Académique Documents
Professionnel Documents
Culture Documents
Wellhead Standardisation
Wellhead Standardisation
Gas Wellhead
PDO
Pertoleum Development of Oman
Specific assumptions 3
SIF: TYPICAL-AA-001A OVER PRESSURE PROTECTION OF API 15000 RATING WELLHEAD - FLOW LINE 3RUPTURE CASE
SIF: TYPICAL-AA-001B OVER PRESSURE PROTECTION OF API 15000 RATING WELLHEAD - STATION INLET
6 MANIFOLD RUPTU
Appendices 12
Appendix B - Assumptions with relation to integrity level and fault tolerance requirements 13
This overall SIS requirements specification provides the detailed specification for the SIS.
Note that a strategy for proof testing and maintenance of the SIS and the SIFs has been developed during and prior to the
development of the SIS requirements specification so that necessary allowances can be made in the design of hardware and
software.
This maintenance strategy has influenced the following decisions:
Requirement for additional robustness in sensors and final elements where operational opportunities to proof test and
maintain were limited. Robustness will improve access to components for testing or allow test intervals to be increased to
allow access.
Requirement for additional access to instruments (e.g. ladders, platforms etc.) or allowance for reduced access and
added test costs (scaffolding).
Use of automated testing using software algorithms and/or hardware (e.g. Measurement Validation and Comparison
(MVC), automated valve stroking, partial valve stroking).
Operational and maintenance manning levels for the facility.
Contributions to this SIS requirements specification were sought from other disciplines (process, process control, mechanical,
rotating equipment, civil/structural, operations, maintenance) and from vendors.
This SIF requirements specification document is intended to provide a single point of reference for all information relevant
information with regards to the requirements, design and testing/inspection strategy of the SIS.
Barriers:
NIL
(Relief valves are suitable only for releasing leakage through the IPF valve. Hence, not a valid barrier.)
Mitigation:
M1: Probability for igniting the released gas of 1 to 50 kg/s = 0.07
Condition Modifier:
CM1: Probability for personnel presence in the released hazard = 0.1
H&S:
Potential for 1 to 3 fatalities
Environment:
Localised effect
Economics:
Estimated total incremental economic consequence including cost of repair/replacement, deferment of production from one well and
associated activities > 1 MUSD and < 10 MUSD
Cost of Gas deferment per day = 1 MMSCMD x 175K USD /MMSM x 1 day = 175 K USD
Cost of Oil/Condensate deferment per day = 1000 m3/day X 6.29 bbl/m3 X 20 USD /bbl x 1 day = 125 K USD
Hence, total cost of deferment for 12 hours = 150 KUSD
Subsystems
Sensor WELLHEAD CHOKE VALVE 00-PZ-XX6 A/B
DOWNSTREAM PRESSURE
HH
Total H SIL 2
Notes
2. The wellhead HH pressure protection function is classified with two cases: flowline rupture case and station manifold rupture
case. Out of these two cases, Case-2 (station manifold rupture case - SIF ID: TYPICAL-AA-001B) is predominant. Hence,
implementation of this SIF is done as part of TYPICAL-AA-001B.
1. The SIL classification is done only for one design option (API 15000 rating & DSS material) gas wellhead pressure protection
function. SIL classification for all other well hook-up design options (API 10000 rating & DSS material, ASME 2500 rating & DSS/CS
material) will fall within this SIL range.
Barriers:
NIL
(Relief valves are suitable only for releasing leakage through the IPF valve. Hence, not a valid barrier.)
Mitigation:
M1: Probability for igniting the released gas of 1 to 50 kg/s = 0.07
Condition Modifier:
CM1: Probability for personnel presence in the released hazard = 0.1
H&S:
Potential for 1 to 3 fatalities
Environment:
Localised effect
Economics:
Estimated total incremental economic consequence including cost of repair/replacement, deferment of production from the
gathering/production station and associated activities > 10 MUSD
Cost of Gas deferment per day = 1 MMSCMD x 175K USD /MMSM x 1 day = 175 K USD
Cost of Oil/Condensate deferment per day = 1000 m3/day X 6.29 bbl/m3 X 20 USD /bbl x 1 day = 125 K USD
Hence, total cost of deferment for 12 hours = 150 KUSD
Subsystems
Sensor WELLHEAD CHOKE VALVE 00-PZ-XX6 A/B
DOWNSTREAM PRESSURE
HH
Total E SIL 3
Notes
1. The SIL classification is done only for one design option (API 15000 rating & DSS material) gas wellhead pressure protection
function. SIL classification for all other well hook-up design options (API 10000 rating & DSS material, ASME 2500 rating & DSS/CS
material) will fall within this SIL range.
2. SIF design is done using RRM Version 1.51 standard excel file.
Barriers:
NIL
Mitigation:
NIL
Condition Modifier:
NIL
a) Overpressurization of CI skid is not credible because the vent on the Chemical storage tank is suitably sized to release possible
overpressure scenario. Further, height of the vent confirms safe disposal of process fluid, i.e. sweet HC.
c) No concern is identified w.r.t impact on the Chemical due to mixing of process fluid following reverse flow. In the worst case, it
might require replacing the chemical.
H&S:
NIL
Environment:
NIL
Economics:
In the worst case, replacement of chemical might result in economic consequence of < 10 KUSD. Replacement of chemical is
considered unlikely as process fluid is primarily gas with residual condensate.
Subsystems
Sensor REVERSE FLOW 00-PDIZA-XXX
Total N SIL a
Notes
1. In the worst case, it might require replacing the chemical, which might result in economic consequence of < 10 KUSD.
Replacement of chemical is considered unlikely as process fluid is primarily gas with residual condensate. Hence, it is selected as
UNCLASSIFIED.
For environmental risks, the SIL decision matrix is calibrated to achieve a residual risk for major environmental consequences of
less than 1E-03 per year per hazardous situation. For production loss and equipment damage, the SIL decision matrix is calibrated
to achieve a residual risk of less than $10,000 per year per hazardous situation. It is assumed that the SIL decision matrix is used
by professionals aware of these assumptions, limitations, the instructions and relevant applicable standards (e.g. IEC 61511).
Consequences shall be taken as 'potential credible' consequences rather than average or ultimately conceivable consequences.
Consequences shall always be taken as the difference between 'success' on demand and 'failure on demand'. The demand rate
shall be taken as the frequency of the consequence with all other safeguards (barriers), mitigations, and conditional modifiers in
place except for the IPF under consideration. Do not take credit for a protection layer if it is not dependable, effective or
independent. A protection layer is dependable if its proper functioning is inspected (and repaired) on a regular basis. Protection
layers are not independent if they share significant amount of elements. E.g. 2 alarms in the DCS may not be independent because
they usually share the operator. Each protection layer shall also be independent from the initiating events that may ultimately lead
to the hazardous event
The default SIL decision matrix is in line with Shell DEP 32.80.10.10.-Gen (2008). Depending on the companies own risk criteria,
the matrix may require re-calibration, e.g. in the case of existing installations where meeting the requisite SIL would be prohibitive
and a lower SIL may be ALARP. The method used by SIFpro(tm) to evaluate if a design reduces a risk to a level that is ALARP (As
Low As Reasonably Practicable) is developed for financial risks only. Note that modification of the rule sets or SIL decision matrix
of SIFpro(tm), allows to apply ALARP for non-financial risks as well. However, demonstration of ALARP for non-financial risks
requires techniques to evaluate all Risk Reducing Alternatives (RRA), which goes far beyond the scope of SIFpro(tm). Therefore,
SIFpro(tm) shall not be used in isolation to demonstrate that risks to personal safety or environment are ALARP. Useful information
with regards to the demonstration of ALARP can be found on http://www.hse.gov.uk/comah/index.htm.
Code PFD target PFD limit d target d limit Base fault tolerance ETT allowed
- 1.00 1.00 1.00 1.00 0 Yes
SIL a 9.00e-1 9.00e-1 1.00 1.00 -1 Yes
SIL 1 7.00e-2 1.00e-1 6.13e-2 8.76e-2 0 No
SIL 2 7.00e-3 1.00e-2 6.13e-3 8.76e-3 1 No
SIL 3 7.00e-4 1.00e-3 6.13e-4 8.76e-4 2 No
SIL 4 7.00e-5 1.00e-4 6.13e-5 8.76e-5 3 No
X 0 0 0 0 0 No
Where target and limiting d are used for safety functions in continuous demand.
Where Base FT is the base fault tolerance that is used to calculate the minimum required degree of dangerous fault tolerance for
each subsystem defined in each function. The minimum required degree of fault tolerance is corrected using the following
parameters of each tag used in the subsystems.
When a subsystem is made up from various Tags that have different overall FT corrections, the largest correction factor has been
used to define the minimum degree of fault tolerance for the entire subsystem.
'ETT allowed' may be set to yes if energise to trip (ETT) circuits are allowed for the integrity level. In that case ETT has been set to
'Yes'.