
Failing safely with shutdown systems

This month's edition of Ask The Experts focuses on a reader's need for clarification of international standards for the design of a gas and fire shutdown system for offshore oil and gas platforms.

08/22/2005



In any case, the design basis for F&G systems, specifically for process plants, is currently under review by standards committees. The SP 84 standards panel of ISA has just established a working group with the goal of providing a technical report (TR) that considers the current state of the art. The goal of this TR is to review all of the standards which may apply to F&G systems (such as NFPA 72 and ISA 84.00.01-2004 [IEC 61511]) and determine a best work practice for the design of F&G systems that includes the relevant material from the appropriate standards and fills in for gaps where information is not currently standardized. Some of the questions that the group will be tackling include 

  1. When (if at all) should F&G systems (or functions) incorporate the concept of Safety Integrity Level (SIL) as per ISA 84.00.01-2004 [IEC 61511]?
  2. What process should be used to identify the need and location for sensors?
  3. What are the requirements for signaling system hardware that is common to multiple loops?

and many other issues that are important to F&G system users in the process industries.

Anyone interested in the committee should feel free to contact me.

Edward M. Marszal, Director – ISA Safety Division, President, Kenexis Consulting Corp.


The first issue is to determine what code you are designing to. The more common ones are NFPA-72, 46 CFR (Shipping), and API RP 14C.

In a typical process shutdown system, the lack of integrity of the shutdown system (e.g., disconnected wires, tubing or hoses, as well as malfunction of relays and other devices) is elevated to the level of an abnormal process condition, resulting in taking the whole process to a safe state. Certainly there are financial implications, but generally the losses are confined to the product in process. The key issue in fire and gas systems is that the solution to the problem (release of the fire and gas protection devices) can result in equipment damage. In a fire and gas detection or suppression system, the trip actions (e.g., spraying the equipment with seawater) are not acceptable responses when there is a failure in the detection or suppression system itself. Simply, the losses are more significant, so generally you do not want to take these actions when you lose the detection system integrity.

Instead, for fire detection you use supervised circuits, where the circuits are monitored for system integrity and alarm on the loss of system integrity. This enables you to make choices on how to respond, since you can sort out a confirmed fire from failure of the detection system. So, you decide which responses to automate and which should include an operator confirmation.

API RP 14C says you have to completely shut down the platform on a confirmed fire, so you have no choice. However, control circuits for starting firewater pumps and opening deluge valves are usually non-failsafe because these are typically manned platforms. Offshore fire water pumps are designed per API standards, and testing these pumps on a weekly basis is mandatory. Typically, there are redundant pumps installed such that loss of one pump due to a mechanical failure or failure in the control circuit will automatically start the other pump(s). The system also includes a manual means to start each pump. The same goes for deluge valves. Again, you don't want to accidentally spray seawater on equipment if there's no fire.

Similarly, automatic action on detection of high levels of combustible gas is failsafe. However, we don't normally start fire water pumps automatically on high gas concentrations.

Often, these systems are PLC-type devices. As with any critical system, it is important to consider the response to loss of power or communications in all elements of the system. It is also important to consider the response to downloading a modification to the system (commonly a cycle to fail state) in the design of the logic to avoid nuisance trips and the resultant damage.

Bridget Fitzpatrick, Senior Consultant, Mustang Engineering
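As an added illustration, not part of either expert's answer, the decision logic described above modelled in Python: a supervised detection loop with an end-of-line resistor is classified from its loop current into normal, alarm or fault, and only a confirmed fire releases firewater and deluge, while loss of loop integrity raises a trouble alarm only and high gas trips the process without starting the pumps. The current thresholds and the voting rule (two loops in alarm, or one loop plus operator confirmation) are assumptions made for this example, not values from any standard.

```python
from enum import Enum

# Constructed, illustrative loop-current bands (mA) for an end-of-line-resistor
# supervised circuit. The panel measures the loop current and infers the state:
#   below OPEN_MAX        -> wiring open (broken wire, detector unplugged)
#   OPEN_MAX..NORMAL_MAX  -> quiescent current through the EOL resistor
#   NORMAL_MAX..ALARM_MAX -> a detector has switched in and shunted the EOL resistor
#   above ALARM_MAX       -> wiring short
OPEN_MAX, NORMAL_MAX, ALARM_MAX = 1.0, 8.0, 30.0


class Loop(Enum):
    NORMAL = "normal"
    ALARM = "alarm"
    FAULT = "fault"  # open or short: integrity lost, which is not a fire


def classify_loop(current_ma: float) -> Loop:
    """Supervision: an open or short is a fault, never an alarm."""
    if current_ma < OPEN_MAX or current_ma > ALARM_MAX:
        return Loop.FAULT
    if current_ma <= NORMAL_MAX:
        return Loop.NORMAL
    return Loop.ALARM


def decide(fire_loops_ma, gas_high: bool, operator_confirmed: bool) -> dict:
    """Map supervised-loop readings plus the gas trip to automatic actions.

    Assumed voting rule: a fire is confirmed by two loops in alarm, or by one
    loop in alarm that the operator has confirmed. Faulted loops never vote.
    """
    states = [classify_loop(i) for i in fire_loops_ma]
    alarms = sum(s is Loop.ALARM for s in states)
    faults = sum(s is Loop.FAULT for s in states)
    confirmed_fire = alarms >= 2 or (alarms == 1 and operator_confirmed)
    return {
        "trouble_alarm": faults > 0,                  # integrity lost: alarm only
        "process_shutdown": confirmed_fire or gas_high,  # failsafe actions
        "start_firewater_pumps": confirmed_fire,      # not on gas, not on fault
        "open_deluge": confirmed_fire,                # never spray on a wiring fault
    }


if __name__ == "__main__":
    # Constructed readings: one loop open, two quiescent -> trouble alarm, no release.
    print(decide([0.2, 5.0, 5.0], gas_high=False, operator_confirmed=False))
```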
