Emerson’s DeltaV SIS product manager, Mike Boudreaux, whom I’ve featured in several process safety-related posts, manages two great sources of information on safety instrumented systems (subscribe) and process safety.
My subscription to the safety instrumented systems room pointed me to a great article by Murphy Oil’s William Taggart. The article, which originally appeared in Intech magazine, is titled Process safety systems in the Gulf of Mexico (no longer available on ISA website).
Mike’s capture of the article’s opening paragraph drew my attention:
Process safety systems for the offshore oil/gas industry in the Gulf of Mexico have taken a very different path than those of their onshore brethren. Monthly and quarterly testing of safety devices in an online mode, a prescriptive safety standard written more than 40 years ago, and a governmental agency looking over their shoulder make up what could have been a recipe for disaster, but instead it has been a recipe for an exemplary process safety record coupled with high uptimes. The differences lie in API RP 14C and ISA84 and the results to facilities in the Gulf of Mexico and onshore facilities. The differences are also why their system has worked.
I’m not sure about 40 years ago, but what the author describes is exactly how it worked more than 20 years ago when I worked as a systems engineer on offshore oil & gas platforms.
The American Petroleum Institute’s Recommended Practice 14C (API RP 14C) was indeed very prescriptive for what safety shutdowns were required for each piece of the processing equipment from the wellheads to the custody transfer skids where the production was metered and ownership transferred to the pipeline companies.
The author wrote:
API RP 14C provides a simple standard you can easily apply to offshore oil and gas facilities where the process design is the same basic type that has seen use for years. It errs on the conservative side by requiring safety devices, which might be excluded under ISA84, IEC 61511, or IEC 61508 analysis. It does not address the implementation of the safety system, rather focusing on the required functions.
Based on the platform’s processing equipment, the safety instrumented functions were very clear. And, monthly testing of the safety instrumented function inputs and safety valves was required by the U.S. Department of the Interior’s Minerals Management Service. The operators worked hard to make sure the platforms they were responsible for had no MMS citations. The author notes a change over the years with the advent of reliable electronic transmitters that the safety function inputs could be tested quarterly instead of monthly.
Another key difference with other process industries is that RP 14C has philosophy to shut everything down on a safety trip:
…an event on a single vessel will affect the entire facility, especially if it is a process critical vessel like a flare scrubber or process sump tank. On a typical offshore oil/gas facility, 20 safety devices will shut in the entire facility. Also, 200-400 safety devices will shut in their specific piece of equipment or a section of the process train depending on the size and complexity of the facility.
The combination of a conservative, prescriptive approach to safety instrumented functions, federally-mandated rigorous testing, and a “shut it all down” philosophy has produced an impressive safety track record where there has been no process safety-related fatalities in more than 9 years in the Gulf of Mexico.
In his safety instrumented system room, Mike had also flagged an October 2008 ControlGlobal.com story on Murphy Oil’s use of the DeltaV and DeltaV SIS systems on some of their offshore platforms and the reasons for taking this approach.
