Subsea success
23 Nov 2005
Traditionally, the flow lines are designed to withstand the wellhead pressure, with the HIPPS systems located topsides to protect the process. In this instance, it was realised that major capital savings could be made on the flow lines if the HIPPS could be relocated closer to the wellheads.
Although this is a simple concept, realisation requires technology that combines the highest integrity with the highest reliability and availability. The combination of these three features is often a balancing act: increase the integrity and nuisance failures reduce availability; or incorporate redundancy to improve availability and reliability falls because more components are involved.
A number of other constraints inherent in the system include diversity from control functions; built-in remote communications; autonomous shutdown functions; remote testability; space (the system must fit into the existing subsea control module, SCM); weight; and power.
Suggestions had been made to build a new system using integrated electronics. However, the client quickly rejected this approach, and referred to his experience with the magnetic logic systems used on most Shell platforms in the
The resulting subsea HIPPS comprised two banks of triplicated transmitters, each voted 2oo3 (two out of three), with the voted states ANDed such that either bank tripping would trip all outputs. The outputs comprised two ESD (emergency shutdown) valves, each operated by redundant solenoid valves (SOV), such that SOV closing would shut down the flow line via the ESD valve.
Manual shutdown was required via the serial communications interface to the SCM controller using redundant serial interfaces. Facilities to override inputs and test outputs remotely were also required via this serial interface, with provision for partial closure testing of the ESD valve.
On a topsides HIPPS, transmitters would be powered by a field power supply and the input to the HIPPS system would be fused. Failure of a transmitter would cause the voting to fall back to 1oo2. For subsea use, however, with a SIL 4 integrity requirement, this is insufficient. Fuses are not allowed for obvious reasons, and failure modes must be guaranteed. To address this, two-wire transmitters were used with current-limiting resistors applied to prevent damage to the input circuits.
The power for each transmitter loop was derived from inherently failsafe output drivers from the HIPPS system such that they could be powered down from topsides via the serial interface, guaranteeing that the input loop would go to a trip on that input. The output driver power-supply modules are inherently failsafe, certified by TÜV to Class AK7, such that it is virtually impossible for the output to be on when the input request is for off (see Figure 1 below).
This design addressed the problem of fallback voting and predictable failure modes. However, to satisfy SIL 4, other diagnostics were required for the transmitters. The devices selected were intelligent with some programmable failure modes based on internal diagnostics, which were supplemented by additional diagnostics in the HIPPS system.
The problem with analogue signals is that the only way to verify that the reported value is correct is by comparing it with a reference or other measurements from the same source. The analogue input values were repeated to the subsea control system such that some relative comparisons could be made, but this was not possible in the HIPPS logic. Each input circuit is isolated, and transfer of analogue values between circuits was impracticable. If the analogue value is below the trip level, the HIPPS system presumes that each analogue value is correct (see Figure 2 below).
To enhance the diagnostics, each HIPPS analogue input was programmed to detect process noise within a threshold range. Should the noise level fall below the threshold for a limited duration, the HIPPS would declare that input faulty and trip that channel. It was not anticipated that this would be used in anger, but in fact, owing to a latent problem in the transmitters, after several years’ operation faults occurred which froze the transmitter outputs — faults that were only detected by this feature. Ultimately, the transmitters had to be replaced.
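The voting arrangement and the frozen-signal diagnostic described above can be modelled in a few lines. This is an added example, not code from the article or from Yokogawa: the class names, the pressure values, the noise threshold and the five-sample window are all assumptions, and peak-to-peak spread is used as a simple stand-in for the noise measurement.

```python
from collections import deque

class AnalogueInput:
    """One input channel: high-pressure trip plus frozen-signal diagnostic."""
    def __init__(self, trip_level, noise_threshold, window):
        self.trip_level = trip_level
        self.noise_threshold = noise_threshold
        self.samples = deque(maxlen=window)
        self.faulty = False  # latched once the signal has been seen frozen

    def update(self, value):
        """Feed one sample; return True if this channel votes for a trip."""
        self.samples.append(value)
        if len(self.samples) == self.samples.maxlen:
            # Peak-to-peak spread over the window stands in for process noise.
            spread = max(self.samples) - min(self.samples)
            if spread < self.noise_threshold:
                self.faulty = True
        return self.faulty or value >= self.trip_level

class Hipps:
    """Two banks of three channels; each bank voted 2oo3, either bank trips."""
    def __init__(self, **channel_args):
        self.banks = [[AnalogueInput(**channel_args) for _ in range(3)]
                      for _ in range(2)]

    def scan(self, readings):
        """readings: two lists of three values. True means trip all outputs."""
        bank_trips = []
        for bank, values in zip(self.banks, readings):
            votes = [ch.update(v) for ch, v in zip(bank, values)]
            bank_trips.append(sum(votes) >= 2)
        return any(bank_trips)

def healthy(i, base=150.0):
    # Constructed healthy signal: base pressure with alternating +/-0.2 noise.
    return base + (0.2 if i % 2 else -0.2)

def demo():
    hipps = Hipps(trip_level=200.0, noise_threshold=0.05, window=5)
    history = []
    for i in range(8):
        bank_a = [healthy(i), healthy(i), 150.0]  # third transmitter frozen
        history.append(hipps.scan([bank_a, [healthy(i)] * 3]))
    frozen_flagged = hipps.banks[0][2].faulty
    # With one channel already tripped, a single real overpressure completes 2oo3.
    tripped = hipps.scan([[210.0, healthy(8), 150.0], [healthy(8)] * 3])
    return history, frozen_flagged, tripped
```

A frozen transmitter alone raises a channel fault without shutting in the flow line, but it leaves that bank one genuine high reading away from a trip.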
The weaknesses in any high-integrity system are primarily the process valve and secondly the input transmitters. These are in the process line, and are the items most prone to failures caused by the process. To compensate for this, test features are included to allow online periodic testing in between longer-interval full function testing.
For transmitters, this testing was linked to the facility for clearing impulse lines. Methanol injection into impulse lines would clear the orifice and would cause an instantaneous overpressure. This overpressure generates a trip condition on the HIPPS input, which produces an alarm but no trip as it is only one channel. By cleaning impulse lines individually, a full input test is performed.
For the ESD valve, periodic partial closure testing provides justification for extending the full closure test interval. The test request is a pulse that is processed as a ‘one shot’ function, which is latched. This results in the output to the ESD valve solenoid(s) de-energising, thereby causing the valve to close.
The ‘one shot’ function ensures that a test request is not held on if the incoming request pulse fails to a steady ‘on’ position. The position of the valve is monitored by a VPI (valve position indicator) to an analogue trip amplifier. When the valve reaches a set position, the trip amplifier trips and the test latch is reset. If the VPI feedback does not occur in a set time, the test is cancelled by an inherently fail-safe timer. Genuine trip demands are not disabled during the test cycle.
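The partial-closure test sequence above behaves like a small state machine, sketched here as an added example that is not taken from the article or the ProSafe-SLS product. It is a scan-based software model of what the article describes as hardwired logic; the class name, the scan-counted timeout and the input names are assumptions, and trip latching and reset are left out.

```python
class PartialStrokeTest:
    """Scan-based model of the ESD valve partial-closure test latch."""
    def __init__(self, timeout_scans):
        self.timeout_scans = timeout_scans
        self.prev_request = False
        self.latched = False
        self.elapsed = 0

    def scan(self, test_request, vpi_at_test_position, trip_demand):
        """Return True while the ESD solenoid output is energised (valve open)."""
        # One shot: only a rising edge starts a test, so a request that
        # fails to a steady 'on' cannot hold the test on or restart it.
        rising = test_request and not self.prev_request
        self.prev_request = test_request
        if rising and not self.latched:
            self.latched, self.elapsed = True, 0
        elif self.latched:
            self.elapsed += 1
            # Reset on VPI feedback, or cancel when the test timer expires.
            if vpi_at_test_position or self.elapsed >= self.timeout_scans:
                self.latched = False
        # A genuine trip demand de-energises the output whatever the test state.
        return not (self.latched or trip_demand)

def run(test, scans):
    """Apply (test_request, vpi_at_test_position, trip_demand) tuples in order."""
    return [test.scan(*s) for s in scans]

def stuck_request_demo():
    # Constructed case: request pulse fails 'on'; VPI feedback arrives on scan 3.
    scans = [(True, False, False), (True, False, False),
             (True, True, False), (True, False, False)]
    return run(PartialStrokeTest(timeout_scans=4), scans)

def timeout_demo():
    # Constructed case: valve never reports the test position; timer cancels.
    scans = [(True, False, False)] + [(False, False, False)] * 4
    return run(PartialStrokeTest(timeout_scans=3), scans)
```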
Concern was initially expressed at the ability of the HIPPS system to meet environmental requirements, specifically shock and vibration but also temperature and humidity. The original design required a 24-inch rack for the complete HIPPS logic and input/output processing. The first-pass build revealed the rack to be a 19-inch rack with a bolted-on extension, so this was quickly replaced by a purpose-built rack prior to client inspection, highlighting the importance of adapting to special requirements. In this instance, it had not been appreciated by the assembly engineer that this would be a problem. The rack was issued for shock and vibration testing and passed first time.
The complete logic system, including the powering of transmitters, solenoid valves and the communications interface required 4A at 24Vdc. The ProSafe-SLS logic system is based on magnetic core technology using dynamic current pulses on a 1ms clock frequency. The current pulses are 0.5A in amplitude, which provide extremely high immunity, but they are only 50ms in duration, which results in very low overall consumption and low heat dissipation.
The Kingfisher project went on line in late 1997, and the system operated with no problems until a series of transmitter faults was reported by the HIPPS system.
Despite attracting much attention — as the savings in flow-line costs were several million dollars and the whole project was brought on stream early and under budget — the solution was not repeated for five years. It had always been recognised that this was a project to create an impact, with Yokogawa providing a solution to enhance the capability of the subsea control systems supplier.
After five years of successful operation, a spate of repeat systems finally followed in the
Des Irvine is systems sales and marketing director with Yokogawa UK.