Application of STPA to Subsea Systemspsas.scripts.mit.edu/.../04/STPA-to-Subsea-20180329-Kim.pdf13 1) Deﬁne Purpose of the Analysis 2) Model the Control Structure 3) Iden@fy Unsafe

Application of STPA to Subsea Systems

29.3.2018Dr.Kim,Hyungju

Prof.Lundteigen,MaryAnn

Opportunities and Challenges

[email protected]

2

Background

3

4

5

6

7

STPAStudiesinRAMSGroup,NTNU

•  SubseaGatebox–Masterthesis

•  SubseaGatebox–Journalpaper

•  IsolaMonofsubseawells–OTC2018

•  Subseagascompression–ESREL2018

•  TobeconMnued…

•  Autonomousship–Masterthesis

•  DynamicposiMoningsysteminArcMccondiMon–ESREL2018(withKRISO)

•  Securingmaintenancearea–Masterthesis

8

STPAtoSubseaGasCompression

9

SubseaSystem

Manifold

ReceivingFacility

Riser

Wellhead/X-masTree

Seasurface

Seabed

Reservoir

BoosMngPumpand/or

GasCompressor

10

SystemConfigura@on

Ref:APIRP17V(2015),RecommendedPracMceforAnalysis,Design,InstallaMon,andTesMngofSafetySystemsforSubseaApplicaMons

Gas+Oil+Water

11

STPAProcedure

1)DefinePurposeoftheAnalysis

2)ModeltheControlStructure

3)IdenMfyUnsafeControl

AcMons

4)IdenMfyLoss

Scenarios

STPA

12

1)DefinePurposeoftheAnalysis 2)ModeltheControlStructure 3)Iden@fyUnsafeControlAc@ons 4)Iden@fyLossScenarios2)ModeltheControlStructure 3)Iden@fyUnsafeControlAc@ons 4)Iden@fyLossScenarios

a)IdenMfyinglosses


System Losses

SubseaGasCompressionSystem

L-1:Lossoflifeorinjurytopeople

L-2:Environmentalloss

L-3:DamagetovaluableSGCcomponents

L-4:ReducedgasproducMon

13

1)DefinePurposeoftheAnalysis 2)ModeltheControlStructure 3)Iden@fyUnsafeControlAc@ons 4)Iden@fyLossScenarios

a)IdenMfyinglosses

b)IdenMfyingsystem-levelhazards

System Losses System-LevelHazards


L-1:Lossoflifeorinjurytopeople H-1:SGCsystemconMnuestosupplygaswhengasleakstotheenvironment



H-2:SGCsystemoperatesunderabnormalcondiMons

L-4:ReducedgasproducMon H-3:SGCsystemcannotproducegaswithmaximumcapacity

14

System Losses System-LevelHazards System-LevelConstraints


L-1:Lossoflifeorinjurytopeople H-1:SGCsystemconMnuestosupplygaswhengasleakstotheenvironment

SC-1:SGCsystemmuststopcompressinggaswhengasleakstotheenvironment




SC-2:SGCsystemmustbeprotectedfromabnormaloperaMngcondiMonsthatcandamagevaluablecomponents

L-4:ReducedgasproducMon H-3:SGCsystemcannotproducegaswithmaximumcapacity

SC-3:SGCsystemmustalwaysproducegaswithmaximumcapacity


a)IdenMfyinglosses


c)Definingsystem-levelconstraints

15

System-levelhazard Sub-hazardsderivedfromsystem-levelhazards Sub-constraints


H-2.1:Liquidflowsintothegascompressor SC-2.1:Liquidmustneverflowintogascompressor

H-2.2:Gasflowsintotheliquidpump SC-2.2:Gasmustneverflowintoliquidpump

H-3:SGCsystemcannotproducegaswithmaximumcapacity

H-3.1:SGCsystemstopscompressinggaswhencompressionisneeded

SC-2.1:SGCsystemmustneverstopcompressinggaswhengascompressionisneeded

H-3.2:SGCsystemoperatesundernon-opMmaloperaMngcondiMons

SC-2.2:SGCsystemmustbeoperatedunderopMmaloperaMngcondiMons


a)IdenMfyinglosses


c)Definingsystem-levelconstraints

d)Refiningthesystem-levelhazards

16

1)DefinePurposeoftheAnalysis 3)Iden@fyUnsafeControlAc@ons 4)Iden@fyLossScenarios2)ModeltheControlStructure

HumanOperator

ControlSystem OtherSensors

•  Statusofothersubseaandtopsidesystems

SubseaGasCompressorUnit

•  StatusofSGCunit

•  Controlcompressor•  Controlvalves

•  StatusofSGCunit•  Statusofothersubseaandtopsidesystems

•  AdjustsetpointsofSGCunit

•  Shutdownprocess

Processinputandoutput

Feedback

Controlcommands

Non-pressurizedmixtureofgas,oilandwater

Pressurizedgasandliquid

17


•  Statusofothertopsidesystems

•  Speedup/downcomp.

•  Tripcomp.



•  Shutdownprocess ControlSystem


•  Open/closeLDV•  Open/closeASV

•  CloseSDVs

•  Open/closeLDV•  Open/closeASV•  CloseSDVs

SDVsposiMon

CloseSDVs

ASVposiMon

Open/closeASV

LDVposiMon

Open/closeLDV

•  Compressorinlettemp.•  Compressorinletpress.•  Compressorinletflow•  Compressoroutlettemp.•  Compressoroutletpress.•  Scrubberlevel

SCM/SEM

SDVs ASV LDV Sensors

HumanOperator

OtherTopsideSensors

•  StatusofSGC•  SDVs/ASV/LDVposiMon•  Compressorinlet/outletflow/temp./press.•  Scrubberlevel•  Statusofothersubseasystems

•  Statusofothersubseasystems OtherSubsea

Sensors

•  StatusofSGCunitandothersubseasystems


SCU

Abbrevia@on

•  VSD:VariableSpeedDrive

•  PCS:ProcessControlSystem

•  PSD:ProcessShutdown

•  SCU:SubseaControlUnit

•  SCM:SubseaControlModule

•  SEM:SubseaElectronicModule

•  SGC:SubseaGasCompressor

•  SDV:ShutdownValve

•  ASV:AnM-SurgeValve

•  LDV:LiquidDischargeValve

StatusofSGC


•  Comp.speed

SGC

VSD PSDSystem

•  Tripcompressor

PCS

Non-pressurizedmixtureofgas,oilandwater

Pressurizedgasandliquid


18

HumanOperator




•  Tripcomp.






•  CloseSDVs



SDVsposiMon

CloseSDVs

ASVposiMon

Open/closeASV

LDVposiMon

Open/closeLDV


SCM/SEM


OtherTopsideSensors



Sensors



SCU

StatusofSGC


•  Comp.speed

SGC

VSD PSDSystem

•  Tripcompressor

PCS

HumanOperatorResponsibility ProcessModel Feedback

HO.R-1:AdjustsetpointstomaximizetheefficiencyofSGCunit

HO.P-1SetpointsofsubseagascompressorisnotopMmal

•  Compressorinlet/outletpressure

•  Compressorinlet/outletflow

HO.R-2ShutdownSGCunitincaseofemergency

HO.P-2Hydrocarbonsleaktotheenvironment

•  Statusofsubseasystems(normal/leak)

•  Statusoftopsidesystems(normal/leak)

HumanOperator

19

HumanOperator




•  Tripcomp.






•  CloseSDVs



SDVsposiMon

CloseSDVs

ASVposiMon

Open/closeASV

LDVposiMon

Open/closeLDV


SCM/SEM


OtherTopsideSensors



Sensors



SCU

StatusofSGC


•  Comp.speed

SGC

VSD PSDSystem

•  Tripcompressor PCSResponsibility ProcessModel Feedback

PC.R-1:Adjustcompressorspeedtomeetthesetpoints

HO.P-1Compressorspeedisnotalignedwiththesetpoints

•  Compressorinlet/outletpressure•  Compressorinlet/outletflow•  Compressorspeed

PC.R-2Open/closeLDVtocontrolliquidlevelofscrubber

HO.P-2Scrubberlevelistoohighortoolow

•  Liquidlevelofscrubber

PC.R-3Open/closeASVtopreventsurging

HO.P-3Surgingisabouttohappen

•  Compressorinlet/outletpressure

PCS

PC.R-2Open/closeLDVtocontrolliquidlevelofscrubber

HO.P-2Scrubberlevelistoohighortoolow

•  Liquidlevelofscrubber

20


Controller:PCS

No ControlAc@onProcessModel UnsafeControlAc@ons?

Scrubberlevel Notprovided Provided Tooearly Toolate Tooshort Toolong

1 OpenLDV High2 Normal3 Low4 CloseLDV High5 Normal6 Low

OpenLDV

Unsafe Safe Unsafe UnsafeSafe SafeSafe Safe Safe Safe Safe SafeSafe N/A N/A N/A N/AUnsafe

21


UCA.PCS.LDV.001:PCSdoesnotprovideopenLDVcommandwhenscrubberlevelishigh[H-2.1]

UCA.PCS.LDV.002:PCSprovidesopenLDVcommandtoolatewhenscrubberlevelishigh[H-2.1]

UCA.PCS.LDV.003:PCSprovidesopenLDVcommandtooshort(beforetheleveldropstonormal)whenscrubberlevelishigh[H-2.1]

UCA.PCS.LDV.004:PCSprovidesopenLDVcommandwhenscrubberlevelislow[H-2.2]

UCA.PCS.LDV.005:PCSprovidescloseLDVcommandwhenscrubberlevelishigh[H-2.1] . . .

Controller:PCS

No ControlAc@onProcessModel UnsafeControlAc@ons?

Scrubberlevel Notprovided Provided Tooearly Toolate Tooshort Toolong

1 OpenLDV High Unsafe[H2] Safe Safe Unsafe[H2] Unsafe[H2] Safe2 Normal Safe Safe Safe Safe Safe Safe3 Low Safe Unsafe[H2] N/A N/A N/A N/A4 CloseLDV High Safe Unsafe[H2] N/A N/A N/A N/A5 Normal Safe Safe Safe Safe Safe Safe6 Low Unsafe[H2] Safe Safe Unsafe[H2] Unsafe[H2] Safe

22


UnsafeControlAc@ons ControllerConstraints

UCA.PCS.LDV.001

PCSdoesnotprovideopenLDVcommandwhenscrubber

levelishigh[H-2.1]

CC.PCS.LDV.001

PCSmustprovideopenLDVcommandwhenscrubberlevelishigh

[UCA.PCS.LDV.001]

UCA.PCS.LDV.002

PCSprovidesopenLDVcommandtoolatewhenscrubber

levelishigh[H-2.1]

CC.PCS.LDV.002

PCSmustprovideopenLDVcommandwithinXXsecondswhenscrubber

levelishigh[UCA.PCS.LDV.002]

UCA.PCS.LDV.003

PCSprovidesopenLDVcommandtooshort(beforethelevel

dropstonormal)whenscrubberlevelishigh[H-2.1]

CC.PCS.LDV.003

PCSmustnotstopprovidingopenLDVcommandbeforethescrubber

leveldropstonormalwhenscrubberlevelishigh[UCA.PCS.LDV.003]

UCA.PCS.LDV.004

PCSprovidesopenLDVcommandwhenscrubberlevelislow

[H-2.2]

CC.PCS.LDV.004

PCSmustnotprovideopenLDVcommandwhenscrubberlevelislow

[UCA.PCS.LDV.004]

23


a)IdenMfyingscenariosthatleadtoUCAs

UCA.PCS.LDV.001

PCSdoesnotprovideopenLDVcommandwhenscrubberlevelishigh[H-2.1]

•  Scenario1:ThePCSphysicalcontrollerfailswhenscrubberlevelishigh,causingthevalveopencommandnottobeprovided

[UCA.PCS.LDV.001].Asaresult,liquidmayflowintothegascompressor[H-2.1].(physicalcontroller)

•  Scenario2:Theliquidinthescrubberreacheshighlevel,butprocessingfailureswithinthePCSresultinthevalveopencommand

beingnotprovided[UCA.PCS.LDV.001].Asaresult,liquidmayflowintothegascompressor[H-2.1].(inadequatecontrolalgorithm)

•  Scenario3:Theliquidinthescrubberreacheshighlevel,butthePCSdoesnotprovidethevalveopencommand[UCA.PCS.LDV.001]

becausethePCSincorrectlybelievestheliquidlevelisnormalorlow.Thisflawedprocessmodelwilloccuriftheleveltransmimer

drinsandprovideswrongmeasurement.Asaresult,liquidmayflowintothegascompressor[H-2.1].(inadequateprocessmodels)

•  Scenario4:Theliquidinthescrubberreacheshighlevel,butthePCSdoesnotprovidethevalveopencommand[UCA.PCS.LDV.001]

becausethePCSisnotawareofthissituaMon.Thisflawedprocessmodelwilloccuriftheleveltransmimerfails,ifpowerisnot

suppliedtothetransmimer,orifthesignalcablefromthetransmimerisdisconnected.Asaresult,liquidmayflowintothegas

compressor[H-2.1].(inadequateprocessmodels)

24


a)IdenMfyingscenariosthatleadtoUCAs

UCA.PCS.LDV.001

PCSdoesnotprovideopenLDVcommandwhenscrubberlevelishigh[H-2.1]

•  Scenario5:PCSprovidesvalveopencommandwhenscrubberlevelishigh,butthevalveactuatordoesnotreceivethecontrol

commandduetoawiringerrorbetweenPCSandthevalveactuator.Asaresult,liquidmayflowintothegascompressor[H-2.1].

(scenarioinvolvingthecontrolpath)

•  Scenario6:PCSprovidesvalveopencommand,andtheactuatorreceivesthecommandwhenscrubberlevelishigh,butthevalve

isnotopenedduenoresponsefromthevalveactuator.Thisflawedresponsewilloccuriftheactuatorfails,ifpowerisnot

suppliedtotheactuator,orifthevalveisstuck.Asaresult,liquidmayflowintothegascompressor[H-2.1].(scenarioinvolving

thecontrolpath)

•  Scenario7:PCSprovidesvalveopencommandwhenscrubberlevelishigh,andthevalveisopen,buttheliquidleveldoesnot

dropbecauseliquidsupplyrateislargerthandischargerate.ThisflawedprocesswilloccurifthecalculaMonofsupplyanddischarge

ratewaswronginthedesignphase.Asaresult,liquidmayflowintothegascompressor[H-2.1].(scenariorelatedtothecontrolled

process)

b)IdenMfyingscenariosinwhichcontrolacMonsareimproperlyexecutedornotexecuted

25

STPAtoIsola@onofSubseaWells

26

SystemDescrip@on

Manifold

ReceivingFacility

Riser

Wellhead/X-masTree

Seasurface

Seabed

Reservoir

BoosMngPumpand/or

GasCompressor

27

SystemConfigura@on

28



•  Statusofothersubseasystems

•  StatusofESDvalves

Control/PowerSystem

•  Bleeddownhydraulicpressure

•  Cutoffelec.power

ESDValves

•  PressureofDHSV•  PressureofPMV•  PressureofPWV•  PressureofCIV

HumanOperator

OtherTopsideSensors


Sensors

Abbrevia@on

•  SAS:SafetyAutomaMonSystem

•  HPU:HydraulicPowerUnit

•  EPU:ElectricPowerUnit•  SCM:SubseaControlModule

•  DCV:DirecMonControlValve•  ESD:EmergencyShutdown

•  DHSV:DownHoleSafetyValve

•  PMW:ProducMonMasterValve

•  PWV:ProducMonWingValve

•  CIV:ChemicalInjecMonValve

•  SEM:SubseaElectronicModule

HPU

SCM

Hydraulicpressure Electricpower

DumpDCV

DHSVDCV

PMVDCV

PWVDCV

CIVDCV

DHSV PMV PWV CIV Sensors

Hydraulicpressure

Hydraulicpressure

Hydraulicpressure

Hydraulicpressure



SEM

•  Bleeddownhyd.pressure

•  Cutoffelectricalpower

SASESD

EPU

•  Emergencyshutdown

Feedback

Controlcommands

Hydraulicpressure

Hydraulicpressure

29

Discussions

30

No

UCA.HOP.001SNR.HOP.001.01 HumanOperatorreceiveswrongfeedbackfromSASduetosensorfailureSNR.HOP.001.02 HumanOperatorreceivesnofeedbackfromSASduetosensorfailureSNR.HOP.001.03 HumanOperatorreceivesnofeedbackfromSASduetocommunicationcablefailureSNR.HOP.001.04 HumanOperatorreceivesnofeedbackfromSASduetolossofpowersupplySNR.HOP.001.05 HumanOperatorreceiveswrongfeedbackfromSASduetosoftwareerrorinsideSASSNR.HOP.001.06 HumanOperatorreceivesnofeedbackfromSASduetosoftwareerrorinsideSASSNR.HOP.001.07 HumanOperatorreceivesnofeedbackfromSASduetoHMIfailureSNR.HOP.001.08 HumanOperatorreceivescorrectfeedbackfromSAS,butdoesnotprovidecommand

UCA.HOP.002SNR.HOP.002.01 HumanOperatorreceivesfeedbackfromSAStoolateduetosensorfailureSNR.HOP.002.02 HumanOperatorreceivesfeedbackfromSAStoolateduetosoftwareerrorinsideSASSNR.HOP.002.03 HumanOperatorreceivesfeedbackfromSASintime,butprovidescontrolcommandtoolate

UCA.HOP.003SNR.HOP.003.01 HumanOperatorreceiveswrongfeedbackfromSASduetosensorfailureSNR.HOP.003.02 HumanOperatorreceiveswrongfeedbackfromSASduetosoftwareerrorinsideSASSNR.HOP.003.03 HumanOperatorreceivescorrectfeedbackfromSAS,butprovidescommand

UCA.ESD.001SNR.ESD.001.01 ESDdoesnotreceivecontrolcommandfromHumanOperatorduetocablefailureSNR.ESD.001.02 ESDdoesnotreceivecontrolcommandfromHumanOperatorduetolossofpowersupplySNR.ESD.001.03 ESDreceivescontrolcommandfromHumanOperator,butdoesnotprovidecontrolcommandduetoESDsystemfailure

UCA.ESD.002SNR.ESD.002.01 Nopossiblescenario


UCA.ESD.004SNR.ESD.004.01 ESDprovidescontrolcommandduetoshortcircuit

UCA.ESD.005SNR.ESD.005.01 ESDdoesnotreceivecontrolcommandfromHumanOperatorduetocablefailureSNR.ESD.005.02 ESDdoesnotreceivecontrolcommandfromHumanOperatorduelossofpowersupplySNR.ESD.005.03 ESDreceivescontrolcommandfromHumanOperator,butdoesnotprovidecontrolcommandduetoESDsystemfailure



UCA.ESD.008SNR.ESD.008.01 ESDprovidescontrolcommandduetoshortcircuit

UCA.SAS.001SNR.SAS.001.01 SASreceiveswrongfeedbackfromsensorsduetosensorfailureSNR.SAS.001.02 SASreceivesnofeedbackfromsensorsduetosensorfailureSNR.SAS.001.03 SASreceivesnofeedbackfromsensorsduetosignalcablefailureSNR.SAS.001.04 SASreceivesnofeedbackfromsensorsduetolossofpowersupplySNR.SAS.001.05 SASreceivescorrectfeedbackfromsensors,butdoesnotprovidecommandduetosoftwareerrorinsideSAS

UCA.SAS.002SNR.SAS.002.01 SASreceivesfeedbackfromsensorstoolateduetosensorfailureSNR.SAS.002.02 SASreceivesfeedbackfromsensorsintime,butprovidescontrolcommandtoolateduetosoftwareerrorinsideSAS

UCA.SAS.003SNR.SAS.003.01 SASstopsprovidingbleeddowncommendtoosoonduetosoftwareerrorinsideSAS

UCA.SAS.004SNR.SAS.004.01 SASreceiveswrongfeedbackfromsensorsduetosensorfailureSNR.SAS.004.02 SASreceivescorrectfeedbackfromsensors,butprovidescommandduetosoftwareerrorinsideSAS

UCA.SAS.005SNR.SAS.005.01 SASreceiveswrongfeedbackfromsensorsduetosensorfailureSNR.SAS.005.02 SASreceivesnofeedbackfromsensorsduetosensorfailureSNR.SAS.005.03 SASreceivesnofeedbackfromsensorsduetosignalcablefailureSNR.SAS.005.04 SASreceivesnofeedbackfromsensorsduetolossofpowersupplySNR.SAS.005.05 SASreceivescorrectfeedbackfromsensors,butdoesnotprovidecommandduetosoftwareerrorinsideSAS

UCA.SAS.006SNR.SAS.006.01 SASreceivesfeedbackfromsensorstoolateduetosensorfailureSNR.SAS.006.02 SASreceivesfeedbackfromsensorsintime,butprovidescontrolcommandtoolateduetosoftwareerrorinsideSAS

UCA.SAS.007SNR.SAS.007.01 SASstopsprovidingbleeddowncommendtoosoonduetosoftwareerrorinsideSAS

UCA.SAS.008SNR.SAS.008.01 SASreceiveswrongfeedbackfromsensorsduetosensorfailureSNR.SAS.008.02 SASreceivescorrectfeedbackfromsensors,butprovidescommandduetosoftwareerrorinsideSAS

UCA.HPU.001SNR.HPU.001.01 HPUreceiveswrongcommandfromESDorSASduetocommunicationcablefailreSNR.HPU.001.02 HPUreceivesnocommandfromESDorSASduetocommunicationcablefailureSNR.HPU.001.03 HPUreceivesnocommandfromESDorSASduetolossofpowersupplySNR.HPU.001.04 HPUreceivescommandfromESDorSAS,butprovideshydraulicpressureduetosoftwareerrorinsideHPUSNR.HPU.001.05 HPUreceivescommandfromESDorSAS,butprovideshydraulicpressureduetosolenoidvalvefaliure

UCA.HPU.002SNR.HPU.002.01 HPUreceivescommandfromESDorSAStoolateduetocommunicationcablefailureSNR.HPU.002.02 HPUreceivescommandintime,butstopprovidinghydraulicpressuretoolateduetosoftwareerrorinsideHPUSNR.HPU.002.03 HPUreceivescommandintime,butstopprovidinghydraulicpressuretoolateduetosolenoidvalvefailure

UCA.HPU.003SNR.HPU.003.01 HPUstartsprovidinghydraulicpressureagainduetosoftwareerrorinsideHPUSNR.HPU.003.02 HPUstartsprovidinghydraulicpressureagainduetosolenoidvalvefailure

UCA.HPU.004SNR.HPU.004.01 HPUreceiveswrongcommandfromESDorSASduetocommunicationcablefailreSNR.HPU.004.02 HPUdoesnotreceivecommandfromESDorSAS,butprovideshydraulicpressureduetosoftwareerrorinsideHPUSNR.HPU.004.03 HPUdoesnotreceivecommandfromESDorSAS,butprovideshydraulicpressureduetosolenoidvalvefaliure

UCA.EPU.001SNR.EPU.001.01 EPUreceiveswrongcommandfromESDorSASduetocommunicationcablefailreSNR.EPU.001.02 EPUreceivesnocommandfromESDorSASduetocommunicationcablefailureSNR.EPU.001.03 EPUreceivesnocommandfromESDorSASduetolossofpowersupplySNR.EPU.001.04 EPUreceivescommandfromESDorSAS,butprovideselectricpowerduetosoftwareerrorinsideEPUSNR.EPU.001.05 EPUreceivescommandfromESDorSAS,butprovideselectricpowerduetorelayfaliure

UCA.EPU.002SNR.EPU.002.01 EPUreceivescommandfromESDorSAStoolateduetocommunicationcablefailureSNR.EPU.002.02 EPUreceivescommandintime,butstopprovidingelectricpowertoolateduetosoftwareerrorinsideEPUSNR.EPU.002.03 EPUreceivescommandintime,butstopprovidingelectricpowertoolateduetorelayfailure

UCA.EPU.003SNR.EPU.003.01 EPUstartsprovidinghydraulicpressureagainduetosoftwareerrorinsideEPUSNR.EPU.003.02 EPUstartsprovidinghydraulicpressureagainduetorelayfailure

UCA.EPU.004SNR.EPU.004.01 EPUreceiveswrongcommandfromESDorSASduetocommunicationcablefailreSNR.EPU.004.02 EPUdoesnotreceivecommandfromESDorSAS,butprovideselectricpowerduetosoftwareerrorinsideEPUSNR.EPU.004.03 EPUdoesnotreceivecommandfromESDorSAS,butprovideselectricpowerduetorelayfaliure

UCA.SCM.001

SNR.SCM.001.01 HydraulicleakSNR.SCM.001.02 DCVsareclogged

UCA.SCM.002

SNR.SCM.002.01 NopossiblescenarioUCA.SCM.003

SNR.SCM.003.01 DuttolongdistancebetweenHPUandSCM

SCMdoesnotdistributehydraulicpressurewhenhydraulicpressureorelectricpowerissupplied[H3]

SCMdistributeshydraulicpressurewhenhydraulicpressureorelectricpowerisnotsupplied[H1,H2]

SCMdoesnotdistributehydraulicpressuretoolatewhenhydraulicpressureorelectricpowerisnotsupplied[H1,H2]

HPUdoesnotprovidehydraulicpressuretooshortwhenESDorSASprovidesbleeddownhydraulicpressurecommand[H1,H2]

HPUdoesnotprovidehydraulicpressurewhenESDorSASdoesnotprovidebleeddownhydraulicpressurecommand[H3]

EPUprovideselectricpowerwhenESDorSASprovidescutoffelectricalpowercommand[H1,H2]

EPUdoesnotprovideelectricpowertoolatewhenESDorSASprovidescutoffelectricalpowercommand[H1,H2]

EPUdoesnotprovideelectricpowertooshortwhenESDorSASprovidescutoffelectricalpowercommand[H1,H2]

EPUdoesnotprovideelectricpowerwhenESDorSASdoesnotprovidecutoffelectricalpowercommand[H3]

HPUdoesnotprovidehydraulicpressuretoolatewhenESDorSASprovidesbleeddownhydraulicpressurecommand[H1,H2]

ESDprovidescutoffelectricalpowercommandtooshortwhenHumanOperatorprovidesemergencyshutdowncommand[H1,H2]

ESDprovidescutoffelectricalpowercommandwhenHumanOperatordoesnotprovideemergencyshutdowncommand[H3]

SASdoesnotprovidebleeddownhydraulicpressurecommandwhenpre-definedabnormalconditionsaredetected[H1,H2]

SASprovidesbleeddownhydraulicpressurecommandtoolatewhenpre-definedabnormalconditionsaredetected[H1,H2]

SASprovidesbleeddownhydraulicpressurecommandtooshortwhenpre-definedabnormalconditionsaredetected[H1,H2]

SASprovidesbleeddownhydraulicpressurecommandwhenpre-definedabnormalconditionsarenotdetected[H3]

SASdoesnotprovidecutoffelectricalpowercommandwhenpre-definedabnormalconditionsaredetected[H1,H2]

SASprovidescutoffelectricalpowercommandtoolatewhenpre-definedabnormalconditionsaredetected[H1,H2]

SASprovidescutoffelectricalpowercommandtooshortwhenpre-definedabnormalconditionsaredetected[H1,H2]

SASprovidescutoffelectricalpowercommandwhenpre-definedabnormalconditionsarenotdetected[H3]

HPUprovideshydraulicpressurewhenESDorSASprovidesbleeddownhydraulicpressurecommand[H1,H2]

ESDprovidescutoffelectricalpowercommandtoolatewhenHumanOperatorprovidesemergencyshutdowncommand[H1,H2]

Contents

HumanOperatordoesnotprovideemergencyshutdowncommandwhenanemergencyoccurs[H1,H2]

HumanOperatorprovidesemergencyshutdowncommandtoolatewhenanemergencyoccurs[H1,H2]

HumanOperatorprovidesemergencyshutdowncommandwhenanemergencydoesnotoccur[H3]

ESDdoesnotprovidebleeddownhydraulicpressurecommandwhenHumanOperatorprovidesemergencyshutdowncommand[H1,H2]

ESDprovidesbleeddownhydraulicpressurecommandtoolatewhenHumanOperatorprovidesemergencyshutdowncommand[H1,H2]

ESDprovidesbleeddownhydraulicpressurecommandtooshortwhenHumanOperatorprovidesemergencyshutdowncommand[H1,H2]

ESDprovidesbleeddownhydraulicpressurecommandwhenHumanOperatordoesnotprovideemergencyshutdowncommand[H3]

ESDdoesnotprovidecutoffelectricalpowercommandwhenHumanOperatorprovidesemergencyshutdowncommand[H1,H2]

[email protected]–Widerscope

•  STPAcancoverhumanerrors,sonwareflaws,andphysicalcomponentfailures

Physicalcomponentfailure48(68%)

So_wareerror20(28%)

Humanerror3(4%)

•  71scenarioswereidenMfiedfromIsolaMonofsubseawells

31

[email protected]–Top-downapproach

•  Analysiscanberefinedwithmoredetails

32

[email protected]–Top-downapproach

•  Analysiscanberefinedwithmoredetails

Controller:SAS

No ControlAc@on

Processmodel UnsafeControlAc@ons?

Pre-definedemergencycondi@ons Notprovided Provided Tooearly Toolate Tooshort Toolong

1 Bleeddownhydraulicpressure

Occurred Unsafe[H1,H2] Safe N/A Unsafe[H1,H2] Unsafe[H1,H2] N/A

2 Notoccurred Safe Unsafe[H3] N/A N/A N/A N/A

3Cutoffelectricalpower

Occurred Unsafe[H1,H2] Safe N/A Unsafe[H1,H2] Unsafe[H1,H2] N/A

4 Notoccurred Safe Unsafe[H3] N/A N/A N/A N/A

• GasleakatHVACinlet• Gasleakinnon-hazardousarea• Gasleakinhazardousarea•  Fireinhazardousarea• Gas/waterheatexchangertube

33

Opportuni@es

Manifold

ReceivingFacility

Riser

Wellhead/X-masTree

Seasurface

Seabed

Reservoir

BoosMngPumpand/or

GasCompressor

Unmannedplaaorm

Inopera@onsince2015

VS

34

Subseasystemsaresuddenlygepngmorecomplexandsonware-intensive

Opportuni@es

TradiMonalhazardidenMficaMonmethods(FMECAorHAZOP)arenotsuitabletoidenMfysonwareflaws,humanerrors,orinteracMonsofcomplexsystemcomponents

STPAcandoit!(withsystemaMcandtop-downapproach)

35

Challenges1.Dynamiccontrolstructure


•  Statusofothersubseasystems


Control/PowerSystem

•  Bleeddownhydraulicpressure

•  Cutoffelec.power

ESDValves

•  PressureofDHSV•  PressureofPMV•  PressureofPWV•  PressureofCIV

HumanOperator

OtherTopsideSensors


Sensors

HPU

SCM

Hydraulicpressure Electricpower

DumpDCV

DHSVDCV

PMVDCV

PWVDCV

CIVDCV

DHSV PMV PWV CIV Sensors

Hydraulicpressure

Hydraulicpressure

Hydraulicpressure

Hydraulicpressure



SEM

•  Bleeddownhyd.pressure

•  Cutoffelectricalpower

SASESD

EPU

•  Emergencyshutdown

36

Challenges1.Dynamiccontrolstructure

PetroleumSafetyAuthority(PSA)Norway

OilCompanyA OilCompanyB OilCompanyC

OilField1

OilField2

OilField3

OilField4

OilField5

OilField6ESD

37

Challenges


So_wareerror20(28%)

Humanerror3(4%)

2.Physicalcomponentplaysanimportantroleinsubseasystems

Hardware-orienteddesignconstraints,like

•  Gasleakagedetectormusthaveredundancy(2oo3configuraMon)

•  Gasleakagedetectormustbeconnectedtoredundantpower

supplyorUPS

NeedtoclassifyandprioriMzedesignconstraints-Someconstraintsarecheap,easyandveryeffecMve,whileothersareexpensive,difficultandlesseffecMve-Somescenarioscanneverbecompletelyprevented,whileotherscanbe

38

ScreeningandPriori@za@on


3)Iden@fyUnsafeControlAc@ons

4)Iden@fyLossScenarios

2)ModeltheControlStructure DesignConstraints

•  UCA1•  UCA2•  UCA3•  UCA4•  UCA5•  UCA6•  UCA7•  UCA8...

•  Scenario1•  Scenario2•  Scenario3•  Scenario4•  Scenario5•  Scenario6•  Scenario7•  Scenario8

...

•  UCA1•  UCA2•  UCA3•  UCA4•  UCA5•  UCA6•  UCA7•  UCA8...

•  DC1•  DC2•  DC3•  DC4•  DC5•  DC6•  DC7•  DC8...

•  Scenario1•  Scenario2•  Scenario3•  Scenario4•  Scenario5•  Scenario6•  Scenario7•  Scenario8

...

ScreeningUCAs(consequence,responseMme,

levelofknowledge,etc.)

ScreeningScenarios(consequence,frequency,

levelofknowledge,etc.)

•  DC5

•  DC1•  DC2•  DC3•  DC4

•  DC6•  DC7•  DC8

Priori@zeDCs(easiness,cost,

effecMveness,etc.)

UCA.PCS.ASV.001PCSdoesnotprovideopenASVcommandwhencompressoroutletpressureishigherthansurgelimit

UCA.PCS.CMP.003PCSdoesnotprovideCompressorspeedupcommandwheninletflowisbelowopMmalcondiMon

39

Challenges


So_wareerror20(28%)

Humanerror3(4%)

3.IteraMonsofSTPA

Hardware-orienteddesignconstraints,like

•  Gasleakagedetectormusthaveredundancy(2oo3configuraMon)

•  Gasleakagedetectormustbeconnectedtoredundantpower

supplyofUPS

Designconstraintsthatincreasesystemcomplexity,like

•  SASmustgenerateanalarmwhennosignalisreceived

fromgasleakagedetector

DoweneedtoconductSTPAagain?-ifnot,whatcanwedoforaddiMonalhazards?-ifso,whencanwestop?

40

FutureWork

•  SubseaProcessingSystem

•  SubseaSafetySystem

•  SubseaProduc@onSystem

•  SummarizeoverallSTPAchallengesinsubseaapplica@onandprovidesolu@ons

•  ApplySTPAtoSubseasafetystandardsinNorway

41

AnyQues@ons?

42

Documents

Application of STPA to Subsea Systemspsas.scripts.mit.edu/.../04/STPA-to-Subsea-20180329-Kim.pdf13 1) Deﬁne Purpose of the Analysis 2) Model the Control Structure 3) Iden@fy Unsafe