Restarting is the big problem, especially since your valves cannot close fast enough to prevent the problem. Items 1, 2 and 4 are not barriers since they cannot stop the problem once the choke is opened. This leaves a simple operator error causing the problem. Double jeopardy is not an issue. The problem needs to be reframed.
What interlocks are in place that prevent restarting? The systems that I've worked on have one or more shut down valves (SDV) upstream of the choke. These valves cannot be opened if the flowline pressure exceeds pressure safety high (PSH). In order to restart, a bypass choke is installed to bleed the flowline pressure to either process equipment or, if needed, to a flare. The bypass choke, not the production choke, is one of the sizing cases for the HP Separator PSV. Once the PSH is cleared, there cannot be a high differential pressure (PDSH) across the SDV or else it will not be allowed to open. In addition, the SDV cannot be opened unless the choke is closed. In all cases, the SDVs, PSH, and PDSH are parts of the instrumented protective system (IPF). The IPF is evaluated to make sure it meets the proper SIL level. Then this equipment is routinely tested according to both internal and regulatory specifications to maintain the SIL rating.
Now we are talking about several failures before the SDVs can open:
- The PSH must fail and
- The PDSH must fail and
- The Choke position indicator must fail.
- Or the SDV(s) (fail closed) spontaneously opens while the choke is wide open.