside isolation. output transmitters. HFL will be replaced as a single restored to the remainder of
in a single channel. (Rupture) of entity. the P40 Loop by isolating the
CI lines / Severe leakage of wax inhibitor/Demulsifier into the sea. incoming supply via HDU
connectors. ROV isolation valve IV3056.
This action will isolate one the

CI supply from all the SCMs
connected to 30-HDU-P41.
B Leak from CI Gradual loss of wax inhibitor/Demulsifier supply to the drill Environmental hazard will require Gradual reduction in CI pressure at CI When the failure is identified the CI functionality can be
lines / centre. Topside isolation. Unit output transmitters. HFL will be replaced as a single restored to the remainder of
connectors. entity. the P40 Loop by isolating the
Leakage of wax inhibitor/Demulsifier into the sea. Increase in consumption of wax incoming supply via HDU
inhibitor/Demulsifier. ROV isolation valve IV3056.

4 Loss of Corrosion/Scale A Complete Sudden loss of corrosion/scale inhibitor supply to the drill centre. Environmental hazard will require Sudden loss in CI pressure at CI Unit When the failure is identified the CI functionality can be
Inhibitor supply in a single loss Topside isolation. output transmitters. HFL will be replaced as a single restored to the remainder of
channel. (Rupture) of Severe leakage of corrosion/scale inhibitor into the sea. entity. the P40 Loop by isolating the
CI lines / incoming supply via HDU

B Leak from CI Gradual loss of corrosion/scale inhibitor supply to the drill centre. Environmental hazard will require Gradual reduction in CI pressure at CI When the failure is identified the CI functionality can be
lines / Topside isolation. Unit output transmitters. HFL will be replaced as a single restored to the remainder of
connectors. Leakage of corrosion/scale inhibitor into the sea. entity. the P40 Loop by isolating the
Increase in consumption of incoming supply via HDU
corrosion/scale inhibitor. ROV isolation valve IV3067.

Page 11 of 13
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B8

FM
Ref
FM No: 8-0-2
5 Loss of Anti-Asphaltene A Complete Sudden loss of anti-Asphaltene supply to the drill centre. Environmental hazard will require Sudden loss in CI pressure at CI Unit When the failure is identified the CI functionality can be
supply in a single channel. loss Topside isolation. output transmitters. HFL will be replaced as a single restored to the remainder of
(Rupture) of Severe leakage of anti-Asphaltene into the sea. entity. the P40 Loop by isolating the
CI lines / incoming supply via HDU

B Leak from CI Gradual loss of anti-Asphaltene supply to the drill centre. Environmental hazard will require Gradual reduction in CI pressure at CI When the failure is identified the CI functionality can be
lines / Topside isolation. Unit output transmitters. HFL will be replaced as a single restored to the remainder of
connectors. Leakage of anti-Asphaltene into the sea. entity. the P40 Loop by isolating the
Increase in consumption of anti- incoming supply via HDU
Asphaltene. ROV isolation valve IV3068.

6 Loss of MEOH (nominally A Complete Sudden loss of MI1 supply to the drill centre. M2 and M3 No long term effect on production as Sudden loss in MI1 pressure at upstream When the failure is identified the MI1 functionality can be
MI1) supply loss supplies will still be available. two lines are considered sufficient for HDU pressure transmitter. HFL will be replaced as a single restored to the remainder of
(Rupture) of normal production. entity. the P40 Loop by isolating the
MI1 lines / Severe leakage of methanol into the sea. incoming supply via HDU
connectors. However work over maybe ROV isolation valve
compromised by the reduction in flow. MMV3091.
Dual Redundant. This action will isolate one the

MI 1 supply from all the SCMs
Alternatively, the spare chemical line connected to 30-HDU-P41.
can be used to supply methanol after
reconfiguration if no spare bridge
jumper available.

Topside isolation.
Page 12 of 13
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B8

FM
Ref
FM No: 8-0-2
B Leak from Gradual loss of MI1 supply to the drill centre. M2 and M3 No long term effect on production. Gradual reduction in MI1 pressure at When the failure is identified the MI1 functionality can be
MI1 lines / supplies will still be available. upstream HDU pressure transmitter. HFL will be replaced as a single restored to the remainder of
connectors. MEOH injection can be restored to all entity. the P40 Loop by isolating the
Leakage of methanol into the sea. trees on the SUT by isolating MI1 Increase in consumption of MEOH. incoming supply via HDU
lines (ROV Valves) and injecting ROV isolation valve
through MI2 or MI3 lines by opening MMV3091.
MI2 or MI3 ROV isolation valves
respectively if no spare bridge jumper This action will isolate one the
available. MI 1 supply from all the SCMs
Dual Redundant.

Topside isolation.
Page 13 of 13
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B9

SUBSYSTEM: 30-HDU-P41
FM
Ref
FM: HDU FUNCTION DESCRIPTION: To distribute LP & HP Hydraulics and chemical supplies to various Production Trees
FM No: 9-0-1
1 Loss of LP Hydraulic supply A Complete loss Leak in the HDU causes the Loss of a single LP channel to all of Subsequent Reduction in fault Sudden loss in LP hydraulic pressure of a Alternative supply is available
in a single channel. (Rupture) of LP the Well SCMs (max 12 off) and Manifold SCMs (3 off) on the tolerance in that all affected Trees single LP channel. (remaining LP line)
hydraulic lines / Umbilical. and Manifolds Control Modules will
Nominally LP1 in 30-HDU- connectors in a remain operational on the alternative It may be difficult to differentiate between Isolate LP1 supply line using inlet
P41 single channel. Pressure drop will be automatically detected by the shuttle valve channel in a non-redundant failures in the Umbilicals / DSUT / ROV valve (IV3054). Once
and the alternative channel connected before the DCVs unlatch. configuration. ISUT/HDU / DSUT-ISUT Bridge affected channel (LP1) has been
Jumper/DSUT-HDU HFL and individual isolated remaining Production
Severe leakage of hydraulic fluid into the sea. Environmental hazard will require SCM HFLs Tree SCMs (8 off) and Manifold
Topside isolation. SCMs (2 off) on 30-DS-P43 and
In the event that the alternative supply has not been selected 30-DS-P45 DSUTs will operate
open then for a short period of time all DCVs within the following In the event that the alternative supply as normal.
close safely. a short period of time until the Hold for repair until a
alternative LP channel is selected - combinational failure occurs in
Currently: Total loss of production from all trees the Umbilical, DSUT, ISUT &
and Manifolds on the P40 Loop . HDU assemblies within the P40
30-M-P41 Manifold SCM Loop.
30-M-P42 Manifold SCM shut, (with the exception of pigging
Loss of LP Hydraulic supply B Leak from LP Leak in the HDU causes the gradual loss of a single LP channel Subsequent Reduction in fault Gradual loss in LP hydraulic pressure of a Alternative supply is available
in a single channel hydraulic lines / to all of the Well SCMs (max 12 off) and Manifold SCMs (3 off) tolerance in that all affected Trees single LP channel. (remaining LP line)
(continued). connectors in a on the Umbilical. and Manifolds Control Modules will
single channel. remain operational on the alternative Hydraulic Power Unit hydraulic reservoir Isolate LP1 supply line using inlet
Pressure drop will be automatically detected by the shuttle valve channel in a non-redundant will require more frequent topping up as ROV valve (IV3054). Once
and the alternative channel connected before the DCVs unlatch. configuration. indicated by pressure and level affected channel (LP1) has been
transmitters. isolated remaining Production
Leakage of hydraulic fluid into the sea. Environmental hazard will require Tree SCMs (8 off) and Manifold
Topside isolation. It may be difficult to differentiate between SCMs (2 off) on 30-DS-P43 and
In the event that the alternative supply has not been selected failures in the Umbilicals / DSUT / 30-DS-P45 DSUTs will operate
open then for a short period of time all DCVs within the following In the event that the alternative supply ISUT/HDU / DSUT-ISUT Bridge as normal.
close safely. a short period of time until the SCM HFLs Hold for repair until a
alternative LP channel is selected - combinational failure occurs in
Currently: Total loss of production from all trees the Umbilical, DSUT, ISUT &
and Manifolds on the P40 Loop . HDU assemblies within the P40
30-M-P41 Manifold SCM Loop.
Page 1 of 7
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B9

FM
Ref
FM No: 9-0-1
C Single LP Loss of LP pressure in affected channel following valve Subsequent Reduction in fault Excessive pressure drop across the HDU. Alternative supply is available
hydraulic operations - loss of LP to all of the Well SCMs (max 4 off) and tolerance in that all affected Trees (remaining LP line)
channel Manifold SCMs (1 off) on 30-S-P41 and Manifolds Control Modules will It may be difficult to differentiate between
blocked - input remain operational on the alternative failures in the Umbilicals / DSUT / Isolate LP1 supply line using inlet
pressure The resultant pressure drop will be automatically detected by the channel in a non-redundant ISUT/HDU / DSUT-ISUT Bridge ROV valve (IV3054). Once
shuttle valve and the alternative channel connected before the configuration. Jumper/DSUT-HDU HFL and individual affected channel (LP1) has been
DCVs unlatch. SCM HFLs isolated remaining Production
In the event that the alternative supply Tree SCMs (8 off) and Manifold
In the event that the alternative supply has not been selected has not been selected open, then for Inability to operate valves in this line and SCMs (2 off) on 30-DS-P43 and
open then for a short period of time all DCVs within the following a short period of time until the no visual indication from flowmeters. 30-DS-P45 DSUTs will operate
Well SCMs and Manifold SCMs will "drop out" and the well will alternative LP channel is selected - as normal.
close safely. Total loss of production from all trees
and Manifolds on the P40 Loop . Hold for repair until a
Currently: combinational failure occurs in
This can potentially result in the loss the Umbilical, DSUT, ISUT &
30-M-P41 Manifold SCM of 4 Wells on the three production HDU assemblies within the P40
manifolds and all of the manifolds Loop.
D Single LP In the event of a surface ESD shutdown, subsea LP Supply Loss of surface ESD LP pressure Subsea electrical control to the
hydraulic pressure is not relieved . All DCVs within the following Well relief. DCVs is the primary means of
channel SCMs and Manifold SCMs will remain "latched closed" and the closing subsea valves.
blocked - ESD associated fail safe valves remain open. The DCVs will remain in the latched
pressure relief closed position if the electrical control
Currently: circuits to the DCVs are also
unavailable.
Page 2 of 7
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B9

FM
Ref
FM No: 9-0-1
2 Loss of HP Hydraulic supply A Complete loss Leak in the HDU causes the Loss of a single HP channel to all of Subsequent Reduction in fault Sudden loss in HP hydraulic pressure of Alternative supply is available
in a single channel. (Rupture) of the production trees (max 12 off) on the umbilical. tolerance in that all affected Tree a single HP channel. (remaining HP line)
HP hydraulic Control Modules will remain
lines / Pressure drop will be automatically detected by the shuttle valve operational on the alternative channel It may be difficult to differentiate between Isolate HP1 supply line using
Nominally HP1 in 30-HDU- connectors in a and the alternative channel connected before the DCVs unlatch. in a non-redundant configuration. failures in the Umbilicals / DSUT / HDU / inlet ROV valve (IV3055). Once
P41 single channel. DSUT-HDU Bridge Jumper and individual affected channel (HP1) has been
Severe leakage of hydraulic fluid into the sea. Environmental hazard will require SCM HFLs isolated remaining Production
Topside isolation. Tree SCMs (8 off) and Manifold
In the event that the alternative supply has not been selected SCMs (2 off) on 30-DS-P43 and
open then for a short period of time all DCVs within the following In the event that the alternative supply 30-DS-P45 DSUTs will operate
Well SCMs will "drop out" and the well will close OUT OF has not been selected open, then for as normal.
alternative HP channel is selected - Hold for repair until a
Currently: Total loss of production from all trees combinational failure occurs in
on the P40 Loop . the Umbilical, DSUT, ISUT &
30-X-P42-C Well SCM HDU assemblies within the P40
30-X-P42-D Well SCM This can potentially result in the loss Loop.
are utilised).
Loss of HP Hydraulic supply B Leak from HP Leak in the HDU causes the gradual loss of a single HP channel Subsequent Reduction in fault Gradual loss in HP hydraulic pressure of Alternative supply is available
in a single channel hydraulic lines / to all of the Well SCMs (max 12 off) on the Umbilical. tolerance in that all affected Tree a single HP channel. (remaining HP line)
single channel. Subsequent pressure drop will be automatically detected by the operational on the alternative channel Hydraulic Power Unit hydraulic reservoir Isolate HP1 supply line using
shuttle valve and the alternative channel connected before the in a non-redundant configuration. will require more frequent topping up as inlet ROV valve (IV3055). Once
DCVs unlatch. indicated by pressure and level affected channel (HP1) has been
Environmental hazard will require transmitters. isolated remaining Production
Leakage of hydraulic fluid into the sea. Topside isolation. Tree SCMs (8 off) and Manifold
It may be difficult to differentiate between SCMs (2 off) on 30-DS-P43 and
In the event that the alternative supply has not been selected In the event that the alternative supply failures in the Umbilicals / DSUT / HDU / 30-DS-P45 DSUTs will operate
open then for a short period of time all DCVs within the following has not been selected open, then for DSUT-HDU Bridge Jumper and individual as normal.
SYNCH. alternative HP channel is selected - Hold for repair until a
Total loss of production from all trees combinational failure occurs in
Currently: on the P40 Loop . the Umbilical, DSUT, ISUT &
This can potentially result in the loss Loop.
30-X-P43-C Well SCM
Page 3 of 7
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B9

FM
Ref
FM No: 9-0-1
hydraulic operations - loss of LP to all of the Well SCMs (max 4 off) and tolerance in that all affected Tree of the umbilical. (remaining HP line)
channel Manifold SCMs (1 off) on 30-S-P45 Control Modules will remain
blocked - input operational on the alternative channel It may be difficult to differentiate between Isolate HP1 supply line using
pressure The resultant pressure drop will be automatically detected by the in a non-redundant configuration. failures in the Umbilicals / DSUT / inlet ROV valve (IV3055). Once
shuttle valve and the alternative channel connected before the ISUT/HDU / DSUT-ISUT Bridge affected channel (HP1) has been
DCVs unlatch. In the event that the alternative supply Jumper/DSUT-HDU HFL and individual isolated remaining Production
has not been selected open, then for SCM HFLs. Tree SCMs (8 off) and Manifold
In the event that the alternative supply has not been selected a short period of time until the SCMs (2 off) on 30-DS-P43 and
open then for a short period of time all DCVs within the following alternative HP channel is selected - Inability to operate valves in this line and 30-DS-P45 DSUTs will operate
Well SCMs and Manifold SCMs will "drop out" and the well will Total loss of production from all trees no visual indication from flowmeters. as normal.
close safely. on the P40 Loop .
Currently: This can potentially result in the loss combinational failure occurs in
of 4 Wells on the three production the Umbilical, DSUT, ISUT &
There are no active wells assigned to the manifold manifolds. Worst case is the loss of HDU assemblies within the P40
12 production wells, if all spare wells Loop.
are utilised).
channel SCMs will remain "latched closed" until the LP Pilot pressure is the primary and secondary
blocked - ESD vented. The HP DCV will remain in the means of closing the SCSSV
pressure relief latched closed position only if the
There are no active wells assigned to the manifold and the LP supply pressure cannot be
or surface LP ESD.
3 Loss of Wax A Complete loss Sudden loss of wax inhibitor/Demulsifier supply to the drill Environmental hazard will require Sudden loss in CI pressure at CI Unit Isolate CI supply line using ROV
Inhibitor/Demulsifier supply (Rupture) of CI centre. Topside isolation. output transmitters. valve (IV3056). Once affected
in a single channel. lines / channel has been isolated
connectors. Severe leakage of wax inhibitor/Demulsifier into the sea. remaining Production Tree SCMs
(8 off) and Manifold SCMs (2 off)
on 30-DS-P43 and 30-DS-P45
DSUTs will operate as normal.

the Umbilical, DSUT, ISUT &
Loop.
Page 4 of 7
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B9

FM
Ref
FM No: 9-0-1
B Leak from CI Gradual loss of wax inhibitor/Demulsifier supply to the drill Environmental hazard will require Gradual reduction in CI pressure at CI Isolate CI supply line using ROV
lines / centre. Topside isolation. Unit output transmitters. valve (IV3056). Once affected
connectors. channel has been isolated
Leakage of wax inhibitor/Demulsifier into the sea. Increase in consumption of wax remaining Production Tree SCMs
inhibitor/Demulsifier. (8 off) and Manifold SCMs (2 off)

Loop.
4 Loss of Corrosion/Scale A Complete loss Sudden loss of corrosion/scale inhibitor supply to the drill centre. Environmental hazard will require Sudden loss in CI pressure at CI Unit Isolate CI supply line using ROV
Inhibitor supply in a single (Rupture) of CI Topside isolation. output transmitters. valve (IV3067). Once affected
channel. lines / Severe leakage of corrosion/scale inhibitor into the sea. channel has been isolated
connectors. remaining Production Tree SCMs

Loop.
B Leak from CI Gradual loss of corrosion/scale inhibitor supply to the drill centre. Environmental hazard will require Gradual reduction in CI pressure at CI Isolate CI supply line using ROV
lines / Topside isolation. Unit output transmitters. valve (IV3067). Once affected
connectors. Leakage of corrosion/scale inhibitor into the sea. channel has been isolated
Increase in consumption of remaining Production Tree SCMs
corrosion/scale inhibitor. (8 off) and Manifold SCMs (2 off)

Loop.
Page 5 of 7
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B9

FM
Ref
FM No: 9-0-1
5 Loss of Anti-Asphaltene A Complete loss Sudden loss of anti-Asphaltene supply to the drill centre. Environmental hazard will require Sudden loss in CI pressure at CI Unit Isolate CI supply line using ROV
supply in a single channel. (Rupture) of CI Topside isolation. output transmitters. valve (IV3068). Once affected
lines / Severe leakage of anti-Asphaltene into the sea. channel has been isolated
connectors. remaining Production Tree SCMs

Loop.
B Leak from CI Gradual loss of anti-Asphaltene supply to the drill centre. Environmental hazard will require Gradual reduction in CI pressure at CI Isolate CI supply line using ROV
lines / Topside isolation. Unit output transmitters. valve (IV3068). Once affected
connectors. Leakage of anti-Asphaltene into the sea. channel has been isolated
Increase in consumption of anti- remaining Production Tree SCMs
Asphaltene. (8 off) and Manifold SCMs (2 off)

Loop.
6 Loss of MEOH (nominally A Complete loss Sudden loss of MI1 supply to the drill centre. M2 and M3 No long term effect on production as Sudden loss in MI1 pressure at HDU Isolate MI1 supply line using
MI1) supply (Rupture) of supplies will still be available. two lines are considered to provide pressure transmitter. ROV operated isolation valve
MI1 lines / sufficient MEOH to the four normally (MMV3091), open the associated
connectors Severe leakage of methanol into the sea. producing trees on the P40 loop. MI1 ROV operated valve
downstream of (MMV3096) to feed MI1 supply
MMV3091. However work over will be into the 'SERVICE LINE' creating
compromised by the reduction in flow. a new MEOH line/header. Fault
tolerant configuration restored.
normal tree operations. Hold for repair until a
Environmental hazard will require the Umbilical DSUT, ISUT &
Topside isolation. HDU assemblies within the P40
loop.
Page 6 of 7
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B9

FM
Ref
FM No: 9-0-1
B Leak from MI1 Gradual loss of MI1 supply to the drill centre. M2 and M3 No long term effect on production as Gradual reduction in MI1 pressure at Isolate MI1 supply line using
lines / supplies will still be available. two lines are considered to provide HDU pressure transmitter. ROV operated isolation valve
connectors sufficient MEOH to the four normally (MMV3091), open the associated
downstream of Leakage of methanol into the sea. producing trees on the P40 loop. MI1 ROV operated valve
MMV3091. (MMV3096) to feed MI1 supply
However work over will be into the 'SERVICE LINE' creating
compromised by the reduction in flow. a new MEOH line/header. Fault
tolerant configuration restored.
normal tree operations. Hold for repair until a
Environmental hazard will require the Umbilical DSUT, ISUT &
Topside isolation. HDU assemblies within the P40
loop.
C Complete loss Sudden loss of MI1 supply to the drill centre. M2 and M3 No long term effect on production as Sudden loss in MI1 pressure at HDU Hold for repair until a
(Rupture) of supplies will still be available. two lines are considered to provide pressure transmitter. combinational failure occurs in
MI1 lines / sufficient MEOH to the four normally the Umbilical, DSUT, ISUT &
connectors Severe leakage of methanol into the sea. producing trees on the P40 loop. HDU assemblies within the P40
upstream of Loop.
MMV3091. However work over will be


Topside isolation.
D Leak from MI1 Gradual loss of M1 supply to the drill centre. No long term effect on production as Gradual reduction in MI1 pressure at Hold for repair until a
lines / two lines are considered to provide HDU pressure transmitter. combinational failure occurs in
connectors Leakage of methanol into the sea. sufficient MEOH to the four normally the Umbilical, DSUT, ISUT &
upstream of producing trees on the P40 loop. Increase in consumption of MEOH. HDU assemblies within the P40
MMV3091. Loop.


Topside isolation.
Page 7 of 7
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B10

SUBSYSTEM: Subsea Control Module (SCM)
FM
Ref
FM SCM Assembly FUNCTION DESCRIPTION: To control subsea solenoid actuated hydraulic tree valves.
FM No: 10-0-1
1 Loss of redundancy of A One of the Loss of Subsea Control Channel A, loss of all associated SEM Loss of Subsea Control Channel A. Alarm on SCS. SEM's are in a partially redundant
electronic control of all two SEMs instrumentation. configuration - there will be a graceful
associated hydraulically fail No direct system effect whilst the degradation in that the redundant SEMs are
actuated tree valves No direct system effect whilst the opposite control channel opposite control channel remains fully unlikely to fail at the same time.
remains fully serviceable. serviceable.
Hold for repair until a combinational failure
All DCV's remain "latched" in their current positions. occurs in the alternate SEM, Umbilical,
SUTA & HDU control channel.
2 Loss of electronic control of A In time both Unable to electronically control any valve associated with the 1) Loss of control of the well, SCS comms alarm. SEM's are in a partially redundant
all associated hydraulically SEMs fail SCM. resulting in a requirement to "shut-in" configuration - there will be a graceful
actuated tree valves the well. This is an SESD2 trip degradation in that the redundant SEMs are
All DCV's remain "latched" in their current positions. unlikely to fail at the same time.
2) The procedure to remove hydraulic
Loss of all associated subsea instrumentation. pressure subsea from topside will Subsequent recovery action is to pull SCM
result in the closure of all wells and and replace SEMs.
manifold valves on the umbilical.
3) Once the pressure has been

reduced, the affected SCM can be
isolated on the SDU/SUTA and
pressure restored.
3 Loss of the LP Hydraulic A Severe leak LP pressure will fall and activate the LP Dump Valve. All LP and Single Point Failure. All DCV's will SCS LP Hydraulic pressure alarm. Subsequent recovery action is to pull SCM
Supply from the LP HP DCV's will unlatch in the correct sequence. unlatch and all of the hydraulically and repair
Shuttle actuated valves on the production
valve tree will close and shut in the well.
There will be a total loss of production

from the well.
4 Loss of HP supply to the A Severe leak LP pressure will fall and activate the Dump Valve. Single Point Failure. SCS alarm. Subsequent recovery action is to pull SCM
IWC DCVs from the and repair
Dump valve All HP IWC DCV's will unlatch Unable to operate all HP DCVs
associated with Intelligent Well
Completion valves.
Loss of zone selectivity. Tree will

continue to produce.
B Spurious/ina Dump Valve inadvertantly vents IWC HP presuure Dormsant and Single Point Failure. SCS alarm. Subsequent recovery action is to pull SCM
dvertent and repair
operation of All HP IWC DCV's will unlatch All HP DCVs associated with
the Dump Intelligent Well Completion valves
valve remain latched open
5 HP supply to the IWC A Dump valve Dump valve fails to operate all HP IWC DCV's remain latched. Single Point Failure. SCS alarm. Subsequent recovery action is to pull SCM
DCVs remains energised fails to and repair
on a fall of LP pressure operate Dormant Failure Unable to operate all HP DCVs
associated with Intelligent Well
Completion valves.
Loss of zone selectivity. Tree will

continue to produce.
Page 1 of 6
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B10

FM
Ref
FM No: 10-0-1
6 Loss of a single HP A Severe leak HP pressure will fall and all of the HP DCV's will unlatch in the Single Point Failure. The HP DCV's SCS HP Hydraulic pressure alarm. Subsequent recovery action is to pull SCM
Hydraulic Supply from the HP wrong sequence will unlatch and the hydraulically and repair
Shuttle actuated SCSSV will close out of
valve sequence and shut in the well.
There will be a total loss of production

from the well.
7 Production Wing Valve A In time both Unable to electronically open Associated DCV. PWV fails to open , unable to start No production flow available. There will be a graceful degradation in that
(PWV) fails to open on associated production from the well. the dual redundant VEMs are unlikely to fail
demand from the closed VEMs fail Associated DCV will remain "latched" in the shut position. SCS VEM fault indication & valve 'failed at the same time.
position (normally open). to move' alarm.
Loss of a single VEM can be held for repair
until failure of the associated VEM has
occurred.
Subsequent recovery action is to pull SCM

and repair.
Dependant upon regulations, it may be

possible to ROV override the valve and
operate with the two Upper Safety Valves
available to isolate the production flow if
necessary.
B Associated Unable to open Associated DCV. PWV fails to open , unable to start No production flow available. Subsequent recovery action is to pull SCM
DCV fails in production from the well. and repair.
the shut Associated DCV will remain "latched" in the shut position. MCS VEM fault indication & valve 'failed
position to move' alarm. Dependant upon regulations, it may be
necessary.
C Associated Insufficient hydraulic pressure to open Associated DCV. PWV fails to open , unable to start No production flow available. Subsequent recovery action is to pull SCM
DCV production from the well. and repair.
hydraulic Associated DCV will remain "latched" in the shut position. MCS VEM fault indication & valve 'failed
fluid to move' alarm. Dependant upon regulations, it may be
leakage. possible to ROV override the valve and
necessary.
D Associated DCV closes when the solenoids are de-energised Associated PWV fails to open , unable to start No production flow available. Subsequent recovery action is to pull SCM
DCV fails to DCV). production from the well. and repair.
latch open SCS VEM fault indication & valve 'failed
Associated DCV will remain "latched" in the shut position. to move' alarm. Dependant upon regulations, it may be
necessary.
8 PWV shuts spuriously from A Associated Associated DCV shuts. PWV spuriously closes unscheduled No production flow available. Subsequent recovery action is to pull SCM
the open position (normally DCV loss of production. and repair.
open). unlatches. Associated DCV will remain "latched" in the shut position. SCS VEM fault indication & valve 'failed
to move' alarm. Dependant upon regulations, it may be
necessary.
Page 2 of 6
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B10

FM
Ref
FM No: 10-0-1
B Associated Reduction in hydraulic pressure eventually causes Associated PWV spuriously closes unscheduled No production flow available. Subsequent recovery action is to pull SCM
DCV DCV to shut. loss of production. and repair.
hydraulic SCS VEM fault indication & valve 'failed
fluid PWV shuts. Temporary shut-off of flow. Potential long term gate to move' alarm. Dependant upon regulations, it may be
leakage. & seat erosion. possible to ROV override the valve and
necessary.
9 PWV fails to shut on A In time both Unable to electronically open Associated DCV. Production flow can still be isolated Unable to shut off production flow via There will be a graceful degradation in that
demand from the open associated utilizing the USV1 or the USV2. PWV. the dual redundant VEMs are unlikely to fail
position (normally open). VEMs fail Associated DCV will remain "latched" in the open position. at the same time.
Finally, the LP supplies could be Indication of production flow / pressure
discharged Topsides to shut the from tree instrumentation. Loss of a single VEM can be held for repair
valve. Upon subsequent re- until failure of the associated VEM has
instatement of the LP supplies, the SCS VEM fault indication & valve 'failed occurred.
valve will stay shut. to move' alarm.
PWV may be considered to be dual
May be unable to recover choke redundant with the two Upper Safety Valves.
insert for repair.
and repair.
B Associated Unable to shut Associated DCV. Production flow can still be isolated Unable to shut off production flow via PWV may be considered to be dual
DCV fails in utilizing the USV1 or the USV2. PWV. redundant with the two Upper Safety Valves.
the open Associated DCV will remain "latched" in the open position.
position Finally, the LP supplies could be Indication of production flow / pressure Subsequent recovery action is to pull SCM
discharged Topsides to shut the from tree instrumentation. and repair.
valve. Upon subsequent re-
instatement of the LP supplies, the SCS VEM fault indication & valve 'failed
valve will stay shut. to move' alarm.
May be unable to recover choke

insert for repair.
10 Production Choke Valve A In time both Unable to electronically open Associated DCV PCVO actuator Unable to set required choke valve Choke discrepancy alarm at SCS. There will be a graceful degradation in that
Open (PCVO) actuator associated position; reduction in flow of oil from the dual redundant VEMs are unlikely to fail
DCV fails to extend PCV VEMs fail the affected well. at the same time.
Open Actuator Production Choke Valve Open (PCVO) actuator DCV fails to
extend PCV Open Actuator The Choke can still be "inched" in the Loss of a single VEM can be held for repair
closed direction, if required. until failure of the associated VEM has
PCVO will remain in its current position. Unable to open the occurred.
Production Choke Valve as required. ROV can manually set choke position
for short term production. Subsequent recovery action is to pull SCM
and replace.
Dual redundant VEMs & dormant
failure. ROV intervention.
Page 3 of 6
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B10

FM
Ref
FM No: 10-0-1
B Associated Unable to hydraulically open Associated DCV. Unable to set required choke valve Choke discrepancy alarm at SCS. ROV intervention.
DCV fails in position; reduction in flow of oil from
the shut Production Choke Valve Open (PCVO) actuator DCV fails to the affected well. Dual solenoid coils.
position extend PCV Open Actuator
The Choke can still be "inched" in the
PCVO will remain in its current position. Unable to open the closed direction, if required.
Production Choke Valve as required.
ROV can manually set choke position
for short term production.
DCV is Single Point Failure
C Associated Unable to hydraulically open Associated DCV. Unable to set required choke valve Choke discrepancy alarm at SCS. ROV intervention.
DCV position; reduction in flow of oil from
hydraulic Production Choke Valve Open (PCVO) actuator DCV fails to the affected well. Dual solenoid coils.
fluid extend PCV Open Actuator
leakage. The Choke can still be "inched" in the
PCVO will remain in its current position. Unable to open the closed direction, if required.
11 Production Choke Valve A Any one of Unable to electronically close Associated DCV. Unable to set required choke valve Choke discrepancy alarm at SCS. There will be a graceful degradation in that
Open (PCVO) actuator the two position; reduction in flow of oil from the dual redundant VEMs are unlikely to fail
DCV remains in the open asscoiated Production Choke Valve Open (PCVO) actuator DCV fails to the affected well. at the same time.
position VEMs; retract PCV Open Actuator
spurious The Choke cannot be "inched" in the Loss of a single VEM can be held for repair
DCV open PCVO actuator will move one step and then remain "latched" in closed direction, if required. until failure of the associated VEM has
signal. its current position. Unable to open or close the Production occurred.
Choke Valve as required. ROV can manually set choke position
and replace.
Each of the 2 VEMs is Single Point
Failure ROV intervention.
B Associated Unable to hydraulically close Associated DCV. Unable to set required choke valve
DCV fails in position; reduction in flow of oil from
the open Production Choke Valve Open (PCVO) actuator DCV fails to the affected well.
position retract PCV Open Actuator
The Choke cannot be "inched" in the
PCVO actuator will move one step and then remain "latched" in closed direction, if required.
its current position. Unable to open or close the Production
Choke Valve as required. ROV cannot manually set choke
position for short term production.
Page 4 of 6
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B10

FM
Ref
FM No: 10-0-1
12 Production Choke Valve A In time both Unable to electronically open Associated DCV. Unable to set required choke valve Choke discrepancy alarm at SCS. There will be a graceful degradation in that
Close actuator (PCVC) fails associated position; increase in flow of oil from the dual redundant VEMs are unlikely to fail
to extend PCV Closed VEMs fail Production Choke Valve Close (PCVC) actuator DCV fails to the affected well. at the same time.
Actuator . extend PCV Close Actuator
The Choke can still be "inched" in the Loss of a single VEM can be held for repair
PCVO will remain in its current position. Unable to close the open direction, if required. until failure of the associated VEM has
Production Choke Valve as required. occurred.
and replace.
failure. ROV intervention.
B Associated Unable to hydraulically open Associated DCV. Unable to set required choke valve Choke discrepancy alarm at SCS. ROV intervention.
DCV fails in position; increase in flow of oil from
the shut Production Choke Valve Close (PCVC) actuator DCV fails to the affected well. Dual solenoid coils.
position extend PCV Close Actuator
The Choke can still be "inched" in the
PCVO will remain in its current position. Unable to close the open direction, if required.
C Associated Unable to hydraulically open Associated DCV. Unable to set required choke valve Choke discrepancy alarm at SCS. ROV intervention.
DCV position; increase in flow of oil from
hydraulic Production Choke Valve Close (PCVC) actuator DCV fails to the affected well. Dual solenoid coils.
fluid extend PCV Close Actuator
leakage. The Choke can still be "inched" in the
PCVO will remain in its current position. Unable to close the open direction, if required.
13 Production Choke Valve A Any one of Unable to electronically close Associated DCV. Unable to set required choke valve Choke discrepancy alarm at SCS. There will be a graceful degradation in that
Close (PCVC) actuator the two position; increase in flow of oil from the dual redundant VEMs are unlikely to fail
DCV remains open associated Production Choke Valve Close (PCVC) actuator DCV fails to the affected well. at the same time.
VEMs; retract PCV Close Actuator
spurious The Choke cannot be "inched" in the Loss of a single VEM can be held for repair
DCV open PCVC will move one step and then remain "latched" in its closed direction, if required. until failure of the associated VEM has
signal. current position. Unable to open or close the Production Choke occurred.
Valve as required. ROV cannot manually set choke
position for short term production. Subsequent recovery action is to pull SCM
and replace.
Each of the 2 VEMs is Single Point
Failure ROV intervention.
Page 5 of 6
X-219400-01-78
NG50-2-300-SPS-TR-AB-30-0132
Appendix B10

FM
Ref
FM No: 10-0-1
B Associated Unable to hydraulically close Associated DCV. Unable to set required choke valve Choke discrepancy alarm at SCS.
DCV fails in position; increase in flow of oil from
the open Production Choke Valve Close (PCVC) actuator DCV fails to the affected well.
position retract PCV Close Actuator
The Choke cannot be "inched" in the
PCVC will move one step and then remain "latched" in its closed direction, if required.
current position. Unable to open or close the Production Choke
Valve as required. ROV cannot manually set choke
position for short term production.

failure.
14 SCSSV fails to open on A In time both Unable to electronically open Associated DCV. SCSSV fails to open , unable to start No production flow available. There will be a graceful degradation in that
demand from the closed associated production from the well. the dual redundant VEMs are unlikely to fail
position (normally open). VEMs fail Associated DCV will remain "latched" in the shut position. SCS VEM fault indication & valve 'failed at the same time.
to move' alarm.
Loss of a single VEM can be held for repair
until failure of the associated VEM has
occurred.

and repair.
B Associated Unable to open Associated DCV. SCSSV fails to open , unable to start No production flow available. Subsequent recovery action is to pull SCM
DCV fails in production from the well. and repair.
the shut Associated DCV will remain "latched" in the shut position. SCS VEM fault indication & valve 'failed
position to move' alarm.
C Associated Insufficient hydraulic pressure to open Associated DCV. SCSSV fails to open , unable to start No production flow available. Subsequent recovery action is to pull SCM
DCV production from the well. and repair.
hydraulic Associated DCV will remain "latched" in the shut position. SCS VEM fault indication & valve 'failed
fluid to move' alarm.
leakage.
D Associated DCV closes when the solenoids are de-energised Associated SCSSV fails to open, unable to start No production flow available. Subsequent recovery action is to pull SCM
DCV fails to DCV). production from the well. and repair.
latch open SCS VEM fault indication & valve 'failed
Associated DCV will remain "latched" in the shut position. to move' alarm.
15 SCSSV shuts spuriously A Associated Associated DCV shuts. SCSSV spuriously closes No production flow available. Subsequent recovery action is to pull SCM
from the open position DCV unscheduled loss of production. and repair.
(normally open). unlatches. Associated DCV will remain "latched" in the shut position. SCS VEM fault indication & valve 'failed
to move' alarm.
B Associated Reduction in hydraulic pressure eventually causes Associated SCSSV spuriously closes No production flow available. Subsequent recovery action is to pull SCM
DCV DCV to shut. unscheduled loss of production. and repair.
hydraulic SCS VEM fault indication & valve 'failed
fluid SCSSV shuts. Temporary shut-off of flow. to move' alarm.
leakage.
16 SCSSV fails to shut on A In time both Unable to electronically open Associated DCV. Loss of the high integrity down hole Unable to shut off production flow via There will be a graceful degradation in that
demand from the open associated isolating device. SCSSV. the dual redundant VEMs are unlikely to fail
position (normally open). VEMs fail Associated DCV will remain "latched" in the open position. at the same time.
The SCSSV could be shut via SCS VEM fault indication & valve 'failed
discharging the Topsides supplies to to move' alarm. Loss of a single VEM can be held for repair
shut the valve. until failure of the associated VEM has
occurred.
B Associated Unable to shut Associated DCV. Loss of the high integrity down hole Unable to shut off production flow via Subsequent recovery action is to pull SCM
DCV fails in isolating device. SCSSV. and repair.
the open Associated DCV will remain "latched" in the open position.
position The SCSSV could be shut via SCS VEM fault indication & valve 'failed
discharging the Topsides supplies to to move' alarm.
shut the valve.
Page 6 of 6

NG50-2-300-SPS-TR-AB-30-0132

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

NG50-2-300-SPS-TR-AB-30-0132

Uploaded by

Copyright:

Available Formats

AKPO Field Development Project (OML 130)

Subsea Production Systems (SPS)

Contract No. APO/C007/03

2 6 NOV 07 IFI Issued for Information A Moore C. Kochenower

Document Number: NG50-2-300-SPS-TR-AB-30-0132

1.3 SCOPE AND BOUNDARY

• HFL (LP hydraulic channel, HP hydraulic channel and chemical channels)

2.0 CONTROL SYSTEM CONFIGURATION

o Dual LP hydraulic selector valves.

2.2 POWER & CONTROL

• Dual SCS system with separate output channels.

Table 1 – FMEA Tabular Format

3.3 FAILURE CRITERIA

• (SPF) Single point failures that impact on production.

3.3.2 HPU Loss of Hydraulic Supply

3.4 TECHNICAL REVIEW

• FPSO located equipment

4.0 FMEA RESULTS

4.3 SINGLE POINT FAILURE – SAFETY RELATED

• Failure in the ESD circuits (hydraulic and electronic signal): HPU

Table 2 - Safety Related Single Point Failures

SAFETY RELATED FAILURE

HPU ASSEMBLY (LP & HP)

Fails to operate on demand –

4.4 SINGLE POINT FAILURE – PRODUCTION RELATED

Table 3 - Production Related Single Point Failures

Unit Failure Mode Impact on Subsea System Mitigation/Comments

HPU Spurious Loss of LP Supply Pressure, until Operation of manual

HPU Severe Leak Loss of LP Supply Pressure, until Operation of manual

HPU Severe Leak Loss of HP Supply Pressure, until Operation of manual

Unit Failure Mode Impact on Subsea System Mitigation/Comments

HPU Failure In the event of a surface ESD Manual bleed down.

Single Point Failure and Dormant

HPU Failure In the event of a surface ESD Manual bleed down.

Single Point Failure and Dormant

SCM Severe Leak Unable to operate all HP DCVs Subsequent recovery

SCM Spurious Unable to operate all HP DCVs Subsequent recovery

Unit Failure Mode Impact on Subsea System Mitigation/Comments

There will be a total loss of

The pulse / check back / verify and ROV intervention

SCM Fails in the Selected valve fails to close on Possible ROV

4.5 CONNECTIVITY ARRANGEMENTS

4.5.1 Redundant Failures

4.5.2 Dormant Failure Modes

4.5.3 Hold for Repair

Table 4 - Redundant Failures Including Dormancy and Hold For Repair

Failure Mitigation/ Hold For

SPCU Isolating No direct system effect on subsea Alternative supply

SPCU Input No direct system effect on subsea Alternative supply

SPCU Output No direct system effect on subsea Alternative supply Yes

SPCU Input No direct system effect on subsea Alternative supply Yes

SPCU Input No direct system effect on subsea Alternative supply Yes

Failure Mitigation/ Hold For

SPCU Output No direct system effect on subsea Alternative supply Yes

Failure Mitigation/ Hold For

SPCU SOM Loss of control of a single pair of Alternative supply Yes

The hold for repair in this

Failure Mitigation/ Hold For

HPU Isolating No effect on system performance Dual redundant LP Pump Yes

Hold for repair until a

HPU Isolating No effect on system performance Dual redundant HP Pump Yes

Hold for repair until a

Failure Mitigation/ Hold For

HPU ESD Loss of a single LP channel to all of Alternative supply is Yes