Berit Gravgaard

Operations Technician on

the South Arne platform

Denmark

The extension of the production facility includes two new wellhead platforms, one bridge-linked to the existing production platform on the field (South Arne), and the other one located 2.5 km north of South Arne. The east and the north wellhead platforms will have slot-capacity for a total of 10 and 16 wells respectively, of which some will be for water injection.

A 36” carrier pipe on the seabed links the north wellhead platform to the South Arne production facility containing a 10” production pipeline, 8” water injection pipeline and a 6” gas lift pipeline, chemical lines and an umbilical with high voltage and optical fibre cables.

Functional Safety

The Piper Alpha production platform exploded on the 6th July 1988 killing 167 men. A lot of things have been learned from this disaster, both with regards to human work practices and design of platforms and systems on board. Safety is many things, and can be incorporated in nearly every aspect from building a platform to the everyday life on board. The more perfect and complete the design of automatic systems on board, the better hazardous situations due to human errors can be avoided.

As a new initiative to further-improve safety, Hess has implemented the international Functional Safety standard IEC61511 in order to follow the latest safety standards in terms of electronic safety systems in the design of the new wellhead platforms.

The international Functional Safety standard IEC61511 – Functional safety, Safety Instrumented Systems for the process industry – describes the minimum requirements for safety systems in the process Industry and is built based on the IEC61508 standard – Functional safety of electrical/ electronic/programmable electronic safetyrelated systems.

The Term “Functional Safety” Relies on Active Systems

Functional safety is the part of the overall safety depending on a system or equipment operating correctly in response to its input. The detection of a potentially hazardous event results in the activation of a protective or corrective device, and by that avoiding escalation of the hazard.

Functional Safety is a fundamental way of working and it ensures that the safety systems provide the necessary risk reduction. Functional Safety has great focus on reduction of faults in design and procedures. The standard applies to the entire safety loop, including SIL (Safety Integrity Level) rated field devices, field actuators, I/O modules and controllers and covers all aspects of safety including design, construction, installation, commissioning, maintenance, change management and de-commissioning.

Deep-water Construction Vessel Balder (HEEREMA) handling the jacket for the new Wellhead Platform East. To the left, the oil and gas production platform South Arne.

It is an on-going process throughout the system lifetime to prove that the technical systems, documentation and technical qualifications of personnel meet expectations of the standard. On South Arne, DNV (Det Norske Veritas) is used as an independent controlling authority to make sure that the standard is followed.

Integrated Control and Safety System

Both new wellhead platforms are designed to be unmanned which means that the daily production does not require any personal attendance. Monitoring and control of the production is done remote from the South Arne control room. The control and safety system for the platforms is delivered by ABB.

Hardware controllers and the human machine interface software system are configured to comply with SIL, to meet the requirements of the IEC 61508 and 61511 and the system is designed to help the operator as well as the system engineer to reduce plant risk caused by human errors.

The control system on South Arne and the new wellhead platforms are built from three main parts, Process Control System (PCS), Process and Emergency Shut Down (PSD/ESD) and Fire and Gas (F&G).

The PSD/ESD system handles all hazardous situations that arise in the production system, for example too high pressure in a vessel, and closes the plant down in a controlled and safe manner. Depending on the severity of the hazard, the plant can be closed down in different levels – from only closing the wells to full depressurisation of the plant and electrical isolation.

The F&G system monitors indication of flames, gas leaks, smoke and heat – and reacts by initiating the ESD system, releases the fixed fire fighting system if required and warns the crew on board by initiating the platform general alarm. Everything is automatic and does not require any intervention from the operator.

In Practice

In practice, the correct field equipment, software and hardware are chosen based on a SIL report which is the outcome of a SIL assessment carried out in the early design stage, where a multidiscipline team (in this case process engineers, a safety group, HESS representatives and a chairman) is gathered to go through all the different process systems in the design.

The SIL assessment is carried out from a structured workflow where all systems are broken down into smaller sections. Every section is discussed and situations that could represent a risk are assessed. The assessment of each risk results in a rating in three categories: risk to personnel, equipment/operation and environment and the highest rate of the three categories defines the SIL level of that particular section.

If a SIL level is considered too high (meaning that the risk is not at a tolerable level) the SIL level can be lowered by adding additional safety measures to the design. That could be an additional ESD valve or an extra ESD pressure transmitter to get redundancy, welding sections of piping together instead of having flange-connections, upgrade pipe-spec to a higher pressure class or to do preventive maintenance on a specific part of equipment more frequently. So it is a process of going through the entire design and consider if the SIL levels are satisfactory or if any improvements have to be made.

The report contains the requirement in terms of Safety Integrity Level for each piece of field equipment.

But it is not only a matter of buying the right equipment. The response time of the hardware and software, from an occurring event to the desired action, is also considered and has to comply with the overall highest SIL level.

Furthermore, when the wellhead platforms are completed and normal production commences, there will be considerably extensive work with regards to documentation if changes have to be made in the safety system and if technicians working on any part of the safety systems have to have the right skills.

Again, this is part of complying with the Functional Safety Standard, and by that it reduces plant risk caused by human error.