Over time, complexity and redundancy in BOP stack functions have increased in order to improve BOP functionality and reduce the likelihood of blowouts leading to major accidents. Application of the IEC 61508/61511 framework to safety-critical BOP functions could lead to a reduction of complexity while maintaining the same level of safety integrity.
Subsea Blowout Preventers (BOPs) have evolved from simple stacks with limited redundancy to multiple ram configurations with complex redundant capabilities. Increasing the number of redundant capabilities for BOPs reduces the potential for loss of BOP functionality and thereby major accident potentials. However, increasing the number of components also leads to an increased failure frequency, where each failure has the potential to result in having to pull the BOP stack. Pulling the stack has a significant cost impact due to the associated delays and increased rig time.
Based on the following principles, the application of the IEC61508/61511 approach to BOPs could be more beneficial than a general increase in redundant capabilities.
Functional Safety Management plans (FSMP) for BOPs will ensure that focus lies on the BOP performance throughout its lifecycle, from concept design and engineering through operations.
SIL allocation will ensure that the safety requirement assigned for the BOP functions is commensurate with the design intention and the actual operation. In other words, the safety requirements cover the field-specific probability of kicks and blowouts and the potential consequence of these scenarios. Further, the safety requirements should be based on the other barriers in place. This will increase transparency and ensure that redundant capabilities are sufficient, but at the same time not excessive for the operation in question.
Development of Safety Requirement Specifications for the BOP will ensure that requirements placed on the safety functions are clearly documented and specific for the operation in question
Safety Integrity Level (SIL) verification of the BOP will ensure that the safety requirements placed on the BOP functions can be demonstrated with the stack design. Moreover, the output from the SIL verification may allow for adjustment of test intervals if it is allowed by regulations. Optimization of test intervals may reduce both operational time and OPEX while reducing the number of opportunities for human errors in connection with periodic tests and maintenance.
On the NCS, the NOG-070 (OLF-070) guideline puts the following requirements on the drilling-related safety functions:
Shear seal ram function / Casing shear ram function
Sequenced shutdown function (emergency disconnect, auto shear)
Mechanical ram lock function
Additionally, the guideline puts SIL requirements on several workover-related functions such as PSD, ESD, and EQD.
However, there are several challenges with SIL verification of BOPs compared to standard SIFs:
The Human Factor – there is no sensor/automatic initiation of the safety function, hence estimating a failure rate for initiation of the SIF is difficult
There are often multiple rams that may or may not provide redundancy, based on the operational circumstances
There are no fail-safe positions for the final elements in the SIF. Hence, all auxiliary systems shall be included
There are multiple passive components that shall be included in the SIF
There is limited failure data available
Frequent testing and potential for the large contribution of test independent failures
ORS has extensive experience in assisting our Clients in all phases of the IEC61511 / 61508 SIS lifecycle for BOPs, including:
Customized risk identification workshops
In-depth FMECA workshops to identify all components involved in the SIFs
Classification of SIFs and SIL allocation
Development of SRS
Validation and SIL verification of the SIFs
Monitoring of SIF performance during operation including special assistance for collection and classification of BOP failure data