
Unintended activation of safety functions leading to blackout of MOUs

Single failures in the safety system caused a blackout of rigs after an unintended activation of the safety systems. Such single failures resulted in the loss of more than one detector.
  • Keywords: Casualty information

Relevant for design offices, flag states and owners/managers of mobile offshore units.

Course of events

Single failures in the safety system caused a blackout of rigs after an unintended activation of the safety systems. Such single failures (e.g. failure of I/O cards) resulted in the loss of more than one detector, which the safety logic treated as multiple activated detectors; this, in turn, led the logic to perform shutdown actions. Especially for DP units, this can lead to a dangerous situation, as position is lost and an emergency disconnection might be the result. A blackout also disrupts operations and leads to downtime until all systems have been restarted.

Lessons learned and new requirements for mobile offshore units

This incident is related to a specific requirement in the offshore standard for Automation, Safety and Telecommunication Systems DNVGL-OS-D202 Ch.2 Sec.1 [3.2.2]. The requirement specifies in general that failure of a fire or gas detector shall be considered equivalent to detection and cause fail-safe action. This requirement shall, however, not overrule the fail-safe principles in the offshore standard for Safety Principles and Arrangements DNVGL-OS-A101 Ch.2 Sec.4, as described in the following section.

In order to minimize unintended shutdown of DP and drilling-related systems, the safety system outputs for these shutdowns are configured as NDE (Normally De-Energized, fail-to-maintain). Other safety system outputs are generally configured as NE (Normally Energized, fail-to-tripped state). Thus, the fail-safe condition for equipment handled by an NDE output is to continue to operate, while equipment handled by an NE output is shut down or tripped.

Failure of a fire or gas detector should result in the associated equipment (as defined by the Cause & Effect) going to its fail-safe state. If a detector fails, the associated equipment with NDE outputs shall continue to operate, while the equipment with NE outputs shall be tripped. This ensures that critical equipment keeps operating even if several detectors appear activated because of faults.
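The following is an added illustration, not code from the DNV GL bulletin or from any safety-system vendor: a constructed Cause & Effect with three gas detectors on one I/O card and one on another, evaluated under the inappropriate logic (a lost detector is counted as an activated one for every output) and under the fail-safe logic described above (NDE outputs keep running, NE outputs trip). Detector tags, I/O card names, equipment names and the 2ooN voting threshold are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum

class Det(Enum):
    NORMAL = "normal"
    ACTIVATED = "activated"  # genuine fire/gas detection
    FAILED = "failed"        # signal lost, e.g. because its I/O card failed

class Out(Enum):
    NE = "NE"    # normally energized: fail-safe state is tripped
    NDE = "NDE"  # normally de-energized (DP, drilling): fail-safe state is to keep running

@dataclass(frozen=True)
class Effect:
    equipment: str
    output: Out
    detectors: tuple  # detector tags listed for this equipment in the Cause & Effect
    votes: int        # confirmed detections needed to act, e.g. 2 for 2ooN voting

def inappropriate_logic(effect, states):
    """Logic the bulletin warns about: a lost detector is counted as an activated one
    regardless of output type, so a multi-detector fault reaches the voting threshold."""
    count = sum(states[d] in (Det.ACTIVATED, Det.FAILED) for d in effect.detectors)
    return count >= effect.votes

def fail_safe_logic(effect, states):
    """Revised logic: only genuine detections vote; a lost detector instead drives the
    output to its fail-safe state (NE -> trip, NDE -> continue operating)."""
    if sum(states[d] == Det.ACTIVATED for d in effect.detectors) >= effect.votes:
        return True
    lost = any(states[d] == Det.FAILED for d in effect.detectors)
    return lost and effect.output == Out.NE

def evaluate(effects, states, logic):
    """Names of the equipment the given logic would shut down, sorted."""
    return sorted(e.equipment for e in effects if logic(e, states))

# Constructed example plant (assumed tags): three gas detectors on one I/O card, one on another.
IO_CARDS = {"card-A": ("GD-101", "GD-102", "GD-103"), "card-B": ("GD-104",)}
EFFECTS = (
    Effect("main_generators", Out.NDE, ("GD-101", "GD-102", "GD-103", "GD-104"), 2),
    Effect("drilling_hpu",    Out.NDE, ("GD-101", "GD-102", "GD-103"), 2),
    Effect("hvac_dampers",    Out.NE,  ("GD-101", "GD-102", "GD-103", "GD-104"), 2),
)

def states_after_card_failure(card=None):
    """All detectors healthy, except those on the failed card (if any), which are lost at once."""
    lost = IO_CARDS.get(card, ())
    return {d: (Det.FAILED if d in lost else Det.NORMAL)
            for dets in IO_CARDS.values() for d in dets}
```

With card-A failed, `evaluate(EFFECTS, states_after_card_failure("card-A"), inappropriate_logic)` trips all three consumers (a blackout), while the fail-safe logic trips only the NE-configured dampers; a genuine two-detector gas detection still trips everything under both logics.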

The rules in DNVGL-OS-D202 will be updated accordingly to better reflect this requirement.

Recommendations  

Owners of mobile offshore units designed and constructed to the 2008 revision of DNVGL-OS-D202 or later should evaluate whether there is an inappropriate logic in the control system. Such an inappropriate logic could lead to total shutdown/blackout if several (fire or gas) detector signals are lost at the same time due to a fault in the system or equipment.

In particular, owners of DP units should evaluate the current logic carefully to prevent blackout during DP operations.

Modification of such input logic is normally limited to configuration changes in the safety system and does not require modifications to hardware or cabling. 

The revised documentation should be submitted to DNV GL.

Reference

DNV GL offshore standards (OS) - Automation, safety and telecommunication systems - Document: DNVGL-OS-D202

Contact

Please email Control Systems.