Process safety systems in the Gulf of Mexico
By William M. Taggart IV
Process safety systems for the offshore oil/gas industry in the Gulf of Mexico have taken a very different path than those of their onshore brethren. Monthly and quarterly testing of safety devices in an online mode, a prescriptive safety standard written more than 40 years ago, and a governmental agency looking over their shoulder make up what could have been a recipe for disaster, but instead it has been a recipe for an exemplary process safety record coupled with high uptimes. The differences lie in API RP 14C and ISA84 and the results to facilities in the Gulf of Mexico and onshore facilities. The differences are also why their system has worked.
Process safety history
In the 1960s, offshore oil/gas operators formed a committee under the American Petroleum Institute to write Recommended Practice 14C (API RP 14C) for process safety systems. API RP 14C's official title is Recommended Practice for Analysis, Design, Installation, and Testing of Basic Surface Safety Systems for Offshore Production Platforms. API RP 14C is presently in its seventh edition and is required by government regulations for all offshore operators. It outlines the basic requirements for a process safety system by identifying the normal process components (vessels, pumps, pipelines, compressors, and the like) on an offshore facility and the minimum number and type of safety devices required. Specific exemptions are listed when a safety device may not be required. It is up to the operator to review his design and determine if each device is either required or not.
API RP 14C provides a simple standard you can easily apply to offshore oil and gas facilities where the process design is the same basic type that has seen use for years. It errs on the conservative side by requiring safety devices, which might be excluded under ISA84, IEC 61511, or IEC 61508 analysis. It does not address the implementation of the safety system, rather focusing on the required functions.
This standard was developed almost 20 years before ISA84, IEC 61511, or IEC 61508. It has created an approach to process safety that differs from the approach advocated in other industries in a few key areas.
From the government
One of the major differences between onshore and offshore operations is the involvement of the Mineral Management Service (MMS), the agency of the Department of the Interior that oversees all exploration and production activities offshore. API RP 14C requires the development of SAFE charts (cause-and-effect charts) and safety flow diagrams (P&ID diagrams showing equipment and safety devices). The MMS requires them to be submitted during the design phase of any project. The MMS will come out just after start-up to fully inspect the facility and confirm all equipment and safety devices are as depicted. After that, any changes to the SAFE charts or safety flows must be reported and approved prior to implementation. The MMS also makes a yearly trip out to the facility to inspect and report the operator is performing required testing and maintaining records.
Failure to follow these requirements can result in the MMS fining or even shutting down the facility. The MMS also reserves the right to make surprise inspections. This requirement for review and approval of safety systems receives support from 14C's easy cookbook approach, which provides for a simple framework. Each type of process equipment (pump, vessel, tank, pipeline) has a list of the required safety devices and when you can exclude those devices.
In the SAFE chart for each piece of process equipment, all the required safety devices are listed, and those that have been excluded have the reference to the safety analysis checklist, which lists all the reasons for excluding a device. The SAFE chart becomes an easy tool to check that all requirements have been met and what actions the safety devices take.
Shut it all down
In section 4.2.3, API RP 14C specifically addresses the idea of cascading shutdowns and forbids the practice. The idea of shutting in an affected vessel and letting the remainder of the process train, react, and eventually shutdown is called cascading. The 14C specification specifically forbids cascading with a few reasoned-out exceptions. The idea is any event on a process train needs to shut down the primary energy source for that process unit and not allow a process upset to ripple through systems. On an offshore oil/gas facility, that primary source is usually the oil/gas wells flowing into the facility. As such, an event on a single vessel will affect the entire facility, especially if it is a process critical vessel like a flare scrubber or process sump tank. On a typical offshore oil/gas facility, 20 safety devices will shut in the entire facility. Also, 200-400 safety devices will shut in their specific piece of equipment or a section of the process train depending on the size and complexity of the facility.
Not only do safety devices shut in the facility, but so does an extensive network of fire and gas sensors and emergency shutdown buttons. API RP 14C defines where ESD buttons must be located on an offshore facility, and they have to affect an entire facility shutdown. There are also extensive rules on the location of fusible plugs for fire detection in addition to fire/gas sensors.
This philosophy makes sense on an offshore oil/gas facility where stopping the process and restarting it are not extremely hazardous. The risk of having to perform a restart is dwarfed by the risk of having an unsafe event on what is essentially an isolated location surrounded by water with no place to flee. The assumption is this would reduce the facility uptime, but it has not. Quite a few offshore platforms have achieved long run times. It does make them vulnerable to false trips, though. But once the oil wells are closed, restarting the facility does not pose significant hazards.
Test, test again
API RP 14C was written around the technology available at the time in the 1960s and 1970s, which was pneumatic devices and logic. To provide good reliability, frequent testing was required; 14C was written around yearly testing, and the MMS imposed stricter testing requirements. Input devices (shutdown inputs or SDIs) and shutdown valves were required to be tested monthly and pressure relief valves were to be tested yearly. The advent of reliable electronic transmitters has allowed the MMS to relax the testing of SDIs using electronic transmitters to once every three months.
Running any type of process train, which is adverse to process shutdowns in the same manner as an offshore oil/gas platform, may seem like madness and probably is. The important fact is API RP 14C has not only been recommended, but it has been the law in the Gulf of Mexico for the last 40 years.
The more active safety system employed by offshore oil/gas facilities are prone to spurious trips due to operator mistakes and process upsets, but you should contrast this against the safety records achieved. In the last nine years, no process safety related fatalities on offshore oil/gas platforms have occurred in the Gulf of Mexico. While there have been fires and equipment failures, the safety systems have worked and performed as expected. During this time, the Gulf of Mexico has produced over 10 billion barrels of oil equivalent and production crews logged almost 250 million man hours without a process related fatality.
ABOUT THE AUTHOR
William M. Taggart IV is a senior staff engineer at Murphy Exploration and Production in Houston. E-mail him at [email protected].