The Blowout Preventer (BOP) is an assembly of specialized valves or similar mechanical devices

installed, during drilling, between the wellhead system and the drill floor to avoid kicks and
blowouts. It is designed to be a very reliable safety equipment and its primary function is to
close if the drilling crew loses control of the formation fluids. By closing the valves the drilling
operator usually is able to regain control of the reservoir and can initiate procedures to restart
drilling.

BOPs are of utmost importance to the safety of the working crew, the drilling platform,
wellbore itself and environment.

Figure 1: Typical configuration of a BOP stack.

The subsea BOP control system includes surface components, subsea components and the
connecting umbilical fibres. The surface components which normally are located on the drilling
rig, consist on the control station, Ethernet switch and PLC. These components are the control
interface. The operator of the BOP controls directly the system via the control station. The
commands sent by the control station are transmitted to the PLC system and to the Subsea
Electronics Module (SEM) by an eternet switch.

However, the BOP system has to be very reliable in order to maintain the drilling operation
safe. It is the most important safety equipment during drilling and cannot fail under any
circumstances. Therefore, the BOP control system is projected to have redundancies in critical
equipments, for an example additional PLCs.
Exercise 2 shows a BOP control system configuration which has 3 control stations (Drillers
Panel, Work Station and Toolpushers Panel), a couple of Ethernet Switches (A and B) aligned
with the dual double modular redundancy (DDMR) configuration. This configuration consists
on 2 groups of double PLCs systems to increase reliability. Each pair of PLCs are responsible to
send commands to its respective SEM. In this case, PLC A or PLC B have to survive in order to
convey information to the Blue SEM. PLC C, D and Yellow SEM are designed for redundancy.
FAULT TREE

When building the fault tree for Exercise 2, we considered the failure of the BOP control
system as the top undesirable event, consequence of failures in any of control stations, eternet
switches or control system.

Failure in all control stations or switches does not always lead to failure of the whole system
and these components are generally easier replaceable than subsea components. Instead, it is
related to failure in controlling the BOP.

Although, to simplify our task we considered that failure of the control stations or Ethernet
switches lead to the whole system failure as the operator is unable to manage and interfere in
the system.

TREE FIGURE

RESULTS

COMMENTS

It is of great notice the much higher contribution of the surface equipment reliability in
the calculation of the top event reliability. This is partly due to the instability in sending
commands to a remote located BOP equipment, sometimes in deepwater and extreme
conditions. However, in our point of view, this can be an intentional relative low
reliability. The surface components are located on the drilling rig, therefore are easier
and faster to replace if it is needed. Another point is because there are redundancies,
the system can operate for a short period of time without one of those failing
equipments. The replacing time is lower and the cost is possibly lower as well.
The failure of one of these components do not necessarily lead to whole system fail, as
mentioned before.
The BOP is very important to the safety of the drilling operation so its reliability should
be always as close to 100% as possible but increasing the reliability always generates
increasing the project budget.