Engineering Photos,Videos and Articels (Engineering Search Engine): PLANT SHUTDOWN SYSTEMS

PLANT SHUTDOWN SYSTEMS

Contents

1.0 INTRODUCTION

2.0 SAFETY SYSTEMS – GENERAL

3.0 PROCESS SHUTDOWN

4.0 FIRE & GAS DETECTION

5.0 EMERGENCY SHUTDOWN

6.0 HEATING, VENTILATION AND AIR CONDITIONING

7.0 EMERGENCY POWER

8.0 HYDROCARBON DISPOSAL

1.0 INTRODUCTION

1.1 PURPOSE AND SCOPE

The purpose of these guidelines is to provide the upstream petroleum industry with clear and consistent guidance on assessing the needs for the design and operation of emergency support systems for production facilities. They are intended to assist those persons having

responsibilities in the petroleum industry for assessing emergency support system requirements and their effectiveness for identified major accident events for production facility.

1.2 RELATIONSHIP WITH REGULATIONS

This document is one of a series of guidelines for use by the upstream petroleum industry. Its relationship with Acts and Regulations is depicted in Figures 1.1 .

The principal components are:

1. The Petroleum (Submerged Lands) Act, which empowers the Minister to regulate.

2. Regulations, which set mandatory standards for industry to achieve.

3. Regulatory guidelines which set out the administrative procedures for the regime and provide practical ways of meeting goals .

(a) General guidelines, Codes, and Standards such as API Standards, etc, which provides useful references for companies setting their own standards.

(b) Industry approved competency standards.

4. Company standards, which should provide the demonstration of managing risks to as low as is reasonably practicable (ALARP).

2.0 SAFETY SYSTEMS – GENERAL

The definition of safety systems for production facilities/activities has evolved through the application of accepted international standards which represent ‘best practice’, to hazard identification and analysis, and, most recently, to risk based methods.

Production operators are required to submit and maintain a Safety Case, which should demonstrate that the risks to production operations are being managed to as low as reasonably practicable (ALARP). This risk based approach provides a means to demonstrate that risks are being managed to ALARP and is taken as one of the primary emphases for these Guidelines.

These Guidelines are intended to provide information to the ‘system’ level only. Therefore established industry standards, which continue to represent a very useful resource for the design, operation and maintenance of safety systems, may provide more specific guidance at the sub-system or component level.

Specific recommendations for the frequency of maintenance, inspection and testing are presented in the context of good industry practice. These recommendations may provide an appropriate basis for initial system operation and maintenance, which may be adapted in the light of operator/facility/system experience. Ultimately the responsibility for facility management rests with the operator.

2.1 SAFETY CASE

As mentioned in the preamble to these Guidelines, the statutory framework for the representation of the management of risk, is the Safety Case, comprising the following components:

• Facility Description;

• Safety Management System;

• Formal Safety Assessment.

2.1.1 Facility Description

The Facility Description includes a description of the safety features and systems associated with pr0duction facility/activity, as follows:

• Layout;

• Protective systems, including fire and gas leak detection;

• Shutdown systems

• Fire and Blast protection, passive systems;

• Fire protection, active systems;

• Heating, Ventilation and Air Conditioning (HVAC);

• Emergency Power, Communications and Lighting;

• Escape, Evacuation and Rescue;

• Temporary Refuge (if designated).

2.1.2 Safety Management System

The Safety Management System (SMS) description includes details of specific provisions for the management of safety of the facility/activity through the use of management systems (e.g. policies, objectives, procedures, work instructions, etc.) of particular relevance in the definition, design, installation, operation and maintenance of engineered or hardware safety systems, the subject of these Guidelines, are the following:

• Risk Assessment and Management; (see Hazards Management Process, below)

• Design, Construction and Commissioning;

• Maintenance, Inspection, Testing, and Modification.

2.1.3 Formal Safety Assessment

The Formal Safety Assessment (FSA) describes the identification, analysis and assessment of hazards to personnel. In particular, events that have the potential to cause multiple fatalities are designated as Major Accident Events (MAEs) and are the primary focus of the FSA. In the case of exploration and production activities, the release of hydrocarbon fluids under pressure represents one category of accident event with the potential to result in a MAE. Engineered safety systems for the prevention, detection and mitigation of uncontrolled hydrocarbon releases are the subject of a mature body of experience and analysis method which is reflected and referenced by these Guidelines. The FSA includes an Emergency System Survivability Assessment (ESSA) which evaluates the ability of these systems to function in an emergency event to control or mitigate the consequences, in this case, of a hydrocarbon release.

The ESSA includes the assessment of the Functionality, Integrity (i.e. Reliability and Maintainability) and Survivability of the safety systems, specifically in the context of emergency/accident event risks to personnel and the facility. This approach to assessment corresponds with the definition and structure of safety critical system ‘performance standards’.

2.2 HAZARD MANAGEMENT PROCESS

The management of hazards which may result in an MAE is affected through the application of a ‘hierarchy of controls’ as follows:

• Prevention;

• Detection;

• Control/Mitigation;

• Response;

• Recovery.

In the context of engineered safety systems, it is the first three elements of this hierarchy that are covered in these Guidelines.

2.2.1 Prevention

The first strategy for the prevention of MAEs is that of eliminating the hazard. In the case of oil and gas exploration and production, one of the primary hazards is hydrocarbon fluids under pressure.

Given that all hazards cannot be eliminated, the next strategy is to prevent an undesired release from occurring.

The Process Shutdown (PSD) system, discussed further, is designed to prevent a loss of containment through shutdown of the hydrocarbon processing system (e.g. isolation from input sources of energy, such as pressure, heat, flow, etc.) on the basis of abnormal conditions (e.g. high/low pressure, high/low temperature, etc.) detected within the system.

2.2.2 Detection

In the event that a hydrocarbon leak occurs, it is necessary to detect it such that control and/or mitigation measures can be initiated.

The detection of a hydrocarbon leak is generally achieved through the use of Fire and Gas Systems, which detect ignited and un-ignited hydrocarbon releases, respectively. These systems are discussed further.

2.2.3 Control/Mitigation

The control of a hydrocarbon release may prevent it resulting in a MAE. For example, if a gas release is not ignited a fire or explosion will not occur. Safety systems which may be used to control hydrocarbon releases, include:

• Emergency Shutdown (ESD) Systems.

• HVAC Systems.

• Hydrocarbon Disposal Systems.

It is common practice that, as a minimum, a facility safety system comprises an Emergency Shut Down (ESD) system and a Fire and Gas (F&G) detection system. The ESD system should be designed, as far as reasonably practicable, • reduce the consequences of a hazardous event when activated during an

emergency situation;

to:

• prevent an uncontrolled or hazardous situation occurring;

• survive severe accident conditions.

Safety systems should be maintained and tested at frequencies specified in the safety case and test results recorded and retained for a suitable period of time.

Prevention

Section 3.0: Process Shut Down (PSD) – the detection of abnormal

conditions is used as a basis for preventing a system failure and hydrocarbon release. If PSD does not effect a recovery an Emergency Shut Down (ESD) may be initiated.

Detection

Section 4.0: Fire & Gas Detection

the detection of a release of hydrocarbons, ignited or not, is used as a basis for initiating Control actions.

Control/Mitigation

Section 5.0: Emergency Shut Down (ESD) –

in the event of a confirmed hydrocarbon release or an escalating process situation, a more stringent shutdown of facility systems is initiated.

Section 6.0: HVAC

in the event of a gas release, may act to prevent the accumulation of a

significant flammable cloud. It may also act to exclude gas or smoke from ‘safe’ areas.

Section 7.0: Emergency Power

provides for the operation of the safety systems throughout an emergency and for the operation of other vital systems.

Section 8.0: Hydrocarbon

Disposal Systems – may act to remove hydrocarbons contributing to a gas loud or available for a fire.

2.3 SAFETY SYSTEM METHODOLOGIES

Guidance on the design, operation and maintenance of safety systems has evolved through several distinct stages through the last 30 years, including:

• a pragmatic and practical approach of ‘what works’ (i.e. experience),

supplemented by a minimum standard defined as ‘best practice’ and regulatory requirements (e.g. UK HSE - SI 1974/289);

• the development of methods to identify ways that undesirable events could

happen (e.g. HAZOP, API 14C, etc.); and most recently

• the use of a risk based life cycle needs analysis (e.g. IEC 61508/61511 and

UKOOA IPF).

These Guidelines seeks to reflect the best aspects of this evolutionary development as a framework for the analysis, design, operation and maintenance of safety systems.

In summary, the following are regarded as key aspects of the evolution of safety system specification and should be considered/applied by industry to operations and facilities.

2.3.1 Lifecycle

The application of a life cycle approach provides a vehicle for strategic, project and operational risk management of the design, operation, maintenance and disposal of an production facility. The consideration of risk through the lifecycle of a facility allows for appropriate economic management as well as the safety aspects of an operation, which may affect the economic performance/

viability of a project. It also provides a means to ensure that the risk management process is an integral and coherent part of a facility’s lifecycle

development phases, through the involvement of different parties (e.g. Engineering Design, Procurement, Fabrication Yard, Installation/ Commissioning and Operations/Maintenance).

2.3.2 Risk Based

The use of a risk based approach from the concept stage onwards provides a means to focus on safety/business ‘needs’ of the project. Further, use of this approach allows for justification (e.g. demonstration of ALARP) of control options based upon benefits in terms of risks to personnel and the business, more generally.

One method of using a risk based approach to the needs for safety system integrity is based upon the following risk graph

- No special safety features required

NR Not recommended. Consider alternatives

In determining the desired integrity level for a system/component the following parameters are considered:

• The severity of the safety consequences if the instrument protective function does not operate on demand;

• The likelihood of personnel being exposed to the hazard;

• Are there alternative factors which will reduce the safety impact of the

consequences of the hazard? These may include, for example, the rate of

escalation of the incident is such that personnel in the area will have time to get away from the immediate area, or, that there will be sufficient warning from independent means of the impending hazard for personnel to evacuate

• the area ;How frequently is the instrument protective function likely to be asked to perform its duty. Relatively high demand may be interpreted as between one and ten times per year, low as between once per year and once per ten years, and very low as less than once in ten years.

The Safety Integrity Level (SIL) reflects the risk inherent in a safety system application, from High Risk (SIL 3) to lower risk levels (SIL 2/1). Since this is only one means of defining the required integrity of a safety system/

component these Guidelines will use a descriptive label (i.e. High Risk) to correspond to/with a high level integrity requirement.

2.3.3 Comprehensive Analysis

A comprehensive hazard/risk analysis at the detail design stage complements higher level strategic/project risk analyses whilst ensuring that risks at the system/component level are identified and managed. One means of carrying out a comprehensive hazard based analysis is that described in API 14C. As discussed above this analysis method may be supplemented through the use of application risk levels (e.g. Safety Integrity Levels) to provide a basis for

justification/selection of ALARP control solutions.

2.3.4 Performance Standards

‘Performance Standards’ provide a formal vehicle for performance assurance throughout the life cycle of a project/facility. They also complement performance standards defined to assure performance of the facility Safety Management System.

A performance standard for safety systems would include:

• The role of the system, or system component;

• What the system or component is required to do under stated circumstances (functional specification);

• With what integrity (reliability and availability) it is required to perform in

those circumstances (integrity specification); and

• Any requirements for survivability after a major incident (survivability

specification).

Performance standards for safety systems can apply at a variety of levels. For example, the overpressure protection function for a hydrocarbon vessel may have a performance standard. The pressure sensor device and the inlet shutoff valve, both of which are components of the overpressure protection system can also have their individual performance standards. An ESD logic system can have a performance standard.

2.4 DESIGN

Safety systems may include:

• Fire and Gas detectors;

• Leak detectors;

• Emergency Shutdown and Blow-down valves;

• Fire rated cables and components;

• Programmable logic.

In the execution of projects, the detailed design may not have been completed at the stage when instrument-based protective systems need to be purchased. Orders are placed using the best information available at the time. On completion of the detailed design, the instrument based protective systems should then be evaluated against their required performance standards and any necessary modification carried out.

2.4.1 Complexity

Systems should be selected and designed to minimize complexity while still meeting the required performance standards. Increased complexity may lead to a reduced level of understanding by operators and higher inspection, test and maintenance requirements.

Each element of the system should be specified to performance standards consistent with the overall required functional, safety integrity, and survivability performance standards, and not simply to the highest level achievable.

By their nature, logic systems contribute less to the total system unreliability than the field sensor and actuators.

2.4.2 Failure to Safety Concept

The failure to safety concept for plant and equipment is the automatic reversion to the least hazardous condition upon failure of protective system logic, sensors, actuators or power sources. This requirement is normally realized by employing a de-energize to trip design. During normal operation, with the plant in a healthy condition, inputs from plant sensors, the logic system, and outputs to the final protective devices will be energized. The systems will interpret the de-energising of an input as a trip demand and will de-energise the appropriate outputs to initiate a shutdown. This design would also ensure a shutdown on the loss of electrical power to the system inputs, outputs or logic. The failure to safety principle is preferred for all equipment on the installation. In order to achieve such a concept, consideration should be given to each item of plant and equipment to ensure predictability of failure modes. However, for certain applications, (e.g. Fire & Gas

equipment) an energized to trip (non failsafe) design concept is justified. Under these circumstances, additional measures must be taken to ensure the safety integrity of these devices, e.g. line monitoring, built in fault detection, and/or dual redundancy.

2.4.3 Reset Philosophy

The method and location of reset facilities for protective systems should be appropriate to the importance of each individual function, and thus may vary across the plant.

2.4.4 System Integrity

System vendors generally express reliability in terms of Mean Time between Failures (MTBF) or its reciprocal, failures per unit time. These expressions are useful in selecting and specifying a system but to determine its availability the following should also be considered:

• Fail to danger and fail to safety failure rates;

• Failure to act on demand;

• Realistic mean time to repair (MTTR).

For each High Risk (SIL3) system a reliability and availability analysis should be carried out and formally documented to ensure that the required safety integrity can be met. This will require data on system or component reliability or failure rates, demand rate on the system, proof test interval and mean time to repair. An iterative process will be required in the design of the system to arrive at the optimum solution which meets the specified safety

integrity. Care must be taken to allow for the effects of common cause failures when calculating overall system integrity.

Realistic proof test intervals and repair times should be used in reliability and availability analyses. Manual proof test intervals of less than three months are likely to impose undue burdens on operations and maintenance requirements.

The reliability/availability analysis can draw on either analysis of failure rates from comparable situations or calculations using appropriate predictive methods.

Unrevealed (covert) failures in the system will impair its safety effectiveness. Steps should therefore be taken to eliminate by design these failure modes. Where this is not practical, a suitable test method and frequency should be specified that allows such failures to be revealed.

For High Risk (SIL3) applications, it should be a design objective that no single failure can cause the system to fail to perform its intended safety function.

The demand rate on a High Risk (SIL3) system may be determined in part by the quality of any associated lower risk (SIL1/2) protective systems. Common cause failure mechanisms between separate instrument-based, protective systems performing the same or related protective functions should be minimised.

The scope and frequency of testing of High Risk (SIL3) systems to ensure the required safety integrity and the assumptions with regard to the demand rate must be fed forward to the operations phase and be reflected in the protective system maintenance plan and procedures.

Logic systems should be specified for the integrity of the highest integrity function, which is implemented within it.

2.4.5 Environmental Considerations

Systems should be designed so that equipment has an adequate immunity to electromagnetic disturbance at frequencies and field strengths likely to be experienced in the intended operating environment. The measures taken to verify this requirement should be selected according to consequences resulting from malfunction or degradation in the performance of the equipment. Also, the equipment should not be the source of electromagnetic disturbance at levels which may disrupt the operation of other equipment.

Protective functions should be maintained under all reasonably for climatic conditions likely to exist at the intended operating location.

Fire, blast and dropped object protection for protective systems should be considered in relation to the required performance standards. These should take into account the required survival and operating modes of systems following a major incident.

2.4.6 Operator Interfaces

The operator interface should be designed using human factor principles (ISO 11064: Ergonomic Design of Control Centre). The presentation of information to the operator should be clear and unambiguous. The volume of alarms and messages which will be presented to the operator in a plant upset situation should be assessed and managed.

The reliance on the operator interface should be determined and the performance requirements should be specified. Where reliance is placed on an operator to respond, then these cases should be analysed to ensure that the claimed performance can be achieved.

Suppression of consequential alarms resulting from a process upset or trip may be considered, provided they occur within predetermined times. However, this should be assessed against the additional complexity introduced.

The operator should readily be able to determine the cause of any disturbance or unusual event.

The number of control room operators should be determined based on the ability to handle both normal and upset situations.

Consideration should be given to use of hard wired matrix and mimic panels for information regarding High Risk (SIL3) systems.

Controls should be in place to ensure that only appropriate authorised personnel have access to change data or programs. If access control is by password, these should be changed at appropriate intervals under the control of the designated responsible person.

2.4.7 Maintenance and Test Facilities

Facilities to enable complete online testing of all system components including power supplies and field equipment should be provided unless adequate safety integrity can be achieved by testing during planned shutdowns. The objective is to detect and rectify covert failures.

The maintenance and testing philosophy, including frequencies, should be developed as part of the design process and be fed forward to, and be incorporated in, maintenance and operating procedures.

Maintenance and test routines should be the product of cooperation between the design team and the future operating personnel, to ensure their smooth assimilation into the operational phase.

The status of any maintenance override should be drawn to the attention of the operator, be documented and continuously annunciated at a suitable operator interface.

All components should be designed to achieve ease of fault finding, replacement and maintenance.

2.4.8 Software

Software based systems should incorporate an internal log to demonstrate the software version or revision giving date and time of the last change.

2.4.9 Data Communication

Hardwired communications links are preferred, where practicable, to radio links. Where Programmable Electronic System (PES) data is transmitted over communication links, it should be recognised that the communication link introduces several potential sources of common cause failure.

The safety integrity of High Risk (SIL3) systems should not be reliant on data solely reliant on data communications links unless adequate measures have been implemented to ensure the availability of the link.

Physical damage to communication links may be addressed by redundant links with diverse routing. Redundant links should be exercised regularly.

High Risk (SIL3) systems may be interfaced with other systems via communication links.

Malfunctions of the communication links or other systems should not affect the safety integrity of the High Risk (SIL3) system.

The quality of the total communications path should be assured. The total path includes interfaces between processors and communications links.

2.4.10 Power Requirements

When evaluating the availability of protective systems, consideration should be given to the security of electrical supplies under plant upset conditions and partial and complete failure of the main electrical systems. Diversity of supply may be required to ensure continuity of system operation. Failure of one of these supply routes should not adversely affect the system performance.

The sizing and rating of electrical supplies should take into account the worst case load with all elements energised. Surge currents at switch on should also be considered.

The required duration and availability of electrical supplies following loss of main generation should be established and documented.

Any uninterruptible power supply systems should be properly matched to the protective system loads particularly in terms of voltage variations, harmonic distortion, and supply changeover times. Specific attention is drawn to this need for matching when switched mode power supplies are used within the protective systems.

After installation of the protective systems, their correct performance should be checked when the main AC electrical supplies are interrupted and heavy loads are switched on and off the electrical distribution system.

2.4.11 Design Change Control

The need for changes to the functionality during the system life should be assessed and allowed for in the design.

Protective systems should be under the control of a designated responsible person or position.

Management systems and procedures, commensurate with the criticality of the system, should be in place during both the project and operational phases to effectively control and monitor changes.

Proposed changes should be assessed by all relevant parties before implementation.

Changes to protective systems should be fully verified, including testing, before they are brought into service.

2.4.12 Design Method for High Risk (SIL3) Applications

For High Risk (SIL3) applications the following design activities are considered essential requirements for an acceptable final product and should be incorporated at the correct stages of design development:

• Establish functional requirements (e.g. safety analysis tables or cause and

effect charts);

• Produce functional, safety integrity, survivability and hardware specifications;

• Design system to the above specifications;

• Analyse safety integrity of the design, to ensure that the required performance standard for each function has been met;

• Build and test system;

• Produce maintenance schedules and detailed proof test routines for each

system element during the project detailed phase;

• Review operational and maintenance experience to ensure that the specified performance standards are maintained.

The safety integrity analysis should be carried out by an independent authority, either from a separately managed area of the organisation, or from outside the company entirely

2.4.13 System Testing

Testing of the logic system for all instrument-based protective systems should be carried out in accordance with the previously agreed test programme prior to installation. Simulated inputs and outputs may be used in testing at the vendor’s works. It should include a complete verification of the operating manuals, cause and effects, logic diagrams and related

documentation. Full system testing, including all field elements, should be carried out during commissioning.

2.4.14 Assessment and Certification

Independent assessment and/or certification of systems may be used to provide increased confidence in vendor’s claims for systems’ performance. This can apply to vendor-standard systems and to design specific confil.gurations.

Independent assessment should be performed for all High Risk (SIL3) systems. Considerations should include:

• Hardware details;

• Expected demand rate;

• Specification proof testing and maintenance programme for the equipment;

• Causes of systematic failure;

• Equipment quality;

• Design processes;

• Maintenance facilities;

• Operational and security arrangements.

It is essential that all analysis should consider the complete system, from input transducer to the actuation of the final control element. The major contributor to system unreliability is usually field devices with failure analysis being sensitive to variations in device design.

2.4.15 Field Equipment

The design, selection and location of sensors and actuators contribute significantly to the overall performance of an instrument-based protective system. This section addresses those points relevant to ensuring design and selection.

Plant located components of instrument-based protective systems should be uniquely identified in accordance with drawings and documentation.

Identification should be by permanent labels at equipment locations.

Diversity

Many common cause failures of redundant field devices can be avoided by properly applied diversity of devices. Where possible, diversity should be obtained by measuring a variable via separate tappings.

Analogue input devices are preferable to switched input devices. The ability to continuously compare signals reduces the mean time to detection of failure and hence increases integrity.

Such methods can utilise discrepancy tracking for the early detection of equipment failure or malfunction and may utilise the process control analogue instrumentation in such a tracking scheme.

In the interest of standardisation, consideration should be given to reducing the variety of field devices. While this may seem to contradict diversity, it is meant to avoid a proliferation of equipment manufacturers and models. Excessive variety can reduce the level of understanding of the details of maintenance, calibration and trouble shooting involved with each device.

Initiating Devices

All system initiators should be separate and independent monitoring and control system instrumentation.

The method of sensing an abnormal operating condition should normally be by dedicated transmitters except in the case of vessel level trips where witches or other techniques may be more effective. Any trip amplifier devices used to interface transmitters to non programmable logic systems should be testable in service.

Smart (HART) transmitters can be considered suitable for High Risk (SIL3) applications if the advice in EEMUA publication 160 section 12 is followed. In addition, the software issue should have been proven in a sufficiently large installed base over a sufficiently long period of time. (See Appendix B of the UKOOA ‘Guideline for Instrumented-Based Protective Systems, 1995’) Generally this allows the use of smart transmitters in analogue mode only.

It is recommended for the foreseeable future that field instruments should not be integrated digitally with logic systems for High Risk (SIL3) pplications.

In all cases the input devices should be specified and selected for reliable operation and should fail to a safe known condition on fault, or on interruption of power or other operating medium. Components should be selected with built in features that drive the device output to a prescribed status for specified failure modes.

Fire and gas detectors should be selected and located to meet the performance standards for the detection of specific hazards in the area. This will include fire sizes, gas cloud sizes, and response times.

Output Devices

Output devices should be specified and selected for reliable operation and to ensure that interruption of the operating medium (electric, pneumatic or hydraulic supply) causes failure to a known condition.

Shutdown and depressurising valves should normally be operated via solenoid valves.

Electrical surge suppression should normally be provided when driving inductive loads such as solenoid valves.

Duplicate solenoid valves and/or shutdown or blowdown valves may be necessary to meet the required integrity (probability of failure on demand).

Shutdown and Blowdown Valves

All shutdown and blowdown valves should preferably be inherently failsafe e.g. spring return. Isolation valves should fail closed and blowdown valves should fail open on loss of power medium to the actuator or loss of control signal. However, there may be specific applications where the flare header is not rated for simultaneous blowdown of all areas of the plant. In this case the failure action of the blowdown should be selected to minimise risk for all the relevant operating regimes.

Where non inherently failsafe actuators, e.g. double acting, are justified, then adequate integrity for the application should be demonstrated. Each actuator should have a local dedicated power source provided with appropriate protection. This should be capable of meeting the regulatory requirements with regard to number of operations. Where these are not stated, then three valve strokes should be possible (where stroke is defined as a unidirectional movement).

The power medium should preferably be air. However, hydraulic or electric failsafe actuators may be justified for some applications despite their greater system complexity. In all cases, adequate safety integrity and survivability of the valve and associated controls should be ensured.

Consideration should be given to the required performance of valves, actuators and ancillary devices following long periods of inactivity in the same state.

The valves should be capable of being operated under maximum line differential pressure.

In cases where bypass repressurising around shutdown valves is justified they should also be automatically operated by the protective system, be specified as shutdown valves, and be inherently failsafe.

The speed of response (stroking time) of the shutdown valve should be appropriate to the hazard being protected against. Surge effects and the potential to lock in pressure need to be considered when selecting or specifying closure times.

Control valves should not be used as primary isolation devices, but may have a predefined trip position on shutdown.

They may be utilised as secondary isolation devices where SIL level requires robustness. In these cases they should be operated by the shutdown system.

Where it is necessary to use control valves in a safety related application, e.g. for controlled blowdown of plant to flare, the control valves and their associated systems and ancillary devices should be suitable for the required integrity of the application.

Blowdown/Shutdown Valve (Spring to Open/Close Valve) Torque

Valve Actuator

Start to open/close torque

(Break-open/close torque)

Spring start torque (SST).

A safety factor of 100% (i.e. 2 times) should be applied on top of the valve start

to open/close torque. This is at the 'compressed spring state'.

Reseat torque

(Opening/closing torque)

Spring end torque (SET).

A safety factor of 25% (i.e. 1.25 times) should be applied on top of the valve

opening/closing torque (i.e. the spring should provide a torque of 1.25 times the

valve opening/closing torque at its relaxed state).

Running torque

(Resistance torque)

Spring running torque (SRT) and air running torque (ART) - minimum torque

produced by the actuator.

A safety factor of 50% (i.e. 1.5 times) should be applied and maintained on top

of the required valve running torque during closing and opening.

Start of close/open torque

(Break-close/open torque)

Air start torque (AST).

Pneumatic operator beginning torque should be 2 times the valve

closing/opening breakout torque.

Reseat torque

(Closing/opening torque)

Air end torque (AET).

Pneumatic operator end of stroke torque should be 1.25 times the valve

closing/opening torque (i.e. at the end of the closing/opening stroke).

Impulse Lines

Consideration should be given to the means of achieving process connections to reduce the

risk of blockage in isolation valves, impulse lines and instrument chambers. This applies

specifically when it is known that particulate or waxy deposits are, or can be, present in the

process medium or where scaling may occur.

Process and environmental conditions should be considered in the specification and selection

of impulse lines. This includes protection from impact damage.

The risk of stress corrosion cracking should be minimised in the selection and design of

impulse lines. Care should be taken to avoid under lagging corrosion especially where trace

heating is used.

It is recommended that double block and bleed 50 mm monoflanges are used on all impulse

line connections.

Control Lines & Cables

Consideration should be given to the protection and segregation of cables and control lines

associated with the protective system. The routing of cables should avoid running through

high risk or vulnerable areas where practicable. Diversity of routing should be considered for

“energise to execute” circuits as a means of reducing common mode failures in event of a major incident. Any 'critical signals' should be hard wired.

Consideration should be given to the segregation and shielding of cables to

Fire, Blast and Dropped Object Protection

Fire, blast and dropped object protection for instrumentation, actuators, cables and other associated devices, which are part of protective systems, should meet the required survivability specification of the performance standards.

Maintainability and Testing

Due regard should be given in the design to the needs of maintenance and testing activities. Specifically the method and frequency of testing to ensure adequate facilities are provided.

Facilities for physical testing of initiating devices should be provided where practicable, unless all testing is to be carried out on shut down plant. Manual override switches should be installed to isolate the devices prior to testing.

2.5 OPERATION & MAINTENANCE

The purpose of systems maintenance and testing is to ensure that the performance standards from the original design are maintained throughout the lifecycle of the protective systems.

2.5.1 Responsible Person

Each protective system should be under the control of an identified responsible person or job position.

The responsible person or job position is accountable for ensuring that the systems continue to perform to the required performance standards. Specific responsibilities include:

• Assurance of the competency of the operators and maintenance technicians who work with or on the system;

• Control of access to the system including use of keys and passwords;

• Coordinate testing of the system;

• Control changes to the system;

• Ensure appropriate records are maintained;

• Assess the results of testing, maintenance activities, systems failures, and

demand rate on the system to ensure system integrity is maintained.

2.5.2 Maintenance and Testing

Design assumptions, particularly on the scope and frequency of testing, should be clearly documented and translated into operational information and procedures.

The maintenance and testing scope, frequency and responsibilities should be clearly documented. The maintenance and testing regime should recognise the scope and limitations of any system self-testing.

The maintenance philosophy document should also describe how demands on the systems will be recorded and how the systems will be assessed periodically to ensure that their safety integrity meets or exceeds the performance standards as per the design. The implications of any failures should be assessed, and where required, modifications to equipment or

procedures should be carried out to minimise the likelihood of repeat occurrences.

The use of maintenance overrides should be formally authorised and recorded. Their use should be subject to instructions and procedures described in the operations procedures for the plant. The status of overrides should be regularly assessed.

For large complex systems, consideration should be given to placing a vendor support contract for corrective and preventative maintenance, spares management, and support for system changes.

The necessary tools and diagnostic facilities should be available to permit technicians to perform first line maintenance and restore system availability within a reasonable period of time.

2.5.3 Documentation and Records

Current system documentation should be available to maintain the system throughout its life cycle. This will include overall system description, performance specifications, key drawings, and operation and maintenance instructions. Records of the following should be maintained throughout the life cycle of the system or for predefined periods as appropriate:

• Inspection records;

• Testing records;

• Maintenance repairs;

• System failures;

• System demands and outcomes;

• System integrity assessments and any subsequent changes to the scope or

frequency of testing.

It is recommended that check sheets, detailed in IEC 61508, be utilised.

2.5.4 Control of Changes

Management systems and procedures, commensurate with the criticality of the system, should be in place to effectively control and monitor proposed and actual changes to hardware, software and operational procedures.

All changes should be shown to meet the systems safety performance standard and be fully assessed by all relevant parties before implementation.

Any change to a protective system should be fully documented, follow a quality plan and be reviewed by two competent personnel.

Changes to software based protective systems should be fully tested prior to implementation on an operational host system. It should be capable of immediate return to a known working version in the event of a fault.

The system environment should be maintained in line with the original design parameters including temperature, humidity, vibration, and electromagnetic disturbances. The impact on system integrity by changes to the environment should be assessed.

2.5.5 Assessment of Protective System Integrity

The results of periodic system testing should be assessed and appropriate measures taken to maintain the required system integrity.

The use of field data to reassess the testing regime should only be used where a significant sample of data is available. In this case the change to the testing regimes should be fully justified, documented, and formally controlled.

For High Risk (SIL3) systems, periodic reviews are necessary to ensure that the safety integrity is maintained during the life of the plant. These reviews should re-examine the quantified analyses originally carried out during the design phase taking into account actual demands on the systems, outcomes of those demands, system failure rates, any revised testing regimes and any changed operational circumstances.

2.6 FACILITY/ACTIVITY

2.6.1 Drilling

Well Control Equipment

Wellhead equipment may vary from well to well to suit anticipated or known pressure conditions, and in exploration drilling it should always be of a suitable pressure rating to cope with high, or abnormal sub-surface pressures. Wellhead control equipment should be installed under the direct supervision of competent personnel.

The drilling rig should be equipped with independent hydraulically operated blowout preventer operating equipment with an automatic repressuring system A control panel for the blowout prevention equipment should be located on the rig floor at the Driller’s station, with a second panel located away from the operations areas. A position display panel should be fitted in a third office location for supervisory personnel. The control panels should clearly show the open or closed state of the blowout prevention equipment and the areas around the blowout preventer control points should be kept clear and readily accessible at all times.

Upper and lower kelly cocks of equivalent pressure rating to the wellhead control equipment should be installed in the drill string to protect the swivel and rotary hose from high well pressures.

When drilling into known high pressure zones, or potential high pressure zones in production fields, the use of drill pipe safety valves is ecommended.

On all drilling and well servicing operations, an inside blowout preventer and full opening safety valve should be kept on the rig floor ready for mmediate use in the drilling string or tubing, if required. The valve should be fitted with handles for easy handling and change subs to suit connections in use. The valves and controls associated with the blowout preventer equipment should be clearly labeled to indicate their specific function.

Pressure Testing

At the time of installation, well control equipment including all inside blowout preventers (BOP’s), kelly cocks and pumpdown subs should be hydraulically tested with water to the full rated working pressure or maximum anticipated surface pressure, plus safety factor, and the

results logged. Test areas and equipment should be clearly indicated by warning notices or public address (PA) announcements.

Inspection and routine testing of such equipment, after installation, should be carried out at regular intervals and logged. When drilling, blowout preventer rams should be operated at regular intervals and results logged. The complete system should be tested regularly and always prior to drilling into an unknown reservoir section. Properly drafted BOP test sheets

should be available for guidance.

If unusual pressure variation or other abnormalities are observed in the system, appropriate action should be taken and the details logged.

Control Valves

Any valves for the shutting down and control of equipment in emergencies, such as choke manifolds and standpipe manifolds, should be regularly tested and kept in good working condition.

Such valves should plainly indicate whether they are open or closed and the positioning of them should be either in line of sight to the Driller’s position or a method of communication should be established between the man stationed at the control valves and the Driller.

Well Control Practice Drills

A blowout practice drill should be carried out on each rig tour, until every member of each drilling crew is familiar with his respective duties. In addition, each crew should have a least one well control practice drill during each offshore duty cycle to maintain alertness. Additional practice drills should also be considered prior to drilling into new horizon sections

of a well. Particular attention should also be given to training any new member of a crew on his specific duties.

2.7.1 Alarm System

An alarm system should be provided at the main machinery control station giving audible and visual indication of any fault requiring attention. It should also:

• activate audible and visual alarms at another normally manned control station;

• activate the Engineers alarm if the original alarm has not received attention locally within a limited time;

• as far as practicable be of failsafe design;

The alarm system should be continuously powered with automatic change over in case of loss of normal power supply. Such a failure should be alarmed. The alarm system should be capable of indicating more than one fault at a time and the acceptance of an alarm should not inhibit another alarm. Alarms should be maintained until they are accepted and the visual indicators should remain until the fault has been corrected, when the alarm should be automatically reset to the normal operating condition.

PROCESS SHUTDOWN

3.0 PROCESS SHUTDOWN

3.1 ROLE

The role of the Process Shut Down (PSD) system is the detection of abnormal process conditions which may result in a release of hydrocarbons and cause the shut down of the system to prevent such a release.

3.2 FUNCTION

In the case of hydrocarbon drilling and production systems an abnormal condition may include, but not be limited to, the following:

• High or Low Pressure;

• High or Low Temperature;

• High or Low Level.

An abnormal condition is characterised by the movement of system parameters (e.g. pressure, temperature, etc.) towards or outside the operating envelope.

In some cases the abnormal condition may be the release of gas (e.g. in the case of drilling where gas detected in the mud returns may indicate a potential problem in the well). A PSD will result in a shut down of energy sources which are contributing to the abnormal condition. For example, in the case of high temperature, heat inputs will be shut down or isolated, or in the case of high pressure the pressure source will be isolated.

3.3 RELATIONSHIP

The Process Shut Down (PSD) system acts to prevent an undesired release of hydrocarbons upon detection of variations in system parameters which are known to be indicative of a loss of control. PSD is related to various other safety systems as follows:

3.3.1 Emergency Shut Down (Section 5.0)

The PSD if effective should return the system to a stable state with no or little threat of an undesired hydrocarbon release. In cases where the PSD does not produce a stable state in the hydrocarbon system an Emergency Shut Down (ESD) may be required. The ESD system may be considered an extension of the PSD system, for cases where the limited actions taken

in a PSD are ineffective and the situation is escalating towards an emergency or Major Accident Event (MAE).

3.3.2 Emergency Power (Section 7.0)

In some cases, PSD will cause the shut down of electrical supplies. In this event it is important that power is available to effect the PSD and to provide for the continued operation of parts of the facility not affected by the PSD. Emergency Power systems may be activated at this time although it would be more typical that emergency power supplies would be initiated in the event of an ESD.

3.3.3 Hydrocarbon Disposal (Section 8.0)

Depending upon the part of the hydrocarbon process affected by the PSD it may be required to remove hydrocarbons from the system, either to prevent knock-on effects to other systems or as a precaution in case the situation escalates further towards an emergency or MAE.

Venting of hydrocarbon gases may be released through a blow down executive action. Liquid hydrocarbons may be drained to a ‘safe’ location.

3.4 DESIGN

Prevention is the preferred strategy for the management of risk due to undesired hydrocarbon releases and fires/explosions.

The PSD system should be designed to provide a reliable means of detecting excursions of process conditions towards or beyond operating/design limits and, providing alarms and/or signals for executive action of other rocess/safety systems.

As discussed in Section 2.0, API 14C is a widely accepted method for the analysis and design of Process Safety Systems. It requires that these systems have:

• independence from other systems or reliability equivalent to an independent system; and

• two levels of protection, primary and secondary, which should be independent and achieved through equipment which is functionally independent.

In this context, API 14C provides guidance on the selection of safety devices and protective shut in actions for isolating a process component, in the event of an abnormal operating condition (e.g. overpressure, leak, excessive temperature, etc.). In the case where a detected abnormal operating condition is a release of hydrocarbons other safety systems may be caused to operate/take effect. That is, in the event of a gas leak, the ESD and blow down systems may act to reduce the amount/pressure of hydrocarbons for release thereby reducing the duration/consequences of such a release.

For example, in the case of overpressure, the primary means of protection is defined as a pressure sensor to either shut off or divert inflow to the component, including fuel/heat sources if appropriate. In this case a single device (i.e. the pressure sensor) must be supplemented by another device (i.e. to cause shut off/divertion of flow) to affect complete primary protection.

The secondary means of protection should be a pressure relief or safety valve. In the case where a shut off mechanism is employed, it should be at the primary source of the energy, rather than at the input to the specific component effected, since this would act to propagate the effect upstream until the primary source is caused to be shut off.

4.0 FIRE & GAS DETECTION

4.1 ROLE

To detect the presence of hydrocarbon gas or ignited hydrocarbons and provide signals for the initiation of Emergency Shut Down (ESD) and Fire Protection systems.

4.2 FUNCTION

The detection of hydrocarbon gas in areas of the facility is a clear indication of a potential for a fire or explosion Major Accident Event (MAE). At this stage it may be possible to prevent ignition of the hydrocarbons thereby preventing a fire or explosion. The detection of ignited hydrocarbons depends upon the nature of the fire. Detection of light, heat and/or smoke may be used to indicate an ignited hydrocarbon leak.

In either case the detection of a hydrocarbon release acts to initiate other safety systems to control the consequences of the event.

4.3 RELATIONSHIP

The Fire and Gas (F&G) detection system acts to, detect an undesired release of hydrocarbons, which may be ignited. F&G is related to various other safety systems as follows:

4.3.1 Emergency Shut Down (Section 5.0)

F&G detection indicates that the sequence of events which may result in an MAE are well advanced and provides the basis for executive action by the ESD system.

4.3.2 HVAC (Section 6.0)

Through the ESD system, detection of gas at the ventilation inlets of ‘safe’ spaces, such as control rooms or accommodation modules, may cause shutdown of HVAC fans and/or dampers in HVAC trunking.

4.3.3 Emergency Power (Section 7.0)

Continued operation of F&G detection in an emergency is important so that a developing event can be monitored. (Hydrocarbon gas migration or gas ignition) Continued operation requires provision of electrical energy through the Emergency Power system.

4.3.4 Fire Protection (Not part of these Guidelines)

In the event of a hydrocarbon release or ignition, F&G detection may cause an active fire protection system to come into effect in the area of the release and/or adjacent areas. Active fire protection systems include water deluge, CO2 dumping and Dry Chemical.

4.4 DESIGN

Prevention is the preferred strategy for the management of risk due to undesired hydrocarbon releases and fires/explosions. As discussed in Section 3.0 Process Shut Down systems, a hydrocarbon leak may be detected as a result of abnormal operating conditions (e.g. low pressure, back flow and low level). However, that system is not a completely effective means

of identifying the precursors to all hydrocarbon releases, and for this reason leak and fire detection systems are deployed.

A leak may be detected as an abnormal process operating condition or directly as hydrocarbon in the atmosphere external to the process system. A release of hydrocarbon liquid may be detected as an abnormal process operating condition. The exceptions to this are in cases where the liquid releases a large amount of hydrocarbon vapour when reduced to atmospheric

pressure or where the liquid is released as a spray, creating a hydrocarbon vapour mist in the air. The detection of liquid releases, as hydrocarbon vapours in the atmosphere, will be discussed

Hydrocarbon fires may be detected through heat produced or electromagnetic radiations emitted by the fire, or by the products of combustion (e.g. smoke).

The F&G system should be designed to provide a reliable means of detecting hydrocarbon vapour/gas in the atmosphere and fire, and provide alarms and/or signals for executive action by other safety systems.

The definition of requirements for a F&G system should include consideration of the types of leaks, their location and air movement patterns.

Fire and Gas systems should be specified to detect given ratings of fires and

sizes/concentrations of gas clouds. The practical difficulties of designing systems from hazard detection through to final activation in high integrity should not be underestimated.

4.4.1 Failsafe

Fire and Gas systems are traditionally not designed to have failsafe control actions because of the undesired consequences of spurious or inaccurate detection. This requires consideration of automatic testing, built in fault detection, line monitoring, and voting techniques to ensure that the system performs its intended function.

4.4.2 Detection Types

Classified areas and locations where personnel in facilities should have the following types of detector:

• Fire - pneumatic fusible loops; electronic detectors (flame, heat, smoke);

• Gas - ventilation and detectors; visual and audible alarms for low level of

flammable gas; shutdown upon LFL/approach to LFL.

4.4.3 Detection - Personnel Observation

Detection by personnel observation is more effective in the cases where a space/area on the facility is manned on a regular basis. The detection of a liquid hydrocarbon leak is more readily achieved through observation/inspection by personnel. In the case of detection by personnel observation it is important that suitable alarm call points (break glass or push button type) are provided for notification of a leak/fire. This means of detection may also be a requirement in the case where a fire protection system is used which may threaten the observers’ life. An example of this would be the use of CO2 to inhibit combustion, which produces a threat to personnel.

4.4.4 Detection - Automatic

Detection by an automatic system may be used where a space is not normally manned and the hydrocarbon release or effects of combustion are readily detected. These systems normally provide rapid response in the event of a leak/fire and may be designed to readily show the location of an event. Such systems include:

• pneumatic loops with fusible elements;

• electronic systems – flame, heat and product of combustion detectors.

Flame detectors can provide a speed response in the detection of fires. Flame detector installations should consider the likely source of flame, detector cone of vision, and physical obstructions. Flame detectors used in open areas should not be susceptible to false alarms due to sunlight. Single spectrum detectors are susceptible to spurious alarms; therefore, it may be desirable to arrange them in groups using appropriate voting systems or to use devices that incorporate dual sensors of different types (e.g., UV/IR) to minimize unwarranted alarms.

Heat detectors normally require less maintenance than other types of detectors because of their basic nature of operation and simpler construction. These factors may result in fewer unwarranted alarms; however, since heat detectors are inherently slower in operation than other types of electrical detectors, they should be considered for installation in areas where high speed detection is not required.

Smoke detectors are recommended where personnel regularly or occasionally sleep and in rooms containing heat sources such as space heaters, ovens, and clothes dryers or areas subject to electrical fires. Quarters should contain smoke detectors within each bedroom, corridor, hallway and office.

4.4.5 Detector Certification

Detectors should be compatible and approved through laboratory testing/certification.

4.4.6 Detector Selection

The following considerations should be made in selecting a detector/detection system.

Effect to be Detected

See Section 4.4.4, above.

Electrical Area Classification

In the case of leak detectors it is critical that these devices provide indication of a release without causing ignition. The classification of electrical equipment for use on facilities (i.e. AS 2380) defines standards for the intrinsic and explosion proofing of electrical equipment in such spaces. These classifications should be applied to detectors.

Required Speed of Response

In the case of fire detection it is generally critical to have rapid detection such that fire protection systems can be initiated prior to significant heat build up due to the fire in the facilities steelwork and other equipment.

IR and UV electronic detectors provide rapid response to the presence of a flame but are relatively expensive. These detectors are used where a readily distinguishable flame is produced by burning hydrocarbons and is not obscured by products of combustion or be masked by background electromagnetic radiation.

Pneumatic fusible loops respond to the heat of a fire and are most effective in detecting liquid fires. These systems are relatively inexpensive and are effective in cases where an obscured flame is present.

Coverage for Effective Detection

Detectors must be positioned so they are exposed to the effect to be detected. This requires consideration of the effect to be detected and the location(s) of releases.

Hydrocarbon gas and vapour/mists are most readily detected by automatic systems.

In the case of vapours/mists, these are generally the result of discharge of liquid hydrocarbons from high pressure through a small hole. Oil mist detection systems are available which use sampling and analysis of an atmosphere, and IR sensing. The effectiveness of these systems for localised releases is critically dependent upon location of leaks and sampling points. It is considered that other methods of control be applied to the prevention and detection of such

leaks. One mode of prevention is through the use of reduced pressures. Control occurs through the use of shielding of flanges and separation from hot surfaces.

In the case of gaseous hydrocarbons, it is the relative density of the gas compared to that of air which will primarily define the location of detectors. Buoyant gases (i.e. those lighter than air) will tend to rise and detectors should be placed high in spaces where such releases may occur. In the case of dense gases, accumulation will occur near the deck of the space and detectors should be placed low down.

The location of detectors may also be influenced by the type of space and ventilation patterns.

Enclosed spaces will generally have some form of mechanical ventilation which acts to prevent the build up of flammable concentrations of gaseous hydrocarbons. The location of detectors should include consideration of ventilation air flows. Consideration may be given to siting detectors in the exhausts from such spaces. The use of open space design may act to disperse gaseous hydrocarbon releases through natural air movements. In either case where significant ventilation rates are available gas detection may be impractical or require siting of detectors close to nominated leak sources.

The number of detectors used may be determined by the required safety integrity level of detection and/or by operational considerations. Use of a single detector may be acceptable where the location of gas is readily known (e.g. HVAC inlets/exhausts) which would leave only the detector as the determining factor on detection reliability. More generally, if detection systems are used they are in the form of multiple detectors which ‘vote’ to provide a more certain indication of an undesired condition. This may include, for example, three detectors in series (i.e. on a single loop) which requires two of the three to indicate the effect for ‘confirmed’ detection. In some cases multiple ‘loops’ of detectors may be deployed to improve detection effectiveness.

The deployment of complex detection systems should be carefully considered since these will be expensive to purchase and maintain, and may provide a false sense of security in operations.

Sensitivity

Use of detector voting and self testing systems may reduce the effect of spurious detectors action (e.g. due to detector failure or environmental factors such as lighting).

Vulnerability to Damage

Detectors should be specified, positioned and protected for the environment they will work in. Some considerations include:

• corrosive environments/discharges;

• the effects of cleaning chemicals;

• potential for impacts during operational and/or maintenance activities.

4.4.7 Gas Detection

Any area in which operations could lead to the emission or accumulation of flammable or toxic gases should be provided with suitable means of ventilation.

A drilling, workover or production installation on a platform should have flammable gas detection devices installed in any enclosed area containing petroleum handling equipment, mud tanks, mud pumps, shale shakers or other open parts of the mud system. An operation where an emission of flammable gases can result in hydrogen sulphide gas concentrations of greater than 20 ppm, without the flammable gases emission being detected, should not be carried out unless hydrogen sulphide gas detection devices have been installed and are

functioning.

A gas detection system should be capable of continuously monitoring for the presence of gas in the area in which the detection devices are located.

The monitoring devices and the control mechanisms should be so arranged that functional tests of the separate components and of the whole system can be carried out efficiently.

The central control for the gas detection system should:

• be capable of giving an alarm at a point 10-25% of the lower explosive limit;

• automatically activate shut-in sequences at a point 20-60% of the lower

explosive limit; and

• in the case of hydrogen sulphide detection be capable of giving an alarm before the concentration exceeds 20 ppm.

Internal combustion engines on a platform, other than engines operating fire pumps and pumps required for well control or which are situated in the open and are constantly attended when operating, should be provided with emergency shutdown devices. These should be automatically activated when flammable gas is detected in the air intake or, where these engines are installed in pressurised housings, in the air intake of these housings and which are,

where necessary equipped with remote control equipment that is:

• accessible to the driller on a drilling and workover rig; and

• at some readily accessible point on a production platform.

4.5 OPERATION & MAINTENANCE

Functional tests should be carried out by a competent person:

• at defined intervals; and

• immediately after any event indicating that the system or any part of the

system is not operating correctly.

The results of any such test should be recorded in an approved manner.

4.5.1 Testing

F&G Panel(s) should be tested quarterly, including shutdown tests using different initiators.

Test failures should be documented and utilised for determination of proof test periods. Fire detectors should be tested quarterly for operation and recallibrated. Fusible loops should be inspected as per API 14C.

5.0 EMERGENCY SHUTDOWN

5.1 ROLE

The role of the Emergency Shut Down (ESD) system is to isolate equipment and systems to prevent/minimise loss of life on and property damage to the facility.

5.2 FUNCTION

The ESD system provides for the isolation of equipment systems where an emergency situation has arisen or is imminent. This may be through escalation or worsening of abnormal process conditions which the PSD system has not acted to control, or may be as a result of the detection of a hydrocarbon release or fire.

In general terms the ESD system will cause segregation of the hydrocarbon process to prevent inflow to a leaking section and thereby limit the quantity of hydrocarbons available for release. Hydrocarbon disposal systems (Section 8.0) may be used to further reduce the quantity of hydrocarbons available for release through blow down of gas and drainage of liquid hydrocarbons.

5.3 RELATIONSHIP

The Emergency Shut Down (ESD) system acts to prevent or control an undesired release of hydrocarbons through escalation of shut down level from PSD or upon operation of F&G detection. ESD is related to various other safety systems as follows:

5.3.1 Process Shut Down (Section 3.0)

The PSD should return the system to a stable state with little or no threat of an undesired hydrocarbon release. In cases where the PSD does not produce a stable state in the hydrocarbon system, an ESD may be required. It many cases, ESD is considered an extension of PSD where the more limited actions taken in a PSD are ineffective and the situation is escalating towards an emergency or Major Accident Event (MAE).

5.3.2 Fire and Gas Detection (Section 4.0)

The primary cause of ESD is detection of a hydrocarbon leak through the Fire and Gas (F&G) detection system. F&G detection may result in the shut down of other safety systems through the ESD system.

5.3.3 HVAC (Section 6.0)

The ESD system may cause the shut down of the HVAC system, including fans and/or fire dampers, for example, detection of gas at the ventilation inlets of ‘safe’ spaces, such as control rooms or accommodation spaces.

5.3.4 Emergency Power (Section 7.0)

The F&G detection system should be provided with Emergency Power to allow for ongoing monitoring of an event after the initial event has resulted in an ESD.

5.3.5 Hydrocarbon Disposal (Section 8.0)

Through an executive action from the ESD system, segregated sections of the hydrocarbon process/system in the vicinity of a release/fire may be blown down (i.e. hydrocarbon gas vented to a safe location) and/or drained (i.e. liquid hydrocarbon removed/’dumped’ to a safe location). Both of these actions will reduce the amount of fuel available to feed a fire or reduce the effect of any ‘escalation’ of the original event to another part of the hydrocarbon system.

5.4 DESIGN

Safety systems should be defined on the basis of the inherent risk associated with the process/activity. Shut down systems should take due consideration of risks and in particular event sequence in the context of the overall facility.

Prevention is the preferred strategy for the management of risk due to undesired hydrocarbon releases and fires/explosions. The PSD system may provide for the shut down of a system component prior to a release or it may detect process conditions which are symptomatic of a release. In addition the F&G system may provide indication of a release. In either case, it is the ESD system which will cause executive action to control/mitigate the effects of the release.

As discussed in Section 2.0, API 14C is a widely accepted method for the analysis and design of Process Safety Systems. It requires that these systems have:

• independence from other systems or reliability equivalent to an independent

system; and

• two levels of protection, primary and secondary, which should be independentand achieved through equipment which is functionally independent.

In this context, API 14C provides guidance on the selection of safety devices and protective shut in actions for isolating a process component, in the event of an abnormal operating condition (e.g. overpressure, leak, excessive temperature, etc.). In the case where a detected abnormal operating condition is a release of hydrocarbons, it is the function of the ESD system to define executive actions for the control/mitigation of the undesirable event.

For example, in the event of a gas leak the ESD and blow down systems may act to reduce the amount/pressure of hydrocarbons for release thereby reducing the duration/consequences of such a release.

As far as practicable the ESD system should be designed to be ‘failsafe’. Exceptions should be made on the basis that the overall integrity of the ESD system is not impaired. ‘Cascade effects’ should be avoided in the design of ESD systems.

The ESD system should be independent of other monitoring, control and alarm systems. The system itself should be designed with sufficient segregation such that failure of one part of the system would not render other parts of the system inoperative. Similarly faults in interfaced systems should not render the ESD system inoperative.

ESD systems should be protected against sources of electromagnetic interference.

ESD activation should be enunciated at the main control station by visual and audible means which should readily identify the location and source of the equipment initiating ESD. For the final stage of ESD, the alarm should be part of the facility’s general alarm system.

Manual reset capability should be provided local to the equipment that has been shut down.

Appropriate hardware and/or management system controls should be implemented to ensure

that ESD system is not cancelled erroneously.

Online testing and maintenance should be allowed for whilst the system may be readily returned to operational readiness as soon as possible. In the case that system overrides are provided, these should not be capable of being inadvertently operated. Such overrides should be made known to personnel at the main control station and should be limited in their scope of affect through suitable segregation of overrides. Visual indicators of override should be

provided at control stations and locally.

Power supplies should be provided and arranged such that automatic change over is provided for in the event of power loss. These supplies should be provided with alarms to enunciate their failure.

Hydraulic and pneumatic systems should have sufficient capacity to perform one complete shutdown followed by reset. Standby should preferably be from local sources. In the case of non-failsafe actuators, capacity should be provided for three valve strokes.

Power and control lines to ESD field components should be routed to minimise the risk from causes of damage including segregation from other control systems to prevent failure of these systems affecting the ESD system. Where mechanical damage is possible, consideration should be given to lines running through protective enclosures. Lines that are required to maintain integrity during a fire should have appropriate fire resistance.

ESD system terminations should be segregated from other equipment/systems. In the case of interface terminations, the ESD system terminations should be clearly identified. Manual initiation points should be clearly identified.

The final stage of ESD should include shutdown of all utilities (excluding emergency services), production/test facilities, closure of wellhead valves, opening of all BDVs and closure of DHSVs.

If employed, redundancy should include consideration of:

• majority voting;

• common mode failure mechanisms;

• alarm of channel failure;

• online testing of channels, a complete function test where practicable.

The use of PES should be compatible with other ESD system technologies used and should be designed for normal and emergency environmental conditions. Essential functions should be provided with self checking and fault diagnostic capabilities. Testing should allow for immediate reversion to system operation in the event of an actual ESD signal. PES system failure should be annunciated through visual and audible alarms, with consideration given to discrimination of hardware and software malfunction. Failure of peripheral devices should

not cause the system to become ineffective. Software quality should be adequately checked and modifications only made in accordance with the software quality assurance plan for the system. All parts of the PES should have a ‘no break’ power supply which has low levels of superimposed electrical interference. Software should be secured from interference by unauthorised personnel.

5.4.1 Documentation

The ESD system design should be documented to include:

• philosophy details and logic diagrams;

• cause and effect matrices;

• loop diagrams;

• alarm system schedules, diagrams and description of operation;

• power supply system diagrams.

In the case of PES systems documentation should include:

• functional specification and diagrams;

• hardware and software particulars, usually in the form of block and flow

diagrams;

• scope and function of novel features – interlocks, self checking systems, auto

abort testing mechanisms, etc;

• interface arrangements with field equipment and peripheral devices;

• PES equipment siting;

• software quality assurance plan;

• I/O schedule;

• Message lists.

Maintenance manuals should be produced and retained on the facility.

Records of ESD system testing and commissioning should be retained.

5.4.2 Process and Emergency Shutdown Systems

Shutdown functionality may be implemented in programmable or non programmable systems.

Care should be taken to ensure that the system supplier is both competent and experienced in the chosen technology.

Rigorous quantified assessment of reliability and system integrity is only usually required in the case of High Risk (SIL3) shutdown systems. Other risk levels should be the subject of a qualitative assessment/review.

5.5 OPERATION & MAINTENANCE

In cases where parts of the process system are to be bypassed (e.g. start up, changeover, maintenance, etc.), the ESD system should be designed to facilitate such activities. Disconnection of parts of the process system and associated parts of the ESD system is controlled through the facility Permit To Work (PTW) system. Override of the ESD system’s failure to safety function may be acceptable during manned operations such as loading, drilling or workover, provided suitable risk analysis demonstrates that risks are ALARP.

No process ESD should confer a hazard on drilling operations.

A recognised national or international standard for pressure testing should be applied to all parts of the ESD pneumatic and hydraulic systems.

Commissioning should include testing of each part of the ESD system culminating with testing of the whole system. Testing should include activation via all manual initiation devices and/or sensors through to the final shutdown conditions. Commissioning records should confirm satisfactory operation and response times where appropriate.

5.5.1 Documentation

For the purposes of effective operation of the ESD system the following documentation should be provided:

• Outline of testing/maintenance methods and frequency (Operations Manual);

• Detailed testing/maintenance procedures (Maintenance Manual).

5.5.2 Sequence of Event Recording

An event recorder is recommended and should include initiating and ESD action signals. This may be used to demonstrate system functionality and operation.

5.6 FACILITY/ACTIVITY

5.6.1 Drilling

It is usual for ESD systems in drilling operations to be the subject of manual executive action. Blow-out preventers and related well control equipment should be installed, operated, maintained and tested in accordance with the manufacturers recommendations or with company requirements, ‘Blow-out Prevention Equipment Systems for Drilling Wells’, and should be rated with a

working pressure of the casing. Prior to drilling below the conductor casing string in exploration wells, or in development wells in those areas having known gas accumulations, a pipe of adequate diameter with control valves or diverter system should be installed. This should safely divert hydrocarbons

and other fluids in the event of pressures occurring below the shoe of conductor string which may fracture the formation.

Prior to drilling below the surface casing string, the blow-out prevention equipment should include a minimum of:

• three remotely controlled, hydraulically operated blow-out preventers with a

working pressure that exceeds the maximum anticipated surface pressure,

including one equipped with pipe rams, one with blind rams and one of the

annular type;

• a drilling spool with side outlets for the attachment of choke and kill lines, if

side outlets are not provided in the blow-out preventer body. These side

outlets, at least two in number, should be connected to pipelines of sufficient

strength to withstand a pressure equal to the pressure rating of the blow-out

preventer assembly to which they are connected. One of the said pipelines

should be available for the purpose of bleeding well fluid to the choke

manifold and should have a minimum internal diameter of 75 mm;

• a choke manifold containing not less than two adjustable chokes connected to

one of these pipelines;

• a kill pump facility connected to the kill line; and

• a fill-up line.

Prior to drilling below an intermediate casing string, the blow-out prevention equipment should include a minimum of:

• four remotely controlled, hydraulically operated blow-out preventers with a

rated working pressure which exceeds the maximum anticipated surface

pressure, including at least one equipped with pipe rams, one with blind rams

and one of the annular type;

• a drilling spool with side outlets for the attachment of choke and kill lines, if

side outlets are not provided in the blow-out preventer body. These side

outlets, at least two in number, should be connected to pipelines of sufficient

strength to withstand a pressure equal to the pressure rating of the blow-out

preventer assembly to which they are connected.

One of the said pipelines should be available for the purpose of bleeding well

fluid to the choke manifold and should have a minimum internal diameter of

75 mm;

• a choke manifold containing not less than two adjustable chokes connected to

one of these pipelines;

• a kill pump facility connected to the kill line; and

• a fill-up line.

When drilling operations are being carried out from a mobile drilling unit (other than a jackup platform), after drilling out of the conductor string, provision should be made so that:

• equipment being run in the well may be secured in such a manner that it may

remain stationary and independent of the motion of the drilling unit; and

• every blow-out preventer assembly in use should have included in it at least

one set of pipe and shear-blind rams.

It should be ensured that:

• an inside blow-out preventer assembly (back pressure valve) and a full opening

drill string safety valve in the open position are kept on the rig floor at all times

whilst operations are in progress, with suitable crossover substitutes to enable

installation on all drill pipe, drill collars and tubing in use; and

• a kelly cock is installed immediately below the swivel and another at the

bottom of the kelly, of such design that it can be run through the blow-out

preventers.

It should be ensured that the blow-out prevention equipment is not removed until the well has been adequately sealed.

During operations there should be a control panel, located on the drill floor, for operating blow-out preventers, and another located at such a distance from the drill floor as to ensure safe and ready access in times of emergency.

Each choke manifold should have the following equipment clearly visible to the choke operator when standing in his normal operating position for either the remote or hand adjustable chokes:

• a pressure gauge which indicates the drill pipe pressure at the drill floor; and

• a pressure gauge which indicates the casing string/drill string annulus pressure

at a known point upstream of the choke.

Blow-out preventers which are installed on the ocean floor should be provided with duplicate sets of control lines from the master control panel on the drill floor to the various components of the blow-out preventer stack. Each control line should contain a connector-control pod located at the top of the blow-out preventer stack to enable disconnection from the blow-out preventer stack for essential maintenance or in times of emergency.

The following mud system monitoring equipment, with drill floor indicators, should be installed and used during all drilling operations after setting and cementing the conductor casing string:

• a recording mud pit level indicator to determine mud pit volume gains and

losses. This indicator should include a visual and audible warning device;

• a mud volume measuring device for accurately determining the mud volumes

required to fill the hole on trips;

• a mud return of full hole indicator to determine when returns have been

obtained, when they occur unintentionally, and when returns essentially equal

the pump discharge rate; and

• a mud gas monitoring device to determine the concentrations of gas in the

drilling mud.

Drilling operations should not be commenced or continued unless the drilling rig is equipped with a penetration rate recorder that will give a clear indication of a change in formation that can be used as a guide to warn against approaching areas of abnormal pressure. This should be maintained in good working order and be in continuous operation while drilling.

5.6.2 Production

Pipelines

A pipeline ESD valve (ESDV) capable of blocking flow should be installed and maintained.

The ESDV should be:

• held open by electrical , hydraulic or other signal, failure of which will cause

auto closure;

• capable of closure by a person adjacent to it and automatically as part of ESD

function;

• capable of allowing passage of equipment if the pipeline is so designed (e.g.

pigs);

• fire/explosion/impact protected.

Upon closure of a pipeline ESD valve:

• The Person in Charge (PIC) ensures that all connected facility PICs are

informed;

• valve only to be re-opened upon authorisation of facility PIC following

consultation with PICs of connected facilities;

• ESDV should be used for blocking only and not for flow control.

Further, the ESDV:

• should be located such that it can be safely/fully inspected, maintained and

tested;

• should not be submerged or submergible if a fixed platform;

• should, if non-fixed, be as near as practicable to a flexible line where part of

the riser is tensioned; otherwise above highest wave crest and quick disconnect

fittings;

• should be located such that base of riser is as short a distance as practicable

away.

Pipeline ESDVs are:

• inspected for external leak/damage/external corrosion every 3 months;

• motion tested from a local closure station every 6 months;

• fully function tested through action of the platform ESD system every 12

months.

Test records should include:

• ESDV identity;

• pipeline title holder; facility owner and Person In Charge;

• date of test;

• name, qualifications and employer of test personnel;

• test procedures and equipment particulars;

• damage/defect and action taken/proposed for remedy.

Wells

A failsafe surface controlled sub-surface safety valve (SCSSV) should be installed in the tubing string at least 30 metres below the mudline or below the depth of the deepest installation pipe penetration, and it should be controlled through the installation emergency shutdown system.

A well that is capable of naturally flowing hydrocarbons should have an approved subsurface safety device. This device should close if the wellhead or production equipment is damaged resulting in a surface leak. The device should be function tested on a regular basis and where testing indicates it may not work, be repaired or replaced immediately.

6.0 HEATING, VENTILATION AND AIR CONDITIONING

6.1 ROLE

Prevention of the accumulation of hydrocarbon gas to flammable concentrations.

6.2 FUNCTION

The HVAC system may act to prevent accumulations of hydrocarbon gas to flammable concentrations through provision of a copious air flow through an area or prevent ingress by maintaining a space at a higher pressure to an adjacent one.

In the case that a flammable concentration of gas is detected, the HVAC system in hazardous areas may be shut down or allowed to continue operation, depending upon the overall safety system philosophy for the facility. Normally the supply of air to non hazardous areas would be sustained upon gas detection in a hazardous area to prevent ingress of a flammable concentration.

In the case that hydrocarbon gas is detected at the inlets to non hazardous spaces, the HVAC system would normally be shutdown to prevent ingress of the gas.

6.3 RELATIONSHIP

6.3.1 Fire and Gas Detection (Section 4.0)

F&G detection of gas at the ventilation inlets of ‘safe’ spaces, such as control rooms or accommodation modules, may cause shutdown of HVAC fans and/or dampers in HVAC trunking.

6.4 DESIGN

Prevention is the preferred strategy for the management of risk due to undesired hydrocarbon releases and fires/explosions. In the case of hydrocarbon gas/vapour releases, it is possible to prevent the accumulation of hydrocarbon to a flammable level through the application of natural or forced ventilation.

Where facilities are open or partially open to the elements, careful consideration of prevailing wind directions and the siting of vents can act to provide a significant flow of air which prevents the build up of flammable concentrations of hydrocarbons in the event of a leak.

In the case of facilities that have enclosed spaces, a mechanical means is used to provide ventilation for comfort and as a safety measure. In the context of the HVAC system as a safety measure, a number of strategies may be employed, such as:

• Control rooms, spaces normally occupied by personnel, and spaces which

contain hydrocarbon processing equipment may be maintained at a positive

pressure (i.e. a pressure above atmospheric). This pressurisation acts to

exclude hydrocarbons from the ‘safe’ area thereby preventing a fire in these

spaces.

• The use of positive pressure to protect a space as detailed above requires that

the ventilation system inlet is not effected by a hydrocarbon release. Gas

detection and fire dampers are used to prevent the ingress of gas or smoke in

cases where HVAC inlets are inundated with gas or smoke respectively. The

selection of ventilation inlet locations should be made to ensure, as far as

practicable, that they can provide ‘clean’ air at all times.

• Enclosed spaces which contain hydrocarbon processing equipment are

designated hazardous areas. These spaces may be provided with forced

ventilation to dilute and carry away any gas/vapour hydrocarbon releases. The

decision to provide such ventilation will include consideration of whether the

space will be visited by personnel and may determine, or be determined by, the

ignition rating of equipment in the space. Where personnel may visit the

space, an accumulation of gas/vapour may have the potential to cause a death

by poisoning or asphyxiation through its accumulation in ‘dead’ areas in the

module, particularly in the case where the hydrocarbon is heavier than air.

Protection of Non Hazardous Areas

The use of enclosed modules and positive pressurisation for the protection of non hazardous areas from hazardous area atmospheres should be specified and applied wherever possible in the design and construction of offshore installations.

Such modules should have airlock protection at access points and the pressurised area should be monitored and equipped with pressure drop alarm and shutdown systems.

Separation of areas by fire and/or blast walls, appropriate to the risk from process areas, is recommended.

Accommodation and control centres should be protected by fire and/or blast walls or located remotely.

7.0 EMERGENCY POWER

7.1 ROLE

Provide electrical supply to enable ongoing emergency and evacuation system operation in the event of an emergency situation.

7.2 FUNCTION

In the context of safety systems, emergency power may be required to allow ongoing monitoring of an event through the F&G system or for its control through the ESD system.

7.3 RELATIONSHIP

In the event of an emergency situation, many power sources are shut down. Several systems require electrical power to operate and emergency power is provided to ‘critical’ systems, such as ESD (Section 5.0) and F&G (Section 4.0), thereby allowing the effective management of an emergency situation. The Emergency Power system enables other safety systems in the control of MAEs.

7.4 DESIGN

Emergency Power systems may be specified to support the safety systems for a period of 24 hours. Such a supply may be dedicated for each safety system or may be a single general system.

Emergency power sources may comprise uninterruptible power supplies (UPS) and/or a compression ignition or gas turbine, with a fuel of flash point greater than 43 degree Celsius.

The source of emergency power should be located outside any hazardous areas and should be independent and remote from the main electrical power source(s) for the facility.

Suggested UPS Autonomy Times

System Autonomy Time (hrs:mins)

Fire and Gas detection, and alarm. 03:00

Emergency Shutdown and depressurising. 00:30

Process monitoring and control. 00:45

PA, facility audible alarms and status lights. 03:00

SOLAS communications equipment. 24:00

Emergency and escape lighting. 01:30

Navigational aids and helideck lighting. 96:00

Note: These autonomy times should not be reduced, even in cases where an emergency diesel generator is installed to provide back up supply to UPS units.

The emergency power source should come into operation upon loss of main power. In the event of a generator being the source of emergency power, it should be possible to start it independent of the automatic start mechanism.

Emergency generator automatic starting mechanisms should not be inhibited in the event that hydrocarbon gas is present at the generator.

8.0 HYDROCARBON DISPOSAL

8.1 ROLE

To divert or remove hydrocarbons from one location to another, thereby reducing the effect of an emergency event.

8.2 FUNCTION

In the case of drilling systems in the early stages of an exploration/development well, a ‘diverter’ is deployed to deflect uncontrolled well flow, should it occur, away from the drill floor and other manned locations.

In the case of process systems, hydrocarbon disposal is most generally the depressurisation or blow down of process vessels. Through reduction in pressure of vessels, large quantities of hydrocarbon gas/vapour are removed to a ‘safe’ location. The depressurisation reduces the likelihood and consequences of an existing fire escalating to other process sections. The effective operation of the blow down system generally is dependent upon the successful operation of the ESD system in segregating the process system into ‘isolated sections’.

8.3 RELATIONSHIP

Hydrocarbon disposal systems are used to reduce the amount of hydrocarbons available to feed a fire or to remove hydrocarbons which an existing fire may ‘escalate’ to, thereby worsening the original event. These systems are generally initiated by the ESD system (Section 5.0) after the hydrocarbon process has been isolated (i.e. once flow into and out of system segments has been shut down).

8.4 DESIGN

The safe removal of hydrocarbons from process equipment in the event of a leak may reduce the duration and size of a fire. It may also prevent the escalation of a fire from one part of the hydrocarbon processing system to another. Both of these effects act to reduce the impact of a hydrocarbon release, especially when the release has been ignited.

Various forms of relief devices may be used to prevent an undesired release of hydrocarbons.

Pressure relief valves and bursting discs, for example, may relieve a build up of pressure in a process component, thereby preventing its failure. These devices are complemented by drain (i.e. over pressure due to liquid) and vent (i.e. over pressure due to gas) systems which remove any hydrocarbon to a safe place. Action of these devices is symptomatic of a process system problem which must be addressed to allow production to continue. They provide for a

controlled failure of the system as a planned event rather than a undesired equipment failure.

The activation of these systems is due to an intrinsic property of the processing system (e.g. the effect of high pressure).

Successful activation of the ESD system to shut process components down may be followed by the removal of hydrocarbons by executive action. The most common means of doing this is through the activation of blow down valves (BDVs) on the gas side of process components.

Hydrocarbon gas is blown down to a safe area for venting to atmosphere through suitably designed piping. A knock out drum may be used to remove hydrocarbon liquids prior to venting.

The removal of hydrocarbon liquid in offshore facilities has generally received less attention than that paid to the removal of gas. This is because the pressure driving a liquid release rapidly drops to the hydrostatic head of liquid. In contrast the pressure driving the release of a gas or flashing liquid is sustained by the compressible nature of the hydrocarbon being released.

8.4.1 Blowdown Valves

See Section 2.6.15.4.

8.4.2 Gas Flaring Stacks

Gas flaring stacks and installations should incorporate a flame arrestor and/or continuous purge. Additionally, the following precautions should be taken:

• Flare stacks should be located so that any fluid carry over will not be deposited on process or other operating areas by prevailing winds;

• Reliable and safe means of remote ignition and re-ignition should be provided;

• Fire control equipment should be installed in areas adjacent to the flare stack

for use in an emergency.

8.4.3 Crude Oil Burners and Booms

Crude oil burners and booms for use in oil disposal during well testing should be located as far as possible from wellhead and separating equipment and with due regard for prevailing wind effects. The following precautions should be taken:

• the fitting of two separate burners, located to give flexibility in dealing with

wind direction effects, should be considered;

• effective heat shielding of the installation structure should be provided by a

water spray curtain or similar arrangement to control heat build up when

flaring during extended tests or large production rates;

• reliable and safe means of remote ignition and re-ignition should be provided;

• access to flaring areas should be restricted to personnel actually involved with

the operation and the control of other operations which may be ongoing during

flaring should be considered.

APPENDIX A

GLOSSARY

ABBREVIATIONS

The following abbreviations are used throughout these Guidelines.

AC Alternating Current

ALARP As Low As Reasonably Practicable

API American Petroleum Institute

APPEA Australian Petroleum, Production & Exploration Association Pty Ltd

AS Australian Standard

BDV Blow Down Valve

BOP Blow Out Preventer

DHSV Down Hole Safety Valve

DISR Department of Industry, Science and Resources

ESD Emergency Shut Down

ESDV Emergency Shut Down Valve

ESSA Emergency Systems Survivability Analysis

FD Facility Description

F&G Fire and Gas

FMEA Failure Modes and Effects Analysis

FPSO Floating Production, Storage and Offloading

FSA Formal Safety Assessment

HAZOP Hazard and Operability Study

HSE Health, Safety and Environment

HVAC Heating, Ventilation and Air Conditioning

IR Ionised Radiation

ISO International Standards Organisation

kW Kilowatt

LFL Lower Flammable Limit

MAE Major Accident Event

MODU Mobile Offshore Drilling Unit

MTBF Mean Time Between Failures

MTTR Mean Time to Repair

NFPA National Fire Protection Association

OIM Offshore Installation Manager

PA Public Address

PES Programmable Electronic System

PIC Person in Charge

PSD Process Shut Down

PTW Permit to Work

P(SL)A Petroleum (Submerged Lands) Act

QA Quality Assurance

SC Safety Case

SCSSV Sub-Surface Safety Valve

SIL Safety Integrity Level

SOLAS Safety of Life at Sea

SMS Safety Management System

UKOOA United Kingdom Offshore Operators Association

UPS Uninterruptible Power Supply

UV Ultra Violet

REFERENCE DOCUMENTS

DISR

- Guidelines for Preparation and Submission of Safety Cases: Section 5, General Safety

Guidelines, 1995.

UK HSE/HSC

- Guidance on Design, Construction and Certification of Offshore Installations – UK HSE

1990.

- Prevention of Fire and Explosion, and Emergency Response on Offshore Installations –

Guidance by UK HSC, 1995.

NORWEGIAN PETROLEUM DIRECTORATE (NPD)

- Guidelines to regulations relating to safety and communication systems. Issued by the

Norwegian Petroleum Directorate February 1992.

AMERICAN PETROLEUM INSTITUTE

- RP14C: Recommended Practice for Analysis, Design, Installation and Testing of Basic

Surface Safety Systems on Offshore Production Platforms, Sixth Edition, March 1998.

- RP14G: Recommended Practice for Fire Prevention and Control on Open Type Offshore

Production Platforms, Third Edition, December 1993.

INSTITUTE OF PETROLEUM

- Model Code of Safe Practice for the Petroleum Industry, Part 8: Drilling and Production

Safety Code for Operations Offshore, Third Edition, 1991.

UKOOA

- Instrument Based Protective Systems, 1995.

- Management of Safety-Critical Elements, 1996.

IMO

- SOLAS Consolidated Edition, 1974-1998.

- MODU Code, 1989.

IEC/AS

- IEC/AS61508, Parts 1-7: Functional Safety of Electrical/Electronic/Programmable

Electronic Safety Related Systems.

- IEC61511, Parts 1-3: Functional Safety Instrumented Systems for the Process Industry

Sector.

PART YWO

PROJECT DESCRIPTION

Engineering Photos,Videos and Articels (Engineering Search Engine)

Pages

Search For Electrical Stuff

Wednesday, July 3, 2013

PLANT SHUTDOWN SYSTEMS

No comments: