Applying IEC 61511 to BOPS

Over time, complexity and redundancy in BOP stack functions have increased in order to improve BOP functionality and reduce the likelihood for blowouts leading to major accidents. Application of the IEC 61508/61511 framework to safety critical BOP functions could lead to a reduction of complexity while maintaining the same level of safety integrity.

Subsea Blowout Preventers (BOPs) have evolved from simple stacks with limited redundancy to multiple ram configurations with complex redundant capabilities. Increasing the number of redundant capabilities for BOPs reduce the potential for loss of BOP functionality and thereby major accident potentials. However, increasing the number of components also lead to an increased failure frequency, where each failure has the potential to result in having to pull the BOP stack.  Pulling the stack has a significant cost impact due to the associated delays and increased rig time.

Based on the following principles, the application of the IEC61508/61511 approach on BOPs could be more beneficial than a general increase in redundant capabilities.

  • Functional Safety Management plans (FSMP) for BOPs will ensure that focus lies on the BOP performance throughout its lifecycle, from concept design and engineering through operations.

  • SIL allocation will ensure that the safety requirement assigned for the BOP functions is commensurate with the design intend and the actual operation. In other words, the safety requirements cover the field specific probability of kicks and blowouts and the potential consequence of these scenarios. Further, the safety requirements should be based on the other barriers in place. This will increase transparency and ensure that redundant capabilities are sufficient, but at the same time not excessive for the operation in question.

  • Development of Safety Requirement Specifications for the BOP will ensure that requirements placed on the safety functions are clearly documented and specific for the operation in question

  • Safety Integrity Level (SIL) verification of the BOP will ensure that the safety requirements placed on the BOP functions can be demonstrated with the stack design. Moreover, the output from the SIL verification may allow for adjustment of test intervals if it is allowed by regulations. Optimization of test intervals may reduce both operational time and OPEX while reducing the number of opportunities for human errors in connection with periodic test and maintenance.

On the NCS, the NOG-070 (OLF-070) guideline puts the following requirements on the drilling related safety functions:

  1. Seal around drill pipe (SIL 2)

  2. Seal an open hole (SIL 2)

  3. Shear drill pipe and seal off well (SIL 2)

Function 1 is carried out by one or more of the annular preventer(s) and pipe rams (depending on the BOP design and the drilling operation), while Function 2 and 3 are performed by the blind shear ram(s). NOG-070 includes all components involved, from the push-button to the actual closing of the rams in the Safety Instrumented Function (SIF).

However, there are several challenges with SIL verification of BOPs compared to standard SIFs:

  • The Human Factor – there is no sensor/automatic initiation of the safety function, hence estimating a failure rate for initiation of the SIF is difficult

  • There are often multiple rams that may or may not provide redundancy, based on the operational circumstances

  • There are no fail safe positions for the final elements in the SIF. Hence, all auxiliary systems shall be included

  • There are multiple passive components that shall be included in the SIF

  • There is limited failure data available

  • Frequent testing and potential for large contribution of test independent failures

ORS has extensive experience in assisting our customers in all phases of the IEC61511 / 61508 SIS lifecycle for BOPs, including:

  • Customized risk identification workshops

  • In-depth FMECA workshops to identify all components involved in the SIFs

  • Classification of SIFs and SIL allocation

  • Development of SRS

  • Validation and SIL verification of the SIFs

  • Monitoring of SIF performance during operation including special assistance for collection and classification of BOP failure data