The assignment can be worked on individually or in groups of 2 or 3 of your choosing; however, the write-up should be solely your own work. Place the names of your group members on the assignment cover page.
Introduction
A Blowout Preventer (BOP) is being designed for an offshore drilling facility operating at a depth of 1300m. The drilling operation is from a floating platform rig where monitoring and control of the BOP is conducted.
As a result of a hazard analysis, it has been determined that the "seal off well" function of the BOP is to be a Safety Instrumented System (SIS) in the form of a BOP Emergency Shutdown (BOP-ESD) System that must meet IEC 61508 Safety Integrity Level (SIL) of category 3.
The assignment involves undertaking concept control system design, PLC code development, SIL assessments, and RAM analysis to meet relevant system requirements.
Be sure to record any assumptions you have made in your analysis in an appendix to the assignment.
For context of the importance of the BOP in deep water drilling operations see https://www.youtube.com/watch?v=eOK9J0wETYo
TASK 1
Using candidate components listed above, provide a concept design for the BOP-ESD. Also, indicate and justify the fault tolerance levels used for the safety function.
For your design you can assume the following:
- There is sufficient space in the BOP to include at most one PLC and at most 2 DCVs.
- There is sufficient space in the BOP stack to include at most 1 additional Blind Shear Ram valve. If you decide the additional Blind Shear Ram valve is necessary, comment on and justify its preferred location within the BOP stack by considering common mode failures.
- There is sufficient electrical power and hydraulic power that can be obtained from existing BOP infrastructure to power all BOP-ESD components under normal operating conditions.
- All candidate components are classified as "Type A" or simple devices.
- The design should minimise component count but still meet all requirements.
Draw a RBD for the safety function of the BOP-ESD. Determine the PFD for the safety function and resulting SIL achieved. State the proof test interval required for the BOP-ESD components. All BOP-ESD components are to have identical proof test intervals. Use appendix B for relevant formulas.
TASK 2
Undertake RAM analysis to show if the BOP-ESD meets RAM system requirements. For RAM analysis purposes assume the following:
- The Mean Time To Repair (MTTR) for all subsea components in the event of the safety function activating is 2880 hours.
- All redundant items are non-repairable.
- Where the dangerous undetected failure rates are known for a component, then the residual failure rate (i.e. total failure rate minus the dangerous undetected failure rate) results in a fail safe condition for that component. Use appendix C for relevant formulas.
Note, the system is not fail safe, that is, the DCVs are normally closed and the BOP Blind Shear Ram valve is normally open, so in terms of RAM analysis you will need to consider only those fault conditions that will cause the SIS to activate the safety function as a false positive.
TASK 3
Develop full PLC ladder logic for the logic solver to implement your SIS design based on the fault tolerance and redundancy levels chosen. Base your design on the same Omron PLC hardware (CPU and I/O modules) and development environment (CX-Programmer) as is used in the laboratories. Your design should consider the following:
a. The sea water pressure at a depth of 1300m is 1900 psi.
b. The PT that measures sea water pressure provides a 4-20mA output signal related linearly to a pressure range of 0 to 4000 psi. The load resistor used at the PLC for this PT 4-20mA input is 500Ω. This PT has an accuracy (3σ) of ±0.5 % FS (max).
c. The PT that measures hydraulic supply pressure provides a 4-20mA output signal related linearly to a pressure range of 0 to 10,000 psi. The load resistor used at the PLC for this PT 4-20mA input is 500Ω. This PT has an accuracy (3σ) of ±1 % FS (max).
d. The PLC analogue input module has a voltage input range of 0-10V.
e. The communications health detector provides a 0VDC digital low signal when the communications health status is "down" and a 24VDC digital high signal when the communications health status is "up". To avoid false tripping due to transient failures, the communications fault condition alarm should only be tripped if the status is "down" continuously for more than 20 seconds.
f. The PLC digital input module has a voltage input range of 0-24VDC.
g. When 0VDC is supplied to the DCV then the hydraulic pressure that is supplied to the valve actuator is low and the valve is in the open state. When 24VDC is supplied to the DCV then the hydraulic pressure supplied to the valve actuator is high and the valve is in the closed state.
h. The PLC digital output module has a voltage output range of 0-24VDC.
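The signal conditioning implied by items a to e, modelled in Python as an added example (it is not part of the assignment brief and is not ladder logic): 4-20mA across 500Ω scaled to psi, the transmitter error band, and the 20 second on-delay for the communications alarm. The 3.6 mA open-loop threshold, the non-latching alarm and all function names are assumptions that do not come from the brief.

```python
"""Added example: signal conditioning for the Task 3 inputs, modelled in Python."""

LOAD_OHMS = 500.0          # load resistor at the PLC input (items b, c)
FAULT_MA = 3.6             # ASSUMED open-loop threshold; the brief gives none
COMMS_DELAY_S = 20.0       # item e: "down" must persist longer than this


def psi_to_volts(psi, span_psi):
    """Voltage across the load resistor for a linear 4-20 mA transmitter."""
    ma = 4.0 + 16.0 * psi / span_psi
    return ma * LOAD_OHMS / 1000.0


def volts_to_psi(volts, span_psi):
    """Invert the scaling; return None when the loop current is below live zero."""
    ma = volts * 1000.0 / LOAD_OHMS
    if ma < FAULT_MA:
        return None            # broken wire or dead transmitter, not 0 psi
    return (ma - 4.0) * span_psi / 16.0


def error_band_psi(span_psi, pct_fs):
    """Worst-case (3 sigma) transmitter error in psi for a % FS accuracy."""
    return span_psi * pct_fs / 100.0


class CommsFaultTimer:
    """On-delay timer: alarm only after the link is "down" for more than 20 s."""

    def __init__(self, delay_s=COMMS_DELAY_S):
        self.delay_s = delay_s
        self.down_for = 0.0

    def scan(self, link_up, dt_s):
        """Call once per scan with the health input and the scan period."""
        # Any "up" sample resets the accumulated time (assumed non-latching).
        self.down_for = 0.0 if link_up else self.down_for + dt_s
        return self.down_for > self.delay_s


if __name__ == "__main__":
    print("sea water 1900 psi ->", psi_to_volts(1900, 4000), "V")
    print("sea water band  +/-", error_band_psi(4000, 0.5), "psi")
    print("hydraulic band  +/-", error_band_psi(10000, 1.0), "psi")
    print("open loop (0 V) ->", volts_to_psi(0.0, 4000))
```

The live zero means a healthy loop never reads below 2 V on the 0-10V input, so a reading near 0 V can be treated as an instrument fault and not as a pressure of 0 psi.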
Attachment:- Assignment_ET.rar