asktheexperts

Failing safely with shutdown systems

Aug. 22, 2005
This month's edition of Ask The Experts focuses on a reader's need for clarification of international standards for the design of a gas and fire shutdown system for offshore oil and gas platforms.
QUESTION:

I NEED A clarification on the design of a fire and gas shutdown system for offshore oil and gas platforms. Why is it that most platforms across the globe are designed with a non-failsafe fire and gas shutdown system, unlike the fail-safe process IPS design? Is there any International Standard under ASME or ISA or IEC or equivalent which provides guidelines for the design? There is a clause in API RP 14F which says that the design should be non-fail-safe to prevent some unwanted condition; e.g., starting of the fire water pump / deluge system due to a cable cut or solenoid coil failure in the circuit under a 'no-fire' condition. Kindly clarify.


Janakiraman, Senior Instrument Engineer, Technip Geoproduction Sdn Bhd, Kuala Lumpur, Malaysia

ANSWERS

THE ISO equivalent of API 14C is ISO 10418:2003 “Basic Surface Safety Systems.” The API 14F equivalent is ISO 13702:1999 “Control & Mitigation of Fire & Explosions.”

ISO 10418 indicates a considerable level of doubt as to the reasonableness of allocating SIL in excess of 1 for gas and fire systems, borne out by experience (see UK North Sea statistics which indicate a very high proportion of releases detected only by personnel, not the instruments). This is not due to failure of the instrumentation detecting a release when it is in a position to see it, but due to the releases subscribing to Murphy’s Law, and appearing where the detectors are not.

The following passage is from ISO 13702 Annex B2 (Informative): ESD systems should be designed in accordance with recognized codes or standards applicable to the area of operation. Methods of determining functional requirements for electrical, electronic and programmable electronic systems and guidance on how these functional requirements can be achieved are given in Parts 1, 2 and 3 of IEC 61508. Loss of power or key input signals should be considered in determining the reliability of the ESD system.

The impact of loss of power and key input signals on the functionality of the ESD system should be considered. In many applications this may require that the ESD system is inherently "fail safe," such that the system achieves a safe condition. For more information on hydraulic and pneumatic systems which may supply power for ESD system operation, see clause B.13.

Further on: If the connection to the control room is lost, the fire-water pumps should start automatically.
From B.13: The failure mode of the essential safety system supplied by a pneumatic or hydraulic system should be considered, to ensure that the required integrity is maintained. It is generally preferred to have an arrangement where the pneumatic or hydraulic supply keeps the system in a normal operating condition and that failure of the pneumatic/hydraulic supply will cause the system to move to a safe condition.

As I read this, use of a “power to initiate” system is not recommended by the ISO standard.

Yes, the practice of isolating fire pumps to minimize hazard to divers is not unknown. Unfortunately, so is the loss of a platform due to such a practice coinciding with a fire.

Ian H. Gibson

YOUR QUESTION is very timely, in that the foundations that generated the “standard design” that you describe are all under active investigation at the moment. The current industry practice is being reviewed in light of new international standards for safety instrumented systems, such as ISA 84.00.01-2004 (IEC 61511) and IEC 61508.

With regards to the current state of design for fire and gas (F&G) systems, the basis for many of the engineering decisions that you currently see is a standard from the U.S. National Fire Protection Association (NFPA). The standard – NFPA 72 – The National Fire Alarm Code, is a widely used document that many equipment vendors follow during their design, and have their equipment certified against. Use of the NFPA 72 document is somewhat difficult for offshore platform operators due to the expanded scope of a F&G system, over what is prescribed in the “Fire Alarm Code,” specifically in how to deal with combustible gas and toxic gas detection. Further defining the use of NFPA 72 as a basis for F&G system design, you will find several references in the API 14 series of recommended practices, where the NFPA 72 standard is invoked as a good engineering practice for F&G systems.

The next question would be, “why does NFPA 72 recommend energize-to-trip for signaling systems?” The short answer is that a premium is placed on avoidance of nuisance trips as opposed to fail-safe performance. The financial burden of causing a Total Platform Shutdown as the result of a broken wire or sensor failure is seen as greatly exceeding the risk of non-performance in the unlikely event the system is required to act. You must also remember that a system designed in accordance with NFPA 72 will not have a significant risk of non-performance in the event of sensor failures or broken wires. This standard requires that means must be present to detect and allow repair of faulty circuits in a very short time frame; i.e., automatic circuit integrity monitoring. There are a large number of requirements in NFPA 72 regarding circuit integrity monitoring and testing to ensure that failures in the energize-to-trip circuits are promptly detected and repaired, making the difference in safety performance between energize-to-trip and de-energize-to-trip circuits quite small.

In any case, the design basis for F&G systems, specifically for process plants, is currently under review by standards committees. The SP 84 standards panel of ISA has just established a working group with the goal of providing a technical report (TR) that considers the current state of the art. The goal of this TR is to review all of the standards which may apply to F&G systems (such as NFPA 72 and ISA 84.00.01-2004 [IEC 61511]) and determine a best work practice for the design of F&G systems that includes the relevant material from the appropriate standards and fills in for gaps where information is not currently standardized. Some of the questions that the group will be tackling include:

  1. When (if at all) should F&G systems (or functions) incorporate the concept of Safety Integrity Level (SIL) as per ISA 84.00.01-2004 [IEC 61511]?
  2. What process should be used to identify the need and location for sensors?
  3. What are the requirements for signaling system hardware that is common to multiple loops?

There are many other issues that are important to F&G system users in the process industries.

Anyone interested in the committee should feel free to contact me.

Edward M. Marszal, Director – ISA Safety Division, President, Kenexis Consulting Corp.

THE FIRST issue is to determine what code you are designing to. The more common ones are NFPA-72, 46 CFR (Shipping), and API RP 14C.

In a typical process shutdown system, the lack of integrity of the shutdown system (e.g., disconnected wires, tubing or hoses, as well as malfunction of relays and other devices) is elevated to the level of an abnormal process condition, resulting in taking the whole process to a safe state. Certainly there are financial implications, but generally the losses are confined to the product in process. The key issue in fire and gas systems is that the solution to the problem (release of the fire and gas protection devices) can result in equipment damage. In a fire and gas detection or suppression system, the trip actions (e.g., spraying the equipment with seawater) are not acceptable responses when there is a failure in the detection or suppression system itself. Simply, the losses are more significant, so generally you do not want to take these actions when you lose the detection system integrity.

Instead, for fire detection you use supervised circuits; where the circuits are monitored for system integrity and alarm on the loss of system integrity. This enables you to make choices on how to respond, since you can sort out a confirmed fire from failure of the detection system. So, you decide which responses to automate and which should include an operator confirmation.

API RP 14C says you have to completely shut down the platform on a confirmed fire, so you have no choice. However, control circuits for starting firewater pumps and opening deluge valves are usually non-failsafe because these are typically manned platforms. Offshore fire water pumps are designed per API standards, and testing these pumps on a weekly basis is mandatory. Typically, there are redundant pumps installed such that loss of one pump due to a mechanical failure or failure in the control circuit will automatically start the other pump(s). The system also includes a manual means to start each pump. The same goes for deluge valves. Again, you don't want to accidentally spray seawater on equipment if there's no fire.

Similarly, automatic action on detection of high levels of combustible gas is failsafe. However, we don't normally start fire water pumps automatically on high gas concentrations.

Often, these systems are PLC-type devices. As with any critical system, it is important to consider the response to loss of power or communications in all elements of the system. It is also important to consider the response to downloading a modification to the system (commonly a cycle to fail state) in the design of the logic to avoid nuisance trips and the resultant damage.

Bridget Fitzpatrick, Senior Consultant, Mustang Engineering
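The three answers above turn on one distinction: a de-energize-to-trip process shutdown treats loss of circuit integrity as a trip condition, while an energize-to-trip fire and gas system relies on supervised circuits that report a broken wire or short as a trouble condition rather than spraying the platform. The model below is an added illustration written for this column, not code from any of the experts, from NFPA 72, or from any standard. It assumes a supervised initiating loop terminated by an end-of-line resistor, where the panel measures loop resistance; the resistor value, tolerances and alarm thresholds are constructed assumptions for illustration, as are the sample readings in `run_scenarios`. The decision logic then shows how the same loop states produce different executive actions under the two philosophies, and how a voting count lets confirmed detection still act even when a second loop is faulted.

```python
"""Supervised detection loop and trip-philosophy model (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum

# Assumed loop parameters (not from the column or any standard).
EOL_OHMS = 4700.0          # end-of-line resistor that the panel expects to see
TOLERANCE = 0.20           # +/-20 % band around EOL_OHMS counts as healthy
ALARM_MAX_OHMS = 1000.0    # a detector in alarm shunts the loop to a low resistance
SHORT_MAX_OHMS = 50.0      # at or below this the wiring itself is shorted
OPEN_MIN_OHMS = 50_000.0   # at or above this a conductor is broken


class LoopState(Enum):
    NORMAL = "normal"
    ALARM = "alarm"
    OPEN = "open-circuit fault"
    SHORT = "short-circuit fault"
    DRIFT = "out-of-tolerance fault"


FAULT_STATES = (LoopState.OPEN, LoopState.SHORT, LoopState.DRIFT)


def classify_loop(measured_ohms: float) -> LoopState:
    """Map a measured loop resistance onto a supervised-circuit state.

    Supervision is what lets the panel tell a detector in alarm apart from a
    broken wire: both change the loop resistance, but in opposite directions.
    """
    if measured_ohms >= OPEN_MIN_OHMS:
        return LoopState.OPEN
    if measured_ohms <= SHORT_MAX_OHMS:
        return LoopState.SHORT
    if measured_ohms <= ALARM_MAX_OHMS:
        return LoopState.ALARM
    if abs(measured_ohms - EOL_OHMS) <= TOLERANCE * EOL_OHMS:
        return LoopState.NORMAL
    return LoopState.DRIFT  # neither healthy nor a clean alarm: report as a fault


class Philosophy(Enum):
    DE_ENERGIZE_TO_TRIP = "de-energize-to-trip"  # process ESD: loss of integrity trips
    ENERGIZE_TO_TRIP = "energize-to-trip"        # F&G signaling: loss of integrity alarms


@dataclass(frozen=True)
class Decision:
    trip: bool           # take the automatic executive action (ESD, pump start, deluge)
    trouble_alarm: bool  # raise a supervisory/trouble alarm for the operator
    reason: str


def decide(states: list[LoopState], philosophy: Philosophy, votes_to_trip: int = 1) -> Decision:
    """Combine supervised loop states into a trip / trouble decision.

    votes_to_trip models a confirmation rule (e.g. 2 loops in alarm before
    deluge); faulted loops never count as votes under either philosophy.
    """
    alarms = sum(s is LoopState.ALARM for s in states)
    faults = [s for s in states if s in FAULT_STATES]
    if alarms >= votes_to_trip:
        # Confirmed detection acts regardless of faults elsewhere.
        return Decision(True, bool(faults), f"confirmed detection on {alarms} loop(s)")
    if faults:
        if philosophy is Philosophy.DE_ENERGIZE_TO_TRIP:
            return Decision(True, True, "loss of loop integrity drives the system to its safe state")
        return Decision(False, True, "loss of loop integrity: trouble alarm only, no executive action")
    if alarms:
        return Decision(False, False, f"{alarms} loop(s) in alarm, below the {votes_to_trip}-vote threshold")
    return Decision(False, False, "all loops normal")


def run_scenarios() -> dict[str, dict[Philosophy, Decision]]:
    """Evaluate constructed readings (ohms per loop) under both philosophies."""
    scenarios = {
        "quiet platform": [4700.0, 4650.0],
        "broken wire, no fire": [4700.0, 120_000.0],
        "one detector in alarm": [4700.0, 400.0],
        "detector in alarm plus a broken wire": [400.0, 120_000.0],
    }
    results: dict[str, dict[Philosophy, Decision]] = {}
    for name, readings in scenarios.items():
        states = [classify_loop(r) for r in readings]
        results[name] = {p: decide(states, p) for p in Philosophy}
    return results


if __name__ == "__main__":
    for name, by_philosophy in run_scenarios().items():
        print(name)
        for philosophy, d in by_philosophy.items():
            print(f"  {philosophy.value:>20}: trip={d.trip} trouble={d.trouble_alarm} ({d.reason})")
```

Running the scenarios shows the difference the answers describe: a broken wire takes the de-energize-to-trip system to its safe state, while the energize-to-trip system raises a trouble alarm and leaves the pumps and deluge alone, which is only acceptable because the supervision guarantees the fault is seen and can be repaired promptly.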