Rafael, whom you may recall from an earlier marine and offshore safety post, is an SIS implementation manager for the European region.
Here’s Mike’s post:
At Emerson Exchange last year, Rafael Lachmann presented on the topic of Fire & Gas System (FGS) solutions with DeltaV SIS. In his presentation, he provided a basic overview of FGS concepts and then he described how DeltaV SIS could be used for FGS applications. He described how emergency shutdown (ESD) systems are different from FGS, how onshore FGS differs from offshore FGS applications, and how DeltaV SIS can be used for FGS applications.
For an ESD, a process upset will result in a process shutdown. ESD systems are preventative layers of protection, meaning that they act to prevent a hazardous event like a chemical release, fire, or explosion from occurring. A FGS is a mitigating layer of protection, because its purpose is to reduce the consequence severity of such an event when it occurs. When a combustible gas, a toxic gas, smoke, flame, or heat is detected, the FGS will respond by annunciating audible and visual alarms and initiating a water deluge, fire suppression system, or a process shutdown. In the event of a gas leak, the FGS can act to prevent it from becoming a fire or explosion by isolating the leak and ignition sources. In the Deepwater Horizon Accident Investigation Report that was issued by BP in September 2010, this was listed as one of the 8 barriers that were breached.
The fire and gas system did not prevent hydrocarbon ignition. Hydrocarbons migrated beyond areas on Deepwater Horizon that were electrically classified to areas where the potential for ignition was higher. The heating, ventilation and air conditioning system probably transferred a gas-rich mixture into the engine rooms, causing at least one engine to overspeed, creating a potential source of ignition.
A typical ESD safety instrumented function (SIF) is quite simple when compared to what is implemented for a FGS. A FGS SIF can be very complex and highly distributed, with 1ooN or 2ooN voting from a large number of detector devices located throughout a unit, process, and plant area. In some cases, a FGS event can initiate a site-wide emergency shutdown.
Another important difference is that an ESD is typically designed as normally energized (de-energize-to-trip) so that it is fail-safe. This way, if there is a loss of power or connectivity between system components, the SIS will respond by tripping. This results in higher safety integrity, but it can result in increased spurious trips of the process. For FGS, a spurious trip can have dangerous results. For example, initiating a water deluge system inside a building can cause damage to equipment and can be hazardous to personnel. Chemical fire suppression can be dangerous to personnel, and false alarms degrade the willingness of plant personnel to respond. For this reason, it is common to design a FGS as normally de-energized (NDE).
In a NDE design, the loop must be energized in order to initiate a trip of the FGS. This means that failures such as loss of power or connectivity between components are covert failures unless there are adequate diagnostics to detect them. In a NDE design, line monitoring is essential to detect open and short circuit failures in wiring between logic solver I/O and field devices.
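The interaction between line monitoring and 2ooN voting described above can be sketched in a few lines. This is an added example, not code from the presentation or from DeltaV SIS; the current bands, detector tags and readings are assumed, constructed values.

```python
from enum import Enum

class LineState(Enum):
    OPEN = "open-circuit fault"
    NORMAL = "healthy, no alarm"
    ALARM = "healthy, in alarm"
    SHORT = "short-circuit fault"

# Assumed loop-current bands in mA (illustrative, not from any data sheet).
OPEN_BELOW_MA = 1.0
ALARM_AT_MA = 10.0
SHORT_ABOVE_MA = 22.0

def classify(loop_ma, line_monitoring=True):
    """Map a measured loop current to a line state."""
    if line_monitoring:
        if loop_ma < OPEN_BELOW_MA:
            return LineState.OPEN
        if loop_ma > SHORT_ABOVE_MA:
            return LineState.SHORT
    # An unsupervised input only compares against the alarm threshold, so an
    # open wire reads as "no alarm" and a short reads as "in alarm".
    return LineState.ALARM if loop_ma >= ALARM_AT_MA else LineState.NORMAL

def vote(readings_ma, m, line_monitoring=True):
    """MooN vote for an NDE loop: trip when m detectors classify as in alarm."""
    states = {tag: classify(ma, line_monitoring) for tag, ma in readings_ma.items()}
    alarms = sorted(t for t, s in states.items() if s is LineState.ALARM)
    faults = sorted(t for t, s in states.items()
                    if s in (LineState.OPEN, LineState.SHORT))
    return {
        "trip": len(alarms) >= m,          # energize the output
        "alarms": alarms,
        "faults": faults,                  # revealed failures to annunciate
        "can_still_trip": len(states) - len(faults) >= m,
    }

# Constructed sample readings for three hypothetical gas detectors (2oo3).
OPEN_WIRE = {"GD-101": 0.0, "GD-102": 12.0, "GD-103": 4.0}
SHORTED = {"GD-101": 24.0, "GD-102": 12.0, "GD-103": 4.0}

if __name__ == "__main__":
    for name, sample in (("open wire", OPEN_WIRE), ("short", SHORTED)):
        for monitored in (True, False):
            print(name, "monitored" if monitored else "unmonitored",
                  vote(sample, 2, monitored))
```

With monitoring, the broken or shorted loop is reported as a fault and excluded from the vote; without it, the open wire is a silent loss of one detector and the short becomes a second vote that trips the 2oo3 function spuriously.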
The major differences between offshore and onshore FGS design result from the difficulty of evacuating and the limited offsite emergency response assistance when an offshore incident occurs. Rafael’s discussion on how onshore FGS differs from offshore FGS will soon be covered in another blog post.