Single failures in the safety system have caused blackouts on rigs through unintended activation of the safety systems. Such single failures (e.g. failure of an I/O card) resulted in the loss of more than one detector, which the safety logic treated as multiple activated detectors and which, in turn, led the logic to perform shutdown actions. DNV GL says that for DP units in particular this can lead to a dangerous situation, as position is lost and an emergency disconnection may be the result. A blackout also disrupts operations and leads to downtime until all systems have been restarted.
Lessons learned and new requirements for mobile offshore units
DNV GL refers to an incident related to a specific requirement in its offshore standard for Automation, Safety and Telecommunication Systems in order to provide lessons learned for mobile offshore units. The requirement specifies, in general, that failure of a fire or gas detector shall be considered equivalent to detection and shall cause fail-safe action.
In order to minimize unintended shutdown of DP and drilling-related systems, the safety system outputs for these shutdowns are configured as NDE (Normally De-Energized, fail-to-maintain). Other safety system outputs are generally configured as NE (Normally Energized, fail-to-tripped). Thus, the fail-safe condition for equipment controlled by an NDE output is to continue operating, while equipment controlled by an NE output is shut down or tripped.
Failure of a fire or gas detector should result in the associated equipment (as defined by the Cause & Effect) going to its fail-safe state. If a detector fails, the associated equipment with NDE outputs shall continue to operate, while the equipment with NE outputs shall be tripped. This ensures that critical equipment keeps operating even when several detectors appear activated because of faults.
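To make the difference between the two logics concrete, the following is an added simulation (not DNV GL's code or any vendor's safety-system configuration). The detector names, I/O card assignment, Cause & Effect rows and 2ooN voting are constructed assumptions; it shows one I/O card failure tripping an NDE output under the inappropriate logic, and the fail-safe rule keeping it running while NE outputs trip.

```python
from dataclasses import dataclass
from enum import Enum
class Det(Enum):
    NORMAL = "normal"
    ALARM = "alarm"
    FAULT = "fault"  # detector lost: line fault or I/O card failure
class Out(Enum):
    NE = "normally energized"      # fail-to-tripped
    NDE = "normally de-energized"  # fail-to-maintain
@dataclass(frozen=True)
class Action:
    name: str
    kind: Out
    detectors: tuple    # detectors feeding this Cause & Effect row
    votes: int = 2      # confirmed detection, e.g. 2ooN (assumed)

def io_card_failure(states, card):
    """Constructed fault: every detector on the failed card reads FAULT."""
    return {d: (Det.FAULT if d in card else s) for d, s in states.items()}

def evaluate(states, actions, fault_is_detection):
    """Commanded state of each C&E action's equipment.
    fault_is_detection=True: a lost detector votes like an activated one
    (the inappropriate logic), so one I/O card failure confirms a detection
    and trips NDE outputs too. False: only real alarms vote; a fault trips
    NE outputs (fail-to-tripped) and leaves NDE outputs running."""
    result = {}
    for a in actions:
        alarms = sum(states[d] is Det.ALARM for d in a.detectors)
        faults = sum(states[d] is Det.FAULT for d in a.detectors)
        if fault_is_detection:
            tripped = alarms + faults >= a.votes
        else:
            tripped = alarms >= a.votes or (faults > 0 and a.kind is Out.NE)
        result[a.name] = "TRIPPED" if tripped else "RUNNING"
    return result

# Constructed example: four detectors on two I/O cards, two C&E rows.
DETECTORS = {"D1": Det.NORMAL, "D2": Det.NORMAL, "D3": Det.NORMAL, "D4": Det.NORMAL}
CARD_A = ("D1", "D2")
ACTIONS = (
    Action("DP thruster power", Out.NDE, ("D1", "D2", "D3", "D4")),
    Action("HVAC fire dampers", Out.NE, ("D1", "D2", "D3", "D4")),
)
if __name__ == "__main__":
    lost = io_card_failure(DETECTORS, CARD_A)
    print("inappropriate:", evaluate(lost, ACTIONS, fault_is_detection=True))
    print("fail-safe:    ", evaluate(lost, ACTIONS, fault_is_detection=False))
```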
Recommendations
Owners of mobile offshore units designed and constructed to the 2008 revision of DNVGL-OS-D202 or later should evaluate whether there is inappropriate logic in the control system. Such logic could lead to a total shutdown/blackout if several (fire or gas) detector signals are lost at the same time due to a fault in the system or equipment.
In particular, owners of DP units should evaluate the current logic carefully to prevent blackout during DP operations.
Modification of such input logic is normally limited to configuration changes in the safety system and does not require modifications to hardware or cabling.
Source & Image Credit: DNV GL