Critical industries rely on IEC functional safety Standards
Functional safety is the part of the overall safety that depends on a system or equipment operating correctly in response to its inputs. It is a concept applicable across all industry sectors. The oil and gas industry rely heavily on functional safety to achieve safety for the equipment giving rise to hazards. This was clearly illustrated in the condensate leak incident on the Gudrun North Sea offshore platform operated by Norway's Statoil company.
IEC International Standards on functional safety are developed by IEC Subcommittee (SC) 65 A: Industrial-process measurement, control and automation – Systems aspects. They include the IEC 61511 series, Functional safety – Safety instrumented systems for the process industry sector, as well as the IEC 61508 series, Functional safety of electrical/electronic/programmable electronic safety-related systems, and other Standards applicable to industrial processes.
As indicated in its scope "The IEC 61511 series addresses the application of Safety instrumented systems (SISs) for the process industries. The IEC 61511 series also addresses a process Hazard and Risk Assessment (H&RA) to be carried out to enable the specification for SISs to be derived. Other safety systems' contributions are only considered with respect to the performance requirements for the SIS. The SIS includes all devices necessary to carry out each SIF from sensor(s) to final element(s)."
According to the incident report published by the Gudrun platform operating company, Statoil, the leak was caused by a crack in a 2-inch condensate outlet line of a separator. The flow conditions in the undersized condensate outlet control valve led to excessive vibrations. This was a failure mechanism that had not been identified as a risk and had not been dealt with in the governing documentation.
The incident report drew some important lessons. The following ones can be added:
All risk-related elements should be considered as safety-critical
The first lesson is that all elements identified as initiating risk or reducing risk to tolerable limits should be considered as safety-critical elements including control loop elements.
As per the UK Health and Safety Executive regulations guidelines: "Any structure, plant, equipment, system (including computer software) or component part whose failure could cause or contribute substantially to a major accident is safety critical, as is any which is intended to prevent or limit the effect of a major accident. Identifying an item as safety critical should follow from identifying major accident hazards as required by regulation."
This also comes from the risk-based and performance-based approach in plant safety engineering following the IEC 61511 series, which adopts the Layer of Protection Analysis (LOPA) method in Guidance for the determination of the required safety integrity levels, found in Annex F of IEC 61511-3:2003, Guidance for the determination of the required safety integrity levels. Most control loops (including their control valves of course) are either included in initiating causes of hazardous events or acting as protection layers. Hence many are safety-critical by definition.
The recently-built platform’s gas leak revealed the fact that many control valves are safety-critical as the valve failure was the initiating event. No Safety Instrumented Function (SIF) can be designed to safeguard against such failure of the valve except gas detection and the associated ESD (Emergency Shutdown).
Being safety-critical will require more rigorous inspection and maintenance planning instead of being just run-to-failure equipment as is the case for control valves in many plants today.
Hence for the Gudrun incident, as the control valve failure by itself could lead to gas blow-by, it was involved in an initiating event and hence safety-critical, even if it was sized correctly and in spite of the fact that the condensate line had its own safety/shutdown valve.
That being said, old practices that are still in-use by many operator companies disregard control valves from their safety-critical element list and one of the practices observed by this author stated clearly that control valves should not be part of the safety-critical elements group.
However, some relatively more recent engineering practices include LOPA protection layer elements in the safety-critical elements.
Functional safety assessments and validation activities are critical
The second lesson is that the incident also revealed the importance of functional safety assessments (FSAs) and validation activities, such as Factory Acceptance Tests (FATs), Site Acceptance Tests (SATs), etc. done prior to the start-up of the plant. They are central to detecting errors and prove the importance of planning and conducting such activities and training on how these should be done.
For many projects, stage 3 of the FSA (defined in section 126.96.36.199 of IEC 61511-1:2015, Framework, definitions, system, hardware and application programming requirements) is carried out in the form of yes/no checklists. For instance, the assessment team is asking the design, construction and commissioning teams: "have you done your job well?" and of course the answer is usually "yes" to the yes/no questions, thus ending the FSA easily with minor recommendations only, which should not be the aim of IEC 61511 as it highlights the importance of skills of the assessment team, who should have practical field experience and proper training.
In addition, the incident clearly shows that safety-critical control valves should be part of that assessment in terms of design and testing during the FAT and testing during the operational period. This is often overlooked as the valve is just for control purpose not shutdown. IEC 61511 is focused on safety-instrumented systems, while not all-safety critical elements are part of safety-instrumented systems. Therefore it is important to extend the scope of FAT and FSA in the Standard to safety-critical elements such as control valves.
What does it mean if a plant passes a functional safety assessment after investing in such an assessment but that valves fail and fire or explosion occur? In some organizations which implement a PSSR (Pre-Startup Safety Review) as an equivalent replacement for stage 3 of FSA, there have been fire or explosion incidents although the PSSR was done, as happened in the Bayer CropScience explosion in 2008.
Section 188.8.131.52 of IEC 61511-2:2003, Guidelines for the application of IEC 61511-1, states that "the use of Functional Safety Assessment (FSA) is fundamental in demonstrating that a Safety Instrumented System (SIS) fulfils its requirements regarding safety instrumented function(s) and Safety Integrity Level (SIL). The basic objective of this assessment is to demonstrate compliance with agreed standards and practices through independent assessment of the system’s development process."
Feedback at manufacturing stage, not just site, is important
The third lesson is that the incident also exposed the importance of testing position feedback signals at the manufacturer’s factory and not just leave this to the site activities as a secondary unimportant matter.
Finally, as the improper valve size was the cause, the incident shows also the importance of doing proper control valve sizing by the engineering, procurement, construction (EPC) contractor and not just leave it to the supplier (and pay the supplier more for that!) which is not a good practice done by some oil and gas EPC contractor engineers.
Observing the guidelines contained in the IEC 61511 series should help reduce the likelihood of incidents similar to the one that took place on the Gudrun platform
*Ahmad Hosni, is a Functional Safety Engineer (FS Eng), Certified Functional Safety Expert/Professional (CFSE/CFSP) with TÜV SÜD/CFSE Board CFSP, TÜV Rheinland, as well as a National Fire Protection Association/Certified Fire Protection Specialist (NFPA/CFPS)