
SIS Requirements Specification

Safety Instrumented Systems

Wellhead Standardisation
Gas Wellhead

PDO
Petroleum Development of Oman

Printed 03/11/16 2.4.1.3900.3 Revision 1


By SIFpro Custodian Page 1 Working Document
Table of Contents
Preface
Section 1 Function narratives and integrity level assessment
Specific assumptions and Risk Assessments
Plant: Wellhead Standardisation
Unit: Gas Wellhead Standardisation
Specific assumptions
SIF: TYPICAL-AA-001A OVER PRESSURE PROTECTION OF API 15000 RATING WELLHEAD - FLOW LINE RUPTURE CASE
SIF: TYPICAL-AA-001B OVER PRESSURE PROTECTION OF API 15000 RATING WELLHEAD - STATION INLET MANIFOLD RUPTURE CASE
SIF: TYPICAL-AA-002 WELLHEAD REVERSE FLOW
Appendices
Appendix A - Method for assessing integrity level
Appendix B - Assumptions with relation to integrity level and fault tolerance requirements
Appendix C - Assumptions with relation to justification for capital investment

Preface
IEC 61511 requires the development of a SIS requirements specification. A number of elements of the requirements specification
have been collected during the definition of the safety functions, the risk assessment (SIL assessment) and the design of the SIFs.
For complex situations, and to provide an overview of the interactions of the various SIFs, a narrative describing the functional and
operational requirements of the SIS has been added as required.

This overall SIS requirements specification provides the detailed specification for the SIS.

This SIS requirements specification refers to:
- Cause and Effect Diagrams
- Safeguarding Memoranda
- Process Safeguarding Flow Schemes (PSFS)
- Process Engineering Flow Schemes (PEFS)
- The SIL assessment Study reports or details
and includes the SIS/SIF Narratives.

Note that a strategy for proof testing and maintenance of the SIS and the SIFs has been developed during and prior to the
development of the SIS requirements specification so that necessary allowances can be made in the design of hardware and
software.

This maintenance strategy has influenced the following decisions:
- Requirement for additional robustness in sensors and final elements where operational opportunities to proof test and maintain were limited. Robustness will improve access to components for testing or allow test intervals to be increased to allow access.
- Requirement for additional access to instruments (e.g. ladders, platforms etc.) or allowance for reduced access and added test costs (scaffolding).
- Use of automated testing using software algorithms and/or hardware (e.g. Measurement Validation and Comparison (MVC), automated valve stroking, partial valve stroking).
- Operational and maintenance manning levels for the facility.

Contributions to this SIS requirements specification were sought from other disciplines (process, process control, mechanical,
rotating equipment, civil/structural, operations, maintenance) and from vendors.

This SIF requirements specification document is intended to provide a single point of reference for all relevant
information with regard to the requirements, design and testing/inspection strategy of the SIS.

Section 1 Function narratives and integrity level assessment

Specific assumptions and Risk Assessments


Plant: Wellhead Standardisation
Unit: Gas Wellhead Standardisation

SIF: TYPICAL-AA-001A OVER PRESSURE PROTECTION OF API 15000 RATING WELLHEAD - FLOW LINE RUPTURE CASE
Function group: 00-UZ-XXX PHA/HAZOP reference: Node-2 Unit Gas Wellhead
Associated entity: 28/02/16 Assessment status: OK Last revision: 03/11/2016
Design status: Waived Analysis
Analysis: Full

Design intent/Hazard to be protected against


To prevent overpressurization of the flow line of the DEP class 15,000 DSS wellhead.

Demand Scenario
LOPA has been applied: Yes
Initiating Events:
IE1: Inadvertent closure of manual isolation valves on flow line; IEF=0.05/y (In general, LO valves are provided)
IE2: Malfunction of pressure control loop at wellhead; IEF=0.1/y

Barriers:
NIL
(Relief valves are suitable only for releasing leakage through the IPF valve. Hence, not a valid barrier.)

Mitigation:
M1: Probability for igniting the released gas of 1 to 50 kg/s = 0.07

Condition Modifier:
CM1: Probability for personnel presence in the released hazard = 0.1

Initiating events (Freq.)                                      Lower      Higher
Malfunction of pressure control loop at wellhead               1.00e-1    1.00e-1
Inadvertent closure of manual isolation valves on flow line    5.00e-2    5.00e-2

Protection layers (PFD)                                        Lower      Higher
Probability for igniting the released gas of 1 to 50 kg/s      7.00e-2    7.00e-2
Probability for personnel presence in the released hazard      1.00e-1    1.00e-1

Demand rate (per year)       Lower      Higher
Eco demand rate   Real       1.50e-1    1.50e-1
Eco demand rate   Virtual    1.05e-2    1.05e-2
HS demand rate    Real       1.50e-1    1.50e-1
HS demand rate    Virtual    1.05e-3    1.05e-3
Env demand rate   Real       1.50e-1    1.50e-1
Env demand rate   Virtual    1.05e-3    1.05e-3

Consequence of Failure on Demand


CoFoD:
Possible over-pressurization leading to potential rupture of flowline, loss of containment with release of flammable hydrocarbon.
Potential for jet fire, which may affect near-by equipment e.g. WHCP, CI skid, etc.
The wellhead will not be available for a long duration.

H&S:
Potential for 1 to 3 fatalities

Environment:
Localised effect

Economics:
Estimated total incremental economic consequence including cost of repair/replacement, deferment of production from one well and
associated activities > 1 MUSD and < 10 MUSD

Consequence of Safe Failure:


The well will be isolated; it will be restored within 12 hours.

Cost of Gas deferment per day = 1 MMSCMD x 175K USD /MMSM x 1 day = 175 K USD
Cost of Oil/Condensate deferment per day = 1000 m3/day X 6.29 bbl/m3 X 20 USD /bbl x 1 day = 125 K USD
Hence, total cost of deferment for 12 hours = 150 KUSD

Subsystems
Sensor: WELLHEAD CHOKE VALVE DOWNSTREAM PRESSURE HH (00-PZ-XX6 A/B)
Logic Solver: WELLHEAD HIPPS & WHCP (00-WHCP-XXX/00-HIPPS-XXX)
Final Element: WELLHEAD HIPPS VALVE CLOSE (00-UZV-XX2)
Final Element: WELLHEAD SC-SSV CLOSE (00-UZV-XX1)

Success criterion
Sensors: 1oo2 (hydraulic pilot pressure switches, 00-PZ-XX6A/B in 1oo2 voting logic)
Final elements: 1oo2 (hydraulic actuated HIPPS valve & hydraulic actuated SC-SSV; logic of closing SC-SSV is implemented in Wellhead
hydraulic control panel (WHCP) and logic of closing the HIPPS valve is implemented in HIPPS hydraulic control panel)

Consequence severity and Criticality Assessment
ALARP applied? No

Demand interval Years


Consequences Rating Acceptable: Tolerable:
Economics H SIL 1
Health and safety H SIL 2
Environment M SIL 1

Total H SIL 2

Notes
1. The SIL classification is done only for one design option (API 15000 rating & DSS material) gas wellhead pressure protection
function. SIL classification for all other well hook-up design options (API 10000 rating & DSS material, ASME 2500 rating & DSS/CS
material) will fall within this SIL range.
2. The wellhead HH pressure protection function is classified with two cases: flowline rupture case and station manifold rupture
case. Out of these two cases, Case-2 (station manifold rupture case - SIF ID: TYPICAL-AA-001B) is predominant. Hence,
implementation of this SIF is done as part of TYPICAL-AA-001B.

SIF: TYPICAL-AA-001B OVER PRESSURE PROTECTION OF API 15000 RATING WELLHEAD - STATION INLET MANIFOLD RUPTURE CASE
Function group: 00-UZ-XXX PHA/HAZOP reference: Node-2 Unit Gas Wellhead
Associated entity: 28/02/16 Assessment status: OK Last revision: 03/11/2016
Design status: Waived Analysis
Analysis: Full

Design intent/Hazard to be protected against


To prevent overpressurization of the RMS where the flow line of the DEP class 15,000 DSS wellhead is connected.

Demand Scenario
LOPA has been applied: Yes
Initiating Events:
IE1: Closure of Station inlet valve on inlet separator PSD; IEF=0.2/y (In general, this valve closes on High level and High pressure
of inlet separator)
IE2: Closure of Station inlet valve on Station ESD; IEF=1.0/y
IE3: Inadvertent closure of station inlet valve; IEF=0.05/y
IE4: Malfunction of pressure control loop at wellhead; IEF=0.1/y

Barriers:
NIL
(Relief valves are suitable only for releasing leakage through the IPF valve. Hence, not a valid barrier.)

Mitigation:
M1: Probability for igniting the released gas of 1 to 50 kg/s = 0.07

Condition Modifier:
CM1: Probability for personnel presence in the released hazard = 0.1

Initiating events (Freq.)                                      Lower      Higher
Closure of Station inlet valve on inlet separator PSD          2.00e-1    2.00e-1
Inadvertent closure of station inlet valve                     5.00e-2    5.00e-2
Malfunction of pressure control loop at wellhead               1.00e-1    1.00e-1
Closure of Station inlet valve on Station ESD                  1.00       1.00

Protection layers (PFD)                                        Lower      Higher
Probability for personnel presence in the released hazard      1.00e-1    1.00e-1
Probability for igniting the released gas of 1 to 50 kg/s      7.00e-2    7.00e-2

Demand rate (per year)       Lower      Higher
Eco demand rate   Real       1.35       1.35
Eco demand rate   Virtual    9.45e-2    9.45e-2
HS demand rate    Real       1.35       1.35
HS demand rate    Virtual    9.45e-3    9.45e-3
Env demand rate   Real       1.35       1.35
Env demand rate   Virtual    9.45e-3    9.45e-3
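
Added example (not part of the SIFpro report): the real and virtual demand rates printed for TYPICAL-AA-001A and TYPICAL-AA-001B can be re-derived from the listed IEFs, the ignition probability and the personnel-presence modifier. Which modifier is credited for which consequence category is an assumption inferred from the printed figures, and the class and function names are illustrative.

```python
from dataclasses import dataclass
from math import prod

CATEGORIES = ("Eco", "HS", "Env")

@dataclass(frozen=True)
class Modifier:
    name: str
    probability: float
    applies_to: frozenset  # consequence categories that take credit for it

# Values from the report. The category mapping is an assumption inferred from
# the printed virtual rates: Eco is reduced by ignition only, HS and Env by both.
IGNITION = Modifier("M1 ignition of released gas", 0.07, frozenset(CATEGORIES))
PRESENCE = Modifier("CM1 personnel presence", 0.1, frozenset({"HS", "Env"}))

@dataclass(frozen=True)
class Scenario:
    sif_id: str
    ief_per_year: dict  # initiating event -> frequency per year
    modifiers: tuple = (IGNITION, PRESENCE)

    def real_rate(self) -> float:
        # Barriers are NIL in both scenarios, so the event frequencies add up.
        return sum(self.ief_per_year.values())

    def virtual_rate(self, category: str) -> float:
        credit = prod(m.probability for m in self.modifiers
                      if category in m.applies_to)
        return self.real_rate() * credit

SIF_001A = Scenario("TYPICAL-AA-001A", {
    "IE1 inadvertent closure of manual isolation valves": 0.05,
    "IE2 malfunction of pressure control loop": 0.1,
})
SIF_001B = Scenario("TYPICAL-AA-001B", {
    "IE1 station inlet valve closure on inlet separator PSD": 0.2,
    "IE2 station inlet valve closure on station ESD": 1.0,
    "IE3 inadvertent closure of station inlet valve": 0.05,
    "IE4 malfunction of pressure control loop": 0.1,
})

def demand_table(s: Scenario) -> dict:
    """Return {category: (real, virtual)} to three significant figures."""
    fmt = lambda x: f"{x:.2e}"
    return {c: (fmt(s.real_rate()), fmt(s.virtual_rate(c))) for c in CATEGORIES}

if __name__ == "__main__":
    for sif in (SIF_001A, SIF_001B):
        print(sif.sif_id)
        for cat, (real, virtual) in demand_table(sif).items():
            print(f"  {cat:<3} real={real}/y virtual={virtual}/y")
```

Python prints two-digit exponents (1.05e-02) where the report prints 1.05e-2; the values are the same.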

Consequence of Failure on Demand


CoFoD:
Possible over-pressurization leading to potential rupture of RMS, bulk line resulting in loss of containment with release of flammable
hydrocarbon.
Potential for jet fire, which may affect near-by equipment e.g. Station inlet separator.
The related gathering station/production station will not be available for a long duration.

H&S:
Potential for 1 to 3 fatalities

Environment:
Localised effect

Economics:
Estimated total incremental economic consequence including cost of repair/replacement, deferment of production from the
gathering/production station and associated activities > 10 MUSD

Consequence of Safe Failure:


The well will be isolated; it will be restored within 12 hours.

Cost of Gas deferment per day = 1 MMSCMD x 175K USD /MMSM x 1 day = 175 K USD
Cost of Oil/Condensate deferment per day = 1000 m3/day X 6.29 bbl/m3 X 20 USD /bbl x 1 day = 125 K USD
Hence, total cost of deferment for 12 hours = 150 KUSD

Subsystems
Sensor: WELLHEAD CHOKE VALVE DOWNSTREAM PRESSURE HH (00-PZ-XX6 A/B)
Logic Solver: WELLHEAD HIPPS & WHCP (00-WHCP-XXX/00-HIPPS-XXX)
Final Element: WELLHEAD HIPPS VALVE CLOSE (00-UZV-XX2)
Final Element: WELLHEAD SC-SSV CLOSE (00-UZV-XX1)

Success criterion
Sensors: 1oo2 (hydraulic pilot pressure switches, 00-PZ-XX6A/B in 1oo2 voting logic)
Final elements: 1oo2 (hydraulic actuated HIPPS valve & hydraulic actuated SC-SSV; logic of closing SC-SSV is implemented in Wellhead
hydraulic control panel (WHCP) and logic of closing the HIPPS valve is implemented in HIPPS hydraulic control panel)

Consequence severity and Criticality Assessment
ALARP applied? No

Demand interval Years
Consequences Rating Acceptable: Tolerable:
Economics E SIL 2
Health and safety H SIL 2
Environment M SIL 1

Total E SIL 3

Notes
1. The SIL classification is done only for one design option (API 15000 rating & DSS material) gas wellhead pressure protection
function. SIL classification for all other well hook-up design options (API 10000 rating & DSS material, ASME 2500 rating & DSS/CS
material) will fall within this SIL range.
2. SIF design is done using RRM Version 1.51 standard excel file.

SIF: TYPICAL-AA-002 WELLHEAD REVERSE FLOW
Function group: 00-UZ-XXX PHA/HAZOP reference: HAZOP Unit Gas Wellhead
Associated entity: 16-06-2016 Assessment status: OK Last revision: 03/11/2016
Design status: Waived Analysis
Analysis: Full

Design intent/Hazard to be protected against


To prevent reverse flow of process fluid from wellhead piping to the CI skid.

Demand Scenario
LOPA has been applied: No


Initiating Events:
IE1: Malfunction of auto start sequence for the CI pumps; IEF= 0.1/y.

Barriers:
NIL

Mitigation:
NIL

Condition Modifier:
NIL

Consequence of Failure on Demand


CoFoD:
Potential reverse flow of process fluid from wellhead piping to the CI skid.

However, there is no threat identified w.r.t the following:

a) Overpressurization of CI skid is not credible because the vent on the Chemical storage tank is suitably sized to release possible
overpressure scenario. Further, height of the vent confirms safe disposal of process fluid, i.e. sweet HC.

b) No concern is identified w.r.t impact on the MOC of the entire CI skid.

c) No concern is identified w.r.t impact on the Chemical due to mixing of process fluid following reverse flow. In the worst case, it
might require replacing the chemical.

H&S:
NIL

Environment:
NIL

Economics:

In the worst case, replacement of chemical might result in economic consequence of < 10 KUSD. Replacement of chemical is
considered unlikely as process fluid is primarily gas with residual condensate.

Consequence of Safe Failure:


Injection of chemical will stop, which will be restored within 12 hrs. No impact for short term outage on the pipeline MOC.

Subsystems
Sensor: REVERSE FLOW (00-PDIZA-XXX)
Logic Solver: WELLHEAD HIPPS & WHCP (00-WHCP-XXX/00-HIPPS-XXX)
Final Element: ESD VALVE ON CI SUPPLY LINE (00-UZV-XXX3)

Success criterion
Sensors Final elements

Consequence severity and Criticality Assessment
ALARP applied? No

Demand interval Years


Consequences Rating Acceptable: Tolerable:
Economics N SIL a
Health and safety - -
Environment - -

Total N SIL a

Notes
1. In the worst case, it might require replacing the chemical, which might result in economic consequence of < 10 KUSD.
Replacement of chemical is considered unlikely as process fluid is primarily gas with residual condensate. Hence, it is selected as
UNCLASSIFIED.

Appendices
Appendix A - Method for assessing integrity level
The SIL decision matrix for personal risks is calibrated to achieve an individual risk per annum (IRPA) that is ALARP and in
accordance with DEP 32.80.10.10-gen (July 2008). See also report GS 08 53543 (EAR99).

For environmental risks, the SIL decision matrix is calibrated to achieve a residual risk for major environmental consequences of
less than 1E-03 per year per hazardous situation. For production loss and equipment damage, the SIL decision matrix is calibrated
to achieve a residual risk of less than $10,000 per year per hazardous situation. It is assumed that the SIL decision matrix is used
by professionals aware of these assumptions, limitations, the instructions and relevant applicable standards (e.g. IEC 61511).

Consequences shall be taken as 'potential credible' consequences rather than average or ultimately conceivable consequences.
Consequences shall always be taken as the difference between 'success' on demand and 'failure on demand'. The demand rate
shall be taken as the frequency of the consequence with all other safeguards (barriers), mitigations, and conditional modifiers in
place except for the IPF under consideration. Do not take credit for a protection layer if it is not dependable, effective or
independent. A protection layer is dependable if its proper functioning is inspected (and repaired) on a regular basis. Protection
layers are not independent if they share a significant number of elements. For example, two alarms in the DCS may not be independent
because they usually share the operator. Each protection layer shall also be independent from the initiating events that may
ultimately lead to the hazardous event.

The default SIL decision matrix is in line with Shell DEP 32.80.10.10.-Gen (2008). Depending on the company's own risk criteria,
the matrix may require re-calibration, e.g. in the case of existing installations where meeting the requisite SIL would be prohibitive
and a lower SIL may be ALARP. The method used by SIFpro(tm) to evaluate if a design reduces a risk to a level that is ALARP (As
Low As Reasonably Practicable) is developed for financial risks only. Note that modifying the rule sets or SIL decision matrix
of SIFpro(tm) allows ALARP to be applied to non-financial risks as well. However, demonstration of ALARP for non-financial risks
requires techniques to evaluate all Risk Reducing Alternatives (RRA), which goes far beyond the scope of SIFpro(tm). Therefore,
SIFpro(tm) shall not be used in isolation to demonstrate that risks to personal safety or environment are ALARP. Useful information
with regard to the demonstration of ALARP can be found on http://www.hse.gov.uk/comah/index.htm.

Appendix B - Assumptions with relation to integrity level and fault tolerance requirements
Defined integrity codes
The following integrity codes have been applied

Code     PFD target   PFD limit   d target   d limit    Base fault tolerance   ETT allowed
-        1.00         1.00        1.00       1.00       0                      Yes
SIL a    9.00e-1      9.00e-1     1.00       1.00       -1                     Yes
SIL 1    7.00e-2      1.00e-1     6.13e-2    8.76e-2    0                      No
SIL 2    7.00e-3      1.00e-2     6.13e-3    8.76e-3    1                      No
SIL 3    7.00e-4      1.00e-3     6.13e-4    8.76e-4    2                      No
SIL 4    7.00e-5      1.00e-4     6.13e-5    8.76e-5    3                      No
X        0            0           0          0          0                      No

Where target and limiting d are used for safety functions in continuous demand.
Where Base FT is the base fault tolerance that is used to calculate the minimum required degree of dangerous fault tolerance for
each subsystem defined in each function. The minimum required degree of fault tolerance is corrected using the following
parameters of each tag used in the subsystems.

Fault tolerance modifiers

Fail Safe: possible values and corresponding FT correction
No     1
Yes    0

Prior Use: possible values and corresponding FT correction
No     0
Yes    -1

When a subsystem is made up from various Tags that have different overall FT corrections, the largest correction factor has been
used to define the minimum degree of fault tolerance for the entire subsystem.

'ETT allowed' may be set to yes if energise to trip (ETT) circuits are allowed for the integrity level. In that case ETT has been set to
'Yes'.

Not allowable Equipment Types

The following Equipment Types are not allowed
Code -      All allowed except: None
Code SIL a  All allowed except: None
Code SIL 1  All allowed except: P Sw. (Mechanical Pressure Switch)
Code SIL 2  All allowed except: P Sw. (Mechanical Pressure Switch)
Code SIL 3  All allowed except: P Sw. (Mechanical Pressure Switch)
Code SIL 4  All allowed except: None
Code X      All allowed except: None
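
Added example (not SIFpro code and not part of the report): a small checker that applies the Appendix B rules to one subsystem, giving its minimum fault tolerance from the base value and the largest tag correction, and flagging disallowed equipment types, energise-to-trip circuits and the calculated PFD. The tag names, the "P Tx." type code, summing the two modifiers per tag, clamping at zero and the reading of target versus limit are assumptions made for illustration.

```python
from dataclasses import dataclass

# Appendix B integrity codes: (PFD target, PFD limit, base fault tolerance, ETT allowed)
INTEGRITY_CODES = {
    "SIL a": (9.00e-1, 9.00e-1, -1, True),
    "SIL 1": (7.00e-2, 1.00e-1, 0, False),
    "SIL 2": (7.00e-3, 1.00e-2, 1, False),
    "SIL 3": (7.00e-4, 1.00e-3, 2, False),
    "SIL 4": (7.00e-5, 1.00e-4, 3, False),
}
# Equipment types excluded per code ("P Sw." = Mechanical Pressure Switch).
NOT_ALLOWED = {"SIL 1": {"P Sw."}, "SIL 2": {"P Sw."}, "SIL 3": {"P Sw."}}

@dataclass(frozen=True)
class Tag:
    name: str               # constructed tag names, not taken from the report
    equipment_type: str     # "P Tx." below is a hypothetical type code
    fail_safe: bool
    prior_use: bool
    energise_to_trip: bool = False

    def ft_correction(self) -> int:
        # Fail Safe: No -> 1, Yes -> 0. Prior Use: No -> 0, Yes -> -1.
        # Assumption: a tag's overall correction is the sum of both modifiers.
        return (0 if self.fail_safe else 1) + (-1 if self.prior_use else 0)

def min_fault_tolerance(code: str, tags: list) -> int:
    """Base FT of the code plus the largest correction among the subsystem's tags."""
    base = INTEGRITY_CODES[code][2]
    worst = max(t.ft_correction() for t in tags)
    return max(0, base + worst)  # assumption: a negative result is treated as 0

def review(code: str, tags: list, achieved_pfd: float) -> list:
    """Return findings for one subsystem's tags and the function's calculated PFD."""
    target, limit, _, ett_allowed = INTEGRITY_CODES[code]
    findings = []
    for t in tags:
        if t.equipment_type in NOT_ALLOWED.get(code, set()):
            findings.append(f"{t.name}: type {t.equipment_type} not allowed for {code}")
        if t.energise_to_trip and not ett_allowed:
            findings.append(f"{t.name}: energise-to-trip not allowed for {code}")
    # Assumption: the limit is a hard ceiling and the target is the design aim.
    if achieved_pfd > limit:
        findings.append(f"PFD {achieved_pfd:.2e} exceeds limit {limit:.2e}")
    elif achieved_pfd > target:
        findings.append(f"PFD {achieved_pfd:.2e} misses target {target:.2e}")
    return findings

# Constructed sample subsystem: two sensors in a SIL 2 function.
SENSORS = [
    Tag("PT-A", "P Tx.", fail_safe=True, prior_use=True),
    Tag("PS-B", "P Sw.", fail_safe=False, prior_use=False, energise_to_trip=True),
]

if __name__ == "__main__":
    print("minimum fault tolerance:", min_fault_tolerance("SIL 2", SENSORS))
    for finding in review("SIL 2", SENSORS, achieved_pfd=8.0e-3):
        print("-", finding)
```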

Appendix C - Assumptions with relation to justification for capital investment
When justifying the investment in redundancy (either safe or dangerous fault tolerance) the following is assumed:
- An investment should be depreciated in 10 Years
- The target TEI is 15 %.
- If the return on an investment is lower than the target, the investment is not justified on economic grounds.
