Offshore Oil Platform Safety System

Rationale: The duty holder has a legal obligation under the Safety Case Regulations to demonstrate that major accident hazard risks are reduced to ALARP. The safety system is the primary engineered barrier between a process upset and a catastrophic event. Without timely detection and response, minor releases escalate to fires, explosions, and potential loss of life.

Rationale: Offshore Installation Managers and platform operators need confidence that in any credible emergency scenario, the safety system provides sufficient warning, communication, and evacuation support to get all personnel off the installation before conditions become unsurvivable. This is the overriding stakeholder concern — every other safety function exists to buy time for evacuation.

Rationale: The regulatory authority (HSE in UK, BSEE in US) requires formal demonstration that safety instrumented systems meet recognised functional safety standards. Non-compliance risks enforcement action including prohibition notices that halt production. IEC 61511 is the process-sector implementation of IEC 61508 and is the universally accepted basis for SIS design in oil and gas.

Rationale: Platform operators and the duty holder need the safety system to be dependable in both directions: it must trip when needed (safety integrity) and not trip when not needed (availability). Each spurious platform shutdown costs approximately USD 1-5 million in lost production and restart costs. Excessive spurious trips also degrade operator confidence, increasing the risk of alarm overrides. The one-per-year target balances safety and operational economics per industry practice.

Rationale: Maintenance technicians on offshore platforms operate under severe logistical constraints — helicopter access, limited crew size, compressed maintenance windows during turnarounds. If proof testing requires a process shutdown, it either doesn't get done (degrading safety integrity over time) or requires costly production outages. Online testing capability is essential to maintain target SIL throughout the proof test interval.

Rationale: The 10-second detection confirmation window derives from the overall escalation timeline analysis: a typical high-pressure gas release reaches flammable cloud dimensions within 30-60 seconds. Combined with the <1s ESD actuation requirement, a 10s detection window leaves approximately 20-50s margin before ignition probability becomes significant. The 20% LEL threshold is the industry-standard alarm setpoint per EN 60079-29-1, providing early warning before reaching the 60% LEL high-alarm trip threshold.

Rationale: The 1-second actuation budget is allocated from the overall safety system response time target. Logic solver scan time (100ms) plus solenoid valve response (200ms) plus ESD valve stroke time (remaining budget) must fit within 1s. This is achievable with TMR logic solvers and spring-return fail-close actuators. Exceeding 1s delays isolation of the hydrocarbon source, allowing the flammable inventory to grow and increasing the probability and severity of ignition.

Rationale: SIL 3 allocation for ESD Level 1 functions derives from the LOPA (Layer of Protection Analysis) performed during the Safety Case. An ESD Level 1 failure leaves the platform with no automated means of isolating the entire hydrocarbon inventory during a confirmed major hazard. The 1x10^-3 PFDavg is the upper boundary of SIL 3 per IEC 61511 Table 4, and the 12-month proof test interval reflects the typical offshore maintenance cycle (annual turnaround).

Rationale: The 2-second activation time ensures the PA/GA alert reaches personnel before the physical effects of the hazard (gas migration, radiant heat). The 65 dBA above ambient threshold is the minimum per ISO 7731 to ensure alarm audibility in process areas with ambient levels of 85-95 dBA. STI >= 0.5 (the 'fair' intelligibility threshold per IEC 60268-16) is necessary for personnel to understand verbal evacuation instructions above background noise — lower STI means personnel cannot distinguish muster commands from abandon commands.

Rationale: Directly derived from the stakeholder one-per-year spurious trip target. The 8760-hour MTBST maps to this target for continuous-demand assessment. Achieving this with SIL 3 integrity requires careful architectural design — TMR voting (2oo3) in the logic solver, redundant sensors with voting, and diagnostic coverage to distinguish dangerous failures from safe failures. Without this target, the system would be over-conservative and economically unviable.

Rationale: The 10.2 L/min/m2 rate derives from NFPA 15 / EN 13565-1 for hydrocarbon pool fire suppression on offshore platforms. The 30-second delivery time accounts for deluge valve opening (5s), ring main pressurisation (10s), and system charge time (15s). The 4-hour endurance derives from the worst-case fire scenario duration identified in the Quantitative Risk Assessment, accounting for the time to depressurise and isolate all hydrocarbon inventories plus a safety margin.