The Weekly Reflektion 44/2022
Automatic safety systems fulfil an important function in the prevention of unsafe conditions and the escalation of any incident. Failure to register and react to alarms and overriding key safety functions can compromise this function and make any facility vulnerable to a Major Accident. It seems obvious that alarm handling and control of overrides should be a key focus for both personnel working in the control room and for the facility management. Experience demonstrates it may not be as obvious as one may think.
A typical console and monitors for a process control and shutdown system
Do you have satisfactory alarm handling and adequate control of overrides?
Prevention of hydrocarbon leaks is a key factor in the prevention of major accidents and a focus area for the industry and the authorities in the petroleum industry in Norway. A review of the causes of hydrocarbon leaks in the period 2018 to 2022 highlighted several incidents where gas detectors were overridden after a hydrocarbon leak was detected. This was presumably done to prevent a production shutdown and depressurisation of the process facilities. The central control room (CCR) operators presumably thought they had adequate control of the situation and the potential for escalation and decided to intervene to prevent a production loss. As in many incident investigations the reasons for the interventions are not reported presumably because the investigation team did not ask the required ‘why’ questions. That’s three presumptions so far and unfortunately, we are unlikely to get more clarity. The potential for learning is diminished, however hopefully not completely lost.
A recent leak of hydrocarbon from a subsea well in Norway was caused by a material failure on a pipe spool. The low-pressure switch on the flowline was overridden preventing the well from being automatically shut in. The leak was not discovered until half an hour after the mechanical failure, when oil was noted on the surface by the crew of the standby vessel. The reason for the mechanical failure was reported in the investigation report however the reason for the override was not, although the investigation indicated a deviation from the relevant procedure.
On modern process control and shutdown systems safety switches are overridden electronically on the monitors, normally in the CCR. Typically, an override will prevent the signal from progressing through the system logic and executing the programmed actions. Normally the change in status of the overridden switch from normal to activated will give an alarm in the CCR so that the operator is informed of the status and can take any action that may be necessary in the developing situation. It is not clear from the investigation whether the alarm was activated or noted. The alarm handling system was however criticised since there was a significant number of non-critical alarms that were continuously coming in and made it difficult for the CCR operator to distinguish critical alarms.
Inadequate control of overrides and poor alarm handling have also been identified in audits carried out by the Petroleum Safety Authority (PSA) in Norway. The reports are available on the PSA website and are worth a review for anyone interested in improving their systems.
Disabling the function of safety systems can lead to a Major Accident. While we have no reason to doubt that the overrides in the above examples were put in place with the best intentions, we would remind our readers of what the road to disaster is paved with.