GENERAL SPECIFICATION SAFETY

GS EP SAF 261
Emergency Shutdown and Emergency De-Pressurisation (ESD & EDP)

Rev. | Date    | Notes
03   | 01/2011 | General review
02   | 10/2005 | Completely reviewed and moved PPR to GS EP SAF
01   | 2003    | Change of group name and logo
00   | 04/2001 | Old TotalFina SP SEC 261

Owner: EP/HSE
Managing entity: EP/SCR/ED/ECP

Contents

Scope
   Purpose of the specification
   Application
Reference documents
Terminology and definitions
Emergency Shutdown (ESD)
   ESD purposes
   Definition of the shutdown matrix
   Integration of packages
   Cascades and response time
Emergency De-Pressurisation (EDP)
   EDP application
   EDP requirements
Architecture of the safety shutdown system
   General
   Principles of separation of Safety Instrumented Systems
   Reliability requirements
   Transmission of signals
   Means of segregation
Shutdown devices, protection and other requirements
   Shutdown devices
   Physical position and protection
   Isolations by ESDVs and SDVs
   Additional functional requirements
   EDP system - Protection and additional requirements
Appendix 1 Ultimate Safety System

Page 2/46

1. Scope

1.1 Purpose of the specification

The purpose of this General Specification is to define the safety requirements for the design of the Emergency Shutdown (ESD) and Emergency De-Pressurisation (EDP) systems of hydrocarbon production, processing and storage installations. Transportation pipelines are excluded from this General Specification.

In accordance with the API RP 14J hazard tree for production installations, these systems contribute to the fulfilment of the following objectives:
- Containment of hydrocarbon: limit the loss of containment by isolating incoming and outgoing hydrocarbon flows (ESD).
- Prevention of ignition: isolate and de-energise potential sources of ignition (ESD).
- Mitigation: depressurise equipment under fire (EDP); reduce or minimise hydrocarbon inventory by routing to the flare/vent (EDP); reduce the quantity released through a leak (EDP); initiate active fire-fighting.

1.2 Application

This General Specification is not retroactive. It shall apply to new installations and to major modifications or extensions of existing installations, both onshore and offshore, including interfaces with wells and pipeline systems. It is also applicable to Vendor packages. It also contains the functional requirements of Fire & Gas systems.

This General Specification is limited to safety matters and does not cover in particular:
- Design of well-head control panels (GS EP INS 147)
- Design of control and safety instrumented systems (GS EP INS 134)
- Strict application to sub-sea control systems (GS EP SPS 019)
- Design of High Integrity Protection Systems (HIPS) (GS EP SAF 260)
- Design of pressure protection relief, such as PSVs, TSVs, etc. (GS EP SAF 262)
- Design of hydrocarbon disposal systems, such as flares, vents, pits, etc. (GS EP SAF 262)
- Design and sizing criteria of process (GS EP ECP 103)
- Design of the Fire & Gas detection systems (GS EP SAF 312)
- Hardware design and construction of Fire & Gas systems (GS EP INS 134)
- Design of Burner Management Systems (GS EP SAF 227)
- Emergency Release Systems (ERS) of (un-)loading arms
- Pipeline proprietary safety systems (SSIV, GOV, etc.)

2. Reference documents

The reference documents listed below form an integral part of this General Specification. Unless otherwise stipulated, the applicable version of these documents, including relevant appendices and supplements, is the latest revision published at the EFFECTIVE DATE of the CONTRACT.

Standards
Reference | Title
IEC | Functional safety of electrical/electronic/programmable electronic safety-related systems
IEC | Functional safety - Safety instrumented systems for the process industry sector
ISO / API RP 14B | Petroleum and natural gas industries - Subsurface safety valve systems - Design, installation, operation and redress
ISO / API STD 521 | Petroleum and natural gas industries - Pressure-relieving and depressuring systems

Professional Documents
Reference | Title
API RP 14C | Recommended Practice for Analysis, Design, Installation, and Testing of Basic Surface Safety Systems for Offshore Production Platforms
API RP 14J | Recommended Practice for Design and Hazards Analysis for Offshore Production Facilities

Regulations
Reference | Title
Not applicable

Codes
Reference | Title
Not applicable

Other documents
Reference | Title
Operating Philosophy
Safety Concept
Statement Of Requirements (SOR)

Total General Specifications
Reference | Title
GS EP ECP 103 | Process sizing criteria
GS EP INS 120 | Control Valves
GS EP INS 134 | Design and supply of integrated control and safety system
GS EP INS 137 | On/off valve control panels and actuators functional and construction requirements
GS EP INS 147 | Design and supply of wellhead control panels
GS EP INS 150 | Design method for system configuration - standard functions
GS EP INS 196 | Input and Output Standard Functions
GS EP INS 198 | Safety and Fire & Gas Standard Functions
GS EP PLR 100 | Submarine pipeline systems
GS EP PLR 104 | Onshore pipeline systems
GS EP PVV 112 | Piping material classes
GS EP PVV 142 | Valves
GS EP PVV 211 | Design and fabrication of pressure vessels according to ASME VIII
GS EP SAF 021 | Layout
GS EP SAF 226 | Completed wells safety systems and safety rules
GS EP SAF 227 | Safety rules for fired heaters
GS EP SAF 253 | Impacted area, restricted area and fire zones
GS EP SAF 260 | Design of High Integrity Protection Systems (HIPS)
GS EP SAF 262 | Pressure protection relief and hydrocarbon disposal systems
GS EP SAF 312 | Fire and gas detection systems
GS EP SAF 337 | Passive fire protection: Basis of design
GS EP SAF 371 | Emergency control facilities
GS EP SPS 019 | Subsea production control system

3. Terminology and definitions

There are five types of statements in this specification: the shall, should, may, can and must statements. They are to be understood as follows:

Shall: Is to be understood as mandatory. Deviating from a shall statement requires derogation approved by Company.
Should: Is to be understood as strongly recommended to comply with the requirements of the specification. Alternatives shall provide a similar level of protection and this shall be documented.
May: Is to be understood as permission.
Can: Is to be understood as a physical possibility.
Must: Expresses a regulatory obligation.

Note that will is not to be understood as a statement. Its use is to be avoided, unless it is necessary to describe a sequence of events.

For the purpose of this specification, the following definitions shall apply:

Abnormal operating condition: Condition which occurs in a process equipment or unit when an operating parameter ranges outside of its normal operating limits. (API)

Availability: Proportion of the total time during which a component, equipment, or system is performing in the desired manner. (UKOOA)

Blowdown (gas): Used as a synonym for emergency depressurisation (see below).

Blowdown (liquid): Control actions undertaken in response to a hazardous situation, to dispose of the liquid hydrocarbon inventory present in a capacity. (Company)

Blowdown Valve (BDV): Actuated fail-to-open valve, remotely operated by the ESD system to vent the pressure-containing unit or equipment to a safe location upon an emergency shutdown action. (Company)

Boiling Liquid Expanding Vapour Explosion (BLEVE): Sudden rupture due to fire impingement of a vessel and/or system containing liquefied flammable gas under pressure; the pressure burst and the flashing of the liquid to vapour creates a blast wave and potential missile damage, and immediate ignition of the expanding fuel-air mixture leads to intense combustion creating a fireball. (UKOOA) It is caused by the reduction of the vessel metal strength due to heat competing with the increasing pressure of the liquefied gases inside the vessel.

Cascade: In the context of ESD, a cascade is a series of actions; cascaded actions are not direct actions; they are either process-cascaded (e.g. high pressure propagates downstream from the source) or instrument-cascaded (e.g. a high shutdown level triggers the lower shutdown levels).

Confirmed: In the context of Fire & Gas detection, means that at least two out of N sensors have detected fire or gas.

Diversity (Diversification): Different means of performing a required function. Diversity may be achieved by different physical methods or different design approaches (with the aim of minimising the common mode of failure). (IEC + Company)

Emergency De-Pressurisation (EDP): Control actions undertaken to depressurise equipment or process down to a pre-defined threshold (generally 7 barg or 50% of design pressure) in a given period of time (generally 15 minutes) in response to a hazardous situation. (ISO + Company)

Emergency Shutdown (ESD): Control actions undertaken to shut down equipment or process in response to a hazardous situation. (ISO)

Emergency shutdown system: Safety Instrumented System (SIS) consisting of manual release stations and automatic devices which, when activated, initiate installation shutdown. (Company)

Emergency Shutdown Valve (ESDV): Actuated fail-to-close valve, handling a hazardous fluid, remotely operated by the ESD system upon an emergency shutdown action, and located either:
a) at the limit of a fire zone,
b) within a fire zone to limit hydrocarbon inventory in isolatable sections,
c) at fuel distribution points to fired equipment. (Company)

Equipment: Any component or group of components specifically identified and itemised on the P&IDs. (Company)

Failure: Termination of the ability of a device or equipment item to perform a required function. (IEC + API)

Fire and Gas (F&G) system: Safety Instrumented System (SIS) which monitors the temperature or the energy flux (fire) and the concentration of flammable or toxic gases (gas), and initiates relevant actions (alarm, ESD, EDP, active fire-fighting, electrical isolation, etc.) at pre-determined levels. (Company)

Fire zone: Area within the installation where equipment is grouped by nature and/or homogeneous level of risk attached to them. The partition of an installation into fire zones results in a significant reduction of the level of risk. This implies that the consequences of a fire, flammable gas leak or explosion corresponding to the credible event likely to occur in the concerned fire zone shall not impact other fire zones to an extent where their integrity could be put at risk. (GS EP SAF 253)

High Integrity Protection System (HIPS): Independent Safety Instrumented System (SIS) designed to protect a particular part of the installation against a possible particular operating condition (e.g. pressure, temperature, flow, level) exceeding the design parameters of that part of the installation. It does not duplicate the PSS or ESD system, but provides an independent additional layer of protection, with sufficient reliability and a response time faster than the possible occurrence of the excessive operating condition, so as to make the probability of exceeding the design parameters lower than the target value. (refer to GS EP SAF 260)

Installation: Technical unit in which dangerous substances are produced, used, handled or stored, including all the equipment, structures, pipework, machinery, tools, private railway sidings, docks, unloading quays serving the installation, jetties, warehouses or similar structures, floating or otherwise, necessary for the operation of the installation. (Company, from European Directive 96/82/EC dated 9 December 1996) (GS EP SAF 021)

Not permanently manned installation: Installation where personnel can be present, but less than 12 hours per day or less than 40 hours per week. (Company)

Package: Prefabricated process or utility self-contained unit, generally able to operate on its own, supplied fully tested and ready for immediate installation, being supplied by a designated package Vendor. (GS EP INS 120)

Permanently manned installation: Installation where personnel are routinely present for more than 12 hours per day. (API + Company)

Pressure Safety Valve (PSV): Valve releasing fluid contained inside process equipment in order to ensure that the prevailing pressure does not exceed the design pressure. (Company)

Process Safety System (PSS): Safety Instrumented System (SIS) dedicated to the shutdown to a safe state of particular units or equipment (e.g. SD-3). (Company)

Redundancy: Existence of means, in addition to the means that would be sufficient for a functional unit to perform a required function or for data to represent information. (IEC)

Reliability: Probability that an item is able to perform a required function under stated conditions for a stated period of time or for a stated demand. (UKOOA)

Reset: Return of a system or component from its safety shutdown state to its normal shutdown state, to enable the normal start-up procedure; reset can be local and/or remote, manual or automatic. (Company)

Safety Instrumented System (SIS): System comprising dedicated sensors, logic solvers and final control elements for the purpose of taking a process automatically to a safe state when normal predetermined set points are exceeded, or when safe operating conditions are violated. (IEC, ISO, API) Multiple independent SIS normally exist at one installation (e.g. PSS, ESD, F&G, HIPS), forming together the safety shutdown system. Each SIS is entirely independent (logic and hardware) of the Process Control System (PCS) and of any other SIS, so as to avoid any common cause failure, meaning separate sensors, logic solvers and final control elements. (GS EP INS 134)

Safety Integrity: Average probability of a safety instrumented system satisfactorily performing the required safety instrumented functions under all the stated conditions within a stated period of time. (IEC)

Safety Integrity Level (SIL): Discrete level (one of four) for specifying the safety integrity requirement of the Safety Instrumented Functions (SIF) to be allocated to the Safety Instrumented System (SIS). Safety Integrity Level 4 has the highest level of safety integrity; Safety Integrity Level 1 has the lowest. (IEC) SIL is a measure of the risk reduction provided by a Safety Instrumented Function (SIF), based on four levels. Each level represents an order of magnitude of risk reduction. Every Safety Instrumented Function (SIF) has a SIL assigned to it.

Shutdown (SD): Control actions undertaken to stop operation of equipment or a process. The word Shutdown normally implies the shut-in of wells, the tripping of machines, the closing of valves and dampers, the opening of certain valves, the electrical isolation of consumers, and the shut-off of ignition sources. Shutdown can be automatically triggered or initiated by voluntary action.

Shutdown Valve (SDV): Actuated fail-to-close valve, remotely operated by the Process Shutdown System (PSS) to isolate an individual unit/equipment. Note: SDVs are sometimes referred to as Process Shutdown Valves (PSDV). The acronyms SDV and PSDV are considered equivalent, but SDV is used in this specification because SDVs may be installed in non-process applications. (Company)

Temperature Safety Valve (TSV): Device releasing hydrocarbon trapped inside a capacity (usually a pipeline section) submitted to heat input, in order to maintain pressure below design pressure. (Company)

Ultimate Safety System (USS): Optional Safety Instrumented System (SIS) designed to act in parallel with the ESD system. (Company)

Uninterruptible Power Supply (UPS): System comprising battery chargers, stationary batteries and distribution panels, and supplying without interruption DC control power for switchgear, instrumentation and telecommunication systems, and/or emergency or essential services. (Company)

Unit: Division of the installation into a reasonable number of geographic and functional groups of equipment having the same type (hydrocarbon, pressure, inventory, ignition, etc.) and levels (high, medium, low) of risks. (Company)

4. Emergency Shutdown (ESD)

4.1 ESD purposes

ESD system is used here as a generic term and in fact covers both the process shutdown (SD) and the emergency shutdown (ESD) functions.

General philosophy

A safety shutdown system consists of independent safety instrumented systems at different levels: process (PSS), emergency (ESD), fire & gas (F&G) and optionally an ultimate safety system (USS), each of them consisting of a set of safety loops. In general, safety loops themselves consist of field sensors (initiators), logic solvers and final elements (e.g. valves). The ESD system is associated with other independent safety systems (e.g. PSVs, HIPS) and safeguard systems (fire fighting, escape evacuation and rescue, personnel protection systems, etc.) to reduce the industrial risk of the installation.

The main purposes of the safety shutdown system are:
- To limit the loss of containment, by isolating hydrocarbon production, processing and storage equipment,
- To protect personnel, environment and asset,
- To execute automatically a set of remedial actions, upon manual or automatic triggering,
- To prevent ignition by elimination of potential sources of ignition,
- To reduce flammable or toxic inventory by depressurisation through the EDP system, when appropriate.

Additional design considerations

The design of the ESD system shall take into account the needs resulting from normal operation and shall also fulfil the requirements that may arise during other possible (and likely to occur) abnormal or down-graded configurations. It is not the purpose of this General Specification to define the methodology that will be used to select the relevant operating configurations. Nevertheless the following issues shall be adequately addressed when relevant:
- Tripping or stopping an equipment or unit does not necessarily eliminate all sources of hazard. New hazards can appear as a consequence of the loss of essential utilities such as essential power, air, hydraulics, etc. These new hazards shall be identified and mitigated, and the associated risks shall be assessed.

- All operating configurations generated by the ESD system shall be safe, stable and reversible. All ESD related transitions from one operating configuration to another shall be safe.
- The ESD shall be compatible with the re-start philosophy. All operating configurations of the re-start sequence, from total black shutdown status to full production status, shall be safe, stable and reversible. The inevitable inhibitions of the control and safety systems during the re-start sequence shall be identified, and shall be limited in number, time and duration.

Particular operations

Specific attention shall be paid to non-routine operating conditions and to the suitability of the ESD system, in combination with the EDP system, to deal with them. The main scenarios contemplated shall be:
- Abnormal or down-graded situations: well servicing (e.g. wireline job on a well), short-time deviation from product specification, maintenance of a safety system, etc.
- Simultaneous operations: drilling/work-over and production, construction and production, maintenance and production, etc. Each operation shall be safe, but specific attention shall be paid to the safety of the combination resulting from their simultaneity (example: simultaneous maintenance on two systems).

In some cases, particular operating conditions may require a different shutdown logic than that, or the combination of those, applicable under normal circumstances. For instance:
- A specific ESD logic can be activated when a wireline job starts or when operators come to a not permanently manned wellhead platform.
- A temporary enhanced ESD logic can prove beneficial for simultaneous construction/major overhaul and production.
- An installation can operate under different conditions, e.g. high, medium or low pressure. Each condition may require a different ESD logic, but the differences shall be limited to process shutdowns. Emergency shutdowns shall result in the same actions independent of the condition.

Before switching over between different ESD logics, the proper line-up of equipment and the status of valves need to be verified. This particular operation shall be addressed in the Safety Concept and the Operating Philosophy.

4.2 Definition of the shutdown matrix

Definition of shutdown levels

It is common practice within Company to define a maximum of four typical shutdown levels of decreasing criticality, numbered 0 to 3 and affecting:
- all installations within a single restricted area (level-0 = ESD-0)
- a given fire zone within the installation (level-1 = ESD-1)
- a given unit within a given fire zone (level-2 = SD-2)
- an individual equipment or package within a given unit (level-3 = SD-3)

Level-0 and level-1 shall be called ESD levels because they involve either fire/gas detection in an unconfined environment (hence a situation subject to possible escalation) or manual emergency action. Level-2 and level-3 shall be called SD levels because they correspond either to a mere process upset or to confined fire/gas detection (sufficiently well contained) not immediately threatening the safety of the installation and of the personnel.

The safety shutdown system of an installation, consisting of a set of safety loops and devices, comprises different sub-systems organised as complementary barriers to the Process Control System, as represented in the schematic in figure 1.

Figure 1 - Schematic of safety shutdown system operation. Layers shown, from normal operation to the most severe situation: Normal Operation (PCS); Deviation Outside Operating Limits of an Equipment/Package: SD-3 (PSS); Deviation Outside Operating Limits of a Process Unit: SD-2 (ESD); Emergency Situation: ESD-1 (ESD); Offshore Pre-Abandonment: ESD-0 (ESD).

For each installation an ESD/SD logic shall be defined and represented in an ESD/SD logic diagram. This logic is based on the hierarchy of ESD and SD levels, level N activating level N+1. The ESD/SD logic diagram shows the hierarchy of ESD and SD levels and all their causes and actions in the form of a shutdown logic diagram (see also section 4.2.8). The ESD/SD logic diagram shall cover the whole installation. The causes and actions shall be described at a functional level (type and location of detection, closure/opening of valve, tripping of equipment, etc.).

Each level is subdivided into several safety bars (up to one bar per equipment). The number of safety bars varies with the type of installation, the number of fire zones and their location, the number of independent units in each fire zone and other characteristics. Each case is specific, and the following development is intended to provide guidelines and simplified examples.

Reference is made to figure 2 and figure 3, two typical shutdown logic diagrams, respectively for an offshore processing installation and for a wellhead & riser platform with test separator. At detailed engineering phase, each inhibit required to start up the installation shall be clearly indicated on the safety bar diagrams for each item concerned. Safety bars can be presented either as vertical or horizontal bars, but the presentation shall be consistent within a Company subsidiary.
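The hierarchy above (level N activating level N+1, and an ESD-1 also shutting down the units outside the zone that feed it, as in the ESD-1 actions later in this section) is easy to get wrong in a logic diagram when a unit is fed from two zones or when an SD-3 is mistaken for a cause of escalation. The following is an added worked example, not code from GS EP SAF 261 or from Company: a small Python model of the cascade that returns every activated node for a given trigger. The installation topology and all tag names (FZ-1, U-100, V-101, RA-1, etc.) are constructed assumptions.

```python
"""Added worked example, not part of GS EP SAF 261: a minimal model of the
ESD/SD hierarchy, where level N activates level N+1
(ESD-0 -> ESD-1 of every fire zone -> SD-2 of every unit in the zone ->
SD-3 of every equipment item in the unit) and where an ESD-1 also initiates
the SD-2 of units outside the zone that send hydrocarbons into it.
The installation topology and all tag names below are constructed samples."""

from typing import Dict, List, Set, Tuple

Node = Tuple[str, str]  # (level, target), e.g. ("ESD-1", "FZ-2")


class Installation:
    """One restricted area: fire zones -> units -> equipment, plus the
    hydrocarbon feeds from units to fire zones."""

    def __init__(self, zones: Dict[str, Dict[str, List[str]]],
                 feeds: Dict[str, Set[str]]) -> None:
        self.zones = zones   # zone -> {unit: [equipment tags]}
        self.feeds = feeds   # unit -> set of fire zones it sends hydrocarbons to

    def zone_of(self, unit: str) -> str:
        for zone, units in self.zones.items():
            if unit in units:
                return zone
        raise KeyError(f"unknown unit {unit}")


def propagate(inst: Installation, trigger: Node) -> List[Node]:
    """Return every shutdown node activated by `trigger`, in activation order.
    The cascade is strictly top-down (instrument-cascaded in the sense of the
    definitions section): an SD-3 never raises an SD-2 or ESD-1 by itself;
    escalation upward is a separate cause in the logic diagram."""
    activated: List[Node] = []
    seen: Set[Node] = set()

    def fire(node: Node) -> None:
        if node in seen:          # a unit reached twice is shut down once
            return
        seen.add(node)
        activated.append(node)
        level, target = node
        if level == "ESD-0":      # whole restricted area: ESD-1 of every fire zone
            for zone in inst.zones:
                fire(("ESD-1", zone))
        elif level == "ESD-1":    # fire zone: SD-2 of every unit inside it ...
            for unit in inst.zones[target]:
                fire(("SD-2", unit))
            # ... and of the units elsewhere that send hydrocarbons into it
            for unit, dest_zones in inst.feeds.items():
                if target in dest_zones and inst.zone_of(unit) != target:
                    fire(("SD-2", unit))
        elif level == "SD-2":     # unit: SD-3 of every equipment item in it
            for equipment in inst.zones[inst.zone_of(target)][target]:
                fire(("SD-3", equipment))
        elif level != "SD-3":     # SD-3 is the leaf; anything else is a typo
            raise ValueError(f"unknown shutdown level {level}")

    fire(trigger)
    return activated


# Constructed sample: two fire zones; unit U-100 in FZ-1 exports to FZ-2.
SAMPLE = Installation(
    zones={
        "FZ-1": {"U-100": ["V-101", "P-102"]},
        "FZ-2": {"U-200": ["V-201"], "U-210": ["P-211"]},
    },
    feeds={"U-100": {"FZ-2"}},
)

if __name__ == "__main__":
    for trigger in (("SD-3", "V-201"), ("ESD-1", "FZ-2"), ("ESD-0", "RA-1")):
        print(trigger, "->", propagate(SAMPLE, trigger))
```

Running the sample shows the three behaviours the text requires: an SD-3 on V-201 activates nothing else, an ESD-1 on FZ-2 shuts down U-200 and U-210 and also U-100 in FZ-1 (because it feeds FZ-2) while leaving FZ-1 itself in ESD-1-free state, and an ESD-0 reaches all ten nodes exactly once.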

4.2.2 Differences onshore/offshore

The fundamentals driving shutdown logic design are always the same; however the environment (onshore versus offshore) leads to three main differences:

ESD-0

The ESD-0 level shall be applicable for permanently manned offshore installations, unless statutory requirements do not impose it and a risk assessment (size, lay-out and manning criteria) demonstrates that ESD-0 is not necessary. In all other cases, i.e. not permanently manned offshore installations and all onshore plants (regardless of size), the number of shutdown levels may be limited to three, starting from the ESD-1 level. The wordings "muster & evacuation of personnel" and "muster" denote voluntary procedures involving personnel but are not to be considered as ESD levels.

Emergency De-Pressurisation (EDP)

EDP is applicable to offshore and onshore installations if the criteria developed in the Emergency De-Pressurisation (EDP) section are met. For all offshore installations (permanently and not permanently manned), EDP shall (if installed) be automatic upon activation of the ESD-1 level. This requirement is not compulsory for onshore installations, and the EDP strategy shall be duly addressed in the Safety Concept.

Figure 2 - Typical shutdown logic diagram (offshore processing installation). The content of the diagram is summarised below, level by level; the notes are reproduced as on the figure.

ESD-0 total black shutdown
  Causes: push buttons at the muster points and at the emergency control centre.
  Actions: ESD-1 of all fire zones; muster alarm and evacuation alarm; total electrical isolation (except consumers suitable for Zone 1).

ESD-1 fire zone emergency shutdown (ESD-1 gas, ESD-1 fire)
  Causes: ESD-0; remote ESD-1 through telemetry (if any); UPS battery low voltage; other faults of essential utilities (if any); gas detection in the fire zone; gas detection in technical room; confirmed gas from package; fire detection in the fire zone.
  Actions: SD-2 of all units in the fire zone; muster alarm; close ESDVs; electrical isolation (normal and essential consumers); open BDVs of the fire zone; activate fire fighting in the fire zone.

SD-2 unit shutdown
  Causes: ESD-1; process fault; power failure; LSHH flare drum; PSLL instrument air; PSLL fuel gas; PSLL / LSLL.
  Actions: SD-3 of all equipment in the unit; unit shutdown and trip of all equipment; shutdown of non-essential utilities; permissive to blowdown the unit; unit depressurisation, i.e. open BDVs of the unit (after permissive to BD).

SD-3 equipment / package shutdown (SD-3 gas, SD-3 fire)
  Causes: SD-2; equipment fault; gas detection (specific equipment); fire detection (specific equipment).
  Actions: open/close SDVs; electrical shutdown of the equipment; close fire dampers and shut down HVAC; activate local fire fighting equipment; open equipment BDVs (as relevant and if any); shut down the equipment.

Note 1: To avoid an uncontrolled sequence of ESDV/BDV closing/opening.
Note 2: Confirmed gas detection from a package F&G system, only if required, e.g. HVAC.
Note 3: Also to other units if common.
Note 4: As an alternative, LSHH flare drum could also initiate an ESD-1 (risk assessment).
Note 5: List to be assessed on a case by case basis.
Note 6: Close ESDVs if no SDVs upstream; PSLL/LSLL used as leak detection devices.
Note 7: Closing of fuel gas ESDVs serving the concerned equipment.
Note 8: Emergency/vital systems remaining powered: telecom, PA/GA, and post-lube (if any).
Note 9: Pressurised shutdown of entire fire zone.
Note 10: Depressurised shutdown of entire fire zone.
Note 11: HMI annunciation "Permissive to Blowdown" when SD-2 has been activated.

Figure 3 - Typical shutdown logic diagram (wellhead & riser platform with test separator). The content of the diagram is summarised below; the notes are reproduced as on the figure.

ESD-1 platform emergency shutdown (ESD-1 gas, ESD-1 fire)
  Causes: remote ESD-1 through telemetry (if any); push buttons at the muster points; gas detection in ventilation ducts; gas detection outdoor (if any); fire detection in electrical room; fire detection outdoor.
  Actions: SD-2 production/process, SD-2 departure and SD-2 transfer; close departure ESDV(s) (outlet); close transfer ESDV(s) (inlet); platform electrical shutdown (note 3, note 4); muster alarm; open BDVs (if any); activate firefighting where applicable.

SD-2 production / process, SD-2 departure (note 1), SD-2 transfer (note 2)
  Causes: ESD-1; process fault; essential utility fault; PSHH/PSLL manifold; PSHH departure; PSLL departure.
  Actions: SD-3 of all wells, of the test separator and of the chemical packages; open by-pass valve.

SD-3 all wells: PSHH / PSLL well shut-in; close WV (wing valve); close SSV (master valve); close DHSVs (if SCSSV type); close gas-lift injection valves (if applicable).
SD-3 test separator: process fault; close SDVs inlet & outlet.
SD-3 chemical packages: process fault; trip pump(s) of chemical package(s); trip sump tank pump (if any).

note 1: downstream of production manifold where connecting with transfer manifold
note 2: assuming transfer manifold ties in upstream of platform outlet ESDV
note 3: emergency & vital systems remaining powered: navaids, emergency lighting, general alarm, telecom and public address (if any)
note 4: shutdown crane engine if diesel powered
note 5: as an alternative and based on risk assessment, LSHH flare drum can also initiate an ESD-1

De-energising

De-energising, including battery powered systems but with the exception of emergency devices (emergency lighting, navigation aids, etc.), shall be achieved on permanently manned offshore installations through activation of ESD-0. Onshore this functionality does not have to exist and shall then be compensated by the implementation of a specific push button for each fire zone that performs total de-energising, including UPS powered equipment. A possible exception (onshore and offshore) is for emergency post-lube pumps, machinery helpers, etc., and only if they are suitable for operation in a Zone 1 hazardous area.

ESD-0 (total black shutdown)

This is the highest level of ESD, intended to make an installation safe before evacuation. This level concerns the restricted area of a petroleum installation. There shall be one ESD-0 for each restricted area. Although very rare, two or more completely independent installations may be present within the property boundaries of the same site, i.e. each installation runs independently with different sources of power and controls and they are at sufficient distance from each other, thus creating several (non-overlapping) restricted areas. Each restricted area then has its own ESD-0 instead of a common site ESD.

Causes

ESD-0 is manually initiated, only once the voluntary decision has been taken by the person in charge, i.e. the RSES (French abbreviation for Responsable Sécurité Environnement de Site, translated in English as Site Safety Environment Manager), to evacuate the installation. Exceptionally it is automatically initiated. This is only the case when the ESD and F&G systems have to be de-energised due to the presence of a flammable atmosphere in the building where the ESD and F&G systems are located (generally the CCR). Whenever possible, an installation should be designed to avoid the need for automatic ESD-0 initiation (1) (2).

(1): As far as practicable, buildings containing the ESD and F&G systems (I/O cabinets, racks, power supplies and PLCs) should be located outside the restricted area of the installation. If so, the initiation of ESD-0 shall only be manual.
(2): If not practicable, the probability of a spurious ESD-0 on false gas detection in the CCR shall be minimised by implementing 2oo3 voting of the gas detectors in the air inlets and air locks, and by having the gas detectors located downstream of the HVAC inlet shutter (fire dampers) close the dampers first, before initiating ESD-0.

Actions

- ESD-1 of all fire zones within the restricted area.
- Shutdown of all process and utility systems, with depressurisation, for all fire zones in the restricted area (1) (2).
- Shut-off or isolation of all potential sources of hazard and ignition, including essential and emergency loads, except navigational aids (marine and aviation) and emergency lighting.

17 Shut-off or isolation of all potential sources of hazard and ignition is achieved without delay. Shutdown after a pre-set time (normally not exceeding 1 hour) of the critical communications within the installation (public address) and with external parties (radio, satellite, etc.). Audible alarm and visual signals for personnel to muster and prepare for evacuation. All the equipment and their associated power supply systems, staying operational after an ESD-0, shall be certified for Zone 1 hazardous area and shall have their own dedicated uninterruptible power supply (UPS). ( 1 ): ESD-0 does not stop diesel engine driven firewater pumps if they were already started up automatically (selector on automatic mode and signal from F&G system, or PSLL ring main). ( 2 ): Some post-lubrication pumps may need to be kept in service to prevent damage of a major rotating equipment. To prevent major loss in the event of an ESD-0, this equipment may be kept in service. It shall however be stopped after a pre-set time, i.e. the run-down of the machine, and this shall be duly addressed in the Safety Concept ESD-1 (fire zone emergency shutdown) There is one ESD-1 for each fire zone within the restricted area and it is the highest level of shutdown which allows the presence of personnel on site. All hydrocarbon flows within the fire zone shall be stopped and hydrocarbon inventories blocked-in and possibly released upon an ESD-1. As fire and gas detection leads to different actions, the ESD-1 shall be further split into ESD-1/F for the particular fire case, ESD-1/G for the particular gas detection case and the subsequent generic ESD-1 fire zone Causes The list of causes given below is not exhaustive, and other causes may be identified in Safety Concept, HAZID, HAZOP etc. ESD-0 within the restricted area. Manual initiation through push button (based on a probable or actual, catastrophic situation). 
- A signal from the installation F&G system: (1) (2)
  - Outdoor (or in a not totally enclosed area) flammable gas detection in the fire zone,
  - Gas detection in the HVAC inlets of technical rooms located in the fire zone,
  - Gas detection in the air inlets of fired equipment located in the fire zone,
  - Outdoor fire detection in the fire zone.
- Detection of inevitable loss of a utility which is essential for the safety of the installation:
  - PSLL flare purge gas, unless the flare or vent system has been designed for internal deflagration (see GS EP SAF 262),

  - UPS low voltage (loss of power supply to ESD and F&G systems),
  - Other utility failures, as advised by a specific study (3).
(1): Fire detection inside an instrument technical room does not result in an ESD-1, as the local fire extinguishing and HVAC isolations are deemed effective.
(2): Fire detection in an electrical room does not result in an ESD-1, except in remote and not permanently manned premises where intervention is not quickly possible.
(3): On permanently manned facilities, extreme temperatures in ICSS cabinets trigger an alarm only (TSL or TSH) to the operator; no automatic ESD-1 is required. On not permanently manned installations, the default approach is the same.
Leak detection (PSLL, LSLL, etc.) on process systems shall be studied on a case by case basis. PSLL on an incoming or departing pipeline, or on inlet or outlet piping, shall trigger ESD-1/G if there is no dedicated FGS in the installation.

Actions
- SD-2 of all units, process and utility (4) systems, within the fire zone.
- Close all ESDVs.
- Close the SCSSV (Surface Controlled Subsurface Safety Valve) of the wells located within the fire zone. (1)
- Main power supply (and power generation if located in the fire zone) electrical isolation, thereby tripping all motors in the fire zone.
- Tripping of the large electrical motors (redundant with main power supply isolation).
- Upon confirmed fire and/or gas detection, automatic emergency de-pressurisation (EDP) offshore, and optional onshore.
- Open all the BDVs (Blowdown Valves) in the fire zone with a pre-set time delay (30 s to 1 min).
- If de-pressurisation is not automatically initiated upon ESD-1/F and/or ESD-1/G, a push button located in the CCR initiates ESD-1/F and/or ESD-1/G and opens all BDVs with a pre-set time delay.
- Initiate the SD-2 of the hydrocarbon units located outside the ESD-1 fire zone which send hydrocarbons to the ESD-1 fire zone.
- In case of gas detection, shut-off of all potential sources of hazard and ignition in the fire zone (except running firewater pumps, see note (1) under ESD-0), and except controls and emergency or vital equipment on individual battery systems and suitable for Zone 1. (2) (3)
- In case of confirmed fire detection, activation of fire-fighting means in the fire zone.
- Audible alarm and visual signals for personnel to escape from the fire zone and to muster.
(1): SSVs (Surface Safety Valves) of the wells are closed at the SD-3 level (via the SD-2 level); SCSSVs and SSVs are regarded as ESDVs.
(2): The list of controls and emergency or vital equipment on individual battery systems includes:
  - Controls: F&G, ESD, PSS, PCS, at least one radar.

  - Emergency: PA/GA, part of external telephone, marine/aero VHF/UHF, post-lube where relevant, fire pumps.
  - Vital: emergency escape signs, navaids, emergency lighting on batteries if any.
(3): Confirmed gas detection outdoors inside a given FZ does not require immediate electrical isolation of the FZ technical room if the HVAC system is designed for recirculation mode with gas-tight dampers.
(4): A time delay to shut down the utilities, where applicable, may be acceptable.

SD-2 (unit shutdown)
There is one SD-2 for each independent functional unit. SD-2 shuts down one production, processing, transfer or utility unit within a fire zone. In the case of cascaded SD-2s involving different units, the shutdown of the fuel-gas system that is still required for power generation or flare purge gas shall be avoided; the fuel gas supply shall therefore have redundant sources. There is no F&G input at SD-2 level: F&G initiates either ESD-1 (outdoor detection) or SD-3 (specific to an equipment or package).

Causes
The list of causes given below is not exhaustive; other causes may be identified in the Safety Concept, HAZID, HAZOP, etc.
- ESD-1 of the fire zone to which the unit belongs.
- ESD-1 of another fire zone to which the concerned unit's fire zone sends, or from which it receives, hydrocarbons.
- Manual initiation through push button (based on a probable or actual unit failure).
- Process fault or failure that requires the automatic shutdown of the unit and would inevitably have resulted in a complete shutdown of the production/process unit by cascade.
- Detection of inevitable loss of a utility which is essential for production/process in the unit:
  - LSHH in the flare KO drum(s) connected to the unit,
  - PSLL instrument air/gas serving the unit,
  - Loss of normal power.
Leak detection (PSLL, LSLL, etc.) on process systems shall be studied on a case by case basis. PSLL on an incoming or departing pipeline, or on inlet or outlet piping, shall trigger SD-2 if there is a dedicated FGS in the installation.
LSLL triggers SD-3 (SDV to close) or SD-2 of the unit, on a case-by-case basis.

Actions
- SD-3 of all equipment within the unit; close the associated SDVs.

- To avoid cascaded shutdown, shutdown of some non-hydrocarbon treatment units which are directly linked to production/process but not required when production/process is stopped (e.g. chemical injection into the production/process hydrocarbon flow).
- Send a signal (e.g. by telemetry) to close remotely operated choke valves of the wells outside the unit which send hydrocarbons to the concerned unit.
- Close departing pipeline ESDVs upon their corresponding leak detection PSLL.
- Permissive to perform manual depressurisation, if relevant to the concerned unit.

SD-3 (equipment shutdown)
There is one SD-3 for each process or utility equipment within a unit. The objectives of an SD-3 shutdown are to put the equipment in a safe position and to give the operator the opportunity to prevent escalation to a higher (SD-2 or ESD-1) shutdown level. In some cases, equipment can have different SD-3 sequences depending on the tripping fault. Where fire and gas detection lead to particular and different actions, the SD-3 of an equipment shall be further split into SD-3/F for the particular fire case, SD-3/G for the particular gas detection case, and the subsequent generic SD-3 of the equipment. The SD-3 logic is mainly processed in the PSS system (process equipment) but in some cases in the ESD system (utility equipment). For PSS and ESD systems refer to chapter 6 (Architecture of the safety shutdown system).

Causes SD-3
The list of causes given below is not exhaustive; other causes may be identified in the Safety Concept, HAZID, HAZOP, etc.
- SD-2 of the unit.
- Manual initiation through push button (based on a probable or actual equipment failure).
- For prime movers and machinery, manual initiation (push button) from a local panel.
- Trip of a process or utility operating parameter (excursion outside operating limits).
- Fire or gas detection inside an equipment enclosure.
Leak detection (PSLL, LSLL, etc.) on process systems shall be studied on a case by case basis.
LSLL triggers SD-3 (SDV to close) or SD-2 of the unit, on a case-by-case basis.

Actions SD-3
- Close SDVs or open SDVs (for diverting purposes) through the PSS system.
- Close some specific ESDVs (e.g. fuel supply to packages) through the ESD system.
- Close the SSV (Surface Safety Valve) of the wells located within the fire zone. (1)
- Stop motors.
- Initiate package shutdown, e.g. compressor package.
- Shutdown of a production or utility equipment, with either (if relevant) automatic depressurisation or (if required) unlatching of a permissive-to-depressurise lock, thereby allowing manual emergency depressurisation.

- In case of gas detection inside an enclosure (from an internal gas source), shut-off of all potential sources of hazard and ignition within the enclosure (including essential loads), except emergency or vital equipment on individual battery systems and suitable for Zone 1.
- In case of fire detection inside an enclosure, activation of fire-fighting means in the equipment enclosure and closure of dampers (as relevant).
(1): SCSSVs (Surface Controlled Subsurface Safety Valves) of the wells are closed through the ESD-1 level; SCSSVs and SSVs are regarded as ESDVs.

Technical rooms
Fire detection inside a technical room has no interface with the ESD system, as local fire-fighting and HVAC isolations are handled by the F&G system with local actions only (see also note (1) under ESD-1 causes).
Gas detection inside a technical room (electrical and/or instruments) shall lead to a total de-energising of the equipment it houses, resulting in the stopping of all process or utility units they serve, including their controls. However, Company considers it desirable to follow the shutdown sequence in an orderly fashion (refer to section 4.4) rather than abruptly interrupting the power supply. The issue of gas detection in technical rooms shall therefore be resolved as follows:
Technical room serving only one fire zone:
  - Gas detection triggers first the ESD-1/G of the concerned fire zone, resulting in closing/opening of ESDVs/BDVs and electrical isolation of normal and essential consumers of the concerned fire zone,
  - Subsequently, after a suitable time delay (1), follows the total electrical isolation of the vital and emergency consumers of the concerned fire zone, including the controls (2),
  - After de-energisation of controls, some emergency consumers suitable for operation in Zone 1 hazardous area and supplied with their own independent batteries may remain live (e.g.
    emergency post-lube, emergency telecom, escape lighting appliances, etc.),
  - Gas detection in a technical room does not initiate an ESD-0 (if this level exists).
Technical room serving several fire zones:
  - The same approach as above is used, whereby all ESD-1/Gs of the several fire zones are initiated simultaneously.
  - The simultaneous opening of the BDVs of several fire zones constitutes a common failure mode that shall be contemplated at design stage and taken into consideration for the sizing of the flare system (see section 5.2.6) and, if relevant, of other systems.
(1): i.e. longer than all time delays built into the ESD, to allow the completion of the shutdown sequence before switching off the remaining power supplies.
(2): Manual actuation of the de-energisation of emergency/vital systems, including controls, is acceptable only if the three following conditions are met:
  - onshore plant with sufficient spacing between process units and technical rooms,
  - control room permanently manned,
  - two barriers for gas detection: i) air inlets and air locks, ii) inside the room.

As a consequence of what precedes, particular attention shall be paid to gas detection in air ducts to instrument or electrical rooms, which is further developed in GS EP SAF.

Definition of ESD documents
The safety of all process units shall comply with API RP 14C, both offshore and onshore. The methods described therein, SATs (Safety Analysis Tables) and SACs (Safety Analysis Checklists), are to be used. The following ESD documents shall be prepared and submitted for Company's approval:
- During pre-project: ESD block logic diagrams (also named "safety bar diagrams"),
- During Basic Engineering / FEED: SAFE charts, ESD cause and effect matrices,
and shall be adequately maintained through all following design and construction phases until the final as-built revision has been approved by Company.
If the ESD shutdown logic diagram requires more than one page, the first page(s) should give priority to the higher levels (ESD-0, ESD-1 and SD-2 should appear on the first page). One item, cause or action, should in principle appear only once in the logic diagram.

Well work
If well servicing devices draw (partly) their energy from the installation (or platform) power supply and distribution system, then all hazardous well situations that could result from the de-energising of the installation (or platform) shall be carefully assessed, studied and addressed in the SIMOPS dossier. As de-energising might lead to an exceedingly hazardous situation if it occurs during a critical well-related activity, it is Company's philosophy to use only autonomous well servicing devices (work-over rig, pulling rig, wireline winch, etc.).

Logic summary
The shutdown actions are summarised in the following table.

| Actions \ Shutdown type | ESD-0 | ESD-1 | SD-2 | SD-3 |
| Fire zone ESD | all | yes | no | no |
| Unit shutdown | all | in fire zone | yes | no |
| Equipment shutdown | all | in fire zone | in unit | yes |
| ESDV closure | all | in fire zone | no (1) | no (1) |
| SDV closure (2) | all | in fire zone | in unit | in equipment |
| Automatic EDP (offshore) | yes | in fire zone | (3) | (3) |
| Automatic EDP (onshore) | (n.a.) | (3) | (3) | (3) |
| Permissive to depressurise | (n.a.) | (n.a.) offshore, (3) onshore | (3) | (3) |
| Activate fire-fighting | no | in fire zone (4) | no | in equipment (4) |
| Emerg./vital loads trip | yes (5) | no | no | yes (6) |
| Essential loads trip | all | in fire zone | no | yes (6) |
| Non-essential loads trip | all | in fire zone | in unit | yes |
| Stop HVAC (9) | all | in fire zone | no | in equipment (7) |
| Evacuation of personnel | yes (8) | no (8) | no (8) | no (8) |
| Muster of personnel | yes | from fire zone | no (8) | no (8) |

(1): Some ESDVs can already be closed upon an SD-2 or SD-3 signal (see figures 2 and 3).
(2): Some SDVs can be diverting valves opening upon the SD signal.
(3): Permissive or automatic EDP as required by process and equipment.
(4): In case of confirmed fire detection.
(5): Except emergency lighting and navigation aids in all cases.
(6): In case of gas detection, and only for electrical equipment not suitable for operation in Zone 1 hazardous area.
(7): In case of fire detection, or gas detection in combustion/ventilation air ducts to the equipment.
(8): Escape and evacuation as necessary and depending on conditions.
(9): Depending on the shutdown cause, HVAC can go to recirculation mode if suitably designed (e.g. fire and gas-tight dampers).
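To make the hierarchy concrete, the following added worked model (not part of the specification) propagates a single initiating cause through the levels of the table above, applying the direct-action rules given for each level; the two-fire-zone topology, equipment tags, units and hydrocarbon flows are constructed assumptions.

```python
"""Shutdown hierarchy model (ESD-0 > ESD-1 > SD-2 > SD-3) from GS EP SAF 261.

Added worked example, not part of the specification.  The plant topology
(tags, units, fire zones, hydrocarbon flows) is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Equipment:
    tag: str
    unit: str
    fire_zone: str


# Constructed topology: two fire zones, four units, five pieces of equipment.
PLANT = (
    Equipment("V-101", "U-100", "FZ-1"),   # inlet separator
    Equipment("P-102", "U-100", "FZ-1"),   # export pump
    Equipment("K-201", "U-200", "FZ-1"),   # gas compressor
    Equipment("V-301", "U-300", "FZ-2"),   # test separator
    Equipment("G-901", "U-900", "FZ-2"),   # power generation (utility unit)
)

# Hydrocarbon transfers between units, (sender, receiver); constructed.
HC_FLOWS = (("U-300", "U-100"), ("U-100", "U-200"))

# Levels from highest to lowest, as in the logic summary table.
LEVELS = ("ESD-0", "ESD-1", "SD-2", "SD-3")


def fire_zones(plant):
    return sorted({e.fire_zone for e in plant})


def zone_of_unit(plant, unit):
    return next(e.fire_zone for e in plant if e.unit == unit)


def propagate(level, target, plant=PLANT, flows=HC_FLOWS):
    """Shutdowns implied by one initiating cause, as a set of (level, target).

    Follows the direct-action rules of the specification:
      ESD-0          -> ESD-1 of every fire zone
      ESD-1 of zone  -> SD-2 of every unit in the zone, plus SD-2 of the units
                        outside the zone that send hydrocarbons into it
      SD-2 of unit   -> SD-3 of every equipment in the unit
    target is None for ESD-0, otherwise a fire zone, a unit or an equipment tag.
    """
    actions = set()
    pending = [(level, target)]
    while pending:
        lvl, tgt = pending.pop()
        if (lvl, tgt) in actions:
            continue
        actions.add((lvl, tgt))
        if lvl == "ESD-0":
            pending += [("ESD-1", z) for z in fire_zones(plant)]
        elif lvl == "ESD-1":
            units = {e.unit for e in plant if e.fire_zone == tgt}
            # Units outside the zone feeding hydrocarbons into it get SD-2 too.
            units |= {s for s, r in flows
                      if zone_of_unit(plant, r) == tgt and zone_of_unit(plant, s) != tgt}
            pending += [("SD-2", u) for u in sorted(units)]
        elif lvl == "SD-2":
            pending += [("SD-3", e.tag) for e in plant if e.unit == tgt]
    return actions


def edp_zones(actions):
    """Fire zones whose BDVs open: EDP is split by fire zone, so only zones
    under ESD-1 depressurise (every zone on ESD-0, none on SD-2 or SD-3)."""
    return sorted(t for lvl, t in actions if lvl == "ESD-1")


def highest_level(actions):
    """Highest shutdown level reached (ESD-0 ranks above ESD-1, and so on)."""
    return min((lvl for lvl, _ in actions), key=LEVELS.index)


if __name__ == "__main__":
    for cause in (("SD-3", "V-101"), ("SD-2", "U-100"),
                  ("ESD-1", "FZ-1"), ("ESD-0", None)):
        acts = propagate(*cause)
        print(f"{cause}: {highest_level(acts)}, {len(acts)} actions, "
              f"EDP in {edp_zones(acts) or 'no zone'}")
```

Note how an ESD-1 of FZ-1 reaches U-300 in FZ-2 (it feeds FZ-1) without escalating to an ESD-1 of FZ-2, so only FZ-1 is depressurised.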

4.3 Integration of packages
It is essential that the shutdown logic diagrams integrate all safety functions related to packages, including those not yet ordered. Package Vendors shall provide their shutdown logic documents following the same principles as for the main shutdown logic. The same ESD documents as for the rest of the process and equipment, plus the integration of the package shutdown logic into the main shutdown logic, shall be submitted during the design phase for Company's approval (see section 4.2.8).

4.4 Cascades and response time
It is Company practice to prefer direct actions to cascaded actions, and instrumented cascades to process cascades. This means that faults or failures which would inevitably, by cascade, result in an ESD/SD level N shall initiate that ESD/SD level N directly through the ESD/SD logic. Although direct actions normally ensure the fastest response time, the response time issue shall be carefully considered and all precautions shall be taken to avoid the system being over-responsive. This shall be achieved by an appropriate differential between alarm set points (in the PCS system) and trip set points (in the PSS/ESD systems), and through a critical selection of triggering causes.

5. Emergency De-Pressurisation (EDP)
The considerations developed in this chapter are only applicable to emergency depressurisation when used for safety purposes; they do not cover operational depressurisation imposed by other operating conditions or process status. Some equipment requires depressurisation after a fault, e.g. gas compressors after a seal-oil failure, or the voluntary depressurisation of a test separator. Such operational cases shall be subject to a specific study.
The main purposes of EDP are:
- To reduce the risk of vessel or piping rupture due to thermal stress during a fire,
- To minimise the fuel inventory which could supply a fire,
- To minimise the release of flammable or toxic product in case of non-ignited loss of containment.

5.1 EDP application

Applicability to installations
An EDP system is regarded by Company as the most efficient means, upon confirmed fire and/or gas detection, of mitigating consequences (especially for gas handling installations). On permanently manned hydrocarbon handling installations, an EDP shall be installed according to the decision criteria set out in section 5.1.3 (Decision criteria). On not permanently manned hydrocarbon handling installations, the installation of an EDP system is regarded as an asset / environment protection measure and shall be addressed in the Safety Concept. If an EDP is required, then the same criteria as those applicable to permanently manned hydrocarbon handling installations shall apply.

The presence of a fire water deluge system does not invalidate in any way the need for an EDP system. Conversely, the existence of an automatic EDP system may impact the design of a deluge system and may reduce the overall deluge requirement, e.g. on onshore gas handling facilities where hydrocarbon inventories are quickly reduced by the EDP system.

Applicability to equipment
EDP capability shall be provided for equipment (consisting in itself of vessels, piping and/or machinery) or piping that can be both isolated and exposed to fire simultaneously, and only if the pressure prevailing in these systems and/or the hydrocarbon inventory they contain is sufficient to justify this option (refer to section 5.1.3). For scenarios of non-ignited loss of containment of flammable/toxic product, the need for EDP will be assessed on a case by case basis.
Furthermore, the EDP system shall be such that piping associated with equipment is depressurised together with the equipment, and that no equipment or piping system, regardless of its maximum operating pressure, its volume or its exposure to fire, is left pressurised between two equipment (or piping systems) that have been depressurised.
A specific case for not adhering to the Company practice stated above is the finger-type slug catcher. Finger-type slug catchers with sufficient distance from the process units (refer to GS EP SAF 021 and GS EP SAF 253) can be considered as pipeline (refer to GS EP PLR 104). A PSV, and where necessary a TSV, designed for the fire case shall provide adequate overpressure protection, and consequently they shall not be equipped with an EDP system.
If deemed necessary, they may be fitted with a depressurisation system, with or without remote opening of the depressurisation valve(s), sized to achieve full depressurisation over a period of time substantially longer than what is imposed by the functional requirements presented below.

Decision criteria
The criteria used to decide whether a BDV is required are summarised in the following table:

| Piping or vessel | BDV required |
| That cannot be isolated | No |
| That can be isolated but cannot be exposed to fire (1) | No (2) |
| That can be isolated and can be exposed to fire (1) (3): | |
|   - Flammable gas | P > 7 barg and P.V_gas > 100 bar.m3 (5) |
|   - Liquefied HC (4) | M_gas or M_liq > 2 tonnes of C4 and more volatile |
|   - Liquid HC | No (6) |
|   - Two-phase | P > 7 barg and P.V_gas > 100 bar.m3 (5) |
|   - Toxic gases | As required for protection of personnel |

P: maximum operating pressure (based on PSHH, see section 5.2.2)
V_gas: maximum gas volume inside vessel or piping or both (based on LSLL)

M_gas: maximum mass of hydrocarbon gaseous phase inside vessel and/or piping
M_liq: maximum mass of liquefied hydrocarbon liquid phase inside vessel and/or piping
(1): Isolation performed manually and/or automatically.
(2): Except piping interconnecting equipment or vessels between other vessels already subject to EDP within the same process unit, regardless of pressure and volume.
(3): Piping or vessels shall be considered as possibly exposed to fire if part or the whole of it is inside the 3D Fire Scenario Envelope (FSE), defined as a cylinder with a default radius of 12 m and height of 7.5 m, or submitted to a jet fire lasting more than 3 minutes. Default values may be adapted to specific hydrocarbon risks.
(4): Either refrigerated or under pressure.
(5): The presence of pressurised fluid trapped in the network after EDP shall be avoided (the position of control valves failing to close and/or of check valves shall be carefully contemplated).
(6): PSV or TSV fire case shall be considered as sufficient protection (refer to GS EP SAF 262).

Applicability to volatile liquids
Liquid (crude oil or stabilised condensate) Emergency Blowdown (EBD) (1) of a set of equipment exposed to fire is not recommended, as it reduces the thermal capacity of the concerned vessel and increases the risk of fire escalation to adjacent fire zones. Passive fire protection devices are regarded as more efficient and shall therefore be given preference.
Liquid EBD may however be appropriate in the case of volatile liquids (LPG or unstabilised condensate) to achieve the required reduction of pressure in the allowable period of time. The major risk upon loss of containment for these installations could be a BLEVE, hence the requirement for quick disposal through a liquid EBD. If this is the case on onshore installations, special attention should be paid to the design of the drainage network used to dispose of the liquids.
In particular, pipe sizing and supporting (risk of two-phase flow and subsequent unsteady flow regime) and pipe metallurgy (effects of sudden cooling due to a rapid pressure drop) shall be subject to a specific study.
(1): EBD must not be confused with EDP. Vessels containing only liquids (e.g. molecular sieve dryer) may still need to be fitted with a BDV for EDP purposes, as per the requirement set forth in note (4) of section 5.1.3 (Decision criteria).

5.2 EDP requirements

General
The EDP system shall be designed to reduce pressure from an initial pressure down to a specified threshold over a stipulated period of time. Both parameters (initial/intermediate pressures and depressurisation time) shall be considered for the design of the EDP system. An EDP shall continue down to atmospheric pressure; no regret/interrupt procedure is allowed.
Sizing of BDVs and their downstream restriction orifices, to match the requirements below, shall be based on the assumption that during a fire all flows incoming to and outgoing from the system are stopped and all internal heat sources within the process, if any, have ceased.

5.2.2 Initial and intermediate pressures
The initial pressure to be considered shall be the maximum operating pressure, which will normally correspond to the PSHH. The intermediate pressure to be considered shall be either 7 barg or 50% of the design pressure, whichever is the more stringent, with the fire heat input being taken into account. This permits more rapid control of the situation in which the source of fire is the leakage of flammable materials from the equipment being depressurised (refer to ISO / API STD 521). This fire heat input calculation shall be as per ISO / API STD 521 and shall take into account the presence of passive fire protection, if any.

Depressurisation time
As a general rule, the time to achieve the intermediate pressure level after an EDP has been initiated shall by default be 15 minutes for piping and vessels containing hydrocarbon, whether gas or liquid. This default depressurisation time is for a vessel wall thickness of 25 mm; for thinner walls, the depressurisation time shall be reduced, i.e. by 3 minutes for each 5 mm. For thicker walls, the depressurisation time cannot be longer than 15 minutes unless a specific study is validated by Company.
This default depressurisation time does not depend on the type of HC fluids. It is based on pool fire scenarios, not on jet fires nor on pool fires with high Surface Emissive Power. A specific study may be necessary to refine calculations and assess the whole fire risk.
Where passive fire protection is applied on vessels or piping, the depressurisation time may be extended up to 30 minutes maximum. The wall temperature shall not exceed 400 °C. For this application, Company's approval is required and it shall be supported by a specific study.

Automatic EDP
On hydrocarbon handling installations, an EDP shall always be installed when permanently manned and is optional (addressed in the Safety Concept) when not permanently manned.
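The decision table of section 5.1.3 and the pressure and time targets of sections 5.2.2 and 5.2.3 written as executable rules, as an added example that is not the specification's own tool; the sample systems are constructed, and the FSE geometry convention (cylinder centred on the fire source and standing at the source elevation) and the full-step reading of the "3 minutes per 5 mm" rule are assumptions.

```python
"""BDV decision criteria (section 5.1.3) and EDP sizing targets (sections 5.2.2
and 5.2.3) of GS EP SAF 261 as executable rules.

Added worked example, not part of the specification.  The sample systems at
the bottom are constructed; geometry and rounding assumptions are noted inline.
"""
import math
from dataclasses import dataclass

FSE_RADIUS_M = 12.0     # default Fire Scenario Envelope cylinder radius
FSE_HEIGHT_M = 7.5      # default FSE cylinder height
JET_FIRE_LIMIT_S = 180  # a jet fire lasting more than 3 minutes also counts


def exposed_to_fire(dx_m, dy_m, dz_m, jet_fire_s=0.0):
    """True if a point at offset (dx, dy, dz) from the fire source is inside the
    default FSE cylinder, or a jet fire of more than 3 min impinges.
    Assumption (not in the spec): the cylinder is centred on the source and
    stands on the source elevation."""
    inside = math.hypot(dx_m, dy_m) <= FSE_RADIUS_M and 0.0 <= dz_m <= FSE_HEIGHT_M
    return inside or jet_fire_s > JET_FIRE_LIMIT_S


@dataclass(frozen=True)
class System:
    tag: str
    fluid: str                  # gas | two_phase | liquefied | liquid | toxic_gas
    isolable: bool              # note (1): manual and/or automatic isolation
    fire_exposed: bool          # note (3): see exposed_to_fire()
    p_barg: float = 0.0         # P: maximum operating pressure (PSHH)
    v_gas_m3: float = 0.0       # V_gas: maximum gas volume (LSLL basis)
    m_gas_t: float = 0.0        # M_gas: tonnes of C4 and lighter, gas phase
    m_liq_t: float = 0.0        # M_liq: tonnes of C4 and lighter, liquefied phase
    between_edp_items: bool = False  # note (2): piping linking vessels under EDP


def bdv_required(s):
    """(decision, reason) per the decision table; None means case-by-case."""
    if not s.isolable:
        return False, "cannot be isolated"
    if not s.fire_exposed:
        if s.between_edp_items:
            return True, "note (2): piping between vessels already subject to EDP"
        return False, "isolable but not exposed to fire"
    if s.fluid in ("gas", "two_phase"):
        pv = s.p_barg * s.v_gas_m3
        return (s.p_barg > 7.0 and pv > 100.0,
                f"P = {s.p_barg:g} barg, P.V_gas = {pv:g} bar.m3")
    if s.fluid == "liquefied":
        m = max(s.m_gas_t, s.m_liq_t)
        return m > 2.0, f"{m:g} t of C4 and more volatile"
    if s.fluid == "liquid":
        return False, "note (6): PSV/TSV fire case is sufficient protection"
    if s.fluid == "toxic_gas":
        return None, "as required for protection of personnel"
    raise ValueError(f"unknown fluid class {s.fluid!r}")


def intermediate_pressure_barg(design_pressure_barg):
    """7 barg or 50% of design pressure, whichever is lower (more stringent)."""
    return min(7.0, 0.5 * design_pressure_barg)


def depressurisation_time_min(wall_mm, passive_fire_protection=False):
    """Maximum time allowed to reach the intermediate pressure.

    15 min for a 25 mm wall, 3 min less per 5 mm of thinner wall (each started
    5 mm step counted in full: a conservative reading, assumed here), never
    more than 15 min for thicker walls without a specific study, and up to
    30 min with passive fire protection (Company approval and study required)."""
    if passive_fire_protection:
        return 30.0
    if wall_mm >= 25.0:
        return 15.0
    steps = math.ceil((25.0 - wall_mm) / 5.0)
    return max(0.0, 15.0 - 3.0 * steps)


# Constructed sample systems (not from the specification).
SAMPLES = (
    System("V-101", "gas", True, True, p_barg=60.0, v_gas_m3=5.0),     # PV = 300
    System("V-102", "gas", True, True, p_barg=6.0, v_gas_m3=100.0),    # P <= 7
    System("V-103", "liquefied", True, True, m_liq_t=3.0),             # > 2 t
    System("T-201", "liquid", True, True, p_barg=12.0),               # note (6)
    System("L-301", "gas", True, False, p_barg=60.0, v_gas_m3=50.0,
           between_edp_items=True),                                    # note (2)
    System("L-302", "gas", False, True, p_barg=60.0, v_gas_m3=50.0),   # not isolable
)

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.tag, *bdv_required(s))
    print("inside FSE 10 m away, same level:", exposed_to_fire(10, 0, 0))
    print("intermediate pressure, 10 barg design:", intermediate_pressure_barg(10))
    print("time for a 20 mm wall:", depressurisation_time_min(20))
```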
Wherever an automatic EDP system is provided, the safety of traffic (helicopters, boats, roads, etc.) shall be taken into consideration and particular operating procedures implemented, e.g. provisions to apply and conditions to invoke a temporary override.

Offshore
All offshore EDP systems shall be triggered automatically by emergency conditions such as a major gas leak and/or fire outdoor (confirmed fire and/or gas detection), or by voluntary activation of the ESD-0, ESD-1/F or ESD-1/G push buttons.

Onshore
On onshore permanently manned installations, a manual EDP push button at a strategic location, interlocked with a permissive-to-EDP instruction from the ESD system, is the preferred alternative, unless other site-specific constraints impose otherwise.

On onshore not permanently manned installations, the EDP systems, if installed, shall be automatic and triggered by outdoor fire and/or gas detection as well as by activation of the ESD-1 emergency push buttons.

Phasing
It is considered that depressurising zones unexposed to the hazard could be more dangerous than useful. Therefore the EDP system shall be split by fire zone: in case of confirmed fire and/or gas detection, only the concerned fire zone shall be depressurised. Phasing within one fire zone shall be avoided. If such phasing is deemed necessary, a proposal shall be submitted for Company's approval indicating its justification and the technical provisions selected to ensure that common mode failures will not impair the flare/vent system integrity.

ESD-0 and common mode of failure
If EDP is applicable to more than one fire zone, the simultaneous opening of all BDVs of all fire zones (either by activation of ESD-0 or following a general fault) shall be dealt with as follows:
- If the flare/vent system can safely handle the total flow resulting from the simultaneous EDP of all fire zones, no special precaution shall be taken and no EDP phasing by fire zone is required.
- If the flare/vent system cannot handle the total flow resulting from the simultaneous EDP of all fire zones, then phased EDP by fire zone in case of ESD-0 is the only option left, provided the BDVs of the different fire zones have no common mode of failure.
The means implemented to avoid a common mode of failure or simultaneous EDP of all fire zones in case of ESD-0 shall be carefully designed. They shall cater, among other possible causes, for global failure of the UPS supplying the solenoid valves controlling the BDVs and for the reliability of the ESD system:
- The installation of one UPS dedicated to each fire zone is highly recommended, along with separated cable routing or independent technical (battery) rooms.
- The installation of a dedicated ESD PLC for each fire zone is highly recommended, and it shall be capable of keeping the solenoid valves energised for a while even after the power supply has been switched off (see also section 5.2.7).

BDV timers
In order to prevent flare overload, local BDV timers (pneumatic or hydraulic) shall be installed to ensure that ESDVs are closed before BDVs are opened (short delays, in the order of a few seconds and within the limits of the rules set forth in section 7.1.2). BDV electronic timers can be considered where the UPS remains active for a sufficient time to avoid flare overload scenarios.
Such local timers are forbidden as a means of achieving the phased depressurisation mentioned under Phasing above. If such phasing is necessary, a proposal shall be submitted for Company's approval indicating its justification and the technical provisions selected to ensure that common mode failures will not impair the flare/vent system integrity.

Controlled de-pressurisation
Restriction orifices are accepted to limit the flow from each BDV.

Controlled depressurisation systems, monitoring flow-rates and pressures at various strategic locations of the flare header(s), are sometimes envisaged in order to limit the peak flow-rate. Such systems shall be prohibited for new designs. In the case of a revamping, a justification dossier shall be submitted for Company's approval.

6. Architecture of the safety shutdown system

6.1 General
Two different approaches may be envisaged to define the architecture of the safety shutdown system (i.e. PSS + ESD + F&G + USS if any + HIPS if any); Company's choice will be indicated in the Statement of Requirements.
- Alternative 1: by applying the prescriptive requirements developed from section 6.2 onwards,
- Alternative 2: through a complete dedicated study (for which the main emphasis is the risk reduction on the installation) addressing the design of the instrumented protection systems, applying the methodology developed in IEC and IEC.

Alternative 1
This alternative corresponds to the architecture implemented by Company on most of its installations. Where Company has gained well-established operational experience with prescriptive requirements (onshore typical oil & gas plants and clusters, conventional offshore platforms), this application is selected for similar installations.

Alternative 2
If the IEC / IEC option is selected, then the IEC / IEC 61511 standard shall be strictly applied with respect to the procedures, steps, verifications and all other constraints.
The IEC / IEC option may be selected for installations where Company has not gained sufficient experience, and involves amongst others:
- A preliminary Risk Analysis to identify the relevant hazards and associated risks,
- The identification of the Safety Instrumented Systems necessary to ensure the appropriate risk reduction,
- The specification of these systems (technical and functional requirements such as SIL assessment and test frequency),
- A global life cycle approach specifying the detailed activities to be performed at the different stages (design and development, installation and commissioning, operation and maintenance, modifications, decommissioning).
API RP 14C principles, e.g. an independent and self-acting second protection layer against over-pressurisation of a different technology such as PSVs and/or rupture discs, remain appropriate alongside the application of the IEC / IEC approach.
Alternative 2 shall only be considered when:
- Local regulations imply application of the IEC / IEC approach,

- The features of the considered installation are outside the area covered by Company's experience with the Alternative 1 typical solution, e.g.:
  - Installations with a very high level of complexity, requiring the different SIL requirements to be ascertained (in particular, but not limited to, for logic solvers),
  - Unusually simple installations where Alternative 1 requirements may be over-prescriptive,
  - Specific designs where the application of the prescriptions included in Alternative 1 is at present too limited in number,
  - All SIFs passing through a telemetry link.
Company shall decide on the application of either Alternative 1 or Alternative 2, unless already implied by local regulations. The decision shall be taken before commencement of basic engineering, and defined in the SOR and safety concept.
If Alternative 2 is selected, the SIL assignment shall be performed before the end of basic engineering. SIL demonstration and final SIL assessment shall be completed during detailed engineering. SIL assignment shall be performed or validated by Company. SIL demonstration shall be the responsibility of the EPC Contractor and shall be performed by a Company-approved Third Party. Final SIL assessment shall be performed or validated by Company.
The following table gives the relationship between SIL, RRF, PFD (γ) and failure rate (λ), with the objective of using IEC / IEC terminology in the Alternative 1 option, although the notions of SIL and RRF are strictly related to Alternative 2.

| SIL (level) | RRF (Risk Reduction Factor) | Probability γ of failure to perform on demand (1) | Frequency λ of a dangerous failure per hour (2) |
to γ < λ < to γ < λ < to γ < λ < to γ < λ < 10-5

(1): Applicable to low demand mode.
(2): Applicable to high demand mode or continuous mode.
What follows in sections 6.2 to 6.5 applies to Alternative 1.

6.2 Principles of separation of Safety Instrumented Systems

It is essential to distinguish three functionally different Safety Instrumented Systems (SIS):

- The PSS controls all causes/actions pertaining to SD-3 shutdowns (i.e. individual equipment). See section 6.5.3.
- The ESD system manages all process-related inputs and outputs relative to ESD-0 (whole facility, if applicable), ESD-1 (per fire zone) or SD-2 (process unit) shutdowns. It is also fed by signals from the main F&G system (see below) and from optional systems such as the USS and HIPS.
- The main F&G system deals with all fire and gas detection, outdoor and indoor (e.g. technical room, control room, etc.), except for those individual packages that are equipped with a dedicated F&G system; otherwise the package F&G sensors are directly connected to the main F&G system. The corresponding ESD-1 actions are executed by the ESD system, except for the activation of the fire-fighting system(s). The main F&G system thus provides input to the ESD system, while a package F&G system provides input to the package control panel. In general, the F&G system does not execute SD-2 or SD-3 actions. A direct action and monitoring link with the HVAC system is implemented, refer to figure 4.

Besides the above-mentioned three Safety Instrumented Systems there are two additional instrumented systems, one of which is optional:

Functional system        Abbrev.   Function
Process Control System   PCS       Control and associated alarms
Ultimate Safety System   USS       Back-up of ESD actions

The PCS is not part of this General Specification. It does not fulfil a safety function and shall always be separated from the other instrumented systems fulfilling a safety function. It is linked to the PSS, ESD and F&G systems for data acquisition, alarm handling and monitoring only.

The USS, being an optional system, supplements part of the ESD and F&G systems to ensure that the required PFD is obtained where the ESD and F&G systems alone are insufficient. It is in particular meant to avoid common-mode failure in electronic circuitry and/or in control software. The implementation of a USS is not mandatory.

The architecture of the above systems (except the USS, see section 6.5.4) is illustrated in figure 4. This functional architecture, although typical for Alternative 1, may also be retained when applying Alternative 2 (the IEC / IEC methodology).

The Human-Machine Interface (HMI) is a key element of the safety shutdown systems between the operating personnel and the installation. As such it shall be adequately designed to provide a clear safety status of the plant and to indicate the extent and fulfilment of automatic actions after their execution. The SIS shall include means to perform safety-related actions triggered by operating personnel during testing, and to ensure a safe restart without permanent inhibitions.

[Figure 4 - Typical safety shutdown system architecture: diagram not reproducible in text. It shows the CCR operator interface (HMI workstations) on the ICSS network; the PCS, PSS, ESD and F&G logic solvers on the separate Safety network; the living-quarter addressable fire detection system; the package control and package F&G logic solvers with their hard-wired interface; and the final elements per shutdown level:
- SD-3 / package level: close SDVs / open BDVs; close fuel (E)SDV; shut down equipment; electrical shutdown of equipment; close fire dampers and shut down HVAC; activate local fire-fighting equipment
- SD-2: unit shutdown
- ESD-1: open BDVs; close ESDVs; trip all equipment in the fire zone; electrical isolation in the fire zone (8); active fire fighting in the fire zone
- ESD-0: total electrical shutdown in restricted area; audible and visual alarm for muster and evacuation
Legend: hard-wired link; serial bus link.]

Notes to figure 4:
Note 1: Input = field sensors or initiators. All safety field instruments shall be SIL-2 rated (refer to GS EP INS 101)
Note 2: Gas detection in package ventilation / combustion air duct, if compatible
Note 3: PSS, ESD and F&G may be a common system, but with segregated hardware and functionally independent (see 6.5.2)
Note 4: Main (essential) power supply and all battery outgoers
Note 5: PSS action on particular ESDVs and BDVs, as necessary
Note 6: In case of confirmed gas detection, refer to the relevant section
Note 7: In case of confirmed fire detection
Note 8: Except vital (critical) consumers and control/safety systems
Note 9: In case of P1 and P2 type packages (refer to GS EP INS 110)
Note 10: In case of P3 type packages (refer to GS EP INS 110); however the F&G part may be integrated in the main F&G system
Note 11: Package control and safety may be a common system, but shall have segregated inputs, final elements and I/O cards to avoid common-mode failures, without degrading the SIL rating of the safety part. F&G shall be a separate system
Note 12: The ICSS and Safety networks shall be separate networks for reasons of cyber security (refer to GS EP INS 135), to exclude common-mode failures, and to meet adequate reliability and availability requirements
Note 13: Redundant link only where a reliability and availability assessment requires so
Note 14: Only in case of an HVAC package, for direct action and monitoring of the HVAC system

6.3 Reliability requirements

6.3.1 General objective

The safety shutdown systems and their associated safety devices shall ensure that the critical functions operate with a level of reliability sufficient to guarantee that the major risks of hazard escalation of the installation upon credible events remain in line with the Company risk acceptance criteria.

6.3.2 Logic solvers

For Alternative 1, by default when no specific SIL assessment (or, more generally, hazard and risk analysis) is performed, the following shall apply:
- Logic solvers shall be SIL-2 certified as a minimum (i.e. capable of supporting safety functions up to SIL-2),
- Logic solver SIL certification does not depend on the manning level,
- On installations where a technical room is possible, logic solvers for ESD/main F&G shall be SIL-3 certified (i.e. capable of supporting safety functions up to SIL-3),
- On installations where a technical room is not possible, SIL-2 certified logic solvers for ESD/main F&G (i.e. capable of supporting safety functions up to SIL-2) may be acceptable, subject to Company approval.

The following table summarises the requirements for the different SIS:

Logic solver    Technical room possible       Technical room not possible
Main F&G        10^-4 ≤ γ < 10^-3 (SIL-3)     10^-3 ≤ γ < 10^-2 (SIL-2) (1)
ESD             10^-4 ≤ γ < 10^-3 (SIL-3)     10^-3 ≤ γ < 10^-2 (SIL-2) (1)
PSS             10^-3 ≤ γ < 10^-2 (SIL-2)     10^-3 ≤ γ < 10^-2 (SIL-2)
Package F&G     10^-3 ≤ γ < 10^-2 (SIL-2)     10^-3 ≤ γ < 10^-2 (SIL-2)
Package         10^-3 ≤ γ < 10^-2 (SIL-2)     10^-3 ≤ γ < 10^-2 (SIL-2)
(1): subject to Company approval

The PFD values in the table above shall be considered as minimum requirements and may be adjusted with consideration to possible complementary asset protection requirements, to be further developed in the Safety Concept.

The above requirements apply to logic solvers regardless of their technology (programmable, solid-state electronics, hydraulic, pneumatic, conventional relays or any combination of these).

Although only logic solvers are specified here, the other safety loop elements (in particular the final critical elements: ESDVs, SDVs, BDVs and circuit breakers) should have a matching safety integrity requirement, since the PFD of the complete loop, not of the logic solver alone, determines the risk reduction actually achieved.

6.3.3 Safety loops

The safety loops, from field sensor/initiator to final element, shall comply with the following requirements:

Loop architecture
- For some specific safety loops within the ESD and F&G systems, particular requirements in terms of reliability combined with availability constraints (loss of production) may require specific critical parts to be duplicated or even triplicated. In these cases, they shall be processed by a voting system.
- These principles, including peripheral accessories, are described in more detail in GS EP INS 150, GS EP INS 196 and GS EP INS 198. Typical requirements for F&G detection systems are also provided in GS EP SAF 312.

Tests
- The safety devices shall be specified, and their local arrangement designed, so as to ensure the feasibility of the required periodic tests, normally combined with dedicated maintenance interventions (see GS EP INS 134 and GS EP INS 137).
- These periodic tests shall be carried out to check the functional performance of the safety shutdown system and of its individual elements (e.g. gas detectors, ESDV closure and internal leak rate, etc.). Corrective actions shall be undertaken whenever the test results do not meet the acceptance criteria.
- The test frequencies shall be compatible with the targeted level of loop reliability, as prescribed by the applicable GS EP SAF specification.

6.3.4 Single components

The specification and selection of the safety devices, i.e. field sensors, push buttons, final elements (such as valves and circuit breakers), etc., shall ensure that the selected equipment:
- Are proven-in-use components for which extensive operating experience has been gained in a similar environment,
- Have sufficient hardware failure data relevant to the proposed environment, application and complexity level,
- Have a PFD value, derived from field experience, which is not worse (i.e. not higher) than the average value of the same type of component benchmarked within the oil & gas industry,
- Correspond to a type of component and a manufacturer previously agreed by Company.

6.3.5 Quality assurance

Adequate factory acceptance and integration testing, pre-commissioning and commissioning operations shall be considered as key activities within the overall quality assurance and control process, to ensure that the safety shutdown system will operate with the expected level of reliability.
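Worked example, added here by the editor and not part of GS EP SAF 261: it ties the SIL/PFD bands of the table at the end of section 6.1 to a complete low-demand loop (sensor, logic solver, final element, as in figure 4) and derives the longest proof-test interval that keeps the loop inside its target band, which is the "test frequency compatible with the targeted loop reliability" requirement of section 6.3.3 made concrete. The dangerous-undetected failure rates are constructed illustrative values, not vendor or Company data; the 1oo1 and 1oo2 expressions are the simplified IEC 61508-6 approximations (valid while λT is small) and the common-cause fraction β is an assumed value.

```python
"""SIL band classification and proof-test interval sizing for a low-demand
safety loop. Example code, not from GS EP SAF 261. Failure rates are
constructed for illustration only."""

from dataclasses import dataclass

# IEC 61508 low-demand bands: SIL -> (PFDavg lower bound incl., upper bound excl.)
SIL_PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
HOURS_PER_YEAR = 8760.0


def sil_from_pfd(pfd: float) -> int:
    """SIL band a PFDavg falls in (4 for anything better than 1e-5; 0 = no SIL credit)."""
    if pfd <= 0:
        raise ValueError("PFD must be positive")
    for sil, (lo, hi) in SIL_PFD_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return 4 if pfd < 1e-5 else 0


def rrf(pfd: float) -> float:
    """Risk Reduction Factor is the reciprocal of the PFD."""
    return 1.0 / pfd


@dataclass(frozen=True)
class LoopElement:
    tag: str
    lambda_du: float        # dangerous undetected failure rate, per hour (constructed)
    voting: str = "1oo1"    # "1oo1", or "1oo2" for a duplicated, voted part (6.3.3)
    beta: float = 0.02      # common-cause fraction for 1oo2 (assumed value)

    def pfd(self, test_interval_h: float) -> float:
        """Simplified IEC 61508-6 PFDavg; lambda*T must be << 1 for these forms."""
        x = self.lambda_du * test_interval_h
        if self.voting == "1oo1":
            return x / 2.0
        if self.voting == "1oo2":
            return ((1.0 - self.beta) * x) ** 2 / 3.0 + self.beta * x / 2.0
        raise ValueError(f"unsupported voting {self.voting}")


def loop_pfd(elements, test_interval_h: float) -> float:
    """Series loop: the PFDs of sensor, logic solver and final element add up."""
    return sum(e.pfd(test_interval_h) for e in elements)


def assess(elements, test_interval_h: float) -> dict:
    pfd = loop_pfd(elements, test_interval_h)
    return {"pfd": pfd, "rrf": rrf(pfd), "sil": sil_from_pfd(pfd)}


def max_test_interval_for_sil(elements, target_sil: int, lo_h=1.0, hi_h=1e7):
    """Longest proof-test interval (hours) for which the loop stays strictly inside
    the target SIL band. PFD grows monotonically with T, so bisection is exact
    enough; None means the band is unreachable even with near-continuous testing."""
    _, upper = SIL_PFD_BANDS[target_sil]
    if loop_pfd(elements, lo_h) >= upper:
        return None
    if loop_pfd(elements, hi_h) < upper:
        return hi_h
    for _ in range(200):
        mid = (lo_h + hi_h) / 2.0
        if loop_pfd(elements, mid) < upper:
            lo_h = mid
        else:
            hi_h = mid
    return lo_h


def example_loop(duplicated_sensor: bool = False):
    """Constructed ESD-1 loop: pressure transmitter -> ESD logic solver -> ESDV.
    Rates are illustrative, chosen to be in the usual order of magnitude."""
    return [
        LoopElement("PT-101", 2.0e-7, "1oo2" if duplicated_sensor else "1oo1"),
        LoopElement("ESD logic solver", 1.0e-8),
        LoopElement("ESDV-101 + solenoid", 5.0e-7),
    ]


if __name__ == "__main__":
    loop = example_loop()
    yearly = assess(loop, HOURS_PER_YEAR)
    print(f"annual test: PFD={yearly['pfd']:.2e} RRF={yearly['rrf']:.0f} SIL-{yearly['sil']}")
    for sil in (2, 3):
        t = max_test_interval_for_sil(loop, sil)
        print(f"SIL-{sil} needs a proof test at least every {t / 24:.0f} days")
    dup = assess(example_loop(duplicated_sensor=True), HOURS_PER_YEAR)
    print(f"with 1oo2 transmitters, annual test: PFD={dup['pfd']:.2e}")
```

With these constructed rates an annual proof test leaves the loop at about 3.1e-3, i.e. SIL-2; holding SIL-3 would require testing roughly every 117 days, which is the kind of result that has to be checked against the maintenance periodicity before a SIL target is accepted. Duplicating only the transmitter reduces the loop PFD but does not change its band, because the final element dominates, which is why section 6.3.2 asks for final elements with a matching integrity requirement.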

6.4 Transmission of signals

The transmission of input and output signals between the ESD, F&G, PSS and optional USS or HIPS systems and the field equipment, i.e. all ESD-0, ESD-1, SD-2 and SD-3 action signals, shall be achieved by dedicated hard-wired connections.

Data transmission between the PCS/PSS/ESD/F&G systems may be through a serial bus communication link, adequately adapted to the required reliability and availability of each link, and shall be at least redundant. The redundant/triplicated cables of a serial bus communication link connecting components (logic solvers) of one system at different locations shall each follow a different route, passing through different fire zones.

Action signals between the ESD and USS / HIPS systems, if any, shall always be hard-wired connections; their status monitoring or data acquisition may be through a serial bus communication link.

6.5 Means of segregation

6.5.1 Principles

The following general segregation principles shall be adhered to:
- Segregation of tapping points, sensors and transmitters (PCS vs. PSS, PCS vs. ESD) (1)
- Segregation of valves (control valves, XV, SDV, ESDV)
- Functional independence of safety systems (ESD and F&G) (see section 6.5.2)
- Functional independence of logic treatment systems (PSS, ESD and F&G)
- Hard-wired back-up for ESD actions (USS).
(1): If one single stand pipe is used for control and safety sensors, it shall be 3" minimum and non-isolatable from the vessel, refer to GS EP PVV .

6.5.2 Fire and Gas system versus ESD system

The F&G system manages all inputs provided by fire and/or gas detectors, performs the corresponding logic treatment and generates the relevant outputs. The F&G system deals only with safety actions of the highest levels, i.e. ESD-0 and ESD-1. Fire and gas detection and logic relating to packages shall be achieved locally by a system provided by the package Vendor. Outputs from the F&G system shall either go directly to equipment (e.g. electrical isolation, activation of fire-fighting means, etc.) or else feed the ESD system, which performs the process-related actions (e.g. close ESDVs, open BDVs, etc.).

The F&G and ESD systems shall always be functionally independent, even if these two functions are performed by common equipment. This option is sound provided the F&G reliability is not impacted, the software managing ESD and F&G is treated as two independent functional entities, and the links between ESD and F&G are clearly identified and documented.

6.5.3 Process Safety System

The physical existence of a separate PSS is not compulsory, and it is acceptable that the functions normally achieved by such a PSS (i.e. SD-3 shutdown actions) are controlled by the ESD. This is typically the case for very simple installations and/or very low-complexity packages.

The PSS and ESD systems shall always be functionally independent, even if these two functions are performed by common equipment, and their I/O cards, racks and logic solvers shall be clearly segregated.

6.5.4 Ultimate Safety System

A USS is not mandatory, but is an optional system for the case where the ESD and F&G systems alone are insufficient in terms of reliability, i.e. PFD requirement. It provides a highly reliable means of closing ESDVs and opening BDVs. For further details on the USS, reference is made to Appendix 1.

7. Shutdown devices, protection and other requirements

7.1 Shutdown devices

7.1.1 Safety valve definition

Wellheads
- DHSV: Down-Hole Safety Valves (SCSSVs) shall be considered as ESDVs.
  - Only SCSSV (Surface Controlled Sub-Surface Safety Valve) type DHSVs are considered in this General Specification (see also GS EP SAF 226).
- SSV: Surface Safety Valves (automatic upper master valves) shall be considered as ESDVs.
  - SSVs shall always close before SCSSVs, to avoid a pressure differential across the SCSSV.
- WV: Wing Valves (automatic wing valves) shall be used. They shall be considered as SDVs.
  - WVs shall always close before SSVs, to avoid a pressure differential across the SSV.
  - WVs may be remotely controlled if their control circuit is fitted with a specific solenoid independent from the safety trip circuits.
  - Remote WV re-opening through telemetry is authorised only if the concerned well was closed voluntarily and in the absence of a fault (F&G or PSHH/PSLL).
- Gas-lift or gas re-injection isolating valves are considered as SDVs.
- Chokes, even motorised, cannot be considered as safety valves, neither ESDVs nor SDVs.

Process
- ESDV: Emergency Shutdown Valve (1)
- BDV: Blowdown Valve
- SDV: Shutdown Valve.
Other on/off motorised valves (XVs) and Hand Valves (HVs) cannot be considered as safety valves, neither ESDVs nor SDVs.

It is possible that an ESDV or SDV is controlled simultaneously by the ESD system and by the PSS. In this case two solenoid valves shall be mounted in series, one connected by dedicated hard wire to the ESD system, the other connected to the PSS.

Control valves within a process unit can exceptionally be used as BDVs in packages or as SDVs (never as ESDVs), on the basis of small upstream inventories, i.e. less than 5 m3 of liquid hydrocarbon or PV < 100 bar.m3 for gas. Control valves acting as BDVs in packages or as SDVs shall be fitted with a solenoid valve connected to the PSS, thus being independent of the control loop (PCS).

In order to improve reliability upon demand, ESDVs, SDVs and BDVs connected to their PSS or ESD systems can be fitted with a second solenoid valve mounted in series, the two solenoid valves being kept energised by the same cable.

(1): Main fuel trip valves to fired heaters and/or machinery shall be considered as ESDVs, although not installed at a fire zone boundary.

7.1.2 Response time

Safety valves shall move from their normal to their fail-safe positions in less than 15 seconds (10 seconds for SSVs and WVs) after their triggering mechanism has been activated, with a possible exception for large valves (Ø ≥ 20"). The total duration of the shutdown sequence shall be less than 45 seconds from confirmation of the abnormal operating condition and/or actuation of push buttons to the complete actuation of the final elements.

7.1.3 Actuators

For safety valves exposed to fire or explosion, spring-return actuators shall be used. Double-acting actuators and associated accumulators are only acceptable after demonstration that they are not exposed to, or are adequately protected against, fire and explosion. Electric motor driven actuators shall not be authorised for service on safety valves, neither ESDVs nor SDVs. For actuator sizing and for local (pneumatic or hydraulic) accumulators, reference is made to GS EP INS 137.

7.1.4 ESDV by-pass

Two cases are considered: ESDVs at the installation battery limit (incoming or departing) and ESDVs on interconnections between fire zones, see figure 5.

[Figure 5 - Typical ESDV by-pass solutions: diagram not reproducible in text. It shows (a) an incoming battery limit ESDV with a by-pass line around an adjacent valve or (E)SDV and a separate pressurising line fitted with its own ESDV; (b) fire zone interconnecting lines with a by-pass fitted with its own ESDV; (c) a departing battery limit ESDV with the same by-pass and pressurising-line arrangement around the main ESDV.]

By-passes around battery limit ESDVs shall be prohibited. Moreover there shall be no weak points (tapping points, insulating joints) outboard of the battery limit ESDV. The use of a special valve allowing slow re-pressurisation through the valve body itself (e.g. V-ball valve) shall be prohibited.

Pressure equalisation around ESDVs can be achieved by:
- Installing a by-pass around an adjacent locally operated block valve, and/or
- Identifying a small line with manual valves to accomplish re-pressurising (e.g. from the test separator, from the main pipeline, etc.).
The re-pressurisation line shall not by-pass the main ESDV. The re-pressurisation line shall always be fitted with its own ESDV that closes when the main ESDV closes.

By-passes around ESDVs interconnecting fire zones are authorised provided they are fitted with their own ESDV that shall close when the main ESDV is commanded to close.

7.1.5 Push buttons

Push buttons shall be installed as follows:

Location                           Offshore platform                  Drilling or WO rig     Onshore plant
Emergency control centre           ESD-0                              ESD-0 (1)              -
Muster points / temporary refuge   ESD-0                              -                      ESD-0
Driller's console                  -                                  ESD-1, SD-2            -
Control room (CCR)                 ESD-0 (2), ESD-1, SD-2, SD-3       ESD-1, SD-2, SD-3      ESD-1, SD-2, SD-3
Unit local panels (3)              SD-2, SD-3                         SD-2, SD-3             SD-2, SD-3
Outdoor                            ESD-1 (4)                          -                      ESD-1 (4)
(1): Relates to drilling rig shutdown at an ESD-0 level (no ESD-0 level on a wellhead platform); the SIMOPS dossier defines the relevant actions
(2): Push buttons in the CCR only for a remote installation controlled from the CCR
(3): Outdoor panel close to the equipment or unit
(4): ESD-1 push buttons can be provided outdoor at convenient locations, if imposed by site specifics (not base case)

Push buttons shall be properly located, tagged and illuminated by essential lighting. They shall be physically protected against spurious activation and fitted with a specific unlocking tool to return them to the normal position. In case the activation of a shutdown push button unlatches a permissive-to-EDP signal, the corresponding EDP push button shall be located close by.

7.1.6 Functional requirements

[Table of functional requirements per safety valve type (ESDV, SDV, BDV) not recoverable from the source; only its notes survive:]
(1): Except if the WV was voluntarily closed from the CCR (see section 7.1.1)
(2): Automatic reset upon reset of the ESD level may be envisaged from the CCR
(3): As required by Process and Field Operations
(4): For SDVs, partial stroking is required case by case, depending on the SIL target and the scheduled maintenance periodicity

(5): Interlocked with the permissive-to-EDP signal
(6): Partial stroking and test facilities are not required on ESDV and SDV by-passes
(7): Local open/close commands for ESDVs, BDVs and SDVs shall be inside an enclosed valve control panel

7.1.7 Electrical final elements

Final elements of SIS are not limited to safety valves and also include electrical devices (e.g. circuit breakers, contactors); these shall be considered during SIL assignment / demonstration / assessment. Circuit breakers and contactors which are to open in case of ESD1G shall either be located in a safe location (away from flammable gas cloud risks) or within an enclosure suitable for use in the applicable hazardous area zone.

7.2 Physical position and protection

Any valve used as an ESDV, BDV or SDV shall be certified fire-safe as per GS EP PVV 142. Furthermore, all ESDVs shall be class E.

7.2.1 Onshore position

Battery limit ESDVs shall by default be located according to GS EP SAF 253, with a minimum safety distance of 15 metres between the fire zone limit and the ESDV. Inter fire zone ESDVs shall by default be located at least 15 metres from equipment in the fire zone they pertain to. If this is not possible, the ESDVs and the piping upstream of (and including) the incoming ESDVs, or downstream of (and including) the outgoing ESDVs, shall be protected against the fire and explosion cases (for PFP details reference is made to GS EP SAF 337).

7.2.2 Offshore position

ESDVs shall be located at the limit of the fire zone to be protected. For better protection of the risers, it is recommended that incoming and outgoing ESDVs are located at the lowest practical elevation. The ESDVs and the piping upstream of (and including) the incoming ESDVs, or downstream of (and including) the outgoing ESDVs, shall be protected against the fire and explosion cases with the same principles as for onshore.

7.2.3 Actuators

Spring-return actuators do not require, unless defined otherwise by risk analysis, any fire or blast protection. Double-acting actuators shall be protected against the consequences of fire or explosion to the same level as the valves themselves. Based on the fail-safe mode, control panels do not require fire and explosion protection. Additional special precautions shall be taken to protect the ESDV actuator and local control panel from sun and flare radiation, so that their skin temperature does not exceed 70 °C.

7.2.4 ESDV connections and body

Battery limit ESDVs shall meet the following requirements:
a. Offshore, the ESDVs shall be hub-connected or welded top-entry for ratings 1500# and above. For offshore installations with pressure rating 900# and lower, flanged RTJ valves are acceptable.
b. If any, the SSIV can be of flanged or welded type, depending on the conclusions of the SSIV assessment study.
c. The presence of flanges at the bottom of risers shall be justified by a risk assessment in compliance with GS EP PLR 100.
d. Offshore sealines shall be provided with a welded landfall automatically activated valve (GOV) and two ESDVs; the first ESDV shall be a buried (or in-pit) welded top-entry valve, the second ESDV has no specific requirement. The GOV can be either remotely manually activated or activated by a stand-alone local PSLL tapped downstream.
e. Onshore, flanged ESDVs are acceptable provided the gasket ring design is upgraded for ratings 600# and lower (i.e. 600# with RTJ joint instead of spiral-wound (SPWD) gasket). Lines with rating 900# normally have RTJ type flanges. Hub connectors shall be used for high ratings (refer to GS EP PVV 112).
f. Large onshore transmission pipelines shall be provided with two ESDVs; the first ESDV shall be a buried (or in-pit) welded top-entry valve, the second ESDV has no specific requirement.

7.2.5 ESDV internal leak rate

The acceptance criteria for well valves, i.e. SCSSVs and SSVs, are defined by ISO / API RP 14B. Leakage rates of process safety valves (ESDV, SDV, BDV) shall be in accordance with GS EP PVV .

7.2.6 ESDV bunkers

Underground ESDVs are authorised provided they are suitably marked, identified, protected against traffic hazards and their actuator is normally accessible. ESDVs shall then be installed in concrete bunkers, provided that access to the bunker is adequately controlled and regarded as entry into a confined space (implying permit to work, atmosphere testing, etc.).
7.3 Isolations by ESDVs and SDVs

The number of isolation valves (ESDVs, SDVs) for each flow incoming to / outgoing from a fire zone shall be such that the risk (probability x consequences) of flow being supplied to the installation in case of a major incident within this installation (fire, explosion, etc.) is acceptable with respect to the Company risk acceptance criteria. Such isolation requirements shall be verified by a dedicated Technological Risk Assessment.

By default, the principle is that two safety valves in series are required to achieve a reliable isolation in case of ESD-1, at least one of them being an ESDV. Requirements for ESDVs and SDVs are given hereafter.

7.3.1 Fire zone isolations (interconnections)

One ESDV per fire zone isolation is a minimum. In addition, SDVs are provided inside fire zones. Note that two ESDVs are required if several upstream fire zones in parallel flow to several downstream fire zones in parallel through a common manifold. The final number of valves shall be based on a specific review.

7.3.2 Battery limit isolations

In this context a trunk line means a pipeline between two Company installations in the same field, whereas an export/import pipeline means a pipeline between a Company installation and a Third Party installation.

Onshore:
- Trunk line with Normal Operating Pressure < 70 barg: 1 ESDV.
- Trunk line with Normal Operating Pressure ≥ 70 barg: 2 ESDVs, or 1 ESDV + 1 SDV (1) if the SDV is close enough to the ESDV (2).
- Export/import pipeline: 2 ESDVs.

Offshore:
- Trunk line departing from or landing on a not permanently manned platform (e.g. wellhead or riser platform): 1 ESDV.
- Trunk line departing from or landing on a permanently manned platform: 2 ESDVs, or 1 ESDV + 1 SDV (1) if the SDV is close enough to the ESDV (2).
- Export/import pipeline departing from or landing on a not permanently manned platform: 2 ESDVs, or 1 ESDV + 1 SDV (1) if the SDV is close enough to the ESDV (2).
- Export/import pipeline departing from or landing on a permanently manned platform (e.g. (integrated) production platform): 2 ESDVs.

Offshore-onshore pipelines:
- Offshore end: same as above.
- Onshore end: 2 ESDVs at the plant battery limit, plus a landfall valve as required.

(1): Where an SDV is used for this service, it cannot be a control valve, even if fitted with a special solenoid as per section 7.1.1.
(2): A risk assessment is used to decide whether the piping between the ESDV and the SDV is short enough and/or protected enough against hazards to allow this alternative.

7.3.3 Vessel liquid outlet isolations

Pressure vessels whose liquid inventory of flammable product exceeds 5 m3 (at LAH) or of combustible product exceeds 10 m3 (at LAH) shall be fitted with an SDV on the liquid outlet. It is a recommended practice to install an ESDV at the liquid outlet of pressure vessels containing more than 50 m3 of flammable liquids (at LAH).

7.4 Additional functional requirements

7.4.1 Safe state

Safety system components shall be designed as normally energised, and any failure of one or more components should set the controlled actuator to a safe position. ESDVs shall be fail close and BDVs shall be fail open.

An exception is made for the components of the ESD and F&G systems that cannot be of fail-safe design. In that case the I/O loop integrity shall be continuously checked. This requirement applies specifically to signals from detectors to the F&G panel, the deluge valve open signal, the CO2 release signal and the fire pump start-up inhibit by gas detection or ESD.

7.4.2 Telemetry

Because of their lack of reliability, signals transmitted through telemetry cannot be considered as a secure means to achieve ESD or PSS actions. Remote installations shall therefore always be fitted with local ESD and PSS systems (independent from the main ESD and PSS systems), capable of taking suitable actions in case of an emergency or abnormal operating conditions resulting either from a local upset or from a shutdown of the main installation.

In case the telemetry link is lost (atmospherics, interference, receiver failure, etc.), an alarm is displayed in the CCR but no further action (e.g. forcing the outputs of the remote installation to their safe positions) is taken, unless otherwise stipulated in the Operating Philosophy.

7.4.3 Position indication

All ESDVs, SDVs and BDVs shall be fitted with visual position indication. Local open and closed position indicators directly fixed on the valve shall be provided. Position indicators shall be clearly visible from neighbouring walkways. Valve position shall be indicated in the CCR as per the requirements stated in section 7.1.6. Refer to GS EP INS 137 for further information.

7.4.4 Testing and maintenance facilities

Reference is made to GS EP INS 196 and GS EP INS 198 for testing, inhibition and by-pass.

The safety shutdown system shall be provided with facilities to test the total system, in accordance with local regulations or as per the Operating Philosophy requirements. In this respect a partial stroking capability for ESDVs, to limit production losses, is strongly recommended, as stated in section 7.1.6.

Each shutdown loop shall be provided with inhibition or by-pass facilities in order to test the loop by simulating the abnormal operating condition at the detector and checking that the actuator initiates the required action, without an actual shutdown of the equipment it protects.

The safety shutdown system shall be adaptable to minor modifications (e.g. changing trip values) by authorised personnel. On the other hand, the possibility to change set points or trip values, or to modify the shutdown logic, shall be restricted, traceable and documented.
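Worked example, added by the editor and not part of GS EP SAF 261, for the loop-integrity check that section 7.4.1 requires on the circuits that cannot be fail-safe (detector-to-F&G-panel signals, deluge open, CO2 release). A normally energised, de-energise-to-trip loop reveals a wire break by tripping; an energise-to-trip loop does not, so a broken or shorted wire would silently disable the function unless the panel supervises the line continuously. The end-of-line resistor scheme, the resistance values, the tolerance window and the fault persistence are all assumptions chosen for illustration; the readings in the usage are constructed, not recorded.

```python
"""Line supervision of a non-fail-safe F&G loop. Example code, not from
GS EP SAF 261. Circuit values are assumptions for illustration."""

from enum import Enum

# Assumed circuit: the panel drives a small supervision current through the loop.
# Quiescent: only the end-of-line (EOL) resistor is seen. Alarm: the detector
# contact switches a lower alarm resistor in parallel. Open wire: resistance goes
# very high. Shorted wire: resistance goes near zero.
EOL_OHM = 4700.0      # end-of-line resistor (assumed)
ALARM_OHM = 470.0     # alarm resistor switched in by the detector (assumed)
TOLERANCE = 0.25      # +/-25 % acceptance window around each nominal value (assumed)
SHORT_OHM = 50.0      # below this the wiring is treated as shorted (assumed)
OPEN_OHM = 50000.0    # above this the wiring is treated as open (assumed)


class LoopState(Enum):
    NORMAL = "normal"
    ALARM = "alarm"
    OPEN_CIRCUIT = "fault: open circuit"
    SHORT_CIRCUIT = "fault: short circuit"
    OUT_OF_RANGE = "fault: out of range"


def _within(value: float, nominal: float) -> bool:
    return nominal * (1.0 - TOLERANCE) <= value <= nominal * (1.0 + TOLERANCE)


def classify(loop_ohm: float) -> LoopState:
    """Map one measured loop resistance to its supervised state. Anything that is
    neither the quiescent nor the alarm signature is a wiring fault."""
    if loop_ohm < SHORT_OHM:
        return LoopState.SHORT_CIRCUIT
    if loop_ohm > OPEN_OHM:
        return LoopState.OPEN_CIRCUIT
    if _within(loop_ohm, ALARM_OHM):
        return LoopState.ALARM
    if _within(loop_ohm, EOL_OHM):
        return LoopState.NORMAL
    return LoopState.OUT_OF_RANGE


def is_fault(state: LoopState) -> bool:
    return state not in (LoopState.NORMAL, LoopState.ALARM)


def supervise(readings, fault_persistence: int = 2):
    """Run the supervision over a sequence of samples. Returns a list of
    (sample_index, kind, state) events. An ALARM is raised on the first alarm
    sample because detection must never be delayed; a FAULT is raised only after
    `fault_persistence` consecutive abnormal samples, to reject transients, and
    must be annunciated because the loop can no longer be trusted to carry a demand."""
    events = []
    prev = None
    consecutive_fault = 0
    for i, ohm in enumerate(readings):
        state = classify(ohm)
        consecutive_fault = consecutive_fault + 1 if is_fault(state) else 0
        if state is LoopState.ALARM and prev is not LoopState.ALARM:
            events.append((i, "ALARM", state))
        elif is_fault(state) and consecutive_fault == fault_persistence:
            events.append((i, "FAULT", state))
        prev = state
    return events


def demo_events():
    """Constructed sample sequence: quiescent, a detector alarm, return to
    quiescent, then a sustained wire break."""
    readings = [4700.0, 4650.0, 4800.0, 470.0, 480.0, 4700.0, 4700.0, 80000.0, 90000.0, 4700.0]
    return supervise(readings)


if __name__ == "__main__":
    for index, kind, state in demo_events():
        print(f"sample {index}: {kind} ({state.value})")
```

The point of the two-stage handling is that an alarm and a fault must be treated differently: the alarm feeds the F&G logic immediately, whereas a fault must reach the operator as a loop-fault alarm and be cleared only by repair, since an open or shorted energise-to-trip circuit looks identical to a healthy idle one if the line is not monitored.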

7.4.5 Reliability of power sources

The UPS shall be supplied by two independent sources:
- Normal power supply via the essential load panel,
- Buffer batteries dedicated to ESD and F&G, with an autonomy of at least 1 hour.

In order that power supply reliability matches the consumer requirement, the following shall apply:
- 2 x 100%: battery chargers, static inverters and power cables,
- 2 x 50%: battery sets.

7.4.6 Re-start capabilities

Some inputs to the safety shutdown system (such as very low level LSLL, very low pressure PSLL, etc.) must temporarily be rendered inoperative to allow the re-start of the installation after a shutdown. For PLC-based shutdown systems, these inhibitions can be of toggle type, time delayed, or interlocked with the re-start sequence steps. For other shutdown systems (hydraulic, pneumatic, conventional relays or any combination of these) the number of inhibitions should be kept to a minimum, as most routine interventions should be accomplished without deactivating safety actions of the highest priority. The status and number of said inhibitions shall be clearly displayed and visible at a glance. Nevertheless, when feasible, preference shall be given to the selection of components that automatically restore their functionality when normal operating conditions have resumed.

7.5 EDP system - Protection and additional requirements

7.5.1 General

The requirements prevailing for ESD devices shall also apply to EDP devices; BDVs shall follow the same principles as mentioned for ESDVs:
- Response time (refer to section 7.1.2)
- Safe state (refer to section 7.4.1)
- Position indication (refer to section 7.4.3)

7.5.2 Protection of actuators

BDVs shall have spring-return actuators and do not require, unless defined otherwise by risk analysis, any fire or blast protection. Based on the fail-safe mode, their control panels do not require fire and explosion protection. Additional special precautions shall be taken to protect the BDV actuator and local control panel from sun and flare radiation, so that their skin temperature does not exceed 70 °C.

7.5.3 Testing and maintenance facilities

The preferred option is to test BDVs with the downstream block valve closed. Partial stroking on BDVs is not recommended as it would complicate the system (refer to section 7.1.6 and section 7.4.4).

Appendix 1 Ultimate Safety System

A USS system is not mandatory, but is an optional system in case the ESD and F&G systems alone are insufficient in terms of reliability, i.e. PFD requirement. It provides a highly reliable means of closing ESDVs, opening BDVs and ensuring a total electrical isolation. The USS bypasses the normal ESD and F&G logic treatment, i.e. the logic solvers and their associated input/output modules. The USS does not duplicate ESD or F&G; it backs up some ESD-0 and ESD-1 essential actions initiated by these systems upon manual activation.

The architecture of the USS system in relation with the ESD/F&G system is illustrated in figure 6.

[Figure 6 - Typical USS with ESD/F&G systems architecture. Inputs (SD-2, ESD-1, ESD-0, fire, gas, package gas; for continuation see figure 4) feed the ESD logic solver and the F&G logic solver; the ESD-0/ESD-1 push-button signals also reach the Ultimate Safety System through timers (T). Outputs, grouped by fire zone: unit shutdown, open BDVs, close ESDVs, trip all equipment in fire zone, electrical isolation in fire zone, active fire fighting in fire zone, total electrical shutdown in restricted area, audible & visual alarm for muster & evacuation. Legend: hard-wired link; hard-wired back-up; ESD-0 (refer to GS EP INS 101), ESD-1, SD-2.]

Note 1: Input = field sensors or initiators. All safety field instruments shall be SIL-2 rated.
Note 2: Gas detection in package ventilation / combustion air duct, if compatible.
Note 3: PSS, ESD and F&G may be a common system, but with segregated hardware and functionally independent (see 6.5.2).
Note 4: High-reliability timer.
Note 5: Grouped by fire zone.
Note 6: Not backed up by USS since manual start-up is always possible.
Note 7: Not backed up by USS because electrical equipment is suitable for hazardous area.
Note 8: Except vital (critical) consumers and control/safety systems.

The USS is transparent to the operator; the same ESD push buttons shall be used for the USS and hence there shall be no ESD-0 and ESD-1 push buttons dedicated to the USS function. In practice the signal from a limited number of ESD-0 or ESD-1 push buttons shall be routed to the ESD/F&G for appropriate treatment and also to the USS. The outgoing push-button signal reaches firstly the ESD/F&G to let these devices achieve the shutdown in an orderly fashion and secondly the USS after a suitable time delay. The ESD-0 and ESD-1 push buttons shall be hardwired via a timer to a non-programmable logic solver (solid state components, conventional relays), hardwired to breakers which de-energise the UPS to the solenoids of the ESDVs and BDVs (additional solenoids dedicated to the USS are not necessary).

The following actions shall be backed up by the USS:
- Closing/opening of all ESDVs/BDVs pertaining to the concerned fire zone(s)
- Upstream electrical isolation (1) of the concerned fire zone(s) with the exception of systems powered by batteries (controls, emergency post lube, etc.)
- Inhibit essential generator start-up, if any and relevant
- Trip, stop or isolate all equipment likely to constitute a source of ignition (2) in the concerned fire zone (gas or diesel engines, gas turbines, fired heaters, etc.) except diesel driven fire pumps (3).

The following actions shall not be backed up by the USS:
- Activation of the fire-fighting means (opening of deluge valve, CO2 release, etc.)
- Fire water pump start-up signal.

(1): The USS opens the circuit breakers feeding power to the fire zone from the main MCC, but does not back up electrical isolation as normally performed by the ESD.
(2): A specific study is conducted during the engineering phase to decide what equipment shall be connected to the USS and what equipment is only dependent on ESD/F&G. As a general rule, only equipment not certified for operation in hazardous area is tripped by the USS.
(3): Fire water pumps, if already running and with their selector mode set on automatic, are not stopped by the USS when it is activated.
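The back-up path described in this appendix, as an added simulation that is not code from GS EP SAF 261 or from any USS vendor: one ESD-1 push-button demand reaches the programmable ESD/F&G treatment first and the non-programmable USS after the timer, and the two runs below contrast a healthy logic solver with an unavailable one. The fire-zone contents (tags ESDV-301/302, BDV-301, the three equipment items), the 30 s timer value, the "certified for hazardous area" flags and the chosen ESD-side actions are all constructed assumptions; the USS-side action list and its exclusions follow the appendix text and its footnotes (1) to (3).

```python
"""Ultimate Safety System back-up path, simulated.

Added example, not from GS EP SAF 261 or any vendor. Zone contents, tag
names, the timer value and the certification flags are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

USS_DELAY_S = 30  # assumed value for the "suitable time delay" (timer T in figure 6)


@dataclass
class Equipment:
    name: str
    certified_hazardous_area: bool  # certified items are left to the ESD, footnote (2)
    diesel_fire_pump: bool = False  # never stopped by the USS, footnote (3)


@dataclass
class FireZone:
    name: str
    esdvs: List[str]
    bdvs: List[str]
    equipment: List[Equipment]


@dataclass
class PlantState:
    """Final elements as seen in the field after the demand."""
    esdv_closed: Set[str] = field(default_factory=set)
    bdv_open: Set[str] = field(default_factory=set)
    tripped: Set[str] = field(default_factory=set)
    zone_breakers_open: Set[str] = field(default_factory=set)
    fire_fighting_active: Set[str] = field(default_factory=set)
    essential_gen_start_inhibited: bool = False
    isolated_at: Optional[float] = None  # time the zone's ESDVs/BDVs first reached safe state
    actions: List[str] = field(default_factory=list)


def _mark_isolated(state: PlantState, t: float) -> None:
    if state.isolated_at is None:
        state.isolated_at = t


def esd_logic_solver(zone: FireZone, state: PlantState, t: float) -> None:
    """Programmable ESD/F&G treatment: orderly shutdown of the whole fire zone,
    including the actions the USS deliberately does not back up (assumed set)."""
    state.esdv_closed.update(zone.esdvs)
    state.bdv_open.update(zone.bdvs)
    _mark_isolated(state, t)
    state.tripped.update(e.name for e in zone.equipment if not e.diesel_fire_pump)
    state.zone_breakers_open.add(zone.name)
    state.fire_fighting_active.add(zone.name)  # deluge, CO2 etc.: ESD/F&G only
    state.actions.append(f"t={t:.0f}s ESD/F&G: orderly shutdown of {zone.name}")


def ultimate_safety_system(zone: FireZone, state: PlantState, t: float) -> None:
    """Non-programmable path: drop the UPS feed to the ESDV/BDV solenoids, open
    the upstream breakers, trip non-certified ignition sources, block the
    essential generator start. No fire-fighting or fire-pump actions."""
    state.esdv_closed.update(zone.esdvs)  # fail-safe valves close when solenoids drop
    state.bdv_open.update(zone.bdvs)      # and BDVs open for the same reason
    _mark_isolated(state, t)
    state.zone_breakers_open.add(zone.name)
    state.essential_gen_start_inhibited = True
    for e in zone.equipment:
        if not e.certified_hazardous_area and not e.diesel_fire_pump:
            state.tripped.add(e.name)
    state.actions.append(f"t={t:.0f}s USS: hard-wired back-up applied to {zone.name}")


def press_esd1_button(zone: FireZone, solver_healthy: bool) -> PlantState:
    """One push-button demand. The ESD/F&G solver acts at once when healthy;
    the USS always acts after USS_DELAY_S, whatever the solver's state."""
    state = PlantState()
    if solver_healthy:
        esd_logic_solver(zone, state, t=0)
    else:
        state.actions.append("t=0s ESD/F&G logic solver unavailable: no orderly shutdown")
    ultimate_safety_system(zone, state, t=USS_DELAY_S)
    return state


def demo_zone() -> FireZone:
    """Constructed fire zone used by the two runs."""
    return FireZone(
        name="FZ-3",
        esdvs=["ESDV-301", "ESDV-302"],
        bdvs=["BDV-301"],
        equipment=[
            Equipment("gas-turbine-A", certified_hazardous_area=False),
            Equipment("ex-d-motor-P301", certified_hazardous_area=True),
            Equipment("diesel-fire-pump-1", certified_hazardous_area=False, diesel_fire_pump=True),
        ],
    )


if __name__ == "__main__":
    for healthy in (True, False):
        s = press_esd1_button(demo_zone(), solver_healthy=healthy)
        print(f"solver healthy={healthy}: isolated at {s.isolated_at}s, tripped={sorted(s.tripped)}")
```

The second run is the case the USS exists for: with the logic solver unavailable, the zone is still isolated, but only after the timer, the certified motor keeps running, and nothing has started the fire-fighting means, which is exactly why the appendix leaves those actions to the ESD/F&G and to manual start-up.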


More information

1.1 DESCRIPTION A. The purpose of this section is to specify Division 23 responsibilities in the commissioning (Cx) process.

1.1 DESCRIPTION A. The purpose of this section is to specify Division 23 responsibilities in the commissioning (Cx) process. SECTION 239950 MECHANICAL COMMISSIONING SYSTEMS PART 1 - GENERAL 1.1 DESCRIPTION A. The purpose of this section is to specify Division 23 responsibilities in the commissioning (Cx) process. B. Commissioning

More information

HAZARDOUS AREA CLASSIFICATION AND SELECTION OF EQUIPMENT FOR SAFE USE THEREIN FROM AN ELECTRICAL VIEWPOINT

HAZARDOUS AREA CLASSIFICATION AND SELECTION OF EQUIPMENT FOR SAFE USE THEREIN FROM AN ELECTRICAL VIEWPOINT HAZARDOUS AREA CLASSIFICATION AND SELECTION OF EQUIPMENT FOR SAFE USE THEREIN FROM AN ELECTRICAL VIEWPOINT Olof Bekker Pr. Eng. BSc. Eng. BML S.MSAIEE, M.NACE Engineering Manager, Electrical COMMITMENT

More information

INTERNATIONAL STANDARD

INTERNATIONAL STANDARD INTERNATIONAL STANDARD IEC 61511-3 First edition 2003-03 Functional safety Safety instrumented systems for the process industry sector Part 3: Guidance for the determination of the required safety integrity

More information

Technical Paper. Functional Safety Update IEC Edition 2 Standards Update

Technical Paper. Functional Safety Update IEC Edition 2 Standards Update Technical Paper Functional Safety Update IEC 61511 Edition 2 Standards Update Functional Safety Update Table of Contents 1.0 Introduction 2.0 IEC 61511-1 changes 3.0 IEC 61511-2 changes 4.0 IEC 61511-3

More information

Verification of hydrocarbon refining and petrochemical facilities

Verification of hydrocarbon refining and petrochemical facilities SERVICE SPECIFICATION DNVGL-SE-0469 Edition August 2017 Verification of hydrocarbon refining and petrochemical facilities The electronic pdf version of this document, available free of charge from http://www.dnvgl.com,

More information

User Information Sheet 008 : 2010

User Information Sheet 008 : 2010 User Information Sheet 008 : 2010 Formerly UIS008, July 2009 ELECTRICAL INSTALLATIONS ASSOCIATED WITH BULK LPG INSTALLATIONS 1. Introduction This Information Sheet describes some of the principles and

More information

Process Control PIP PCEA001 Fixed Gas Detection Guidelines

Process Control PIP PCEA001 Fixed Gas Detection Guidelines November 2015 Process Control PIP PCEA001 PURPOSE AND USE OF PROCESS INDUSTRY PRACTICES In an effort to minimize the cost of process industry facilities, this Practice has been prepared from the technical

More information

GENERAL SPECIFICATION SAFETY

GENERAL SPECIFICATION SAFETY GENERAL SPECIFICATION SAFETY GS EP SAF 221 Safety rules for buildings 04 01/2011 Minor changes in appendices 5 & 6 03 10/2009 Complete review and update 02 10/2005 Addition of EP root to document identification

More information

Industrial Explosion Suppression Technology

Industrial Explosion Suppression Technology 88 th Annual Michigan Safety Conference 2018 Tuesday April 17 th 2018-10:45 AM Industrial Division Lansing Center, Lansing, MI Industrial Explosion Suppression Technology Presenter: Rob Markle Phone: (309)

More information

APPENDIX H (DESIGN SUBMISSION CRITERIA)

APPENDIX H (DESIGN SUBMISSION CRITERIA) APPENDIX H (DESIGN SUBMISSION CRITERIA) FIRE ALARM SYSTEM As per ACCORD standard Part 5, section 5.7 Fire Alarm System Design to be verified by ACCORD Chief Safety Inspector. Testing of the installation

More information

SAFETY MANUAL. PointWatch Eclipse Infrared Hydrocarbon Gas Detector Safety Certified Model PIRECL

SAFETY MANUAL. PointWatch Eclipse Infrared Hydrocarbon Gas Detector Safety Certified Model PIRECL SAFETY MANUAL PointWatch Eclipse Infrared Hydrocarbon Gas Detector SIL 2 Certified Model PIRECL Safety Certified Model PIRECL PointWatch Eclipse IR Gas Detector This manual addresses the specific requirements

More information

BUSINESS PLAN CEN/TC 305 POTENTIALLY EXPLOSIVE ATMOSPHERES EXPLOSION PREVENTION AND PROTECTION EXECUTIVE SUMMARY

BUSINESS PLAN CEN/TC 305 POTENTIALLY EXPLOSIVE ATMOSPHERES EXPLOSION PREVENTION AND PROTECTION EXECUTIVE SUMMARY BUSINESS PLAN CEN/TC 305 POTENTIALLY EXPLOSIVE ATMOSPHERES EXPLOSION PREVENTION AND PROTECTION CEN/TC 305 Business Plan Page: 1 Business environment, benefits and priorities EXECUTIVE SUMMARY CEN/TC 305

More information

UCL PRINCIPAL CONTRACTOR SITE FIRE SAFETY RISK REVIEW & MITIGATION MEASURES

UCL PRINCIPAL CONTRACTOR SITE FIRE SAFETY RISK REVIEW & MITIGATION MEASURES Mandatory Fire Safety Instruction UCL PRINCIPAL CONTRACTOR SITE FIRE SAFETY RISK REVIEW & MITIGATION MEASURES Principal Contractor fire safety considerations in shared occupancy project or refurbishments

More information

DRY BULK HANDLING SYSTEM

DRY BULK HANDLING SYSTEM DRY BULK HANDLING SYSTEM Parson Marine Equipment is established in Singapore since July 2005. Our team of engineers have more than 25 years of experiences in providing customised integrated dry and wet

More information