NG50-5-BE-INS-TR-AB-00-0102


NIGERIA - OPL 246

AKPO FIELD DEVELOPMENT PROJECT

BASIC ENGINEERING
_____________

TOP OF RISER HIPPS

RELIABILITY STUDY

This document is based on the riser top HIPPS design defined in revision 3 of
drawing NG50-5-BE-PRO-DW-AB-300-001. This revision 3 is now superseded.
CONTRACTOR shall use this document as a guideline and will update it taking
into account the HIPPS design reflected in revision 4 of drawing
NG50-5-BE-PRO-DW-AB-300-001 (i.e. the option case).

REV | DATE     | BY | DESCRIPTION         | CHECK | APPR. | SPEC. | RESP.
    |          |    |                     | CONTRACTOR APPROVAL | COMPANY APPROVAL
1   | 02/04/04 | AL | Approved            | ST    | HA    | DTT   | BTc
0   | 12/03/04 | AL | Issued for approval | ST    | HA    |       |

STATUS CODE : A = Issued for comments - B = Issued for approval - C = Approved

TOTAL OR PARTIAL REPRODUCTION AND/OR UTILIZATION OF THIS DOCUMENT ARE FORBIDDEN


WITHOUT PRIOR WRITTEN AUTHORIZATION OF THE OWNER

SAPETRO

REVISION STATUS: N° NG 50 5 BE INS TR AB 000 102 - Rev. 1 - Status C
AKPO FIELD DEVELOPMENT PROJECT

Doc N° NG 50 BE INS TR AB 000 102 Rev. 1 St. C Page 3 of 54

CONTENTS

1. INTRODUCTION...................................................................................................................... 5

2. CONCLUSIONS....................................................................................................................... 6

3. REFERENCES ........................................................................................................................ 8

3.1. Project description ........................................................................................................ 8


3.2. Reliability methodology................................................................................................. 8
3.3. Reliability data .............................................................................................................. 8
3.4. Common cause failure analysis.................................................................................... 8

4. BASIS FOR THE STUDY ........................................................................................................ 9

4.1. Description of the HIPPS.............................................................................................. 9


4.1.1. Dedicated HIPPS equipment for each top riser.............................................. 9
4.1.2. Common HIPPS equipment to all top risers ................................................... 9
4.2. HIPPS and existing protection layers ........................................................................... 9
4.3. Main assumptions......................................................................................................... 9

5. ACHIEVEMENT OF THE STUDY.......................................................................................... 12

5.1. Description of the methodology .................................................................................. 12


5.2. Description of the study .............................................................................................. 12

6. FAILURE ANALYSIS ............................................................................................................ 15

6.1. Failure modes of interest ............................................................................................ 15


6.2. Failure Mode and Effects Analysis ............................................................................. 15

7. RELIABILITY MODELLING .................................................................................................. 18

7.1. Fault tree modelling .................................................................................................... 18


7.2. Common cause failure analysis (HIPPS equipment only) .......................................... 18
7.2.1. Zone analysis ............................................................................................... 18
7.2.2. Logic solver .................................................................................................. 18
7.2.3. Sensors ........................................................................................................ 18
7.2.4. Valves........................................................................................................... 19
7.2.5. Utilities .......................................................................................................... 19
7.2.6. Human error during maintenance and tests ................................................. 19
7.2.7. External hazards........................................................................................... 20
7.2.8. IEC 61508-6 tables....................................................................................... 20

8. RELIABILITY AND OPERATIONAL DATA .......................................................................... 25



8.1. Proof tests .................................................................................................................. 25


8.1.1. Test on HIPPS items .................................................................................... 25
8.1.2. Tests on items connected to PSS ................................................................ 25
8.1.3. Assumptions on the tests ............................................................................. 25
8.2. Common cause factors............................................................................................... 26
8.2.1. Items............................................................................................................. 26
8.2.2. Logic units .................................................................................................... 26
8.2.3. Tests............................................................................................................. 26
8.3. Reliability characteristics ............................................................................................ 27

9. RESULTS AND CONCLUSION ............................................................................................ 30

9.1. Results........................................................................................................................ 30
9.1.1. HIPPS reliability excluding PSS protection layer.......................................... 30
9.1.2. HIPPS reliability including PSS protection layer........................................... 30
9.1.3. Protection against critical scenarios 9 and 10 ............................................... 31
9.1.4. Protection against critical scenarios 12 and 13 ............................................. 31
9.1.5. Protection against critical scenario 17 ......................................................... 31
9.2. Conclusion.................................................................................................................. 31

10. APPENDICES........................................................................................................................ 34

10.1. Definitions, acronyms and abbreviations.................................................................... 34


10.1.1. Definitions..................................................................................................... 34
10.1.2. Acronyms and abbreviations ........................................................................ 34
10.2. Fault tree methodology............................................................................................... 35
10.2.1. Method presentation..................................................................................... 35
10.2.2. ARALIA-SIMTREE software package .......................................................... 37
10.2.3. ARALIA-SIMTREE symbolism...................................................................... 38
10.2.4. Example........................................................................................................ 40
10.3. Reliability data selection ............................................................................................. 41
10.3.1. Origin of the reliability data ........................................................................... 41
10.3.2. Terminology.................................................................................................. 42
10.3.3. Equipment failure rate .................................................................................. 44
10.4. Common cause failure analysis.................................................................................. 47
10.4.1. Definition and modelling ............................................................................... 47
10.4.2. The IEC 61508-6 approach .......................................................................... 47
10.4.3. Common cause failure analysis for PSHH ................................................... 49

1. INTRODUCTION

From the overpressure analysis report [6], a HIPPS function is to be achieved at
the flowline arrival on topsides. Event trees show that ten scenarios may be critical:
- Category 4 events:
  - Scenario 17B: Depacking of 8 flowlines from a pressure slightly below
    109 barg through large chokes and ignition of the gas cloud.
  - Scenario 13B: Simultaneous opening of 2 ESDVs of 2 flowlines from ESD1
    shut-down, small and large chokes fully open and ignition of the gas
    cloud (pressure greater than 160 barg).
  - Scenario 12B: Simultaneous opening of 2 ESDVs of 2 flowlines from ESD1
    shut-down, small and large chokes fully open and ignition of the gas
    cloud (pressure smaller than 160 barg).
- Category 3 events:
  - Scenario 17A: Depacking of 8 flowlines from a pressure slightly below
    109 barg through large chokes and no ignition of the gas cloud.
  - Scenario 13A: Simultaneous opening of 2 ESDVs of 2 flowlines from ESD1
    shut-down, small and large chokes fully open and no ignition of the gas
    cloud.
  - Scenario 12A: Simultaneous opening of 2 ESDVs of 2 flowlines from ESD1
    shut-down, small and large chokes fully open and no ignition of the gas
    cloud (pressure smaller than 160 barg).
  - Scenario 10B: Opening of 1 ESDV of 1 flowline from ESD1 shut-down, small
    and large chokes fully open and ignition of the gas cloud (pressure
    greater than 160 barg).
  - Scenario 9B: Opening of 1 ESDV of 1 flowline from ESD1 shut-down, small
    and large chokes fully open and ignition of the gas cloud (pressure
    smaller than 160 barg).
- Category 2 events:
  - Scenario 10A: Opening of 1 ESDV of 1 flowline from ESD1 shut-down, small
    and large chokes fully open and no ignition of the gas cloud (pressure
    greater than 160 barg).
  - Scenario 9A: Opening of 1 ESDV of 1 flowline from ESD1 shut-down, small
    and large chokes fully open and no ignition of the gas cloud (pressure
    smaller than 160 barg).

The aim of the Reliability study is to calculate the reliability level of the Safety
Instrumented System consisting of the existing PSS system and the HIPPS, for
these scenarios. A SIL requirement is also calculated for the HIPPS.

The HIPPS arrangement considered in this study is based on a minimized
number of on/off valves.

2. CONCLUSIONS

Taking into account the frequency of the initiating events, the maximum yearly
frequency of each of the ten scenarios above was calculated. These values are
plotted on the annual frequency / consequence diagram below.

[Annual frequency / consequence diagram (not reproduced). Vertical axis,
Consequence Severity: Catastrophic (4), Major (3), Significant (2), Minor (1).
Horizontal axis, Annual Frequency: 10^-5 to 10^-4, 10^-4 to 10^-3,
10^-3 to 10^-2, 10^-2 to 10^-1. Risk areas shown: Intolerable Risk,
Target For Improvement, Tolerable Risk.]

All scenarios are outside of the diagram range. The corresponding unrevealed
unavailability of the HIPPS system is as follows:

• The maximum unrevealed unavailability of 1 HIPPS is 2.2 x 10^-3.
• The maximum unrevealed unavailability of 2 HIPPS is 3.9 x 10^-3.
• The maximum unrevealed unavailability of 8 HIPPS is 1.4 x 10^-2.

The selected design for the riser top HIPPS brings the annual frequency of the
blow-by scenario within the Tolerable risk area. Therefore the “base case” HIPPS
design is acceptable. This confirms the assessment of the analysis of
overpressure risk [6].

It is important to note that these results are associated with the testing
philosophy proposed below. Indeed, testing in a staggered configuration reduces
the probability of occurrence of scenario 12B from the borderline of the “target
for improvement” area (1 x 10^-5) to the “tolerable risk” area (5.9 x 10^-6).

For the other scenarios, the staggered configuration was not necessary since they
were all in the “tolerable risk” area.

Test on HIPPS items

The following testing requirement is assumed in this study for each item:
• PSHHs and pilot valves: full testing every 3 months for HIPPS and PSS.
• SDVs:
  - Partial stroking every three months.
  - Full closure every year.
  - Staggered full testing between flowlines.

Each HIPPS flowline shall be fully tested at a 12-month interval; during that
test the full closure of all valves will be performed. Within this period,
partial stroking shall be performed at a three-month interval. The HIPPS
flowlines shall not all be tested simultaneously: there will be a 1.5-month
interval between the full tests of successive HIPPS flowlines. It is mandatory
to stick to this 1.5-month interval.

HIPPS logic solver SIL

The above mentioned conclusion is based on the assumption that the HIPPS
logic solver is SIL 3.

HIPPS SIL

The HIPPS consists of 8 independent HIPPS with a common logic solver.

The unrevealed unavailability (peak value, corresponding to PFD x 2) of the
HIPPS of 1 flowline is 2.2 x 10^-3. This value lies at the SIL 2 / SIL 3
boundary. Therefore SIL 3 is required.

The unrevealed unavailability (peak value, corresponding to PFD x 2) of the
HIPPS of all flowlines is 1.4 x 10^-2. This value lies at the SIL 1 / SIL 2
boundary. Therefore SIL 2 is required.

These values will be specified in the HIPPS specification [7].
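The following Python example is added here and is not part of the study (whose figures come from the ARALIA/SIMTREE fault-tree quantification); it illustrates the three points of this section: that the peak unrevealed unavailability of a periodically tested item is about twice its PFDavg, that staggering the yearly full-closure tests of the 8 flowlines by 1.5 months lowers the peak probability that at least one HIPPS is unavailable, and the IEC 61508 low-demand SIL band corresponding to a PFDavg. It assumes a constant failure rate, a perfect proof test, negligible repair time and no common cause between flowlines, and uses the SDV failure-to-close rate of Table 1 as the representative item.

```python
"""Unrevealed unavailability of proof-tested items: peak vs. PFDavg,
staggered vs. simultaneous testing of 8 flowlines, and the IEC 61508
low-demand SIL band of a PFDavg.

Added illustration, not the study's own model: constant failure rate,
perfect proof test, repair time neglected, no common cause between
flowlines. The SDV failure-to-close rate of Table 1 (7.16e-6 /h, full
closure test every 12 months) is used as the representative item."""
import math

MONTH = 730.0                       # hours per month (rounded, my choice)
T_FULL = 12 * MONTH                 # yearly full closure test (8760 h)
LAM_SDV = 7.16e-6                   # SDV failure to close, per hour (Table 1)
# Test schedules of the 8 flowlines: all on the same day, or 1.5 months apart
SIMULTANEOUS_OFFSETS = [0.0] * 8
STAGGERED_OFFSETS = [k * 1.5 * MONTH for k in range(8)]


def unavailability_at(t, lam, T, offset=0.0):
    """q(t) = 1 - exp(-lam * age) for one item, age being the time elapsed
    since its last proof test; tests take place at offset + k * T."""
    age = (t - offset) % T
    return 1.0 - math.exp(-lam * age)


def system_profile(lam, T, offsets, steps=None):
    """Probability that at least one of the items (one per offset) is in an
    unrevealed failed state, evaluated on an hourly grid over one test
    period [0, T). Returns (peak, average): the peak value and the PFDavg."""
    steps = steps or int(T)
    peak = 0.0
    total = 0.0
    for i in range(steps):
        t = T * i / steps
        all_ok = 1.0
        for offset in offsets:
            all_ok *= 1.0 - unavailability_at(t, lam, T, offset)
        q = 1.0 - all_ok
        peak = max(peak, q)
        total += q
    return peak, total / steps


def sil_band(pfd_avg):
    """IEC 61508-1 Table 2, low demand mode: SIL 4 for 1e-5 <= PFDavg < 1e-4
    down to SIL 1 for 1e-2 <= PFDavg < 1e-1; 0 when outside these bands."""
    bands = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))
    for sil, low, high in bands:
        if low <= pfd_avg < high:
            return sil
    return 0


if __name__ == "__main__":
    peak1, avg1 = system_profile(LAM_SDV, T_FULL, [0.0])
    print(f"1 SDV: peak {peak1:.3e}, PFDavg {avg1:.3e}, ratio {peak1 / avg1:.2f}")
    peak_sim, avg_sim = system_profile(LAM_SDV, T_FULL, SIMULTANEOUS_OFFSETS)
    peak_stg, avg_stg = system_profile(LAM_SDV, T_FULL, STAGGERED_OFFSETS)
    print(f"8 SDVs, simultaneous tests: peak {peak_sim:.3e}, avg {avg_sim:.3e}")
    print(f"8 SDVs, staggered tests:    peak {peak_stg:.3e}, avg {avg_stg:.3e}")
    # The study's peak values halved to recover the PFDavg (peak = PFD x 2)
    for label, peak in (("1 HIPPS", 2.2e-3), ("8 HIPPS", 1.4e-2)):
        print(f"{label}: peak {peak:.1e} -> PFDavg {peak / 2:.1e} -> SIL {sil_band(peak / 2)} band")
```

Staggering does not change the average much; it reduces the peak because the 8 items no longer reach the end of their test interval at the same time.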



3. REFERENCES

3.1. Project description


[1] Process system description, NG50 5 BE PRO PH AB 000 105
[2] ESD general logic diagrams, NG50 5 BE PRO DW AB 000 060,
    NG50 5 BE PRO DW AB 000 061, NG50 5 BE PRO DW AB 000 062
[3] Process Safety Diagrams, NG 50 5 BE PRO DW AB 000 050,
    NG 50 5 BE PRO DW AB 000 051, NG 50 5 BE PRO DW AB 000 052
[4] HAZID report, NG 50 6 BE SAF TR AB 000 003
[5] Production riser HIPPS assessment report, NG 50 5 BE PRO TR AB 000 012
[6] Analysis of overpressure risk, NG 50 5 BE INS TR AB 000 101
[7] HIPPS Specification, NG 50 5 BE INS PS AB 000 103
[8] PID. Production and test manifolds for P10 wells,
    NG 50 BE PRO DW AB 300 001

3.2. Reliability methodology

[9] Functional safety of electrical / electronic / programmable electronic
    safety-related systems, IEC 61508 (1st edition, 1998).
[10] Functional safety. Safety instrumented systems for the process industry
    sector, IEC 61511 (1st edition, 2003).

3.3. Reliability data


[11] OREDA 2002
Offshore reliability data (4th edition. 2002).
Published by the OREDA participants
[12] OREDA 1997
Offshore reliability data (3rd edition. 1997).
Published by the OREDA participants
[13] OREDA-1992
Offshore reliability data handbook
Published by the OREDA participants (2nd edition. 1992).
[14] NPRD-95.
Non Electronic Reliability Data handbook (RAC. 1995).

3.4. Common cause failure analysis


[15] IEC 61508 (Draft 1998)
Functional safety of electrical/electronic/programmable electronic safety-related
systems
Part 6: guidelines on the application of parts 2 and 3

4. BASIS FOR THE STUDY

4.1. Description of the HIPPS

4.1.1. Dedicated HIPPS equipment for each top riser

As shown on Figure 1, there are 2 single PSHH located downstream of the choke
valves:
• PSHH11a sends a signal to close SDV1 and SDV2.
• PSHH11b sends a signal to close SDV1 and SDV2.

SDV1 and SDV2 are provided with two solenoid valves:
• 1 connected to the PSS.
• 1 connected to the HIPPS.
The two solenoid valves are connected in parallel from a reliability point of view.

Each top riser is equipped with its own set of PSHHs and SDVs.

4.1.2. Common HIPPS equipment to all top risers

There is a single logic solver common to the 8 risers.

4.2. HIPPS and existing protection layers

As shown on Figure 2, PSHH1, located downstream of the HIPPS PSHHs, issues a
signal to close SDV1 and SDV2.

4.3. Main assumptions

• Failure rates are constant, i.e. the valves and the sensors are no longer in
their infant mortality period and have not yet entered their wear-out period.

• All items are maintained and operated according to the international oil and
gas industry standards. Should these practices not be complied with, the
reliability calculations would be based on non-applicable failure rates and
the results given would be of no value.

[Figure 1 - HIPPS EQUIPMENT (schematic not reproduced). Elements shown: LOGIC
SOLVER; small choke valve and large choke valve; PSHH 11a (2oo3) and PSHH 11b
(2oo3) downstream of the choke valves; SDV 1 and SDV 2; flow from wells to the
separators.]

Figure 1

[Figure 2 - HIPPS AND EXISTING PROTECTION LAYERS (schematic not reproduced).
Elements shown: all flowlines connected to the separator; the associated
flowline with small choke valve and large choke valve; PSHH 11ax and PSHH 11bx
(HIPPS) and PSHH 1x (PSS); SDV 1x, SDV 1x's, SDV 2x, SDV 4 A or B, SDV 4,
SDV 8x; HIPS + PSV 1; PV 1; ESDVx; PSHH 2x pss and PSHH 3x pss; production
manifold, production separator, HP flare and HP compressors; "Up to 8 off".
Set pressures indicated on the figure: 85, 88, 90, 93, 109 and 136 barg.
Barriers: PRIMARY BARRIER (PSS), SECONDARY BARRIER (HIPS).
Legend: "x" single flowline involved; "'s" safety valve with pressurisation
2" valve.]

Figure 2 - HIPPS AND EXISTING PROTECTION LAYERS



5. ACHIEVEMENT OF THE STUDY

5.1. Description of the methodology

The methodology for conducting a reliability study is shown on Figure 3. It is a
five-step approach:

• Step 1: obtain a detailed understanding of the modes of operation of the
protection system and identify its dangerous failure modes.

• Step 2: build the mathematical reliability model, using the results of the
common cause failure analysis.

• Step 3: select the reliability data and the common cause failure parameters.

• Step 4: calculate the reliability using a specific software package.

• Step 5: provide the results of the calculations, together with conclusions
and recommendations based on these results.

5.2. Description of the study

STEP 1 – SYSTEM AND FAILURE ANALYSIS

The study was initiated with the collection of information.

Starting from the engineering documentation (i.e. PIDs), a thorough analysis of
the protection system was carried out.

Then, a Failure Mode and Effects Analysis was carried out for each item making
up the system.

STEP 2 – RELIABILITY MODELLING

The reliability of the system was modelled with a fault tree. The unwanted event
is considered as the top event of the fault tree. Then the tree is built by a top-
down process.

A common cause failure analysis is performed for each set of redundant items.
Common cause failures are shown on the fault trees.

Fault trees were drafted using the ARALIA / SIMTREE software package (see
description in § 10.2).

STEP 3 – RELIABILITY AND OPERATIONAL DATA SELECTION

Reliability data (see § 10.3) were extracted from openly available reliability
data sources for each item whose failure is shown on the fault tree.

Operational data (e.g. test frequencies and test policy) were provided by TOTAL.

Common cause failures were quantified using the β-model as presented by IEC
61508.

STEP 4 – QUANTITATIVE ANALYSIS

Fault trees were quantified using the ARALIA / SIMTREE software package,
according to the characteristics of the test policies.

STEP 5 – SYNTHESIS

Results of the calculations are given for each fault tree. The reliability of the
HIPPS is provided together with the main contributors to the unreliability.

[Figure 3 (flow chart not reproduced); its content:

STEP 1 - SYSTEM AND FAILURE ANALYSIS
  Functional description
  F.M.E.A.
STEP 2 - RELIABILITY MODELLING
  System reliability modelling: ARALIA/SIMTREE (fault tree analysis)
  Common cause failure analysis: IEC 61508
STEP 3 - RELIABILITY AND OPERATIONAL DATA SELECTION
  Reliability data selection: OREDA mainly
  Common cause failures quantification: IEC 61508
STEP 4 - QUANTITATIVE ANALYSIS
  Reliability calculations: ARALIA/SIMTREE
STEP 5 - SYNTHESIS
  Results, conclusions and recommendations]

Figure 3 - STEPS IN THE RELIABILITY METHODOLOGY



6. FAILURE ANALYSIS

6.1. Failure modes of interest

According to references [9] and [10], failures are to be classified as:

• Detected failures or undetected failures.
• Dangerous failures or safe failures.

As accurate information is not yet available on the logic solver, such a
classification was not implemented. The OREDA classification was used instead,
without trying to split the relevant failure modes into safe/unsafe or
detected/undetected failures. Accordingly, a standard value was used for the
failure mode coverage of the partial stroking.
A detailed FMEA should be performed at DETAILED ENGINEERING level when more
information becomes available.

A specific FMEA worksheet was then designed in order to:

• Identify the relevant failure modes of each item from a standard list of
failure modes (column "Failure mode").
• Show the proof test coverage for each failure mode (column "Failure
detection").

6.2. Failure Mode and Effects Analysis

FMEA worksheets are given in next pages.



FAILURE MODE AND EFFECTS ANALYSIS

Item | Function | Failure mode | Failure detection: Method | Coverage (%) | Remarks
PSHH | To provide signal to LOGIC SOLVER upon High High pressure | Spurious signal | Self revealed | 100 |
" | " | No signal upon High High pressure | Proof test | 100 |
Cable from PSHH to Logic solver | To transmit analog signal from PSHH to analog input card of logic solver | Cut | Self revealed | 100 | Voltage falls below 4 mV
" | " | Earthing | Autodiagnostic | 100 |
Analog input card on the Logic solver | To process the signal from the sensor | Spurious signal | Self revealed | 100 |
" | " | No signal to “Central Unit” upon sensor signal | Autodiagnostic | 100 |
“Central Unit” of the Logic solver | To process the signal from the input cards and to issue an order to output cards | No data processing | NONE | / |
Digital output card on the Logic solver | To shutdown the electric power to the SOV | Spurious signal | Self revealed | 100 |
" | " | No signal to SOV | Autodiagnostic | 100 |

FAILURE MODE AND EFFECTS ANALYSIS (continued)

Item | Function | Failure mode | Failure detection: Method | Coverage (%) | Remarks
Cable from Logic solver to valve | To transmit signal from output card of Logic solver to valve | Cut | Self revealed | 100 |
" | " | Earthing | Autodiagnostic | 100 |
SOV | To move upon loss of electric power | Spurious movement | Self revealed | 100 |
" | " | Fail to move on demand | Proof test | 100 |
Shut-down Valve | To close upon trip of SOV | Spurious closure | Self revealed | 100 | Spring activated
" | " | Blocked open | Partial stroking | 75 |
" | " | Blocked open | Proof test | 100 |
Electric power supply | To provide power to Logic Solver | No power | Self revealed | 100 | Close SDVs
Pneumatic power supply | To provide power to shut-down valves | No power | Self revealed | 100 | Spring return valves

7. RELIABILITY MODELLING

7.1. Fault tree modelling

Symbols used on the fault trees are explained in § 10.2.3.

Fault tree “Failure of 1 HIPPS” is shown on Figure 4.

Fault tree “Failure of 1 HIPPS and protection layer” is shown on Figure 5.

Fault tree “No closure of SDV2” is shown on Figure 6.

Fault trees “PSHH11a failure to detect” and “PSHH11b failure to detect” are
shown on Figure 7.

7.2. Common cause failure analysis (HIPPS equipment only)

7.2.1. Zone analysis

All outdoor equipment of one HIPPS is located within the same area (riser top
and manifold area).

7.2.2. Logic solver

The logic solver common to the 8 HIPPS shall be installed in a dedicated HIPPS
cabinet located inside one of the FPSO Instrument Technical rooms on Topsides.

7.2.3. Sensors

Command circuitry from sensors

PSHH shall be directly connected to the logic solver without any junction box or
marshalling rack.
Input loops are of fail-safe design.

Diversity

The three pressure transmitters of each set of 3 PSHH will be from different
vendors and models.

7.2.4. Valves

Command circuitry to SOV

Output loops are of fail-safe design.

SDVs

They are of the spring return type.

7.2.5. Utilities

Electric power

The power supply shall be through 24 V DC UPS and distribution panel with two
separate feeders.

Pneumatic power

It is provided by the instrument air of the FPSO, without additional requirement.

HVAC

HVAC is provided by the HVAC of the FPSO, without additional requirement.

7.2.6. Human error during maintenance and tests

The logic solver shall be a hardwired logic solver, minimizing the risk of human
intervention.

Possibilities of human error should be reviewed during Detailed Engineering,
when detailed procedures and control panel design are available.

7.2.7. External hazards

Fluid

- The characteristics of the fluid are such that valve partial stroking is
unlikely to be the cause of a valve failure to fully close.
- Each PSHH has its own tapping, minimizing the risk of the 3 PSHH being
isolated from the fluid by a plug.

Man made hazards

A HAZID (8.1.1.d.) was carried out: no specific hazard was identified within
manifold area and for technical rooms.

Environment

HIPPS indoor equipment shall be designed for outdoor temperature and relative
humidity corresponding to HVAC failure.

HIPPS outdoor equipment shall be designed for withstanding outdoor conditions.

7.2.8. IEC 61508-6 tables

Results of above analyses and additional information are provided in § 10.4.3.



[Figure 4 - Fault tree "Failure of 1 HIPPS" (diagram not reproduced; gates and
events as labelled on the tree):

G1 Failure of 1 HIPPS
  - Logic Solver: Logic solver failure
  - G2 No detection
      - ccf_2PSHH: Common cause failure on 2 sets of PSHH
      - G3 Failures on 2 sets of PSHH
          - {7} PSHH11a failure to detect (transfer, see Figure 7)
          - {8} PSHH11b failure to detect (transfer, see Figure 7)
  - G5 No isolation
      - G4 Random failure on SDV1 and SDV2 fail to move
          - G9 SDV1 failure to move: PV_HIPPS_SDV1 (PV HIPPS SDV1 failure to
            move), SDV1FtoM (SDV1 failure to move)
          - G10 SDV2 failure to move: PV_HIPPS_SDV2 (PV HIPPS SDV2 failure to
            move), SDV2FtoM (SDV2 failure to move)
      - ccf_2valvesFtoM: Common cause failure on 2 SDV fail to move
      - ccf_2valvesFtoFC: Common cause failure on 2 SDV fail to fully close
      - G8 Random failure on SDV1 and SDV2 fail to fully close
          - SDV1FtoFC: SDV1 failure to fully close
          - SDV2FtoFC: SDV2 failure to fully close]

Figure 4

[Figure 5 - Fault tree "Failure of 1 HIPPS and protection layer" (diagram not
reproduced; gates and events as labelled on the tree):

G12 Failure of 1 HIPPS and protection layer
  - G13 Random failures on SDVs fail to fully close
      - G16 No closure of SDV1
          - G15 No order to close to SDV1
              - ccf_3PSHH: Common cause failure on 3 sets of PSHH
              - CCFcontrolunits: CCF on logic solver and PSS/ESD logics
              - G17 No signal to SDV1
                  - G18 No signal from PSHH11a: {7} PSHH11a failure to
                    detect, Logic Solver failure, PV_HIPPS_SDV1 (PV HIPPS
                    SDV1 failure to move)
                  - G19 No signal from PSHH11b: {8} PSHH11b failure to
                    detect, Logic Solver failure, PV_HIPPS_SDV1
                  - G20 No signal from PSHH1: PSHH1 failure to detect,
                    PSS failure
          - G14 SDV1 fail to close
              - CCF-3PV: Common cause failure on 3 pilot valves
              - SDV1FtoM: SDV1 failure to move
              - SDV1FtoFC: SDV1 failure to fully close
      - {2} No closure of SDV2 (transfer, see Figure 6)
  - ccf_2valvesFtoFC: Common cause failure on 2 SDV fail to fully close
  - ccf_2valvesFtoM: Common cause failure on 2 SDV fail to move]

Figure 5

[Figure 6 - Fault tree "No closure of SDV2", transfer {2} (diagram not
reproduced; gates and events as labelled on the tree):

G23 No closure of SDV2
  - G22 No order to close (labelled "to SDV1" on the tree)
      - ccf_3PSHH: Common cause failure on 3 sets of PSHH
      - CCFcontrolunits: CCF on logic solver and PSS/ESD logics
      - G24 No signal (labelled "No signal to SDV1" on the tree)
          - G25 No signal from PSHH11a: {7} PSHH11a failure to detect,
            Logic Solver failure, PV_HIPPS_SDV2 (PV HIPPS SDV2 failure to move)
          - G26 No signal from PSHH11b: {8} PSHH11b failure to detect,
            Logic Solver failure, PV_HIPPS_SDV2
          - G27 No signal from PSHH1: PSHH1 failure to detect, PSS failure
  - G21 SDV2 fail to close
      - CCF-3PV: Common cause failure on 3 pilot valves
      - SDV2FtoFC: SDV2 failure to fully close
      - SDV2FtoM: SDV2 failure to move]

Figure 6

[Figure 7 - Fault trees "PSHH11a failure to detect", transfer {7}, and
"PSHH11b failure to detect", transfer {8} (diagrams not reproduced; gates and
events as labelled on the trees):

G62 PSHH11a failure to detect
  - G63 Random failures of PSHH11a (2/3 voting): PSHH11a1, PSHH11a2, PSHH11a3
    (random failure of each transmitter)
  - ccf_PSHH11a: CCF on PSHH11a

G64 PSHH11b failure to detect
  - G65 Random failures of PSHH11b (2/3 voting): PSHH11b1, PSHH11b2, PSHH11b3
    (random failure of each transmitter)
  - ccf_PSHH11b: CCF on PSHH11b]

Figure 7

8. RELIABILITY AND OPERATIONAL DATA

8.1. Proof tests

8.1.1. Test on HIPPS items

The following tests are performed for each HIPPS:

• PSHHs and pilot valves: full testing every 3 months for HIPPS and PSS.
• SDVs:
  - Partial stroking every three months.
  - Full closure every year.
The SOV connected to the Logic solver is tested every 3 months.

8.1.2. Tests on items connected to PSS

The following tests are performed:

• PSHHs and pilot valves: full testing every 3 months.
• SDVs: see above.

8.1.3. Assumptions on the tests

It is assumed that the tests cannot cause any item failure.

PSHH testing

It is assumed that:
• The logic solver cannot detect all failures of the PSHHs; specific tests are
to be performed.
• Each PSHH is unavailable during its test, the duration of the test being 1 hr.
• If a single PSHH is found failed, the repair is performed within 4 hr. The
riser is not shut down.
• Should 2 PSHHs of 1 group of 3 be found failed on testing, the riser will be
shut down until the failed sensors are repaired.
• During its testing, each PSHH is isolated from the flowline. The probability
of forgetting to re-open the manual isolating valve is 10^-3 (operator error).

Valves testing

It is assumed that:
• Each SDV is unavailable during its test, the duration of the test being 1 hr.
• Should any valve fail to close upon testing, the riser will be shut down as
long as the failed valve is not repaired.
• The test coverage for the partial stroking is 75 %.
• During its testing, each pilot valve added to an existing SDV is isolated
from the SDV. The probability of forgetting to re-connect it is 10^-3
(operator error).
Logic solver

It is assumed that:
• Autodiagnostic tests are performed on a regular basis. These tests have no
impact on the availability of the logic solver.
• Should the logic solver be detected as failed, all the riser tops will be
shutdown until it is repaired.

Human factor

It is assumed that:
• The testing / repair team is trained to report the failures that have occurred
in an efficient way.
• Safety management is aware of the meaning of the test reports, and makes
the decision (i.e. to initiate the test on another well so as to detect common
cause failures) without delay.

8.2. Common cause factors

8.2.1. Items

The common cause failure analysis provided the following data:

β = 10 % for PSHHs (2oo3 redundancy).

It is also assumed that:

β = 10 % for SDVs (2oo2 redundancy).

8.2.2. Logic units

As no detailed information is available on the logic units, it is considered that:

β = 5 % for Logic solver and Control unit of PSS.

8.2.3. Tests

It is considered that tests reveal common cause failures on:
- SDVs: every 3 months for partial stroking, every year for full closure.
- PSHHs: every 3 months.
8.3. Reliability characteristics

Table 1 provides the values of the failure rates used for the fault tree
quantification. The origin of the failure rates is given in § 8.4.

Table 2 provides the reliability characteristics of the items considered in the
calculations.
ITEM | Failure mode | λ (10^-6 hr^-1)
PSHH | Failure to issue signal | 0.80
SDV | Failure to close | 7.16
Pilot valve | Failure to move | 0.37
Logic solver | Total failure | γ = 5 x 10^-4
PSS | Total failure | γ = 5 x 10^-3

(γ is a probability to fail upon demand, see § 10.3.3.)

RELIABILITY DATA SELECTED

Table 1
Item | Repair time (hr) | Test duration (hr) | Failure rate available during test | Configuration error probability
PSHH | 4 | 1 | NO | 10^-3
SDV | N.A. | 1 | NO | 0
HIPPS pilot valve | 1 | 1 | NO | 10^-3
Logic solver | N.A. | 0 | YES | 0

ITEM RELIABILITY CHARACTERISTICS

Table 2
9. RESULTS AND CONCLUSION

9.1. Results

9.1.1. HIPPS reliability excluding PSS protection layer

The maximum unrevealed unavailability is 3.7 x 10^-3, as shown in the graph below.

[Graph: unrevealed unavailability Pr[SSommet] of the HIPPS top event versus time
in hours (0 to 10 000 hr); the vertical axis is graduated from 0 to 3.5 x 10^-3.]

9.1.2. HIPPS reliability including PSS protection layer

The maximum unrevealed unavailability is 3.4 x 10^-3, as shown in the graph below.

[Graph: unrevealed unavailability Pr[SSommet] of the HIPPS top event including the
PSS layer versus time in hours (0 to 10 000 hr); the vertical axis is graduated
from 0 to 3.5 x 10^-3.]
9.1.3. Protection against critical scenarios 9 and 10

One HIPPS (and the existing protection layer) is to be activated for scenarios 9 and 10.
The maximum unrevealed unavailability is 3.4 x 10^-3.

9.1.4. Protection against critical scenarios 12 and 13

It is considered (conservative assumption) that 2 HIPPS (and the existing protection
layer) are to be activated for scenarios 12 and 13.

The maximum unrevealed unavailability of 2 HIPPS and protection layers is
6.8 x 10^-3.

9.1.5. Protection against critical scenario 17

It is considered (conservative assumption) that the 8 HIPPS (and the existing
protection layer) are to be activated for scenario 17.

The maximum unrevealed unavailability of 8 HIPPS and protection layers is
2.7 x 10^-2.

9.2. Conclusion

The results are shown in Table 1.

All the scenarios are within the tolerable risk area, with the exception of
scenario 12B, which is on the borderline (1 x 10^-5).

To improve the HIPPS efficiency for scenario 12B, it is required to perform
the HIPPS full test of each flowline in a staggered sequence.

Calculations with this new assumption give:

• an annual frequency of 5.9 x 10^-6 for case 12B,
• a maximum unrevealed unavailability of 2.2 x 10^-3 for the HIPPS of one
flowline (2.0 x 10^-3 for the HIPPS and protection layers),
• a maximum unrevealed unavailability of 3.9 x 10^-3 for the HIPPS of two
flowlines,
• a maximum unrevealed unavailability of 1.4 x 10^-2 for the HIPPS of 8 flowlines.

These HIPPS unrevealed unavailabilities result from the following testing
procedure:
Each HIPPS flowline shall be fully tested at a 12-month interval. During that test the
full closure of all valves will be performed. During this period, partial stroking at
a three-month interval shall be performed. The HIPPS flowlines shall not all be
tested simultaneously: there will be a 1.5-month interval between successive
HIPPS flowline full tests. It is mandatory to stick to this 1.5-month interval.
Scenario n° | Description | Pressure upstream of the valve / choke(s) | Consequence level (GS EXP 401) | Probability of occurrence of the initiating event | HIPPS + PSS maximum unrevealed unavailability | Annual frequency of the scenario
9A | Opening of 1 ESDV of one flowline from ESD1 shut down – Small & large chokes full open | < 160 barg | 2 | 3.5 x 10^-3 | 3.4 x 10^-3 | 1.2 x 10^-5
9B | Opening of 1 ESDV of one flowline from ESD1 shut down – Small & large chokes full open | < 160 barg | 3 (ignition) | 1.5 x 10^-3 | 3.4 x 10^-3 | 5.1 x 10^-6
10A | Opening of 1 ESDV of one flowline from ESD1 shut down – Small & large chokes full open | > 160 barg | 2 | 2.5 x 10^-4 | 3.4 x 10^-3 | 8.5 x 10^-7
10B | Opening of 1 ESDV of one flowline from ESD1 shut down – Small & large chokes full open | > 160 barg | 3 (ignition) | 1.2 x 10^-4 | 3.4 x 10^-3 | 4.1 x 10^-7
12A | Simultaneous opening of 2 ESDV of 2 flowlines from ESD1 shut down – Small & large chokes full open | < 160 barg | 3 | 3.5 x 10^-3 | 6.8 x 10^-3 | 2.4 x 10^-5
12B | Simultaneous opening of 2 ESDV of 2 flowlines from ESD1 shut down – Small & large chokes full open | < 160 barg | 4 (ignition) | 1.5 x 10^-3 | 6.8 x 10^-3 | 1.0 x 10^-5
13A | Simultaneous opening of 2 ESDV of 2 flowlines from ESD1 shut down – Small & large chokes full open | > 160 barg | 3 | 2.5 x 10^-4 | 6.8 x 10^-3 | 1.7 x 10^-6
13B | Simultaneous opening of 2 ESDV of 2 flowlines from ESD1 shut down – Small & large chokes full open | > 160 barg | 4 (ignition) | 1.2 x 10^-4 | 6.8 x 10^-3 | 8.2 x 10^-7
17A | Depacking of 8 flowlines from pressure slightly below 109 barg through large chokes | < 109 barg | 3 | 3.5 x 10^-4 | 2.7 x 10^-2 | 9.5 x 10^-6
17B | Depacking of 8 flowlines from pressure slightly below 109 barg through large chokes | < 109 barg | 4 (ignition) | 1.5 x 10^-4 | 2.7 x 10^-2 | 4.1 x 10^-6

ANNUAL FREQUENCY OF THE SCENARIOS – HIPPS TESTING WITH NO STAGGERING CONFIGURATION

Table 1
10. APPENDICES

10.1. Definitions, acronyms and abbreviations

10.1.1. Definitions

The failure rate λ is the reciprocal of the MTTF.

The repair rate µ is the reciprocal of the MTTR.

The CCF factor β is the ratio of the CCF rate to the random failure rate.

10.1.2. Acronyms and abbreviations

CCF : Common Cause Failure
ESD : Emergency Shut-Down
FPSO : Floating Production and Storage Unit
HIPPS : High Integrity Pressure Protection System
MTTF : Mean Time To Failure
MTTR : Mean Time To Repair
NA : Not Applicable
OCWR : Overall Control of Wells and Risers
PSHH : Pressure Sensor High High
PSS : Process Safety System
SDV : Shut-Down Valve
SOV : Solenoid Valve

β : Common Cause Failure factor
λ : Failure rate (hr^-1)
µ : Repair rate (hr^-1)
10.2. Fault tree methodology

10.2.1. Method presentation

A. Method objective

Fault tree modelling has two objectives:

- To infer the possible combinations of events (or causes), which lead to the
occurrence of a unique event, considered as being undesired and being called
an "unwanted event".
- To illustrate these causes through a graphic and arborescent structure.

These causes are made up of a combination of events, from equipment failure to
human error or any internal or external event that is pertinent to the system.

A fault tree makes it possible to calculate the probability of occurrence of an
unwanted event.

B. Method description

Several stages are involved in the correct application of the fault tree method.

First stage: determination of the unwanted event

This is undoubtedly the most important stage because all the later analysis
depends on the right choice of this event. This choice is in fact made before the
real fault tree analysis. This determination of the unwanted event is not part of the
method itself.

Second stage: construction of the fault tree

The unwanted event becomes the event at the top of the tree, that is to say the
departure point of the deductive process. The causes of the top event are looked
for: when they are found, each of these events is considered as being an "effect"
for which the causes are in turn looked for.
The process is repeated until item failure level ("basic event") is reached. When
an intermediate event has several possible independent causes, they are linked
by an OR gate. When an intermediate event requires several causes to occur
together, they are linked by an AND gate.

The deductive process is followed through until the elementary events can be
characterised by the following criteria:
- They are independent from each other.
- Their probabilities of occurrence can be estimated (even if this estimation is
uncertain).
- The specialists involved do not feel the need (or do not have the means) to
divide them up into simpler combinations of events.
Third stage: qualitative analysis

This stage was not implemented for the study. As the fault tree is the graphical
representation of a logical equation, it can be analysed with Boole's algebra
rules. It is therefore possible to deduce the different combinations of elementary
events leading to the occurrence of the unwanted event. These combinations are
called "cut sets". Some of these cut sets are minimal. This means that all the
elementary events contained in the cut set are necessary and sufficient for the
unwanted event to occur. As all the non-minimal cut sets are included in the
minimal cut sets, knowledge of the latter is necessary and sufficient for all the
information contained in the fault tree to be translated.

The minimal cut sets are classified according to the number of elementary events
they contain:
- Order 1: single fault - unique fault.
- Order 2: double fault.
- Order 3: triple fault.
- Etc.

As single faults are generally more probable than doubles, and doubles more
probable than the triples, they can thus be classified qualitatively. While this
classification is not valid in every case (if the faults have very different
probabilities), it is enough to be simply aware of its limits. It is nevertheless
interesting where no numeric data is available.

Fourth stage: quantitative analysis

The quantitative analysis of a fault tree can be carried out at two levels (after
collection of reliability data):
- Minimal cut set level: each minimal cut set is quantified; they can therefore be
classified by order of decreasing probabilities. This classification is naturally
more specific than the one drawn up at the qualitative analysis stage.
- Unwanted event level: the calculation of the probability of the unwanted event
from elementary fault probabilities poses no theoretical problem. However, this
calculation rapidly becomes difficult due to the growth of the tree without a
calculation code and, even in this case, approximations are necessary.

C. Remarks

- Not all the system faults can be studied in the fault tree model. A fault tree
corresponds to an unwanted event defined elsewhere.
- A fault tree is only applicable for one phase of the system life cycle.
- The fault tree does not mean that all the causes of appearance of an event are
taken into account. There is no guarantee as to the exhaustiveness of the
study; only the most probable or foreseen faults are considered.
10.2.2. ARALIA-SIMTREE software package

SIMTREE is the tool for drafting the fault trees.

The ARALIA engine allows performing fast and exact calculations (without
approximation). This calculation engine is based on the encoding of fault trees
as Binary Decision Diagrams (BDD).

ARALIA is certified by DGAC (French official authority for Civil Aviation) for
the dependability studies of business aircraft (Falcon) made by Dassault Aviation
company. Dassault Aviation prescribes the use of Cecilia Aralia to every
subcontractor involved in the Falcon 7X program.

The ARALIA calculation code is certified by CEA/IPSN (French Institute for
Protection and Nuclear Safety), EDF and TECHNICATOME for the Probabilistic
Safety Assessments of the French REP 900 MW and REP 1300 MW nuclear power
plants.

Release number: ARALIA PACK 2.3

SUPPLIER:
GFI Consulting

TECHNICAL PAPERS

Polynomial approximations of boolean functions by means of positive binary
decision diagrams. Y. Dutuit and A. Rauzy. Proceedings of European Safety and
Reliability Association Conference, ESREL'98, pages 1467-1472. Balkema,
Rotterdam, 1998. ISBN 90 54 10 966 1.

Exact and Truncated Computations of Prime Implicants of Coherent and non-Coherent
Fault Trees within Aralia. Y. Dutuit and A. Rauzy. Reliability Engineering and
System Safety, 58:127-144, 1997.

Computation of Prime Implicants of a Fault Tree within Aralia. Proceedings of
European Safety and Reliability Association Conference, ESREL'95, pages 190-202,
Bournemouth - England, June 1995.

New Algorithms for Fault Trees Analysis. A. Rauzy. Reliability Engineering &
System Safety, 05(59):203-211, 1993.
10.2.3. ARALIA-SIMTREE symbolism

As fault trees are designed (then analysed) with the ARALIA/SIMTREE software
package, the symbolism used by ARALIA/SIMTREE is shown below:

"Engine breakdown" → Detailed description of the event
"GF16" → Event (or gate) reference used for calculation

See also Figure 10-1.


EVENTS | MEANING
BASIC EVENT (circle) | Basic event needing no further development
UNDEVELOPED EVENT (diamond) | Detailed qualitative analysis not carried out because of lack of information (but taken into account in the calculations)

LOGICAL GATES | MEANING
AND (output above, inputs below) | The output event occurs if all the input events occur.
OR (marked "+") | The output event occurs if one or several input events occur.

TRANSFER SYMBOL | MEANING
TRIANGLE | The event referenced above is written on another page (with the same reference)

ARALIA/SIMTREE SYMBOLISM

Figure 10-1
10.2.4. Example

Let us consider a circuit of water consisting of a valve and two 100% redundant
pumps:

[Diagram: water flows from the entrance to the exit through the valve V and
through the two pumps P1 and P2, which are mounted in parallel.]

The fault tree corresponding to the unwanted event "no water at exit", given that
there is water at the entrance, is shown below (no common cause failure):

[Fault tree, constructed from the top down: the top event "No water at exit" is
the output of an "OR" gate whose inputs are "Valve V blocked shut" and "Failure
of the 2 pumps"; "Failure of the 2 pumps" is the output of an "AND" gate whose
inputs are "Failure of pump P1" and "Failure of pump P2".]
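The example tree above, worked in code: this is an added Python illustration, not part of the study or of the ARALIA/SIMTREE package. It expands the gates of the water-circuit tree (and of a 2oo3 PSHH group with its CCF event, as drawn in Figure 7) into minimal cut sets, classifies them by order as in the qualitative stage of § 10.2.1, and compares the exact top-event probability with the sum of the minimal cut set probabilities. The gate syntax and the basic-event probabilities are constructed for the example.

```python
from itertools import combinations, product

# Gate syntax used here (an assumption of this example, not ARALIA's file format):
#   basic event            -> a string
#   ("OR", c1, c2, ...)    -> output occurs if any input occurs
#   ("AND", c1, c2, ...)   -> output occurs if all inputs occur
#   ("KOFN", k, c1, ...)   -> output occurs if at least k inputs occur (the "2/3" gate of Figure 7)

# Tree of § 10.2.4: "no water at exit" = valve blocked shut OR both redundant pumps failed.
NO_WATER_AT_EXIT = ("OR", "V_blocked_shut", ("AND", "P1_fails", "P2_fails"))

# One 2oo3 PSHH group with its common cause failure branch, as in Figure 7.
PSHH_GROUP = ("OR", "ccf_PSHH", ("KOFN", 2, "PSHH1", "PSHH2", "PSHH3"))

# Constructed basic-event probabilities for illustration (not values from the study).
WATER_PROBS = {"V_blocked_shut": 1e-3, "P1_fails": 1e-2, "P2_fails": 1e-2}


def _children(tree):
    return tree[2:] if tree[0] == "KOFN" else tree[1:]


def basic_events(tree):
    """Set of basic (elementary) events appearing in the tree."""
    if isinstance(tree, str):
        return {tree}
    return set().union(*(basic_events(c) for c in _children(tree)))


def cut_sets(tree):
    """All cut sets obtained by expanding the gates (not yet minimal)."""
    if isinstance(tree, str):
        return {frozenset([tree])}
    kind = tree[0]
    if kind == "OR":
        return set().union(*(cut_sets(c) for c in tree[1:]))
    if kind == "AND":
        result = {frozenset()}
        for c in tree[1:]:
            result = {a | b for a in result for b in cut_sets(c)}
        return result
    if kind == "KOFN":
        k, inputs = tree[1], tree[2:]
        # "at least k of n" is the OR of the ANDs of every k-subset of the inputs
        return set().union(*(cut_sets(("AND",) + combo) for combo in combinations(inputs, k)))
    raise ValueError(f"unknown gate {kind!r}")


def minimal_cut_sets(tree):
    """Keep only the cut sets that contain no other cut set (Boolean absorption rule)."""
    sets = cut_sets(tree)
    return {s for s in sets if not any(o < s for o in sets)}


def cut_set_orders(tree):
    """Group the minimal cut sets by order (single fault, double fault, ...)."""
    orders = {}
    for mcs in minimal_cut_sets(tree):
        orders.setdefault(len(mcs), []).append(sorted(mcs))
    return {order: sorted(sets) for order, sets in sorted(orders.items())}


def evaluate(tree, state):
    """Truth value of the top event for a given failed/not-failed state of each basic event."""
    if isinstance(tree, str):
        return state[tree]
    kind = tree[0]
    if kind == "OR":
        return any(evaluate(c, state) for c in tree[1:])
    if kind == "AND":
        return all(evaluate(c, state) for c in tree[1:])
    return sum(evaluate(c, state) for c in tree[2:]) >= tree[1]


def exact_probability(tree, probs):
    """Exact top-event probability (independent basic events) by enumerating every
    combination of basic-event states. A BDD engine such as ARALIA does this
    symbolically, which is what makes its result exact without approximation."""
    events = sorted(basic_events(tree))
    total = 0.0
    for bits in product((False, True), repeat=len(events)):
        state = dict(zip(events, bits))
        if evaluate(tree, state):
            weight = 1.0
            for e, failed in state.items():
                weight *= probs[e] if failed else 1.0 - probs[e]
            total += weight
    return total


def rare_event_approximation(tree, probs):
    """Sum of the minimal cut set probabilities: the usual conservative approximation."""
    total = 0.0
    for mcs in minimal_cut_sets(tree):
        weight = 1.0
        for e in mcs:
            weight *= probs[e]
        total += weight
    return total


if __name__ == "__main__":
    print("minimal cut sets by order:", cut_set_orders(NO_WATER_AT_EXIT))
    print("exact P[no water at exit]:", exact_probability(NO_WATER_AT_EXIT, WATER_PROBS))
    print("rare-event approximation :", rare_event_approximation(NO_WATER_AT_EXIT, WATER_PROBS))
    print("PSHH group cut sets      :", cut_set_orders(PSHH_GROUP))
```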
10.3. Reliability data selection

10.3.1. Origin of the reliability data

Reliability data sources

Most of the reliability data were extracted from the OREDA 02 handbook [11].
This public handbook provides reliability information on equipment used in the
North Sea and in the Adriatic Sea.
Additional information comes from the NPRD-95 public handbook. It gives failure
rates on equipment (e.g. valves) and on items (e.g. solenoid valves) used in
various environmental conditions.

Failure rate (FR)

The failure rate λ is assumed to be a constant value (bottom of the "bathtub"
curve below), as stated in OREDA 2002: "all the failure rate estimates
presented in this handbook are (therefore) based on the assumption that the
failure rate is constant and independent of time".

[Figure: "bathtub" curve of the failure rate function versus time (not to scale):
burn-in phase, useful life phase, wear-out phase.]

Failure rate and probability to fail upon demand

Failures of on-guard items (such as Master valves) find their roots:
- During their "dormant" period.
- Upon a demand (true demand or test).
Accordingly, to provide a true picture of the reliability of an on-guard item two
parameters should be measured:
- A "true" failure rate λ* (e.g. number of failures per million hours).
- A "true" probability to fail upon demand γ (dimensionless).
Proof tests reveal some of the failures occurring during the dormant period, but
they have no impact on the "true" probability to fail upon demand γ.
Unfortunately, reliability data handbooks provide failure rates, only. These failure
rates λ are a mixture of the "true" failure rate λ* and of the "true" probability to fail
upon demand γ.
Accordingly, high testing frequencies are meaningless, as tests reveal only some of
the failures that occurred during the "dormant" period.

10.3.2. Terminology

Reference documents do not use the same terminology as the reliability data
sources. The aim of this paragraph is to present both terminologies so as to
explain how the reliability data were selected.

10.3.2.1. IEC

The following definitions are provided within IEC 61508 part 4 [9] and IEC 61511 part
1 [10].

Common cause failure
Failure, which is the result of one or more events, causing coincident failures of
two separate channels in a multiple channel system, leading to system failure.

Error
Discrepancy between a computed, observed or measured value or condition and the
true, specified or theoretically correct value or condition.

Human error (mistake)
Human action or inaction that can produce an unintended result.

Proof test (IEC 61511)
Periodic test performed to reveal undetected faults in a safety-instrumented
system so that, if necessary, the system can be restored to its design
functionality.

Detected (IEC 61511)
Revealed
Overt
In relation to hardware and software faults found by the diagnostic test or during
normal operation.

Undetected (IEC 61511)
Unrevealed
Covert
In relation to hardware and software faults not found by the diagnostic test or
during normal operation.

10.3.2.2. OREDA

The following definitions are provided within the OREDA 2002 handbook [11].

Failure Mode
The effect by which a failure is observed on the failed unit. The failure modes
describe the loss of required system function(s) that result from failures, or an
undesired change in state or condition. The failure mode is related to the
equipment unit level. The failure mode is a description of the various abnormal
states/conditions of an equipment unit, and the possible transition from correct to
incorrect state.

The failure mode can be subdivided in two major classes:

1. Demanded change of state is not achieved.
2. Undesired change in conditions (state).

The first class typically comprises events like fail-to-start / stop and fail-to-open /
close, i.e. directly related to a failure of the function of the unit. The latter category
can either be related to function and condition as follows:
a) Undesired change of condition (e.g. vibration, leakage). This category does not
affect the function immediately, but may do so if not attended to within a
reasonable time.
b) Undesired change in manner of operation (e.g. spurious stop, high output).

Severity Class Types

The severity class is used to describe effect on operational status and the
severity of loss of output from the system. Each failure has been associated with
only one severity class, either critical, degraded or incipient, independently of the
failure mode and failure cause.

CRITICAL FAILURE. A failure which causes immediate and complete loss of a
system's capability of providing its output.

DEGRADED FAILURE. A failure which is not critical, but which prevents the
system from providing its output within specifications. Such a failure would
usually, but not necessarily, be gradual or partial, and may develop into a critical
failure in time.

INCIPIENT FAILURE. A failure which does not immediately cause loss of a
system's capability of providing its output, but which, if not attended to, could
result in a critical or degraded failure in the near future.
UNKNOWN. Failure severity was not recorded or could not be deduced.

10.3.2.3. Conclusion

For systems which are called upon on demand in emergency conditions only, only
CRITICAL failure modes are to be considered. If an equipment failure is of the
degraded or incipient type, the equipment is still capable of providing its output
and the failure will be repaired later on.

There is no indication within the OREDA handbook whether recorded failures were
dangerous failures or safe failures. However, it is sensible to consider that for on-
guard items (e.g. ESDV):
- Spurious failure modes are REVEALED failures.
- Failure to close (or to open, etc.) are UNREVEALED FAILURES detected upon
testing only. Depending upon item function these unrevealed failures can then
be classified as SAFE failures or DANGEROUS failures.

Furthermore, following definitions are used:

Test coverage
Fractional decrease in the probability of unrevealed dangerous hardware failure
resulting from the operation of the tests.

Test interval
Interval between tests to detect failures.

10.3.3. Equipment failure rate

Pressure sensor

According to OREDA-02 (operational time = 1,467,500 hr; data from 2
installations), failure rates are as follows (all types of pressure sensors):
- For "critical" failure mode: 0.00 x 10^-6 hr^-1.
- For "degraded" failure mode: 5.55 x 10^-6 hr^-1.

Using the formula λ = 0.7 / T (T = operational time) when no failure is recorded,
it comes:
λ (critical failure mode) = 0.48 x 10^-6 hr^-1

According to OREDA-97 (operational time = 7,061,200 hr; data from 6
installations), failure rates are as follows (all types of pressure sensors):
- For "critical/fail to operate on demand" failure mode: 0.71 x 10^-6 hr^-1.
- For "critical/spurious operation" failure mode: 0.42 x 10^-6 hr^-1.
- For "critical/unknown" failure mode: 0.14 x 10^-6 hr^-1.
- For "degraded" failure mode: 16.25 x 10^-6 hr^-1.

Assuming the "unknown" failure mode can be split proportionally between the "fail to
operate on demand" and "spurious operation" failure modes, the failure rate to
consider for the "fail to operate on demand" failure mode is then:

λ = (0.71 + 0.14 x 0.71 / (0.71 + 0.42)) x 10^-6 hr^-1 = 0.80 x 10^-6 hr^-1

which is close to 0.48 x 10^-6 hr^-1.

It is possible that the reliability of pressure sensors has increased with
time as:
- No critical failure was recorded by OREDA 2002.
- The degraded failure mode was divided by 3 within 5 years.
The above failure rate may therefore be pessimistic.

The failure rate to consider for the "spurious" failure mode is then:

λ = (0.42 + 0.14 x 0.42 / (0.71 + 0.42)) x 10^-6 hr^-1 = 0.47 x 10^-6 hr^-1

ESD/PSD valves

According to OREDA 2002, failure rates are as follows (ESD, ball valves) for:
- "Critical/fail to close on demand" failure mode: all sizes: 7.16 x 10^-6 hr^-1.
- "Critical/spurious operation" failure mode: all sizes: 0.95 x 10^-6 hr^-1.

Logic solver

It is assumed that the logic solver is SIL 3. Accordingly, its probability to fail upon
demand can be considered to be:
γ = 5 x 10^-4

PSS

It is assumed to be SIL 2. Accordingly, its probability to fail upon demand can be
considered to be:
γ = 5 x 10^-3
Pilot valve

Reliability data handbooks mainly provide failure data on equipment (e.g. a valve
with its actuator and its control unit). It is difficult to have information on the
reliability of components (e.g. a pilot valve). NPRD-95 provides the following
information:
"Valve, diverting/sequency, 3 way" failure rate: 0.37 x 10^-6 hr^-1

The failure rate to consider for the pilot valve is then:
λ = 0.37 x 10^-6 hr^-1
10.4. Common cause failure analysis

10.4.1. Definition and modelling

The failures of an item are considered to arise from two causes:
- Random failures; and
- Common Cause Failures (CCF).

CCF are likely to affect more than one item. Accordingly, the probability of CCF is
likely to be the dominant factor in determining the overall probability of failure of a
redundant system.
The "β-factor" model assumes that the failure rate of an item is:

λ = λi + λc

with:
λi = random failure rate
λc = CCF rate
and: λc = βλ
where β is a constant whose value depends on the CCF defenses applied to the
system.

The β-factor method is the only CCF model given in IEC 61508-6.
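The β-factor split above, carried through to the unrevealed unavailability of one 2oo3 PSHH group between two proof tests, as an added Python example that is not part of the study. It uses the PSHH failure rate of Table 1, the β of § 8.2.1 and the 3-month test interval of § 8.1, with the 2oo3 plus CCF structure of Figure 7; the proof test is assumed perfect and instantaneous, so the test duration, repair time, operator error and PSS layer of the study's fault trees are left out, and the figures are therefore lower than those of § 9.1.

```python
import math

# Values taken from the study: Table 1 failure rate of a PSHH (failure to issue signal),
# the β of § 8.2.1 for the 2oo3 PSHH group and the 3-month proof test interval of § 8.1.
LAMBDA_PSHH = 0.80e-6        # hr^-1
BETA_PSHH = 0.10             # 10 %
TEST_INTERVAL_HR = 8760 / 4  # 3 months, taken here as a quarter of a year (assumption)


def split_failure_rate(lam, beta):
    """β-factor model of § 10.4.1: λ = λi + λc with λc = βλ. Returns (λi, λc)."""
    lam_c = beta * lam
    return lam - lam_c, lam_c


def dormant_unavailability(lam, t):
    """Probability that an unrevealed failure (constant rate lam) has occurred
    t hours after a proof test that found the item good."""
    return 1.0 - math.exp(-lam * t)


def group_2oo3_unavailability(lam, beta, t):
    """Unrevealed unavailability of one 2oo3 PSHH group t hours after its test.
    The random branch fails when at least 2 of the 3 sensors have failed; the
    CCF branch fails all three at once (OR of the two branches, as in Figure 7).
    Returns a dict with both branches and the total."""
    lam_i, lam_c = split_failure_rate(lam, beta)
    q = dormant_unavailability(lam_i, t)
    q_random = 3 * q**2 - 2 * q**3          # P[at least 2 of 3 independent failures]
    q_ccf = dormant_unavailability(lam_c, t)
    total = 1.0 - (1.0 - q_random) * (1.0 - q_ccf)
    return {"random_2oo3": q_random, "ccf": q_ccf, "total": total}


def interval_profile(lam, beta, interval, steps=1000):
    """Sawtooth profile over one test interval (the shape of the graphs of § 9.1):
    returns (maximum unavailability, time-averaged unavailability)."""
    values = [group_2oo3_unavailability(lam, beta, interval * i / steps)["total"]
              for i in range(steps + 1)]
    # trapezoidal time average over [0, interval]
    mean = (sum(values) - 0.5 * (values[0] + values[-1])) / steps
    return max(values), mean


def ccf_dominance_ratio(lam, beta, t):
    """How many times larger the CCF branch is than the 2oo3 random branch."""
    parts = group_2oo3_unavailability(lam, beta, t)
    return parts["ccf"] / parts["random_2oo3"]


if __name__ == "__main__":
    lam_i, lam_c = split_failure_rate(LAMBDA_PSHH, BETA_PSHH)
    print(f"λi = {lam_i:.2e} hr^-1, λc = {lam_c:.2e} hr^-1")
    end = group_2oo3_unavailability(LAMBDA_PSHH, BETA_PSHH, TEST_INTERVAL_HR)
    print("at end of test interval:", {k: f"{v:.3e}" for k, v in end.items()})
    peak, mean = interval_profile(LAMBDA_PSHH, BETA_PSHH, TEST_INTERVAL_HR)
    print(f"maximum = {peak:.3e}, time average = {mean:.3e}")
    print(f"CCF / random ratio = {ccf_dominance_ratio(LAMBDA_PSHH, BETA_PSHH, TEST_INTERVAL_HR):.1f}")
    for beta in (0.05, 0.10):
        print(f"β = {beta:.0%}: maximum = {interval_profile(LAMBDA_PSHH, beta, TEST_INTERVAL_HR)[0]:.3e}")
```

With these inputs the CCF branch ends up more than twenty times larger than the 2oo3 random branch, which is the point made in § 10.4.1 about CCF dominating the failure probability of a redundant system.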

10.4.2. The IEC 61508-6 approach

IEC 61508-6 (annex D) provides a methodology for quantifying the effect of
hardware-related common cause failures in multi-channel programmable
electronic systems. It is based on a set of scoring tables taking account of all
defenses against common cause failures:
- Separation/segregation of signal cables and of control electronics.
- Diversity/redundancy of physical principles for acting, of test methods.
- Complexity/design/application/maturity/experience of the equipment.
- Assessment/analysis and feedback of data either at design stage or at field
stage.
- Procedures/human interface to operate the equipment.
- Competence/training/safety culture of designers and of maintainers.
- Environmental control of the equipment.
- Environmental testing of the equipment (before installation).

The check-lists provided in this appendix are a copy of "Table D1 – Scoring
programmable electronics or sensors/actuators" from IEC 61508-6.

These check-lists are used for assessing the quality of the measures against
common cause failures. Two values are assigned for each of these measures
("Score" column):
- Y for measures whose contribution will not be improved by the use of diagnostic
tests.
- X for measures whose contribution will be improved by the use of diagnostic
tests.

The score is then calculated using the following equations:

- S = X + Y when the diagnostic tests are repeated at intervals smaller than 5 min
(diagnostic coverage greater than 90%) or smaller than 1 min (diagnostic
coverage greater than 60%).
- S = X (Z + 1) + Y in the other cases, the value of Z being given by table D2 (IEC
61508-6).

The table below gives the value of β.

Score S | Corresponding value of β for the logic system | Corresponding value of β for sensors or actuators
120 or above | 0.5 % | 1 %
70 to 120 | 1 % | 2 %
45 to 70 | 2 % | 5 %
Less than 45 | 5 % | 10 %
10.4.3. Common cause failure analysis for PSHH

The tables are provided on the next pages.

The value of Z is 0 (diagnostic test repeated at intervals greater than 5 minutes).

The score is 39.5 for 2oo2 redundancy.

The value to consider for β is then 10 %.


Separation / Segregation

Question | YES / NO | Score | Comments
Are all signal cables for the channels routed separately at all positions? | NO | 0 |
If the sensors have dedicated control electronics, is the electronics for each channel on separate printed-circuit boards? | YES | 0 |
If the sensors have dedicated control electronics, is the electronics for each channel indoors and in separate cabinets? | NO | 0 |
Diversity / Redundancy

Question | YES / NO | Score | Comments
Do the devices employ different physical principles for the sensing elements? For example, pressure and temperature, vane anemometer and Doppler transducer, etc. | NO | 0 |
Do the devices employ different electrical principles/designs? For example, digital and analogue, different manufacturer (not re-badged) or different technology. | NO | 0 |
Do the channels employ enhanced redundancy with MooN architecture, where N > M + 2? or N = M + 2? | NO | 0 |
Are separate test methods and people used for each channel during commissioning? | NO | 0 |
Is maintenance on each channel carried out by different people at different times? | NO | 0 |
Complexity/design/application/maturity/experience

Question | YES / NO | Score | Comments
Does cross-connection between channels preclude the exchange of any information other than that used for diagnostic testing or voting purposes? | YES | X = 0.5, Y = 0.5 |
Is the design based on techniques used in equipment that has been used successfully in the field for > 5 years? | YES | X = 1.0, Y = 1.0 |
Is there more than 5 years experience with the same hardware used in similar environments? | YES | X = 1.5, Y = 1.5 |
Are inputs and outputs protected from potential levels of over-voltage and over-current? | YES | X = 1.5, Y = 0.5 |
Are all devices/components conservatively rated? (for example, by a factor of 2 or more) | YES | X = 2.0 |
Assessment/analysis and feedback of data

Question | YES / NO | Score | Comments
Have the results of the failure modes and effects analysis or fault tree analysis been examined to establish sources of common cause failure and have predetermined sources of common cause failure been eliminated by design? | NO | 0 |
Were common cause failures considered in design reviews with the results fed back into the design? (Documentary evidence of the design review activity is required). | YES | 0 |
Are all field failures fully analysed with feedback into the design? (Documentary evidence of the procedure is required) | NO | 0 |
Procedure/human interface

Question | YES / NO | Score | Comments
Is there a written system of work which will ensure that all component failures (or degradations) are detected, the root causes established and other similar items are inspected for similar potential causes of failure? | YES | 0 |
Are procedures in place to ensure that maintenance (including adjustment or calibration) of any part of the independent channels is staggered, and, in addition to the manual checks carried out following maintenance, the diagnostic tests are allowed to run satisfactorily between the completion of maintenance on one channel and the start of maintenance on another? | YES | 0 |
Do the documented maintenance procedures specify that all parts of redundant systems (for example, cables, etc.), intended to be independent of each other, must not be relocated? | YES | 0 |
Is all maintenance of printed-circuit boards, etc. carried out off-site at a qualified repair centre and have all the repaired items gone through a full pre-installation testing? | YES | X = 0.5, Y = 1.5 | All the repaired items have gone through a factory acceptance test. Maintenance of various items is too complex to be performed on site.
Do the system diagnostics tests report failures to the level of a field-replaceable module? | YES | 0 |
Competence/training/safety culture

Question | YES / NO | Score | Comments
Have designers been trained (with training documentation) to understand the causes and consequences of common cause failures? | NO | 0 |
Have maintainers been trained (with training documentation) to understand the causes and consequences of common cause failures? | YES | 0 |

Environmental control

Question | YES / NO | Score | Comments
Is personnel access limited (for example locked cabinets, inaccessible position)? | YES | X = 0.5, Y = 2.5 |
Will the system be operating within the range of temperature, humidity, corrosion, dust, vibration, etc., over which it has been tested, without the use of external environmental control? | YES | X = 3.0, Y = 1.0 |
Are all signal and power cables separate at all positions? | NO | 0 |

Environmental testing

Question | YES / NO | Score | Comments
Has a system been tested for immunity to all relevant environmental influences (for example EMC, temperature, vibration, shock, humidity) to an appropriate level as specified in recognised standards? | YES | X = 10.0, Y = 10.0 |
