DEMONSTRATING SAFETY OF NOVEL SOLUTIONS
With examples from subsea electric technology
Preliminary Chapters to include
Note: the textbook is rather abstract. It will be hard to develop examples to demonstrate. We need case studies to support the textbook.
PART I FRAMEWORK
1 Principles and approach for safety demonstration 3
Tore Myhrvold, Andreas Hafver, Odd Ivar Haugen
1.1 Governing principles and approach 5
1.1.1 Governing principles 5
1.1.2 Basis for the safety demonstration approach 6
1.1.3 Overview of the safety demonstration approach 6
1.2 Guidelines for safety demonstration 8
1.2.1 Process guideline (Chapter 2) 10
1.2.2 Comparison guideline (Chapter 3) 11
1.2.3 Argument guideline (Chapter 4) 12
2 Safety demonstration process for novel subsea solutions 15
Tore Myhrvold, Andreas Hafver
2.1 Motivation 15
2.2 Overview of safety demonstration process 17
2.2.1 The main steps of safety demonstration 17
2.2.2 Safety demonstration perspectives 18
2.2.3 The overall safety demonstration process 21
2.2.4 Types of novelties and paths to safety demonstration 21
2.3 Overall risk assessment 25
2.3.1 Establishing the context 26
2.3.2 Risk identification 26
2.3.3 Risk analysis 27
2.3.4 Risk evaluation 28
2.4 Risk treatment 30
2.4.1 Risk management strategies 31
2.4.2 Barrier strategies 32
2.4.3 Safety design and operating principles 33
2.4.4 Defining barrier performance requirements 34
2.5 Technology qualification 35
2.5.1 Qualification basis 36
2.5.2 Technology risk assessment 37
2.5.3 Qualification plan and execution, and verification of performance 39
Appendix 2A: Types of failure 42
Appendix 2B: Safety demonstration plan 43
3 Risk description and safety comparison 47
Andreas Hafver
3.1 Risk description and safety comparison approach 49
3.1.1 Uncertainty-based risk description 50
3.1.2 Use of this guideline 51
3.2 Preliminary screening of novelties, challenges, and opportunities 51
3.3 Detailed risk description 53
3.4 Comparing safety of alternative solutions 53
Appendix 3A: Tables 54
4 Developing a safety argument 61
Odd Ivar Haugen
4.1 Overview of the Argument guideline 63
4.1.1 Organization of the guideline 64
4.2 Theory and principles 65
4.2.1 Systems approach and First principles 66
4.2.2 Create grounds for justified confidence 66
4.2.3 Objectivity and knowledge 67
4.2.4 Structuring and documenting strength of knowledge 70
4.3 Demonstrating safety 75
4.3.1 Step 1: Identifying adequate and relevant safety requirements 75
4.3.2 Step 2: Argument of the fulfilment of safety requirements 81
Appendix 4A: Evidence and evidence properties 83
PART II NORWEGIAN SUBSEA CONTEXT
5 Overview of the offshore regulatory regime in Norway 89
Andreas Hafver
5.1 As good as, or better than 90
5.2 Responsible authorities 90
5.3 Acts and regulations 91
5.4 Key principles of the PSA regulations 92
5.5 Regulatory requirements for safety functions and barriers 93
5.6 Standards and guidelines 94
5.6.1 IEC 61508 95
5.6.2 IEC 61511 95
5.6.3 NOG 070 96
5.6.4 NORSOK S001
5.6.5 NORSOK U001
5.6.6 ISO 13628 97
5.6.7 API standards 99
5.7 Safety design principles in the regulations 100
5.8 Use of functional safety standards and SIL requirements 101
6 Gaps and challenges in the Norwegian legal framework 105
Andreas Hafver
6.1 Subsea hazards versus topside hazards 106
6.2 Gaps and challenges 107
7 Subsea risk picture 113
Andreas Hafver, Andreas Falck, Bjoern Soegaard
7.1 System definition and boundaries 114
7.2 Consequences of concern 115
7.3 Events of concern 116
7.3.1 Loss of containment 118
7.3.2 Loss of function 120
7.3.3 Loss of communication 121
7.4 Hazards of concern 121
7.5 Relevant safety barriers subsea 123
7.6 Important uncertainties subsea 125
7.7 Other challenges in subsea risk management 125
7.8 Summary and concluding remarks 127
Appendix 7A: Tables—Consequences of concern in subsea oil and gas activities 127
Appendix 7B: Tables—Threats to subsea facilities and umbilicals 131
PART III PRINCIPLES AND METHODS
8 Uncertainty based risk 139
Roger Flage, Andreas Hafver, Christine Berner Nyvik, Andreas Falck
8.1 The risk concept 140
8.1.1 Risk description 140
8.1.2 Types of uncertainty in relation to risk 141
8.2 Assumptions and risk 142
8.2.1 Definition of assumption 143
8.2.2 Identifying assumptions 143
8.2.3 Evaluating assumption criticality 144
8.2.4 Strength of knowledge 144
8.2.5 Sensitivity 145
8.2.6 Belief in deviation 146
8.2.7 Treating assumptions 146
8.3 Risk management strategies 147
8.4 Summary 149
9 Assessing safety from a systemic and lifecycle perspective 151
Andreas Hafver, Dimitrios Kostopoulos, Nanda Anugrah Zikrullah
9.1 Background 152
9.1.1 Challenges for operators 153
9.1.2 Need for new risk management strategies 153
9.2 Safety from a systemic perspective 154
9.2.1 Current approach 154
9.2.2 Safety is not equal to reliability 155
9.2.3 Systemic safety approach 156
9.2.4 Top-down versus bottom-up approaches 159
9.3 Safety from a lifecycle perspective 162
9.3.1 The need for a lifecycle perspective 162
9.3.2 Assumption-based planning 164
9.3.3 Assurance case for following up assumptions 166
9.4 Prognostics, health management, and real-time risk models 169
9.5 Concluding remarks 170
10 Aspects of fail-safe
Kenneth Kvinnesland
10.1 Failure events for computer controlled systems 174
10.2 Principles for maintaining or going to a safe state 176
10.2.1 De-energization combined with passive safety mechanisms 176
10.2.2 Use of programmable electronics while moving to or maintaining safe state 178
10.3 Fail-safe related mechanisms in rules and regulations 182
10.3.1 The legal framework 182
10.4 Comparison with requirements in other industries 183
10.4.1 Use of the term fail-safe
10.5 Isolation of a subsea well using electric motors 188
10.5.1 Subsea system characteristics 188
10.5.2 Design for Fault Detection Isolation and Recovery 190
10.6 Conclusion 194
Appendix 10A: Tables 194
11 Aspects of independence 201
Meine van der Meulen
11.1 Requirements in Norwegian regulations and standards 202
11.2 Generic definitions of independence 202
11.3 Independence requirements in IEC 61511 and IEC 61508 203
11.3.1 Independence in IEC 61511 203
11.3.2 Independence in IEC 61508 204
11.3.3 Summary of independence from excerpts from IEC 61511 and IEC 61508 205
11.4 Aspects of the definition of independence 206
11.5 Other definitions of independence from the literature 207
11.6 Conclusion 207
11.7 A systems approach to independence analysis 207
11.7.1 Introduction to emergence and hierarchies 208
11.7.2 Levelism and relationships 210
11.8 The Method of Levels of Abstraction 211
11.9 Introduction to the CESM model 213
11.9.1 The CESM model: a way of thinking about systems 213
11.9.2 System failures in the context of the CESM model 214
11.9.3 System analysis in the context of the CESM model 215
11.10 Combining the Method of Abstraction and the CESM model 216
11.11 Independence as a means to achieve safety in the context of the CESM model 220
Appendix 11A: Tables 222
12 The systems approach 225
Odd Ivar Haugen
12.1 The systems approach 225
12.1.1 What is a systems approach, and why is it necessary? 225
12.1.2 CESM metamodel—a model of models 226
12.1.3 Complexity, the CESM metamodel, and software 228
12.1.4 The complex and the simple 229
12.2 System models and levelism based on the CESM metamodel 231
12.2.1 Model diversity 232
12.2.2 Model consistency and relationships 234
12.2.3 Shifting between Levels of Abstraction (LoA) 235
12.2.4 Methods and models 236
12.3 A systems approach to assurance in operation 238
12.3.1 The position of algorithms in the verification effort: Algorithm based Verification Agents 239
12.4 A systems approach to independence 240
12.5 A systems approach to fail-safe (de-energize/energize to safe) 242
13 Analysis methods 245
Odd Ivar Haugen
13.1 Functional analysis system technique (FAST) 245
13.1.1 A quick FAST overview 246
13.1.2 FAST workshop process 247
13.1.3 Discussion 248
13.2 System theoretic process analysis (STPA) 249
13.2.1 STPA basics 249
13.2.2 The STPA process 249
14 Towards safe integration 255
Nanda Anugrah Zikrullah, Meine van der Meulen, Mary Ann Lundteigen
14.1 Layers of protection concept 256
14.2 Integration concept 258
14.2.1 Integration of sensors 259
14.2.2 Integration of actuators 260
14.2.3 Integration of logic solvers 261
14.2.4 Integration of the communication system 263
14.3 Example challenges with integration 265
14.3.1 Integration of logic solvers—example 265
14.3.2 Effect of different horizontal integration in logic solvers 266
14.3.3 Hardware vs. systematic failure 268
14.4 Conclusion 268
14.5 Acknowledgement 269
15 Safety integrity of mitigation functions 271
Meine van der Meulen
15.1 Terminology and risk acceptance matrices 272
15.2 Layer of Protection Analysis 273
15.3 Risk based design 276
15.4 Integrity of mitigation functions 276
15.5 Case study 277
15.6 Underlying assumptions 279
15.7 Conclusion 281
15.8 Acknowledgement 282
PART IV ELECTRIC CHRISTMAS TREE
16 The requirements and intent of the Norwegian legal framework 285
Meine van der Meulen
16.1 Intent of the legal framework 287
16.2 Independence 287
16.2.1 Layers of protection 288
16.2.2 Process shutdown 290
16.2.3 Independence of programmable systems 290
16.2.4 Control, ESD and PSD share valves 290
16.3 Fail-safe
16.3.1 ESD without programmable systems 292
16.3.2 Fail-safety of valves 293
16.3.3 Necessity of a spring return mechanism 293
16.3.4 Necessity of a local accumulator 293
16.4 Response time 293
16.5 Functional safety 294
16.6 Conclusion 295
Appendix 16A: Tables 295
17 Alternative barrier strategies 301
Andreas Hafver
17.1 Identification of novelties 304
17.2 Specification of adequate safety criteria 305
17.3 Demonstration that safety criteria are met 307
17.4 Custom SIL allocation for ESD 308
17.5 Concluding remarks 310
18 Generic architecture of electric Christmas trees 311
Meine van der Meulen
18.1 Architecture of electro-hydraulic Christmas trees 312
18.2 Architecture of electric Christmas trees 313
18.3 Comparison of the electro-hydraulic and electric architecture 315
18.4 Basic assumptions for electric Christmas trees 316
19 Reliability block diagram 321
Meine van der Meulen
19.1 Quantifying software failure, hardware failure, and common cause failure 322
19.1.1 Probability of systematic failure 322
19.1.2 Probability of random hardware failure and common cause failure 323
19.2 Failure data of the components 323
19.3 Reliability block diagram 327
19.4 Diagnostics and testing 328
19.5 Conclusion 329
Appendix 19A: Tables 330
20 Generic safety argument 333
Kristin Berg, Odd Ivar Haugen, Kenneth Kvinnesland, Andreas Hafver, Meine van der Meulen
20.1 Safety instrumented function 334
20.2 Method for safety demonstration 335
20.3 Three perspectives for safety demonstration 337
20.4 Perspective 1: regulations 340
20.4.1 Adaptation to functional safety standards 341
20.5 Perspective 2: fit for purpose 343
20.5.1 Derive functions 343
20.5.2 Propose architecture 344
20.5.3 Analyse architecture 345
20.5.4 Provide safety argument based on the set of safety requirements 349
20.6 Perspective 3: the overall risk picture 350
20.6.1 The most robust and simple solution 350
20.6.2 Continuous improvement 352
20.7 Generalization of results 353
20.8 Conclusion 353
21 Application of ML/MMSA on a subsea Christmas tree 355
Odd Ivar Haugen
21.1 The role of methods used 356
21.2 Intermodel connection points 357
21.3 Building the FAST diagrams of a subsea Christmas tree 357
21.3.1 FAST workshop 358
21.3.2 Discussing FAST diagrams 359
21.4 System boundary, losses, and hazards, and system safety constraint (STPA Step 1) 369
21.5 Analysis 369
21.5.1 Initial LoA 369
21.5.2 Second LoA 374
21.5.3 Third level of abstraction 379
21.5.4 Continuing the analysis into subsequent LoAs 383
21.6 Aspects of different technologies 384
Appendix 21A: FAST diagrams 392
Appendix 21B: Tables 392