Preparing for subsea safety instrumented systems

Edward Marszal - Kenexis

As we all know, the offshore oil industry – especially operators in the Gulf of Mexico (GoM) – are moving into deeper waters. This is a natural maturing process due to the lessening availability of opportunities in shallower waters and geopolitical limitations on production in other regions. While this move into deeper waters is packed with unprecedented technical challenges, the people of the GoM's oil and gas technical community have risen to the challenge and developed new tools, equipment, and techniques that have allowed this industry transition to occur with a minimum of growing pains.

One of the keys shifts in the production technology that is employed in the GoM is the expanding use of equipment items that reside on the seafloor. Some of this shift has been done to provide operating advantage and efficiency, while another part of this shift is absolutely necessary because the seafloor is the only technically feasible option for locating this equipment.

Deepwater has resulted in much higher pressures and longer flowlines required to get back up to the production platform. In some cases, a flowline that is the wall thickness required to contain the shut in tubing pressure (SITP) would be more than a mile in length in order to get back to the surface, and that is not technically feasible. In these cases, safety instrumented systems (SIS) such as flowline high-pressure protection on the seafloor is becoming a necessity.

While the ingenuity of our industry's technical personnel has allowed for the development of many solutions just in time for deployment when we needed it, use of novel components and technology for SIS is not so easy. In fact, use of new technology is simply not allowed in a large number of cases. The design of safety instrumented systems, especially in accordance with the ISA 84 (IEC 61511), does not allow the use of just any component. In general, SIS engineers are a cautious bunch. New technology is great, but we are generally not interested in being the first (or second) to try something new. Instead, we have coined terms like "proven in use" and "prior use experience" to describe the instrumentation that we will allow to be employed in a safety application.

These terms are more than platitudes, as the functional safety standards prescribe long lists of requirements for the manufacturers of these instruments, in addition to stringent statistical metrics they are required to achieve. Since not just any instrument can be placed into safety service, plans should be made now to develop the operating history required to claim prior use experience. Thus, when those instruments are required to be placed into safety critical equipment, the safety justification will be in place.

According to the ISA 84 Standard, in order for an instrument to be used in a safety instrumented function (SIF) with a safety integrity level (SIL) rating of one or greater, its use must be justified through one of two means.

Either the device needs to be designed and manufactured in accordance with the IEC 61508 Standard, or there must be sufficient "prior use" experience to justify the use of the device in a safety critical application. Many are familiar with the route of IEC 61580 compliance as the "certified" route, because most vendors that go through this level of effort in their design practices also go through the additional effort of getting their equipment certified as compliant by a third party.

While the "certified" device route is always available, it may not always be enough. In many cases there are not any certified devices in a measurement of final element category that you need to implement a certain safety function. Also, many appurtenances to the core equipment – such as solenoid valves, pneumatic relays, shuttle valves, and volume boosters – are often not certified. Plus, the subsea-capable components are not necessarily the same as their topsides equivalents. In these cases, operating companies will be required to develop prior-use experience with this equipment before implementing them in a safe application.

As an example, this author recently worked on a project where shutting in the wells at a SIL rating of SIL 2 was required. The original design called for use of two valves to achieve the SIL 2 target. One of the valves was located topsides, but the other was on the seafloor. While there was ample experience with the topsides valves, the one on the seafloor was made of completely novel technology in everything from valve mechanics and actuation to the signaling systems.

Since the valve was neither certified nor proven in use, we could not consider it to be part of the SIS. Luckily, we were able to fit an actuator on another topsides valve and use that as the second shutoff valve. The valve that is still on the seafloor is performing a useful service. The valve can still be used for shutdown purposes, but cannot be credited as part of the SIS.

In this non-critical service (since there is back-up with the topsides valves), the valve and the operating company are accumulating critical operating data and experience that will allow them to use the seafloor valve on future projects, assuming that the performance is suitable. This arrangement also enables the operator to identify and correct any design errors before the service of the valve is truly critical.

The Author

Edward M. Marszal is President and CEO of Kenexis, a consulting firm which helps process industry clients make plants safer and more productive by helping to ensure the integrity of instrumented safeguards. He can be reached at [email protected].