When is an Independent Protection Layer (IPL) Not a Safeguard

We are going to continue discussing the results from exida’s recently published industry benchmark survey on the practices for the use of alarms as safeguards and IPLs. Over 200 safety practitioners from around the world provided responses. This entry will discuss the relationship between alarms identified as safeguards and those that become IPLs. One industry reference defines a safeguard as “a potential protection layer that has yet to be evaluated in a LOPA to determine effectiveness and independence” [1].

Respondents provided feedback to the following question: What percentage of the alarms that are considered during a Layer of Protection Analysis (LOPA) were identified during a Process Hazard Analysis (PHA)?

Ideally 100% of the alarms that are considered in a LOPA would have first been identified as a safeguard/recommendation in the PHA. Figure 2 shows that in practice, this is far from the case. Only 12.4% of the respondents indicated that all (100%) of the alarms in the LOPA had come from the PHA. 51% of the respondents appear to frequently identify new alarms during LOPA that were “missed” during the PHA. This would seem to indicate poor PHA practices. Failing to identify alarms during a PHA could signal various issues, such as a lack of thoroughness, lack of documenting all safeguards in order to save time, or a lack of understanding of the process. This blogger wonders whether this pattern is unique to the treatment of alarms or is present for other safeguards as well.

SIS Should Only Be Used as an IPL Once

Another mistake that I commonly run into when reviewing HAZOP/LOPA studies (i.e., studies where the SIS is included as a protection as opposed to LOPA/SIL where the SIS is not considered an IPL so that its performance target can be determined) is the unrealistic use of the SIS in multiple protection layers. This is a clear violation of the “separation” criteria of a protection layer that often gets neglected due to inexperienced analysts’ focus on “sensors” instead of the entire SIF. The best rule of thumb for including a SIS as an IPL in a LOPA is that the “SIS can only be used as a protection layer once per scenario”. Granted, the SIL target may be high (e.g., SIL 2 or SIL 3 – with corresponding failure probability of 1% and 0.1%), but credit can only be taken once.

Let me clarify this rule with an example of an analysis that was done very poorly, and the correct assessment of the situation. Consider the hazard of overfilling a compressor knockout drum with liquid which subsequently could be carried over into the machine causing damage to the machine and potential loss of containment through damaged seals. The assessment team, led by an inexperienced facilitator with little understanding of how SIS worked, listed the following IPLs.

1. High Level Shutoff

2. High Vibration Shutoff

3. High/Low Motor Current Shutoff

4. and strangely, High Pressure Shutoff

Furthermore, the team stated that since the facility used a SIL 3 rated logic solver, all of these protection layers afforded three orders of magnitude of risk reduction, resulting in an overall protection level of 12 orders of magnitude of risk reduction.

Incredibly safe? Hardly. This analysis was a comedy of errors that I will now dissect. The first thing to note is the amateur description of the SIS IPL that only includes the sensor and not the action taken. This is usually a dead giveaway that the analysis was put together by a rookie who doesn’t understand the SIS IPL. While each one of these “protection layers” does indeed use a separate sensor, they all share the same logic solver (with the possible exception of the over/undercurrent trip) and all share the same final element, i.e., the compressor’s motor starter. In reality you don’t have four SIFs, you have one SIF with four sensors (at least that is what the team alleges).

Furthermore, the “high pressure” SIF blatantly violates the “specificity” criteria of an IPL. You can’t argue that the high pressure shutdown in the separator vessel was “specifically designed” to detect an overfill condition. Even high current and vibration trips are of dubious credibility with respect to an overfill condition, but are still somewhat commonly used. In this scenario, the team theorized that if the separator drum were to overfill it would also result in a high pressure, which would be detected by the high pressure switch. This is in fact not true, in addition to being not “specific” and not “separate”.

Finally, while a SIL 3 logic solver may be a good thing, that doesn’t mean that every loop that goes through the logic solver is SIL 3. In fact, most of the failure probability is associated with field equipment, which in this case was blind switches – capable of achieving SIL 1, but not more.

Ultimately, all of the protection layers that were listed by the team fell very much short of reaching the purported 12 orders of magnitude of risk reduction. The most restrictive interpretation of an IPL would only allow credit for the high level SIF (the others are not really specific, and not really separate), which can only provide one order of magnitude of risk reduction. If you additionally took credit for the vibration and/or under/overcurrent sensing, these are not additional protection layers, but could be considered as additional sensors for the single SIF that protects the compressor. If these multiple sensors are considered as part of the SIF, then the SIF could likely achieve SIL 2, but no more. The final result – not 12 orders of magnitude of risk reduction, but at most 2.

Acceptable Sharing of BPCS and SIS Field Measurements

Posted November 30, 2014 by Kevin Mitchell

Many users of safety automation equipment employ a practice of using redundant field devices on safety-critical process measurements (e.g., level transmitters, flow transmitters, pressure transmitters, etc.). These users, who are often in the petroleum refining industry, typically use these measurements in a 2oo3 (two-out-of-three) vote to shut down using triplicated field instruments, with this logic being implemented in the Safety Instrumented System (SIS) logic solver. Less commonly, some also use these same three signals as inputs to the basic process control system (BPCS), usually with a mid-select function for feedback control of a process variable. This practice involves splitting each of the three signals with one analog input to the Safety PLC and one analog input to the BPCS. Signal repeaters are typically powered by the SIS.

ISA and IEC standards for SIS encourage users to separate field devices used in BPCS from field devices used in the SIS. The intent is to ensure that no device that is used in BPCS can fail in a way that inhibits or degrades the performance of the SIS. This position would argue that the practice of sharing BPCS and SIS transmitters in a 2oo3 vote is not compliant with ISA and IEC standards for SIS. The ANSI/ISA 84.00.01-2004 standard Functional Safety: Safety Instrumented Systems for the Process Industry Sector (harmonized with the IEC 61511 standard) states:

Clause 11.2.9 The design of the SIS shall take into consideration all aspects of independence and dependence between the SIS and BPCS, and the SIS and other protection layers.

and

Clause 11.2.10 A device used to perform part of a safety instrumented function shall not be used for basic process control purposes, where a failure of that device results in a failure of the basic process control function which causes a demand on the safety instrumented function, unless an analysis has been carried out to confirm that the overall risk is acceptable.

Therefore, allowance is made for situations where sharing BPCS / SIS field devices is suitable from the perspective of risk. In precise terms used in risk analysis, shared signals for BPCS and SIS only become a problem when there is a potential for a transmitter failure that inhibits or degrades the performance of the SIS while simultaneously creating a demand for the SIS to take action by causing the BPCS to malfunction in a way that initiates a hazardous condition. For example, if loss of liquid level in a vessel could result in a hazardous “gas blow-by” event, a single level transmitter that is used for both control and safety could fail in place above the set point. This would falsely indicate a high level. In this scenario with a single transmitter and a 1oo1 vote to trip, the SIS would be unaware of any subsequent low level conditions. Simultaneously, the BPCS would sense high level and take action to drive the level in the vessel lower. Because the transmitter has failed in place, the level would continue to drop until a hazardous low level condition occurred. Clearly, this is not an acceptable level transmitter configuration for safety-critical applications.

Conversely, shared signals for BPCS and SIS are not an issue in risk analysis terms when there is no potential failure mode of the BPCS control loop that would place a demand on the SIS. One example would be backflow prevention safeguards afforded by shared flow transmitters. The SIL Selection team identified no failure modes for flow control loops that could result in a potential hazardous backflow condition occurring. This hazard would only occur if the charge pump fails. No demand would occur for the SIS to trip even if flow transmitter(s) were in a failed state.

In the refining industry, we see use of three transmitters in a 2oo3 vote to trip in the SIS and a mid-select function in the BPCS. When 3 transmitters are operational, no single transmitter failure would simultaneously inhibit the SIS and initiate a hazardous condition that would place a demand on the SIS. However, not all transmitter failure modes that would traditionally be safeguarded by a typical 2oo3 vote to trip are safeguarded by this practice.

Kenexis has identified the following failure modes that are unprotected by the SIS:

Two transmitters failed in a dangerous undetected mode such as “fail-in-place”. This would defeat the protection afforded by the SIS. In this case, the demand for the hazardous condition would occur simultaneously with the failure of the second transmitter. Because three transmitters are used to sense the same process variable, deviation alarms could be used to diagnose a single transmitter being failed-in-place.

A common cause failure mechanism that simultaneously defeats all three transmitters. Note: this failure mechanism could not be argued to be safeguarded against by providing additional transmitters that physically separate the BPCS and SIS.

The SIS has degraded to a 1oo1 vote due to diagnosed failures of two out of three transmitters. Repair to either transmitter has not yet occurred. In this time interval, a single transmitter is now being used for both control and SIS protection. If this transmitter were to fail in a dangerous undetected mode (e.g., fail-in-place) prior to repair of the remaining two, the SIS would be inhibited and the BPCS would simultaneously initiate a hazardous condition that would result in a demand on the SIS. Using administrative procedures that ensure faulted transmitters are repaired within a relatively short time-frame (e.g., 72 hours) would greatly reduce the likelihood of this scenario. This would be covered under procedures for defeat of critical safety systems and temporary operation with Safety Instrumented System in bypass.

Kenexis advises our customers that ISA / IEC standards do not promote use of the practice of sharing BPCS/SIS transmitters. Further, Kenexis advises our customers on the potential failure modes which are not protected by the SIS when using this practice, which are limited to the above four identified interlocks.

Some customers deem these risks to be tolerable given the engineering design and strong administrative controls that are in place for these systems. Others prefer the more traditional separation of BPCS and SIS transmitters. ANSI/ISA standards on SIS allow sharing, but require additional analysis of failure modes, the likelihood of failure, and an assessment of the risk.
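The failure modes above can be reproduced with a small closed-loop simulation. This is an added example, not Kenexis code: it models the low-level (gas blow-by) scenario with three shared transmitters, a BPCS mid-select and a SIS 2oo3 low-level trip, and every numeric value (set point, trip point, gains, deviation limit) is constructed for illustration.

```python
# Constructed values for illustration; none of them come from the article.
SETPOINT = 50.0      # % level the BPCS controls to
LOW_TRIP = 20.0      # % level, SIS low-level trip point
HAZARD_LEVEL = 5.0   # % level at which gas blow-by is assumed to start
STUCK_AT = 60.0      # reading of a transmitter failed in place above set point
DEV_LIMIT = 5.0      # % spread between transmitters that raises a deviation alarm
INFLOW, MAX_OUT, KP = 1.0, 3.0, 0.1   # feed rate, max outflow, controller gain


def clamp(x, lo, hi):
    return max(lo, min(hi, x))


def simulate(stuck_count, valve_fails_open=False, steps=200):
    """Run the level loop with `stuck_count` transmitters failed in place.

    Returns (outcome, deviation_alarm) where outcome is:
      "stable"  - level held, no demand on the SIS
      "tripped" - SIS 2oo3 low-level vote acted before the hazard
      "hazard"  - level reached HAZARD_LEVEL with no SIS trip
    `valve_fails_open` is an initiating event unrelated to the transmitters.
    """
    level = SETPOINT
    deviation_alarm = False
    for _ in range(steps):
        # Each signal is split to both systems, so BPCS and SIS see the same readings.
        readings = [STUCK_AT if i < stuck_count else level for i in range(3)]

        # Deviation alarm: the transmitters disagree by more than the limit.
        if max(readings) - min(readings) > DEV_LIMIT:
            deviation_alarm = True

        # SIS: 2oo3 vote on low level.
        if sum(r <= LOW_TRIP for r in readings) >= 2:
            return "tripped", deviation_alarm
        if level <= HAZARD_LEVEL:
            return "hazard", deviation_alarm

        # BPCS: mid-select, then proportional control of the outlet flow.
        pv = sorted(readings)[1]
        if valve_fails_open:
            outflow = MAX_OUT
        else:
            outflow = clamp(INFLOW + KP * (pv - SETPOINT), 0.0, MAX_OUT)
        level = clamp(level + INFLOW - outflow, 0.0, 100.0)
    return "stable", deviation_alarm


if __name__ == "__main__":
    for n in range(4):
        print(n, "stuck:", simulate(n))
    print("1 stuck + valve fails open:", simulate(1, valve_fails_open=True))
```

With one transmitter stuck, the mid-select ignores it and the 2oo3 vote still trips on an independent demand; with two stuck, the BPCS itself drains the vessel and the SIS never votes. With all three stuck (common cause) the deviation alarm stays silent as well.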

SIS Function Testing

Posted November 6, 2014 by Kevin Mitchell

I recently assisted a customer in testing a newly installed Safety Instrumented System (SIS) at a Natural Gas Liquids (NGL) processing facility. The activity was a Site Acceptance Test (SAT) in which each Safety Instrumented Function (SIF) is thoroughly tested. The plan involved exercising each transmitter through its range of normal operation, alarm points, and trip points. Final elements were reset and observed to change state during a trip, thereby proving that the SIF logic as well as all field devices were functioning properly. We encountered a non-conformance when testing for transmitter fault conditions. The procedure involved driving the transmitter outside the normal 4 to 20 mA range. The expected behavior is for this to be detected by the SIS logic solver, and the associated process variable to be placed in a vote-to-trip state. In the first test, we drove the transmitter below the calibrated range, resulting in a signal below 4 mA at the PLC. However, no vote-to-trip occurred. The signal was lowered to 3 mA, 2 mA and so forth, but no change in state was observed. We discovered that the configuration of the logic solver relied upon fault detection at the Analog Input module, which would set a fault bit and communicate this to the processor. It was noted that this logic was not properly functioning. The resolution was to program logic in the SIS application for the processor to detect the out of range condition and properly place the process variable in a vote-to-trip state.

A thorough examination of the SIS should include defining the saturation current of each transmitter or type of transmitter being used as input to the SIS. Saturation current is the lowest current that a transmitter will generate while still functioning within the calibrated range. For example, a transmitter may be calibrated to read 100 psig to 1500 psig. 4 mA would correspond to 100 psig. The saturation current may be 3.9 mA for a transmitter. The fault detection is typically set at 0.1 mA below the saturation current, or other value specified by the vendor. This results in a fault detection at 3.8 mA or below for this example. Logic was also programmed to detect an over-range fault; however, each transmitter is configured to drive the signal downscale on a self-diagnosed fault condition. Again, the exact value of the fault current will vary from vendor to vendor, but it will be significantly lower than the saturation current. For example, the fault current may be 3.75 mA, which would be detected by our 3.8 mA or less PLC diagnostic.

The important concept here is to understand the engineering techniques used to verify that the design of the SIF meets the Safety Integrity Level (SIL) target. This is known as SIL Verification, which involves reliability engineering principles and an examination of possible device failure modes. Each transmitter will have a characteristic failure rate for failure modes such as “Fail High”, “Fail Low”, and “Fail in Place”. Self-diagnosed fault conditions are usually configured to result in a “Fail Low” effect. The SIL verification calculations typically assume that all over-range (>20 mA) or under-range (<4 mA) conditions result in a vote-to-trip, which results in a potentially dangerous failure mode being converted to a safe outcome. This reduces the SIF probability of failure on demand (PFD) and increases the achieved Risk Reduction Factor (RRF). It would be a significant gap if the SIS configuration for fault detection does not match with these assumptions used in SIL verification.

At Kenexis, we always require function test plans to verify proper handling of transmitter faults by the SIS Logic Solver. When using a Safety PLC that is certified for SIS applications, this fault handling is typically the default configuration. However, when using a general purpose industrial PLC with a safety configuration, this type of fault handling may require application programming. Please contact Kenexis if you’d like more guidance on SIS function testing, also called proof testing.
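The application-level fault handling described in this post can be sketched as follows, next to the configuration that failed the SAT. This is an added example, not the logic installed at the facility: it uses the 100 to 1500 psig range and the 3.9 mA / 3.8 mA figures from the text, while the 20.5 mA over-range threshold, the 1200 psig trip point used in the demonstration and all function names are assumptions.

```python
from enum import Enum

# Figures from the article's worked example
CAL_LOW_PSIG, CAL_HIGH_PSIG = 100.0, 1500.0   # 4 mA .. 20 mA
SATURATION_LOW_MA = 3.9
UNDER_RANGE_FAULT_MA = SATURATION_LOW_MA - 0.1   # 3.8 mA or below is a fault
# Assumption: the article gives no over-range figure; 20.5 mA is illustrative.
OVER_RANGE_FAULT_MA = 20.5


class ChannelState(Enum):
    NORMAL = "normal"
    TRIP = "trip"      # process value at or beyond the trip point
    FAULT = "fault"    # loop current outside the valid window


def ma_to_psig(ma):
    """Linear 4-20 mA scaling over the calibrated range."""
    return CAL_LOW_PSIG + (ma - 4.0) / 16.0 * (CAL_HIGH_PSIG - CAL_LOW_PSIG)


def classify(ma, trip_psig):
    """Application-level check for one high-pressure trip input.

    The range test runs first, so a dead loop or a transmitter driving
    downscale on a self-diagnosed fault is never read as a healthy low pressure.
    """
    if ma <= UNDER_RANGE_FAULT_MA + 1e-9 or ma >= OVER_RANGE_FAULT_MA:
        return ChannelState.FAULT
    if ma_to_psig(ma) >= trip_psig:
        return ChannelState.TRIP
    return ChannelState.NORMAL


def votes_trip(ma, trip_psig):
    """A faulted channel votes to trip, matching the SIL verification assumption."""
    return classify(ma, trip_psig) is not ChannelState.NORMAL


def votes_trip_module_bit_only(ma, trip_psig, module_fault_bit):
    """The configuration found at the SAT: fault handling depends entirely on
    a bit from the analog input module. If that bit never arrives, an
    under-range signal just scales to a low pressure and casts no vote."""
    return module_fault_bit or ma_to_psig(ma) >= trip_psig


def vote_2oo3(currents_ma, trip_psig):
    """Two-out-of-three vote over three transmitter currents."""
    if len(currents_ma) != 3:
        raise ValueError("2oo3 voting needs exactly three inputs")
    return sum(votes_trip(ma, trip_psig) for ma in currents_ma) >= 2


if __name__ == "__main__":
    trip = 1200.0  # psig, constructed trip point
    for ma in (12.0, 3.9, 3.8, 3.75, 3.0, 17.0, 21.0):
        print(f"{ma:5.2f} mA -> {classify(ma, trip).value}")
    print("SAT finding, 3 mA, fault bit not set:",
          votes_trip_module_bit_only(3.0, trip, module_fault_bit=False))
```

A function test plan can walk the same list of currents against the live logic solver and compare the observed vote with `classify`.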

Process Safety Milestones

Posted September 22, 2014 by Kevin Mitchell

I recently assisted a customer in conducting risk analysis to develop a Safety Instrumented System (SIS) design. The chemical process involved storage and handling of Methyl Isocyanate (MIC), and I was reminded that this coming December will be the 30th anniversary of the Bhopal tragedy, which involved the same chemical. Bhopal was one of the major turning points in the movement toward a series of safety principles that would later become known as “Process Safety”. My professional opinion is that the severity of the Bhopal event could not occur in the US due to several fundamental differences; but, I also advocate that we should never be complacent. My recent experience prompted some introspection on the progress made in 30 years toward improving process safety. I started my career as a process engineer in 1992; coincidentally, this was the same year as the advent of the OSHA Process Safety Management standard. Throughout 20+ years I have seen many changes for the better. Some prompted by government regulations, but most from industry initiatives. Sadly, there have also been numerous serious process accidents since that time. While each is a tragedy, industry should respond to the learnings from these accidents.

In retrospect, here are just a few important process safety improvements, many of which didn’t exist or were not widely practiced in 1992.

Process Hazards Analysis to identify hazards and qualitatively assess their significance

Change Management to assess the safety impacts of proposed changes before they are implemented

Mechanical integrity programs and risk based inspection instead of breakdown maintenance

Layer of Protection Analysis (LOPA) to provide consistent semi-quantitative risk analysis and use as the design basis for critical instrumentation and control

An independent agency charged with investigating chemical process incidents and communicating lessons learned

Facility siting analyses resulting in blast resistant control buildings and relocating personnel out of process areas.

Industry consortia for sharing process safety information such as component failures and lessons learned

Discipline to define safe operating limits and ensure those limits are not violated, even if it means downtime and lost production

As we look ahead, some challenges remain. Currently, the US Environmental Protection Agency (EPA) is considering additional regulatory action under 40 CFR Part 68 Risk Management Program (RMP). In a “request for information”, EPA has asked for input on several aspects of process safety. EPA will review responses received by 29 October 2014, and decide what action, if any, to pursue.

Just some of the topics of interest to regulators include:

Application of Process Safety regulations to reactive chemicals such as ammonium nitrate.

Formalizing requirements for considering “Inherent Safety” in process design and operation

Automated release detection measures such as gas detection and fire detection

Third Party Compliance Audits of Process Safety Management programs

Integrating Safety & Security practices as part of the President’s directive on Improving Chemical Facility Safety and Security

Managing organizational change in addition to managing process change

The “Safety Case Model”, which is a European requirement for facilities to document and submit a technical justification for safe design and operation, as a condition of permit to operate

While I don’t advocate more government regulation, I do believe that several of these concepts would indeed reduce the frequency and severity of process safety incidents. We should strive for a balance of increasing rigor of existing good practices with stretching to reach new initiatives with new goals. I’m reminded of the philosophy of DuPont, which was once described to me simply as “zero”. The goal is zero incidents, zero harm to people, and zero impact on the environment. It’s an ambitious target that helps keep our eyes looking forward and focusing always on continual improvement.

Bypass of Safety Instrumented Functions

Posted August 25, 2014 by Kevin Mitchell

Kenexis is commonly asked to assist in specifying requirements for bypassing functions of the Safety Instrumented System (SIS). Most SIS share a common Human Machine Interface (HMI) with the Basic Process Control System (BPCS). The HMI application software typically runs on a server and communicates with both the BPCS and the SIS using a digital protocol (e.g., Modbus, EtherNet/IP, etc.). In rare situations the SIS will have its own, dedicated HMI, but this is not typical.

Operators will bypass a Safety Instrumented Function (SIF) using the HMI, which communicates bypass information to the SIS controller. For relatively small systems, bypass is accomplished using physical switches that are hardwired inputs to the SIS, but this is increasingly uncommon.

For most systems, Kenexis limits the ability to bypass to SIS inputs; we disallow bypassing SIS outputs or overriding the commanded state of a SIF. In doing so, operators are required to take responsibility for providing alternate protection when bypassing any process condition that is being monitored by the SIS.

Using any digital protocol to communicate bypass status should be carefully engineered to avoid an unsafe bypass situation. Good engineering practice is described in ANSI/ISA 84.00.01-2004 (IEC 61511-MOD), Clause 11.7.3.1 “The design of the SIS communication interface shall ensure that any failure of the communication interface shall not adversely affect the ability of the SIS to bring the process to a safe state”.

Failure of the communications link between the HMI server and SIS should not create a situation where a bypass remains in effect when it shouldn’t be. Of course, we could configure the SIS to monitor the status of the communications link and take some pre-defined action, which could theoretically include automatic shutdown of the process. Albeit safe, this would not be desirable in most situations, so other configuration options should be considered.

Typically, Kenexis recommends the SIS be provided with a physical switch that is hardwired to an SIS digital input channel. This is usually a keyswitch that is designated “Bypass Enable”. When the switch is in the “NORMAL” position, the input channel is OFF, and the SIS is programmed to ignore any requests to bypass any SIS input from the HMI. When the switch is in the “ENABLE” position, the input channel is ON, and the SIS will permit bypasses to be requested from the HMI.

Failure of the communication link between the HMI and the SIS would be a revealed condition that would generate a fault alarm; however, the state of bypasses would not change in the SIS. Even though the comm link is down, operators can remove any bypasses by switching the Bypass Enable keyswitch to NORMAL.

If a Bypass Enable switch has not been provided in the design, then operators would not have this ability to remove bypasses that were in effect at the time of the communications failure. This does not conform to Clause 11.7.3.1. To resolve this without adding a bypass enable switch, we would require the SIS to be configured to automatically remove any bypasses that might be in effect at the time of comms failure. Obviously, this could cause a SIF to activate if an input were not in service or otherwise outside the safe operating limits at the time of the comms failure. As this may result in an unwanted shutdown of the process, the bypass enable switch avoids the need for this configuration of the SIS.

SIL 3 Requirements from LOPA Should be Challenged Before Implementing Costly Systems
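The bypass handling described in this post, modelled as a small state machine. This is an added example, not Kenexis or vendor code: the class, method and tag names are hypothetical, and accepting a bypass-removal request from the HMI regardless of switch position is an assumption the text does not address.

```python
class SisBypassLogic:
    """Bypass handling inside the SIS controller (illustrative model).

    has_keyswitch=True  : hardwired "Bypass Enable" keyswitch design.
    has_keyswitch=False : no switch; bypasses are cleared on HMI comms failure.
    """

    def __init__(self, input_tags, has_keyswitch=True):
        self.input_tags = set(input_tags)
        self.has_keyswitch = has_keyswitch
        self.keyswitch_enable = False   # hardwired DI: OFF = NORMAL, ON = ENABLE
        self.comm_ok = True
        self.bypassed = set()
        self.alarms = []

    def set_keyswitch(self, enable):
        """Hardwired input; works whether or not the HMI link is up."""
        if not self.has_keyswitch:
            raise RuntimeError("this design has no Bypass Enable switch")
        self.keyswitch_enable = enable
        if not enable:
            # Switching to NORMAL removes every bypass in effect.
            self.bypassed.clear()

    def set_comm_ok(self, ok):
        """Link monitor result for the HMI server connection."""
        if self.comm_ok and not ok:
            # Revealed failure: always alarmed.
            self.alarms.append("HMI_COMM_FAULT")
            if not self.has_keyswitch:
                # No local way to remove bypasses, so the SIS removes them itself.
                # This can activate a SIF whose input is out of service.
                self.bypassed.clear()
            # With a keyswitch the bypass state is left unchanged.
        self.comm_ok = ok

    def hmi_bypass_request(self, tag, bypass):
        """Request arriving over the digital protocol. Returns True if honoured."""
        if not self.comm_ok or tag not in self.input_tags:
            return False
        if not bypass:
            self.bypassed.discard(tag)   # assumption: removal is always allowed
            return True
        if self.has_keyswitch and not self.keyswitch_enable:
            return False                 # switch in NORMAL: request ignored
        self.bypassed.add(tag)
        return True

    def input_votes_trip(self, tag, raw_vote):
        """Only inputs can be bypassed; outputs and SIF state are never overridden."""
        return raw_vote and tag not in self.bypassed


if __name__ == "__main__":
    sis = SisBypassLogic(["PT-101", "LT-102"])      # constructed tag names
    print("NORMAL, request:", sis.hmi_bypass_request("PT-101", True))
    sis.set_keyswitch(True)
    print("ENABLE, request:", sis.hmi_bypass_request("PT-101", True))
    sis.set_comm_ok(False)
    print("after comms loss:", sis.bypassed, sis.alarms)
    sis.set_keyswitch(False)
    print("after switch to NORMAL:", sis.bypassed)
```

Because a bypass can only be set while the hardwired input is ON, a request that reaches the SIS over the network alone cannot disable an input.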

Posted August 15, 2014 by Kevin Mitchell

Recently Kenexis was asked to develop an SIS design for an NGL processing facility. The hazards were associated with operation of equipment beyond design temperature and pressure ratings of equipment including pressure vessels, distillation towers, condensers, reboilers, and pressurized liquid storage tanks. A third party conducted a hazard and risk analysis to establish target Safety Integrity Levels (SIL) for various Safety Instrumented Functions (SIF). Our challenge was to identify requirements for both field instrumentation and the SIS Logic Solver. During our review of the risk analysis, which was conducted using Layer of Protection Analysis (LOPA), we discovered several requirements for SIL 3 shutdown of equipment. Most SIL 3 requirements arose from postulated risk scenarios in which equipment could be subject to temperature beyond the Maximum Allowable Working Temperature (MAWT), which was specified by the mechanical designers of pressure vessels in accordance with the ASME Boiler and Pressure Vessel Code, Section VIII.

The LOPA team contemplated that failure of temperature control in a distillation column reboiler could subject equipment to temperatures as high as 500 F, when the design limit is approximately 300 F. The LOPA identified concerns associated with “loss of vessel tensile strength” and a significant release of flammable hydrocarbons to the atmosphere. However, the scenario also involved no elevated pressure of equipment, which would be well within the allowances of Maximum Allowable Working Pressure (MAWP). Instead of implementing a SIL 3 shutdown on high temperature, Kenexis recommended the end user consult with the mechanical designers of the equipment. Operating a carbon steel pressure vessel above the MAWT is undesirable, and can result in damage to the equipment over time. At worst, some flange leakage might be expected in the long term. However, often there is no potential for acute degradation of the mechanical performance to contain the process pressure, because the vessel is operating well below its MAWP, and within the allowable working stress. It requires a competent mechanical engineer to address this concern, and in this case, the existing vessels were re-rated to limits that were within the bounds of the scenario the LOPA team contemplated. This eliminated the need to install several SIL 3 loops, which would have required significant field instrumentation upgrades as well as a SIL 3 capable logic solver. The SIS was then designed for hazards that resulted in a maximum SIL of SIL 2, and saved significant resources in terms of implementation.

The key learning is to ensure that any SIL 3 finding from a LOPA is subjected to proper scrutiny before accepting that high target as the basis of design. Spending a bit more time and effort in the risk analysis phase can pay big dividends in terms of simplicity of the SIS, lower maintenance and testing requirements, and more effective use of scarce resources to be applied to other, more critical safety issues.

Subsea success

Des Irvine describes the development of the world’s first subsea high-integrity pressure protection system.

Back in 1996, the Kingfisher project in the UK sector of the North Sea appeared to be financially questionable unless innovative techniques were applied to reduce the capital and operating costs (Capex and Opex). A concept was tabled for the use of a high-integrity pressure protection system (HIPPS) located on the seabed, which would allow de-rating of the flow lines.

Traditionally, the flow lines are designed to withstand the wellhead pressure, with the HIPPS systems located topsides to protect the process. In this instance, it was realised that major capital savings could be made on the flow lines if the HIPPS could be relocated closer to the wellheads.

Although this is a simple concept, realisation requires technology that combines the highest integrity with the highest reliability and availability. The combination of these three features is often a balancing act: increase the integrity and nuisance failures reduce availability; or incorporate redundancy to improve availability and reliability falls because more components are involved.

A number of other constraints inherent in the system include diversity from control functions; built-in remote communications; autonomous shutdown functions; remote testability; space (the system must fit into the existing subsea control module, SCM); weight; and power.

Suggestions had been made to build a new system using integrated electronics. However, the client quickly rejected this approach, and referred to his experience with the magnetic logic systems used on most Shell platforms in the North Sea. With a great deal of experience in the supply of HIPPS using the magnetic logic based ProSafe-SLS system, certified for applications up to SIL 4, Yokogawa was approached to develop a HIPPS solution for subsea operation.

The resulting subsea HIPPS comprised two banks of triplicated transmitters, each voted 2oo3 (two out of three), with the voted states ANDed such that either bank tripping would trip all outputs. The outputs comprised two ESD (emergency shutdown) valves, each operated by redundant solenoid valves (SOV), such that SOV closing would shut down the flow line via the ESD valve.

Manual shutdown was required via the serial communications interface to the SCM controller using redundant serial interfaces. Facilities to override inputs and test outputs remotely were also required via this serial interface, with provision for partial closure testing of the ESD valve.

On a topsides HIPPS, transmitters would be powered by a field power supply and the input to the HIPPS system would be fused. Failure of a transmitter would cause the voting to fall back to 1oo2. For subsea use, however, with a SIL 4 integrity requirement, this is insufficient. Fuses are not allowed for obvious reasons, and failure modes must be guaranteed. To address this, two-wire transmitters were used with current-limiting resistors applied to prevent damage to the input circuits.

The power for each transmitter loop was derived from inherently failsafe output drivers from the HIPPS system such that they could be powered down from topsides via the serial interface, guaranteeing that the input loop would go to a trip on that input. The output driver power-supply modules are inherently failsafe, certified by TÜV to Class AK7, such that it is virtually impossible for the output to be on when the input request is for off (see Figure 1 below).

This design addressed the problem of fallback voting and predictable failure modes. However, to satisfy SIL 4, other diagnostics were required for the transmitters. The devices selected were intelligent with some programmable failure modes based on internal diagnostics, which were supplemented by additional diagnostics in the HIPPS system.

The problem with analogue signals is that the only way to verify that the reported value is correct is by comparing it with a reference or other measurements from the same source. The analogue input values were repeated to the subsea control system such that some relative comparisons could be made, but this was not possible in the HIPPS logic. Each input circuit is isolated, and transfer of analogue values between circuits was impracticable. If the analogue value is below the trip level, the HIPPS system presumes that each analogue value is correct (see Figure 2 below).

To enhance the diagnostics, each HIPPS analogue input was programmed to detect process noise within a threshold range. Should the noise level fall below the threshold for a limited duration, the HIPPS would declare that input faulty and trip that channel. It was not anticipated that this would be used in anger, but in fact, owing to a latent problem in the transmitters, after several years’ operation faults occurred which froze the transmitter outputs — faults that were only detected by this feature. Ultimately, the transmitters had to be replaced.
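The input architecture and the noise diagnostic described above can be modelled in a few lines. The following Python sketch is an added illustration, not code from the original article or from the ProSafe-SLS system (which is hard-wired magnetic logic); the trip level, noise threshold, window length, the latching of the fault and the `noisy` signal generator are all assumptions made for the example.

```python
from collections import deque

# All numeric values below are constructed for this example,
# not taken from the Kingfisher design.
TRIP_LEVEL = 200.0   # assumed high-pressure trip setpoint
NOISE_MIN = 0.05     # assumed minimum peak-to-peak process noise
WINDOW = 5           # assumed number of scans in the noise window


class Channel:
    """One transmitter input with a frozen-signal (low noise) diagnostic."""

    def __init__(self):
        self.history = deque(maxlen=WINDOW)
        self.faulty = False  # latched here (an assumption) once judged frozen

    def update(self, value):
        self.history.append(value)
        if len(self.history) == WINDOW:
            if max(self.history) - min(self.history) < NOISE_MIN:
                self.faulty = True
        # Fail-safe: a faulty input is treated as a tripped input.
        return self.faulty or value >= TRIP_LEVEL


def vote_2oo3(trips):
    """True when at least two of the three channels are tripped."""
    return sum(trips) >= 2


class Hipps:
    """Two banks of three channels; either bank voting trip shuts down."""

    def __init__(self):
        self.banks = [[Channel() for _ in range(3)] for _ in range(2)]

    def scan(self, readings):
        trips = [[ch.update(v) for ch, v in zip(bank, row)]
                 for bank, row in zip(self.banks, readings)]
        # The banks' healthy states are ANDed: outputs stay energised only
        # while both banks are healthy.
        outputs_energised = all(not vote_2oo3(t) for t in trips)
        return (not outputs_energised), trips


def noisy(i, k, base):
    """Constructed, deterministic stand-in for process noise on channel k."""
    return base + 0.3 * (((7 * i + 3 * k) % 5) - 2)


def simulate(n_scans, frozen=None, overpressure=None):
    """Run n_scans; frozen / overpressure map (bank, ch) -> first affected scan.

    Returns the scan at which each channel first tripped and the scan at
    which the shutdown occurred (None if it never did).
    """
    frozen, overpressure = frozen or {}, overpressure or {}
    hipps, first_trip, shutdown_scan = Hipps(), {}, None
    for i in range(n_scans):
        readings = []
        for b in range(2):
            row = []
            for c in range(3):
                # A frozen transmitter repeats the value from the scan it froze on,
                # so it also fails to see any later overpressure.
                t = min(i, frozen.get((b, c), i))
                base = 250.0 if t >= overpressure.get((b, c), n_scans) else 120.0
                row.append(noisy(t, 3 * b + c, base))
            readings.append(row)
        shutdown, trips = hipps.scan(readings)
        for b in range(2):
            for c in range(3):
                if trips[b][c]:
                    first_trip.setdefault((b, c), i)
        if shutdown and shutdown_scan is None:
            shutdown_scan = i
    return first_trip, shutdown_scan


if __name__ == "__main__":
    # One frozen transmitter: channel trip (alarm) only, no shutdown.
    print(simulate(20, frozen={(0, 1): 3}))
    # Same fault plus a genuine overpressure on a second channel of that bank.
    print(simulate(20, frozen={(0, 1): 3}, overpressure={(0, 2): 10}))
```

A single frozen transmitter trips only its own channel, while a second trip in the same bank satisfies the 2oo3 vote and shuts down the outputs regardless of the state of the other bank.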

The weaknesses in any high-integrity system are primarily the process valve and secondly the input transmitters. These are in the process line, and are the items most prone to failures caused by the process. To compensate for this, test features are included to allow online periodic testing in between longer-interval full function testing.

For transmitters, this testing was linked to the facility for clearing impulse lines. Methanol injection into impulse lines would clear the orifice and would cause an instantaneous overpressure. This overpressure generates a trip condition on the HIPPS input, which produces an alarm but no trip as it is only one channel. By cleaning impulse lines individually, a full input test is performed.

For the ESD valve, periodic partial closure testing provides justification for extending the full closure test interval. The test request is a pulse that is processed as a ‘one shot’ function, which is latched. This results in the output to the ESD valve solenoid(s) de-energising, thereby causing the valve to close.

The ‘one shot’ function ensures that a test request is not held on if the incoming request pulse fails to a steady ‘on’ position. The position of the valve is monitored by a VPI (valve position indicator) to an analogue trip amplifier. When the valve reaches a set position, the trip amplifier trips and the test latch is reset. If the VPI feedback does not occur in a set time, the test is cancelled by an inherently fail-safe timer. Genuine trip demands are not disabled during the test cycle.
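The partial closure test sequence described above (one-shot request, test latch, VPI reset, timeout, and trip priority) is sketched below as a scan-based state machine. This is an added illustration, not the article's or Yokogawa's implementation, which is hard-wired logic; the set position, the timeout, and the simple valve model moving 5% per scan are assumptions.

```python
class PartialClosureTest:
    """Software model of the one-shot, test latch and timer described above.

    set_position and timeout_scans are assumed values for illustration.
    """

    def __init__(self, set_position=80.0, timeout_scans=10):
        self.set_position = set_position    # % open at which the VPI trip amplifier trips
        self.timeout_scans = timeout_scans  # stand-in for the fail-safe timer
        self.prev_request = False
        self.latched = False
        self.elapsed = 0
        self.tests_started = 0
        self.last_result = None

    def scan(self, request, vpi_position, trip_demand):
        """Return True when the solenoid output is energised (valve held open)."""
        # One-shot: only a rising edge starts a test, so a request that
        # fails to steady 'on' cannot hold or restart the test.
        rising_edge = request and not self.prev_request
        self.prev_request = request
        if self.latched:
            self.elapsed += 1
            if vpi_position <= self.set_position:
                self.latched, self.last_result = False, "passed"
            elif self.elapsed >= self.timeout_scans:
                self.latched, self.last_result = False, "timed_out"
        elif rising_edge:
            self.latched, self.elapsed = True, 0
            self.tests_started += 1
        # A genuine trip demand always de-energises the output,
        # whether or not a test is in progress.
        return not (trip_demand or self.latched)


def run(requests, trip_from=None, valve_stuck=False):
    """Drive the logic with a constructed request sequence and a toy valve.

    The valve moves 5% per scan (an assumption): closing while the solenoid
    is de-energised, reopening while it is energised.
    """
    logic, pos, min_pos = PartialClosureTest(), 100.0, 100.0
    for i, request in enumerate(requests):
        trip = trip_from is not None and i >= trip_from
        energised = logic.scan(request, pos, trip)
        if not valve_stuck:
            pos = min(100.0, pos + 5.0) if energised else max(0.0, pos - 5.0)
        min_pos = min(min_pos, pos)
    return {
        "result": logic.last_result,
        "tests_started": logic.tests_started,
        "min_position": min_pos,
        "final_position": pos,
    }


# Constructed request sequences, 30 scans each.
PULSE = [False, False, True] + [False] * 27       # healthy one-scan pulse
STUCK_ON = [False, False] + [True] * 28           # request fails to steady 'on'

if __name__ == "__main__":
    print(run(PULSE))                      # valve dips to the set position and reopens
    print(run(STUCK_ON))                   # still only one test
    print(run(PULSE, valve_stuck=True))    # no VPI feedback: timer cancels the test
    print(run(PULSE, trip_from=4))         # trip during test: valve closes fully
```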

Concern was initially expressed at the ability of the HIPPS system to meet environmental requirements, specifically shock and vibration but also temperature and humidity. The original design required a 24-inch rack for the complete HIPPS logic and input/output processing. The first-pass build revealed the rack to be a 19-inch rack with a bolted-on extension, so this was quickly replaced by a purpose-built rack prior to client inspection, highlighting the importance of adapting to special requirements. In this instance, it had not been appreciated by the assembly engineer that this would be a problem. The rack was issued for shock and vibration testing and passed first time.

The complete logic system, including the powering of transmitters, solenoid valves and the communications interface required 4A at 24Vdc. The ProSafe-SLS logic system is based on magnetic core technology using dynamic current pulses on a 1ms clock frequency. The current pulses are 0.5A in amplitude, which provide extremely high immunity, but they are only 50ms in duration, which results in very low overall consumption and low heat dissipation.

The Kingfisher project went on line in late 1997, and the system operated with no problems until a series of transmitter faults was reported by the HIPPS system.

Despite attracting much attention — as the savings in flow-line costs were several million dollars and the whole project was brought on stream early and under budget — the solution was not repeated for five years. It had always been recognised that this was a project to create an impact, with Yokogawa providing a solution to enhance the capability of the subsea control systems supplier.

After five years of successful operation, a spate of repeat systems finally followed in the North Sea, with currently over 20 systems installed.

Deeper waters demand different approach to design

What do Superman, LSD and World War II have in common with the discovery of the first offshore field in the Gulf of Mexico (GoM)? Other than the year history books give credit for discovery or start—1938—each demonstrates the success or failure of collaboration.

That first field—the Creole—was operated by Pure Oil Co. and Superior Oil Co. and was located a mere 1.9 km (1.2 miles) from the shores of Cameron Parish and 21 km (13 miles) from the nearest coastal community of Cameron, La. The platform—built on timber pilings in water depths of 3 m to 4.5 m (10 ft to 15 ft)—represents the first of what would be many steps out onto the continental shelf of the GoM.

The offshore platforms of today are made of steel, and it is not uncommon to find them operating in water depths greater than 500 m (1,640 ft) and in fields located more than 160 km (100 miles) from land.

The significant planning and development processes necessary to bring highly technical and highly challenging GoM frontier resource plays like the Paleogene online require long lead times and highly sophisticated technologies. Collaboration—the most basic of technologies—has long played a key role in the development of the GoM from a single fledgling field to a global powerhouse of many.

Tapping the Paleogene

The Paleogene, aka Lower Tertiary Trend, is the next exploration and production frontier in the GoM. It also is an important one for the U.S., according to Cindy Yeilding, vice president and director of appraisal for BP.

“Historically, the U.S. has—since the 1970s—been getting two million to three million barrels per day of production primarily from the shallower waters of the Gulf of Mexico Shelf. That number started to decline around 2000, but fortunately deepwater Miocene production started to ramp up,” she said. “The deepwater Miocene reservoirs ramp up quickly and provide excellent production for five to 10 years before starting to decline. We see production from the Paleogene reservoirs starting to fill the vacancy as the Miocene trend starts to play out and begins to decline.”

The industry has found about 6 Bboe in the Paleogene since entering the play in the early 2000s, according to Yeilding.

“We think there’s 15 billion to 25 billion barrels yet to find. We’re still in the early days of exploration in the trend,” she added.

BP’s success in the Paleogene includes discoveries at Kaskida, Tiber and Gila. The Kaskida exploration well, drilled in 2006, is located on Keathley Canyon Block 292 in about 1,786-m (5,860-ft) water depth and is about 402 km (250 miles) southwest of New Orleans. The well was drilled to a total depth of about 9,906 m (32,500 ft) and encountered 244 m (800 ft) net of hydrocarbon-bearing sands.

In 2009, BP discovered oil in the Tiber prospect in the ultradeepwater of the western GoM. It is, according to a BP-issued press release, believed to be one of the largest finds in the region. Drilled to a total depth of 10,685 m (35,055 ft) including 1,259 m (4,132 ft) of water, the Tiber exploration well is one of the deepest ever drilled.

BP announced in 2013 the discovery of its Gila prospect located about 483 km (300 miles) southwest of New Orleans in nearly 1,524 m (5,000 ft) of water. An initial discovery well was drilled to a total depth of 8,906 m (29,221 ft), but further appraisal drilling will be required to determine the size and potential commerciality of the discovery.

“Our ability to find new accumulations is pretty good. What we can’t do yet is develop some of those accumulations we have found because of higher pressures,” Yeilding said.

Different approach to developing the Paleogene

The success of the GoM offshore industry is due in large part to the collaborative efforts of many over a span of seven-plus decades. As the industry continues to march into the deeper waters of the Outer Continental Shelf in the years to come, the systems and equipment necessary to safely and efficiently develop the fields beneath the seafloor will either require redesign or creation.

In February 2012, to meet the development demands of its portfolio of ultradeepwater GoM Paleogene discoveries, BP launched Project 20K. The multiyear initiative seeks to develop the next generation of systems and tools necessary to unlock the next frontier of deepwater oil and gas resources that are beyond the reach of today’s technology.

The project will enable the company to explore, develop and produce new deepwater resources that are at pressures up to 20,000 psi and temperatures up to 177 C (350 F). The company estimates it could potentially access an additional 10 Bboe to 20 Bboe across its global portfolio during the next two decades with the application of Project 20K technology.

The project’s four focus areas—well design and completion; rigs, risers and BOPs; subsea production systems; and well intervention and containment—guide the research and development efforts of BP and its partners from industry and academia.

For Stuart Rettie and Mick Leary, Project 20K team leads for the company’s Global Projects and Global Wells groups, respectively, the project is a departure from the norm in many ways.

“It is a technology development project and not a specific asset development project,” said Rettie, projects director. “Our role is to develop the entire holistic capability for [operating at] 20,000 psi; that’s being able to drill, complete, produce and intervene on these wells. About 70% of the project is wells-related, so we are approaching this project a little bit differently.”

Leary, wells director, added that the project is figuratively “starting on a cleaner sheet of paper than we’ve ever done in the past and really looking at what it takes to safely, reliably and efficiently drill, complete and intervene on these wells.”

“The hardware and designs we develop will be implemented by future projects, whether they are in the Gulf of Mexico, the Caspian Sea or Nile Delta,” Rettie said. “Those are the three areas we have in mind for initially deploying the technology. We are playing to one of our strengths, which is the deepwater.”

‘More hands, lighter load’

It has been a very busy two years for Rettie and Leary. The internal collaborative efforts between their two groups build upon the expertise of each to advance the project closer to its ultimate goal of first oil within the next decade.

“We’re using our major project delivery processes and systems to have oversight of the project,” Rettie said. “But we’ve got deep expertise from the wells community that’s helping us develop the technologies. The role that the Projects Group is playing is delivering the capital discipline, executing the project at a given cost within a given time and integrating the technical expertise.”

That capital discipline is critical to the project and to meet the goal of keeping the project economics in check. Rettie noted the project’s practice of a concept called “value engineering.”

“Value engineering is making smart decisions about the systems we’re going to deploy and the redundancy we may or may not need. We have an interesting model that we’ve created with Maersk Drilling [a Project 20K partner] around how we will evaluate the different systems that go onto the drilling rig,” Rettie said. “The other different thing that we are doing in this project is taking a holistic mindset. This isn’t just an upgrade to a 20,000-psi capable rig. This is about everything that it takes to deliver the entire capability at one time.”

To that, Leary added that the internal collaboration extends beyond the doors of the Houston office. “If we look at the regions around the world where this could be applied, there’s integration between various different regions and Project 20K.

“We make sure that as we develop these designs and equipment there’s been a working relationship that provides input to those designs from the various regions so we don’t get to a point where we’ve developed all of this and they say, ‘We don’t like this or that about it.’ All of that integrated input is being put in up front as opposed to doing our own work and sending it out to the regions in a vacuum.”

The internal team has grown during the last two years with the addition of several new external partners. Nine months after announcing the initial project launch—in November 2012—BP awarded the first contracts to FMC Technologies and KBR. The FMC Technologies contract is collaborative but places them as the leading partner to design, develop and manufacture the subsea production equipment for the project—including the 20,000-psi subsea tree and high-integrity pressure protection system (HIPPS).

Project execution and management plans, risk assessments, cost and scheduling estimates, and the systems engineering management fall under KBR’s umbrella of project responsibilities.

“KBR’s role is to act almost like a central clearinghouse. We have a couple of hundred new technologies to develop, and the way we monitor development is through ‘technology readiness levels,’” Rettie said. “As an idea moves from napkin to prototyping, we have a process to test the readiness. With all the complex interactions that have many interfaces in this project, we need everything coming back from the various entities so we can monitor and understand where we are on the maturation of the various technology readiness levels. That way we can ensure that everything moves in the right sequences with the right timing.”

Leary added that it is “important to note that as we look at all of the interfaces, we’re all dependent on one another. From a well design and completions standpoint, we need a rig to construct that well. From a subsea production system point of view, there are many interfaces between the well that was constructed and the subsea systems, and from a capping and containment standpoint, we have to be able to go back and interface with all of that previously installed equipment.”

Maersk Drilling was selected in 2013 as BP’s partner to execute the development of the rig, riser and BOP designs. In the same year, BP launched a strategic partnership with the University of Texas at Austin (UT) to support several leading-edge oil and gas industry research projects. The work conducted for Project 20K will study the impact of “human factors” on the drilling process and develop new systems that can enhance safety and efficiency. UT’s efforts will join with the long-established and BP-supported materials and corrosion research efforts underway at the University of Manchester and “complex systems integration” analysis at the Massachusetts Institute of Technology.

“This project has provided a catalyst or foundation in the industry for further collaboration,” Leary said. “This technology development has kicked off API activity around the standards that various pieces of equipment are designed to, and we’ve seen BSEE [Bureau of Safety and Environmental Enforcement] also take a very engaged interest in development of this technology.”

He noted that BSEE has been involved in the API standards activity and is very keen from a regulatory view to see an aligned set of standards that industry will work from as opposed to “each and every company creating their own design standards.”

Collaborative integration

The integration of both internal and external collaborative groups is a key Project 20K theme. Rettie noted that the integration of the Projects and Wells groups and, in turn, the project’s integration with the Exploration Group and the very early involvement in the project by suppliers is also an approach different from projects of the past.

“I don’t think we’ve ever before brought the drilling contractor in as early as we’ve done with this project,” he said. “Together, we can jointly look at the processes for what it takes to drill a well and can effectively optimize the drilling rig for that purpose.”

But why advance the technology in increments of 5,000 psi? For Rettie, the answer is simple.

“Historically, industry has moved from onshore with pressures increasing to offshore and in the deepwater,” he said. “We’ve gone from 5,000 psi to 10,000 psi to 15,000 psi, and the natural step is to now go to 20,000 psi.

“Some may ask about an intermediate step, but I think the industry has wisely chosen to do it in 5,000-psi increments. Part of that fits the aspect of standardization,” he said. “One of the key levers we have to control costs in our industry is to develop standard systems. If we all work on a standard, it improves safety and reliability of these systems, and the next band for deepwater is 20,000 psi.”

Collaborative integration begins with the first focus area for Project 20K—well design and construction. This focus requires the second focus area—rig, riser and BOP design—tasks well suited for Maersk Drilling. The first also impacts the third focus area—subsea production systems—that FMC Technologies is tasked with developing.

Well design and completion

Due to the early involvement in Project 20K by the Exploration Group, the Wells Group has an enhanced understanding of Paleogene reservoir conditions. This understanding, when combined with an extensive knowledge and resource base to draw from, gives the Wells Group an edge in designing wells for these challenging reservoirs.

“These wells will need to hold up for a long life cycle of production, but intervention capability is also needed,” Leary said. “These wells will require stimulation to produce, so the design needs to enable that. These wells are a little deeper, a little hotter and at a higher pressure than other wells that have been done in the industry; thus, the components have to be able to handle these higher design loads.”

For example, many of the planned casing strings will have a heavier wall thickness and be stronger than the ones in use today.

“To effectively stimulate the well, we also will need to attain good zonal isolation across the production intervals to isolate any water sands,” Leary said. “We’re working on all of the various components in the design of a producing well, and that’s offering up a number of challenges.”

Much of the design work includes the development of components that do not exist in the market today.

“The fluids, techniques, materials and equipment—like packers and safety valves—will all have to be developed because they don’t really exist for this application,” Leary said. “There is considerable effort going into that. We’re relying on a small team but calling on specific expertise across BP to contribute in their areas of expertise. We can pull resources out of other parts of the company to help in a particular area, whether that be tubular design, cementing or fracture stimulation.”

The best well construction and completion design is still just a plan without the equipment necessary to make it possible.

The decision, Leary said, was made early in the process to take a different route to rig design.

“We picked Maersk Drilling—and Maersk Drilling picked us—to collaborate on what a 20,000-psi rig should really look like, and this has been a great relationship. It has worked very well for us, and I think Maersk Drilling would say the same thing. We bounce ideas off each other; we challenge each other—us to our requirements and them to their capabilities—to construct these wells.”

Rig, riser and BOP design

The step-change from 15,000 psi to 20,000 psi is significant, requiring equipment that will be larger, heavier and stronger than what has been used to date at 15,000 psi and below.

“For example, the 20,000-psi BOP stack will weigh about 50% more than a 15,000-psi BOP,” Leary said. “Due to the weight of the BOP and the longer, heavier casing strings, the hoisting system on the rig will have to be capable of handling heavier loads than the 15,000-psi rigs of today.

“However, we also want to incorporate inherently safer design concepts into the layout of the rig. We are thinking about the workflow of the well construction process and how the rig should be set up to safely and effectively do the activities.”

The philosophy and approach is different than most have taken in the design and building of a typical rig, Leary noted.

“Oftentimes we’ll contract for a rig when construction has already started or may be complete; then we try to make adjustments for our particular well program. Thus we end up retrofitting where practical as opposed to designing in the requirements from the start.”

Rettie added that the approach goes back to capital discipline on the part of the project.

“We’re not going to start with a clean piece of paper on everything because if you start out with an unlimited checkbook, you could end up with a design that could do absolutely everything you imagined needing it to do, but would it be a cost-effective tool?” he said. “It would not be economical. Some of the things we’re doing are based on the standards we want to adhere to. Today’s standard wellhead connector—the 18 ¾ in.—we’ve said, ‘OK, that’s a fixed point, and we’re going to stay with that because it is out there and can satisfy our needs.’ We’re not going to go far beyond that because it starts to become uneconomic.”

In examining the design and functions of today’s rigs, the team is looking for the features that add value to the design and the work scope contemplated, noted Leary.

“We’re asking questions like, ‘How many pumps do we need to have?’ and ‘How much deck space do we need?’ We’re focused on delivering a product that is competitive and that can deliver a cost-effective, reliable well in a safe and efficient way,” he said.

In selecting a design, the Project 20K team selected a drillship as its first rig design.

“When we looked at the requirement in the GoM, primarily with the depth of water and the depth of these wells combined with the casing loads, you can get more payload onto a drillship than a semisubmersible for an equivalent cost,” Leary said. “When you look at our GoM portfolio, the drillship is going to be more cost-effective and efficient in delivering results.”

Maersk Drilling has a considerable range of experience and resource base to draw from in the design of the necessary equipment for Project 20K. For Frederik Smidth, chief technology officer for Maersk Drilling, working with BP presented a real opportunity to work on a project that is, “from an engineering perspective extremely interesting and challenging.”

The project, he believes, aligns nicely with Maersk Drilling’s strategy to grow in the deepwater and ultraharsh environment segments.

“We want to grow in what we call the ‘post-technology and operationally challenging areas.’ That is where we believe we can justify being and where we traditionally have been more successful,” Smidth said. “Project 20K is actually spot-on. It is in our main strategy to go for the 20,000-psi area. We want to be in deepwater. We want to be in the challenging part.”

Getting to start with a “cleaner sheet of paper” is a unique opportunity for Maersk Drilling, Smidth said. A project’s time or financial limits often determine what can be done on the design side.

“We’ve done it once or twice before, mainly on the jackup side of the business. We were able to improve the efficiency of the jackup significantly. Our goal with Project 20K is to do the same on the deepwater side,” he said.

Another unique aspect to this project was that the company had a client in BP that was willing to share and listen to the design visions of Maersk Drilling.

“We have a client telling us what its pain points are and where it sees the pain points being and so on,” he said. Another huge advantage in working with BP is that Maersk Drilling gets access to data.

“We get access to their operational and technical knowledge, especially when we’re talking new development like this,” he said. “They have experts we can draw on and can access their knowledge.

“If we get the right people from the operator to open up and tell us what they like and what they don’t like, we can understand their problems and try to understand their cost structure where they spend the money and where they don’t spend effectively. If we can help them improve spending efficiency, I think that’s a gain for all of us.”

Smidth finds that in balancing the needs vs. the wants in the new rig design, being very disciplined in addressing and justifying each is critical.

“That’s how we build. We have to justify things either from a safety point of view or operational efficiency point of view. Saying you want a dual-drill rig or two BOPs, you’ve got to be able to justify it.”

There are a number of challenges in designing a rig, riser and BOP system for 20,000 psi, challenges like the higher pressures and higher temperatures.

“But as long as you know beforehand, we can design the ship for handling a bigger BOP and heavier riser,” he said. “The challenge is determining what standards we design against and how we design the internal components of the BOP as it has to be able to handle not only high pressure but also high temperatures.”

The larger sizes and heavier weights of the equipment like the BOPs, casing strings and drillpipe will have an impact not only on the design of the rig but also the handling systems.

“The handling systems we’ll see will be similar in types to what we see today but stronger, I would say,” Smidth said. “Obviously the ship cranes and the mobile cranes and support systems and so on will have to be designed to handle the weights and size.

“We have not completed the design yet, so I’m a little bit hesitant to make conclusions. But the way we handle drillpipe and casing and so on today—I think that in principle is going to be the same, but the equipment has got to be stronger to handle the higher weight and bigger dimensions.”

Smidth would not comment on details about the size of the drillship other than to say it “will be bigger than what we see today” and that it “will have higher load-carrying capacities.”

Subsea production systems

The decision was made early on in Project 20K that the 20,000-psi hydrocarbons would not be taken to the surface, according to Rettie. To accomplish this, BP partnered with FMC Technologies to develop the suitable subsea production systems with a HIPPS necessary to safely produce from the Paleogene reservoirs.

For Brad Beitler, VP of technology for FMC Technologies, working with BP on Project 20K was a natural extension of work the company had already begun a few years ago.

“We had actually started an internal program funded by ourselves to develop high-pressure, high-temperature equipment,” Beitler said. “We had a road map that took us over a period of five to seven years that would take us from where we were at the time.”

The company was developing at that time its 15,000-psi systems for temperatures in the 120 C to 150 C (250 F to 300 F) range, according to Beitler.

“Our road map took us all the way out to 30,000 psi at 500 F [260 C] over a long period of time, with some various intermediate waypoints. One of them was 20,000 psi at [177 C].”

FMC Technologies met with several of its customers at the time, including BP, to get feedback. Those early discussions, in Beitler’s view, are what led to the eventual partnership for Project 20K.

“When it came down to BP actually looking at some of these leases they have in the Gulf that are going to require this kind of equipment, I think they had it in their minds there was a couple of us that could do the work,” he said. “At the end of the day, they probably looked to see who was the farthest along, who could quickly move the direction that would favor them. We’d been doing some work with Shell on some of their fields and with others. I think BP felt like, at the end of the day, when they made the decision, we would probably be quicker out of the chute and provide them with the kind of integrity they needed for this kind of venture.”

One of the key components in subsea production is HIPPS. HIPPS is not a new technology, but it is a significant one for ensuring the safety of production from HP/HT reservoirs.

“HIPPS allows the well’s flow to be shut off right near the tree if it detects any kind of buildup in pressure in the flowline,” Beitler said. “It allows the operator to create a specification break on the seabed and use a thinner wall flowline and production riser that’s more rated toward the flowing pressure of the well as opposed to the shut-in pressure of the well. The HIPPS is a triple-redundant valve that quickly shuts off flow if it detects any kind of high-pressure transient moving through the flowline. The HIPPS lets us use existing technology for the flowline and production riser and eliminates 20,000-psi hydrocarbons to the production facility. There’s a lot of technology in a subsea HIPPS, and it’s a unique piece of technology that’s really geared up for high-pressure circumstances like this.”

While HIPPS addresses one safety angle, another looks at the finer elements in the design. Like the rig design, many of the components will be larger in size and heavier in weight. However, a majority of the design and safety enhancements for Project 20K subsea equipment focus on smaller components like materials used in seals.

“The base materials themselves probably aren’t going to have a lot of enhancements,” Beitler said. “We’re looking at everything, ensuring they’re all adequate and that we don’t go through any phase changes. But at [177 C], you don’t get a whole lot of changes in materials.

“As we look at the long-term effects of temperature on materials, there is a possibility that we may want to increase our safety factors a bit to make sure that the long-term effect of temperature doesn’t reduce the mechanical strength. So far, we haven’t seen anything like that. It’s a possibility out there as we go through the testing.

“With regard to things like the seals, that’s why we’re doing so much temperature testing. It’s to ensure that we understand the long-term effects of temperature and pressure on the materials we use for seals to ensure that the seals don’t flow or do strange things under those kinds of conditions. We test the seals to 20,000-plus psi, some to 25,000 psi, and to temperatures much higher than [177 C], more like 400 F to 450 F [204 C to 232 C], just to find out what the operating envelopes are.”

Of all the types of materials available for seals, elastomers are probably the most difficult, according to Beitler.

“There are a lot of different elastomers for seals out there that are good at really high temperatures like this. But in this case they also have to perform over a range of temperatures. The seabed is close to freezing, and the flowing temperature is close to [177 C], but they have to seal under both of those conditions. The temperature range then becomes the issue.

“There are a few elastomers that will do that, and we have to ensure that the ones we select are going to be the ones that can last a lifetime and have the integrity that we need. It presents a lot of issues and a lot of opportunities for basic research in these materials and how we assure their longevity and integrity.”

Beitler believes this project will have a widespread impact on the rest of the Paleogene (Lower Tertiary) in the GoM and around the world.

“The work we’re doing here is groundbreaking, and the things that we’re doing will not only set the pace but also the basic design guidelines for everything else done in this kind of environment and these formations,” he said. “I believe API will then take what has been developed and put it into their regulations and specifications. I think other oil companies will look very closely at this and ask the question of ‘Why design something different? Why not just use what’s been proven?’

“First of all, the regulators are going to be scrutinizing this very carefully, and if this is something already passed by the regulators, then that becomes a lot easier for the oil companies to use for their development. I think this is going to have a huge impact on the future of this whole Lower Tertiary area. We don’t take it lightly. This is a big responsibility that we all have—BP, FMC Technologies and Maersk Drilling—to get this project right.”

Bright future

The size and scope of BP’s Project 20K doesn’t end with BP, FMC Technologies and Maersk Drilling. There are future partnerships planned that will address the hundreds of new pieces of kit necessary to develop and produce the Paleogene. From umbilicals to valves, casing strings to production tubing, personnel training and more, enhancements to all will be needed. The capital investments necessary to support R&D efforts, testing facilities, manufacturing facilities and more will keep the industry very busy in the coming years. A decade or more of technology development for Project 20K will further foster the collaborative spirit that has revolutionized the GoM offshore industry since its start at Creole so many years ago.

World's Longest Electrically Heated Flowline Allows HP/HT Field Tieback to Existing Host

The Linnorm gas/condensate field in the Norwegian Sea is technically challenging. The high-pressure/high-temperature (HP/HT) reservoir contains gas with CO2, H2S, and traces of mercury. Although the gas is relatively lean, the associated condensate has waxy properties. Although there are production facilities within 30 to 70 km, this discovery was initially seen as “stranded” gas because of the absence of an export route with available capacity. The wells and subsea concepts would push the limits of existing technology and require some world-first solutions for what will be the highest-temperature subsea field development on the Norwegian continental shelf with the world’s longest electrically heated flowline.

Introduction

The Linnorm gas discovery was made during the first half of 2005 in the Haltenbanken area offshore Norway. Well 6406/9-1 found a 180-m net column of lean gas in a gas-down-to situation in three Jurassic reservoir zones, all under HP/HT conditions (180°C, 800 bara). Two reservoir zones were production tested, both with good results. The field was further appraised by Well 6406/9-2 in 2007, successfully determining the gas/water contact in the key reservoirs.

Several follow-up exploration wells all proved dry. This meant that the projected hub development for the Halten South area was no longer feasible. The likely way forward for Linnorm then was a subsea satellite development, tied back to existing infrastructure when ullage in the Asgard pipeline became available (currently estimated to occur later than 2020). The project was put on hold in 2007 because Linnorm was not expected to be developed before the 2020s. In summer 2008, an opportunity to accelerate the development of Linnorm was identified by making use of potential ullage in the newly commissioned onshore gas-processing plant at Nyhamna, built to process gas from the giant Shell-operated Ormen Lange field. This would require a new 200-km trunkline, the cost of which made the development commercially marginal. The solution was found by entering a new joint venture, the Norwegian Sea Gas Infrastructure project.

The next challenge was to select an option for gas processing. Rather than an expensive new-build platform on Linnorm, the choice was made in mid-2011 for a subsea development with a tieback to the Shell-operated Draugen oil platform. In December 2011, the development concept was confirmed as a two-template, five-well subsea development, with a 55-km directly electrically heated (DEH) flowline tied back to Draugen, and 15 million m3/d of gas-processing capacity installed on Draugen (Fig. 1).

Subsurface Uncertainties

An extensive wireline formation-sampling program showed that the discovered gas is generally fairly dry, with high CO2 content, some H2S, and, on average, 50 µg/std m3 of mercury. The condensate/gas ratio (CGR) varies per reservoir, with evidence for vertical compartmentalization in up to six different reservoir layers. Reservoir quality is variable, with some very good sands but also large sections with lower-quality tight sandstone. The high variability in reservoir quality across the reservoir leads to a number of specific challenges.

Connectivity. The risk of low connectivity has been reduced significantly by a crucial well production test on the two key reservoirs. Fault interpretation shows no evidence of compartmentalization; hence, as a base case, connectivity is assumed to be fieldwide.

Sand Control. Sand screens require a limited drawdown to prevent hotspotting and damage. A limited drawdown then required a choice of subhorizontal wells to obtain sufficient productivity. To drill these wells to 5000 m under HP/HT conditions, with CO2 and H2S in the reservoir fluids, is a significant challenge, requiring a range of material qualifications to ensure well integrity over the lifetime of the field.

Tight Gas. About half of the gas in place is locked up into the tight reservoir layers, with an additional 20% in low-quality rock within the conventional reservoirs. This rock, with 0.01- to 0.05-md permeability, has a very low recovery, and the challenge is to commercially develop it in conjunction with the conventional rock.

The tight reservoir layers provide a second major challenge in terms of differential depletion of the reservoir. The better-quality reservoir layers will deplete quickly from the high initial pressure of 800 bara, with a corresponding drop in fracture gradient in those layers. At the same time, tight layers will remain close to initial pressure for much longer. This imposes a tight time constraint and careful sequencing on drilling the development wells, with a need to get the drainage right the first time.

Water. On the basis of geophysical analysis of the possible extent of an aquifer, offset wells, and analog data, a significant level of water production is expected.

Subsea-Development Decisions

The Linnorm subsea facilities will be composed of two four-slot production template manifolds approximately 3.5 km apart. Each template manifold will produce commingled well streams into a common gas-production flowline by use of a connection spool and flowline tee. Each subsea manifold will include a cooler, to avoid exceeding the flowline-coating design temperature (155°C), and a pressure protection system (PPS), to avoid exceeding the flowline design pressure (300 barg). The 55-km-long flowline will transport the gas to the Draugen host platform for processing and export. The flowline will be insulated to prevent formation of hydrates and wax deposition during normal operation. The flowline will also be electrically heated to prevent formation of hydrates and wax deposition during shutdowns or when otherwise required by prevailing process conditions.

DEH Flowline. A 16-in.-internal-diameter flowline has been selected on the requirement to produce 15 million std m3/d of gas in combination with up to 2000 m3/d of formation water without exceeding the maximum flowline operating pressure of 230 barg. This requirement translates into a flowline design pressure of 300 barg with a 70-bar margin for alarm and trip settings for overpressure control within the subsea PPS.

Flowline heating will be required only during shutdowns, after a no-touch time of 8 to 12 hours, to maintain 25°C or to reheat the flowline from 6°C, the seabed temperature, back to 25°C for startup after an extended shutdown.

Flowline and Riser Design Philosophy. During the concept design phase, it was determined that a fully rated flowline and riser system, with design pressure equal to the closed-in tubinghead pressure (CITHP) of 717 barg, was not feasible. The selected flowline-system concept is a derated or burst-critical (300-barg design pressure) flowline with a nonburst-critical riser capable of withstanding the CITHP. In order to protect the flowline from the well CITHP, a PPS comprising a high-integrity pressure protection system (HIPPS) in addition to the production-shutdown (PSD) system will be installed at the subsea manifolds.

Cooler. The flowing-wellhead-temperature (FWHT) design temperature of 176°C is significantly higher than previous subsea HP/HT developments. The commingled-well-stream temperatures are predicted to range between 150 and 176°C. The higher temperatures exceed the current limit of 155°C for available flowline-insulation materials. A new-design natural-convection compact cooler developed by the subsea-production-system contractor will be used to reduce the well-stream temperature to within the flowline-insulation design temperature. Natural convection offers a simple, robust design with no moving parts. The design consists of relatively short tube sections joined by 180° bends. The gas flows from the inlet header at the top to the discharge header at the bottom. The cooler uses the seawater as coolant, which flows by natural convection from the bottom to the top of the cooler or by forced convection from seabed currents.

Surface Development Decisions

The key surface development decisions for the Linnorm project must be seen in the context of incorporating significant gas-processing facilities onto an existing 20-year-old oil platform. In effect, the Linnorm project is to turn the Draugen oil platform into an oil- and gas-processing facility. The Draugen oil platform is a single-leg gravity-base structure with a relatively traditional topside oil-processing facility, originally designed for 90,000-B/D oil-processing capacity.

The Linnorm project selected an economically optimum gas-export capacity of 15 million std m3/d, and this requirement was incompatible with the existing Draugen gas-handling capacity.

The processing scheme selected to achieve the gas-export specification is shown in Fig. 2. After initial liquid separation, the gas is cooled and mercury is removed (by a metal sulfide bed) before dehydration. In the initial years, an additional valve will be used to provide Joule-Thomson cooling to achieve the required hydrocarbon dewpoint at a higher pressure. This results in lower peak compression power; in later years, the lower compressor suction pressure will coincide with lower flow rates. The gas is then recompressed to achieve an export pressure in excess of 200 bara.

Platform Weight and Space Constraints. As a single-leg platform, the total weight-carrying capacity varies with the platform’s center of gravity. The selected layout (Fig. 3) was a compromise of a number of factors, including

◗ Maximizing the available weight capacity by placing all the nonhydrocarbon-containing equipment on the opposite side of the platform to the main process expansion

◗ Creating additional platform space while minimizing platform brownfield scope by using a hang-off module, which maximized the load-carrying capabilities of the existing structure

◗ Fully exploiting existing areas that were redundant in terms of their original use

◗ Minimizing the effect on crane operations by placing tall equipment at the edge of the platform

New Modules vs. Brownfield Scope. Conventional wisdom would seek to maximize the extent of off-platform construction activities by building self-contained process modules that could be assembled, tested, and precommissioned to the greatest extent possible onshore, thereby reducing the extent of offshore activity. For the Linnorm project, maximizing this principle within the space and weight constraints resulted in the following decisions:

◗ The Linnorm condensate could be mixed with the Draugen oil and processed in the existing facilities with only minor changes to the operating parameters throughout a range of condensate/oil ratios.

◗ The Linnorm produced water, high in barium, will be mixed with the sulfate-rich Draugen produced water and processed in the existing Draugen produced-water-treatment and -reinjection facilities.

◗ The electrical power supply to the new Linnorm equipment will use the existing Draugen electrical infrastructure.

◗ The top-deck equipment was split into two modules to ensure that a wider range of heavy-lift vessels could potentially be used and enhance competition between contractors.

Conclusion

Commercial and technical innovation has been the key to enabling the development of Linnorm, a marginal HP/HT gas field offshore Norway. Development of Linnorm could not be justified following its discovery in 2005 because of the economic and technical challenges that existed at the time. Now, however, advances in subsea technology have made it possible to overcome the inherent challenges of this HP/HT subsea greenfield-to-brownfield tieback. Among these are the longest DEH flowline in the world and the qualification of subsea-production-system equipment for use beyond the current limits of operating temperatures. The new technology, combined with the opportunity to share a new gas export route with other recent discoveries in the Norwegian Sea, has led to a commercially and technically complex, but viable, development.

President’s Column • SPE Introduces An Innovation In HSE Communication

Egbert Imomoh, 2013 SPE President

In my columns, I have talked about innovation and the importance it has in our industry. From the first well logs to horizontal drilling, innovation has been the driving force behind this industry’s successes and the key to the future. There is no place that innovation is more important than in the health, safety, and environment discipline. HSE has been a vital part of our industry since its inception. However, recently our industry has been marked by a number of large-scale safety and environmental incidents that raised strong concerns about operations. These incidents have forever changed our industry and resulted in the demand for an even more vigorous stance on health and safety by authorities worldwide. Although very large volumes of oil and gas are safely produced and moved daily, any incident that causes injury and impacts the environment attracts global attention because of the ease and speed of communication and because many stakeholders watch our operations and demand zero incidents—I believe rightfully so.

This year will mark the start of a new SPE periodical devoted to this discipline. HSE Now, scheduled to debut in March, is a monthly e-newsletter focused on the Health, Safety, Security, Environment, and Social Responsibility (HSSE-SR) discipline. Unlike other SPE periodicals, which rely on SPE-generated content, HSE Now will be a curator of information important to the discipline, collating important news, regulations, and articles about these aspects of oil and gas operations from a wide variety of sources. Members who have chosen HSSE-SR as their primary or secondary discipline will have access to HSE Now automatically; other members will have the opportunity to opt in.

Over the years, attention to the HSE segment of this discipline has grown, with all companies recognizing that protection of life and the environment is a responsibility that is absolutely essential for any company. Fulfillment of this responsibility is linked to the company’s public reputation and its ability to attract and retain quality staff, who scrutinize the company when making employment decisions.

Security also plays an important role. Serious conflict often visits areas of the world where oil and gas are located and the protection of staff to prevent injuries or loss of life is critical. The concept of social responsibility is a fairly late arrival to the discipline, as most companies focused mainly on operating in a financially efficient manner so that a healthy bottom line could be reported. The strict attention to what is good for the shareholder has now been expanded to awareness of what stakeholders demand. Corporate accountability now requires that social and financial interests are given due attention, but this may lead to conflict and stresses (Paine, Lynn Sharp. 2003). Most companies are now aware that they cannot operate separately from societal considerations and aspiring managers embrace these concepts early in their career.

It is this growth and evolution of these important aspects of our operations that led SPE to first establish a discipline on health, safety, and environment and then to expand it to include security and social responsibility. The periodical HSE Now is the latest SPE offering to help our industry in these endeavors, following on a number of special conferences and workshops. I look forward to your comments on the new HSE Now.
