Welcome to

TÜV Rheinland Vietnam

CONCEPT IN SAFETY & LAYERS OF

PROTECTION
About us
Building trust and credibility – in all markets
TÜV Rheinland
 Founded in 1872 as part of
the German Steam Boiler Association
 Now a worldwide service provider for
testing, inspection, certification,
consulting and training
 Aiming at quality and safety of people,
technology and the environment
2
Our Academy
 Leading technical training provider
Skilling globally.  More than 200,000 participants per
year, at over 30,000 training and
education events, in about 25 countries
Focusing locally. worldwide
 Different learning forms from face to
face training to digital learning solutions
 Academy & Life Care

3
 SAFETY & STANDARDS

4
SAFETY

• People
Workers
Public
• Environment
• Assets
5
 Public Interest in Safety is Emerging

Health, Safety, and Environment are more of concern to the public than ever before
 More news coverage than ever and increasing
 This is shaping public opinion and is setting higher standards of care
 It is an indicator of the new awareness of safety
 More public involvement in risk decisions

6
 SAFETY of the Process Plant

Engineer’s job is to insure that the process plant is safe

Safety has been defined as the freedom from unacceptable risk

7
 Role of Standards

• Initially to promote commerce

Rail / Storage Tanks
• Public Safety
Bridges
• Environmental
• Worker Safety
• Food Safety

8
 Safety Life Cycle
Philosophy
Documentation from Conceptual Engineering through
Operations to final Decommissioning

Requirement that all persons involved with the system at all

stages in the life cycle shall be of demonstrated competence
to perform their function

9
Standards

• Product
• Materials: Chemicals / Plastics / Metals
• Process
• Management System Standards

• Prescriptive
• Performance

10
Voluntary Standard
If a company accepts a higher standard
than generally accepted industry
practice, then it will be held to that higher
standard

11
 Generic Management System Standards

Common Features
• Certification by 3rd Party Assessor
Conformity Assessment
• Registration
Maintain Registration by Audit

• Accreditation of 3rd Party Assessor

• Continual Improvement

12
 One Management System

Many Common features suggest Single Management systems for

Quality, Environmental and Safety

Some companies are trying this approach

13
Technical Societies And Special Interest Groups

• NFPA • ILO
• ASME • OIML
• API • ASTM
• TAPPI • SOCMA
• ISA • ACC (MCA)
• NEMA • AIChE
• IMO • Chlorine Institute

14
Equipment Hardware and Software
Certification
• Technische Űberwachung Verein (TŰV)

• US Factory Mutual

• Underwriters Laboratory

• And more ……………

15
Professional Certification
as a measure of “competency”
• Professional Engineer / Chartered Engineer
Recognized by Law

• ISA Certified Control Technician

• TUV Certified Functional Safety Expert

• API certified Tank / Piping Inspector (510 / 570)

• Company Job description as a basis for competency

Backed by Training records

16
CONFORMITY ASSESSMENT
documenting compliance
• Documenting that products, materials, services, systems or people measure up to
the specifications of a relevant standard.

• Also called Compliance Review or Audit

• By Paragraph number within the standard

• Now often a required deliverable document by project engineering contract

17
Common Features

• Performance or Goal oriented

• Risk based decisions

• Increased Documentation

• Audit

• Management of Change

• Formal Compliance Reviews

18
SAFETY CONCEPTS

19
HAZARD

A possible source of danger is called hazard. A hazard is an agent which has the potential to

cause harm to a vulnerable target.

The terms "hazard" and "risk" are often used interchangeably.

hoán đổi nhau

20
In Risk Assessment

Two very distinct terms.

A hazard is any agent that can cause harm or damage to humans, environment or property.

Risk is defined as the probability that exposure to a hazard will lead to a negative consequence.

A hazard poses no risk if there is no exposure to that hazard.

21
Hazards can be dormant or potential, with only a theoretical probability of harm.

An event that is caused by interaction with a hazard is called an incident.

The likely severity of the undesirable consequences of an incident associated with a hazard,
combined with the probability of this occurring, constitute the associated risk.

If there is no possibility of a hazard contributing towards an incident, there is no risk.

22
What is a hazard?

Hazard is 'inherent physical or chemical characteristics that have the potential to harm humans, environment
or property.‘

In a chemical process: "a combination of hazardous materials, operating environment, and certain unplanned
events that can cause accidents."

23
What is a risk?

Risk is usually defined as a combination of the severity and probability of an event.

In other words, how often can it happen and how bad does it happen?

Risk can be evaluated qualitatively and quantitatively

RISK = FREQUENCY × SEVERITY OF HAZARD

24
The points

If we cannot face the danger we must be able to reduce risk

Reducing the frequency and / or reducing the consequences

25
Risk reduction

Risk reduction is the work of protection measures.

In some cases this will be an alternative way to do something or it can become a

protection system such as an instrumented safety system (SIS).

26
Risk reduction

When starting to design a protection system, you have to decide how to do it well.

We need to decide how much risk reduction we need (and this can be one of the
most difficult things to approve).

The goal is to reduce the risk rather than be unacceptable, to tolerable.

27
Risk reduction: design principles

28
ALARP (as low as reasonably practicable)

29
 3
broad categories of risk
Negligible Risk: broadly accepted by most people as they go about their everyday lives, these would
include the risk of being struck by lightning or of having brake failure in a car.

Tolerable risk: We would rather not have the risk but it is tolerable in view of the benefits obtained by
accepting it. The cost in inconvenience or in money is balanced against the scale of risk and a
compromise is accepted. This would apply to traveling in a car, we accept that accidents happen but we
do our best to minimize our chances of disaster. Does it apply to Bungee jumping?

Unacceptable risk: The risk level is so high that we are not prepared to tolerate it. The losses far
outweigh any possible benefits in the situation. Essentially this principle guides the hazard analysis
participants into setting tolerable risk targets for a hazardous situation. This is the first step in setting up
a standard of performance for any safety system.

30
 Risk Control

Target Risk Risk inherent

Level in the process

SIS Alarms BPCS Others

Process

Risk

31
32
33
34
DIFFERENCE Self-Diagnosis Methods

35
De-energized To Safe (DTS/ESD, trip)

36
Energized To Safe (ETS/F&G system)

37
38
Independent Protection Layers

M Plant and/or
I Emergency Emergency response layer
T Response
I
G
A
Dike Passive protection layer
T
I
Relief valve,
O Rupture disk Active protection layer
N
Safety Emergency Shut
Instrumented
System Down action Isolated protection layer
Trip level alarm
P
R Operator Wild process
E Process control layer
Intervention parameter
V High level alarm
E High level
N Basic
T Process Process
Control value Process control layer
I
System
Normal behavior
O Low level
N Plant
Design

39
Safety & Layers of Protection

40
 Layers of Protection

Giữ lại, ko cho

nổ/ thoát ra

41
 Key Concepts in Process Safety

42
 Safety Through Layers of Protection

Plant and x x
Emergency Emergency response layer
Response
Mitigate Dike Passive protection layer
Relief valve,
Rupture disk ESDActive protection layer
Safety Emergency failed
Instrumented
System Shut Down Operator Safety layer
Prevent Trip level alarm
Operator
Process failed
Intervention Shutdown ControlProcess control layer
Basic failed Process alarm
Process
Process Process control layer
Normal behaviour
Control Value
System

43
 Safety Instrumented System

SIS are designed for the purpose of :

1. Monitor an industrial process for potentially dangerous conditions.

2. Automatically taking an industrial process to a safe state when specified

conditions are violated.

3. Permit a process to move forward in a safe manner when specified

conditions allow.

4. Taking action to mitigate the consequences of an industrial hazard.

44
 Safety Instrumented System

A SIS may be responsible for :

1. Shutdown functions.

2. Permissive functions.

3. Event consequence reduction functions.

45
 Safety Instrumented System

Therefore, an SIS :

1. Does not improve the yield of a process.

2. Does not increase process efficiency.

Năng suất

3. Saves money by loss reduction.

4. Reduces risk cost.

46
 Safety Instrumented System

BPCS vs SIS :

Similiarities
 A Basic Process Control System (BPCS), like a SIS, is also composed of
sensors, controllers/logic solvers, and final elements.

Differencies
 The primary function of a BPCS is generally to maintain a process variable
within prescribed limits. A SIS monitors a process variable and inititates
action when required.

47
 Safety Instrumented System

• PROCESS CONTROL VS SAFETY INSTRUMENTED

• ACTIVE • PASSIVE
• DYNAMIC • DORMANT
• FOULT IS SELF • FOULT IS NOT SELF
REVEAL REVEAL
• SEPARATION PRINCIPLE SEPARATION MANDATED BY:
• ANSI/ISA 84
SIS BPCS
INPUT OUTPUT INPUT OUTPUT
• IEC 61508
LT • API 14C & RP 554
• AIChE CCPS
TANK LT

SDV CV
48
 Layers of Protection Analysis

Layers of protection analysis (LOPA) is a semi-quantitative methodology that

can be used to indentify safeguards that meet the independet protection
layer (IPL) criteria established by Center for Chemical Process Safety.
Tiêu chuẩn

- How safe is - providing rational,

safe enough semi-kuantitatif
- How many protection LOPA - reducing emotionalism
layers are - providing clarity and
- How much risk consistency RÕ RÀNG & NHẤT QUẤN

reduction

49
 Layers of Protection Analysis

when is used

Sumber : Center for Chemical Process Safety, Layers of Protection Analysis,

New York: American Institute of Chemical Engineers, 2001.

50
 Layers of Protection Analysis

How LOPA works

NGHẶT NGHÈO/KHỐC
LIỆT Kịch bản, tình huống

Sumber : Center for Chemical Process Safety, Layers of Protection Analysis,

New York: American Institute of Chemical Engineers, 2001.

51
 Layers of Protection Analysis

Estimating Consequences and Severity

Sumber : Center for Chemical Process Safety, Layers of Protection Analysis,

New York: American Institute of Chemical Engineers, 2001.
52
 Layers of Protection Analysis

Estimating Consequences and Severity

Sumber : Center for Chemical Process Safety, Layers of Protection Analysis,

New York: American Institute of Chemical Engineers, 2001.
53
 Layers of Protection Analysis

Estimating Consequences and Severity

TẦM QUAN TRỌNG/ ĐỘ LỚN

Sumber : Center for Chemical Process Safety, Layers of Protection Analysis,

New York: American Institute of Chemical Engineers, 2001.
54
 Layers of Protection Analysis

Developing Scenarios
Không mong muốn
đc dự đính/ mong
đợi
IPL operates as intended Undesired consequence
Bắt đầu
prevented by action of the
Initiating event IPL

Enabling event
Undesired consequence
occurs despite the
IPL fails to operates as presence of the IPL
intended hậu quả không mong muốn xảy ra mặc dù có
sự xuất hiện của IPL

55
 Layers of Protection Analysis

Developing Scenarios

i.e loss of cooling can result in a runaway exothermic reaction in a

batch reactor and overpressure, but only during a portion of the
reaction when the system is in the reaction exotherm phase and
thus vulnerable to loss of cooling.

What is :
1. Initiating event ?
2. Enabling condition ?
3. IPL ?
4. Consequences ?
56
 Layers of Protection Analysis

Identifying Initiating Event & Frequency

Sumber : Center for Chemical Process Safety, Layers of Protection Analysis,

New York: American Institute of Chemical Engineers, 2001.
57
 Layers of Protection Analysis

Identifying Initiating Event & Frequency

Sumber : Center for Chemical Process Safety, Layers of Protection Analysis,

New York: American Institute of Chemical Engineers, 2001.
58
 Layers of Protection Analysis

Identifying independent protection layers

IPL1 IPL2 IPL3

giảm nhẹ rủi ro

Rủi ro tuyệt đối Mitigated Risk =
Unmitigated Risk =
reduced frequency * same
frequency * consequence
PFD1 PFD2 PFD3 consequence

Key:
Impact
Thickness of arrow represents frequency of the frequency
Event
consequence if later IPLs are not successful
59
 Layers of Protection Analysis

Identifying independent protection layers

60
 Layers of Protection Analysis

Identifying independent protection layers

In order to be considered an IPL, a device, system, or action must be

1. Effective in preventing the consequence when it functions as designed.
2. Independent of the initiating event and the components of any other IPL
already claimed for the same scenario.
3. Auditable; the assumed effectiveness in terms of consequence
prevention and PFD must be capable of validation in some manner.

61
 Layers of Protection Analysis

Determining the frequency of the scenarios

General Calculations

With additional outcomes

62
 Layers of Protection Analysis

Make Risk Decisions

63
 Layers of Protection Analysis

Make Risk Decisions

64
 US ARMY Chemical Weapon Destruction Project
Hazard Severity Level Definition

Agent Release Personnel

Severity Level In-Plant Injury/Illness System Loss

I—Catastrophic > IDLH outside engineering Illness, death, or injury involving >25% and/or >1 month to
controls permanent total disability repair

II—Critical ³ AEL outside of engineering Injury involving permanent partial 10% to 25% and/or
controls disability 1 week to 1 month to
repair

III—Marginal ³ AEL inside nonagent areas Injury involving temporary total disability <10% and/or 1 day to
1 week to repair

IV—Negligible < AEL nonagent areas Injury involving only first aid or minor No system loss downtime,
supportive treatment or repairs completed
within 1 day

AEL = airborne exposure level (VX = 0.00001 mg/m3)

IDLH = immediately dangerous to life and health (VX = 0.02 mg/m3)

65
 US ARMY Chemical Weapon Destruction Project
Hazard Frequency Level Definition (event/year)

Qualitative Agent Release Personnel

Frequency In-Plant Injury/Illness System Loss

A — frequent 1E–01 10.0 1.0

B — probable 1E–01 > 1E–02 10.0 > 1.0 1.0 > 1E–01

C — occasional 1E–02 > 1E–03 1.0 > 1E–02 1E–01 > 1E–02

D — remote 1E–03 > 1E–04 1E–02 >³ 1E–04 1E–02 >³ 1E–03

E — improbable 1E–04 > 1E–06 1E–04 > 1E–06 1E–03 > 1E–06

F — rare .> 1E–06 > 1E–06 > 1E–06

66
Table 3—RAC Matrixa

Severity Level

Qualitative I II III IV
Frequency (catastrophic) (critical) (marginal) (negligible)

A — frequent 1 1 1 3

B — probable 1 1 2 3

C — occasional 1 2 3 4

D — remote 2 2 3 4

E — improbable 3 3 3 4

F — rare 4 4 4 4

aAcceptability criteria:
RAC Description Resolution Authority
1 Unacceptable ASA
2 Undesirable PMCD
3 Acceptable with controls PMATA-Safety
4 Acceptable
ASA = Assistant Secretary of the Army / PMATA = Product Manager for Alternative Technologies and Approaches /
67 PMCD = Office of Program Manager for Chemical Demilitarization
 Risk Control

Target Risk Risk inherent

Level in the process

SIS Alarms BPCS Other

Process

Risk

68
Hardware Fault Tolerance (IEC61508)

69
• The architectural constraints of a device are a function of the device type, (Type A or Type B),
and its Safe Failure Fraction (SFF).

• A type A device is a “non-‐complex” subsystem using discrete elements. A type B device is a

“complex” subsystem, using micro controllers or programmable logic. For further details see
7.4.3.1.3. of IEC 61508-‐2.

70
71
72
Redundancy for System Control

73
Risk assessment

Risk assessment is like a captured spy. If you torture it long enough, it will
tell you anything you want.

William Ruckelshaus

Former EPA Administrator

74
 From Reactive to Proactive

• Develop a program for risk management

• Train employees in risk principles

• Address key risks using these methods

• Make risk management a way of doing business – imbedded in the culture of the company as a standard
work process

75
 RISK ASSESSMENT

is now
an integral requirement

of the world wide

Processing Industry

76
Control and Safety Systems

A process control system is used to monitor data and control equipment on the plant.

Very small installations may use hydraulic or pneumatic control systems, but larger plants with up
to 30.000 signals to and from the process require a dedicated distributed control system.

The purpose of this system is to read values from a large number of sensors, run programs to
monitor the process and control valves switches etc. to control the process.

At the same time values, alarms, reports and other information are presented to the operator and
command inputs accepted.

77
78
Field instrumentation: sensors and switches that sense process conditions such as temperature, pressure or flow. These
are connected over single and multiple pair electrical cables (hardwired) or communication bus systems called
fieldbus.

• Control devices, such as Actuators for valves, electrical switchgear and drives or indicators are also hardwired or
connected over fieldbus.

• Controllers execute the control algorithms so that desired actions are taken. The controllers will also generate events
and alarms based on changes of state and alarm conditions and prepare data for operators and information systems.

• A number of servers perform the data processing required for data presentation, historical archiving, alarm processing
and engineering changes.

• Clients such as operator stations and engineering stations are provided for human interfaces.

• The communication can be laid out in many different configurations, often including connections to remote facilities,
remote operations support and similar.

79
80
The main function of the control system is to make sure the production, processing and utility systems
operate efficiently within design constraints and alarm limits.

The control is typically specified in programs s a combination of logic and control function blocks such as
AND, ADD, PID.

For a particular system, a library of standard solutions such as Level Control Loop, Motor Control is defined.

This means that the system can be specified with combinations of typical loops, consisting of one or more
input devices, function blocks and output devices, rather than formal programming.

81
 The system is operated from the Central Control Room (CCR) with a combination of graphical process
displays, alarm lists, reports and historical data curves.

Desk screens are often used in combination with large wall screens as shown on the right.

With modern system the same information is available to remote locations such as an onshore corporate
operations support centre.

82
 Field devices in most process areas must be protected not to act as ignition sources
for potential hydrocarbon leaks.

Equipment is explosive hazard classified e.g. as safe by pressurization (Ex.p), safe

by explosive proof encapsulation (Ex.d) or intrinsically safe (Ex.i).

All areas are mapped into explosive hazard zones from

 Zone 0 (Inside vessels and pipes),

 Zone 1 (Risk of hydrocarbons),

 Zone 2 (Low risk of hydrocarbons) and

 Safe Area.

83
Beyond the basic functionality the control system can be used for more advanced control and optimization functions.
Some examples are:

• Well control may include automatic startup and shutdown of a well and/or a set of wells. Applications can include
optimization and stabilization of artificial lift such as Pump off control and Gas lift Optimization.

• Flow assurance serves to make sure that the flow from wells, in pipelines and risers are stable and maximized under
varying pressure, flow and temperatures. Unstable flow can result in slug formation, hydrates etc.

• Optimization of various processes to increase capacity or reduce energy costs.

• Pipeline Management modeling, leak detection and pig tracking

• Support for Remote Operations, where facility data is available to company specialists located at a central support
center.

• Support for remote operation where the entire facility is unmanned or without local operators full or part time, and is
operated from a remote location.

84
Emergency Shutdown and Process Shutdown

The process control system should control the process when it is operating within normal constrains such as level,
pressure and temperature.

The Emergency Shutdown (ESD) and Process Shutdown (PSD) systems will take action when the process goes into a
malfunction or dangerous state.

For this purpose the system maintains four sets of limits for a process value, LowLow (LL), Low (L), High (H) and HighHigh
(HH). L and H are process warning limits which alert to process disturbances.

LL and HH are alarm conditions and detects that the process is operating out of range and there is a chance of undesirable
events and malfunction.

85
86
Separate transmitters are provided for safety systems. One example is the LTLL (Level Transmitter LowLow) or LSLL
(Level Switch Low Low) alarm on the oil level.

When this condition is triggered, there is a risk of Blow-by which means gas leaks out of the oil output and gives high
pressure in the next separation stage or other following process equipment such as a desalter.

Transmitters are preferred over switches because of better diagnostics.

87
Emergency shutdown actions are defined in a cause and affect chart based on a study of the process.

This HAZOP study identifies possible malfunctions and how they should be handled.

On the left of the chart we have possible emergency events; on top we find possible shutdown actions.

On an oil and gas facility the primary response is to isolate and depressurize In this case the typical action would be to
close the inlet and outlet Sectioning valves (EV 0153 20, EV 0108 20 and EV 0102 20 in the diagram), and open the
blowdown valve (EV 0114 20).

This will isolate the malfunctioning unit and reduce pressure by flaring of the gas.

88
These actions are handled by the Emergency Shutdown System and Process Shutdown System.

System requirements are set by official laws and regulations and industry standards such as IEC
61508/61511. which set certification requirements for process safety systems and set criteria for the safety
integrity level (SIL) of each loop.

89
Events are classified on a scale, e.-g. 1 to 5 plus and Abandon Platform level.

On this scale, the lowest level, APS means a complete shutdown and evacuation of the facility.

The next levels (ESD1, ESD2) define emergency complete shutdown.

The upper levels (i.e. PSD 3, PSD 4, PSD 5), represent single equipment or process section shutdowns.

A split between APS/ESD and PSD is done in large installations because most signals are PSD and could be
handled with less strict requirements.

90
The main requirements concern availability and diagnostics both on the system itself and connected
equipment.

The prime requirement is on demand failure, or the system’s ability to react with a minimum probability, to an
undesirable event with a certain time with.

The second criteria is not to cause actions due to a spurious event or malfunction.

Smaller ESD systems, e.g on wellhead platforms can be hydraulic or nonprogrammable..

91
Control and Safety configuration

Piping and Instrumentation Diagrams (P&ID) show the process, additional information is needed for the
specification of the Process Control and Safety Systems.

The illustration shows one typical format common format for the Norwegian offshore industry: The Njård
Separator 1 and 2 Systems Control Diagram (SCD.

Essentially, the P&ID mechanical information has been removed, and control loops

and safety interlocks drawn in with references to typical loops.

92
93
Fire and Gas Systems

The Fire and Gas System is not generally related to any particular process.

Instead it divides into fire areas by geographical location. Each fire area should be designed to be self
contained, in that it should detect fire and gas by several types of sensors, and control fire protection and fire
fighting devices to contain and fight fire within the fire area.

In case of fire, the area will be partially shut off by closing ventilation fire dampers.

A fire area protection data sheet typically shows what detection exists for each fire area and what fire
protection action should be taken in case of an undesirable event.

94
95
A separate package related to fire and gas is the diesel or electrically driven fire water pumps for
the sprinkler and deluge ring systems.

The type and number of the detection, protection and fighting devices depend on the type of
equipment and size of the fire area and is different for e.g. Process areas, electrical rooms and
accommodations.

96
Fire detection:

- Gas detection: Combustible and Toxic gas, Electro catalytic or optical (IR) detector.

- Flame detection: Ultraviolet (UV) or Infra Red (IR) optical detectors

- Fire detection: Heat and Ionic smoke detectors

- Manual pushbuttons

Firefighting, protection:

- Gas based fire-fighting such as CO2

- Foam based fire-fighting

- Water based fire-fighting: Sprinklers, Mist (Water spray) and deluge

- Protection: Interface to emergency shutdown and HVAC fire dampers.

- Warning and escape: PA systems, beacons/lights, fire door and damper release

97
For detection, coincidence and voting is often used to false alarms. In such schemes, it is required that
several detectors in the same area detect a fire condition or gas leakage for automatic reaction.

This will include different detection principles e.g. To trig on fire but not welding or lightening.

Action is controlled by a fire and gas system. Like the ESD system, F&G action is specified in a cause and
action chart called the Fire Area Protection Datasheet.

This chart shows all detectors and fire protection systems in a fire area and how the system will operate.

98
99
The F&G system often provides supervisory functions, either in the F&G or the PIMS to handle such tasks as
maintenance, calibration, replacement and hot work permits e.g. welding.

Such action may require that one or more Fire and Gas detectors or systems are overridden or bypassed.

Specific work procedures should be enforced, such as a placing fire guards on duty and make sure all
devices are re-enabled when the work permit expires or work is complete.

100
At Emerson Exchange last year, Rafael Lachmann presented on the topic of Fire & Gas System (FGS)
solutions with DeltaV SIS.

In his presentation, he provided a basic overview of FGS concepts and then he described how DeltaV SIS
could be used for FGS applications.

He described how emergency shutdown (ESD) systems are different from FGS, how onshore FGS differs
from offshore FGS applications, and how DeltaV SIS can be used for FGS applications.

101
For an ESD, a process upset will result in a process shutdown. ESD systems are preventative layers of
protection, meaning that they act to prevent a hazardous event like a chemical release, fire, or explosion from
occurring.

A FGS is a mitigating layer of protection, because the purpose is to reduce the consequence severity of such
an event when it occurs. When a combustible gas, a toxic gas, smoke, flame, or heat is detected, then the
FGS will respond by annunciating audible and visual alarms and initiate a water deluge, fire suppression
system, or a process shutdown.

In the event of a gas leak, the FGS can act to prevent it from becoming a fire or explosion by isolating the
leak and ignition sources. In the Deepwater Horizon Accident Investigation Report that was issued by BP in
September 2010, this was listed as one of the 8 barriers that were breached.

102
The fire and gas system did not prevent hydrocarbon ignition. Hydrocarbons migrated beyond areas on Deepwater Horizon
that were electrically classified to areas where the potential for ignition was higher.

The heating, ventilation and air conditioning system probably transferred a gas-rich mixture into the engine rooms, causing
at least one engine to overspeed, creating a potential source of ignition.

A typical ESD safety instrumented function (SIF) is typically quite simple when compared to what is implemented for a
FGS. A FGS SIF can be very complex and highly distributed, with 1ooN or 2ooN voting from a large number of detector
devices located throughout a unit, process, and plant area.

In some cases, a FGS event can initiate a site-wide emergency shutdown.

103
Another important difference is that an ESD is typically designed as normally energized (de-energize-to-trip)
so that it is fail-safe.

This way, if there is loss of power or connectivity between system components then the SIS will respond by
tripping.

This results in higher safety integrity, but it can result in increased spurious trips of the process. For FGS, a
spurious trip can have dangerous results.

For example, initiating a water deluge system inside a building can cause damage to equipment and can be
hazardous to personnel. Chemical fire suppression can be dangerous to personnel, and false alarms degrade
the willingness to respond by plant personnel.

For this reason, it is common to design a FGS as normally de-energized (NDE).

104
In a NDE design, the loop must be energized in order to initiate a trip of the FGS. This means that failures
such as loss of power or connectivity between components are covert failures unless there is adequate
diagnostics to detect the failures.

In a NDE design, line monitoring is essential to detect open and short circuit failures in wiring between logic
solver I/O and field devices.

The major differences between offshore and onshore FGS design result from the difficulty to evacuate and
limited offsite emergency response assistance when an offshore incident occurs.

105