
''CLIENT''

''Confidential'' Rig
ZMS & Network
Operational FMEA
Report

Dragan Lovre, Nebojša Stanivuk, Christopher Goetz
Kingston Systems LLC
January 2018
Table of Contents
1. Executive Summary
2. Workshop Objectives and Client Concerns
3. Methodology
3.1. Basic FMEA Concepts
3.2. Process Specifics for Control Network FMEA
3.3. Risk Ranking Interpretation
4. FMEA Risk Scoring Summary
4.1. Number of Nodes Reviewed
4.2. Risk Distribution
4.3. Rank Scoring
4.4. Scoring Summary by Section
5. FMEA Detailed Results
5.1. Top Failure Modes
6. Summary Recommendations
6.1. ZMS Actions
6.2. Design Actions
6.3. Pre-Operation Actions
6.4. Other Recommendations
7. Closing Remarks
8. SMOC Case Studies
9. Glossary of Terms
10. Workshop Action Summary
11. FMEA Workshop Table

Confidential to ACES GQS - Evaluation Only 2


www.kingston-systems.com
Document Revision Log

Rev | Date         | Prepared By        | Changes
1.0 | Jan 26, 2018 | Christopher Goetz  | Initial draft
1.1 | Jan 27, 2018 | Nebojša Stanivuk   | Ongoing edits
1.2 | Feb 10, 2018 | Dragan Lovre       | Ongoing edits
1.3 | Feb 18, 2018 | Team               | Post team review
1.4 | Feb 20, 2018 | Dragan Lovre       | Edits
1.5 | Feb 24, 2018 | Christopher Goetz  | QA
1.6 | Feb 27, 2018 | Christopher Goetz  | Incorporated feedback from ''CONFIDENTIAL''
2.0 | Feb 28, 2018 | Nebojša Stanivuk   | Released for print

Disclaimer: Kingston Systems LLC assumes no responsibility for any loss, physical or financial, or damage from actions taken or not
taken in light of the comments or recommendations given or not given in this or any project communication.

1. Executive Summary
Concerned about the reliability of the control system and Zone Management System (ZMS) design of their 2000 hp
rigs destined for Petroleum Development Oman (PDO), ''Client'' and ''Client'' asked Kingston Systems to
perform a third-party Failure Modes and Effects Analysis (FMEA) workshop.

The rigs to be delivered will be variants of the “''Confidential''” model. The design is an advanced
automated rig with a modern control system, including driller's chair, assistant driller control station,
integrated automated equipment, powered catwalk, racking system, and Zone Management System
(ZMS). At least two different vendors, NOV and ''Confidential'', are providing equipment on the drill floor.
''Confidential'' is providing both the Top Drive (TD) and the Rough Neck (RN). The Stand Trailing Vehicle
(STV) is provided by NOV. The drilling rig contractor is ''Client''.

The FMEA workshop was held on January 22-26, 2018 at ''Client'' America’s offices in Pearland TX. The
workshop brought together system and operations experts to identify, prepare for and mitigate those
control network component failures that are most likely to be of consequence within the operating lifetime
of the rig.

In general the rig is well designed, with the integration between the three main vendors considered. The
design has some built-in redundancy but is not a redundant system and should not be considered as such.
The FMEA identified several as-designed single points of failure that could leave the rig inoperable. Given
the planned remote and harsh operating conditions, the FMEA team therefore suggests:

 some design considerations or recommendations
 additional commissioning stress testing
 third-party review of commissioning, test witness and acceptance
 enhanced spares management
 robust preventative maintenance, including PLC and PC software management
 clear crew training and standard operating procedures for the various potential single point
failures.

The ZMS itself is highly reliant on several non-redundant network connections to a single ZMS PLC, and
on critical connections with the ''Confidential'' supplied equipment. The operational range of the ZMS, as
illustrated by the Zone Management Matrix, appears to capture all potential operational collisions
envisioned by the FMEA team while investigating the ZMS, its zones and the equipment interactions. A
few design and pre-operational suggestions were made by the team that could improve the ZMS.
However, without major redesign, the ZMS, along with the rig, cannot exceed the base redundancy level
of the rig: it is a stable design, but not a dual-redundant network system.

The findings and recommendations from the FMEA are generally separated into 4 main groups:

 ZMS Failure Points
 Design Related Failure Points
 Commissioning Suggestions
 Pre-Operational and Operational Recommendations

For each finding where the Ranked Risk was deemed UNACCEPTABLE, mitigation was proposed by the
team and the risk post-mitigation calculated. These mitigations generally reduce the severity of the failure
or improve how easy it is to detect. Combined they reduce the potential ranked risk of the failure. This
BEFORE and AFTER picture is most easily illustrated in the two charts below.

Chart 1: Severity Reduction Before and After

Chart 2: RANK RISK Reduction Before and After

The FMEA findings and mitigation recommendations are discussed in detail through the body of the
report, with suggestions summarized in Chapter 6.

The report describes the FMEA approach and scoring method for those less familiar with the concept and
Kingston Systems workshop approach to Operational FMEAs. Additionally as Software Management of
Change (SMOC) may be an unfamiliar concept to the rig operator, a section describing it and some case
studies was included in the appendix as a reference.

2. Workshop Objectives and Client Concerns
The main objective of the FMEA review, as defined by the client, was to understand the operational
impact of failures of the ZMS and control system on well and operational integrity. As an Operational
FMEA it does not directly critique specific design equipment selection. Major points of concern included:

 Robustness of the ZMS as implemented
 Robustness of the ZMS operation via integration, interlocks, inhibits and overrides
 Single points of failure of the ZMS
 Robustness of the control system network, including joysticks, HMI, communication network and alarm
mechanisms
 Single points of failure of the control system network, computers, PLCs and integration points to
major equipment on the control network
 Operational readiness steps for the drilling and maintenance crews

3. Methodology
3.1. Basic FMEA Concepts
Failure Modes and Effects Analysis (FMEA) is a systematic methodology designed to identify potential
failure modes for a system or process, assess the risk associated with those failure modes, rank the
issues in terms of importance, and to identify and carry out corrective actions to address the most serious
concerns.

Although the purpose, terminology and other details can vary according to type (e.g. Process
FMEA, Design FMEA, Operational etc.), the basic methodology is similar for all. Our focus is on
operations. Specifically, we want to answer the question “If part XYZ fails, what is the impact to
controlling the well and safe operations?” As such, this Operational FMEA is not directly intended to
critique the design, but to treat it as relatively set.

In general, an FMEA requires the identification of the following basic information:

 Item(s)
 Function(s)
 Failure(s) Potential
 Effect(s) of Failure
 Probability and Severity of the Failure (to operations)
 Operation actions to be taken in case of failure
 Detectability (by the user) of the failure
 Mitigation or avoidance recommendations

Most analyses of this type also include some method to assess the risk associated with the issues
identified during the analysis and to prioritize corrective actions.

3.2. Process Specifics for Control Network FMEA
An FMEA performed after construction is not specifically intended to identify faults in the design of the
system or the process used, although it may reveal such deficiencies. Rather, all components are
assumed to have some possibility of failure, and the intention of the session is to bring together system
and operations experts to prepare for and/or mitigate those component failures that are most likely to be
of operational or safety consequence within the operating lifetime of the rig.

The process used was as follows:

 An offline analysis of the system identified a list of components/functions whose failure/loss will
be considered.
 Experts were assembled who understand:
o The design and support of the system.
o The operations the system is used to perform.
 For each component/function on the pre-assembled list:
o A discussion gaining an understanding of the impact to operations if a part failed.
o Then, appropriate system experts scored the likelihood of the failure occurring, and made
clear to the operations experts the functional effect of that failure on the system. From
this the Occurrence Score is given (See reference Table 1).
o The group scored the Severity of the consequences to operations (See reference Table
2)
o A key component is understanding the ability of the driller and maintenance crew to
detect the failure. This Detection score (See reference Tables 3 and 4), determined if a
mitigation or action plan should be reviewed.
o The operations experts considered what could/should be done to make the system safe
for people and assets in the event of the failure; multiple operational scenarios may have
been considered, with a bias towards those more likely to involve safety-critical
conditions. They considered what could/should be done to continue operations; multiple
operations scenarios may have been considered, with a bias towards those more likely to
present fewer options for working around the lost function.
o Product of Severity, Occurrence and Detection is called Risk Ranking and is used to
further prioritize the item.
o The Detection Matrix (Table 4) helps identify whether mitigation is generally recommended.

 Unless the Risk Ranking or Detection level was low enough that the item was not worth further attention,
the group agreed on a recommendation for corrective action to reduce likelihood and/or severity, or to
provide additional information where there were unanswered questions.
 Where a mitigation was recommended and reviewed by the team, the Risk Rank was re-assessed
post-mitigation to communicate the reduced operational risk exposure.
 During the process the group was allowed to make additions and corrections to the pre-assembled
list of components/functions.
 Different failure modes were discussed and recorded only if they led to different safety and
operational actions, or to significantly different occurrence likelihoods and severities.
 Failure causes were not explicitly discussed or recorded, although potential causes may have
been explored during discussions of likelihood, severity, or mitigating actions. The goal of this
FMEA was to understand the frequency and impact of failures rather than their causes.
 In this case the Risk Ranking score ranged from 1 to 1000. Items are prioritized relative to each
other and against the Detection Matrix (Table 4) within each FMEA exercise.

3.2.1. Terminology

Following are definitions of columns in the FMEA Workbook, and other terminology used within this
report:

 Parent Part: Identifies the major component within which the failure may occur.
 Part Failing / Function Lost: Identifies the specific component or function when the Parent Part has
several components or functions whose failure or loss must be considered separately.
 Failure Type: Needed only when a component part has multiple failure modes that need to be
separately considered.
 Effect of Failure: The outcome described in terms of both the state of the system and (if appropriate)
the state of the drilling operations.
 Occurrence: A score given for likelihood of occurrence of the failure, see Table 1.
 Severity: A score given for severity of impact of the failure, see Table 2.
 Operational Action: A description of what safety actions must be taken and how operations can
proceed with this failure.
 Detection Mode: How the user learns of the failure.
 Detection Score: The scoring of the detection mode, see Table 3.
 Risk Ranking: The product of Occurrence, Severity and Detection; used together with the Detection
Matrix it sorts the worksheet by relative importance.
 Risk Acceptable: Risk evaluation mark based on the Detection Matrix.
 Mitigating Action: The corrective action. Often these are training and spares management
related, but they can also be design and process specific.
 Responsible: Company required to close the item
 Completion Date: Target date due
 New Occurrence: Score post implementation of mitigation
 New Severity: Score post implementation of mitigation
 New Detection: Score post implementation of mitigation
 New Rank: Product post mitigation
 New Rank Acceptable: Risk evaluation mark post implementation based on the Detection Matrix
 % Risk Reduced: Measure of Risk Reduction

3.2.2. Likelihood of Occurrence Scoring
This table is used to objectively score the potential frequency of a part failing.

Occurrence Scale

Rank | Possible failure rate (time)  | Possible failure rate (ratio) | Category
10   | at least once per day         | >= 1 in 2                     | Very High: failure is almost inevitable
9    | at least once per week        | 1 in 3                        | Very High
8    | at least once per month       | 1 in 8                        | High: repeated failures
7    | at least once per year        | 1 in 20                       | High
6    | at least once per 2 years     | 1 in 80                       | Moderate: occasional failures
5    | at least once per 5 years     | 1 in 400                      | Moderate
4    | at least once per 10 years    | 1 in 2,000                    | Low: relatively few failures
3    | at least once per 25 years    | 1 in 15,000                   | Low
2    | less than once per 25 years   | 1 in 150,000                  | Remote: failure is unlikely
1    | never                         | 1 in 1,500,000                | Remote
Table 1: Occurrence Scoring Reference

3.2.3. Severity Scoring


This table is used to objectively rank how dangerous the failure is to normal safe operations and control of
the well. It can be paired with a company risk matrix; LTIs and loss of life or environmental damage are
part of the scaling.

Severity Scale

Rank | Severity of Effect                                                                                         | Type of Effect
10   | Very high severity ranking when a potential failure mode affects safe operation and/or involves noncompliance with regulations, without warning | Hazardous, without warning
9    | Very high severity ranking when a potential failure mode affects safe operation and/or involves noncompliance with regulations, with warning    | Hazardous, with warning
8    | Drilling systems inoperable, loss of primary function                                                      | Very High
7    | Drilling systems operable, reduced functionality. Customer dissatisfied                                    | High
6    | Drilling systems operable, but comfort/convenience item inoperable. Customer experiences discomfort       | Moderate
5    | Drilling system operable, minor work-around. Reduced level of performance                                  | Low
4    | Defect noticed by customers                                                                                | Very Low
3    | Loss of redundancy with warning; a second failure would be severity 6 or above                             | Minor
2    | Loss of redundancy with warning; a second failure would be severity 5 or above                             | Very Minor
1    | No effect                                                                                                  | None
Table 2: Severity Scoring Reference

These simply-defined failure rates effectively rank likelihood of failure, and can be directly related to the
lifetime of the rig. Systems experts generally find it much easier to score with this method, based on their
own experience, rather than trying to apply probabilities, reliability metrics, or other methods.

3.2.4. Detection Scoring

The detection score helps understand how the users learn of the failure. In some cases it is only possible
to learn of the failure when it is too late; in others the failure will happen immediately and the user will
know while trying to run the equipment.

DETECTION Scale

Rank | Description                                                                                                   | Detection
10   | No known control available to detect cause/mechanism of failure or the failure mode                           | Absolute uncertainty
9    | Very remote likelihood current control will detect cause/mechanism of failure or the failure mode             | Very Remote
8    | Remote likelihood current control will detect cause/mechanism of failure or the failure mode                  | Remote
7    | Very low likelihood current control will detect cause/mechanism of failure or the failure mode                | Very Low
6    | Low likelihood current control will detect cause/mechanism of failure or the failure mode                     | Low
5    | Moderate likelihood current control will detect cause/mechanism of failure or the failure mode                | Moderate
4    | Moderately high likelihood current control will detect cause/mechanism of failure or the failure mode         | Moderately High
3    | High likelihood current control will detect cause/mechanism of failure or the failure mode                    | High
2    | Very high likelihood current control will detect cause/mechanism of failure or the failure mode               | Very High
1    | Current control almost certain to detect cause/mechanism of failure or the failure mode. Reliable detection controls are known with similar processes | Almost Certain
Table 3: Detection Scoring Scale

3.2.5. Detection Rank

Table 4: Detection Matrix

This matrix takes a moment to understand. The letters and numbers inside the table indicate whether a
corrective action is required for each combination of Severity and Occurrence:

N = No corrective action needed.
C = Corrective action needed.
# = Corrective action needed if the Detection rating is equal to or greater than the given number.

For example, according to the Detection Matrix in Table 4, if Severity = 6 and Occurrence = 5, then
corrective action is required if Detection = 4 or higher. If Severity = 9 or 10, corrective action is always
required. If Occurrence = 1 and Severity = 8 or lower, corrective action is never required, and so on.

3.3. Risk Ranking Interpretation

Risk Ranking or “Rank” is the product of Occurrence, Severity and Detection, and is used to prioritize
individual FMEA items on the worksheet. By the scales described above, the highest potential value is
1000 and the lowest is one. Because the Occurrence and Severity values used in the calculation combine
elements of attendee knowledge and experience as well as team negotiation, a holistic approach needs
to be taken to the resulting range of values. Generally a value over 200 is too high.

Certainly the higher extremity values need urgent attention. Additionally, all identified failure modes
warrant due consideration in order of importance. There is no ‘cut-off point’ beyond which failure mode
actions or mitigations should be ignored.
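The scoring rules above, as an added Python example that is not part of the report or its FMEA workbook. It computes the Risk Ranking as the product of the three 1..10 scores, applies the Detection Matrix rules the text states in words (Severity 9 or 10 always requires action; Occurrence 1 with Severity 8 or lower never does; the Severity 6 / Occurrence 5 cell requires action from Detection 4 upward), and works out the "% Risk Reduced" figure for a mitigated item. The remaining cells of Table 4 are not on this page, so the lookup returns None for them rather than guessing; the 200 threshold and the item scores used in the demonstration are taken from the report.

```python
"""FMEA per-item scoring as described in sections 3.2 and 3.3 of the report."""
from dataclasses import dataclass
from typing import Optional

SCALE = range(1, 11)      # every score is an integer 1..10
RANK_TOO_HIGH = 200       # "generally a value over 200 is too high" (section 3.3)


@dataclass(frozen=True)
class Scores:
    occurrence: int
    severity: int
    detection: int

    def __post_init__(self) -> None:
        for name in ("occurrence", "severity", "detection"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be 1..10, got {getattr(self, name)}")


def risk_rank(s: Scores) -> int:
    """Risk Ranking (RPN): product of the three scores, so the range is 1..1000."""
    return s.occurrence * s.severity * s.detection


def corrective_action_required(s: Scores) -> Optional[bool]:
    """Detection Matrix lookup limited to the cells the report spells out (3.2.5).
    True = 'C', False = 'N'.  None = cell not stated on the page; read Table 4."""
    if s.severity >= 9:                        # Severity 9 or 10: always required
        return True
    if s.occurrence == 1:                      # Occurrence 1 and Severity <= 8: never
        return False
    if s.occurrence == 5 and s.severity == 6:  # worked example in the text: '#' = 4
        return s.detection >= 4
    return None


def risk_reduced_pct(before: Scores, after: Scores) -> float:
    """The '% Risk Reduced' workbook column, rounded to one decimal."""
    b, a = risk_rank(before), risk_rank(after)
    return round(100.0 * (b - a) / b, 1)


def assess(before: Scores, after: Optional[Scores] = None) -> dict:
    """Summarise one workbook row the way the 'Top Failure Modes' cards do."""
    rank = risk_rank(before)
    out = {
        "rank": rank,
        "over_200": rank > RANK_TOO_HIGH,
        "corrective": corrective_action_required(before),
    }
    if after is not None:
        out["new_rank"] = risk_rank(after)
        out["new_corrective"] = corrective_action_required(after)
        out["pct_reduced"] = risk_reduced_pct(before, after)
    return out


if __name__ == "__main__":
    # Item #25 (section 5.1.2): 5/7/7 before, 4/5/3 after -> 245 -> 60, 75.5% reduced
    print(assess(Scores(5, 7, 7), Scores(4, 5, 3)))
    # Item #8: Severity 9 before, so corrective action is mandatory whatever the Detection
    print(assess(Scores(3, 9, 6), Scores(3, 8, 4)))
```

Note that a low Detection score can pull the rank under 200 without making the item acceptable: item #8 above drops to 96 after mitigation, but acceptability is still decided by the matrix cell, not by the product alone, which is why the report keeps both "Rank" and "Risk Acceptable" as separate columns.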

4. FMEA Risk Scoring Summary
This report summarizes the methodology, findings, and recommendations of the Failure
Modes & Effects Analysis (FMEA) workshop performed during the week of January 22nd 2018 at
''Client'' America’s location in Pearland TX.

Attendees at the FMEA session were:

Table 5: FMEA Workshop Participants

This document references the FMEA Workbook spreadsheet. This Excel spreadsheet contains the
output and actions of the FMEA session and is expected to be distributed and stored with this report
document.

4.1. Number of nodes reviewed

The FMEA workshop reviewed and analyzed 345 potential single points of failure on the rig's overall
control network. Where possible a potential mitigation or resolution was identified; for 312 of the 345
nodes, the identified mitigation reduced the workshop's theoretical risk level by some practical measure.

4.2. Risk Distribution
The “Before” and “After” tables below show the risk distribution before the workshop and after the
suggested mitigations are implemented.

In Table 6 we see the BEFORE-mitigation clustering of risks around an Occurrence of 5 and a Severity of 7 or
8. Post mitigation (Table 7) the cluster moves left and up in the matrix, to Occurrence = 5 and Severity in
the range 4 to 7. The same reduction through mitigation is visible in the bar chart of severity “Before” and
“After” (Chart 1). In theory at least, the rig is safer for longer with the suggested mitigations implemented.

Rows = Occurrence, columns = Severity; each cell is the number of items scored at that combination.

Occ \ Sev       1   2   3   4   5   6   7   8   9  10
     1          3   0   0   0   0   0   0   0   0   0
     2          0   0   0   3   0   0   2   4   4   0
     3          0   0   0   0   1  10   9   4   8   0
     4          0   1   1   7  11   4  11  27   8   0
     5          1  19   2  22  13   8  30  39   7   0
     6          0   4   3   6   1   5   7   7   0   0
     7          0   0   0   2   0   1   0   1   0   0
     8          0   0   0   0   0   0   0   0   0   0
     9          0   0   0   0   0   0   0   0   0   0
    10          0   0   0   0   0   0   0   0   0   0
Total Before    4  24   6  40  26  28  59  82  27   0
Total After     3  24   6  45  36  45  75  57   4   0

Table 6: Risk Matrix BEFORE FMEA Actions

Occ \ Sev       1   2   3   4   5   6   7   8   9  10
     1          2   0   0   0   0   0   0   0   0   0
     2          0   0   0   1   0   6   5   2   1   0
     3          0   1   0   0   4  14  15   2   3   0
     4          0   2   3   7  20   6  17  21   0   0
     5          1  17   3  32  12  17  34  26   0   0
     6          0   4   0   3   0   2   4   5   0   0
     7          0   0   0   2   0   0   0   1   0   0
     8          0   0   0   0   0   0   0   0   0   0
     9          0   0   0   0   0   0   0   0   0   0
    10          0   0   0   0   0   0   0   0   0   0
Total After     3  24   6  45  36  45  75  57   4   0
Total Before    4  24   6  40  26  28  59  82  27   0

Table 7: Risk Matrix AFTER FMEA Actions

Chart 3: Severity concentration

Chart 4: Severity Reduction

4.3. Rank Scoring

As the product of Occurrence, Severity and Detection, the Risk Ranking indicates the overall risk of every
item included in the FMEA. It is calculated both “Before” the FMEA and “After” the recommended action is
taken. Generally a value over 200 is too high and requires immediate action.

The positive impact on system safety and reliability is visible in Chart 5 as a reduced number of items
ranked 100 or more after the FMEA recommended actions are completed, while the number of items
ranked below 100 increases.

Chart 5: Rank Scoring BEFORE vs. AFTER

4.4. Scoring Summary by Section

The scoring results of the Failure Modes and Effects Analysis by section give an indication of the risk
distribution across the system.

The largest number of NOT Acceptable items was recorded in the VFD House, followed by the Drilling
Control Room and the Rig Power Station.

The identified mitigation actions for the VFD House could reduce its total number of NOT Acceptable
items by 75.0%. Similarly, risk is reduced across the board by taking the FMEA recommended actions, as
illustrated in Chart 6.

Chart 6: Scoring of NOT Acceptable items BEFORE and AFTER by Section
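How the scored workbook rows roll up into the views used in sections 4.2 to 4.4 (the Occurrence x Severity matrix, the severity totals under Tables 6 and 7, the count of items ranked 100 or more in Chart 5, and NOT Acceptable items per section in Chart 6), as an added Python example that is not the report's own workbook or tooling. The sample rows are constructed: items 7, 8, 9, 25 and 30 carry the scores shown in section 5.1, while item 11, the section assignments and all "acceptable" flags are illustrative placeholders.

```python
"""Roll-up of scored FMEA rows into the report's summary views."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Row:
    item: int
    section: str
    occurrence: int
    severity: int
    detection: int
    acceptable: bool        # 'Risk Acceptable' column (judged against the Detection Matrix)
    new_occurrence: int
    new_severity: int
    new_detection: int
    new_acceptable: bool    # 'New Rank Acceptable' column

    def rank(self, after: bool = False) -> int:
        """Risk Ranking = Occurrence x Severity x Detection, before or after mitigation."""
        if after:
            return self.new_occurrence * self.new_severity * self.new_detection
        return self.occurrence * self.severity * self.detection


def risk_matrix(rows: Iterable[Row], after: bool = False) -> List[List[int]]:
    """10x10 grid: m[occurrence-1][severity-1] = number of items in that cell (Tables 6/7)."""
    m = [[0] * 10 for _ in range(10)]
    for r in rows:
        o, s = (r.new_occurrence, r.new_severity) if after else (r.occurrence, r.severity)
        m[o - 1][s - 1] += 1
    return m


def severity_totals(matrix: List[List[int]]) -> List[int]:
    """Column sums, i.e. the 'Total Before/After' line under the matrix (Charts 1, 3, 4)."""
    return [sum(col) for col in zip(*matrix)]


def count_rank_at_least(rows: Iterable[Row], threshold: int, after: bool = False) -> int:
    """Number of items whose rank is at or above the threshold (Chart 5 uses 100)."""
    return sum(1 for r in rows if r.rank(after) >= threshold)


def not_acceptable_by_section(rows: Iterable[Row]) -> Dict[str, Tuple[int, int, float]]:
    """Per section: (NOT Acceptable before, NOT Acceptable after, % reduced), as in Chart 6."""
    before: Counter = Counter()
    after: Counter = Counter()
    sections = set()
    for r in rows:
        sections.add(r.section)
        before[r.section] += not r.acceptable
        after[r.section] += not r.new_acceptable
    out: Dict[str, Tuple[int, int, float]] = {}
    for sec in sorted(sections):
        b, a = before[sec], after[sec]
        out[sec] = (b, a, 0.0 if b == 0 else round(100.0 * (b - a) / b, 1))
    return out


# Constructed sample rows (see the lead-in for which values come from the report).
SAMPLE: List[Row] = [
    Row(7,  "VFD House", 5, 5, 6, False, 5, 5, 4, True),
    Row(8,  "VFD House", 3, 9, 6, False, 3, 8, 4, True),
    Row(9,  "VFD House", 4, 8, 4, False, 3, 7, 4, True),
    Row(11, "VFD House", 5, 8, 7, False, 5, 8, 5, False),   # illustrative item
    Row(25, "PLC",       5, 7, 7, False, 4, 5, 3, True),
    Row(30, "PLC",       2, 9, 3, False, 2, 6, 3, True),
]

if __name__ == "__main__":
    for label, flag in (("BEFORE", False), ("AFTER", True)):
        print(label, "severity totals:", severity_totals(risk_matrix(SAMPLE, flag)),
              "rank >= 100:", count_rank_at_least(SAMPLE, 100, flag))
    print(not_acceptable_by_section(SAMPLE))
```

Running this on the real workbook export only requires mapping the spreadsheet columns listed in section 3.2.1 onto the Row fields; the functions themselves do not depend on the sample data.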

5. FMEA Detailed Results

The complete workshop analysis results are captured in the FMEA workbook. This includes failure
effects, scoring details, safety actions, and operational actions as determined by the FMEA team. The
remainder of this section reviews the top failure modes and summarizes the overall results.

5.1. Top Failure Modes

Below we discuss the failure effect and potential mitigation of the highest ranked failure modes.

The list was created by sorting the FMEA worksheet by Risk Ranking and taking the significantly ranked
items from each section balanced with those with the highest detection score and the most significant
Severity ranking.

5.1.1. VFD House

Item # 7
Part failing: Generator Panel (one of 3 running) (+GEN1 -> +GEN5)
Failure Type: Comms lost or unit failure
Effect of failure: Forced into Power Limit; no more equipment can start. If demand is above 90%, Power Limit
goes active, ramping back MP, then TD, then DW. If below 90%, no impact.
Occurrence: 5 Severity: 5 Detection: 6
Rank Score: 150
Operational Action: Normally 2 to 3 generators are needed. Drilling Power Limit may become active and the
driller will have to respond.
Detection Mode: Will receive ''CONFIDENTIAL'' Drilling Power Limit alarm. May have ''CONFIDENTIAL''
communications alarm to driller.
Recommendation: Implement alarm to ET of Modbus status and generator failure. Test by
''CONFIDENTIAL'': test break in Modbus communication line.
New Occurrence: 5 New Severity: 5 New Detection: 4
New Rank Score: 100

Item # 8
Part failing: Generator Panel (two or more of +GEN1 -> +GEN5)
Failure Type: Comms lost or unit failure
Effect of failure: Two generators trip; higher chance of blackout.
Occurrence: 3 Severity: 9 Detection: 6
Rank Score: 162
Operational Action: Potential blackout; plan for 10 minute recovery. DW hard stop.
Detection Mode: Will receive ''CONFIDENTIAL'' Drilling Power Limit alarm. May have ''CONFIDENTIAL''
comms alarm to driller.
Recommendation: Implement alarm to ET of Modbus status and generator failure. Test by
''CONFIDENTIAL'': test break in Modbus communication line.
New Occurrence: 3 New Severity: 8 New Detection: 4
New Rank Score: 96

Item # 9
Part failing: Single Equipment Controller (VFD) - FPBA-01 - applicable for all VFDs
Failure Type: Comms lost or cable break between units
Effect of failure: Lost comms; could fault all 6 pieces of equipment (not TD or RN).
Occurrence: 4 Severity: 8 Detection: 4
Rank Score: 128
Operational Action: DW hard stop. Lose all equipment, including MPs and Rotary; do not lose TD or RN.
Consider well control options: WAIT. Repair Profibus.
Detection Mode: Immediate impact; loss of comms alarms.
Recommendation: Consider moving VFD priority by moving the DWA VFD to the front. Consider training
for repairs of this situation (moving termination of Profibus). Consider redundant designs (2 adaptors):
set up a Modbus ring from generators to VFD drives. Spares.
New Occurrence: 3 New Severity: 7 New Detection: 4
New Rank Score: 84

5.1.2. PLC (Programmable Logic Controller)

Item # 25
Part failing: Electrical drive & control system PLC (-CPU1)
Failure Type: SW version back-up on rig
Effect of failure: Regression errors.
Occurrence: 5 Severity: 7 Detection: 7
Rank Score: 245
Operational Action: Potential loss of functionality; potential regression error.
Detection Mode: Difficult.
Recommendation: ''Client'' needs a Software MOC procedure coordinated with the vendor.
New Occurrence: 4 New Severity: 5 New Detection: 3
New Rank Score: 60

Item # 30
Part failing: Electrical drive & control system PLC (-CPU2), as secondary failure
Failure Type: CPU fault
Effect of failure: Lose control of everything except TD and RN. DW hard stop. MP idle stop.
Occurrence: 2 Severity: 9 Detection: 3
Rank Score: 54
Operational Action: Only TD and RN available; no DW or MPs, etc. Rig down. Manage well.
Detection Mode: Loss of communications, loss of control.
Recommendation: Drill SOP, spares, training. Need minimum 2 spare PLCs.
New Occurrence: 2 New Severity: 6 New Detection: 3
New Rank Score: 36

Item # 31
Part failing: Electrical drive & control system PLC (-CPU2), as secondary failure
Failure Type: SF (system fault)
Effect of failure: Lose control of everything except TD and RN. DW hard stop. MP idle stop.
Occurrence: 2 Severity: 9 Detection: 3
Rank Score: 54
Operational Action: Only TD and RN available; no DW or MPs, etc. Rig down. Manage well.
Detection Mode: Loss of communications, loss of control.
Recommendation: Drill SOP, spares, training. Need minimum 2 spare PLCs.
New Occurrence: 2 New Severity: 6 New Detection: 3
New Rank Score: 36

Item # 32
Part failing: Electrical drive & control system PLC (-CPU2), as secondary failure
Failure Type: BF (bus fault)
Effect of failure: Intermittent; worst case is loss of all controls except TD and RN.
Occurrence: 3 Severity: 9 Detection: 3
Rank Score: 81
Operational Action: Only TD and RN available; no DW or MPs, etc. Rig down. Manage well.
Detection Mode: Loss of communications, loss of control.
Recommendation: Drill SOP, spares, training. Need minimum 2 spare PLCs.
New Occurrence: 2 New Severity: 6 New Detection: 3
New Rank Score: 36

Item # 33
Part failing: Electrical drive & control system PLC (-CPU2), as secondary failure
Failure Type: Power failure
Effect of failure: Lose control of everything except TD and RN. DW hard stop. MP idle stop.
Occurrence: 3 Severity: 9 Detection: 3
Rank Score: 81
Operational Action: Only TD and RN available; no DW or MPs, etc. Rig down. Manage well.
Detection Mode: Loss of communications, loss of control.
Recommendation: Drill SOP, spares, training. Need minimum 2 spare PLCs.
New Occurrence: 2 New Severity: 6 New Detection: 3
New Rank Score: 36

Item # 34
Part failing: Electrical drive & control system PLC (-CPU2), as secondary failure
Failure Type: SW version back-up on rig
Effect of failure: Regression errors.
Occurrence: 5 Severity: 7 Detection: 7
Rank Score: 245
Operational Action: Potential loss of functionality; potential regression error.
Detection Mode: Difficult.
Recommendation: ''Client'' needs a Software MOC procedure coordinated with the vendor.
New Occurrence: 4 New Severity: 5 New Detection: 3
New Rank Score: 60

Item # 36
As Secondary Failure
Part failing: Electrical drive & control system PLC (-CPU2)
Failure Type: CPU 2 PLC Flash Card
Effect of failure: Lose control of everything except TD and RN. DW Hard Stop. MP Idle stop
Occurrence: 2 Severity: 9 Detection: 3
Rank Score: 54
Operational Action: Only have TD and RN, no DW or MPs, etc. Rig down. Manage well.
Detection Mode: Loss of communications, Loss of control
Recommendation: Drill SOP, spares, training
New Occurrence: 2 New Severity: 6 New Detection: 3
New Rank Score: 36

Item # 39
As Secondary Failure
Part failing: Ethernet to -CPU2
Failure Type: Cable break to HUB1
Effect of failure: Lose control of everything except TD and RN. DW Hard Stop. MP Idle stop
Occurrence: 3 Severity: 9 Detection: 3
Rank Score: 81
Operational Action: Only have TD and RN, no DW or MPs, etc. Rig down. Manage well.
Detection Mode: Loss of comms, Loss of control
Recommendation: Drill SOP, spares, training
New Occurrence: 3 New Severity: 6 New Detection: 3
New Rank Score: 54

Item # 46
Part failing: ZMS PLC (CPU4)
Failure Type: ZMS Version back up on rig
Effect of failure: Regression Errors
Occurrence: 5 Severity: 7 Detection: 7
Rank Score: 245
Operational Action: Potential to lose functionality. Potential regression error.
Detection Mode: Difficult
Recommendation: ''Client'' needs Software MOC procedure coordinated with Vendor
New Occurrence: 4 New Severity: 5 New Detection: 3
New Rank Score: 60

Item # 68
Part failing: HUB1 & HUB2
Failure Type: Ethernet cable break from HUB1 to HUB2
Effect of failure: No ZMS impact. Potential operational failure. Alarm? Might have bus fault…
Occurrence: 4 Severity: 5 Detection: 7
Rank Score: 140
Operational Action: Potential short-term loss, potential stop and restart of equipment. Potential DW hard stop.
Detection Mode: No Alarm
Suggestion: Verify that the tolerance of the watchdog timers will give an alarm but not stop equipment. Add an alarm on this failure to expedite action.
Recommendation: SOP instructions to reconnect ETH1 to SW1. Test by ''CONFIDENTIAL''.
New Occurrence: 4 New Severity: 5 New Detection: 4
New Rank Score: 80

5.1.3. HDCR Driller’s Control Room

Item # 71
Part failing: HUB3
Failure Type: HUB failure
Effect of failure: Lose ''Confidential''. Lose ET1 and ET2. Lose both HMIs. ZMS locks down all.
Occurrence: 4 Severity: 9 Detection: 4
Rank Score: 144
Operational Action: Without HMIs cannot override ZMS; well management situation. Reroute 3 connections on SW3 to SW4 to override ZMS, move DW and manage well.
Detection Mode: HMIs lose information, lose control access
Recommendation: Move Port5 to SW4 permanently. SOP for this failure. Test by ''CONFIDENTIAL'' options extensively.
New Occurrence: 4 New Severity: 8 New Detection: 3
New Rank Score: 96

Item # 72
Part failing: HUB3
Failure Type: Power Failure
Effect of failure: Lose ''Confidential''. Lose ET1 and ET2. Lose both HMIs. ZMS locks down all.
Occurrence: 4 Severity: 9 Detection: 4
Rank Score: 144
Operational Action: Without HMIs cannot override ZMS; well management situation. Reroute 3 connections on SW3 to SW4 to override ZMS, move DW and manage well.
Detection Mode: HMIs lose information, lose control access
Recommendation: Move Port5 to SW4 permanently. SOP for this failure. Test by ''CONFIDENTIAL'' options extensively.
New Occurrence: 4 New Severity: 8 New Detection: 3
New Rank Score: 96

Item # 73
Part failing: HUB4
Failure Type: HUB failure
Effect of failure: Lose Joysticks, Tool Push Client, Power CW. And AD monitor data
Occurrence: 4 Severity: 9 Detection: 4
Rank Score: 144
Operational Action: Lose control. Can control RN via ''Confidential'' screen. Maintain well. Move Port1 SW4 to Port2 SW3, move Port4 SW4 to Port 8 SW3, and move Port8 SW4 to the now-open Port 5 SW3.
Detection Mode: Alarms and HMIs
Suggestion: Permanently move Port5 SW3 to Port 2 SW4
Recommendation: SOP for this failure, training. Test by ''CONFIDENTIAL''.
New Occurrence: 4 New Severity: 8 New Detection: 3
New Rank Score: 96

Item # 74
Part failing: HUB4
Failure Type: Power Failure
Effect of failure: Lose Joysticks, Tool Push Client, Power CW. And AD monitor data
Occurrence: 4 Severity: 9 Detection: 4
Rank Score: 144
Operational Action: Lose control. Can control RN via ''Confidential'' screen. Maintain well. Move Port1 SW4 to Port2 SW3, move Port4 SW4 to Port 8 SW3, and move Port8 SW4 to the now-open Port 5 SW3.
Detection Mode: Alarms and HMIs
Suggestion: Permanently move Port5 SW3 to Port 2 SW4
Recommendation: SOP for this failure, training. Test by ''CONFIDENTIAL''.
New Occurrence: 4 New Severity: 8 New Detection: 3
New Rank Score: 96

Item # 75
Part failing: HUB3 & HUB4
Failure Type: Ethernet cable break from HUB3 to HUB4 (ETH7 to ETH5)
Effect of failure: No ZMS impact. Potential operational failure. Alarm? Might have bus fault…
Occurrence: 4 Severity: 5 Detection: 7
Rank Score: 140
Operational Action: Potential short-term loss, potential stop and restart of equipment. Potential DW hard stop.
Detection Mode: No Alarm
Suggestion: Verify that the tolerance of the watchdog timers will give an alarm but not stop equipment. Add an alarm on this failure to expedite action.
Recommendation: SOP instructions to reconnect. Test by ''CONFIDENTIAL''.
New Occurrence: 4 New Severity: 5 New Detection: 4
New Rank Score: 80

Item # 89
Part failing: Pipe Handle & Integrated System PLC (CPU3)
Failure Type: Pipe Handle & Integration System Version back up on rig
Effect of failure: Regression Errors
Occurrence: 5 Severity: 7 Detection: 7
Rank Score: 245
Operational Action: Potential to lose functionality. Potential regression error.
Detection Mode: Difficult
Recommendation: ''Client'' needs Software MOC procedure coordinated with Vendor
New Occurrence: 4 New Severity: 5 New Detection: 3
New Rank Score: 60

Item # 121
Part failing: Main Driller HMI - HMI1
Failure Type: Power failure
Effect of failure: Lose all 3 HMIs
Occurrence: 5 Severity: 9 Detection: 7
Rank Score: 315
Operational Action: Make safe
Detection Mode: Loss of alarms and visual
Recommendation: Spares, training. Suggest: HMIs on different 24VDC supply and fuses.
New Occurrence: 5 New Severity: 4 New Detection: 3
New Rank Score: 60

Item # 123
Part failing: Main Driller HMI - HMI1
Failure Type: HMI 1 Version back up on rig
Effect of failure: Regression Errors
Occurrence: 5 Severity: 7 Detection: 7
Rank Score: 245
Operational Action: Potential to lose functionality. Potential regression error.
Detection Mode: Difficult
Recommendation: ''Client'' needs Software MOC procedure coordinated with Vendor
New Occurrence: 4 New Severity: 5 New Detection: 3
New Rank Score: 60

Item # 124
Part failing: Main Driller HMI - HMI1
Failure Type: Flash Card
Effect of failure: Lose calibration values when change HMI or replace PLC CPU
Occurrence: 3 Severity: 9 Detection: 7
Rank Score: 189
Operational Action: Requires clarification
Detection Mode: Requires clarification
Recommendation: Management of equipment calibration between HMI, flash card and PLC needs to be clear and tested by ''CONFIDENTIAL'' before delivery.
New Occurrence: 3 New Severity: 9 New Detection: 7
New Rank Score: 189

Item # 126
Part failing: Main Driller HMI – HMI2
Failure Type: Power failure
Effect of failure: Lose all 3 HMIs
Occurrence: 5 Severity: 9 Detection: 7
Rank Score: 315
Operational Action: Make safe
Detection Mode: Loss of alarms and visual
Recommendation: Spares, training. Suggest: HMIs on different 24VDC supply and fuses.
New Occurrence: 5 New Severity: 4 New Detection: 3
New Rank Score: 60

Item # 128
Part failing: Main Driller HMI – HMI2
Failure Type: HMI 2 Version back up on rig
Effect of failure: Regression Errors
Occurrence: 5 Severity: 7 Detection: 7
Rank Score: 245
Operational Action: Potential to lose functionality. Potential regression error.
Detection Mode: Difficult
Recommendation: ''Client'' needs Software MOC procedure coordinated with Vendor
New Occurrence: 4 New Severity: 5 New Detection: 3
New Rank Score: 60

Item # 129
Part failing: Main Driller HMI – HMI2
Failure Type: Flash Card
Effect of failure: Lose calibration values when change HMI or replace PLC CPU
Occurrence: 3 Severity: 9 Detection: 7
Rank Score: 189
Operational Action: Requires clarification
Detection Mode: Requires clarification
Recommendation: Management of equipment calibration between HMI, flash card and PLC needs to be clear and tested by ''CONFIDENTIAL'' before delivery.
New Occurrence: 3 New Severity: 9 New Detection: 7
New Rank Score: 189

Item # 131
Part failing: Assistant Driller HMI - HMI3
Failure Type: Power failure
Effect of failure: Lose all 3 HMIs
Occurrence: 5 Severity: 7 Detection: 7
Rank Score: 245
Operational Action: Make safe
Detection Mode: Loss of alarms and visual
Recommendation: Spares, training. Suggest: HMIs on different 24VDC supply and fuses.
New Occurrence: 5 New Severity: 4 New Detection: 3
New Rank Score: 60

Item # 133
Part failing: Assistant Driller HMI - HMI3
Failure Type: HMI 3 Version back up on rig
Effect of failure: Regression Errors
Occurrence: 5 Severity: 7 Detection: 7
Rank Score: 245
Operational Action: Potential to lose functionality. Potential regression error.
Detection Mode: Difficult
Recommendation: ''Client'' needs Software MOC procedure coordinated with Vendor
New Occurrence: 4 New Severity: 5 New Detection: 3
New Rank Score: 60

Item # 134
Part failing: Assistant Driller HMI - HMI3
Failure Type: Flash Card
Effect of failure: Lose calibration values when change HMI or replace PLC CPU
Occurrence: 3 Severity: 9 Detection: 7
Rank Score: 189
Operational Action: Requires clarification
Detection Mode: Requires clarification
Recommendation: Management of equipment calibration between HMI, flash card and PLC needs to be clear and tested by ''CONFIDENTIAL'' before delivery.
New Occurrence: 3 New Severity: 9 New Detection: 7
New Rank Score: 189

Item # 137
Part failing: Remote I/O interface -ET1/ET2
Failure Type: Power failure
Effect of failure: Lose redundancy as connected to same 24VDC supply
Occurrence: 5 Severity: 9 Detection: 3
Rank Score: 135
Operational Action: Make well safe, repair
Detection Mode: Alarms
Recommendation: Troubleshoot, training. Test by ''CONFIDENTIAL''. Suggest: HMIs on different 24VDC supply and fuses.
New Occurrence: 4 New Severity: 5 New Detection: 3
New Rank Score: 60

Item # 139
As Secondary Failure
Part failing: Remote I/O interface -ET2
Failure Type: System fault (SF)
Effect of failure: Lose signals from faulted I/O card. Variety of problems; CPU1/2/3/4 responding as needed. DW hard stop to minimal impact.
Occurrence: 5 Severity: 9 Detection: 3
Rank Score: 135
Operational Action: NO backup. Must repair
Detection Mode: Alarms
Recommendation: Training, spares, etc.
New Occurrence: 5 New Severity: 8 New Detection: 3
New Rank Score: 120

Item # 140
As Secondary Failure
Part failing: Remote I/O interface -ET2
Failure Type: Bus fault (BF)
Effect of failure: Lose signals from faulted I/O card. Variety of problems; CPU1/2/3/4 responding as needed. DW hard stop to minimal impact.
Occurrence: 5 Severity: 9 Detection: 3
Rank Score: 135
Operational Action: NO backup. Must repair
Detection Mode: Alarms
Recommendation: Training, spares, etc.
New Occurrence: 5 New Severity: 8 New Detection: 3
New Rank Score: 120

Item # 141
As Secondary Failure
Part failing: Remote I/O interface -ET2
Failure Type: Power Failure
Effect of failure: Lose signals from faulted I/O card. Variety of problems; CPU1/2/3/4 responding as needed. DW hard stop to minimal impact.
Occurrence: 5 Severity: 9 Detection: 3
Rank Score: 135
Operational Action: NO backup. Must repair
Detection Mode: Alarms
Recommendation: Training, spares, etc.
New Occurrence: 5 New Severity: 8 New Detection: 3
New Rank Score: 120

Item # 142
As Secondary Failure
Part failing: Remote I/O interface -ET2
Failure Type: I/O Card/Module fault
Effect of failure: Lose signals from faulted I/O card. Variety of problems; CPU1/2/3/4 responding as needed. DW hard stop to minimal impact.
Occurrence: 5 Severity: 9 Detection: 3
Rank Score: 135
Operational Action: NO backup. Must repair
Detection Mode: Alarms
Recommendation: Training, spares, etc.
New Occurrence: 5 New Severity: 8 New Detection: 3
New Rank Score: 120

Item # 150
Part failing: Power Catwalk PLC (CPU4)
Failure Type: Power Catwalk Version back up on rig
Effect of failure: Regression Errors
Occurrence: 5 Severity: 7 Detection: 7
Rank Score: 245
Operational Action: Potential to lose functionality. Potential regression error.
Detection Mode: Difficult
Recommendation: ''Client'' needs Software MOC procedure coordinated with Vendor
New Occurrence: 4 New Severity: 5 New Detection: 3
New Rank Score: 60

5.1.4. ''Confidential'' WR Cabinet

Item # 189
Part failing: WR Remote I/O interface 1.158
Failure Type: Unit failure
Effect of failure: Current effect: RN not operable, TD no impact, ZMS potential impact. Required effect: ZMS adjusts to RN failure.
Occurrence: 4 Severity: 9 Detection: 4
Rank Score: 144
Operational Action: If wrench is retracted, less impact. If wrench is extended, impact is higher. THERE is potential for ZMS collision!! Drilling ops might be able to continue with a workaround. Can hydraulically move RN, but it is tough. Required operational action: Move RN to safety, make RN Invisible, use manual tongs.
Detection Mode: Loss of comms alarm on ''Confidential''. No visual indication of this comms loss on ''CONFIDENTIAL''.
Recommendation: Procedure for manual RN operations. ''Confidential'' needs to modify the PLC application to integrate the unit failure comms bit; ''CONFIDENTIAL'' to use it to shut down RN in ZMS. ZMS MUST lock down any potential equipment with RN. RN should be marked Invisible.
New Occurrence: 4 New Severity: 5 New Detection: 3
New Rank Score: 60

Item # 190
Part failing: WR Remote I/O interface 1.158
Failure Type: Communication interface failure
Effect of failure: Current effect: RN not operable, TD no impact, ZMS potential impact. Required effect: ZMS adjusts to RN failure.
Occurrence: 4 Severity: 9 Detection: 4
Rank Score: 144
Operational Action: If wrench is retracted, less impact. If wrench is extended, impact is higher. THERE is potential for ZMS collision!! Drilling ops might be able to continue with a workaround. Can hydraulically move RN, but it is tough. Required operational action: Move RN to safety, make RN Invisible, use manual tongs.
Detection Mode: Loss of comms alarm on ''Confidential''.
Recommendation: Procedure for manual RN operations. ''Confidential'' needs to modify the PLC application to integrate the unit failure comms bit; ''CONFIDENTIAL'' to use it to shut down RN in ZMS. ZMS MUST lock down any potential equipment with RN. RN should be marked Invisible.
New Occurrence: 4 New Severity: 5 New Detection: 3
New Rank Score: 60

Item # 191
Part failing: WR Remote I/O interface 1.158
Failure Type: Power failure
Effect of failure: Current effect: RN not operable, TD no impact, ZMS potential impact. Required effect: ZMS adjusts to RN failure.
Occurrence: 4 Severity: 9 Detection: 4
Rank Score: 144
Operational Action: If wrench is retracted, less impact. If wrench is extended, impact is higher. THERE is potential for ZMS collision!! Drilling ops might be able to continue with a workaround. Can hydraulically move RN, but it is tough. Required operational action: Move RN to safety, make RN Invisible, use manual tongs.
Detection Mode: Loss of comms alarm on ''Confidential''.
Recommendation: Procedure for manual RN operations. ''Confidential'' needs to modify the PLC application to integrate the unit failure comms bit; ''CONFIDENTIAL'' to use it to shut down RN in ZMS. ZMS MUST lock down any potential equipment with RN. RN should be marked Invisible.
New Occurrence: 4 New Severity: 5 New Detection: 3
New Rank Score: 60

5.1.5. ''Confidential'' DCR CIP Panel

Item # 214
Part failing: ''Confidential'' TD/Wrench PLC
Failure Type: Software Version back up on rig
Effect of failure: Unknown Regression issue
Occurrence: 6 Severity: 8 Detection: 8
Rank Score: 384
Operational Action: ETs to follow correct SMOC on upgrades, installs, vendor visits
Detection Mode: Difficult for Ops. ET, ''Confidential'' check date, version etc.
Recommendation: ''Confidential'' SMOC implementation; ''Client'' PM and SMOC. ''Confidential'' to confirm checksum for PLC vs. server compare. Suggest ''Client'' keep a configured spare CPU on site.
New Occurrence: 5 New Severity: 6 New Detection: 3
New Rank Score: 90

5.1.6. ''Confidential'' TD

Item # 248
Part failing: TD Elevator Load sensor active (Pressure Switch 0 or 1)
Failure Type: Sensor failure
Effect of failure: potentially no alarm, No electrical detection of failure
Occurrence: 6 Severity: 8 Detection: 8
Rank Score: 384
Operational Action: Uncertain; ''CONFIDENTIAL'' to verify
Detection Mode: Alarm? ''Confidential''/''CONFIDENTIAL'' to verify how to detect the failure and its impact
Recommendation: Potentially use the Traveling Block load cell in lieu of this sensor
New Occurrence: 6 New Severity: 8 New Detection: 8
New Rank Score: 384

Item # 249
Part failing: TD Elevator Load sensor active (Pressure Switch 0 or 1)
Failure Type: Mechanical failure post command
Effect of failure: No positive Feedback post command.
Occurrence: 6 Severity: 8 Detection: 8
Rank Score: 384
Operational Action: Could damage equipment. Visual verification and training required
Detection Mode: Visual only
Recommendation: Sensor?? Require driller interaction push button? Likely this is not a practical solution. Training.
New Occurrence: 6 New Severity: 8 New Detection: 8
New Rank Score: 384

Item # 252
Part failing: TD Elevator open sensor
Failure Type: Failure of Sensor
Effect of failure: NO electrical detection of Failure until you send a command
Occurrence: 6 Severity: 7 Detection: 5
Rank Score: 210
Operational Action: Respond and Repair
Detection Mode: Lack of Feedback leads to Alarm
Recommendation: 3rd party Spares, Maintenance
New Occurrence: 5 New Severity: 7 New Detection: 5
New Rank Score: 175

Item # 253
Part failing: TD Elevator Closing Status
Failure Type: Failure of Sensor
Effect of failure: NO electrical detection of Failure until you send a command
Occurrence: 6 Severity: 7 Detection: 5
Rank Score: 210
Operational Action: Respond and Repair
Detection Mode: Lack of Feedback leads to Alarm
Recommendation: 3rd party Spares, Maintenance
New Occurrence: 5 New Severity: 7 New Detection: 5
New Rank Score: 175

Item # 254
Part failing: IBOP Open/Closed Status
Failure Type: Mechanical failure post command
Effect of failure: Blow seals, blow pop-offs. Well control situation.
Occurrence: 4 Severity: 9 Detection: 5
Rank Score: 180
Operational Action: Potential well management situation. May have IBOP open when it is thought to be closed. Can use manual control on TD.
Detection Mode: Visual Indication
Recommendation: Training, Maintenance
New Occurrence: 3 New Severity: 8 New Detection: 5
New Rank Score: 120

Rig Power Station

Item # 321
Part failing: 600VAC BUS
Failure Type: Main breaker (Q8) fault/Trip
Effect of failure: VFDs available? Via UPS have control. Lose HPU. Computers still ON.
Occurrence: 5 Severity: 7 Detection: 7
Rank Score: 245
Operational Action: Semi-controlled (no hydraulic) shutdown to repair. Can start standby or emergency generator, then start MCC and get safe on well.
Detection Mode: None - immediate
Recommendation: Confirm Drilling SOP and training for Blackout/Brownout
New Occurrence: 5 New Severity: 7 New Detection: 6
New Rank Score: 210

Item # 322
Part failing: 600VAC BUS
Failure Type: Excessive THD (Total Harmonic Distortion)
Effect of failure: Potential Trip/ Blackout & Permanent Damage to Electrical Equipment
Occurrence: 5 Severity: 8 Detection: 7
Rank Score: 280
Operational Action: Potential Blackout Response
Detection Mode: None - immediate
Recommendation: Suggest ''CONFIDENTIAL'' review filtering and monitoring options
New Occurrence: 4 New Severity: 8 New Detection: 2
New Rank Score: 64

Item # 324
Part failing: Transformer -T1
Failure Type: Ground fault
Effect of failure: Potential Blackout
Occurrence: 3 Severity: 9 Detection: 4
Rank Score: 108
Operational Action: Respond to Blackout, Make well safe and repair
Detection Mode: Have monitoring
Recommendation: Confirm Drilling SOP and training for Blackout/Brownout
New Occurrence: 3 New Severity: 7 New Detection: 4
New Rank Score: 84

Item # 325
Part failing: Transformer -T1
Failure Type: High temperature
Effect of failure: Potential Transformer Failure and Damage
Occurrence: 4 Severity: 5 Detection: 7
Rank Score: 140
Operational Action: Maintenance to Respond
Detection Mode: No Alarm
Recommendation: Suggestion: Implement alarm
New Occurrence: 3 New Severity: 7 New Detection: 2
New Rank Score: 40

Item # 326
Part failing: Transformer -T1
Failure Type: Low oil
Effect of failure: Potential Transformer Failure and Damage
Occurrence: 4 Severity: 5 Detection: 7
Rank Score: 140
Operational Action: Maintenance to Respond
Detection Mode: No Alarm
Recommendation: Suggestion: Implement alarm
New Occurrence: 3 New Severity: 7 New Detection: 2
New Rank Score: 40

Item # 327
Part failing: 400VAC BUS
Failure Type: System interlock failure
Effect of failure: Double failure post 600VAC fail. Blackout.
Occurrence: 3 Severity: 9 Detection: 7
Rank Score: 189
Operational Action: Blackout, make well safe, maintenance to respond
Detection Mode: None - immediate
Recommendation: Confirm Drilling SOP and training for Blackout/Brownout, PMs
New Occurrence: 2 New Severity: 9 New Detection: 4
New Rank Score: 72
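Every Rank Score in the records above is the product of the three ranks (Occurrence x Severity x Detection), and so is every New Rank Score. The parser below is an added example, not part of this report or of any vendor tool: it reads records in the layout used on these pages, recomputes each score, flags any printed score that is not the product of its ranks, and orders the items by residual (post-mitigation) risk. The sample records are constructed from the values printed for Items 34, 121 and 325, and the line shapes it matches are assumed from how the records appear here; on that sample it flags Item 325, whose printed New Rank Score of 40 does not equal 3 x 7 x 2.

```python
"""Parse FMEA records laid out as in this report, recompute each Risk Priority
Number (RPN = Occurrence x Severity x Detection) and flag printed Rank Scores
that disagree with their ranks. Added example, not part of the report: SAMPLE
is constructed from the values printed for Items 34, 121 and 325, and the line
shapes matched below are assumed from how the records appear on the page."""
import re
from dataclasses import dataclass
from typing import List, Tuple

SAMPLE = """\
Item # 34
As Secondary Failure
Part failing:
Electrical drive & control system PLC (-CPU2)
Failure Type: SW Version back up on rig
Occurrence: 5 Severity: 7 Detection: 7
Rank Score: 245
New Occurrence: 4 New Severity: 5 New Detection: 3
New Rank Score: 60

Item # 121
Part failing: Main Driller HMI - HMI1
Failure Type: Power failure
Occurrence: 5 Severity: 9 Detection: 7
Rank Score: 315
New Occurrence: 5 New Severity: 4 New Detection: 3
New Rank Score: 60

Item # 325
Part failing: Transformer -T1
Failure Type: High temperature
Occurrence: 4 Severity: 5 Detection: 7
Rank Score: 140
New Occurrence: 3 New Severity: 7 New Detection: 2
New Rank Score: 40
"""

RANKS = re.compile(r"^Occurrence: (\d+) Severity: (\d+) Detection: (\d+)$", re.M)
NEW_RANKS = re.compile(r"^New Occurrence: (\d+) New Severity: (\d+) New Detection: (\d+)$", re.M)


@dataclass
class FmeaItem:
    item: int
    part: str
    failure_type: str
    occ: int
    sev: int
    det: int
    stated_rpn: int
    new_occ: int
    new_sev: int
    new_det: int
    stated_new_rpn: int

    @property
    def rpn(self) -> int:
        return self.occ * self.sev * self.det

    @property
    def new_rpn(self) -> int:
        return self.new_occ * self.new_sev * self.new_det


def field(body: str, label: str) -> str:
    """Value after 'label:', from the same line or, if that is blank (the two-line
    'Part failing:' layout used for secondary failures), from the next line."""
    m = re.search(rf"^{re.escape(label)}:[ \t]*(.*)$", body, re.M)
    if not m:
        return ""
    value = m.group(1).strip()
    return value or body[m.end():].lstrip("\n").split("\n", 1)[0].strip()


def parse_items(text: str) -> List[FmeaItem]:
    """Split at 'Item # N' headers and pull the ranked fields out of each record."""
    chunks = re.split(r"^Item # (\d+)[ \t]*$", text, flags=re.M)
    items = []
    for number, body in zip(chunks[1::2], chunks[2::2]):
        ranks, new_ranks = RANKS.search(body), NEW_RANKS.search(body)
        if not (ranks and new_ranks):
            continue  # record cut off by a page break: skip rather than guess
        items.append(FmeaItem(
            int(number), field(body, "Part failing"), field(body, "Failure Type"),
            int(ranks[1]), int(ranks[2]), int(ranks[3]), int(field(body, "Rank Score") or 0),
            int(new_ranks[1]), int(new_ranks[2]), int(new_ranks[3]),
            int(field(body, "New Rank Score") or 0)))
    return items


def check_scores(items: List[FmeaItem]) -> List[Tuple[int, str, int, int]]:
    """(item, field, printed, recomputed) for every score that is not O x S x D."""
    out = []
    for it in items:
        if it.stated_rpn != it.rpn:
            out.append((it.item, "Rank Score", it.stated_rpn, it.rpn))
        if it.stated_new_rpn != it.new_rpn:
            out.append((it.item, "New Rank Score", it.stated_new_rpn, it.new_rpn))
    return out


def rank_by_residual(items: List[FmeaItem]) -> List[FmeaItem]:
    """Highest recomputed post-mitigation RPN first; ties broken by item number."""
    return sorted(items, key=lambda it: (-it.new_rpn, it.item))


if __name__ == "__main__":
    parsed = parse_items(SAMPLE)
    for it in rank_by_residual(parsed):
        print(f"Item {it.item:>4}  {it.part:<45}  RPN {it.rpn:>3} -> {it.new_rpn:>3}")
    for number, name, printed, actual in check_scores(parsed):
        print(f"Item {number}: {name} printed as {printed}, but O x S x D = {actual}")
```

Run it over the text of the whole table rather than the three sample records to audit every item at once; anything it reports is either a transcription slip or a rank that was changed without the score being recomputed, and both should be resolved before the critical spares list in 6.3 is derived from the Occurrence and Severity ranks.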

6. Summary Recommendations

6.1. ZMS Actions

 An updated ZMS User's Manual should be available to the drilling crew in at least two
languages (Chinese and English).
 A Permit To Work (PTW) should be required for any operational or maintenance activity while
there is an active issue with the ZMS.
 The ZMS Bypass feature is password protected. It is highly recommended that the Invisible
feature also require a password to activate.
 ''Confidential'' needs to modify the PLC application to integrate the WR Remote I/O Interface 1.158 unit
failure communication bit. ''CONFIDENTIAL'' should use it to shut down the RN in the ZMS. The ZMS MUST
lock down any potential equipment against the RN. To continue operation, the RN should be moved
to a safe location out of the zone and marked Invisible. Operation could continue using
manual tongs.
 ZMS Matrix to be corrected and updated.

6.2. Design Actions

 Implementation of Modbus status and Modbus alarm.
 Investigate the possibility of establishing a redundant link to the generators' controllers over CANbus in
case of Modbus failure. That could mitigate the risk of reduced available power and its impact on
drilling operations.
o ''CONFIDENTIAL'' Comment: We have contacted the controller supplier; we cannot
do it. The CAN bus communication is used for its internal communication and cannot be
connected to an outer network.
 Consider re-routing the Profibus cable for communication with the VFDs.
 Investigate the possibility of establishing a redundant link to the VFDs' controllers over Modbus in case of
Profibus failure. That could mitigate the risk of DW hard stop and loss of DW, Mud Pumps and
Rotary Table due to a communication fault.
 Verify the tolerance of the Network Watchdog Timers. Alarms should be triggered without impact on
operation.
 In case of Top Drive VFD failure there is a risk to safe well management. Rotation would have to be
maintained using the Rotary Table, and the time required for troubleshooting and system recovery
could be very long. To increase system reliability and availability it is recommended to install a
break-over switch between the TD and MP1 VFDs. In case of TD VFD failure, the TD could then be driven
by the MP1 VFD. Potential rig downtime could be significantly reduced.
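The watchdog point above, and Items 68 and 75 in 5.1.2 and 5.1.3 (HUB-to-HUB cable break: "verify tolerance of watchdog timers will give alarm, but not stop equipment"), amount to a two-threshold design: a late heartbeat raises an alarm the driller can act on, and only a much longer silence trips the equipment. The simulation below is an added example and is not code from the report or from the vendor's PLC; the link name, the thresholds (alarm after 1.0 s, trip after 3.0 s) and the heartbeat timeline are constructed for the demonstration, and the real tolerances have to be read from the vendor's watchdog configuration.

```python
"""Two-stage link watchdog: alarm when a heartbeat is late, hard stop only after a
longer, separate tolerance, and a latched trip that needs an operator reset.
Added example, not part of the report or any vendor PLC code; the link name,
thresholds and heartbeat timeline below are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Event = Tuple[float, str, str]  # (time in seconds, link name, new state)


@dataclass
class LinkWatchdog:
    name: str
    alarm_s: float  # age of the last heartbeat at which an alarm is raised, no equipment action
    trip_s: float   # age at which the link is declared lost and the equipment is hard stopped
    last_seen: Optional[float] = None
    state: str = "OK"
    events: List[Event] = field(default_factory=list)

    def __post_init__(self) -> None:
        # The report's concern: an alarm threshold at or above the trip threshold
        # leaves no warning window before the DW hard stop.
        if not 0 < self.alarm_s < self.trip_s:
            raise ValueError("alarm_s must be positive and strictly below trip_s")

    def _set(self, now: float, state: str) -> None:
        if state != self.state:
            self.state = state
            self.events.append((now, self.name, state))

    def heartbeat(self, now: float) -> None:
        self.last_seen = now
        if self.state == "ALARM":  # late but not lost: clear the alarm, nothing was stopped
            self.state = "OK"
            self.events.append((now, self.name, "RESTORED"))
        # A TRIP is latched: returning traffic does not restart equipment; reset() does.

    def reset(self, now: float) -> None:
        """Operator acknowledgement after a trip (the SOP's 'stop and restart')."""
        if self.state == "TRIP":
            self.state = "OK"
            self.events.append((now, self.name, "RESET"))

    def evaluate(self, now: float) -> str:
        if self.last_seen is None or self.state == "TRIP":
            return self.state
        age = now - self.last_seen
        if age >= self.trip_s:
            self._set(now, "TRIP")
        elif age >= self.alarm_s:
            self._set(now, "ALARM")
        return self.state


def replay(wd: LinkWatchdog, heartbeats: List[float], horizon_s: float, tick_s: float = 0.1) -> List[Event]:
    """Feed timestamped heartbeats to the watchdog from a poll loop that runs every tick_s."""
    pending = sorted(heartbeats)
    for step in range(int(round(horizon_s / tick_s)) + 1):
        now = round(step * tick_s, 3)
        while pending and pending[0] <= now:
            wd.heartbeat(pending.pop(0))
        wd.evaluate(now)
    return wd.events


def demo_events() -> List[Event]:
    """Constructed timeline: heartbeats every 100 ms, a 1.5 s outage (a cable reseated
    quickly), then a 6 s outage (a cable break left unattended)."""
    hb = [round(0.1 * i, 1) for i in range(31)]           # 0.0 .. 3.0 s
    hb += [round(4.5 + 0.1 * i, 1) for i in range(16)]    # 4.5 .. 6.0 s
    hb += [round(12.0 + 0.1 * i, 1) for i in range(11)]   # 12.0 .. 13.0 s
    wd = LinkWatchdog("HUB1-HUB2", alarm_s=1.0, trip_s=3.0)
    return replay(wd, hb, horizon_s=13.0)


if __name__ == "__main__":
    for when, link, state in demo_events():
        print(f"t={when:5.1f}s  {link}: {state}")
```

With these constructed thresholds the short outage produces an alarm at 4.0 s and a RESTORED at 4.5 s with no stop, while the long outage alarms at 7.0 s and trips at 9.0 s; the heartbeats that return at 12.0 s do not clear the trip, which matches the "stop and restart equipment" consequence the items describe. The test a commissioning team should run is exactly this pair of outages on the real link, checking that the first one ends in an alarm only.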

6.3. Pre-Operation Actions

 The Drilling Contractor should prepare Standing Operational Instructions for all critical operational
situations. Those instructions should be available on site in two languages (Chinese and English).
 All drilling and maintenance crew should be trained to handle all identified situations that may
have an impact on safe and reliable operation. It is recommended that the training program starts
during factory testing of the equipment so that the crew becomes familiar with the system. The drilling
crew training should ensure the following:
o Drilling crew are able to understand all system alarms
o In case of failure of any piece of equipment, the crew should be able to use other
equipment to mitigate the risk, control the well and continue with the operation
 The maintenance crew should be trained to perform the following tasks:
o Recover the system in case of equipment failure
o Identify the spare parts required to fix the technical problem
o Change the network configuration in case of specific hardware failure, following the Standing
Operational Instructions
o Specific troubleshooting
 Update the Critical Spare Parts list considering OEM recommendations, the Occurrence and
Severity ranks identified in the FMEA table, the number of units used, delivery time for spares in Oman and
price.
 The Drilling Contractor should ensure the stock of critical spare parts on site. Some spare parts
with a lower Occurrence rank could be shared between the two rigs.
 It is highly recommended that the Drilling Contractor create and implement a Software
Management Of Change (SMOC) policy as per O&G industry standards and good business
practice. That includes implementation of multiple operational procedures, instructions, forms and
coordination with all vendors. There are 10 critical items identified during the FMEA workshop that
could be significantly mitigated by implementation of SMOC. 3rd party inspection and verification
is recommended.
o Kingston Systems is very experienced in leading Drilling Contractors in SMOC
implementation and provides some case studies of SMOC failures and their criticality in the
appendix.
 For any ZMS override, a Permit To Work (PTW) should be mandatory. Review, and if needed
upgrade, the Permit To Work (PTW) policy.
 A procedure for RN manual operation should be available on the Drill Floor.
 Preventive Maintenance (PM) should be prepared and implemented. 3rd party inspection and
verification is recommended.
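The SMOC point above and Item 214 in 5.1.5 ("confirm checksum for PLC vs. server compare", with detection by an ET checking date and version) come down to one control: an approved baseline of what should be running on each controller, protected so that it cannot itself be quietly edited, compared against what is actually on the rig. The following is an added example, not part of this report or of any vendor's engineering tool. Device names, version strings and program bytes are constructed; in practice the bytes would be the project export or program checksum the engineering tool reports for each PLC and HMI, and the signing key would be held off the rig network. The constructed rig snapshot reproduces the situations the FMEA items describe: a controller patched on a vendor visit without MOC, a controller rolled back to an older backup ("version back up on rig"), a device that cannot be read, and a device nobody has baselined.

```python
"""Verify the software on rig controllers against an approved, integrity-protected
baseline: an approved version and SHA-256 per device, an HMAC over the manifest,
and a comparison that classifies every deviation. Added example, not part of the
report or any vendor tool; device names, versions, program bytes and KEY are
constructed (a real key lives off the rig network)."""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

KEY = b"constructed-demo-key-real-keys-stay-off-the-rig"  # assumption for the demo only

# Constructed "approved" program images as released through the MOC process.
APPROVED_IMAGES: Dict[str, Tuple[str, bytes]] = {
    "CPU2": ("2.3.1", b"CPU2 drive & control program 2.3.1"),
    "CPU3": ("1.8.0", b"CPU3 pipe handling program 1.8.0"),
    "CPU4": ("4.1.2", b"CPU4 ZMS program 4.1.2"),
    "HMI1": ("7.0.5", b"HMI1 driller screen package 7.0.5"),
}

Baseline = Dict[str, Dict[str, str]]
Finding = Tuple[str, str, str]  # (device, finding, detail)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(images: Dict[str, Tuple[str, bytes]]) -> Baseline:
    """Manifest of approved version and SHA-256 per device, produced at release time."""
    return {dev: {"version": ver, "sha256": sha256_hex(blob)} for dev, (ver, blob) in images.items()}


def sign_baseline(baseline: Baseline, key: bytes) -> str:
    """HMAC over a canonical JSON encoding, so an edited manifest cannot hide a change."""
    canonical = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_baseline(baseline: Baseline, key: bytes, tag: str) -> bool:
    return hmac.compare_digest(sign_baseline(baseline, key), tag)


def compare(baseline: Baseline, observed: Dict[str, Tuple[str, bytes]]) -> List[Finding]:
    """Every deviation between the approved baseline and what was read from the rig."""
    findings: List[Finding] = []
    for dev, approved in baseline.items():
        if dev not in observed:
            findings.append((dev, "MISSING_ON_RIG", f"approved {approved['version']} could not be read"))
            continue
        version, blob = observed[dev]
        if version != approved["version"]:
            findings.append((dev, "VERSION_MISMATCH", f"rig {version} vs approved {approved['version']}"))
        elif sha256_hex(blob) != approved["sha256"]:
            # Same version label, different content: a change made outside MOC.
            findings.append((dev, "CHECKSUM_MISMATCH", "version label unchanged but program differs"))
    for dev in observed:
        if dev not in baseline:
            findings.append((dev, "UNMANAGED", "device not in approved baseline"))
    return sorted(findings)


def audit() -> List[Finding]:
    """Constructed rig snapshot: CPU2 intact, CPU3 patched on a vendor visit without
    MOC, CPU4 rolled back to an older backup, HMI1 unreadable, one unknown PLC."""
    baseline = build_baseline(APPROVED_IMAGES)
    tag = sign_baseline(baseline, KEY)  # in practice stored with the manifest at release time
    if not verify_baseline(baseline, KEY, tag):
        raise RuntimeError("baseline manifest failed its integrity check; do not trust the comparison")
    observed = {
        "CPU2": ("2.3.1", b"CPU2 drive & control program 2.3.1"),
        "CPU3": ("1.8.0", b"CPU3 pipe handling program 1.8.0 + hotfix"),
        "CPU4": ("4.0.9", b"CPU4 ZMS program 4.0.9"),
        "TD-WRENCH-PLC": ("0.0.1", b"unknown image"),
    }
    return compare(baseline, observed)


if __name__ == "__main__":
    for device, finding, detail in audit():
        print(f"{device:<14} {finding:<18} {detail}")
```

The version string alone would have passed CPU3, which is why the report asks for a checksum compare and not only a version check; the manifest HMAC closes the other gap, an "approved" list that is edited on the rig to match whatever happens to be installed. Run the comparison as the last step of every upgrade, install and vendor visit, and again before the Permit to Work is closed.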

6.4. Other Recommendations

 Review and upgrade all testing procedures in accordance with the FMEA. The most critical part is
the response of the ZMS and the entire Drilling Control System to the various
communication faults, hardware faults and Rig Power Station faults. All involved parties
should have mutual agreement about the required additional tests.
 Management of equipment calibration between the Main Driller and Assistant Driller HMIs, flash cards and
PLCs needs to be clear and tested by ''CONFIDENTIAL'' before delivery.

7. Closing Remarks

''Client'' engaged Kingston Systems as 3rd party technical reviewers and facilitators in a control systems
FMEA workshop. The primary objective was to review the stability of the Zone Management System and
Control Systems. In working to accomplish this goal, Kingston Systems received the full support and
involvement of ''Client'' and ''Confidential''.

The FMEA indicated that while the current design is solid, there are suggested design improvements both
for ''Confidential'' and Hong Hua, as well as clear operational process and training tasks for ''Client''.

With the correction of the identified issue items, the stability of the control systems and the readiness of the
crew could be improved. As of this report, there are 51 high-level suggestions for the team to
consider that might impact safe operations.

Kingston Systems would like to thank ''Confidential'', ''Client'' and ''Client'' for their participation and
involvement, and we look forward to future cooperation during the testing, commissioning, Oman
Acceptance and SMOC deployment.

Disclaimer: Kingston Systems LLC assumes no responsibility for any loss, physical or financial, or damage from actions taken or not
taken in light of the comments or recommendations given or not given in this or any project communication.

8. SMOC case studies
Lack of a clear SMOC is a direct risk to safe and consistent rig operations. Contractors must understand
this and modify their programs to include software management practices. Here are a few case studies of
the results of a poor SMOC.

Case 1: Crash of the sack room terminal. An HMI terminal in the sack room was discovered to be
unresponsive after the close-out of the Permit to Work for installing software updates on the
DrillView system. This was determined to be caused by the restarting of servers during the software
upgrade without properly reinitializing all the terminals afterwards.

Emphasizes the importance of:

o Post Installation Testing: Technicians are prone to only checking the update for items they
were told have been changed. Rechecking functionality across the entire system is critical, as
there are often unexpected side effects. This is a big job and requires effort from the crew. The
Chief Engineer should make this a priority in all installations and insist on a detailed and complete
written installation procedure. Special attention should be given to safety systems including
emergency stops, anti-collision systems and equipment interlocks.
o Understanding the Interconnectivity and Interdependence: System complexity is often
underestimated. Technicians are often specialists in a very narrow subset and are unaware of
possible consequences to other systems.
o Good Restart Procedures: Servers and terminals sometimes need to be restarted in a certain
order. Restarting a server without reinitializing the connected terminals may cause a terminal
to hang after having lost its connection. Unless a very careful study is made, it is generally
recommended to restart all connected servers and terminals according to OEM instructions after
a software upgrade.

Case 2: Software Upgrade Installation failure. A SCR (Software Change Request) was filed and
approved. Time was allocated under the Permit to Work process and other users were locked out of the
network and from access to the affected machinery. Unfortunately, the technician was unknowingly provided
with a bad release package. To further complicate the situation, no offsite support was available to the
technician. When contact with the home office was reestablished, the missing files were sent but blocked
by antivirus software. Eventually, an alternate route for software delivery was found. After the
installation was completed, it was found to be incorrectly programmed and was of no use.
The end result was several hours of system lockout time spent on tasks that should have been done
offline. Because of low software quality and poor vendor testing, the outcome was a completely
preventable waste of time.

This case emphasizes the importance of:
o Good installation procedures: Because down time is expensive, the complete installation
package should be in hand locally, not downloaded over a slow connection after the lockdown
has been started. The update package should be checked to ensure all parts have arrived
before filing for the Permit to Work. When possible, onshore support should be available to help
resolve any problems. The Chief Engineer should require offshore support to be online during
installation time periods. Where possible, offline testing should be done so that the installation
package can be confirmed as good before locking out the equipment.
o Post installation testing: It is important to never assume that the installed package actually
does what it is supposed to do.
o Good back out procedures: After a failed update, it is important to be able to restore the
system to its original state.

Confidential to ACES GQS - Evaluation Only 41


www.kingston-systems.com
o Vendor Responsibility: Good SMOC procedures allow management to control installation
processes and hold vendors accountable for wasted time and low quality product. Because the
expected installation time and procedure was documented, it was easy to prove a failure and
promote the issue up the chain of command to prevent future occurrences.

Case 4: Failure to Lock Out / Tag Out. The Drawworks control server was taken offline and rebooted for
backup. This backup was approved by the Chief Engineer. During the backup process, the Driller was
in the chair attempting to move the Drawworks. The Driller and the Technician were in informal
communication, but no specific isolation or work stop was in place.

The driller's chair left touch screen had a menu open which stopped responding during and after the
reboot. The Drawworks came to an unexpected halt and the driller was unable to exit the screen or
operate the chair menu using the "close" button. The chair had to be rebooted before full control was
restored. There was no risk of damage or injury because a non-critical function was being performed and the
equipment automatically stops motion when control is lost.

The following actions were not taken but would be required to satisfy SMOC concerns:
o A scheduled time in which the action is to take place. This would prevent management confusion as
to why alarms are being generated and why equipment is offline.
o A formal notification of supervisors and operators that the action was about to be performed. This
Job Safety Analysis (JSA) would have prevented the miscommunication and avoided any potential
equipment or personnel harm.
o A written set of steps. This would have allowed a supervisor to recognize that a reboot was to occur
and better understand possible side effects.
o Equipment isolation, which would prevent any changes from causing sudden unexpected movement or
inability to move.
o Complete understanding of side effects, so that the procedure included resetting of other affected
machinery. This requires the approvers to take additional responsibility in understanding how the
equipment functions and is interconnected.

Lesson: Equipment should be locked out and isolated during control system work and under a permit to
work system. Restart sequences for equipment need to be followed and well understood.

Case 5: Poor Testing. A software upgrade was installed, leading to a collision between the top drive and the
top of the drill pipe because the update was designed for a rig with a shorter derrick. The pipe was bent
out of position and was in danger of popping out of the vertical pipe handler gripper arm. The upper stop
limit set point had been unknowingly changed by the software upgrade.

Lesson: Vendor test scripts are not infallible. Software upgrades sometimes change parameters
unexpectedly and without the knowledge of the technician performing the upgrade. Sometimes hidden
logic changes have unintended consequences that are not discovered until after installation. Following
every change, all limits and interlocks must be checked and tested.

Case 6: Inadequate Testing: A software change was made to zone management settings and was
retested between two machines. The interaction with a third machine was not tested and caused a
collision resulting in injury risk and 2 months of critical machinery down time.

Lesson: It is human nature to not check to see if changes made are working, and checking to see
what new errors have been introduced is often skipped. Following every change, all limits and
interlocks must be checked and tested.

9. Glossary of Terms
Glossary (Hong Hua)
Abbreviation Description

BF Bus Fault
CPU Central Processing Unit
CW Catwalk
DeltaP pump differential pressure
DFMA Drill Floor Manipulator Arm
DW Draw work
ET Electronic Technician
Ex Explosion-proof
FAT Factory Acceptance Test
FW Floor wrench
GEN Generator
HMI Human machine interface
HP Horse power
HUB Network HUB (Old)
I/O Input/output
MB Mud bucket
MCC Motor control center
MP Mud Pumps
PLC Programmable logic controller
PTW Permit to Work
RN Rough Neck, Floor Wrench
ROP Rate of penetration
RPM Rotary speed per minute
RTD Resistance temperature detector
SF System Fault
SMOC Software Management of Change
SOP Standard Operating (Drilling) Procedure
STV Stand Transfer Vehicle (pipe racker NOV provided)
SW Network Switch (New)
TD Top drive
TRQ Torque
VDC Volts Direct Current
VFD Variable frequency drive
WOB Weight on bit
ZMS Zone management system

10. Workshop Action Summary

Parking Lot for Questions/Actions/Research

Columns: # | Comment/Action | Who | Result | Status | Due

#1
  Comment/Action: Review testing procedures for CPU 1 and CPU 2 handover, timing
  Who: Team
  Result: ''CONFIDENTIAL'': Have the CPU1 on test and CPU2 on test separately in factory test. 20.03.2018 ''Confidential'': It is cool-redundant design, not hot. Not necessary to check the timing issue. Advise to close.
  Status: -  |  Due: Jan 29 PM

#2
  Comment/Action: Update terms on drawings to represent SWITCHES vs. HUB. Also update others and corrections.
  Who: ''CONFIDENTIAL''
  Result: In progress. 20.03.2018 ''Confidential'': Little effect to the system; most labels are made as "HUB". Advise to close.
  Status: -  |  Due: Jan 29 PM

#3
  Comment/Action: Alarms: Are there two or more interfaces for alarms (''Confidential'' and ''CONFIDENTIAL'')? Are all or only some of ''Confidential'' alarms on the ''CONFIDENTIAL'' interface/integration document?
  Who: ''CONFIDENTIAL''
  Result: ''CONFIDENTIAL'' shows generic / general alarms, ''Confidential'' shows specific alarms. ''Confidential'' will have more information/description.
  Status: Closed  |  Due: Jan 29 PM

#4
  Comment/Action: Verify ''CONFIDENTIAL'' UPS configuration and DC power distribution
  Who: ''CONFIDENTIAL''
  Result: 20.03.2018 ''Confidential'': Done. Please close.
  Status: -  |  Due: Jan 29 PM

#5
  Comment/Action: Clarify VFD power filtering on 600Vac grid, i.e. each VFD unit, main line only filtering, or none
  Who: ''CONFIDENTIAL''
  Result: ''CONFIDENTIAL'': No filter on 600Vac bus, reasons as follows: 1. Generator system is an independent system which is different from industrial power grid supply; THD will not be harmful to other systems. 2. Any THD has less effect because we use VFD to control, which has a higher power factor. 20.03.2018 ''Confidential'': Clarified, done. Please close.
  Status: -  |  Due: Jan 29 PM
#6
  Comment/Action: What information and alarm do we have on the Transformers and generators / power grid? Ground Fault, High Temp, Power Limit, Low Oil.
  Who: ''CONFIDENTIAL''
  Result: ''CONFIDENTIAL'': Has clarified to Dragan. For the transformers, it is an air cooling system and we only have a high temp alarm to monitor that the transformer is healthy. 20.03.2018 ''Confidential'': Clarified, done. Please close.
  Status: -  |  Due: Jan 29 PM

#7
  Comment/Action: Why no fuses for Estop relay in VFD Cabinet? <Check DC distribution side for similar concern>
  Who: ''CONFIDENTIAL''
  Result: ''CONFIDENTIAL'': If the 24v device is located in the VFD house, we do not have the fuses, but if the 24v line goes outside we have the fuses, which has a higher risk of short circuit. For the ESTOP relay, if any short circuit destroys the relay, we may have ESTOP function. 20.03.2018 ''Confidential'': Clarified, done. Please close.
  Status: -  |  Due: Jan 29 PM

#8
  Comment/Action: Does ZMS Override function timeout? Is ZMS Override log action integrated? Where? Is ZMS Override activated by toggle switch or push button?
  Who: ''CONFIDENTIAL''
  Result: Yes, button needs to be held down while in use… Likely requires two people to operate.
  Status: Closed  |  Due: Jan 29 PM

#9
  Comment/Action: Does ''Client'' have PTW on Drilling SOP for Invisible and Override?
  Who: ''Client''
  Result: Intent YES. Review in Operations.
  Status: Closed  |  Due: Jan 29 PM

#10
  Comment/Action: Verify ZMS Matrix. Review with FMEA Team. Remove MB, adjust STV/RN and others.
  Who: Team
  Result: Final version not complete. ''CONFIDENTIAL'': not clear enough about the question. 20.03.2018 ''Confidential'': Updated. Please see attachments.
  Status: To Be Done Later  |  Due: Jan 29 PM

#11
  Comment/Action: Can you better describe the fire, smoke, flame and gas detection system? We only directly see the six fire detectors on the generators. Pls clarify.
  Who: ''CONFIDENTIAL''
  Result: PDO requested independent system fire detection. The standard system is installed separately.
  Status: Closed  |  Due: Jan 29 PM
#12
  Comment/Action: Is the Estop Network Auto Reset after triggering? Are restarts on the a) single push button and then b) software reliant reset and restart?
  Who: ''CONFIDENTIAL''
  Result: 20.03.2018 ''Confidential'': When ESTOP is triggered, the equipment system will receive the ESTOP signal and all command output will be reset; even if the ESTOP is reset, the movement will not restart until a command is given. So it is safe for equipment control. Advise to close.
  Status: -  |  Due: Jan 29 PM

#13
  Comment/Action: ''Confidential'' Spares List for equipment in question. Review against FMEA actions.
  Who: ''Confidential''
  Result: To be done post workshop
  Status: -  |  Due: Jan 29 PM

#14
  Comment/Action: ''Confidential'' function/functionality of Stratix
  Who: ''Confidential''
  Result: Complete
  Status: Closed  |  Due: Jan 29 PM

#15
  Comment/Action: Factory tests: Be sure to check that tests on ''Confidential'' rig network are tested for single and double fiber line breaks
  Who: Kingston, ''CONFIDENTIAL''
  Result: To be done during review of test and Commissioning Documents
  Status: Later  |  Due: Jan 29 PM

#16
  Comment/Action: ''CLIENT'': Review ''Client'' SMOC and PM practices for Software Maintenance and practices in line with ''Confidential'' SMOC program
  Who: ''Client''
  Result: To be done post workshop
  Status: Later  |  Due: Jan 29 PM

#17
  Comment/Action: ''Confidential'', Jesus, check on checksum for PLC vs. server version compare
  Who: ''Confidential''
  Result: -
  Status: -  |  Due: Jan 29 PM

#18
  Comment/Action: ''Confidential'', Jesus, verify PLC Flash card version check / health check feature, functionality. No low battery alarm on HMI.
  Who: ''Confidential''
  Result: Card issue will generate an immediate fault. On the PLC only. We do not do card vs. PLC check.
  Status: Closed  |  Due: Jan 29 PM

#19
  Comment/Action: ''CONFIDENTIAL'' verify drilling power limit functionality wrt VFD failures
  Who: ''CONFIDENTIAL''
  Result: ''CONFIDENTIAL'': If one DW VFD failed during the operation, DW will stop. We can use one DW motor to hoist rating load with limit speed based on the power curve. 20.03.2018 ''Confidential'': Clarified, done. Please close.
  Status: -  |  Due: Jan 29 PM

#20
  Comment/Action: ''CONFIDENTIAL'' to share outstanding docs: updated drawings; ''Confidential'' and ''CONFIDENTIAL'' Alarm Documents; ZMS Matrix, Final
  Who: ''CONFIDENTIAL''
  Result: ''CONFIDENTIAL'': in progress. 20.03.2018 ''Confidential'': Done. Please see attachments.
  Status: -  |  Due: Jan 29 PM
#21
  Comment/Action: ''Confidential'' Drawings for UPS, power supplies, and surge protector not ready; postpone.
  Who: ''Confidential''
  Result: Final drawing review against FMEA
  Status: Later  |  Due: Jan 29 PM

#22
  Comment/Action: ''Confidential'' to verify if fault is detected on vertical movement proxy sensor
  Who: ''Confidential''
  Result: -
  Status: -  |  Due: Jan 29 PM

#23
  Comment/Action: ''CONFIDENTIAL''/''Confidential'' consider updating RN Block signals from 3 to 1
  Who: ''Confidential''/''CONFIDENTIAL''
  Result: ''CONFIDENTIAL'': ''Confidential'' can keep the 3 block signals as discussed. 20.03.2018 ''Confidential'': Clarified, done. Please close.
  Status: -  |  Due: Jan 29 PM

#24
  Comment/Action: ''CONFIDENTIAL''/''Confidential'', check need for ZMS on RT/RN on MU BO. See ZMS Collision on RN/RT.
  Who: ''Confidential''/''CONFIDENTIAL''
  Result: ''CONFIDENTIAL'': No need, remove this interlock. 20.03.2018 ''Confidential'': Clarified, done. Please close.
  Status: -  |  Due: Jan 29 PM

#25
  Comment/Action: ''CONFIDENTIAL'' ''Confidential''. Confirm that blocking the WHOLE RN is not needed.
  Who: ''Confidential''/''CONFIDENTIAL''
  Result: Not needed
  Status: Closed  |  Due: Jan 29 PM

#26
  Comment/Action: ''Confidential'' needs to modify the PLC application to integrate the unit failure comms bit.
  Who: ''Confidential''
  Result: Done
  Status: -  |  Due: Jan 29 PM

#27
  Comment/Action: STV-TB collision prevention. Need to validate the height setting for this limit during test.
  Who: ''CONFIDENTIAL''
  Result: ''CONFIDENTIAL'': It is possible to set the height protection value, and it is included in the factory test. 20.03.2018 ''Confidential'': Clarified, done. Please close.
  Status: -  |  Due: Jan 29 PM

#28
  Comment/Action: Verify functionality of Slips Closed and confirmation of slips closed signal
  Who: ''CONFIDENTIAL''
  Result: ''CONFIDENTIAL'': A pressure transmitter is installed to measure the closed line pressure to verify whether the slips are closed or not. 20.03.2018 ''Confidential'': Clarified, done. Please close.
  Status: -  |  Due: Jan 29 PM

#29
  Comment/Action: How to tell if RT is locked? And why is this on the ZMS Table? Verify that this is still needed.
  Who: ''CONFIDENTIAL''
  Result: ''CONFIDENTIAL'': Confirmed no response on RT if locked, and no need for this signal in ZMS. 20.03.2018 ''Confidential'': Clarified, done. Please close.
  Status: -  |  Due: Jan 29 PM
#30
  Comment/Action: Suggestion: revisit DW encoder and rejection logic and calculation, and interaction with ZMS
  Who: ''CONFIDENTIAL''
  Result: ''CONFIDENTIAL'': Two drum encoders are configured to calculate the speed, to compare with the motor encoder speed; if the deviation is too much, DW will have an alarm to inform which drum encoder may have a problem. Do not activate the encoder which has the problem on HMI. 20.03.2018 ''Confidential'': Clarified, done. Please close.
  Status: -  |  Due: Jan 29 PM

#31
  Comment/Action: ''CONFIDENTIAL'' to check on Transformer alarming and response
  Who: ''CONFIDENTIAL''
  Result: ''CONFIDENTIAL'': Have high temperature alarm. 20.03.2018 ''Confidential'': Clarified, done. Please close.
  Status: -  |  Due: Jan 29 PM

#32
  Comment/Action: ''CONFIDENTIAL'' to verify 400VAC failure modes for RCD and Q9, Q10, Q11 faults and interlocks. Revisit FMEA table.
  Who: ''CONFIDENTIAL''
  Result: ''CONFIDENTIAL'': Q9, Q10, Q11 are the hardware interlock; for more description please see the drawing SYSTEM SINGLE LINE page. If the breaker has a fault, it cannot switch on. 20.03.2018 ''Confidential'': Clarified, done. Please close.
  Status: -  |  Due: Jan 29 PM

#33
  Comment/Action: Can the bypass feature have a password?
  Who: ''CONFIDENTIAL''
  Result: ''CONFIDENTIAL'': Yes, it is required to input a password. 20.03.2018 ''Confidential'': Clarified, done. Please close.
  Status: -  |  Due: Jan 29 PM

#34
  Comment/Action: Will the bypass feature WORK with comms loss from CPU4 to CPU3? See #98, HDCR section.
  Who: ''CONFIDENTIAL''
  Result: ''CONFIDENTIAL'': Yes. For each equipment screen there is one button to disable the ZMS function; equipment will ignore the ZMS BLOCK signal if it is activated when CPU 3&4 comms are lost. 20.03.2018 ''Confidential'': Clarified, done. Please close.
  Status: -  |  Due: Jan 29 PM

#35
  Comment/Action: PLC vs. Flash card storage of Equipment Calibration between the 3 HMIs and the 2 PLCs… Version mgmt., user rights… A concern.
  Who: ''CONFIDENTIAL''
  Result: ''CONFIDENTIAL'': Only supply one Flash card on HMI to store the calibration value, to avoid data inconsistency. 20.03.2018 ''Confidential'': Clarified, done. Please close.
  Status: -  |  Due: Jan 29 PM
#36
  Comment/Action: ''Confidential'' and ''CONFIDENTIAL'' to check FMEA once drawings are complete for Surge Protector and DC Power supply
  Who: ''Confidential''
  Result: -
  Status: -  |  Due: Jan 29 PM

#37
  Comment/Action: ''CONFIDENTIAL'', what happens when you get a 600VAC ground fault? Blackout. Revisit FMEA table.
  Who: ''CONFIDENTIAL''
  Result: ''CONFIDENTIAL'': Only alarm indication. 20.03.2018 ''Confidential'': Now only indication. Please close.
  Status: -  |  Due: Jan 29 PM

11. FMEA Workshop Table

Columns of the workshop table: Item # | Parent Part | Part Failing | Failure Type | Effect of Failure | Operational Action | OCC | SEV | Detection Mode | DET | RANK | Acceptable | Mitigating Action | Responsible | Complete Date | New OCC | New SEV | New DET | New RANK | New Acceptable | % Reduction in RPN. Each item below lists those fields.

Item 1 | Parent: VFD House | Part: Modbus, Generator side of Thermostat and Gas Detector | Failure: Comms lost or cable break
  Effect: Complete Modbus failure. Don't have communication with Generator. Drilling power still available
  Operational action: No impact to drilling, unless additional power needed. ET to investigate and repair
  OCC 5, SEV 4, DET 6, RANK 120, Acceptable N | Detection: Indication of generator status. Potentially no alarm. Alarm suggested
  Mitigation: Suggest implementing an alarm to ET of Modbus status and generator failure. Suggest: CAN bus is available on GEN control card. This will reduce risk of blackout by switching to a different comms channel
  Responsible: ''CONFIDENTIAL'' | Complete: Before final test
  New OCC 5, SEV 4, DET 3, RANK 60, Acceptable Y | RPN reduction 50.0%

Item 2 | Parent: VFD House | Part: Modbus between Thermostat and Gas Controller | Failure: Comms lost or cable break
  Effect: Complete Modbus failure. Blind on available power and transformer information. Drilling power still available
  Operational action: No impact to drilling, unless additional power needed. ET to investigate and repair
  OCC 5, SEV 4, DET 6, RANK 120, Acceptable N | Detection: Indication of generator status. Potentially no alarm. Alarm suggested
  Mitigation: Suggest implementing an alarm to ET of Modbus status and generator failure. Suggest: CAN bus is available on GEN control card
  Responsible: ''CONFIDENTIAL'' | Complete: Before final test
  New OCC 5, SEV 4, DET 3, RANK 60, Acceptable Y | RPN reduction 50.0%

Item 3 | Parent: VFD House | Part: Modbus connection | Failure: Loss of termination resistor
  Effect: Complete Modbus failure. Drilling power still available
  Operational action: No impact to drilling, unless additional power needed. ET to investigate and repair
  OCC 5, SEV 4, DET 6, RANK 120, Acceptable N | Detection: Indication of generator status. Potentially no alarm. Alarm suggested
  Mitigation: Suggest implementing an alarm to ET of Modbus status and generator failure. Suggest: CAN bus is available on GEN control card
  Responsible: ''CONFIDENTIAL'' | Complete: Before final test
  New OCC 5, SEV 4, DET 3, RANK 60, Acceptable Y | RPN reduction 50.0%

Item 4 | Parent: VFD House | Part: Modbus | Failure: Short circuit on cable
  Effect: Complete Modbus failure. Drilling power still available
  Operational action: No impact to drilling, unless additional power needed. ET to investigate and repair
  OCC 5, SEV 4, DET 6, RANK 120, Acceptable N | Detection: Indication of generator status. Potentially no alarm. Alarm suggested
  Mitigation: Suggest implementing an alarm to ET of Modbus status and generator failure. Suggest: CAN bus is available on GEN control card
  Responsible: ''CONFIDENTIAL'' | Complete: Before final test
  New OCC 5, SEV 4, DET 3, RANK 60, Acceptable Y | RPN reduction 50.0%

Item 5 | Parent: VFD House | Part: Modbus | Failure: Electromagnetic noise
  Effect: Complete Modbus failure. Drilling power still available
  Operational action: No impact to drilling, unless additional power needed. ET to investigate and repair
  OCC 5, SEV 4, DET 6, RANK 120, Acceptable N | Detection: Indication of generator status. Potentially no alarm. Alarm suggested
  Mitigation: Suggest implementing an alarm to ET of Modbus status and generator failure. Suggest: CAN bus is available on GEN control card
  Responsible: ''CONFIDENTIAL'' | Complete: Before final test
  New OCC 5, SEV 4, DET 3, RANK 60, Acceptable Y | RPN reduction 50.0%

Item 6 | Parent: VFD House | Part: Modbus break between Generators | Failure: Comms lost or cable break
  Effect: Complete Modbus failure. Drilling power available unknown?
  Operational action: No impact to drilling, unless additional power needed. ET to investigate and repair
  OCC 5, SEV 4, DET 6, RANK 120, Acceptable N | Detection: Indication of generator status. Potentially no alarm. Alarm suggested
  Mitigation: Suggest implementing an alarm to ET of Modbus status and generator failure. Suggest: CAN bus is available on GEN control card
  Responsible: ''CONFIDENTIAL'' | Complete: Before final test
  New OCC 5, SEV 4, DET 3, RANK 60, Acceptable Y | RPN reduction 50.0%

Item 7 | Parent: VFD House | Part: Generator Panel (one of 3 running) (+GEN1 -> +GEN5) | Failure: Comms lost or unit failure
  Effect: Forced into Power limit. No more equipment can start. If demand is above 90%, then Power limit goes active, ramping MP, then TD and then DW back. If below 90%, then no impact
  Operational action: Normally use 2 to 3 generators. Drilling Power limit may become active and driller will have to respond
  OCC 5, SEV 5, DET 6, RANK 150, Acceptable N | Detection: Will receive ''CONFIDENTIAL'' Drilling Power limit alarm. May have ''CONFIDENTIAL'' comms alarm to Driller
  Mitigation: Test by ''CONFIDENTIAL'': test break in Modbus communication line. Suggest implementing an alarm to ET of Modbus status and generator failure
  Responsible: ''CONFIDENTIAL'' | Complete: Before final test
  New OCC 5, SEV 5, DET 4, RANK 100, Acceptable Y | RPN reduction 33.3%

Item 8 | Parent: VFD House | Part: Generator Panel (two or more, +GEN1 -> +GEN5) | Failure: Comms lost or unit failure
  Effect: Two generators trip. Higher chance of blackout
  Operational action: Potential blackout - plan for 10 minute recovery. DW hard stop
  OCC 3, SEV 9, DET 6, RANK 162, Acceptable N | Detection: Will receive ''CONFIDENTIAL'' Drilling Power limit alarm. May have ''CONFIDENTIAL'' comms alarm to Driller
  Mitigation: Test by ''CONFIDENTIAL'': test break in Modbus communication line. Suggest implementing an alarm to ET of Modbus status and generator failure
  Responsible: ''CONFIDENTIAL'' | Complete: Before final test
  New OCC 3, SEV 8, DET 4, RANK 96, Acceptable Y | RPN reduction 40.7%

Item 9 | Parent: VFD House | Part: Single Equipment Controller (VFD) - FPBA-01 - applicable for all VFDs | Failure: Comms lost or cable break between units
  Effect: Lost comms. Could fault all 6 pieces of equipment. Do not lose TD or RN
  Operational action: DW hard stop. Lose all equipment, lose MPs & Rotary; TD and RN are not lost. Consider well control options - WAIT, repair Profibus
  OCC 4, SEV 8, DET 4, RANK 128, Acceptable N | Detection: Immediate impact. Loss of comms alarms
  Mitigation: Spares, training. Consider moving VFD priority by moving DWA VFD to the front. Consider training for repairs of this situation. <Moving termination of Profibus>. Consider redundant designs (2 adaptors) - set up a Modbus ring from Generators to VFD drives
  Responsible: ''CONFIDENTIAL'', ''Client'' | Complete: Before final test
  New OCC 3, SEV 7, DET 4, RANK 84, Acceptable Y | RPN reduction 34.4%

Item 10 | Parent: VFD House | Part: Single Equipment Controller (VFD) - FPBA-01 | Failure: Profibus connector fault
  Effect: Lose one unit
  Operational action: Might get hard stop or pump stop but can switch
  OCC 6, SEV 6, DET 3, RANK 108, Acceptable N | Detection: Immediate impact. Loss of comms alarms
  Mitigation: Training, spares
  Responsible: ''Client'' | Complete: Operation
  New OCC 5, SEV 6, DET 3, RANK 90, Acceptable Y | RPN reduction 16.7%

Item 11 | Parent: VFD House | Part: Single Equipment Controller (VFD) - FPBA-01 | Failure: VFD trip
  Effect: Lose one unit
  Operational action: Might get hard stop or pump stop but can switch
  OCC 6, SEV 6, DET 3, RANK 108, Acceptable N | Detection: Immediate impact. Loss of comms alarms
  Mitigation: Training, spares
  Responsible: ''Client'' | Complete: Operation
  New OCC 5, SEV 6, DET 3, RANK 90, Acceptable Y | RPN reduction 16.7%

Item 12 | Parent: VFD House | Part: Single Equipment Controller (VFD) - FPBA-01 | Failure: VFD fault
  Effect: Lose one unit
  Operational action: Might get hard stop or pump stop but can switch
  OCC 6, SEV 6, DET 3, RANK 108, Acceptable N | Detection: Immediate impact. Loss of comms alarms
  Mitigation: Training, spares
  Responsible: ''Client'' | Complete: Operation
  New OCC 5, SEV 6, DET 3, RANK 90, Acceptable Y | RPN reduction 16.7%

Item 13 | Parent: VFD House | Part: Single Profibus cable break | Failure: Break
  Effect: See above
  Operational action: Duplicate
  OCC 5, SEV 8, DET 4, RANK 160, Acceptable N | Detection: Duplicate
  Mitigation: Duplicate
  Responsible: - | Complete: -
  New OCC 5, SEV 8, DET 4, RANK 160, Acceptable N | RPN reduction 0.0%

Item 14 | Parent: VFD House | Part: Profibus DP, ''Confidential'' TDS PLC to +TD VFD | Failure: X3008 loss of connection
  Effect: Lose TD, no ZMS impact
  Operational action: Lose TD, move to safety and repair
  OCC 5, SEV 8, DET 3, RANK 120, Acceptable N | Detection: Alarm
  Mitigation: ''Confidential'' and ''CONFIDENTIAL'' training, spares
  Responsible: ''Client'' | Complete: -
  New OCC 5, SEV 8, DET 3, RANK 120, Acceptable N | RPN reduction 0.0%

Item 15 | Parent: VFD House | Part: Ethernet connection between -HUB1 and -HUB3 | Failure: X3001 loss of connection
  Effect: No impact - acts as a ring
  Operational action: None
  OCC 5, SEV 2, DET 3, RANK 30, Acceptable Y | Detection: Comms loss alarms
  Mitigation: Tests for communication loss. See test 16.1
  Responsible: ''CONFIDENTIAL'' | Complete: -
  New OCC 5, SEV 2, DET 3, RANK 30, Acceptable Y | RPN reduction 0.0%

Item 16 | Parent: VFD House | Part: Ethernet connection between -HUB2 and -HUB4 | Failure: X3002 loss of connection
  Effect: No impact - acts as a ring
  Operational action: None
  OCC 5, SEV 2, DET 3, RANK 30, Acceptable Y | Detection: Comms loss alarms
  Mitigation: Tests for communication loss. See test 16.1
  Responsible: ''CONFIDENTIAL'' | Complete: -
  New OCC 5, SEV 2, DET 3, RANK 30, Acceptable Y | RPN reduction 0.0%

Item 17 | Parent: Modbus to PLC Profibus Adaptor | Part: - | Failure: Unit fault / power supply failure
  Effect: Complete Modbus failure. Don't have communication with Generator. Drilling power still available
  Operational action: No impact to drilling, unless additional power needed. ET to investigate and repair
  OCC 5, SEV 4, DET 4, RANK 80, Acceptable Y | Detection: Indication of generator status. Loss of comms alarm
  Mitigation: Spares, training
  Responsible: ''Client'' | Complete: Operations
  New OCC 5, SEV 4, DET 4, RANK 80, Acceptable Y | RPN reduction 0.0%

Item 18 | Parent: Modbus to PLC Profibus Adaptor | Part: - | Failure: Voltage drop
  Effect: Comms alarms
  Operational action: No impact to drilling, unless additional power needed. ET to investigate and repair
  OCC 6, SEV 4, DET 4, RANK 96, Acceptable Y | Detection: Comms alarms
  Mitigation: Maintenance
  Responsible: ''Client'' | Complete: Operations
  New OCC 6, SEV 4, DET 4, RANK 96, Acceptable Y | RPN reduction 0.0%

Item 19 | Parent: Modbus to PLC Profibus Adaptor | Part: - | Failure: Power fault
  Effect: Complete Modbus failure. Don't have communication with Generator. Drilling power still available
  Operational action: No impact to drilling, unless additional power needed. ET to investigate and repair
  OCC 5, SEV 4, DET 4, RANK 80, Acceptable Y | Detection: Indication of generator status. Loss of comms alarm
  Mitigation: Spares, training
  Responsible: ''Client'' | Complete: Operations
  New OCC 5, SEV 4, DET 4, RANK 80, Acceptable Y | RPN reduction 0.0%

Item 20 | Parent: Electrical drive & PLC control system, PLC (-CPU1) | Part: - | Failure: Profibus connector fault
  Effect: Lose comms with generators and VFDs
  Operational action: VFD failure, operation not possible. Make well safe, investigate and repair
  OCC 4, SEV 8, DET 4, RANK 128, Acceptable N | Detection: Loss of comms alarms
  Mitigation: Spares, training
  Responsible: ''Client'' | Complete: Operations
  New OCC 4, SEV 7, DET 4, RANK 112, Acceptable Y | RPN reduction 12.5%

Item 21 | Parent: Electrical drive & PLC control system, PLC (-CPU1) | Part: - | Failure: CPU fault
  Effect: Lose control of everything except TD and RN. DW hard stop. MP idle stop
  Operational action: Only have TD and RN; no DW or MPs, etc. Switch to CPU 2 and restart
  OCC 3, SEV 6, DET 3, RANK 54, Acceptable Y | Detection: Loss of comms, loss of control
  Mitigation: Drill SOP, spares, training
  Responsible: ''Client'' | Complete: Operations
  New OCC 3, SEV 6, DET 3, RANK 54, Acceptable Y | RPN reduction 0.0%

Item 22 | Parent: Electrical drive & PLC control system, PLC (-CPU1) | Part: - | Failure: SF - Systems Fault
  Effect: Lose control of everything except TD and RN. DW hard stop. MP idle stop
  Operational action: Only have TD and RN; no DW or MPs, etc. Switch to CPU 2 and restart
  OCC 3, SEV 6, DET 3, RANK 54, Acceptable Y | Detection: Loss of comms, loss of control
  Mitigation: Drill SOP, spares, training
  Responsible: ''Client'' | Complete: Operations
  New OCC 3, SEV 6, DET 3, RANK 54, Acceptable Y | RPN reduction 0.0%

Item 23 | Parent: Electrical drive & PLC control system, PLC (-CPU1) | Part: - | Failure: BF - Bus Fault
  Effect: Intermittent. Worst case = loss of all controls except TD, RN
  Operational action: Only have TD and RN; no DW or MPs, etc. Switch to CPU 2 and restart
  OCC 4, SEV 6, DET 3, RANK 72, Acceptable Y | Detection: Loss of comms, loss of control
  Mitigation: Drill SOP, spares, training
  Responsible: ''Client'' | Complete: Operations
  New OCC 3, SEV 6, DET 3, RANK 54, Acceptable Y | RPN reduction 25.0%

Item 24 | Parent: Electrical drive & PLC control system, PLC (-CPU1) | Part: - | Failure: Power failure
  Effect: Lose control of everything except TD and RN. DW hard stop. MP idle stop
  Operational action: Only have TD and RN; no DW or MPs, etc. Switch to CPU 2 and restart
  OCC 3, SEV 6, DET 3, RANK 54, Acceptable Y | Detection: Loss of comms, loss of control
  Mitigation: Drill SOP, spares, training
  Responsible: ''Client'' | Complete: Operations
  New OCC 3, SEV 6, DET 3, RANK 54, Acceptable Y | RPN reduction 0.0%

Item 25 | Parent: Electrical drive & PLC control system, PLC (-CPU1) | Part: SW version backup on rig | Failure: Regression errors
  Effect: Potential to lose functionality
  Operational action: -
  OCC 5, SEV 7, DET 7, RANK 245, Acceptable N | Detection: Difficult. Potential regression error
  Mitigation: ''Client'' needs Software MOC procedure coordinated with Vendor
  Responsible: ''Client'' | Complete: Operations
  New OCC 4, SEV 5, DET 3, RANK 60, Acceptable Y | RPN reduction 75.5%

Item 26 | Parent: Electrical drive & PLC control system, PLC (-CPU1) | Part: CPU 1 PLC Flash Card | Failure: -
  Effect: Lose control of everything except TD and RN. DW hard stop. MP idle stop
  Operational action: Only have TD and RN; no DW or MPs, etc. Switch to CPU 2 and restart
  OCC 3, SEV 6, DET 3, RANK 54, Acceptable Y | Detection: Loss of comms, loss of control
  Mitigation: Drill SOP, spares, training
  Responsible: ''Client'' | Complete: Operations
  New OCC 3, SEV 6, DET 3, RANK 54, Acceptable Y | RPN reduction 0.0%

Item 27 | Parent: PLC Profibus to CPU1 | Part: - | Failure: Cable break
  Effect: Lose comms with generators and VFDs
  Operational action: VFD failure, operation not possible. Make well safe, investigate and repair
  OCC 4, SEV 8, DET 4, RANK 128, Acceptable N | Detection: Loss of comms alarms
  Mitigation: Spares, training
  Responsible: ''Client'' | Complete: Operations
  New OCC 4, SEV 7, DET 4, RANK 112, Acceptable Y | RPN reduction 12.5%

Item 28 | Parent: PLC Profibus to CPU1 | Part: - | Failure: Profibus connector fault
  Effect: Lose comms with generators and VFDs
  Operational action: VFD failure, operation not possible. Make well safe, investigate and repair
  OCC 4, SEV 8, DET 4, RANK 128, Acceptable N | Detection: Loss of comms alarms
  Mitigation: Spares, training
  Responsible: ''Client'' | Complete: Operations
  New OCC 4, SEV 7, DET 4, RANK 112, Acceptable Y | RPN reduction 12.5%

Item 29 | Parent: Ethernet to PLC -CPU1 | Part: - | Failure: Cable break to HUB1
  Effect: Lose control of everything except TD and RN. DW hard stop. MP idle stop
  Operational action: Only have TD and RN; no DW or MPs, etc. Switch to CPU 2 and restart
  OCC 3, SEV 6, DET 3, RANK 54, Acceptable Y | Detection: Loss of comms, loss of control
  Mitigation: Drill SOP, spares, training
  Responsible: ''Client'' | Complete: Operations
  New OCC 3, SEV 6, DET 3, RANK 54, Acceptable Y | RPN reduction 0.0%

Item 30 | Parent: PLC, Electrical drive & control system, PLC (-CPU2), as secondary failure | Part: - | Failure: CPU fault
  Effect: Lose control of everything except TD and RN. DW hard stop. MP idle stop
  Operational action: Only have TD and RN; no DW or MPs, etc. Rig down. Manage well
  OCC 2, SEV 9, DET 3, RANK 54, Acceptable N | Detection: Loss of comms, loss of control
  Mitigation: Drill SOP, spares, training. Min 2 spare PLCs
  Responsible: ''Client'' | Complete: Operations
  New OCC 2, SEV 6, DET 3, RANK 36, Acceptable Y | RPN reduction 33.3%

Item 31 | Parent: PLC (-CPU2), as secondary failure | Part: - | Failure: SF
  Effect: Lose control of everything except TD and RN. DW hard stop. MP idle stop
  Operational action: Only have TD and RN; no DW or MPs, etc. Rig down. Manage well
  OCC 2, SEV 9, DET 3, RANK 54, Acceptable N | Detection: Loss of comms, loss of control
  Mitigation: Drill SOP, spares, training. Min 2 spare PLCs
  Responsible: ''Client'' | Complete: Operations
  New OCC 2, SEV 6, DET 3, RANK 36, Acceptable Y | RPN reduction 33.3%

Item 32 | Parent: PLC (-CPU2), as secondary failure | Part: - | Failure: BF
  Effect: Intermittent. Worst case = loss of all controls except TD, RN
  Operational action: Only have TD and RN; no DW or MPs, etc. Rig down. Manage well
  OCC 3, SEV 9, DET 3, RANK 81, Acceptable N | Detection: Loss of comms, loss of control
  Mitigation: Drill SOP, spares, training. Min 2 spare PLCs
  Responsible: ''Client'' | Complete: Operations
  New OCC 2, SEV 6, DET 3, RANK 36, Acceptable Y | RPN reduction 55.6%

Item 33 | Parent: PLC (-CPU2), as secondary failure | Part: - | Failure: Power failure
  Effect: Lose control of everything except TD and RN. DW hard stop. MP idle stop
  Operational action: Only have TD and RN; no DW or MPs, etc. Rig down. Manage well
  OCC 3, SEV 9, DET 3, RANK 81, Acceptable N | Detection: Loss of comms, loss of control
  Mitigation: Drill SOP, spares, training. Min 2 spare PLCs
  Responsible: ''Client'' | Complete: Operations
  New OCC 2, SEV 6, DET 3, RANK 36, Acceptable Y | RPN reduction 55.6%

Item 34 | Parent: PLC (-CPU2), as secondary failure | Part: SW version backup on rig | Failure: Regression errors
  Effect: Potential to lose functionality
  Operational action: -
  OCC 5, SEV 7, DET 7, RANK 245, Acceptable N | Detection: Difficult. Potential regression error
  Mitigation: ''Client'' needs Software MOC procedure coordinated with Vendor
  Responsible: ''Client'' | Complete: Operations
  New OCC 4, SEV 5, DET 3, RANK 60, Acceptable Y | RPN reduction 75.5%

Item 35 | Parent: PLC (-CPU2), as secondary failure | Part: - | Failure: Battery low
  Effect: NA
  Operational action: -
  OCC 1, SEV 1, DET 1, RANK 1, Acceptable Y | Detection: -
  Mitigation: -
  Responsible: - | Complete: -
  New OCC 1, SEV 1, DET 1, RANK 1, Acceptable Y | RPN reduction 0.0%

Item 36 | Parent: PLC (-CPU2), as secondary failure | Part: CPU 2 PLC Flash Card | Failure: -
  Effect: Lose control of everything except TD and RN. DW hard stop. MP idle stop
  Operational action: Only have TD and RN; no DW or MPs, etc. Rig down. Manage well
  OCC 2, SEV 9, DET 3, RANK 54, Acceptable N | Detection: Loss of comms, loss of control
  Mitigation: Drill SOP, spares, training
  Responsible: ''Client'' | Complete: Operations
  New OCC 2, SEV 6, DET 3, RANK 36, Acceptable Y | RPN reduction 33.3%

Item 37 | Parent: Profibus to CPU2, as secondary PLC failure | Part: - | Failure: Cable break
  Effect: Lose comms with generators and VFDs
  Operational action: VFD failure, operation not possible. Make well safe, investigate and repair
  OCC 2, SEV 8, DET 4, RANK 64, Acceptable N | Detection: Loss of comms alarms
  Mitigation: Spares, training
  Responsible: ''Client'' | Complete: Operations
  New OCC 2, SEV 7, DET 3, RANK 42, Acceptable Y | RPN reduction 34.4%

Item 38 | Parent: Profibus to CPU2, as secondary PLC failure | Part: - | Failure: Profibus connector fault
  Effect: Lose comms with generators and VFDs
  Operational action: VFD failure, operation not possible. Make well safe, investigate and repair
  OCC 2, SEV 8, DET 4, RANK 64, Acceptable N | Detection: Loss of comms alarms
  Mitigation: Spares, training
  Responsible: ''Client'' | Complete: Operations
  New OCC 2, SEV 7, DET 3, RANK 42, Acceptable Y | RPN reduction 34.4%

Item 39 | Parent: Ethernet to CPU2 PLC, as secondary failure | Part: - | Failure: Cable break to HUB1
  Effect: Lose control of everything except TD and RN. DW hard stop. MP idle stop
  Operational action: Only have TD and RN; no DW or MPs, etc. Rig down. Manage well
  OCC 2, SEV 9, DET 3, RANK 54, Acceptable N | Detection: Loss of comms, loss of control
  Mitigation: Drill SOP, spares, training
  Responsible: ''Client'' | Complete: Operations
  New OCC 3, SEV 6, DET 3, RANK 54, Acceptable Y | RPN reduction 0.0%

Item 40 | Parent: PLC | Part: Relay -K1 | Failure: Relay fault
  Effect: Lose capability to switch to CPU2
  Operational action: No impact unless CPU 1 fails
  OCC 2, SEV 4, DET 3, RANK 24, Acceptable Y | Detection: Loss of comms alarms
  Mitigation: Spares, training
  Responsible: ''Client'' | Complete: Operations
  New OCC 2, SEV 4, DET 3, RANK 24, Acceptable Y | RPN reduction 0.0%

Item 41 | Parent: PLC | Part: Relay -K2 (see note Pg. 5) | Failure: Relay fault
  Effect: Lose capability to switch to CPU 2
  Operational action: No impact unless CPU 1 fails
  OCC 2, SEV 4, DET 3, RANK 24, Acceptable Y | Detection: Loss of comms alarms
  Mitigation: Spares, training
  Responsible: ''Client'' | Complete: Operations
  New OCC 2, SEV 4, DET 3, RANK 24, Acceptable Y | RPN reduction 0.0%

Item 42 | Parent: ZMS PLC, PLC (CPU4) | Part: - | Failure: CPU fault
  Effect: Lose ZMS
  Operational action: Temporary lock down. Can override / bypass ZMS altogether on each piece of equipment
  OCC 3, SEV 7, DET 3, RANK 63, Acceptable Y | Detection: Alarms
  Mitigation: PTW
  Responsible: ''Client'' | Complete: Operations
  New OCC 3, SEV 7, DET 3, RANK 63, Acceptable Y | RPN reduction 0.0%

Item 43 | Parent: ZMS PLC, PLC (CPU4) | Part: - | Failure: SF
  Effect: Lose ZMS
  Operational action: Temporary lock down. Can override / bypass ZMS altogether on each piece of equipment
  OCC 3, SEV 7, DET 3, RANK 63, Acceptable Y | Detection: Alarms
  Mitigation: PTW
  Responsible: ''Client'' | Complete: Operations
  New OCC 3, SEV 7, DET 3, RANK 63, Acceptable Y | RPN reduction 0.0%

Item 44 | Parent: ZMS PLC, PLC (CPU4) | Part: - | Failure: BF
  Effect: Lose ZMS
  Operational action: Temporary lock down. Can override / bypass ZMS altogether on each piece of equipment
  OCC 2, SEV 7, DET 3, RANK 42, Acceptable Y | Detection: Alarms
  Mitigation: PTW
  Responsible: ''Client'' | Complete: Operations
  New OCC 2, SEV 7, DET 3, RANK 42, Acceptable Y | RPN reduction 0.0%

Item 45 | Parent: ZMS PLC, PLC (CPU4) | Part: - | Failure: Power failure
  Effect: Lose ZMS
  Operational action: Temporary lock down. Can override / bypass ZMS altogether on each piece of equipment
  OCC 3, SEV 7, DET 3, RANK 63, Acceptable Y | Detection: Alarms
  Mitigation: PTW
  Responsible: ''Client'' | Complete: Operations
  New OCC 3, SEV 7, DET 3, RANK 63, Acceptable Y | RPN reduction 0.0%

Item 46 | Parent: ZMS PLC, PLC (CPU4) | Part: ZMS version backup on rig | Failure: Regression errors
  Effect: Potential to lose functionality
  Operational action: -
  OCC 5, SEV 7, DET 7, RANK 245, Acceptable N | Detection: Difficult. Potential regression error
  Mitigation: ''Client'' needs Software MOC procedure coordinated with Vendor
  Responsible: ''Client'' | Complete: Operations
  New OCC 4, SEV 5, DET 3, RANK 60, Acceptable Y | RPN reduction 75.5%

Item 47 | Parent: ZMS PLC, PLC (CPU4) | Part: - | Failure: Battery low
  Effect: NA (no scores recorded)

Item 48 | Parent: ZMS PLC, PLC (CPU4) | Part: ZMS PLC Flash Card | Failure: -
  Effect: Lose ZMS
  Operational action: Temporary lock down. Can override / bypass ZMS altogether on each piece of equipment
  OCC 3, SEV 7, DET 3, RANK 63, Acceptable Y | Detection: Alarms
  Mitigation: PTW, training
  Responsible: ''Client'' | Complete: Operations
  New OCC 3, SEV 7, DET 3, RANK 63, Acceptable Y | RPN reduction 0.0%

Item 49 | Parent: ZMS PLC (CPU4), PLC communication fault | Part: - | Failure: Lost comm. with CPU1/2
  Effect: Temporary lock on all ZMS equipment
  Operational action: DW hard stop. Correct or disable ZMS
  OCC 5, SEV 6, DET 3, RANK 90, Acceptable Y | Detection: Alarms
  Mitigation: PTW, training
  Responsible: ''Client'' | Complete: Operations
  New OCC 5, SEV 6, DET 3, RANK 90, Acceptable Y | RPN reduction 0.0%

Item 50 | Parent: ZMS PLC (CPU4), PLC communication fault | Part: - | Failure: Lost comm. with CPU3 HMI
  Effect: No impact, lose screen indication of
  Operational action: No impact
  OCC 5, SEV 4, DET 3, RANK 60, Acceptable Y | Detection: Alarms
  Mitigation: Spares, training
  Responsible: ''Client'' | Complete: Operations
  New OCC 5, SEV 4, DET 3, RANK 60, Acceptable Y | RPN reduction 0.0%

Item 51 | Parent: ZMS PLC (CPU4), PLC communication fault | Part: - | Failure: Lost comm. with ++CW CPU
  Effect: Temporary lock on CW. Collision potential
  Operational action: Minimal impact, can override equipment
  OCC 5, SEV 4, DET 3, RANK 60, Acceptable Y | Detection: Alarms
  Mitigation: Spares, training
  Responsible: ''Client'' | Complete: Operations
  New OCC 5, SEV 4, DET 3, RANK 60, Acceptable Y | RPN reduction 0.0%

Item 52 | Parent: ZMS PLC (CPU4), PLC communication fault | Part: - | Failure: Lost comm. with ++RN/TD CPU (''Confidential'')
  Effect: Temp lock on RN/TD. Collision potential
  Operational action: Minimal impact, can override equipment
  OCC 5, SEV 4, DET 3, RANK 60, Acceptable Y | Detection: Alarms
  Mitigation: Spares, training
  Responsible: ''Client'' | Complete: Operations
  New OCC 5, SEV 4, DET 3, RANK 60, Acceptable Y | RPN reduction 0.0%

Item 53 | Parent: ZMS PLC (CPU4) | Part: Ethernet to ZMS PLC | Failure: Cable break to PLC HUB2
  Effect: Lose ZMS
  Operational action: Temporary lock down. Can override / bypass ZMS altogether on each piece of equipment
  OCC 2, SEV 7, DET 3, RANK 42, Acceptable Y | Detection: Alarms
  Mitigation: PTW
  Responsible: ''Client'' | Complete: Operations
  New OCC 2, SEV 7, DET 3, RANK 42, Acceptable Y | RPN reduction 0.0%

Confidential to ACES GQS - Evaluation Only 54

www.kingston-systems.com

Item # | Parent Part | Part Failing | Failure Type | Effect of Failure | OCC | SEV | Operational Mode | Detection | DET | Rank | Acceptable | Mitigating Action | Responsible | Completion Date | New Occ | New Sev | New DET | New Rank | New Acceptable | % Reduction in RPN
54 | PLC | PC - Electrical Drive & Control System | Base Component Fails | Lose unit function. No impact to Operation | 4 | 4 | No Impact. Alarm Historian not recording. Some Maintenance Features reduced | No Alarm | 7 | 112 | Y | Operations Spares, Training. Recommend Update PMs or Alarms | ''Client'' | | 4 | 4 | 7 | 112 | Y | 0.0
55 | PLC | PC - Electrical Drive & Control System | Hard Drive Fails | Lose unit function. No impact to Operation | 4 | 4 | No Impact. Alarm Historian not recording. Some Maintenance Features reduced | No Alarm | 7 | 112 | Y | Operations Spares, Training. Consider: RAID, and Update PMs | ''Client'' | | 4 | 4 | 7 | 112 | Y | 0.0
56 | PLC | PC - Electrical Drive & Control System | Fans Fails | Minimal impact until overheat | 5 | 3 | No Impact | No Alarm | 7 | 105 | Y | Operations Spares, Training, PMs | ''Client'' | | 5 | 3 | 7 | 105 | Y | 0.0
57 | PLC | PC - Electrical Drive & Control System | USB Connection fails | No Keyboard Mouse. Still functioning | 5 | 2 | No Impact | No Alarm | 7 | 70 | Y | Operations Spares, Training, PMs | ''Client'' | | 5 | 2 | 7 | 70 | Y | 0.0
58 | PLC | PC - Electrical Drive & Control System | Power breaker trip/fail | Lose unit function. No impact to Operation | 4 | 4 | No Impact. Alarm Historian not recording. Some Maintenance Features reduced | No Alarm | 7 | 112 | Y | Operations Spares, Training. Recommend Update PMs or Alarms | ''Client'' | | 4 | 4 | 7 | 112 | Y | 0.0
59 | PLC | PC - Electrical Drive & Control System | Ethernet port or network adapter failure | Lose unit function. No impact to Operation | 4 | 4 | No Impact. Alarm Historian not recording. Some Maintenance Features reduced | No Alarm | 7 | 112 | Y | Operations Spares, Training. Recommend Update PMs or Alarms | ''Client'' | | 4 | 4 | 7 | 112 | Y | 0.0
60 | PLC | PC - Electrical Drive & Control System | Ethernet cable break to HUB1 | Lose unit function. No impact to Operation | 4 | 4 | No Impact. Alarm Historian not recording. Some Maintenance Features reduced | No Alarm | 7 | 112 | Y | Operations Spares, Training. Consider: RAID, and Update PMs | ''Client'' | | 4 | 4 | 7 | 112 | Y | 0.0
61 | PLC | HMI5 - Monitor | Connection to VGA Monitor - VGA card fails | No Monitor, No Impact | 5 | 2 | No Impact | No Alarm | 7 | 70 | Y | Operations Spares, Training, PMs | ''Client'' | | 5 | 2 | 7 | 70 | Y | 0.0
62 | PLC | HMI5 - Monitor | Monitor failure | Lose Monitor not Historian | 5 | 2 | No Impact | No Alarm | 7 | 70 | Y | Operations Spares, Training, PMs | ''Client'' | | 5 | 2 | 7 | 70 | Y | 0.0
63 | PLC | HMI5 - Monitor | Monitor - Power Supply failure | Lose Monitor not Historian | 5 | 2 | No Impact | No Alarm | 7 | 70 | Y | Operations Spares, Training, PMs | ''Client'' | | 5 | 2 | 7 | 70 | Y | 0.0
64 | PLC | HMI5 - Monitor | Power breaker trip | Lose Monitor not Historian | 5 | 1 | Trips reset and OK | No Alarm | 7 | 35 | Y | Operations Spares, Training, PMs | ''Client'' | | 5 | 1 | 7 | 35 | Y | 0.0
65 | PLC | PC - Keyboard | Keyboard fails | Lose function | 5 | 2 | No Impact | No Alarm | 7 | 70 | Y | Operations Spares, Training, PMs | ''Client'' | | 5 | 2 | 7 | 70 | Y | 0.0
66 | PLC | HUB1 | HUB failure | Lose control of everything except TD and RN. DW Hard Stop. MP Idle stop | 4 | 8 | Only have TD and RN, No DW or MPs, etc. Have no Backup. Make well safe, Replace HUB or Connect ETH2 & ETH5 to HUB2. | Loss of comms, Loss of control | 3 | 96 | Y | Operations Drill SOP, spares, training. Suggestion: SOP instruction to connect Eth 2 & Eth5 to HUB2 or 2 relays in parallel, or different relay with normally open contact. Connect CPU2 to HUB2 | ''Client'' | | 3 | 6 | 3 | 54 | Y | 43.8

67 | PLC | HUB1 | Power failure | Lose control of everything except TD and RN. DW Hard Stop. MP Idle stop | 4 | 8 | Only have TD and RN, No DW or MPs, etc. Have no Backup. Make well safe, Replace HUB or Connect ETH2 & ETH5 to HUB2. | Loss of comms, Loss of control | 3 | 96 | Y | Operations Drill SOP, spares, training. Suggestion: SOP instruction to connect Eth 2 & Eth5 to HUB2 or 2 relays in parallel, or different relay with normally open contact. Connect CPU2 to HUB2 | ''Client'' | | 3 | 6 | 3 | 54 | Y | 43.8
68 | PLC | HUB1 & HUB2 | Ethernet cable break from HUB1 to HUB2 | No ZMS Impact. Potential Operational Failure Alarm? Might have bus fault… Potential DW hard stop | 4 | 5 | Potential short term loss, Potential Stop and Restart equipment. | No Alarm | 7 | 140 | N | Test by ''CONFIDENTIAL''. Suggestion: Verify tolerance of watchdog timers, will give alarm, but not stop equipment. Add alarm of failure to expedite action. SOP instructions to reconnect ETH1 to SW1. | ''CONFIDENTIAL'' | Before final test | 4 | 5 | 4 | 80 | Y | 42.9
69 | PLC | HUB2 | HUB failure | Lose ZMS altogether | 4 | 7 | Temporary lock down. Can override bypass ZMS on each piece of equipment | Alarms | 3 | 84 | Y | Operations PTW. Suggest: SOP instructions to reconnect ETH1 to SW1. | ''Client'' | | 4 | 7 | 3 | 84 | Y | 0.0
70 | PLC | HUB2 | Power failure | Lose ZMS altogether | 4 | 7 | Temporary lock down. Can override bypass ZMS on each piece of equipment | Alarms | 3 | 84 | Y | Operations PTW, Troubleshooting | ''Client'' | | 4 | 7 | 3 | 84 | Y | 0.0
71 | HDCR | HUB3 | HUB failure | Lose ''Confidential''. Lose ET1 and ET2. Lose both HMIs. ZMS lock down all | 4 | 9 | Without HMIs cannot override ZMS, Well Management Situation. Move/Reroute 3 connections on SW3 to Sw4, override ZMS, Move DW and Manage well | HMIs lose information, Lose control access | 4 | 144 | N | Suggestion: Move Port5 to Sw4 Permanently. SOP for this failure… Test by ''CONFIDENTIAL'' options extensively | ''CONFIDENTIAL'', ''Client'' | Before final test | 4 | 8 | 3 | 96 | Y | 33.3
72 | HDCR | HUB3 | Power failure | Lose ''Confidential''. Lose ET1 and ET2. Lose both HMIs. ZMS lock down all | 4 | 9 | Without HMIs cannot override ZMS, Well Management Situation. Move/Reroute 3 connections on SW3 to Sw4, override ZMS, Move DW and Manage well | HMIs lose information, Lose control access | 4 | 144 | N | Suggestion: Move Port5 to Sw4 Permanently. SOP for this failure… Test by ''CONFIDENTIAL'' options extensively | ''CONFIDENTIAL'', ''Client'' | Before final test | 4 | 8 | 3 | 96 | Y | 33.3

73 | HDCR | HUB4 | HUB failure | Lose Joysticks, Tool Push Client, Power CW. And AD data screen. | 4 | 9 | Lose Control. Can control RN via ''Confidential'' monitor. Maintain well. Move Port1 Sw4 to Port2 SW3, Move Port4 Sw4 to Port 8 Sw3, and Move Port8 Sw4 to now open Port 5 SW3 | Alarms and HMIs | 4 | 144 | N | Suggest: Permanently move Port5 Sw3 to Port 2 Sw4, SOP for this failure, Training. Test by ''CONFIDENTIAL'' | ''CONFIDENTIAL'', ''Client'' | Before final test | 4 | 8 | 3 | 96 | Y | 33.3
74 | HDCR | HUB4 | Power failure | Lose Joysticks, Tool Push Client, Power CW. And AD data screen. | 4 | 9 | Lose Control. Can control RN via ''Confidential'' monitor. Maintain well. Move Port1 Sw4 to Port2 SW3, Move Port4 Sw4 to Port 8 Sw3, and Move Port8 Sw4 to now open Port 5 SW3 | Alarms and HMIs | 4 | 144 | N | Suggest: Permanently move Port5 Sw3 to Port 2 Sw4, SOP for this failure, Training. Test by ''CONFIDENTIAL'' | ''CONFIDENTIAL'', ''Client'' | Before final test | 4 | 8 | 3 | 96 | Y | 33.3
75 | HDCR | HUB3 & HUB4 | Ethernet cable break from HUB3 to HUB4 (ETH7 to ETH5) | No ZMS Impact. Potential Operational Failure Alarm? Might have bus fault… Potential DW hard stop | 4 | 5 | Potential short term loss, Potential Stop and Restart equipment. | No Alarm | 7 | 140 | N | Test by ''CONFIDENTIAL''. Suggestion: Verify tolerance of watchdog timers, will give alarm, but not stop equipment. Add alarm of failure to expedite action. SOP instructions to reconnect. | ''CONFIDENTIAL'' | Before final test | 4 | 5 | 4 | 80 | Y | 42.9
76 | HDCR | Ethernet connection between -HUB 1 and -HUB3 | X3001 loss of connection or Ethernet cable break (ETH6) | No ZMS Impact. Potential Operational Failure. Might have bus fault… Potential DW hard stop | 5 | 5 | Potential short term loss, Potential Stop and Restart equipment. | Comms Loss alarms for communication loss | 3 | 75 | Y | Test by ''CONFIDENTIAL''. See test 16.1 | ''CONFIDENTIAL'' | | 5 | 5 | 3 | 75 | Y | 0.0
77 | HDCR | Ethernet connection between -HUB 2 and -HUB4 | X3002 loss of connection or Ethernet cable break (ETH6) | No ZMS Impact. Potential Operational Failure. Might have bus fault… Potential DW hard stop | 5 | 5 | Potential short term loss, Potential Stop and Restart equipment. | Comms Loss alarms for communication loss | 3 | 75 | Y | Test by ''CONFIDENTIAL''. See test 16.1 | ''CONFIDENTIAL'' | | 5 | 5 | 3 | 75 | Y | 0.0
78 | HDCR | Ethernet connection between -HUB4 and PC1 Client (Drilling Instrumentation System) | X3004 loss of connection or Ethernet cable break (ETH7) | No impact to Operations. Tool Push lose data | 5 | 2 | none | Alarm | 3 | 30 | Y | | ''Client'' | | 5 | 2 | 3 | 30 | Y | 0.0
79 | HDCR | Ethernet connection between -HUB4 and Power Catwalk PLC | X3003 loss of connection or Ethernet cable break (ETH8) | Lose CW remote control, Have CW local control, Temp lock on all CW ZMS Matrix interlocks | 5 | 3 | Invisible CW and continue ops. Operate CW manual or with remote | Alarms | 3 | 45 | Y | training | ''Client'' | | 5 | 3 | 3 | 45 | Y | 0.0

80 | HDCR | Ethernet connection between -HUB3 and ''Confidential'' Switch | Ethernet cable break (ETH1) | Lose TD and RN. And ZMS locks matrix interlocks | 5 | 8 | Manage and Repair | Alarms | 3 | 120 | N | SOP Training | ''Client'' | | 5 | 8 | 3 | 120 | N | 0.0
81 | HDCR | Ethernet connection between -HUB3 and RIO -ET1 or ET2 | Ethernet cable break (ETH2) | Lose MCC, Lose HPU, Pumps, DFMA, Slips, RT, Instrumentation. Hard Stop DW | 5 | 8 | Hard Stop DW. Manage and Repair | Alarms | 3 | 120 | N | SOP Training. Suggestion: spare cable | ''Client'' | | 5 | 7 | 3 | 105 | N | 12.5
82 | HDCR | Ethernet connection between -HUB3 and Main Driller HMI1 | Ethernet cable break (ETH4) | Lose HMI, have backup | 5 | 4 | Minor Impact | Alarms, visual | 3 | 60 | Y | SOP Training, Change Cable | ''Client'' | | 5 | 4 | 3 | 60 | Y | 0.0
83 | HDCR | Ethernet connection between -HUB3 and Main Driller HMI2 | Ethernet cable break (ETH5) | Lose HMI, have backup | 5 | 4 | Minor Impact | Alarms, visual | 3 | 60 | Y | SOP Training, Change Cable | ''Client'' | | 5 | 4 | 3 | 60 | Y | 0.0
84 | HDCR | Ethernet connection between -HUB4 and Assistant Driller HMI3 | Ethernet cable break (ETH1) | Lose HMI, no backup, but some redundancy on Driller HMI | 5 | 7 | Lose AD until repaired | Alarms, visual | 3 | 105 | N | SOP Training, Change Cable | ''Client'' | | 5 | 5 | 3 | 75 | N | 28.6
85 | HDCR | Pipe Handle & Integrated System PLC (CPU3) | CPU fault | Lose Joysticks, HMI function, cannot change equipment mode, Lose control of equipment | 3 | 8 | DW Hard Stop. Repair | Visual only | 4 | 96 | Y | SOP training, Spares | ''Client'' | | 3 | 7 | 4 | 84 | Y | 12.5
86 | HDCR | Pipe Handle & Integrated System PLC (CPU3) | SF | Lose Joysticks, HMI function, cannot change equipment mode, Lose control of equipment | 3 | 8 | DW Hard Stop. Repair | Visual only | 4 | 96 | Y | SOP training, Spares | ''Client'' | | 3 | 7 | 4 | 84 | Y | 12.5
87 | HDCR | Pipe Handle & Integrated System PLC (CPU3) | BF | Comms Fault, May lose joystick, maybe DW hard stop, maybe data loss on HMI. Lose control of Equipment | 4 | 8 | DW Hard Stop. Repair | Visual only | 4 | 128 | N | SOP training, Spares | ''Client'' | | 4 | 7 | 4 | 112 | Y | 12.5
88 | HDCR | Pipe Handle & Integrated System PLC (CPU3) | Power failure | Lose Joysticks, HMI function, cannot change equipment mode, Lose control of equipment | 3 | 8 | DW Hard Stop. Repair | Visual only | 4 | 96 | Y | SOP training, Spares | ''Client'' | | 3 | 7 | 4 | 84 | Y | 12.5
89 | HDCR | Pipe Handle & Integration System | Version back up on rig | Regression Errors. Potential to lose functionality | 5 | 7 | Potential Regression error | Difficult | 7 | 245 | N | Operations. ''Client'' needs Software MOC procedure coordinated with Vendor | ''Client'' | | 4 | 5 | 3 | 60 | Y | 75.5
90 | HDCR | Pipe Handle & Integrated System PLC (CPU3) | PLC Flash Card | Lose Joysticks, HMI function, cannot change equipment mode, Lose control of equipment | 3 | 6 | Only have TD and RN, No DW or MPs, etc. Switch to CPU 2 and restart | Loss of comms, Loss of control | 3 | 54 | Y | Operations Drill SOP, spares, training | ''Client'' | | 3 | 6 | 3 | 54 | Y | 0.0
91 | HDCR | Pipe Handle & Integrated System PLC (CPU3) Communication fault | Lost Comm. With CPU1 | DW Hard Stop, Ramp Down Pumps, All not available. ''Confidential'' No Impact | 5 | 8 | Hard Stop DW. Manage and Repair | Alarms | 3 | 120 | N | Operations Drill SOP, spares, training | ''Client'' | | 5 | 7 | 3 | 105 | N | 12.5

92 | HDCR | Pipe Handle & Integrated System PLC (CPU3) Communication fault | Lost Comm. With CPU2 | No Impact | 5 | 2 | No Impact | No Alarms | 8 | 80 | Y | Operations | ''Client'' | | 5 | 2 | 8 | 80 | Y | 0.0
93 | HDCR | Pipe Handle & Integrated System PLC (CPU3) Communication fault | Lost Comm. With CPU4 | ZMS lock down everything | 5 | 8 | Hard Stop DW, can bypass ZMS? Can ZMS override - but only limited operations | Alarms. Invisible | 3 | 120 | N | Suggest: Bypass feature has password protection. Also needs password protection | ''CONFIDENTIAL'' | Before final test | 5 | 8 | 3 | 120 | N | 0.0
94 | HDCR | Pipe Handle & Integrated System PLC (CPU3) Communication fault | Lost Comm. With ++CW CPU | No joystick control of CW and ZMS lock down Matrix | 5 | 6 | CW in ZMS, use local or remote for CW | Alarms | 3 | 90 | Y | Operations Drill SOP, spares, training | ''Client'' | | 5 | 6 | 3 | 90 | Y | 0.0
95 | HDCR | Pipe Handle & Integrated System PLC (CPU3) Communication fault | Lost Comm. With ++RN/TD CPU (''Confidential'') | Reduced Control of RN and TD | 5 | 8 | Make safe w/o TD | Alarms | 3 | 120 | N | Operations Drill SOP, spares, training | ''Client'' | | 5 | 8 | 3 | 120 | N | 0.0
96 | HDCR | Pipe Handle & Integrated System PLC (CPU3) Communication fault | Lost Comm. With Joystick 1 | Lose DW, Slips. Correction: can control from TouchScreen | 5 | 5 | Soft Stop. Make safe w/o Dw | Alarms | 3 | 75 | Y | Operations Drill SOP, spares, training | ''Client'' | | 5 | 5 | 3 | 75 | Y | 0.0
97 | HDCR | Pipe Handle & Integrated System PLC (CPU3) Communication fault | Lost Comm. With Joystick 2 | Lose TD. Correction: can control from TouchScreen | 5 | 5 | Make Safe w/o TD | Alarms | 3 | 75 | Y | Operations Drill SOP, spares, training | ''Client'' | | 5 | 5 | 3 | 75 | Y | 0.0
98 | HDCR | Pipe Handle & Integrated System PLC (CPU3) Communication fault | Lost Comm. With Joystick 3 | Lose RN, DFMA, CW (joystick). Correction: can control from TouchScreen | 5 | 5 | Try to continue, reduced functionality | Alarms | 3 | 75 | Y | Operations Drill SOP, spares, training | ''Client'' | | 5 | 5 | 3 | 75 | Y | 0.0
99 | HDCR | Pipe Handle & Integrated System PLC (CPU3) Communication fault | Lost Comm. With Joystick 4 | Lose RN, DFMA, CW (joystick). Correction: can control from TouchScreen | 5 | 5 | Try to continue, reduced functionality | Alarms | 3 | 75 | Y | Operations Drill SOP, spares, training | ''Client'' | | 5 | 5 | 3 | 75 | Y | 0.0
100 | HDCR | Pipe Handle & Integrated System PLC (CPU3) Communication fault | Lost Comm. With Main Driller HMI 1 | no impact | 5 | 2 | No Impact | Alarms | 3 | 30 | Y | | | | 5 | 2 | 3 | 30 | Y | 0.0
101 | HDCR | Pipe Handle & Integrated System PLC (CPU3) Communication fault | Lost Comm. With Main Driller HMI 2 | no impact | 5 | 2 | No Impact | Alarms | 3 | 30 | Y | | | | 5 | 2 | 3 | 30 | Y | 0.0
102 | HDCR | Pipe Handle & Integrated System PLC (CPU3) Communication fault | Lost Comm. With Assistant Driller HMI 3 | Lose RN, DFMA, CW (joystick) | 5 | 7 | Try to continue, reduced functionality | Alarms | 3 | 105 | N | Operations Drill SOP, spares, training | ''Client'' | | 5 | 7 | 3 | 105 | N | 0.0
103 | HDCR | Ethernet to PLC3 | Cable break to HUB4 (ETH1) | Comms Fault, Will lose joystick, maybe DW hard stop, maybe data loss on HMI. Will Lose Control of equipment | 5 | 8 | DW Soft Stop. Repair | Alarms | 3 | 120 | N | Operations SOP training, Spares | ''Client'' | | 5 | 8 | 3 | 120 | Y | 0.0
104 | HDCR | Joystick 1 | Mechanical damage | Lose DW, Slips. Correction: can control from TouchScreen | 5 | 5 | Soft Stop. Make safe w/o Dw | Alarms | 3 | 75 | Y | Operations Drill SOP, spares, training | ''Client'' | | 5 | 5 | 3 | 75 | Y | 0.0
105 | HDCR | Joystick 1 | Communication interface failure | Lose DW, Slips. Correction: can control from TouchScreen | 5 | 5 | Soft Stop. Make safe w/o TD | Alarms | 3 | 75 | Y | Operations Drill SOP, spares, training | ''Client'' | | 5 | 5 | 3 | 75 | Y | 0.0

106 | HDCR | Joystick 1 | Power failure | Could lose both joysticks - Lose TD and DW. Correction: can control from TouchScreen | 5 | 5 | Make Safe | Alarms | 3 | 75 | Y | Operations Drill SOP, spares, training | ''Client'' | | 5 | 5 | 3 | 75 | Y | 0.0
107 | HDCR | Joystick 2 | Mechanical damage | Lose TD. Correction: can control from TouchScreen | 5 | 5 | Make Safe w/o TD | Alarms | 3 | 75 | Y | Operations Drill SOP, spares, training | ''Client'' | | 5 | 5 | 3 | 75 | Y | 0.0
108 | HDCR | Joystick 2 | Communication interface failure | Lose TD. Correction: can control from TouchScreen | 5 | 5 | Make Safe w/o TD | Alarms | 3 | 75 | Y | Operations Drill SOP, spares, training | ''Client'' | | 5 | 5 | 3 | 75 | Y | 0.0
109 | HDCR | Joystick 2 | Power failure | Could lose both joysticks - Lose TD and DW. Correction: can control from TouchScreen | 5 | 5 | Make Safe | Alarms | 3 | 75 | Y | Operations Drill SOP, spares, training | ''Client'' | | 5 | 5 | 3 | 75 | Y | 0.0
110 | HDCR | Joystick 3 | Mechanical damage | Correction: can control from TouchScreen | 5 | 5 | Try to continue, reduced functionality | Alarms | 3 | 75 | Y | Operations Drill SOP, spares, training | ''Client'' | | 5 | 5 | 3 | 75 | Y | 0.0
111 | HDCR | Joystick 3 | Communication interface failure | Lose RN, DFMA, CW (joystick). Correction: can control from TouchScreen | 5 | 5 | Try to continue, reduced functionality | Alarms | 3 | 75 | Y | Operations Drill SOP, spares, training | ''Client'' | | 5 | 5 | 3 | 75 | Y | 0.0
112 | HDCR | Joystick 3 | Power failure | Could lose both joysticks - Lose TD and DW. Correction: can control from TouchScreen | 5 | 5 | Make Safe | Alarms | 3 | 75 | Y | Operations Drill SOP, spares, training | ''Client'' | | 5 | 5 | 3 | 75 | Y | 0.0
113 | HDCR | Joystick 4 | Mechanical damage | Lose RN, DFMA, CW (joystick). Correction: can control from TouchScreen | 5 | 5 | Try to continue, reduced functionality | Alarms | 3 | 75 | Y | Operations Drill SOP, spares, training | ''Client'' | | 5 | 5 | 3 | 75 | Y | 0.0
114 | HDCR | Joystick 4 | Communication interface failure | Lose RN, DFMA, CW (joystick). Correction: can control from TouchScreen | 5 | 5 | Try to continue, reduced functionality | Alarms | 3 | 75 | Y | Operations Drill SOP, spares, training | ''Client'' | | 5 | 5 | 3 | 75 | Y | 0.0
115 | HDCR | Joystick 4 | Power failure | Could lose both joysticks - Lose TD and DW. Correction: can control from TouchScreen | 5 | 5 | Make Safe | Alarms | 3 | 75 | Y | Operations Drill SOP, spares, training | ''Client'' | | 5 | 5 | 3 | 75 | Y | 0.0
116 | HDCR | Profibus Connection between Joystick 3 and Joystick 4 | Profibus connector fault or Cable break | May lose all 4 joysticks or just Joystick 3 | 5 | 8 | Make Safe, troubleshoot and repair | Alarms | 4 | 160 | N | Operations Drill SOP, spares, training | ''Client'' | | 5 | 8 | 4 | 160 | N | 0.0
117 | HDCR | Profibus Connection between Joystick 4 and CPU | Profibus connector fault or Cable break | May lose all 4 joysticks or just Joystick 4 & 3 | 5 | 8 | Make Safe, troubleshoot and repair | Alarms | 4 | 160 | N | Operations Drill SOP, spares, training | ''Client'' | | 5 | 8 | 4 | 160 | N | 0.0

118 | HDCR | Profibus Connection between CPU and J1 | Profibus connector fault or Cable break | May lose all 4 joysticks or just Joystick 1 & 2 | 5 | 8 | Make Safe, troubleshoot and repair | Alarms | 4 | 160 | N | Operations Drill SOP, spares, training | ''Client'' | | 5 | 8 | 4 | 160 | N | 0.0
119 | HDCR | Profibus Connection between Joystick 1 and Joystick 2 | Profibus connector fault or Cable break | May lose all 4 joysticks or just Joystick 2 | 5 | 8 | Make Safe, troubleshoot and repair | Alarms | 4 | 160 | N | Operations Drill SOP, spares, training | ''Client'' | | 5 | 8 | 4 | 160 | N | 0.0
120 | HDCR | Main Driller HMI - HMI1 | Display failure | Lose partial redundancy | 5 | 4 | continue | Visual and Alarms | 3 | 60 | Y | Operations Spares, Training | ''Client'' | | 5 | 4 | 3 | 60 | Y | 0.0
121 | HDCR | Main Driller HMI - HMI1 | Power failure | Lose all 3 HMIs | 5 | 9 | Make safe | Loss of alarms and visual | 7 | 315 | N | Operations Spares, Training. Suggest: HMIs on different 24VDC supply and Fuses | ''Client'' | | 5 | 4 | 3 | 60 | Y | 81.0
122 | HDCR | Main Driller HMI - HMI1 | Communication interface failure | Lose partial redundancy | 5 | 4 | continue | Visual and Alarms | 3 | 60 | Y | Operations Spares, Training | ''Client'' | | 5 | 4 | 3 | 60 | Y | 0.0
123 | HDCR | Main Driller HMI - HMI1 | HMI 1 Version back up on rig | Regression Errors. Potential to lose functionality | 5 | 7 | Potential Regression error | Difficult | 7 | 245 | N | Operations. ''Client'' needs Software MOC procedure coordinated with Vendor | ''Client'' | | 4 | 5 | 3 | 60 | Y | 75.5
124 | HDCR | Main Driller HMI - HMI1 | Flash Card | Lose calibration values when change HMI or replace PLC CPU | 3 | 9 | Requires Clarification | Requires Clarification | 7 | 189 | N | Suggestion: Management of equipment calibration between HMI, Flash and PLC needs to be clear and tested by ''CONFIDENTIAL'' before delivery | ''CONFIDENTIAL'' | Before final test | 3 | 9 | 7 | 189 | N | 0.0
125 | HDCR | Main Driller HMI - HMI2 | Display failure | Lose partial redundancy | 5 | 4 | continue | Visual and Alarms | 3 | 60 | Y | Operations Spares, Training | ''Client'' | | 5 | 4 | 3 | 60 | Y | 0.0
126 | HDCR | Main Driller HMI - HMI2 | Power failure | Lose all 3 HMIs | 5 | 9 | Make safe | Loss of alarms and visual | 7 | 315 | N | Operations Spares, Training. Suggest: HMIs on different 24VDC supply and Fuses | ''Client'' | | 5 | 4 | 3 | 60 | Y | 81.0
127 | HDCR | Main Driller HMI - HMI2 | Communication interface failure | Lose partial redundancy | 5 | 4 | continue | Visual and Alarms | 3 | 60 | Y | Operations Spares, Training | ''Client'' | | 5 | 4 | 3 | 60 | Y | 0.0
128 | HDCR | Main Driller HMI - HMI2 | HMI 2 Version back up on rig | Regression Errors. Potential to lose functionality | 5 | 7 | Potential Regression error | Difficult | 7 | 245 | N | Operations. ''Client'' needs Software MOC procedure coordinated with Vendor | ''Client'' | | 4 | 5 | 3 | 60 | Y | 75.5
129 | HDCR | Main Driller HMI - HMI2 | Flash Card | Lose calibration values when change HMI or replace PLC CPU | 3 | 9 | Requires Clarification | Requires Clarification | 7 | 189 | N | Suggestion: Management of equipment calibration between HMI, Flash and PLC needs to be clear and tested by ''CONFIDENTIAL'' before delivery | ''CONFIDENTIAL'' | Before final test | 3 | 9 | 7 | 189 | N | 0.0

130 | HDCR | Assistant Driller HMI - HMI3 | Display failure | Lose RN, CW (Joysticks), DFMA | 5 | 7 | Manage for manual ops | Visual | 4 | 140 | N | Operations Spares, Training | ''Client'' | | 5 | 7 | 4 | 140 | N | 0.0
131 | HDCR | Assistant Driller HMI - HMI3 | Power failure | Lose all 3 HMIs | 5 | 7 | Make safe | Loss of alarms and visual | 7 | 245 | N | Operations Spares, Training. Suggest: HMIs on different 24VDC supply and Fuses | ''Client'' | | 5 | 4 | 3 | 60 | Y | 75.5
132 | HDCR | Assistant Driller HMI - HMI3 | Communication interface failure | Full loss of equipment RN, DFMA, CW (Joysticks) | 5 | 4 | continue | Visual and Alarms | 3 | 60 | Y | Operations Spares, Training | ''Client'' | | 5 | 4 | 3 | 60 | Y | 0.0
133 | HDCR | Assistant Driller HMI - HMI3 | HMI 3 Version back up on rig | Regression Errors. Potential to lose functionality | 5 | 7 | Potential Regression error | Difficult | 7 | 245 | N | Operations. ''Client'' needs Software MOC procedure coordinated with Vendor | ''Client'' | | 4 | 5 | 3 | 60 | Y | 75.5
134 | HDCR | Assistant Driller HMI - HMI3 | Flash Card | Lose calibration values when change HMI or replace PLC CPU | 3 | 9 | Requires Clarification | Requires Clarification | 7 | 189 | N | Suggestion: Management of equipment calibration between HMI, Flash and PLC needs to be clear and tested by ''CONFIDENTIAL'' before delivery | ''CONFIDENTIAL'' | Before final test | 3 | 9 | 7 | 189 | N | 0.0
135 | HDCR | Remote I/O interface - ET1/ET2 | SF (System Fault) | Lose signals from fault IO card. Variety of problems. CPU1/2/3/4 responding as needed. DW hard stop to minimal impact | 4 | 8 | Possible Hard Stop. Manage Well. Troubleshoot / Switch to ET2 | Alarms | 3 | 96 | N | Troubleshoot, Training, Test by ''CONFIDENTIAL'' before delivery | ''CONFIDENTIAL'' | Before final test | 4 | 7 | 3 | 84 | Y | 12.5
136 | HDCR | Remote I/O interface - ET1/ET2 | BF (Bus failure) | Lose signals from fault IO card. Variety of problems. CPU1/2/3/4 responding as needed. DW hard stop to minimal impact | 5 | 8 | Possible Hard Stop. Manage Well. Troubleshoot / Switch to ET2 | Alarms | 3 | 120 | N | Troubleshoot, Training, Test by ''CONFIDENTIAL'' before delivery | ''CONFIDENTIAL'' | Before final test | 5 | 7 | 3 | 105 | N | 12.5
137 | HDCR | Remote I/O interface - ET1/ET2 | Power failure | Lose redundancy as connected to same 24VDC supply | 5 | 9 | Make well safe, repair | Alarms | 3 | 135 | N | Troubleshoot, Training, Test by ''CONFIDENTIAL'' before delivery. Suggest: HMIs on different 24VDC supply and Fuses | ''CONFIDENTIAL'' | Before final test | 4 | 5 | 3 | 60 | Y | 55.6
138 | HDCR | Remote I/O interface - ET1/ET2 | I/O Card/Module fault | System Fault. Lose signals - variety of problems, CPUs response varies | 5 | 8 | Possible Hard Stop. Manage Well. Troubleshoot / Switch to ET2 | Alarms | 3 | 120 | N | Operations Troubleshoot, Training, Switch to ET2 as designed. Test by ''CONFIDENTIAL'' before delivery | ''CONFIDENTIAL''/''Client'' | | 5 | 7 | 3 | 105 | N | 12.5

139 | HDCR | Remote I/O interface -ET2 (Second Failure) | SF | Lose signals from fault IO card. Variety of problems. CPU1/2/3/4 responding as needed. DW hard stop to minimal impact | 5 | 9 | NO backup. Must repair | Alarms | 3 | 135 | N | Operations training, Spares, etc. | ''Client'' | | 5 | 8 | 3 | 120 | N | 11.1
140 | HDCR | Remote I/O interface -ET2 (Second Failure) | BF | Lose signals from fault IO card. Variety of problems. CPU1/2/3/4 responding as needed. DW hard stop to minimal impact | 5 | 9 | NO backup. Must repair | Alarms | 3 | 135 | N | Operations training, Spares, etc. | ''Client'' | | 5 | 8 | 3 | 120 | N | 11.1
141 | HDCR | Remote I/O interface -ET2 (Second Failure) | Power failure | Lose signals from fault IO card. Variety of problems. CPU1/2/3/4 responding as needed. DW hard stop to minimal impact | 5 | 9 | NO backup. Must repair | Alarms | 3 | 135 | N | Operations training, Spares, etc. | ''Client'' | | 5 | 8 | 3 | 120 | N | 11.1
142 | HDCR | Remote I/O interface -ET2 (Second Failure) | I/O Card/Module fault | Lose signals from fault IO card. Variety of problems. CPU1/2/3/4 responding as needed. DW hard stop to minimal impact | 5 | 9 | NO backup. Must repair | Alarms | 3 | 135 | N | Operations training, Spares, etc. | ''Client'' | | 5 | 8 | 3 | 120 | N | 11.1
143 | HDCR | PLC Relay switch | Commutation failure | Lose capability to switch to ET2, lose redundancy | 2 | 4 | no impact unless ET2 fails | Loss of comms alarms | 3 | 24 | Y | Operations Spares, Training | ''Client'' | | 2 | 4 | 3 | 24 | Y | 0.0
144 | HDCR | Remote I/O interfaces -ET1 & -ET2 | Overvoltage on Digital input | Potential damage to IO cards with Lost redundancy | 2 | 8 | troubleshoot, switch to ET2 | Bad data, system faults on ET and related CPU | 4 | 64 | Y | Operations Spares, Training. Suggestions: Requires design modifications. Comments given are not executed | ''Client'' | | 2 | 8 | 4 | 64 | Y | 0.0
145 | HDCR | Remote I/O interfaces -ET1 & -ET2 | Short circuit on Digital output | Potential damage to IO cards with Lost redundancy | 2 | 8 | troubleshoot, switch to ET2 | | 4 | 64 | Y | Operations Spares, Training | ''Client'' | | 2 | 8 | 4 | 64 | Y | 0.0
146 | HDCR | Power Catwalk PLC (CPU4) | CPU fault | Lose Joystick and Remote control of Catwalk. ZMS locks down Matrix and alarms. | 3 | 6 | Temporary lock down. Can override bypass ZMS for CW | Alarms | 3 | 54 | Y | Operations PTW | ''Client'' | | 3 | 6 | 3 | 54 | Y | 0.0
147 | HDCR | Power Catwalk PLC (CPU4) | SF | Lose Joystick and Remote control of Catwalk. ZMS locks down Matrix and alarms. | 3 | 6 | Temporary lock down. Can override bypass ZMS for CW | Alarms | 3 | 54 | Y | Operations PTW | ''Client'' | | 3 | 6 | 3 | 54 | Y | 0.0
148 | HDCR | Power Catwalk PLC (CPU4) | BF | Lose Joystick and Remote control of Catwalk. ZMS locks down Matrix and alarms. | 4 | 6 | Temporary lock down. Can override bypass ZMS for CW | Alarms | 3 | 72 | Y | Operations PTW | ''Client'' | | 4 | 6 | 3 | 72 | Y | 0.0
149 | HDCR | Power Catwalk PLC (CPU4) | Power failure | Lose Joystick and Remote control of Catwalk. ZMS locks down Matrix and alarms. | 4 | 6 | Temporary lock down. Can override bypass ZMS for CW | Alarms | 3 | 72 | Y | Operations PTW | ''Client'' | | 4 | 6 | 3 | 72 | Y | 0.0

150 | HDCR | Power Catwalk PLC (CPU4) | Power Catwalk Version back up on rig | Regression Errors. Potential to lose functionality | 5 | 7 | Potential Regression error | Difficult | 7 | 245 | N | Operations. ''Client'' needs Software MOC procedure coordinated with Vendor | ''Client'' | | 4 | 5 | 3 | 60 | Y | 75.5
151 | HDCR | Power Catwalk PLC (CPU4) | PLC Flash Card | Lose Joystick and Remote control of Catwalk. ZMS locks down Matrix and alarms. | 3 | 6 | | Loss of comms, Loss of control | 3 | 54 | Y | Operations Drill SOP, spares, training | ''Client'' | | 3 | 6 | 3 | 54 | Y | 0.0
152 | HDCR | Power Catwalk PLC (CPU4) | I/O Card/Module fault | Lose Remote, can cause System fault, Cannot operate in Auto | 5 | 6 | Local control only | Alarms | 3 | 90 | Y | Operations Drill SOP, spares, training | ''Client'' | | 5 | 6 | 3 | 90 | Y | 0.0
153 | HDCR | Power Catwalk PLC (CPU4) Communication fault | Lost Comm. With CPU1/2 | NA | | | | | | 0 | | | | | | | | 0 | | 
154 | HDCR | Power Catwalk PLC (CPU4) Communication fault | Lost Comm. With CPU3 | Only have Radio & Local control (no joysticks), ZMS locks down matrix | 5 | 5 | Can bypass and use override. Use remote | Alarms | 3 | 75 | Y | Operations Drill SOP, spares, training | ''Client'' | | 5 | 5 | 3 | 75 | Y | 0.0
155 | HDCR | Power Catwalk PLC (CPU4) Communication fault | Lost Comms with CPU4 (ZMS) | Lock down Matrix, can bypass and override | 5 | 5 | Can bypass and use override | Alarms | 3 | 75 | Y | Operations Drill SOP, spares, training | ''Client'' | | 5 | 5 | 3 | 75 | Y | 0.0
156 | HDCR | Power Catwalk PLC (CPU4) Communication fault | Lost Comm. With ++RN/TD CPU (''Confidential'') | NA | | | | | | 0 | | | | | | | | 0 | | 
157 | HDCR | Power Catwalk PLC (CPU4) Communication fault | Lost Comm. With Assistant Driller HMI 3 | NA | | | | | | 0 | | | | | | | | 0 | | 
158 | ''Confidential'' DCR CIP Panel | Network Switch Stratix 5700 | Switch failure | TDS unavailable, TD Stops, Wrench Stops. DW frozen, CW motion limited. No direct impact to other ''CONFIDENTIAL'' Equip | 4 | 8 | Hydraulic control RN is limited, Manage Well, Make Repairs | Operator receives alarm, Visual indication, Immediate loss of control. TD stops turning | 3 | 96 | Y | Spares | ''Client'' | | 4 | 7 | 3 | 84 | Y | 12.5
159 | ''Confidential'' DCR CIP Panel | Network Switch Stratix 5700 | Power failure | TDS unavailable, TD Stops, Wrench Stops. DW frozen, CW motion limited. No direct impact to other ''CONFIDENTIAL'' Equip | 4 | 8 | Hydraulic control RN is limited, Manage Well, Make Repairs | Operator receives alarm, Visual indication, ''Confidential'' Freezes, Immediate loss of control. TD stops turning | 3 | 96 | Y | Spares | ''Client'' | | 4 | 7 | 3 | 84 | Y | 12.5
160 | ''Confidential'' DCR CIP Panel | Network Switch Stratix 5700 to Profinet Gateway | Cable break | Lose Heartbeat, TD and RN no control, stop safe | 5 | 7 | ''Confidential'' HMI can 100% control of RN. Limited TD control | HMI functioning 100% and Communicating. | 3 | 105 | Y | Spares | ''Client'' | | 4 | 7 | 3 | 84 | Y | 20.0
161 | ''Confidential'' DCR CIP Panel | PLX82 Profinet Gateway to ''CONFIDENTIAL'' Control Network | Unit failure | PDO requested independent system to fire detection. The standard system is installed separately. | 5 | 8 | ''Confidential'' HMI can 100% control of RN. Limited TD control | ''Confidential'' sees fault. ''CONFIDENTIAL'' sees Comms fault | 3 | 120 | N | Spares. ''Client'' to Manage spares | ''Client'' | | 5 | 7 | 3 | 105 | N | 12.5

162 | ''Confidential'' DCR CIP Panel | PLX82 Profinet Gateway to ''CONFIDENTIAL'' Control Network | Power failure | Lose Heartbeat, TD and RN no control, stop safe | 5 | 8 | ''Confidential'' HMI can 100% control of RN. Limited TD control | ''Confidential'' sees fault. ''CONFIDENTIAL'' sees Comms fault | 3 | 120 | N | Spares. ''Client'' to Manage spares | ''Client'' | | 5 | 7 | 3 | 105 | N | 12.5
163 | ''Confidential'' DCR CIP Panel | Profinet Gateway connection to ''CONFIDENTIAL'' Switch (HUB3) | Cable break | Lose Heartbeat, TD and RN no control, stop safe | 5 | 8 | ''Confidential'' HMI can 100% control of RN. Limited TD control | ''Confidential'' sees fault. ''CONFIDENTIAL'' sees Comms fault | 3 | 120 | N | Spares, training | ''Client'' | | 5 | 7 | 3 | 105 | N | 12.5
164 | ''Confidential'' DCR CIP Panel | Network Switch Stratix 5700 to UPS1 PLC | Cable break | Cannot properly shutdown Server. Server will stay on, until UPS drains. Could cause corruption on OS | 5 | 4 | Normal Operation. <Unless double failure> | ''Confidential'' alarm "loss of comms" | 3 | 60 | Y | Spares, training | ''Client'' | | 5 | 4 | 3 | 60 | Y | 0.0
165 | ''Confidential'' DCR CIP Panel | Network Switch Stratix 5700 to Server 1.11 | Cable break | no historian, No Z Torque | 5 | 6 | Mostly normal operation | ''Confidential'' alarm "loss of comms" | 3 | 90 | Y | Spares, training | ''Client'' | | 5 | 6 | 3 | 90 | Y | 0.0
166 | ''Confidential'' DCR CIP Panel | Server 1.11 PC - Electrical Drive & Control System | Base Component Fails | no historian, No Z Torque | 6 | 6 | Mostly normal operation | General Server Alarm seen by driller on ''Confidential'' HMI | 3 | 108 | Y | Spares, training | ''Client'' | | 5 | 6 | 3 | 90 | N | 16.7
167 | ''Confidential'' DCR CIP Panel | Server 1.11 PC - Electrical Drive & Control System | Hard Drive Fails | no historian, No Z Torque | 6 | 3 | Mostly normal operation | General Server Alarm seen by driller on ''Confidential'' HMI | 4 | 72 | Y | Spares, training, proper PM | ''Client'' | | 5 | 3 | 4 | 60 | Y | 16.7
168 | ''Confidential'' DCR CIP Panel | Server 1.11 PC - Electrical Drive & Control System | Fans Fails | eventual Fail | 6 | 5 | Mostly normal operation | Temperature alarm? | 4 | 120 | N | Proper maintenance | ''Client'' | | 5 | 5 | 3 | 75 | Y | 37.5
169 | ''Confidential'' DCR CIP Panel | Server 1.11 PC - Electrical Drive & Control System | USB Connection fails | Not Used - | 1 | 1 | | | 1 | 1 | | | | | 1 | 1 | 1 | 1 | Y | 0.0
170 | ''Confidential'' DCR CIP Panel | Server 1.11 PC - Electrical Drive & Control System | Power breaker trip | no historian, No | 4 | 6 | Mostly normal operation | ''Confidential'' alarm "loss of comms" | 3 | 72 | Y | Spares, training | ''Client'' | | 4 | 6 | 3 | 72 | Y | 0.0
171 | ''Confidential'' DCR CIP Panel | Server 1.11 PC - Electrical Drive & Control System | Single or Double Power Supply fails | no historian, No | 6 | 6 | Mostly normal operation | General Server Alarm seen by driller on ''Confidential'' HMI | 3 | 108 | Y | Spares, training | ''Client'' | | 5 | 6 | 3 | 90 | Y | 16.7
172 | ''Confidential'' DCR CIP Panel | Server 1.11 PC - Electrical Drive & Control System | Ethernet port or network adapter failure | no historian, No | 5 | 6 | Mostly normal operation | ''Confidential'' alarm "loss of comms" | 3 | 90 | Y | Spares, training | ''Client'' | | 4 | 6 | 3 | 72 | Y | 20.0
173 | ''Confidential'' DCR CIP Panel | Network Switch Stratix 5700 to Prosoft Gateway 1.87 | Cable break | Lose Heartbeat, TD no control, stop safe. Full RN control | 4 | 8 | TD dead, have limited capabilities, cannot drill | ''Confidential'' alarm "loss of comms" | 3 | 96 | Y | Spares, training | ''Client'' | | 4 | 8 | 3 | 96 | Y | 0.0
174 | ''Confidential'' DCR CIP Panel | Prosoft Profibus Gateway to TD VFD | Unit failure | Lose Heartbeat, TD no control, stop safe. Full RN control | 4 | 8 | TD dead, have limited capabilities, cannot drill | ''Confidential'' alarm "loss of comms". Alarm on VFD | 3 | 96 | Y | Spares, training | ''Client'' | | 4 | 8 | 3 | 96 | Y | 0.0
175 | ''Confidential'' DCR CIP Panel | Prosoft Profibus Gateway to TD VFD | Power failure | Lose Heartbeat, TD no control, stop safe. Full RN control | 4 | 8 | TD dead, have limited capabilities, cannot drill | ''Confidential'' alarm "loss of comms". Alarm on VFD | 3 | 96 | Y | Spares, training | ''Client'' | | 4 | 8 | 3 | 96 | Y | 0.0
176 | ''Confidential'' DCR CIP Panel | Network Switch Stratix 5700 connection to HMI Client 1.180 | Cable break | Loss ''Confidential'' HMI, Can use ''CONFIDENTIAL'' and other one. No Loss of drill function | 6 | 4 | Normal operations | Screen Dead | 2 | 48 | Y | Spares | ''Client'' | | 5 | 4 | 2 | 40 | Y | 16.7
177 | ''Confidential'' DCR CIP Panel | HMI Client 1.180 | Display failure | Loss ''Confidential'' HMI, Can use ''CONFIDENTIAL'' and other one. No Loss of drill function | 5 | 4 | Normal operations | Screen Dead | 2 | 40 | Y | Spares | ''Client'' | | 5 | 4 | 2 | 40 | Y | 0.0

Confidential to ACES GQS - Evaluation Only 65


www.kingston-systems.com
Rank New New rank %
Item Operational RAN Complet New New New
Parent Part Part Failing Failure Type Effect of Failure OCC SEV Detection Mode DET Accep Mitigating Action Respon- sible Ran Acceptabl Reduction
# Action K Date Occ Sev DET
t k e in RPN
Loss ''Confidential'' Normal Screen Dead
HMI, Can use operations
178 Power failure ''CONFIDENTIAL'' 5 4 2 40 Y ''Client'' 5 4 2 40 Y 0.0
and other one. No
Loss of drill function Spares
Loss ''Confidential'' Normal Screen Dead
HMI, Can use operations
Communication
179 ''CONFIDENTIAL'' 6 4 2 48 Y ''Client'' 6 4 2 48 Y 0.0
interface failure
and other one. No
Loss of drill function Spares
Limited loss. Some Normal Depends
180 Hard Drive Fails applications lost 4 4 operations 6 96 y ''Client'' 4 4 6 96 Y 0.0
Spares, PM
minimal operational HMI code on Depends
Software Version impact, Some Server
181 6 3 8 144 N ''Client'', ''Confidential'' 4 3 4 48 Y 66.7
back up on rig features incorrect, Software
non-operational Management Plan
Loss ''Confidential'' Normal Screen Dead
Network Switch
''Confidential' HMI, Can use operations
Stratix 5700
182 ' DCR CIP Cable break ''CONFIDENTIAL'' 6 4 2 48 Y ''Client'' 5 4 2 40 Y 16.7
connection to
Panel and other one. No
HMI Client 1.181
Loss of drill function Spares
Loss ''Confidential'' Normal Screen Dead
HMI, Can use operations
183 Display failure ''CONFIDENTIAL'' 5 4 2 40 Y ''Client'' 5 4 2 40 Y 0.0
and other one. No
Loss of drill function Spares
Loss ''Confidential'' Normal Screen Dead
HMI, Can use operations
184 Power failure ''CONFIDENTIAL'' 5 4 2 40 Y ''Client'' 5 4 2 40 Y 0.0
and other one. No
Loss of drill function Spares
Loss ''Confidential'' Normal Screen Dead
''Confidential' HMI, Can use operations
' DCR CIP HMI Client 1.181 Communication
185 ''CONFIDENTIAL'' 6 4 2 48 Y ''Client'' 6 4 2 48 Y 0.0
Panel interface failure
and other one. No
Loss of drill function Spares
Limited loss. Some Normal Depends
186 Hard Drive Fails applications lost 4 4 operations 6 96 y ''Client'' 4 4 6 96 Y 0.0
Spares, PM
minimal operational HMI code on Depends ''Client'' to
impact, Some Server implement an
features incorrect, SMOC Software
Software Version
187 non-operational 6 3 8 144 N Management Plan, ''Client'', ''Confidential'' 4 3 4 48 Y 66.7
back up on rig
and integrate with
Vendor
(''Confidential'')
Network Switch Loss ''Confidential'' Normal Screen Dead
''Confidential' Stratix 5700 HMI, Can use operations
188 ' DCR CIP connection to WR Cable break ''CONFIDENTIAL'' 6 4 2 48 Y ''Client'' 5 4 2 40 Y 16.7
Panel RIO Rack 2 and other one. No
1.158 Loss of drill function Spares

Confidential to ACES GQS - Evaluation Only 66


www.kingston-systems.com
Rank New New rank %
Item Operational RAN Complet New New New
Parent Part Part Failing Failure Type Effect of Failure OCC SEV Detection Mode DET Accep Mitigating Action Respon- sible Ran Acceptabl Reduction
# Action K Date Occ Sev DET
t k e in RPN
Current Effect : If Wrench is Loss of Comms
RN not operable, retracted, less Alarm on
TD no impact, ZMS impact. ''Confidential''.
potential Impact If Wrench is No visual Procedure for
extended, impact indication of this Manual RN
Required Effect: is higher. THERE Comms loss on operations
ZMS adjust to RN is potential for ''CONFIDENTIAL''
failure ZMS collision .
.Drilling Ops
Might be able to ''Confidential''
continue with needs to mod PLC ''Confidential'',
189 Unit failure 4 9 work arounds 4 144 N application to ''CONFIDENTIAL'', 4 5 3 60 Y 58.3
Can Hydraulic integrate unit ''Client''
move RN - but it failure comms bit.
is tough. ''CONFIDENTIAL''
to use to shutdown
Required RN in ZMS. ZMS
Operational MUST lock down
Action: Move RN any potential
to Safety, Make equipment with
RN Invisible, Use RN. RN will have
manual tongs. be marked
''Confidential' WR Remote I/O Invisible
' WR Cabinet interface 1.158 Current Effect : If Wrench is Loss of Comms
RN not operable, retracted, less Alarm on
TD no impact, ZMS impact. ''Confidential''
potential Impact If Wrench is Procedure for
extended, impact Manual RN
Required Effect: is higher. THERE operations
ZMS adjust to RN is potential for
failure ZMS collision
.Drilling Ops
Might be able to ''Confidential''
continue with needs to mod PLC ''Confidential'',
Communication work arounds
190 4 9 4 144 N application to ''CONFIDENTIAL'', 4 5 3 60 Y 58.3
interface failure Can Hydraulic integrate unit ''Client''
move RN - but it failure comms bit.
is tough. ''CONFIDENTIAL''
to use to shutdown
Required RN in ZMS. ZMS
Operational MUST lock down
Action: Move RN any potential
to Safety, Make equipment with
RN Invisible, Use RN. RN will have
manual tongs. be marked
Invisible

Confidential to ACES GQS - Evaluation Only 67


www.kingston-systems.com
Rank New New rank %
Item Operational RAN Complet New New New
Parent Part Part Failing Failure Type Effect of Failure OCC SEV Detection Mode DET Accep Mitigating Action Respon- sible Ran Acceptabl Reduction
# Action K Date Occ Sev DET
t k e in RPN
Current Effect : If Wrench is Loss of Comms
RN not operable, retracted, less Alarm on
TD no impact, ZMS impact. ''Confidential'' Procedure for
potential Impact If Wrench is Manual RN
extended, impact operations
Required Effect: is higher. THERE
ZMS adjust to RN is potential for
failure ZMS collision
.Drilling Ops ''Confidential''
Might be able to needs to mod PLC
continue with application to ''Confidential'',
191 Power failure 4 9 work arounds 4 144 N integrate unit ''CONFIDENTIAL'', 4 5 3 60 Y 58.3
Can Hydraulic failure comms ''Client''
move RN - but it bit.<done>
is tough. ''CONFIDENTIAL''
to use to shutdown
Required RN in ZMS. ZMS
Operational MUST lock down
Action: Move RN any potential
to Safety, Make equipment with
RN Invisible, Use RN. RN will have
manual tongs. be marked
Invisible
Current Effect : If Wrench is Loss of Comms
Wrench is extended retracted, less Alarm, Direct
and cannot and impact. indication of which
retract. If Wrench is I/O card is bad
TD no impact, ZMS extended, impact
no impact! is higher. THERE
is potential for
Required Effect: ZMS collision
ZMS adjust to RN .Drilling Ops
failure Might be able to
continue with ''Confidential'',
I/O Card/Module work arounds
192 4 8 4 128 N ''CONFIDENTIAL'', 4 5 3 60 Y 53.1
fault Can Hydraulic ''Client''
move RN - but it
is tough.

Required
Operational
Action: Move RN
to Safety, Make
RN Invisible, Use
manual tongs.
Action Covered
Network Switch Lose HMI, Lose Hydraulic control ''CONFIDENTIAL''
Stratix 5700 Control of TD and RN is limited, gets a comms
''Confidential'
connection to RN Manage Well, loss
193 ' DCR CIP Cable break 5 8 3 120 N ''Client'' 5 7 3 105 N 12.5
Ethernet/IP Tap Make Repairs
Panel
1783 ETAP1F
1.172 Spares, Training
Lose HMI, Lose Hydraulic control ''CONFIDENTIAL''
Control of TD and RN is limited, gets a comms
194 Switch failure RN 5 8 Manage Well, loss 3 120 N ''Client'' 5 7 3 105 N 12.5
''Confidential' Ethernet/IP Tap Make Repairs Spares, Training
' DCR CIP 1783 ETAP1F
Lose HMI, Lose Hydraulic control ''CONFIDENTIAL''
Panel 1.172
Control of TD and RN is limited, gets a comms
195 Power failure RN 6 8 Manage Well, loss 3 144 N ''Client'' 6 7 3 126 N 12.5
Make Repairs Spares, Training
''Confidential' Ethernet/IP Tap HMI on, no impact none ''CONFIDENTIAL''
196 ' DCR CIP 1783 ETAP1F Switch failure on operations 5 2 & caring gets a 3 30 Y ''Client'' 5 2 3 30 Y 0.0
Panel 1.175 comms loss Spares, Training

Confidential to ACES GQS - Evaluation Only 68


www.kingston-systems.com
Rank New New rank %
Item Operational RAN Complet New New New
Parent Part Part Failing Failure Type Effect of Failure OCC SEV Detection Mode DET Accep Mitigating Action Respon- sible Ran Acceptabl Reduction
# Action K Date Occ Sev DET
t k e in RPN
HMI on, no impact None ''CONFIDENTIAL''
197 Power failure on operations 6 2 & caring gets a 3 36 Y ''Client'' 6 2 3 36 Y 0.0
comms loss Spares, Training
No TD, but have RN no TD, make well ''CONFIDENTIAL''
198 Switch failure and HMI 5 7 safe, major work & caring gets a 3 105 N ''Client'' 5 6 3 90 N 14.3
''Confidential' Ethernet/IP Tap
arounds comms loss Spares, Training
' DCR CIP 1783 ETAP1F
No TD, but have RN no TD, make well ''CONFIDENTIAL''
Panel 1.176
199 Power failure and HMI 6 7 safe, major work & caring gets a 3 126 N ''Client'' 6 6 3 108 N 14.3
arounds comms loss Spares, Training
Ethernet/IP Tap HMI on, no impact none ''Confidential''
1783 ETAP1F on operations Comms Alarm
1.172 to other
nodes on the
copper network
''Confidential'
(PLC 5069, TD Any Cable break
200 ' DCR CIP 5 2 3 30 Y ''Client'' 5 2 3 30 Y 0.0
RIO Rack 3, in the loop
Panel
MCC Network
Controller 193,
WR RIO Rack 1
and Ethernet/IP
Tap 1783 1.175) Spares, Training
Ethernet/IP Tap Lose RN and TD Shut down, Make ''Confidential''
1783 ETAP1F Well Safe Comms Alarm
1.172 to other
nodes on the
copper network
(PLC 5069, TD Second Copper
201 5 8 3 120 N ''Client'' 5 7 3 105 N 12.5
RIO Rack 3, Break
MCC Network
Controller 193,
WR RIO Rack 1
and Ethernet/IP
Tap 1783 1.175) Spares, Training
Ethernet/IP Tap HMI on, no impact none ''Confidential''
1783 ETAP1F on operations Comms Alarm
1.172 to other
nodes on the
''Confidential'
Fiber optic Any FO Cable
202 ' DCR CIP 5 2 3 30 Y ''Client'' 5 2 3 30 Y 0.0
network break in the loop
Panel
(Ethernet/IP Tap
1783 1.175 and
Ethernet/IP Tap
1783 1.176) Spares, Training
Ethernet/IP Tap Lose RN and TD Shut down, Make ''Confidential''
1783 ETAP1F Well Safe Comms Alarm
1.172 to other
nodes on the
Fiber optic Second Fiber
203 5 8 3 120 N ''Client'' 5 7 3 105 N 12.5
network Break
(Ethernet/IP Tap
1783 1.175 and
Ethernet/IP Tap
1783 1.176) Spares, Training
Ethernet/IP Tap Lose TD function Shut down, Make ''Confidential''
''Confidential' 1783 ETAP1F No Impact RN Well Safe Comms Alarm
204 ' TD Remote 1.176 to TD Cable break 5 8 3 120 N ''Client'' 5 7 3 105 N 12.5
I/O Panel Rack 4 (1794-
AENT RIO) 1.177 Spares, Training
Lose TD function Shut down, Make ''Confidential''
205 Unit failure No Impact RN 4 8 Well Safe Comms Alarm 3 96 Y ''Client'' 4 8 3 96 Y 0.0
Spares, Training
''Confidential' Lose TD function Shut down, Make ''Confidential''
TD Remote I/O Communication
206 ' TD Remote No Impact RN 4 8 Well Safe Comms Alarm 3 96 Y ''Client'' 4 8 3 96 Y 0.0
interface 1.177 interface failure Spares, Training
I/O Panel
Lose TD function Shut down, Make ''Confidential''
207 Power failure No Impact RN 5 8 Well Safe Comms Alarm 3 120 N ''Client'' 5 8 3 120 N 0.0
Spares, Training

Confidential to ACES GQS - Evaluation Only 69


www.kingston-systems.com
Rank New New rank %
Item Operational RAN Complet New New New
Parent Part Part Failing Failure Type Effect of Failure OCC SEV Detection Mode DET Accep Mitigating Action Respon- sible Ran Acceptabl Reduction
# Action K Date Occ Sev DET
t k e in RPN
TD Rack 4 (1794- Can still operate TD, Continue with ''Confidential''
''Confidential' AENT RIO) 1.177 Loose analogue and caution, repair Comms Alarm
208 ' TD Remote to extension Cable break RTD(temp) 5 5 when possible 3 75 Y ''Client'' 5 5 3 75 Y 0.0
I/O Panel module 1794-
CE1/3 Spares, Training
Can still operate TD, Continue with ''Confidential''
209 Unit failure Loose analogue and 4 5 caution, repair Comms Alarm 3 60 Y ''Client'' 4 5 3 60 Y 0.0
''Confidential' TD Remote I/O RTD(temp) when possible Spares, Training
' TD Remote interface 1793
Can still operate TD, Continue with ''Confidential''
I/O Panel CE1/3
210 Power failure Loose analogue and 4 5 caution, repair Comms Alarm 3 60 Y ''Client'' 4 5 3 60 Y 0.0
RTD(temp) when possible Spares, Training
loss of td and RN Shut down, Make ''CONFIDENTIAL''
function Well Safe Alarms, HMI No
211 CPU fault 4 8 3 96 Y ''Client'' 4 8 3 96 Y 0.0
Comms on
''Confidential'' HMI Spares, Training
loss of td and RN Shut down, Make ''CONFIDENTIAL''
Communication function Well Safe Alarms, HMI No
212 4 8 3 96 Y ''Client'' 4 8 3 96 Y 0.0
interface failure Comms on
''Confidential'' HMI Spares, Training
loss of td and RN Shut down, Make ''CONFIDENTIAL''
function Well Safe Alarms, HMI No
213 Power failure 4 8 3 96 Y ''Client'' 4 8 3 96 Y 0.0
Comms on
''Confidential'' HMI Spares, Training
Unknown ETs to follow Difficult for Ops ''Confidential''
Regression issue correct SMOC on ET, ''Confidential'' SMOC
upgrades, check date, Implementation,
installs, vendor version etc. ''Client'' PM and
visits SMOC

''Confidential'',
Software Version
214 6 8 8 384 N Jesus, confirm ''Confidential'', ''Client'' 5 6 3 90 Y 76.6
back up on rig
Checksum for PLC
''Confidential' vs. Server
''Confidential'' compare
' DCR CIP
TD/Wrench PLC
Panel
Suggest ''Client''
keep a configured
spare on site
no impact. Because Minor Impact PLC alarm,
'in theory' on PLC ''Confidential'' HMI
boot, the application Alarm
is loaded from the
215 Battery low/Dies 4 2 2 16 Y ''Client'' 4 2 2 16 Y 0.0
flash card. All setting
should be uploaded
from PLC application
or Server Spare, Training
Nothing until second Impact could be
failure of internal 3-8
216 PLC Flash Card Memory/program. 4 3 6 72 Y ''Client'' 4 3 6 72 Y 0.0
Spare, Training,
PLC fault indicator,
Verify PMs and
but no HMI fault
checks of cabinets
Depends Depends, PLC alarm,
Potentially TD ''Confidential'' HMI
I/O Card/Module
217 4 8 Down Alarm 5 160 N ''Client'' 4 8 5 160 N 0.0
fault
Visual indication
of equipment fault Spare, Training
''Confidential' ''Confidential'' Lose TD and RN Shut down, Make ''CONFIDENTIAL''
Lost Comm. With
218 ' DCR CIP TD/Wrench PLC 4 8 Well Safe, Alarms, 3 96 Y ''Client'' 4 8 3 96 Y 0.0
CPU3
Panel Communication Equipment Stops, Spare, Training

Confidential to ACES GQS - Evaluation Only 70


www.kingston-systems.com
Rank New New rank %
Item Operational RAN Complet New New New
Parent Part Part Failing Failure Type Effect of Failure OCC SEV Detection Mode DET Accep Mitigating Action Respon- sible Ran Acceptabl Reduction
# Action K Date Occ Sev DET
t k e in RPN
fault All Movement stops, Equipment stops, ''CONFIDENTIAL'' ''CONFIDENTIAL''
Maintain Control of safety check, Alarms, to add a bypass
TD and RN, invisible/override Equipment Stops, button for ZMS,
equipment, Ensure it is in test
''Confidential'' PTW/JSA for procedures and
Cannot Extend link operations… Manuals.
tilt, open elevators, or new BYPASS
Block TD Rotate, button
Block TD BUW ''CONFIDENTIAL''
Lost Comm. With Close. can look at option
219 And RN is ZMS'd out 4 7 3 84 Y of option of ''CONFIDENTIAL'' 4 6 3 72 Y 14.3
CPU4
copying the
''Confidential'' Data
block to pass-
through the
Control PLC.

Lose 1 of 2 backup very minimal Visual


Lost Comm. With HMIs (not primary)
220 No impact to 6 2 2 24 Y 6 2 2 24 Y 0.0
HMI Client 1.180
maintenance NA
Lose 1 of 2 backup very minimal Visual
Lost Comm. With HMIs (not primary)
221 No impact to 6 2 2 24 Y 6 2 2 24 Y 0.0
HMI Client 1.181
maintenance NA
Keep RN, Can link tilt, but Alarms on all HMI,
Lost Comm. With Lose TD Rotation no drill, Equipment not
222 Maintain Hydraulic 7 8 available 2 112 N ''Client'' 7 8 2 112 N 0.0
TD VFD
function
Training, SOP
Lose RN, not Remove RN, Alarms on all HMI,
Lost Comm. With
223 operable 6 7 prepared for ops Equipment not 3 126 N ''Client'' 6 7 3 126 N 0.0
WR Rack 1 1.156
without RN available Training, SOP
Lose RN, not Remove RN, Alarms on all HMI,
Lost Comm. With
224 operable 6 7 prepared for ops Equipment not 3 126 N ''Client'' 6 7 3 126 N 0.0
WR Rack 2 1.158
without RN available Training, SOP
Lose TD and RN, Shut down, Make Alarms on all HMI,
Lost Comm. With
225 not operable 6 8 Well Safe Equipment not 3 144 N ''Client'' 6 8 3 144 N 0.0
TD Rack 3 1.173
available Training, SOP
TD down, Hydraulics Shut down, Make Alarms on all HMI,
Lost Comm. With
226 down 5 8 Well Safe Equipment not 3 120 N ''Client'' 5 8 3 120 N 0.0
TD Rack 4 1.177
available Training, SOP
Lost Comm. With TD down, Lose RN, Shut down, Make Alarms on all HMI,
227 MCC Device net Hydraulics down 5 8 Well Safe Equipment not 3 120 N ''Client'' 5 8 3 120 N 0.0
Controller 1.174 available Training, SOP
Lose Historian Minimal. Comms lost alarm
Lost Comm. With Lose historian on ''Confidential''
228 5 4 3 60 Y ''Client'' 5 4 3 60 Y 0.0
Server 1.11 capabilities HMI. Training, SOP
Lose TD and RN, Shut down, Make Alarms on all HMI,
229 Unit failure not operable 4 8 Well Safe Equipment not 3 96 Y ''Client'' 4 8 3 96 Y 0.0
available Training, SOP
''Confidential' Lose TD and RN, Shut down, Make Alarms on all HMI,
TD Remote I/O Communication
230 ' DCR CIP not operable 6 8 Well Safe Equipment not 3 144 N ''Client'' 6 8 3 144 N 0.0
interface 1.173 interface failure
Panel available Training, SOP
Lose TD and RN, Shut down, Make Alarms on all HMI,
231 Power failure not operable 4 8 Well Safe Equipment not 3 96 Y ''Client'' 4 8 3 96 Y 0.0
available Training, SOP
''Confidential' Lose RN, not Remove RN, Alarms on all HMI,
WR Remote I/O
232 ' DCR CIP Unit failure operable 4 7 prepared for ops Equipment not 3 84 Y ''Client'' 4 7 3 84 Y 0.0
interface 1.156
Panel without RN available Training, SOP

Confidential to ACES GQS - Evaluation Only 71


www.kingston-systems.com
Rank New New rank %
Item Operational RAN Complet New New New
Parent Part Part Failing Failure Type Effect of Failure OCC SEV Detection Mode DET Accep Mitigating Action Respon- sible Ran Acceptabl Reduction
# Action K Date Occ Sev DET
t k e in RPN
Lose RN, not Remove RN, Alarms on all HMI,
Communication
233 operable 6 7 prepared for ops Equipment not 3 126 N ''Client'' 6 7 3 126 N 0.0
interface failure
without RN available Training, SOP
Lose RN, not Remove RN, Alarms on all HMI,
234 Power failure operable 4 7 prepared for ops Equipment not 3 84 Y ''Client'' 4 7 3 84 Y 0.0
without RN available Training, SOP
TD down, Lose RN, Shut down, Make Alarms on all HMI,
235 Unit failure Hydraulics down 4 8 Well Safe Equipment not 3 96 Y ''Client'' 4 8 3 96 Y 0.0
available Training, SOP
''Confidential' TD down, Lose RN, Shut down, Make Alarms on all HMI,
Devicenet Communication
236 ' DCR CIP Hydraulics down 6 8 Well Safe Equipment not 3 144 N ''Client'' 6 8 3 144 N 0.0
Controller 1.174 interface failure
Panel available Training, SOP
TD down, Lose RN, Shut down, Make Alarms on all HMI,
237 Power failure Hydraulics down 4 8 Well Safe Equipment not 3 96 Y ''Client'' 4 8 3 96 Y 0.0
available Training, SOP
Only effects when maintenance HMI alarm
power fails. Systems reviews…
alarms.
Potential improper
238 Unit failure 5 2 2 20 Y ''Client'' 4 2 2 16 Y 20.0
shutdown, could
lose set points,
''Confidential'
UPS Power potential corruption
' DCR CIP
Supply of OS Maintenance
Panel
limited UPS life, maintenance Audio and UPS
May impact power reviews… HMI Alarm
Battery low or fail down cycle, and Maintenance,
239 5 2 2 20 Y ''Client'' 3 2 2 12 Y 40.0
or end of life potentially corrupt Replace and
OS code, monitor plans as
Audio alarm part of PM
''Confidential' Drawings not ready
240 ' DCR CIP Surge Protector Unit failure 0
Panel
''Confidential' DC power supply Drawings not ready
241 ' DCR CIP (Phoenix 24Vdc; Unit failure 0
Panel 20A)
TD will have May require no alarm
rotational issues, troubleshooting
after troubleshooting to understand
can use TD in issue
''Confidential'
encoder less mode Minimal - training
242 ' DCR CIP TD Encoder Unit failure 5 7 5 175 N ''Client'' 5 6 5 150 N 14.3
Accuracy on Torque required.
Panel
and speed at 85- Accuracy of TD
90% at 85-90%. Z-
Torque not
available Training Spares
''Confidential' Rockit software Driller loses ''Confidential''
TD PLC Encoder
243 ' DCR CIP Unit failure lost… 4 5 automated slide Alarm 3 60 Y ''Client'' 4 5 3 60 Y 0.0
Controller
Panel Training Spares

Cmd Sent, dangerous: Verify via


executed, not Currently prevented Commissioning
244 1 1
Received by via COMMS LOST testing
''CONFIDENTIAL'' Protection
''CONFIDENTIAL'' Stop via COMMS Alarms, Lack of
needs to lock all LOSS as response to
Link tilt retract
Cmd Sent, motion DESIGN.. Repair controls
Executed, but and continue.
245 7 4 3 84 Y ''CONFIDENTIAL'' 7 4 3 84 Y 0.0
then COMMS
LOST, Verify via
Commissioning
testing Verify in Testing

Confidential to ACES GQS - Evaluation Only 72


www.kingston-systems.com
Rank New New rank %
Item Operational RAN Complet New New New
Parent Part Part Failing Failure Type Effect of Failure OCC SEV Detection Mode DET Accep Mitigating Action Respon- sible Ran Acceptabl Reduction
# Action K Date Occ Sev DET
t k e in RPN
DW prevented by Stop via COMMS Alarms, Lack of
Wrench Status, DW LOSS as response to
prevented by DESIGN.. Repair controls
Command not
''Confidential' TD backup Comms Loss. and continue.
246 executed due to 7 4 3 84 Y ''CONFIDENTIAL'' 7 4 3 84 Y 0.0
' TD wrench status
Comms Loss
Verify via
Commissioning
testing Verify in Testing
No positive Could damage Visual only
Feedback post equipment.
TD backup Mechanical failure
247 command. 4 7 Visual verification 7 196 N ''Client'' 4 6 3 72 Y 63.3
wrench status post command
and training Sensor?
required Training
potentially no alarm, Uncertain Alarm?
No electrical ''CONFIDENTIAL' ''Confidential''/
TD Elevator Load
detection of failure ' to Verify ''CONFIDENTIAL''
''Confidential' sensor active
248 Sensor failure 6 8 to verify how to 8 384 N Potentially to use ''Client'' 6 8 8 384 Y 0.0
' TD (Pressure Switch
detect… failure Traveling Block
0 or 1)
and impact of load cell in lieu of
failure this sensor
No positive Could damage Visual only Sensor?
Feedback post equipment. ? Require Drilling
TD Elevator Load
command. Visual verification interaction push
''Confidential' sensor active Mechanical failure
249 6 8 and training 8 384 N button? Likely this ''Client'' 6 8 8 384 Y 0.0
' TD (Pressure Switch post command
required is not a practical
0 or 1)
solution
Training
''Confidential' TD PH at Command not Duplicate with Link
250 Tilt 0 0
' TD dangerous angle executed
''Confidential' Block TD link tilt Command not Covered with
251 Comms 0 0
' TD status executed
NO electrical Respond and Lack of Feedback
''Confidential' TD Elevator open detection of Failure Repair leads to Alarm
252 Failure of Sensor 6 7 5 210 N ''Client'' 5 7 5 175 N 16.7
' TD sensor until you send a 3rd party Spares,
command Maint
NO electrical Respond and Lack of Feedback
''Confidential' TD Elevator detection of Failure Repair leads to Alarm
253 Failure of Sensor 6 7 5 210 N ''Client'' 5 7 5 175 N 16.7
' TD Closing Status until you send a 3rd party Spares,
command Maint
Blow seals, Blow Potential Well Visual Indication
Pop-Offs Mgmt. Situation.
May have IBOP
IBOP
''Confidential' Mechanical failure Well Control open when think
254 Open/Closed 4 9 5 180 N ''Client'' 3 8 5 120 N 33.3
' TD post command Situation it is closed
Status
Can use manual
control on TD Training, Maint
Fault indicated, no have to Manually ZMS message
auto extend/retract. Extend and and interlock, And
Have to bypass, Retract. alarms on fault
Linear transducer
255 Reported to ZMS by 5 6 In Override Mode and alarms on 2 60 Y ''Client'' 5 6 2 60 Y 0.0
fault
healthy signal - bypass
prevent other Maintenance,
''Confidential'
WR Location equipment Spares
' WR
Fault indicated, no have to Manually ZMS message
auto rotated. Have Rotate, (auto and interlock, And
Rotational to bypass, Reported Extend) then user alarms on fault
256 5 6 2 60 Y ''Client'' 5 6 2 60 Y 0.0
Encoder fault to ZMS by healthy verify position on and alarms on
signal - prevent screen bypass Maintenance,
other equipment In Override Mode Spares

Confidential to ACES GQS - Evaluation Only 73


www.kingston-systems.com
Rank New New rank %
Item Operational RAN Complet New New New
Parent Part Part Failing Failure Type Effect of Failure OCC SEV Detection Mode DET Accep Mitigating Action Respon- sible Ran Acceptabl Reduction
# Action K Date Occ Sev DET
t k e in RPN
Software delay Manual Software will
detects problems in Use/Positioning report and issue
command execution, of cassette
Vertical
stops command and
257 movement proxy 5 5 3 75 Y ''Client'' 4 5 3 60 Y 20.0
alerts uses.
sensor fault
ZMS no effect - ir- Maintenance,
relevant Spares
no action. Operation Potential ZMS Visual upon
not possible. issues if no open failure
.
WR Upper Tong Electro/Mechanica If not open ZMS may Need visual
''Confidential'
258 Closed/Open l fault post assume incorrect 4 5 confirmation of 7 140 N ''Client'' 3 5 7 105 Y 25.0
' WR
Status command status action
Repair and use
manual method if
possible Training, Maint
no action. Operation Potential ZMS Visual upon
not possible. issues if no open failure
.
WR Lower Tong Electro/Mechanica If not open ZMS may Need visual
''Confidential'
259 Closed/Open l fault post assume incorrect 4 5 confirmation of 7 140 N ''Client'' 3 5 7 105 Y 25.0
' WR
Status command status action
Repair and use
manual method if
possible Training, Maint
no action. Operation Potential ZMS Visual upon
not possible. issues if no open failure
.
WR Spinner
Electro/Mechanica If not open ZMS may Need visual
''Confidential' Clamp
260 l fault post assume incorrect 4 5 confirmation of 7 140 N ''Client'' 3 5 7 105 Y 25.0
' WR Open/Closed
command status action
Status
Repair and use
manual method if
possible Training, Maint
not a concern
''Confidential' RN Horizontal Command not Liner Transducer
261 1 1 1 1 Y 1 1 1 1 Y 0.0
' WR Retracted executed provides positive
feedback

not a concern,
Drill mode Signal or Sensor covered by lost
262 0 0
Selected Fail comms, or other
positive indicator
not a concern,
Signal or Sensor covered by lost
263 TD Speed Zero 0 0
Fail comms, or other
positive indicator
not a concern,
TD LWCV Signal or Sensor covered by lost
264 0 0
Opened Fail comms, or other
positive indicator
ZMS TD
not a concern,
TD Elevator Signal or Sensor covered by lost
265 0 0
Opened Fail comms, or other
positive indicator
not a concern,
Torque Mode Signal or Sensor covered by lost
266 0 0
Selected Fail comms, or other
positive indicator
not a concern,
Signal or Sensor covered by lost
267 BUW Closed 0 0
Fail comms, or other
positive indicator

Confidential to ACES GQS - Evaluation Only 74


www.kingston-systems.com
Rank New New rank %
Item Operational RAN Complet New New New
Parent Part Part Failing Failure Type Effect of Failure OCC SEV Detection Mode DET Accep Mitigating Action Respon- sible Ran Acceptabl Reduction
# Action K Date Occ Sev DET
t k e in RPN
not a concern,
Signal or Sensor covered by lost
268 LWCV Closed 0 0
Fail comms, or other
positive indicator
Signal or Sensor Duplicate
269 Elevator Closed 0 0
Fail
Block Link Signal or Sensor
270 0 0
Extended Fail
Block Elevator Signal or Sensor Duplicate
271 0 0
Open Fail
Signal or Sensor Duplicate
272 Block TD Rotate 0 0
Fail
not a concern,
Signal or Sensor covered by lost
273 Block BUW Close 0 0
Fail comms, or other
positive indicator
not a concern,
Signal or Sensor covered by lost
274 TD Not Valid 0 0
Fail comms, or other
positive indicator
Slips Enable Signal or Sensor not important
275 0 0
Indicator Fail
Verify If use command
from valve +
Signal or Sensor
276 Slips closed 0 feedback on ''CONFIDENTIAL'' 0
Fail
ZMS Slips switch - it will be
safer
Signal or Sensor Comms Loss
277 Block Slip close Duplicate 0 0
Fail
Signal or Sensor Comms Loss
278 Block Slip Open Duplicate 0 0
Fail
If unhealthy DFMA Manually move Alarm, and HMI
Signal or Sensor become unavailable. DFMA and visual, ZMS
279 DFMA Data Valid Which is verification 4 5 Continue indication 3 60 Y ''Client'' 4 5 3 60 Y 0.0
Fail
of Linear Transducer
Spares
ZMS DFMA Block DFMA Signal or Sensor Comms Loss
280 Duplicate 0 0
Extend Fail
Have indication of DFMA Alarm
DFMA Position Signal or Sensor problem and unavailable
281 5 5 4 100 Y 5 5 4 100 Y 0.0
Indication Fail assume broken
Depends on last
MP Block command to IBOP
282 ZMS MP Interlock 0 0
Pumping by ''Confidential''
not a concern,
Floor Wrench Signal or Sensor covered by lost
283 0 0
Data Valid Fail comms, or other
positive indicator
Signal or Sensor Duplicate
284 RN Rotation Pos 0 0
Fail
RN Horizontal Signal or Sensor duplicate
285 0 0
Pos Fail
Signal or Sensor duplicate
286 ZMS RN RN Vertical Pos 0 0
Fail
RN Hori Signal or Sensor Covered by Comms
287 Lost 0 0
Retracted Fail
Spin Clamps Signal or Sensor Duplicate
288 0 0
Closed Fail
Signal or Sensor Duplicate
289 Tongs Closed 0 0
Fail
Signal or Sensor optional? Covered
290 Breaking out by Comms Lost 0 0
Fail

Confidential to ACES GQS - Evaluation Only 75


www.kingston-systems.com
Rank New New rank %
Item Operational RAN Complet New New New
Parent Part Part Failing Failure Type Effect of Failure OCC SEV Detection Mode DET Accep Mitigating Action Respon- sible Ran Acceptabl Reduction
# Action K Date Occ Sev DET
t k e in RPN
Signal or Sensor optional? Covered
291 Making up by Comms Lost 0 0
Fail
Signal or Sensor Covered by Comms
Item | Parent Part | Part Failing | Failure Type | Effect of Failure | Operational Action | OCC | SEV | Detection Mode | DET | RANK | Accept | Mitigating Action | Responsible | Complete Date | New Occ | New Sev | New DET | New Rank | New Accept | % Reduction in RPN
292 | ZMS RN | Block RN Extend | Signal or Sensor Fail | ... Lost | - | - | - | - | - | 0 | - | - | - | - | - | - | - | 0 | - | -
293 | ZMS RN | Block RN make up | Signal or Sensor Fail | Possibly not Needed | - | - | - | - | - | 0 | - | - | - | - | - | - | - | 0 | - | -
294 | ZMS RN | Block RN Break Out | Signal or Sensor Fail | Possibly not Needed | - | - | - | - | - | 0 | - | - | - | - | - | - | - | 0 | - | -
295 | ZMS RN | Block RN Rotate CW | Signal or Sensor Fail | Covered by Comms Lost | - | - | - | - | - | 0 | - | - | - | - | - | - | - | 0 | - | -
296 | ZMS RN | Block RN Rotate CCW | Signal or Sensor Fail | Covered by Comms Lost | - | - | - | - | - | 0 | - | - | - | - | - | - | - | 0 | - | -
297 | ZMS CW | CW Data Valid | Signal or Sensor Fail | If unhealthy, CW becomes unavailable. Linear transducer on piston is used for height of arm | Can use CW locally (hydraulic control) | 5 | 5 | Alarm, HMI visual, ZMS indication | 4 | 100 | Y | Spares | ''Client'' | - | 5 | 5 | 4 | 100 | Y | 0.0
298 | ZMS CW | Block Lift up | - | Indicator only | NA | - | - | - | - | 0 | - | - | - | - | - | - | - | 0 | - | -
299 | ZMS RT | RT Locked | Signal or Sensor Fail | How to tell if RT locked? And why is this on the ZMS table? Verify that this is still needed | - | - | - | - | - | 0 | - | - | - | - | - | - | - | 0 | - | -
300 | ZMS RT | Block RT Rotate | Signal or Sensor Fail | Comms Loss duplicate | - | - | - | - | - | 0 | - | - | - | - | - | - | - | 0 | - | -
301 | ZMS STV | ZMS on for STV | - | Indicator only | NA | - | - | - | - | 0 | - | - | - | - | - | - | - | 0 | - | -
302 | ZMS STV | STV Travel at WC | Signal or Sensor Fail | No indication, prox fails | Will need to ignore STV with PTW and operate STV with caution | 4 | 7 | User detection via visual conflict with panel | 4 | 112 | N | Training, Maint, Spares | ''Client'' | - | 4 | 7 | 3 | 84 | Y | 25.0
303 | ZMS STV | STV Slew DS | Signal or Sensor Fail | No indication, prox fails | Will need to ignore STV with PTW and operate STV with caution | 4 | 7 | User detection via visual conflict with panel | 4 | 112 | N | Training, Maint, Spares | ''Client'' | - | 4 | 7 | 3 | 84 | Y | 25.0
304 | ZMS STV | STV Clamps Open | Signal or Sensor Fail | No indication, prox fails | Will need to ignore STV with PTW and operate STV with caution | 4 | 7 | User detection via visual conflict with panel | 4 | 112 | N | Training, Maint, Spares | ''Client'' | - | 4 | 7 | 3 | 84 | Y | 25.0
305 | ZMS STV | STV Arm Retracted | Signal or Sensor Fail | No indication, prox fails | Will need to ignore STV with PTW and operate STV with caution | 4 | 7 | User detection via visual conflict with panel | 4 | 112 | N | Training, Maint, Spares | ''Client'' | - | 4 | 7 | 3 | 84 | Y | 25.0
306 | ZMS STV | STV Slew ODS | Signal or Sensor Fail | No indication, prox fails | Will need to ignore STV with PTW and operate STV with caution | 4 | 7 | User detection via visual conflict with panel | 4 | 112 | N | Training, Maint, Spares | ''Client'' | - | 4 | 7 | 3 | 84 | Y | 25.0
307 | ZMS STV | Block Arm Extend | Signal or Sensor Fail | Comms Loss duplicate | - | - | - | - | - | 0 | - | - | - | - | - | - | - | 0 | - | -
308 | ZMS STV | Block Clamp Open | Signal or Sensor Fail | Comms Loss duplicate | - | - | - | - | - | 0 | - | - | - | - | - | - | - | 0 | - | -
309 | ZMS STV | Block Arm Retract | Signal or Sensor Fail | Comms Loss duplicate | - | - | - | - | - | 0 | - | - | - | - | - | - | - | 0 | - | -
310 | ZMS DW | DW Data Valid Signal | - | Indicator only | NA | - | - | - | - | 0 | - | - | - | - | - | - | - | 0 | - | -

Confidential to ACES GQS - Evaluation Only 76

www.kingston-systems.com
311 | ZMS DW | TB Position | Signal or Sensor Fail | If unhealthy, DW stops; recalibrate if possible or replace prox switch | Assess, repair. Potential downtime; do have CREEP capability | 5 | 5 | Alarm, HMI visual, ZMS indication | 3 | 75 | Y | Spares. Suggested: when one encoder is bad, trigger alarm; should activate ZMS and protect machines from colliding with TB. Operator disables measurement, resets alarm and the ZMS interlock goes away | ''Client'' | - | 5 | 4 | 3 | 60 | Y | 20.0
312 | ZMS DW | TB Speed | Signal or Sensor Fail | If unhealthy, DW stops; recalibrate if possible or replace prox switch | Assess, repair. Potential downtime; do have CREEP capability | 5 | 5 | Alarm, HMI visual, ZMS indication | 3 | 75 | Y | Spares | ''Client'' | - | 5 | 4 | 3 | 60 | Y | 20.0
313 | ZMS DW | Block TB up | Signal or Sensor Fail | Comms Loss duplicate | - | - | - | - | - | 0 | - | - | - | - | - | - | - | 0 | - | -
314 | ZMS DW | Block TB Down | Signal or Sensor Fail | Comms Loss duplicate | - | - | - | - | - | 0 | - | - | - | - | - | - | - | 0 | - | -
315 | ZMS Mud Bucket | MH home position | Signal or Sensor Fail | Removed | - | - | - | - | - | 0 | - | - | - | - | - | - | - | 0 | - | -
316 | ZMS Mud Bucket | MB park position | Signal or Sensor Fail | Removed | - | - | - | - | - | 0 | - | - | - | - | - | - | - | 0 | - | -
317 | ZMS Mud Bucket | Block MB extend | Signal or Sensor Fail | Removed | - | - | - | - | - | 0 | - | - | - | - | - | - | - | 0 | - | -
318 | ZMS | ZMS Override fail | Comms Loss | - | - | - | - | - | - | 0 | - | - | - | - | - | - | - | 0 | - | -
319 | ZMS | ZMS Invisible fail | Comms Loss | - | - | - | - | - | - | 0 | - | Suggest the Invisible feature have password protection. Suggest Invisible requires PTW | ''CONFIDENTIAL'' | Before final test | - | - | - | 0 | - | -
320 | RIG Power station 600VAC BUS | Ground fault | - | Blackout? | - | - | - | - | - | 0 | - | - | - | - | - | - | - | 0 | - | -
321 | RIG Power station 600VAC BUS | Main breaker (Q8) | fault/Trip | VFDs available? UPS has control, lose HPU, computers still on. Can start standby or emergency Gen, then start MCC and get safe on well | Via semi-controlled (no hydraulic) | 5 | 7 | None; immediate shut down to repair | 7 | 245 | N | Confirm drilling SOP and training for Blackout/Brownout | ''Client'' Operations | - | 5 | 7 | 6 | 210 | N | 14.3
322 | RIG Power station 600VAC BUS | >>THD (Total Harmonic Distortion) | - | Potential trip/blackout and permanent damage to electrical equipment | Potential blackout response | 5 | 8 | None; immediate | 7 | 280 | N | Suggest review of filtering and monitoring options | ''CONFIDENTIAL'' / ''Client'' Operations | - | 4 | 8 | 2 | 64 | Y | 77.1
323 | RIG Power station | GEN 1 to GEN 5 | One or more faulty generators | Could go into power limit, but low probability | If power limit, manage and start another Gen | 7 | 6 | Alarm on power limit | 4 | 168 | N | Confirm drilling SOP and maintenance training | ''Client'' Operations | - | 5 | 6 | 3 | 90 | Y | 46.4
324 | RIG Power station | Transformer -T1 | Ground fault | Potential blackout | Respond to blackout, make well safe and repair | 3 | 9 | Have monitoring | 4 | 108 | N | Confirm drilling SOP and training for Blackout/Brownout | ''Client'' Operations | - | 3 | 7 | 4 | 84 | Y | 22.2
325 | RIG Power station | Transformer -T1 | High temperature | Potential transformer failure and damage | Maintenance to respond | 4 | 5 | Alarmed? | 2 | 40 | Y | - | - | - | 5 | 4 | 2 | 40 | Y | 0.0
326 | RIG Power station | Transformer -T1 | Low oil | Potential transformer failure and damage | Maintenance to respond | 4 | 5 | Alarmed? | 2 | 40 | Y | - | - | - | 4 | 5 | 2 | 40 | Y | 0.0
327 | RIG Power station 400VAC BUS | System interlock failure | Double failure post 600VAC fail | Blackout | Blackout: make well safe, maintenance to respond | 3 | 9 | None; immediate | 7 | 189 | N | Confirm drilling SOP and training for Blackout/Brownout; PMs | ''Client'' Operations | - | 2 | 9 | 4 | 72 | N | 61.9
328 | RIG Power station 400VAC BUS | 400Vac RCD | trip | Need to verify impact | - | - | - | - | - | 0 | - | - | - | - | - | - | - | 0 | - | -
329 | RIG Power station 400VAC BUS | Breaker -Q9 | fault/Trip | Need to verify impact | - | - | - | - | - | 0 | - | - | - | - | - | - | - | 0 | - | -
330 | RIG Power station | VFD TD | Unit fault | Lose VFD and equipment, but not hydraulics and aux equipment. May not be able to restart VFD | May not be able to restart VFD. Plan for safe well without TD rotation | 3 | 8 | Alarmed | 5 | 120 | N | Operating, Maintenance and Repair SOP. Suggestion: install a breakover switch between TD and MP1 VFD | ''CONFIDENTIAL''/''Client'' | - | 3 | 7 | 4 | 84 | Y | 30.0
331 | RIG Power station | VFD TD | Unit trip | Lose TD, have hydraulics | Investigate and restart | 5 | 8 | Alarmed | 4 | 160 | N | Operating, Maintenance and Repair SOP. Suggestion: install a breakover switch between TD and MP1 VFD | ''CONFIDENTIAL''/''Client'' | - | 5 | 7 | 4 | 140 | N | 12.5
332 | RIG Power station | VFD MP1 | Unit fault | Lose VFD and equipment, but not hydraulics and aux equipment. May not be able to restart VFD | May not be able to restart | 3 | 7 | Alarmed | 4 | 84 | Y | Operating, Maintenance and Repair SOP | ''Client'' Operations | - | 3 | 7 | 4 | 84 | Y | 0.0
333 | RIG Power station | VFD MP1 | Unit trip | Lose equipment for short time | Investigate and restart | 5 | 7 | Alarmed | 4 | 140 | N | Operating, Maintenance and Repair SOP | ''Client'' Operations | - | 5 | 7 | 4 | 140 | N | 0.0
334 | RIG Power station | VFD MP2 | Unit fault | Lose VFD and equipment, but not hydraulics and aux equipment. May not be able to restart VFD | May not be able to restart | 3 | 7 | Alarmed | 4 | 84 | Y | Operating, Maintenance and Repair SOP | ''Client'' Operations | - | 3 | 7 | 4 | 84 | Y | 0.0
335 | RIG Power station | VFD MP2 | Unit trip | Lose equipment for short time | Investigate and restart | 5 | 7 | Alarmed | 4 | 140 | N | Operating, Maintenance and Repair SOP | ''Client'' Operations | - | 5 | 7 | 4 | 140 | N | 0.0
336 | RIG Power station | VFD MP3 | Unit fault | Lose VFD and equipment, but not hydraulics and aux equipment. May not be able to restart VFD | May not be able to restart | 3 | 7 | Alarmed | 4 | 84 | Y | Operating, Maintenance and Repair SOP | ''Client'' Operations | - | 3 | 7 | 4 | 84 | Y | 0.0
337 | RIG Power station | VFD MP3 | Unit trip | Lose equipment for short time | Investigate and restart | 5 | 7 | Alarmed | 4 | 140 | N | Operating, Maintenance and Repair SOP | ''Client'' Operations | - | 5 | 7 | 4 | 140 | N | 0.0
338 | RIG Power station | VFD DW A | Unit fault | Lose VFD and equipment, but not hydraulics and aux equipment. May not be able to restart VFD | Hard stop. May not be able to restart. Plan for ops with one motor | 3 | 7 | Alarmed | 4 | 84 | Y | Operating, Maintenance and Repair SOP | ''Client'' Operations | - | 3 | 7 | 4 | 84 | Y | 0.0
339 | RIG Power station | VFD DW A | Unit trip | - | Investigate and restart | 5 | 7 | Alarmed | 4 | 140 | N | Operating, Maintenance and Repair SOP | ''Client'' Operations | - | 5 | 7 | 4 | 140 | N | 0.0
340 | RIG Power station | VFD DW B | Unit fault | Lose VFD and equipment, but not hydraulics and aux equipment. May not be able to restart VFD | Hard stop. May not be able to restart. Plan for ops with one motor | 3 | 7 | Alarmed | 4 | 84 | Y | Operating, Maintenance and Repair SOP | ''Client'' Operations | - | 3 | 7 | 4 | 84 | Y | 0.0
341 | RIG Power station | VFD DW B | Unit trip | Lose equipment for short time | Investigate and restart | 5 | 7 | Alarmed | 4 | 140 | N | Operating, Maintenance and Repair SOP | ''Client'' Operations | - | 5 | 7 | 4 | 140 | N | 0.0
342 | RIG Power station | VFD RT | Unit fault | Lose VFD and equipment, but not hydraulics and aux equipment. May not be able to restart VFD | May not be able to restart | 3 | 6 | Alarmed | 4 | 72 | Y | Operating, Maintenance and Repair SOP | ''Client'' Operations | - | 3 | 6 | 4 | 72 | Y | 0.0
343 | RIG Power station | VFD RT | Unit trip | Lose equipment for short time | Investigate and restart | 5 | 6 | Alarmed | 4 | 120 | N | Operating, Maintenance and Repair SOP | ''Client'' Operations | - | 5 | 6 | 4 | 120 | N | 0.0
344 | RIG Power station | Braking resistor BU1 or BU2 | Unit fault | Should be OK, but will need to repair soon | No impact unless both trip, then hard stop and lose DW | 3 | 5 | Alarmed | 4 | 60 | Y | Operating, Maintenance and Repair SOP | ''Client'' Operations | - | 3 | 5 | 4 | 60 | Y | 0.0
345 | RIG Power station | Braking resistor BU1 or BU2 | Unit trip | Fine, reset and restart | No impact unless both trip, then hard stop and lose DW. Less impact | 5 | 5 | Alarmed | 4 | 100 | Y | Operating, Maintenance and Repair SOP | ''Client'' Operations | - | 5 | 5 | 4 | 100 | Y | 0.0
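The RANK, New Rank and % Reduction in RPN columns in this register are derived values: RANK = OCC x SEV x DET, and the reduction is (RANK - New Rank) / RANK, rounded to one decimal. The following Python is an added example, not part of the Kingston Systems report, that recomputes those columns from the scored rows on these pages, reports any cell that does not agree with the arithmetic, and lists the items whose revised score is still not acceptable after the mitigating action. The acceptance gate it applies (RANK at most 100 and SEV at most 8) is an assumption inferred from the Y/N pattern of these rows (100 is accepted, 108 and 112 are not, and a SEV 9 row scored 72 is not); the report's own rule is in its section 3.3, which is not reproduced here.

```python
"""Recompute the FMEA risk scores of the register above.

Added example, not part of the Kingston Systems report. RPN = OCC x SEV x DET and
"% Reduction in RPN" = (old - new) / old * 100 rounded to one decimal are standard
FMEA arithmetic. The acceptance gate (RPN_LIMIT, SEV_LIMIT) is an ASSUMPTION
inferred from the Y/N column of the rows on these pages, not a rule quoted from
the report's section 3.3.
"""
from dataclasses import dataclass

RPN_LIMIT = 100   # assumed: rows ranked above this are not accepted
SEV_LIMIT = 8     # assumed: a severity of 9 or more is never accepted on RPN alone


@dataclass(frozen=True)
class Row:
    item: int
    part: str
    occ: int
    sev: int
    det: int
    rank: int          # RANK as printed in the register
    accept: str        # Accept as printed ("Y"/"N")
    new_occ: int
    new_sev: int
    new_det: int
    new_rank: int      # New Rank as printed
    new_accept: str    # New Acceptable as printed
    reduction: float   # % Reduction in RPN as printed


# Scored rows copied from the register; the unscored "0 / 0" rows are omitted.
ROWS = [
    Row(297, "CW Data Valid",         5, 5, 4, 100, "Y", 5, 5, 4, 100, "Y", 0.0),
    Row(302, "STV Travel at WC",      4, 7, 4, 112, "N", 4, 7, 3,  84, "Y", 25.0),
    Row(311, "TB Position",           5, 5, 3,  75, "Y", 5, 4, 3,  60, "Y", 20.0),
    Row(321, "Main breaker (Q8)",     5, 7, 7, 245, "N", 5, 7, 6, 210, "N", 14.3),
    Row(322, "THD",                   5, 8, 7, 280, "N", 4, 8, 2,  64, "Y", 77.1),
    Row(323, "GEN 1 to GEN 5",        7, 6, 4, 168, "N", 5, 6, 3,  90, "Y", 46.4),
    Row(324, "Transformer -T1",       3, 9, 4, 108, "N", 3, 7, 4,  84, "Y", 22.2),
    Row(327, "System interlock",      3, 9, 7, 189, "N", 2, 9, 4,  72, "N", 61.9),
    Row(330, "VFD TD unit fault",     3, 8, 5, 120, "N", 3, 7, 4,  84, "Y", 30.0),
    Row(331, "VFD TD unit trip",      5, 8, 4, 160, "N", 5, 7, 4, 140, "N", 12.5),
    Row(333, "VFD MP1 unit trip",     5, 7, 4, 140, "N", 5, 7, 4, 140, "N", 0.0),
    Row(342, "VFD RT unit fault",     3, 6, 4,  72, "Y", 3, 6, 4,  72, "Y", 0.0),
    Row(343, "VFD RT unit trip",      5, 6, 4, 120, "N", 5, 6, 4, 120, "N", 0.0),
    Row(345, "Braking resistor trip", 5, 5, 4, 100, "Y", 5, 5, 4, 100, "Y", 0.0),
]


def rpn(occ: int, sev: int, det: int) -> int:
    """Risk Priority Number: occurrence x severity x detectability, each on a 1-10 scale."""
    for name, value in (("OCC", occ), ("SEV", sev), ("DET", det)):
        if not 1 <= value <= 10:
            raise ValueError(f"{name}={value} is outside the 1-10 FMEA scale")
    return occ * sev * det


def pct_reduction(old: int, new: int) -> float:
    """% Reduction in RPN, rounded to one decimal as the register prints it."""
    if old == 0:
        return 0.0   # unscored rows print 0 / 0 / 0.0
    return round((old - new) / old * 100, 1)


def acceptable(rank: int, sev: int) -> str:
    """Assumed acceptance gate inferred from the Y/N column (see module docstring)."""
    return "Y" if rank <= RPN_LIMIT and sev <= SEV_LIMIT else "N"


def check_row(row: Row) -> list[str]:
    """Discrepancies between the printed scores of one row and the recomputed ones."""
    problems = []
    old = rpn(row.occ, row.sev, row.det)
    new = rpn(row.new_occ, row.new_sev, row.new_det)
    if old != row.rank:
        problems.append(f"item {row.item}: RANK printed {row.rank}, computed {old}")
    if new != row.new_rank:
        problems.append(f"item {row.item}: New Rank printed {row.new_rank}, computed {new}")
    if pct_reduction(old, new) != row.reduction:
        problems.append(f"item {row.item}: reduction printed {row.reduction}, "
                        f"computed {pct_reduction(old, new)}")
    if acceptable(old, row.sev) != row.accept or acceptable(new, row.new_sev) != row.new_accept:
        problems.append(f"item {row.item}: acceptance does not match the assumed gate")
    return problems


def audit(rows: list[Row]) -> list[str]:
    """All discrepancies across the register; an empty list means it is self-consistent."""
    return [p for row in rows for p in check_row(row)]


def residual_risks(rows: list[Row]) -> list[int]:
    """Items whose revised score is still not acceptable after the mitigating action."""
    return [r.item for r in rows
            if acceptable(rpn(r.new_occ, r.new_sev, r.new_det), r.new_sev) == "N"]


if __name__ == "__main__":
    for line in audit(ROWS) or ["register arithmetic is self-consistent"]:
        print(line)
    print("still not acceptable after mitigation:", residual_risks(ROWS))
```

Run as a script it reports that every scored row on these pages agrees with the arithmetic, and lists items 321, 327, 331, 333 and 343 as carrying residual risk; that list is the set of rows a reviewer should expect to see revisited, since their mitigating action does not bring them under the gate. Item 327 is the one to note: its reduction is 61.9 percent, but a severity of 9 keeps it unaccepted regardless of the new RPN.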
Disclaimer: Kingston Systems LLC assumes no responsibility for any loss, physical or financial, or damage from actions taken or not taken in light of the comments or recommendations given or not given in this or any project communication