
Process safety history

In the 1960s, offshore oil/gas operators formed a committee under the American Petroleum
Institute to write Recommended Practice 14C (API RP 14C) for process safety systems. API RP
14C's official title is Recommended Practice for Analysis, Design, Installation, and Testing of
Basic Surface Safety Systems for Offshore Production Platforms. API RP 14C is presently in its
seventh edition and is required by government regulations for all offshore operators. It outlines
the basic requirements for a process safety system by identifying the normal process
components (vessels, pumps, pipelines, compressors, and the like) on an offshore facility and
the minimum number and type of safety devices required. Specific exemptions are listed when a
safety device may not be required. It is up to the operator to review his design and determine if
each device is either required or not.
API RP 14C provides a simple standard you can easily apply to offshore oil and gas facilities
where the process design is the same basic type that has seen use for years. It errs on the
conservative side by requiring safety devices, which might be excluded under ISA84, IEC
61511, or IEC 61508 analysis. It does not address the implementation of the safety system,
rather focusing on the required functions.
This standard was developed almost 20 years before ISA84, IEC 61511, or IEC 61508. It has
created an approach to process safety that differs from the approach advocated in other
industries in a few key areas.
From the government
One of the major differences between onshore and offshore operations is the involvement of the
Minerals Management Service (MMS), the agency of the Department of the Interior that oversees
all exploration and production activities offshore. API RP 14C requires the development of SAFE
charts (cause-and-effect charts) and safety flow diagrams (P&ID diagrams showing equipment
and safety devices). The MMS requires them to be submitted during the design phase of any
project. The MMS will come out just after start-up to fully inspect the facility and confirm all
equipment and safety devices are as depicted. After that, any changes to the SAFE charts or
safety flows must be reported and approved prior to implementation. The MMS also makes a
yearly trip out to the facility to inspect and report that the operator is performing required testing and
maintaining records.
Failure to follow these requirements can result in the MMS fining or even shutting down the
facility. The MMS also reserves the right to make surprise inspections. This requirement for
review and approval of safety systems receives support from 14C's easy cookbook approach,
which provides for a simple framework. Each type of process equipment (pump, vessel, tank,
pipeline) has a list of the required safety devices and when you can exclude those devices.
In the SAFE chart for each piece of process equipment, all the required safety devices are listed,
and those that have been excluded have the reference to the safety analysis checklist, which
lists all the reasons for excluding a device. The SAFE chart becomes an easy tool to check that
all requirements have been met and what actions the safety devices take.
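The completeness check a SAFE chart supports can be sketched in code. This is an added example, not part of the article or of API RP 14C: the requirement table, component tags, shutdown actions and checklist references are constructed placeholders. Every required device must be either installed with an action or excluded with a checklist reference.

```python
from dataclasses import dataclass, field

# Hypothetical requirement table (placeholder, not the 14C lists):
# component type -> safety devices the chart must account for.
REQUIRED = {
    "vessel": {"PSH", "PSL", "PSV", "LSH", "LSL"},
    "pump": {"PSH", "PSL"},
}

@dataclass
class ChartRow:
    component: str                                  # process component tag
    ctype: str                                      # key into REQUIRED
    installed: dict = field(default_factory=dict)   # device -> action taken
    excluded: dict = field(default_factory=dict)    # device -> checklist ref

def audit(rows):
    """Return sorted (component, device, problem) findings for a chart."""
    findings = []
    for row in rows:
        required = REQUIRED.get(row.ctype)
        if required is None:
            findings.append((row.component, "*", "unknown component type"))
            continue
        for dev in sorted(required):
            inst, excl = dev in row.installed, dev in row.excluded
            if inst and excl:
                problem = "both installed and excluded"
            elif inst and not row.installed[dev].strip():
                problem = "installed but no action listed"
            elif excl and not row.excluded[dev].strip():
                problem = "excluded without checklist reference"
            elif not inst and not excl:
                problem = "required device missing"
            else:
                continue  # device is properly accounted for
            findings.append((row.component, dev, problem))
        for dev in sorted((set(row.installed) | set(row.excluded)) - required):
            findings.append((row.component, dev, "not in requirement table"))
    return sorted(findings)

# Constructed sample chart: V-100 is complete, P-200 and V-300 are not.
SAMPLE = [
    ChartRow("V-100", "vessel",
             {"PSH": "shut in wells", "PSL": "shut in wells",
              "PSV": "relieve to flare", "LSH": "shut in wells"},
             {"LSL": "CHECKLIST-REF-PLACEHOLDER"}),
    ChartRow("P-200", "pump", {"PSH": "stop pump"}, {"PSL": ""}),
    ChartRow("V-300", "vessel",
             {"PSH": "shut in wells", "PSV": "relieve to flare",
              "LSH": "shut in wells", "LSL": "shut in wells"}),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=": ")
```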
Shut it all down
In section 4.2.3, API RP 14C specifically addresses the idea of cascading shutdowns and forbids
the practice. The idea of shutting in an affected vessel and letting the remainder of the process
train react and eventually shut down is called cascading. The 14C specification specifically
forbids cascading with a few reasoned-out exceptions. The idea is any event on a process train
needs to shut down the primary energy source for that process unit and not allow a process upset
to ripple through systems. On an
offshore oil/gas facility, that primary source is usually the oil/gas wells flowing into the facility. As
such, an event on a single vessel will affect the entire facility, especially if it is a process critical
vessel like a flare scrubber or process sump tank. On a typical offshore oil/gas facility, 20 safety
devices will shut in the entire facility. Also, 200-400 safety devices will shut in their specific piece
of equipment or a section of the process train depending on the size and complexity of the
facility.
Not only do safety devices shut in the facility, but so does an extensive network of fire and gas
sensors and emergency shutdown buttons. API RP 14C defines where ESD buttons must be
located on an offshore facility, and they have to effect an entire facility shutdown. There are also
extensive rules on the location of fusible plugs for fire detection in addition to fire/gas sensors.
This philosophy makes sense on an offshore oil/gas facility where stopping the process and
restarting it are not extremely hazardous. The risk of having to perform a restart is dwarfed by
the risk of having an unsafe event on what is essentially an isolated location surrounded by
water with no place to flee. The assumption is this would reduce the facility uptime, but it has
not. Quite a few offshore platforms have achieved long run times. It does make them vulnerable
to false trips, though. But once the oil wells are closed, restarting the facility does not pose
significant hazards.
Test, test again
API RP 14C was written around the technology available at the time in the 1960s and 1970s,
which was pneumatic devices and logic. To provide good reliability, frequent testing was
required; 14C was written around yearly testing, and the MMS imposed stricter testing
requirements. Input devices (shutdown inputs or SDIs) and shutdown valves were required to be
tested monthly and pressure relief valves were to be tested yearly. The advent of reliable
electronic transmitters has allowed the MMS to relax the testing of SDIs using electronic
transmitters to once every three months.
Running any type of process train, which is adverse to process shutdowns in the same manner
as an offshore oil/gas platform, may seem like madness and probably is. The important fact is
API RP 14C has not only been recommended, but it has been the law in the Gulf of Mexico for
the last 40 years.
The more active safety systems employed by offshore oil/gas facilities are prone to spurious
trips due to operator mistakes and process upsets, but you should contrast this against the
safety records achieved. In the last nine years, no process safety related fatalities on offshore
oil/gas platforms have occurred in the Gulf of Mexico. While there have been fires and equipment
failures, the safety systems have worked and performed as expected. During this time, the Gulf of
Mexico has produced over 10 billion barrels of oil equivalent and production crews logged almost
250 million man hours without a process related fatality.
