
Failing safely with shutdown systems

ControlGlobal.com

Keywords: shutdown systems, offshore oil platforms, process automation, process safety management, automation engineering, process automation technologies and industrial automation systems

This month's edition of Ask The Experts focuses on a reader's request for clarification of the international standards that govern the design of fire and gas shutdown systems for offshore oil and gas platforms.

QUESTION:

I NEED A clarification on the design of a fire and gas shutdown system for offshore oil and gas platforms. Why is it that most platforms across the globe are designed with a non-fail-safe fire and gas shutdown system, unlike the fail-safe process IPS design? Is there any international standard under ASME, ISA, IEC or equivalent which provides guidelines for the design? There is a clause in API RP 14F which says that the design should be non-fail-safe to prevent some unwanted condition, e.g., the starting of a fire-water pump or deluge system due to a cable cut or solenoid coil failure in the circuit under a 'no-fire' condition. Kindly clarify.


Janakiraman, Senior Instrument Engineer, Technip Geoproduction Sdn Bhd, Kuala Lumpur, Malaysia



ANSWERS

THE ISO equivalent of API 14C is ISO 10418:2003 “Basic Surface Safety Systems.” The API 14F equivalent is ISO 13702:1999 “Control & Mitigation of Fire & Explosions.”

ISO 10418 indicates a considerable level of doubt as to the reasonableness of allocating SIL in excess of 1 for gas and fire systems, borne out by experience (see UK North Sea statistics which indicate a very high proportion of releases detected only by personnel, not the instruments). This is not due to failure of the instrumentation detecting a release when it is in a position to see it, but due to the releases subscribing to Murphy’s Law, and appearing where the detectors are not.

The following passage is from ISO 13702 Annex B2 (Informative): ESD systems should be designed in accordance with recognized codes or standards applicable to the area of operation. Methods of determining functional requirements for electrical, electronic and programmable electronic systems and guidance on how these functional requirements can be achieved are given in Parts 1, 2 and 3 of IEC 61508. Loss of power or key input signals should be considered in determining the reliability of the ESD system.

The impact of loss of power and key input signals on the functionality of the ESD system should be considered. In many applications this may require that the ESD system is inherently "fail safe," such that the system achieves a safe condition. For more information on hydraulic and pneumatic systems which may supply power for ESD system operation, see clause B.13.

Further on: If the connection to the control room is lost, the fire-water pumps should start automatically.

From B.13: The failure mode of the essential safety system supplied by a pneumatic or hydraulic system should be considered, to ensure that the required integrity is maintained. It is generally preferred to have an arrangement where the pneumatic or hydraulic supply keeps the system in a normal operating condition and that failure of the pneumatic/hydraulic supply will cause the system to move to a safe condition.

As I read this, use of a “power to initiate” system is not recommended by the ISO standard.

Yes, the practice of isolating fire pumps to minimize hazard to divers is not unknown. Unfortunately, so is the loss of a platform due to such a practice coinciding with a fire.

Ian H. Gibson


YOUR QUESTION is very timely, in that the foundations that generated the “standard design” that you describe are all under active investigation at the moment. The current industry practice is being reviewed in light of new international standards for safety instrumented systems, such as ISA 84.00.01-2004 (IEC 61511) and IEC 61508.

With regard to the current state of design for fire and gas (F&G) systems, the basis for many of the engineering decisions that you currently see is a standard from the U.S. National Fire Protection Association (NFPA). The standard, NFPA 72, The National Fire Alarm Code, is a widely used document that many equipment vendors follow during their design and have their equipment certified against. Use of the NFPA 72 document is somewhat difficult for offshore platform operators due to the expanded scope of an F&G system over what is prescribed in the “Fire Alarm Code,” specifically in how to deal with combustible gas and toxic gas detection. Further establishing the use of NFPA 72 as a basis for F&G system design, you will find several references in the API 14 series of recommended practices where the NFPA 72 standard is invoked as good engineering practice for F&G systems.

The next question would be, “why does NFPA 72 recommend energize-to-trip for signaling systems?” The short answer is that a premium is placed on avoidance of nuisance trips as opposed to fail-safe performance. The financial burden of causing a Total Platform Shutdown as the result of a broken wire or sensor failure is seen as greatly exceeding the risk of non-performance in the unlikely event the system is required to act. You must also remember that a system designed in accordance with NFPA 72 will not have a significant risk of non-performance in the event of sensor failures or broken wires. This standard requires that means be present to detect and allow repair of faulty circuits in a very short time frame, i.e., automatic circuit integrity monitoring. There are many requirements in NFPA 72 regarding circuit integrity monitoring and testing to ensure that failures in the energize-to-trip circuits are promptly detected and repaired, making the difference in safety performance between energize-to-trip and de-energize-to-trip circuits quite small.
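The trade-off the second answer describes, a cut cable that either trips a de-energize-to-trip loop spuriously or sits undetected in an unsupervised energize-to-trip loop, is easiest to see in a small model of a supervised initiating device circuit. The following Python is an added illustration, not code from the answer, from NFPA 72 or from any vendor: the panel drives a standing current through an end-of-line (EOL) resistor so that an open or shorted cable moves the current out of the "normal" window and raises a trouble signal without tripping the output. The supply voltage, resistor values and the three design labels are assumptions chosen for the model.

```python
"""Toy model of a supervised initiating device circuit and of the three
design philosophies contrasted above. All component values are assumed
for illustration; they are not taken from NFPA 72 or a vendor datasheet."""
from dataclasses import dataclass
from enum import Enum
from math import sqrt


class LoopState(Enum):
    NORMAL = "normal"
    ALARM = "alarm"
    OPEN = "trouble (open circuit)"
    SHORT = "trouble (short circuit)"


@dataclass(frozen=True)
class SupervisedLoop:
    supply_v: float = 24.0      # panel loop voltage (assumed)
    eol_ohms: float = 4700.0    # end-of-line resistor (assumed)
    alarm_ohms: float = 470.0   # resistor in series with each alarm contact (assumed)
    short_ohms: float = 10.0    # residual resistance of a crushed/shorted cable (assumed)

    def current_ma(self, alarm_contact_closed=False, fault=None):
        """Loop current the panel measures for a field condition.
        fault is None, 'open' (cut cable) or 'short' (shorted cable)."""
        if fault == "open":
            return 0.0
        if fault == "short":
            return 1000.0 * self.supply_v / self.short_ohms
        if alarm_contact_closed:
            # the alarm resistor is shunted across the loop, in parallel with the EOL
            r = (self.alarm_ohms * self.eol_ohms) / (self.alarm_ohms + self.eol_ohms)
        else:
            r = self.eol_ohms
        return 1000.0 * self.supply_v / r

    def classify(self, measured_ma):
        """Window comparator: the panel knows which currents it should see."""
        i_normal = 1000.0 * self.supply_v / self.eol_ohms
        i_alarm = self.current_ma(alarm_contact_closed=True)
        if measured_ma < 0.5 * i_normal:
            return LoopState.OPEN            # standing current gone: cable cut
        if measured_ma < sqrt(i_normal * i_alarm):   # geometric midpoint of the windows
            return LoopState.NORMAL
        if measured_ma <= 2.0 * i_alarm:
            return LoopState.ALARM
        return LoopState.SHORT               # far above any legitimate alarm current


DESIGNS = ("de-energize-to-trip", "energize-to-trip", "energize-to-trip+supervision")


def output_action(design, loop, fire=False, fault=None):
    """Action of the final element (e.g. fire-water pump start) under each
    design. Returns 'trip', 'no trip' or 'trouble' (no trip, fault annunciated)."""
    if design == "de-energize-to-trip":
        # Normally closed contacts hold the output energized; a fire opens them.
        # A cut cable is indistinguishable from a fire; a shorted cable masks one.
        if fault == "short":
            return "no trip"
        return "trip" if (fire or fault == "open") else "no trip"
    state = loop.classify(loop.current_ma(alarm_contact_closed=fire, fault=fault))
    if design == "energize-to-trip":
        # Unsupervised: any current above the alarm threshold trips, a short
        # included; an open cable is invisible until a fire occurs.
        return "trip" if state in (LoopState.ALARM, LoopState.SHORT) else "no trip"
    if design == "energize-to-trip+supervision":
        if state is LoopState.ALARM:
            return "trip"
        if state in (LoopState.OPEN, LoopState.SHORT):
            return "trouble"                 # no trip, but maintenance is alerted
        return "no trip"
    raise ValueError(f"unknown design {design!r}")


# Constructed scenarios: (label, fire present, wiring fault)
SCENARIOS = [
    ("no fire, healthy wiring", False, None),
    ("fire, healthy wiring", True, None),
    ("no fire, cable cut", False, "open"),
    ("no fire, cable shorted", False, "short"),
    ("fire, cable cut", True, "open"),
]


def compare(loop=SupervisedLoop()):
    """Outcome of every scenario under every design, as a nested dict."""
    return {label: {d: output_action(d, loop, fire, fault) for d in DESIGNS}
            for label, fire, fault in SCENARIOS}


if __name__ == "__main__":
    for label, outcomes in compare().items():
        print(f"{label:26s} " + "  ".join(f"{d}: {a}" for d, a in outcomes.items()))
```

The table the script prints makes the answer's point concrete: in the "no fire, cable cut" row the de-energize-to-trip loop starts the pumps, the unsupervised energize-to-trip loop does nothing and would silently fail on the next real fire, and the supervised loop raises a trouble signal so the wiring is repaired before that fire. The remaining gap is the "fire, cable cut" row, where even the supervised loop cannot act, which is why the standard pairs supervision with a short repair time rather than treating it as equivalent to fail-safe.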
