Safety Instrumented Systems / Intrinsic Safety

BP Renews Safety at North Slope Gathering Center

From HAZOP to Handover. How BP Reduced Risk and Achieved IEC 61511 Compliance

By Jim Montague

HUG2014 header

Upgrading process safety systems is challenging in the best conditions and times—doing it at -40 °F is a little more tricky. But that's what BP Exploration just accomplished at its Gathering Center 1 (GC1) facility in Prudhoe Bay, Alaska.

The venerable GC1 was built and started up about 37 years ago in 1977 and was originally designed to process about 350,000 barrels of raw crude oil per day. Though its present daily volume is less than in its heyday, GC1 still separates crude oil from water and gas taken in from seven wellhead pads located half a mile to five miles away. After such a long tenure, GC1's safety capabilities were due for re-evaluation and renewal. In due course, this involved upgrading some 1,123 I/O components, installing 14 new valves, adding 73 pressure indication transmitters (PITs) and six level indication transmitters (LITs). BP also migrated 19 other sensor/transmitters, 133 valves and five rotating devices.

"We needed to revamp GC1's safety shutdown system and provide a safety instrumented system (SIS) conforming with the ISA 84/ IEC 61511-1 standard," said Sam Murphy, I&C and automation engineer at BP. He presented "GC1 Safety System Renewal Project" today at the Honeywell Users Group (HUG) Americas Symposium in San Antonio, Texas. "Previously, we had relay and PLC logic co-mingled with our basic process control system (BPCS), but they didn't comply with ISA's standards, and we also needed to reduce our risk. So we began by revalidating our HAZOP (hazard and operability) analysis, and this gave us our independent protection layers (IPLs) and safety instrumented functions (SIF) list. These formed the basis of our project design and P&IDs. We also evaluated the risks that might come from any of the new SIFs and made sure we'd achieve sufficient integrity level to reach our risk-reduction targets and successfully comply with the ISA standard."

Honeywell Safety Manager Chosen

After evaluating several solutions, BP decided to implement Safety Manager (SM) logic solvers from Honeywell Process Solutions (HPS). This required one SM and five remote I/O cabinets with 21 Remote Universal Safety I/O (RUSIO) nodes at GC1, and another SM at each of the pads. "We also established two fault-tolerant Ethernet (FTE) communities, one for GC1 and another for the wellpads in our local Western Operating Area (WOA)," explained Murphy. "Microwave communications between GC1 and the wellpads needed this two-FTE community approach to comply with BP's digital security requirements, and WOA also had to make sure no SafeNet communication takes place over the microwave paths."

Murphy added that GC1 and other process applications on the North Slope typically use microwave communications because fiber-optic lines are expensive to run, and because installation time is precious during the short summer season. So BP also upgraded its microwave communications from 43 Mbps to 150 Mbps on several wellpads and installed a fiber-optic link between GC1 and nearby Gathering Center 2 (GS2), which is another four miles away and manages flows form another 11 wellpads. To determine exactly what safety instrumented functions (SIFs) and SISs it required, BP worked with AE Solutions, a process safety consultant located in Houston and Anchorage. BP also contracted with GCI, a system integrator in Anchorage, to complete its networking upgrades.

"This is a very brownfield environment, so migrating existing safety-related interlocks to SM meant keeping existing non-safety controls and interlocks in our BPCS," explained Murphy. "We also needed to replace pressure and level switches and bring existing output from our legacy logic solver to final control elements into SM as a digital input interlock. SM's output to the final control element is never in series with another control signal, and local controls and legacy control system can never override the safety function of any SIF. SM's output is the master of the final control element."

Lessons Learned, Challenges Overcome

As a result, SIFs for the wellpads were cut over during a planned full-pad outage in summer, while SIFs for GC1 were done during partial plant outages by using different process trains or redundant systems. "It took longer to upgrade GC1 this way, but we wanted to minimize any impact on production," added Murphy. "We also completed our factory acceptance testing (FAT) for this project, including all SMs, I/O channels, marshalling equipment and microwave upgrades, in about six weeks at HPS' Customer Solutions Center in Houston."

Murphy offered the following lessons learned:

  • SIF scope should be set and validated in early stages of the project, and HAZOP analysis conducted early as well;
  • IPLs should be well-defined and validated early too;
  • The logic and graphical interfaces should be tested with operations participation, using an office test system long before FAT;
  • Operator support for the project during design and execute stages is crucial for success;
  • Field verification of the existing instrumentation that will be migrated into the new SIS early in the project will identify what must be upgraded or changed;
  • Functional safety assessments (FSAs) should be conducted at the completion of each safety lifecycle phase;
  • In brownfield environments, the cost of field discovery during construction and commissioning far outweigh any savings associated with reusing existing wires and junction boxes. So plan to use new cables, wires and junction boxes from the start.

Despite the challenges and this being the first project of its kind for BP's AF&G (automation, fire & gas) program, the joint project teams worked together to safely deliver a successful project. All systems have been installed, cut over, commissioned and handed over to operations, which is delivering risk reduction and improved reliability for our facility. Also, training for operators and for maintenance technicians has been delivered, and new alarms have been rationalized and documented. Lessons learned were collected and documented for continuous improvement on future projects."