Exploration & Production

GENERAL SPECIFICATION

SAFETY

GS SAF 261

Pressure protection and relief, emergency shutdown and depressurisation

| Rev. | Date | Notes |
|---|---|---|
| 01 | 10/03 | Change of Group name and logo |
| 00 | 04/01 | Old TotalFina SP SEC 261 |

This document is the property of Total. It must not be stored, reproduced or disclosed to others without written authorisation from the Company.

GS_SAF_261 Rev 1.doc



Contents

1. Scope

1.1 Purpose of the specification

1.2 Applicability

2. Reference documents

3. Terminology and Definitions

4. Pressure protection and relief

4.1 Requirements for pressure protection and relief

4.2 Relief device setting

4.3 Relief system sizing

4.4 Relief system configuration

4.5 Relief devices

5. Emergency shutdown

5.1 ESD purposes

5.2 Architecture of the shutdown system

5.3 Definition of the shutdown matrix

5.4 Integration of packages

5.5 Cascades

5.6 Shutdown devices

5.7 Physical protection

5.8 Number of isolations

5.9 Additional functional requirements

6. Emergency depressurisation

6.1 Requirements for EDP

6.2 EDP sequence

6.3 Protection and functional requirements


1. Scope

1.1 Purpose of the specification

The purpose of this general specification is to define the safety requirements for the design of the Pressure Protection and Relief (PPR), Emergency Shutdown (ESD) and Emergency Depressurisation (EDP) systems of hydrocarbon production and processing installations, except pipelines.

In accordance with the hazard tree for production installations as per API RP 14J, these systems contribute to the fulfilment of the following objectives:

• Containment of hydrocarbon: Prevent the loss of containment, by limiting pressurisation in the facilities and by relieving over-pressure (PPR); limit the loss of containment by cutting off incoming hydrocarbon streams (ESD).

• Prevention of ignition: Eliminate potential sources of ignition (ESD).

• Mitigation: Unstress equipment under fire by releasing pressure (EDP); minimise (or get rid of) hydrocarbon inventory (EDP); limit the quantity released through a leak (EDP); initiate active fire-fighting (1).

Note 1: Active fire-fighting means are mentioned here although initiated by the Fire and Gas system which is not, stricto sensu, part of the ESD system.

The present document is organised in three main sections, each devoted to one of the systems listed above: pressure protection and relief (Section 4), emergency shutdown (Section 5) and emergency depressurisation (Section 6).

1.2 Applicability

This specification is not retroactive. It shall apply to new installations and to major modifications or extensions of existing installations, both onshore (1) and offshore, and including interfaces with wells and pipeline systems. It is also applicable to VENDOR's packages.

This specification is limited to highlighting safety matters and does not cover, in particular:

• Scope and content of operating philosophy (Operations Division)

• Detailed design of well shut-in panels, emergency and vital services supplied by batteries, control and safety instrumentation systems (Technical Department)

• Design of hydrocarbon disposal systems, such as flares, vents, pits, etc. (GS SAF 262)

• Detailed design of processing facilities shutdown requirements (Process Department)

• Design of the Fire and Gas detection systems (GS SAF 312)

• Pipeline proprietary safety systems (GOV, etc.).

Note 1: Applicable by default; however, requirements conveyed in the present document may be made less stringent for onshore facilities. To be assessed on a case-by-case basis, considering the nature of the process and the facilities environment.


2. Reference documents

The reference documents listed below form an integral part of this General Specification. Unless otherwise stipulated, the applicable version of these documents, including relevant appendices and supplements, is the latest revision published at the EFFECTIVE DATE of the CONTRACT.

Standards

| Reference | Title |
|---|---|
| IEC-1508 | Functional safety: safety related systems |

Professional Documents

| Reference | Title |
|---|---|
| API RP 14B | Recommended Practice for Design, Installation, Repair and Operation of Sub-Surface Safety Valve (SSSV) Systems |
| API RP 14C | Recommended Practice for Analysis, Design, Installation and Testing of Basic Surface Safety Systems on Offshore Production Platforms |
| API RP 14E | Recommended Practice for Design and Installation of Offshore Platform Piping Systems |
| API RP 14J | Recommended Practice for Design and Hazards Analysis for Offshore Production Facilities |
| API RP 520 | Sizing, Selection and Installation of Pressure Relieving Devices in Refineries |
| API RP 521 | Guide for Pressure Relieving and Depressuring Systems |
| API ST 2000 | Venting Atmospheric and Low Pressure Storage Tanks |
| ASME 8 | Pressure Vessels |
| BS 6755 | Testing of Valves |
| ASME B 31-8 | Gas transmission and distribution piping systems |

Regulations

Not applicable

Codes

Not applicable


Other documents

Not applicable

Total General Specifications

| Reference | Title |
|---|---|
| GS SAF 021 | Lay-out |
| GS SAF 222 | Safety rules for machinery and equipment handling hydrocarbon in enclosed areas |
| GS SAF 226 | Safety rules for wells |
| GS SAF 253 | Impacted area, restricted area and fire zones |
| GS SAF 262 | Hydrocarbon disposal systems |
| GS SAF 312 | Guidelines for selecting and installing fire and gas detection systems |
| GS PVV 142 | Valves |

3. Terminology and Definitions

Abnormal operating condition: Condition which occurs in a process equipment or unit when an operating parameter ranges outside of its normal operating limits (API).

Availability: Proportion of the total time during which a component, equipment, or system is performing in the desired manner (UKOOA).

Blow-Down: Difference between the set pressure and the closing pressure of a pressure relieving device (API + COMPANY).

Note: The term "blow-down" is often used erroneously in lieu of "emergency depressurisation" (see below). This practice is misleading and hence prohibited by COMPANY.

Blow-Down, liquid: Control actions undertaken in response to a hazardous situation, to dispose of the liquid hydrocarbon inventory present in a capacity (COMPANY).

Blow-Down Valve (BDV): Automatically operated (fail to open) valve used to vent the pressure from a process station on Shutdown (API).

Diversification/Diversity: Existence of different means of performing a required function, for example other physical principles, other ways of solving the same problem, etc., for the sake of minimising the common modes of failure (IEC + COMPANY); the wording "diversified redundancy" should be used.


Emergency Depressurisation (EDP): Control actions undertaken to depressurise equipment or process down to a pre-defined threshold (generally 7 bar g or 50% of design pressure) in a given period of time (generally 15 minutes) in response to a hazardous situation (ISO + COMPANY).

Emergency Shutdown (ESD): Control actions undertaken to shutdown equipment or process in response to a hazardous situation (ISO).

Emergency Shutdown system: System of manual stations and automatic devices which, when activated, initiate installation shutdown (COMPANY).

Emergency Shutdown Valve (ESDV): High integrity shutdown valve, handling a hazardous fluid or a fluid having an essential function, and located at the limit of a fire zone or within a fire zone to limit hydrocarbon inventory in amounts smaller than 50 m³ (COMPANY).

Equipment: Any component or group of components specifically identified and itemised on the P&ID's (COMPANY).

Failure: Improper performance of a device or equipment item that prevents completion of its design function (API).

Fire and Gas system (F&G): Safety system monitoring temperature or energy flux (fire), concentration of flammable or toxic gases (gas), etc., initiating alarms and shutdown functions at pre-determined levels (COMPANY).

High Integrity Protection System (HIPS): Instrument-based systems of sufficient integrity (involving high reliability redundant and/or diversified instruments) so as to make the risk of exceeding the design parameters lower than 10⁻⁴ upon demand (COMPANY).

Overpressure Protection System (OPPS): A HIPS exclusively devoted to overpressure protection (COMPANY).

Permanently manned installation: Installation where personnel are routinely accommodated for more than 12 hours per day (API).

Not permanently manned installation: Installation where personnel are routinely accommodated for less than 12 hours per day, or less than 40 hours per week (COMPANY).

Pressure Protection and Relief device: Device, generally Pressure Safety Valve (PSV) or bursting disk, releasing hydrocarbon contained inside process equipment in order to ensure that the prevailing pressure shall not exceed the design pressure (COMPANY).

Redundancy: The existence of more than one means for performing a required function (IEC).

Reliability: Probability that an item is able to perform a required function under stated conditions for a stated period of time or for a stated demand (UKOOA).

Safety Integrity (SI): The probability for a safety-related system to perform satisfactorily the required safety functions under all the stated conditions within a stated period of time (IEC).


Safety Integrity Level (SIL): One of four possible discrete levels for specifying the safety integrity requirements of the safety functions to be allocated to safety-related systems (IEC).

| Safety Integrity Level | Probability γ of failure to perform on demand (1) | Probability λ of a dangerous failure per year (2) |
|---|---|---|
| 4 | γ ≤ 10⁻⁴ | λ ≤ 10⁻⁴ |
| 3 | 10⁻⁴ < γ ≤ 10⁻³ | 10⁻⁴ < λ ≤ 10⁻³ |
| 2 | 10⁻³ < γ ≤ 10⁻² | 10⁻³ < λ ≤ 10⁻² |
| 1 | 10⁻² < γ ≤ 10⁻¹ | 10⁻² < λ ≤ 10⁻¹ |

Note 1: Applicable to normally not active systems.

Note 2: Applicable to normally active systems.

Shutdown: Control actions undertaken to stop operation of an equipment or a process. Shutdown can be automatically triggered or initiated by voluntary action.

Shutdown Valve (SDV): Automatically operated (generally fail to close) valve used for isolating a process station (API). SDV's are often referred to as Process Shutdown Valves (PSDV). The acronyms SDV and PSDV are equivalent but SDV shall be used in the present specification because SDV's are not always attached to a process system.

Thermal Expansion Relief Valve (TERV or TSV): Device releasing hydrocarbon trapped inside a capacity (usually a pipeline section) submitted to heat input in order to maintain pressure below design pressure. The acronym "TSV" shall be used in the present specification.

Ultimate Safety System: Set of hardware and solid-state logic that provides diversified redundancy for some essential actions taken by the ESD systems (COMPANY).

Unit: Areas within the installation resulting from its partition into a reasonable number of geographical and functional groups of equipment (COMPANY).

Watchdog: A combination of diagnostics and an output device (typically a switch), the aim of which is to monitor the correct operation of the programmable electronic device and take action upon detection of an incorrect operation (IEC).


4. Pressure protection and relief

4.1 Requirements for pressure protection and relief

4.1.1 Causes of over-pressurisation

The faults listed below can cause over-pressurisation; they shall therefore be taken into account for the design of PPR systems:

• Blocked outlet, blow-by, inadvertent inlet valve opening from a high-pressure source, check-valve malfunction

• Loss of cooling: loss of power, loss of cooling agent, mechanical failure of fans, reflux failure, etc.

• Loss of heat (some particular cases of fractionation systems in series)

• Fire, excessive heat input, unsteady process (exothermic reactions, etc.)

• Utility failure and/or loss of control (instrument air, power, etc.), uncontrolled repressurisation

• Heat exchanger tube failure, transient pressure surges, quick-closing valves

• Severe slugging regime (multiphase flow).

Process facilities shall be designed to minimise the probability of occurrence of these causes. The rules and principles contained in this document are focused on the mitigation devices to minimise the effects of an over-pressurisation.

4.1.2 Pressure protection systems

Three main approaches are possible for pressure protection systems:

4.1.2.1 Full pressure-rated mechanical design

The system design pressure exceeds the maximum possible pressure at design temperature, including in case of process upset, and with due allowance for corrosion being made.

4.1.2.2 Relief systems

The system design pressure includes a safety margin above the system maximum operating pressure but, in case of a process upset, the pressure prevailing in the system can nevertheless exceed the design pressure. It is therefore fitted with devices actuated by the system static pressure and designed to open in case of upset conditions.

4.1.2.3 Over-Pressure Protection Systems (OPPS)

OPPS's belong to the HIPS category. They are instrument-based systems of sufficient integrity (involving high reliability redundant and/or diversified instruments) so as to make the risk of exceeding the design pressure acceptable. Their integrity level shall be SIL 4.

4.1.3 Pressure protection system selection criteria

4.1.3.1 Full pressure-rated mechanical design

This type of design is mandatory downstream of wellheads up to the production manifold and for closed drain gathering networks up to the closed drain drum.


It is highly recommended for the production manifold itself and advisable up to the first stage separator when technically realistic to do so. Any part of a compression unit should be able to withstand the equalising pressure ("settle out" pressure) after a shutdown.

Note: Thermal expansion relief valves (TSV's) may be necessary on these full pressure-rated lines handling liquids. Refer to Paragraph 4.1.4.

4.1.3.2 Relief systems

Offshore, and in accordance with API RP 14C, a primary protection against over-pressurisation shall be provided by a PSHH (actuating a SDV or an ESDV) and a secondary protection by relief valves.

Although not specifically meant for the onshore environment, the API RP 14C approach shall also be applied onshore as a basic rule. Possible exceptions (low hazard facilities and/or low sensitivity environment) shall be discussed with and approved by COMPANY.

4.1.3.3 Overpressure Protection Systems (OPPS)

OPPS's are not an option given preference by COMPANY. An OPPS shall be selected only when full pressure rated designs and relief systems prove impractical, generally because of environmental considerations (to avoid relief to atmosphere through relief valve) and/or lay-out constraints (size of relief headers and associated downstream systems: vents, flares, etc.).

In all cases, an exception dossier including a reliability study based on detailed design including equipment brand, type and model shall be submitted, for approval, to COMPANY's Operation, Process, and Safety Departments.

Note: Thermal expansion relief valves (TSV's) may be necessary on OPPS-protected equipment. Refer to Paragraph 4.1.4.

4.1.4 Criteria for installation of relief devices

Pressure relief devices shall be limited to hardware devices without common failure mode. Pressure relief devices may consist of one, or a combination, of the following: Pressure safety valve PSV, PSV fire case, TSV, bursting discs or other specifics (1).

Note 1: In particular by-pass devices sometimes installed around HP flare staggering manifolds in lieu of bursting disks and consisting of a disc stopping up the gas path, maintained in position by a buckling stem. These devices are VENDOR specifics and are not elaborated upon any further in the present specification.


The criteria for installation of PSV's and TSV's are as follows:

| Equipment and fluid | PSV (Process) | PSV (Fire case) | TSV |
|---|---|---|---|
| Piping that cannot be isolated (5): | | | |
| - All fluids | No | No | No |
| Piping that can be isolated (5) but cannot be exposed to fire: | | | |
| - Flammable gas | No (1) | No | No |
| - Liquefied HC | No (1) | No | Yes (7) (6) |
| - Liquid HC | No (1) | No | Yes (7) (6) |
| Piping that can be isolated (5) and can be exposed to fire (8): | | | |
| - Flammable gas | No (1) | if > 3 tonnes | No |
| - Liquefied HC | No (1) | if > 2 tonnes | Yes (6) |
| - Liquid HC | No (1) | if > 2 tonnes | Yes (2) (6) |
| Vessels that cannot be isolated (5): | | | |
| - All fluids | Yes (3) | No | No |
| Vessels that can be isolated (5) but cannot be exposed to fire: | | | |
| - All fluids | Yes (3) | No | No |
| Vessels that can be isolated (5) and can be exposed to fire (8): | | | |
| - All fluids | Yes (3) | Yes | No |

Note 1: Assuming piping is protected against maximum possible pressure under upset condition (full pressure rated design or PSV installed upstream of it). Otherwise a process PSV is required.

Note 2: The installation of TSV's on piping handling liquid hydrocarbon shall be assessed case by case, based on service criticality and risk assessment.

Note 3: As per ASME 8.

Note 4: Includes pressurised hydrocarbon at ambient temperature, refrigerated hydrocarbons at atmospheric pressure or partially refrigerated pressurised hydrocarbon.

Note 5: Any type of isolation, automatic or manual valves.

Note 6: A TSV is not required if a PSV (process or fire case) is already installed.

Note 7: A TSV is required if ambient temperature condition and/or sun radiation may lead to prevailing pressure exceeding piping design pressure.

Note 8: Piping or vessels shall be considered as being possibly exposed to fire if more than 10% of their external surface can be either engulfed in a pool fire or submitted to a jet fire likely to last more than 3 minutes.

In case of toxic substances, the threshold criteria for the installation of PSV fire case and/or TSV may be made more stringent. This issue shall be assessed on a case by case basis.


4.2 Relief device setting

The setting points and other characteristics of the relief devices shall be as per API RP 520 for process equipment, utilities and pressure vessels for storage of liquefied hydrocarbon. API ST 2000 recommendations shall apply for liquid petroleum product tanks.

4.3 Relief system sizing

4.3.1 Failure cases

Individual relief valves shall be sized to relieve the pressure resulting from the combination of any single safety system failure (double jeopardy not considered) with any possible process failure including general failure cases such as instrument air or UPS failure. Fire shall also be considered and relief devices sized accordingly.

4.3.2 Multiple wells system relief

The relief system shall be sized to handle the most demanding overpressure situations likely to occur with a probability larger than 10⁻⁴ or the combinations (in terms of flowrate to be relieved) of overpressure situations whose products of individual probability to occur are larger than 10⁻⁴.

During Pre-Project and in the absence of general common mode of failure, the following reliability figures shall be used by default:

• The probability of failure to close for each individual well ESDV (master valve and/or wing valve) shall be 5% and at least one well (the well with the largest flow contribution) shall fail to close.

• For wells not equipped with individual ESDV's and collecting to trunk-lines equipped with ESDV's, the probability of failure to close for each ESDV shall be 5% and at least one trunk-line (the trunk-line with the largest flow contribution) shall fail to close.

• In case of a riser platform receiving remote wellhead effluent through a trunk-line, the probability of failure to close for each trunk-line incoming ESDV shall be 5% and at least one trunk-line (the trunk-line with the largest flow contribution) shall fail to close.

• The total flow shall be considered for wells and trunk-lines without ESDV.

At a later stage, i.e. during Basic Engineering, the figures mentioned above shall be ascertained or amended following a particular study including detailed reliability figures and risk assessment.

Where relevant, a transient analysis shall be conducted to check that incoming ESDV closing time does not lead to an overpressure situation in the flow-line, manifold or even trunk-line. If this were the case, then the pressure relieving devices would be sized to avoid this occurrence, unless the piping section likely to become overpressured could be designed to withstand the well shut-in pressure.
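The default pre-project rule of 4.3.2 can be worked through numerically. The following is an added example, not part of the specification: it assumes ESDV failures to close are independent (so a combination's probability is the product of the individual figures), generalises to per-valve probabilities that differ from the 5% default, and uses constructed well tags and flows.

```python
# Added example: pre-project relief load for a multi-well manifold.
# Assumption: ESDV failures to close are independent, so the probability of a
# combination of failures is the product of the individual probabilities.
from itertools import combinations
from math import prod
from typing import NamedTuple

THRESHOLD = 1e-4       # combinations less likely than this are not considered
DEFAULT_P_FAIL = 0.05  # default probability of failure to close per ESDV


class Source(NamedTuple):
    name: str                       # well or trunk-line tag (constructed)
    flow: float                     # flow contribution, any consistent unit
    has_esdv: bool = True
    p_fail: float = DEFAULT_P_FAIL


class ReliefCase(NamedTuple):
    flow: float         # total flow the relief system must handle
    failed: tuple       # ESDV-protected sources assumed to fail to close
    unprotected: tuple  # sources without ESDV, always counted in full


def design_relief_flow(sources, threshold=THRESHOLD):
    """Return the governing relief case for a list of Source records."""
    for s in sources:
        if s.flow < 0 or not 0.0 <= s.p_fail <= 1.0:
            raise ValueError(f"invalid data for source {s.name!r}")

    unprotected = tuple(s for s in sources if not s.has_esdv)
    protected = sorted((s for s in sources if s.has_esdv),
                       key=lambda s: s.flow, reverse=True)

    best_flow, best_set = 0.0, ()
    if protected:
        # Floor: the largest contributor fails to close whatever its probability.
        best_flow, best_set = protected[0].flow, (protected[0],)

    # Exhaustive search over failure combinations (fine for manifold-sized lists).
    for k in range(1, len(protected) + 1):
        credible_found = False
        for combo in combinations(protected, k):
            if prod(s.p_fail for s in combo) > threshold:
                credible_found = True
                flow = sum(s.flow for s in combo)
                if flow > best_flow:
                    best_flow, best_set = flow, combo
        if not credible_found:
            break  # any larger combination can only be less probable

    total = best_flow + sum(s.flow for s in unprotected)
    return ReliefCase(total,
                      tuple(s.name for s in best_set),
                      tuple(s.name for s in unprotected))


# Constructed sample: five wells with ESDV at the 5% default, one without ESDV.
WELLS = [
    Source("W1", 40.0), Source("W2", 30.0), Source("W3", 20.0),
    Source("W4", 10.0), Source("W5", 5.0),
    Source("W6", 8.0, has_esdv=False),
]

if __name__ == "__main__":
    case = design_relief_flow(WELLS)
    print(f"design flow {case.flow}: failed {case.failed}, "
          f"unprotected {case.unprotected}")
```

With the 5% default, three simultaneous failures (0.05³ = 1.25 × 10⁻⁴) remain above the threshold while four do not, so the three largest ESDV-protected contributors govern, plus the full flow of any source without ESDV.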

4.3.3 Control valves

Sizing of PSV's for protection against overpressure in case of failure of control valves fitted with a by-pass shall be covered by guidance provided by COMPANY's Process Department.


4.4 Relief system configuration

4.4.1 Number of relief valves

The number of relief valves fitted onto an equipment is not driven only by safety related concerns. However, the following rules shall apply on top of other (e.g. process) considerations:

• For process pressure safety valves, if n is the number of PSV (or set of PSV) necessary to ensure 100% relief capacity, then n + 1 PSV (or set of) shall be installed (generally 2 x 100%, possibly 3 x 50%).

• Single PSV (fire case) can be provided for equipment that can be momentarily isolated for maintenance (e.g. test separator) provided the PSV fire case does not also fulfil a process function.

• Where, for capacity reasons, several pressure relief valves must be provided in parallel, the set pressures should be staggered to avoid chattering during relief. The difference between set points shall be less than 6% of the design pressure.

• A single TSV shall be provided for pipework thermal relief.

4.4.2 Isolation valves

The following rules shall apply:

• n + 1 sets of pressure relief valves shall be associated with car seal procedures for both upstream and downstream isolation valves. Interlock devices with keys are to be avoided.

• Upstream isolation valves, if any, shall be of a configuration suitable for the upstream conditions. For high pressure (P > 70 bar) or toxic gases (H2S partial pressure > 1 barg), double block and bleed systems or positive isolation shall be installed.

• For single 100% capacity pressure relief valves, the fitting of upstream isolation valve(s) shall be assessed, depending on the operating philosophy.

• If feasible, and assuming this does not create interference with other process systems, the relief discharge lines from a process unit shall be routed to a common sub-header. No isolation valve shall be provided on each individual relief discharge line and a single isolation valve shall be fitted on the sub-header, upstream of its connection with the main header.

• Where downstream isolation valves cannot be avoided, they shall be locked open in normal operating conditions. A single valve without positive isolation is considered as acceptable even for toxic gas services.

• Isolation valves shall be full bore unless specific exception is granted by COMPANY.

4.4.3 Relief system piping

The fitting of check valves downstream of relief devices is prohibited.

Relief lines shall slope downwards to the relief header, without any low point. Adequate systems shall be installed to separate liquids before the vent or flare tip. Where a significant quantity of liquid is expected, a K.O. drum shall be provided with its own liquid evacuation devices. The design of the network and, in particular, of the drain points, shall be such that the ingress of air under vacuum conditions is avoided. The relief headers shall slope continuously towards the vent or flare.


The relief piping shall be selected from material suitable for the lowest expected discharge temperatures. If water may be present, the risk of ice or hydrate formation shall be assessed, and methanol or glycol injection or any other suitable mitigation measure such as separate headers to the flare K.O. drum, should be envisaged to avoid blockage.

Adequate supports shall be provided upstream and downstream of the relief devices.

4.5 Relief devices

4.5.1 Spring loaded relief valves

4.5.1.1 Conventional spring-loaded relief valves

They shall be installed where back-pressure does not exceed 10% of the set pressure. They arethe recommended type for TSV's.

4.5.1.2 Balanced pressure relief valves

They are suitable for back-pressures ranging from 10% to 50% of the set pressure. They can be of two main types: balanced piston and balanced bellows. Balanced bellows shall be given preference where the fluid is corrosive or fouling.

If the relief valve is located where venting to atmosphere would present a hazard, the bonnet vent shall be piped to another disposal system, independent of the relief valve discharge system.

4.5.2 Pilot-operated relief valves

Pilot-operated relief valves shall be selected rather than conventional spring-loaded relief valves when any of the requirements listed hereafter is paramount: low accumulation rates, more accurate settings and thus higher suitability for high pressure service, calibration without removing the valve, handling of large flows, etc.

They can be of two main types: piston or diaphragm. Safety-wise, none of these is given preference but only types with non-flowing pilots shall be used.

Where environmental constraints are stringent, modulating-action type (the pilot opens the PSV enough to satisfy the required relieving capacity) shall be given preference over pop-action type (the pilot causes the relief valve to open fully).

The type of operation shall be either specified by, or submitted for approval to COMPANY's Process Department.

4.5.3 Bursting discs

The use of bursting discs shall be limited to the cases listed below and avoided in all other cases:

• Fast response is required, e.g. protection of the water side of a gas cooler in case of tube rupture

• Downstream relief system must be protected from a corrosive fluid (in this case, particular attention should be paid to prevent any debris from damaging or plugging a downstream relief valve)

• Emergency disposal systems are normally by-passed and must be rapidly put into operation when the flow increases, e.g. staggering manifold of a set of sonic flares (in these particular cases where the pressure differential can be low, the alternative of providing a shear pin device should be considered).

Bursting discs can be of various types:

• Conventional bursting discs: Suitable when operating conditions are stable and do not exceed 70% of the rated burst pressure. If vacuum or back-pressure can be present, bursting discs shall be fitted with an adequate support to prevent reverse flexing or implosion.

• Scored tension-loaded bursting discs: They shall be given preference over conventional bursting discs when the system operating pressure reaches 85% of the rated burst pressure and/or when debris resulting from disc burst is to be avoided.

• Reverse-acting bursting discs: Recommended when operating pressure reaches up to 90% of the rated burst pressure. As compared to scored tension-loaded bursting discs, they present additional advantages which must be contemplated for selection: their increased material thickness provides improved resistance to corrosion and, in most cases, they can withstand full vacuum without additional support.

• Composite bursting discs: To be selected when resistance to corrosion is a paramount requirement.

- Domed types are suitable for operating pressure reaching 80% of the rated burst pressure.

- Flat types are particularly suitable for low rated bursting pressures and shall typically be used as corrosion barriers in which case they may typically operate at 50% of the rated burst pressure.

5. Emergency shutdown

5.1 ESD purposes

5.1.1 General philosophy

An ESD system consists of a set of safety devices, the main purposes of which are as follows:

• To limit the loss of containment, by isolating hydrocarbon production, processing and storage equipment

• Prevention of ignition by elimination of potential sources of ignition

• Reduction of flammable inventory by depressurisation.

5.1.2 Additional design considerations

The design of the ESD system shall not take into account only the needs resulting from normal operation; it must also fulfil the requirements that may arise during other possible (and likely to occur) abnormal or down-graded configurations. It is not the purpose of this general specification to define the methodology that will be used to select relevant operating configurations, nevertheless the following issues shall be adequately addressed when relevant:

• Shutting-down an equipment or unit does not necessarily eliminate all sources of hazards.

• New hazards can appear as a consequence of the loss of essential utilities such as essential power, air, hydraulics, etc. These new hazards shall be identified, mitigated, and the associated risks shall be assessed.

• All operating configurations generated by the ESD system shall be safe and steady-state. All ESD-related transients from one operating configuration to another shall be safe.

• The ESD shall be compatible with the re-start philosophy. All operating configurations of the re-start sequence, from the black-out status to the full production status, shall be safe, stable and reversible. The inevitable inhibitions of the control and safety systems during the re-start sequence shall be identified, limited in number, time and duration.

• In some circumstances, the change of control settings to overcome a fault should be considered as a safer alternative than shutting-down immediately the equipment or unit.

• Shutdown should be understood as a generic wording only. Shutdown does not mean that all valves close, or all equipment trip. Some ESDV's or SDV's can be diverting valves opening when the main flow is stopped; BDV's may be required to open; the load of some systems, such as disposals, is increased; some equipment start upon "Shutdown" trigger signal, such as essential generator, fire-fighting facilities, etc.

5.1.3 Abnormal and simultaneous operations

Particular attention shall be paid to non-routine operating conditions and to the suitability of the ESD and EDP systems to deal with them. The main scenarios contemplated shall be:

• Degraded modes of operation: wireline job on a well, maintenance of a safety system, short-time deviation from product specification, etc.

• Simultaneous operations: drilling/work over and production, maintenance and production, construction and production, etc.

Each operation shall be safe, but particular attention shall be paid to the safety of the combination resulting from their simultaneity (example: simultaneous maintenance on two systems).

In some cases, abnormal operating conditions may require a different shutdown logic than that, or the combination of those, applicable under normal circumstances. For instance:

• A specific ESD logic can be activated when wireline job starts (refer to Paragraph 5.3.9), or when operators come to a normally unmanned wellhead platform

• A temporary enhanced ESD logic can prove beneficial for simultaneous construction/major overhaul and production.

5.2 Architecture of the shutdown system

5.2.1 Principles of separation of instrument systems

It is essential to distinguish five functionally different instrument systems:

| Functional system | Abbrev. | Function |
|---|---|---|
| Process Control System | PCS | Controls and associated alarms |
| Process Safety System | PSS | Trips and associated SD actions + local (package) F&G |
| Emergency Shutdown system | ESD | Emergency SD actions |
| Fire and Gas System | F&G | Outdoors and/or general fire and gas related ESD actions |
| Ultimate Safety System | USS | Back up of ESD actions |

The PCS is not part of the present specification. It does not fulfil a safety function and shall always be separate from other instrument systems having a safety function. It is linked to PSS, ESD and F&G by a duplex databus in case digital technology is used.

The PSS controls all causes/actions pertaining to Level-3 shutdowns (i.e. individual equipment), including fire and gas at local level. In this respect the PSS can include a F&G sub-system, generally provided with the equipment and by its VENDOR, and distinct from the main F&G system mentioned below. See Paragraph 5.2.6.

The ESD system manages all process-related inputs and outputs relative to Level-0 ESD (whole facility, if applicable), or Level-1 ESD (fire zone) or Level-2 (process unit) shutdown. It is also fed by signals from the main F&G system (see below).

The main F&G system deals with fire and gas detection outdoors and in places (e.g. technical room, control room, etc.) where they may result in consequences involving more than just one specific equipment. It generates the corresponding Level-1 ESD actions, except those related to process that are undertaken by the ESD system. The F&G system thus provides input to the ESD system. The F&G system does not generate Level-2 shutdown actions.

The USS system, at least, just backs up part of the ESD and F&G system to ensure that the required Safety Integrity Level is reached and in particular is meant to avoid common modes of failure in electronic circuitry and/or in control software.

5.2.2 Reliability and availability

In order to achieve their reliability requirement, critical parts of the ESD and F&G systems may need to be duplicated or even triplicated. To prevent the multiplication of systems from decreasing availability (more spurious trips), which might eventually lead to a reduction of the installation's global safety level, the alarms and trip signals generated by redundant shutdown systems shall be processed by a voting system. The principles are detailed below:

5.2.2.1 Dual systems

This type of system shall be selected for enhanced reliability but shall also be fault tolerant for single random hardware failure for improved availability. Internal architectures for dual systems different from the recommended arrangement described below (see Figure 1 - Typical block diagram for dual systems) shall be discarded unless it is demonstrated that they provide the same level of reliability and availability.

Inputs shall be processed by two independent input modules, each module feeding its own logic unit. Outputs from each logic unit shall be routed to independent output modules, both modules feeding simultaneously one final element per output where the voting logic is achieved.

A "one out of two" voting is achieved in the final element, providing the output of each logic unit is confirmed by the logic unit watchdog, i.e. that the logic units operate as they should. If the watchdog detects a logic unit malfunction then the output from this logic unit shall be disregarded and the output from the other logic unit shall prevail. If both logic units are at fault then the final element shall set the equipment to its safety position.

5.2.2.2 Triplicate systems

These systems shall be given preference over dual systems when performance requirements in terms of safety integrity level are such that they are the only alternative left. The same general principles as those valid for dual systems shall apply except that three channels instead of two operate in parallel. The major difference comes from the fact that a simple "two out of three" logic shall be achieved in the final element, thus providing an enhanced availability.

Optionally and in order to further enhance reliability, but this is not a compulsory requirement for safety purposes, each leg of the terminal element can be fitted with a built-in loopback circuit that allows diagnostics to be run on the output voter circuit so that a terminal element failure can be detected quickly. See Figure 2 - Typical block diagram for triplicate systems.

[Figure 1 - Typical block diagram for dual systems. Stages labelled on the diagram: field sensors, input modules, PLC & watchdog, output modules, terminal element.]

Note: Communication link between PLC's for enhanced diagnostic not shown.

[Figure 2 - Typical block diagram for triplicate systems. Stages labelled on the diagram: field sensors, input modules, PLC & watchdog, output modules, terminal element.]

Note: Communication links between PLC's for enhanced diagnostic not shown.

Note: Totally redundant architecture (from field sensor to terminal element) as shown on Figure 1 and Figure 2 is required for systems that need redundancy to meet their reliability targets and for which all channels operate in parallel. It may happen however that some systems are partially duplicated for availability reasons (mainly maintenance and on-line modifications) and have only one channel operating at a time. In this case multiplication of field sensors and/or input modules is not required.
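
The voting rules of Paragraphs 5.2.2.1 and 5.2.2.2 can be checked with a short model of the final element; this is an added example, not part of the specification. The names `LogicUnit`, `vote` and `single_undetected_fault` are hypothetical, and the handling of a triplicate system with one unit flagged by its watchdog (vote the two remaining units one out of two) is an assumption, since the specification only states the rule for dual systems.

```python
from dataclasses import dataclass

TRIP, RUN = "TRIP", "RUN"


@dataclass(frozen=True)
class LogicUnit:
    demands_trip: bool        # output of the logic unit: True = shutdown demanded
    watchdog_ok: bool = True  # False = watchdog reports a logic unit malfunction


def vote(units, required):
    """Decide the position of the final element.

    units    -- logic units feeding the final element (2 for dual, 3 for triplicate)
    required -- trip demands needed when all units are healthy
                (1 for "one out of two", 2 for "two out of three")
    """
    # Outputs of units flagged by their watchdog are disregarded (5.2.2.1).
    healthy = [u for u in units if u.watchdog_ok]
    if not healthy:
        # All logic units at fault: equipment is set to its safety position.
        return TRIP
    # Assumption of this sketch: each flagged unit lowers the number of demands
    # needed by one, never below one. For a dual system this is exactly the
    # rule "the output from the other logic unit shall prevail".
    faulty = len(units) - len(healthy)
    needed = max(1, required - faulty)
    demands = sum(u.demands_trip for u in healthy)
    return TRIP if demands >= needed else RUN


def single_undetected_fault(n_units, required):
    """Effect of ONE failed unit that its watchdog has not caught.

    Returns (spurious_trip, missed_demand):
      spurious_trip -- no real demand, one unit wrongly demands a trip
      missed_demand -- real demand, one unit wrongly stays silent
    """
    wrong_trip = [LogicUnit(True)] + [LogicUnit(False)] * (n_units - 1)
    spurious_trip = vote(wrong_trip, required) == TRIP

    stuck_silent = [LogicUnit(False)] + [LogicUnit(True)] * (n_units - 1)
    missed_demand = vote(stuck_silent, required) == RUN
    return spurious_trip, missed_demand


if __name__ == "__main__":
    for name, n, k in (("dual, 1oo2", 2, 1), ("triplicate, 2oo3", 3, 2)):
        spurious, missed = single_undetected_fault(n, k)
        print(f"{name}: spurious trip={spurious}, missed demand={missed}")
```

Neither arrangement misses a demand on a single undetected fault, but only the dual arrangement trips spuriously on one, which is the availability gain the text attributes to triplicate systems.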

5.2.3 Transmission of signals

The transmission of output signals generated by the ESD, F&G and USS systems towards field equipment, i.e. all ESD-0, ESD-1 and SD-2 action signals, shall be achieved by dedicated hard-wired connections. In order to further improve reliability upon demand, all ESDV's, SDV's and BDV's connected to these systems shall be fitted with two solenoid valves mounted in series but kept energised by the same cable.

Considering that the reliability requirements for the PSS are less stringent than for the ESD, F&G and USS systems, signals outgoing the PSS to field equipment as well as signals outgoing the ESD, F&G and USS towards the PSS can be transmitted through a data highway.

Note: It may happen that one valve is controlled simultaneously by the ESD and by the PSS system. In this case two solenoid valves shall be mounted in series, one connected by dedicated hard wire to the ESD system, the other connected to the PSS.

5.2.4 Means of separation

The reliability of programmable logic controller-based systems shall be critically scrutinised, particularly with regards to common failure modes. Considering also that redundancy does improve reliability of safety systems but that using identical systems does not eliminate all the common modes of failure, then safety system diversification shall be preferred whenever feasible. The following general principles shall be adhered to:

• Separation of tappings, sensors, transmitters (PCS and PSS or ESD)

• Separation of valves (control valves, SDV, ESDV)

• Functional independence of logic treatment systems (PSS, ESD and F&G) although this rule may suffer some exceptions (see note 1)

• Physical independence (see note 2) of safety systems (ESD and USS)

• Hard-wired back-up for ESD actions (USS).

Note 1: In some cases a gas detector part of the local F&G system and hence pertaining to the PSS can also provide an input to the main F&G system if (i) the signal is not pre-processed in the PSS and (ii) the sensor integrity matches the requirements applicable to components of an ESD system.

Note 2: Refer to Paragraph 5.2.6, Fire and Gas system, for further information about physical independence of ESD and F&G systems.

5.2.5 Ultimate Safety System

The USS does not duplicate ESD or F&G; it just backs up some ESD Level-1 and Level-0 essential actions initiated by these systems upon manual activation and by-passes the normal (i.e. through the PLC's and their associated input/output modules) logic treatment. For simple installations such as wellhead platforms, or if it can be demonstrated that the SIL requirement is achieved by the ESD and F&G alone, then the USS is not mandatory.

The USS shall be transparent to the operator; it shall in no case lead to the installation of a specific set of controls (e.g. push-buttons) that would come in addition to others, already required for ESD and/or F&G. In practice the signal from, say, one ESD-1 push-button shall be routed to the ESD for appropriate treatment and also to the USS. The signal outgoing the push-button shall input the ESD/F&G in a first instance to let these devices achieve the shutdown in an orderly fashion; it shall activate the USS only after suitable time delay.

The logic treatment within the USS shall be kept minimum and such short cuts as de-energising a common 24 V power supply to a group of instruments are acceptable. The USS logic, if any, shall be achieved with solid state components or conventional relays.

The following actions shall be backed up by the USS:

• Closing/opening of all ESDV's/BDV's pertaining to the concerned fire zone(s)

• Upstream electrical isolation (1) of the concerned fire zone with the exception of systems powered by batteries (controls, emergency post lube, etc.)

• Inhibit essential generator start-up, if any and relevant

• Trip, stop or shut-off all equipment likely to constitute a source of ignition (2) in the concerned fire zone (gas or diesel engines, gas turbines, fired heaters, etc.) except diesel driven fire pumps (3).

Note 1: The USS shall just open the circuit breakers feeding power to the fire zone from the main MCC but shall not back-up electrical isolation as possibly achieved by the ESD.

Note 2: A specific study shall be conducted during engineering phase to decide what equipment shall be connected to the USS and what equipment shall be left dependent only on the ESD and the F&G. As a general rule, only equipment not certified for operation in hazardous area shall be tripped by the USS.

Note 3: Fire water pumps, if already running and their selector mode set on "automatic", shall not be shut down by the USS when it is activated.

Activation of the fire-fighting means (opening of deluge valve, CO2 release, fire water pump start-up, etc.) shall not be backed up by the USS. Additionally the USS shall not back up the fire water pump start-up signal.

5.2.6 Fire and Gas system

The F&G manages all inputs provided by fire and/or gas detectors, performs the corresponding logic treatment and generates the relevant outputs. The F&G deals only with safety actions of the highest level, namely ESD-0 and ESD-1. Fire and gas detection and logic related to equipment shall be achieved locally by a system provided by the package VENDOR.

Outputs from the F&G system can be straight to equipment (e.g. electrical isolation, activation of fire-fighting means, etc.) or else feed the ESD system that shall take process related actions (e.g. close ESDV's, open BDV's, etc.). As a consequence the Safety Integrity Level of the F&G systems shall be at least as good as the SIL of the ESD system.

The F&G shall be always functionally independent of the ESD. It may happen that the functions pertaining to these two systems are performed by a common equipment, for instance when a sophisticated redundant PLC-based system is used. This option is sound providing the F&G reliability is not impacted and also if the software managing ESD and F&G is treated as two independent functional entities and the links between them are clearly identified and documented.

5.2.7 Process Safety System

The presence of a PSS is not a compulsory requirement and it is acceptable that the functions normally achieved by the PSS (i.e. Level-3 shutdown actions) are controlled by the ESD. This is typically the case for very simple installations and/or very low complexity packages.

When both PSS and ESD functions are performed by the ESD, the PSS logic treatment shall be handled as if it were pertaining to ESD and is not required to be functionally independent from ESD. However input signals feeding the Level-3 shutdown logic are not required to match the requirements applicable to ESD input signals and transmission of Level-3 output signals to equipment can be achieved through a data highway (not necessarily through dedicated hard-wired connections).

5.2.8 SIL requirement

Regardless of their technology (digital, solid state electronics, hydraulic, pneumatic, conventional relays or any combination of these) HIPS shall be SIL 4, ESD and F&G shall be SIL 3 and PSS shall be SIL 2.

In addition, PLC technology based safety systems shall have their application software residing in some form of non-volatile storage memory and safety logic shall be separated from all other programming or that interacts with safety logic or detection logic for input/output devices shall be separated from all other programming. In case of failure (either power supply or PLC) the system shall provide an alarm, revert to a safe default condition and maintain the safe condition till restoration of power and clearance of the faults.

[Figure 3 - Typical shutdown system architecture. Elements labelled on the diagram:

Inputs: PB SD0, PB SD1, PB SD2, PB SD3; Input SD1, Input SD2, Input SD3; Fire Local, Gas Local; Fire Zone, Gas Zone.

Systems: Process control system (op. interface); Process/package safety systems (PLC); ESD system (PLC); Fire & gas system (PLC); Ultimate safety system; digital interface; duplex databus.

Shutdown levels: SD-3, SD-2, ESD-1, ESD-0.

Actions: open/close SDV's; equipment shut down; electrical shut down of equipment; close dampers and shut down HVAC; activate local fire fighting equipment; unit shut down; open BDV's / close ESDV's; trip all equipment in fire zone; electrical isolation in fire zone (except vital consumers & controls); activate fire fighting in fire zone; total electrical SD in restricted area.

Legend: hardwired link; digital link; databus; hardwired back up.]

Note 1: Some actions only: non certified equipment in hazardous areas.

Note 2: Grouped by fire zone.

Note 3: Generator incomers + all battery outgoers only.

Note 4: Not backed-up by USS because manual activation possible.

Note 5: Not backed-up by USS because elec. eq. suitable for hazard. areas.

Note 6: ESD and F&G functions can be accomplished by one unique system.

Note 7: Gas detection in ventilation/combustion air duct, if required.

Note 8: PSS action on ESDV, if necessary.

Note 9: If local fire and/or gas detection is activated.

5.3 Definition of the shutdown matrix

5.3.1 Definition of shutdown levels

The definition of shutdown levels varies with the type of installation, the number of fire zones and their location, the number of independent units in each fire zone and other characteristics. Each case is specific and the following development is intended to provide guidelines rather than replace engineering judgement. Refer to Figure 4 and Figure 5 for two typical shutdown logic diagrams.

It is a common practice within COMPANY to define a maximum of four shutdown levels of decreasing criticality, numbered 0 to 3, and affecting the whole installation (level-0), a given fire zone within the facilities (level-1), a given unit within a given fire zone (level-2) and an individual equipment or package (level-3).

Level-0 and level-1 shall be called ESD levels because they involve either fire/gas detection in unconfined environment (hence a situation possibly subject to escalation) or emergency manual action. Level-2 and level-3 shall be called (shutdown) SD levels because they correspond either to a mere process upset or to fire/gas detection, sufficiently well contained that it does not threaten, at least immediately, the safety of the facility and of the personnel.

5.3.2 Differences onshore/offshore

The fundamentals driving shutdown logic design are always the same, however the environment (onshore versus offshore) leads to three main differences:

5.3.2.1 ESD-0

ESD level-0 is applicable only for permanently manned offshore installations and if their size, the manpower level and statutory requirements so require. In all other cases (all onshore plants regardless of size and not permanently manned offshore installations), the number of shutdown levels shall be limited to three, starting from ESD level-1. The wordings "abandon" and "prepare to abandon" denote voluntary procedures involving human beings but are not to be considered as ESD levels.

5.3.2.2 Emergency depressurisation (EDP)

EDP is applicable to offshore and onshore installations if the criteria developed in Section 6 are met. Offshore (permanently manned or not) EDP shall be systematically automatic upon activation of ESD-0 and/or ESD-1; this requirement is not compulsory for onshore facilities and EDP strategy shall be duly addressed in the SAFETY CONCEPT.

5.3.2.3 De-energisation

Total de-energisation, including battery powered systems, can be achieved offshore through activation of ESD-0. Onshore this functionality does not exist and shall be compensated by the implementation of a specific pushbutton for each fire zone that shall perform total de-energisation, including controls (24 VDC), with possible exception for emergency post-lube pumps, machinery helper, etc. and only if they are suitable for operation in zone 1 hazardous area.

5.3.3 ESD-0 (Total black shutdown)

There is one single ESD-0 for a restricted area. In the particular case where an installation consists of several different restricted areas with different sources of power, there are as many ESD-0's as non-overlapping restricted areas.

5.3.3.1 Description

• Shutdown of all process and utility systems, with depressurisation, for all fire zones in the restricted area

• Shutdown of all potential sources of hazard and ignition including essential and emergency loads, except navigation aids and emergency lighting (1)

• Escape and evacuation if necessary automatic emergency.

Note 1: ESD-0 does not stop diesel driven fire water pumps if they have been started up automatically (signal from F&G or ring main PSLL) while their selector was on automatic mode.

5.3.3.2 Causes

Voluntary decision considering a probable or actual, widely catastrophic situation and only after ESD-1 of all fire zones have been triggered and personnel directed to muster areas.

5.3.4 ESD-1 (Fire zone emergency shutdown)

There is one ESD-1 per fire zone. Since fire and gas detection lead to different effects, ESD-1 should be further split into ESD-1/F for the particular fire case, ESD-1/G for the particular gas detection case, and subsequent generic ESD-1.

5.3.4.1 Description

• Shutdown of all process and utility systems within one fire zone. Automatic emergency depressurisation always applicable offshore, possibly implemented onshore

• In case of gas detection: shutdown of all potential sources of hazard and ignition (except fire water pumps, see note 1 in Paragraph 5.3.3) in the fire zone except controls and emergency or vital equipment on individual battery systems and suitable for zone 1

• In case of fire detection: activation of fire-fighting means in the fire zone

• Escape of personnel from zone to muster areas or to another safe fire zone.

5.3.4.2 Causes

• ESD-0 in the restricted area

• Voluntary decision considering a probable or actual, catastrophic situation

• Gas detection outdoors or in a non totally enclosed area

• Outdoors fire detection (1)

• Low UPS battery voltage shall always be considered. A specific study shall be conducted for advisability to trigger ESD-1 by other utility failure.

Note 1: Fire detection in electrical room does not trigger ESD-1, except in remote premises where intervention is not possible quickly.

5.3.5 SD-2 (Unit shutdown)

There is one SD-2 for each independent functional unit.

5.3.5.1 Description

• Shutdown of one production, processing, transfer or utility unit

• Permissive to perform manually emergency depressurisation if relevant to concerned unit.

5.3.5.2 Causes

• ESD-1 in the fire zone where unit sits or voluntary decision considering a probable or actual unit failure

• Major process fault that requires the automatic shutdown of the whole unit

• LSHH in the flare KO drum(s) connected to the unit, PSLL instrument air, and possibly PSLL fuel-gas when fuel gas is used to prevent air ingress in the flare system

• PSLL, LSLL, etc. (leak detection in American parlance) on process systems to be studied on a case by case basis (engineering judgement)

• Loss of normal power.

Note: There is no F&G input at SD-2 level. F&G either triggers ESD-1 when outdoors detection or initiates SD-3 when specific to an equipment.

5.3.6 SD-3 (Equipment shutdown)

In some cases, equipment can have different SD-3 sequences depending on the tripping fault. Where fire and gas detection lead to particular and different effects, SD-3 for an equipment should be further split into SD-3/F for the particular fire case, SD-3/G for the particular gas detection case, and subsequent generic SD-3.

5.3.6.1 Description

• Shutdown of a production or utility equipment, with automatic de-pressurisation, if relevant, or unlatching of a "permissive to depressurise" chain allowing thus manual emergency depressurisation, if required

• In case of gas detection from a gas source inside an enclosure, shutdown of all potential sources of hazard and ignition within the enclosure (including essential loads) except emergency or vital equipment on individual battery system and suitable for zone 1

• In case of fire detection inside an enclosure, activation of fire-fighting means in the equipment enclosure and closure of dampers (as relevant).

5.3.6.2 Causes

• SD-2 of the unit or voluntary decision considering a probable or actual equipment failure

• Fire or gas detection inside an equipment enclosure

• Process, utility or mechanics related fault.

5.3.7 Logic summary

The shutdown logics (causes and actions) are summarised in the following tables.

| Causes | Shutdown type |
|---|---|
| Pushbutton | ESD-0, ESD-1, SD-2, SD-3 |
| ESD-0 (direct action) | ESD-1 |
| Outdoors gas detection | ESD-1 |
| Outdoors fire detection | ESD-1 |
| UPS low battery voltage | ESD-1 |
| ESD-1 (direct action) | SD-2 |
| PSLL fuel gas | SD-2 |
| PSLL inst. air | SD-2 |
| LSHH flare KO drum | SD-2 |
| Process fault (relevance) | SD-2 |
| Loss of normal power | SD-2 |
| SD-2 (direct action) | SD-3 |
| Gas detection (inside) | SD-3 |
| Fire detection (inside) | SD-3 |
| Equip. fault (relevance) | SD-3 |

| Actions \ Shutdown type | ESD-0 | ESD-1 | SD-2 | SD-3 |
|---|---|---|---|---|
| Fire zone ESD | All | Yes | No | No |
| Unit shutdown | All | In Zone | Yes | No |
| Equipment shutdown | All | In Zone | In Unit | Yes |
| ESDV closure | All | In Zone | No | No |
| SDV closure (4) | All | In Zone | In Unit | In Equip. |
| Automatic EDP | Yes | In Zone | (2) | (2) |
| Permis. to depressurise | (NA) | (NA) | (2) | (2) |
| Activate fire-fighting | No | In Zone (5) | No | In Equip. (5) |
| Emerg./vital loads trip | Yes (3) | No | No | Yes (6) |
| Essential loads trip | All | In Zone | No | Yes (6) |
| Non-essential loads trip | All | In Zone | In Unit | Yes |
| Stop HVAC | All | In Zone | No | In Equip. (7) |
| Evacuation of personnel | Yes (1) | No (1) | No (1) | No (1) |
| Muster of personnel | Yes | From Zone | No (1) | No (1) |

The wording "Zone" means "Fire zone"

Note 1: Escape and evacuation, as necessary and depending on conditions

Note 2: Permissive or automatic EDP as required by process and equipment

Note 3: Except emergency lighting and navigation aids in all cases

Note 4: Some SDV's can be diverting valves opening upon SD signal

Note 5: In case of fire detection and if required by F&G monitoring equipment

Note 6: In case of gas detection and only electrical equipment not suitable for operation in zone 2 hazardous area

Note 7: In case of fire detection or gas detection in combustion/ventilation air ducts to equipment.
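The two tables above can be read as a small cascade model: a cause raises one level directly, and each level then shuts down everything beneath it in the zone/unit/equipment hierarchy. The following is an added example, not part of GS SAF 261; the plant topology and all tag names in it are constructed, and the `lint_matrix` helper is a hypothetical check of a project cause-and-effect matrix against the causes table.

```python
LEVELS = ["ESD-0", "ESD-1", "SD-2", "SD-3"]  # highest to lowest

# Causes table of 5.3.7: initiating cause -> shutdown level it raises directly.
CAUSE_LEVEL = {
    "Outdoors gas detection": "ESD-1",
    "Outdoors fire detection": "ESD-1",
    "UPS low battery voltage": "ESD-1",
    "PSLL fuel gas": "SD-2",
    "PSLL inst. air": "SD-2",
    "LSHH flare KO drum": "SD-2",
    "Process fault": "SD-2",
    "Loss of normal power": "SD-2",
    "Gas detection (inside)": "SD-3",
    "Fire detection (inside)": "SD-3",
    "Equip. fault": "SD-3",
}

# Four rows of the actions table: scope at (ESD-0, ESD-1, SD-2, SD-3).
ACTION_SCOPE = {
    "ESDV closure": ("All", "In Zone", "No", "No"),
    "SDV closure": ("All", "In Zone", "In Unit", "In Equip."),
    "Essential loads trip": ("All", "In Zone", "No", "Yes (6)"),
    "Non-essential loads trip": ("All", "In Zone", "In Unit", "Yes"),
}

# Constructed topology, all names hypothetical: fire zone -> unit -> equipment.
PLANT = {
    "FZ-A": {"U-separation": ["E-sep1", "E-pump1"], "U-compression": ["E-comp1"]},
    "FZ-B": {"U-utilities": ["E-gen1"]},
}


def cascade(level, target, plant=PLANT):
    """Return the zones in ESD-1, units in SD-2 and equipment in SD-3 once
    `level` is raised on `target` (target is ignored for ESD-0)."""
    if level not in LEVELS:
        raise ValueError(f"unknown shutdown level {level!r}")
    zones, units, equipment = set(), set(), set()
    for zone, zone_units in plant.items():
        zone_hit = level == "ESD-0" or (level == "ESD-1" and target == zone)
        if zone_hit:
            zones.add(zone)
        for unit, items in zone_units.items():
            # ESD-1 acts directly on SD-2 of every unit in the fire zone.
            unit_hit = zone_hit or (level == "SD-2" and target == unit)
            if unit_hit:
                units.add(unit)
            for item in items:
                # SD-2 acts directly on SD-3 of every equipment in the unit.
                if unit_hit or (level == "SD-3" and target == item):
                    equipment.add(item)
    if not (zones or units or equipment):
        raise ValueError(f"{target!r} is not a valid {level} target")
    return {"ESD-1": zones, "SD-2": units, "SD-3": equipment}


def trip(cause, target, plant=PLANT):
    """Resolve an initiating cause to its level and the resulting cascade."""
    level = CAUSE_LEVEL[cause]
    return level, cascade(level, target, plant)


def action_scope(action, level):
    """Scope of one action at one shutdown level, as given in the table."""
    return ACTION_SCOPE[action][LEVELS.index(level)]


def lint_matrix(rows):
    """Compare (cause, level) rows of a project matrix with the causes table."""
    findings = []
    for cause, level in rows:
        expected = CAUSE_LEVEL.get(cause)
        if expected is None:
            findings.append(f"{cause}: not in the 5.3.7 causes table")
        elif level != expected:
            findings.append(f"{cause}: wired to {level}, table gives {expected}")
    return findings


if __name__ == "__main__":
    print(trip("Outdoors gas detection", "FZ-A"))
    print(action_scope("ESDV closure", "SD-2"))
    print(lint_matrix([("Gas detection (inside)", "SD-2")]))
```

The lint case reflects the note in 5.3.5.2 that there is no F&G input at SD-2 level: a fire or gas detector wired to SD-2 is reported as a mismatch.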

5.3.8 Technical rooms

Gas detection inside a technical room (electrical and/or instruments) shall lead to a total de-energisation of the equipment it houses and hence shutdown of all process or utility units they serve, including all controls. COMPANY consider however that it is desirable to conduct a shutdown sequence in an orderly fashion (refer to Chapter 5.5, Cascades) when there is still enough time left to do so, rather than abruptly interrupting power supply. This last option is to be used as a last resort alternative, initiated by the USS (see Paragraph 5.2.5, Ultimate Safety System). The issue of technical rooms shall therefore be resolved as follows:

• Technical room serving only one fire zone: gas detection shall trigger first the ESD-1/G of the concerned fire zone and then, after suitable time delay (1), shall perform a total electrical isolation, including controls, of the fire zone, with the only exception of emergency consumers suitable for operation in zone 1 hazardous area and supplied through their own, independent, battery pack (emergency post lube, machinery helper, emergency telecom, etc.). In no case shall gas detection in a technical room initiate an ESD-0 (when this level exists).

• Technical room serving several fire zones: the same approach as above shall be used, except that all ESD-1/G's shall be initiated simultaneously. This constitutes a common failure mode that shall be contemplated at design stage and taken into consideration for the sizing of the flare system and other systems if relevant (see also Paragraph 6.2.6).

Note 1: i.e. longer than all time delays built-in into the ESD, to let achieve the shutdown sequence before switching off remaining power supplies.

As a consequence of what precedes, gas detection in air ducts to instrument or electrical rooms not devoted to a single equipment shall be fitted with three gas detectors adhering to a 2 out of 3 logic and one 20% LFL confirmed by one 50% LFL shall initiate the sequence described above. Furthermore a single 20% LFL detection in the air duct confirmed by a single 20% LFL by a gas detector installed inside the room shall also trigger this sequence.
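The confirmation logic and the ordered response for a technical room, written out as an added example that is not part of GS SAF 261. It takes one reading of the voting rule (a duct detector at 50% LFL together with a second duct detector at 20% LFL or more, or one duct detector and one room detector both at 20% LFL or more); the function names, zone names and the `margin_s` allowance on top of the longest ESD delay are assumptions.

```python
LOW_LFL = 20.0   # % LFL, first threshold named in 5.3.8
HIGH_LFL = 50.0  # % LFL, confirming threshold named in 5.3.8


def gas_confirmed(duct, room):
    """duct: readings (% LFL) of the three air-duct detectors.
    room: readings (% LFL) of detectors installed inside the room."""
    if len(duct) != 3:
        raise ValueError("the air duct is fitted with three gas detectors")
    at_low = sum(r >= LOW_LFL for r in duct)
    at_high = sum(r >= HIGH_LFL for r in duct)
    # One detector at 50% LFL also counts at 20% LFL, so at_low >= 2 means a
    # second, distinct duct detector has reached at least 20% LFL.
    duct_vote = at_high >= 1 and at_low >= 2
    # A single duct detection at 20% LFL confirmed by a room detector at 20% LFL.
    cross_vote = at_low >= 1 and any(r >= LOW_LFL for r in room)
    return duct_vote or cross_vote


def technical_room_sequence(duct, room, zones_served, esd_delays_s, margin_s=5.0):
    """Return ordered (time_s, action) steps, or [] if gas is not confirmed.

    esd_delays_s: time delays built into the ESD sequences of the zones served.
    margin_s: assumed allowance so that isolation comes after all of them.
    """
    if not gas_confirmed(duct, room):
        return []
    zones = sorted(zones_served)
    # All ESD-1/G's of the zones served are initiated simultaneously.
    steps = [(0.0, f"ESD-1/G {zone}") for zone in zones]
    # Note 1: the delay is longer than every delay built into the ESD, so the
    # orderly sequence completes before the remaining supplies are cut.
    isolate_at = max(esd_delays_s, default=0.0) + margin_s
    steps.append((
        isolate_at,
        "total electrical isolation incl. controls: " + ", ".join(zones)
        + " (except zone 1 emergency consumers on own battery pack)",
    ))
    return steps


if __name__ == "__main__":
    # Constructed readings: duct detectors at 25%, 55% and 0% LFL, no room alarm.
    for step in technical_room_sequence([25, 55, 0], [], {"FZ-A", "FZ-B"}, [10, 30]):
        print(step)
```

The sequence never contains an ESD-0 step, matching the requirement that gas detection in a technical room shall in no case initiate an ESD-0.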

5.3.9 Well work

The case of well servicing devices (work-over rig, pulling rig, wireline winch, etc.) drawing their energy from the platform (or installation) power supply and distribution system shall be very carefully studied. The facts that de-energisation might lead to exceedingly hazardous situation if achieved during a critical well-related activity, and that the resulting risk might be higher than the original risk that initially triggered power isolation, shall not be overlooked.

Each configuration shall be subject to a specific study whereby adequate means to mitigate the risk shall be addressed. Such options as override keys (with corresponding alarms in CCR) cancelling the signal to open the relevant circuit breakers, along with a proper segregation and separation of individual power supplies to well work apparatus (independent and geographically distinct of other power supplies to the fire zone at stake), are regarded acceptable by COMPANY.

[Figure 4: diagram not reproduced. Blocks shown: ESD-0 total black shut-down; ESD-1 fire zone emergency shut down (ESD-1 gas, ESD-1 fire); SD-2 unit shut down; SD-3 equipment (SD-3 gas, SD-3 fire).]

Note 1: emergency/vital systems remaining powered: Post lube (if any), telecom and PAGA.

Note 2: close ESDV's if no SDV's upstream of PSLL/LSLL used as leak detection device.

Note 3: if fuel-gas is used to purge flare.

Note 4: to avoid uncontrolled sequence of ESDV/BDV opening/closing.

Note 5: to other units if common.

Note 6: unprocessed gas detection signal to ED-1 if required.

Note 7: list to be assessed on a case by case basis.

Figure 4 - Typical shutdown logic diagram (offshore processing facility)

[Figure 5: diagram not reproduced. Blocks shown: ESD-1 platform emergency shut down (ESD-1 gas, ESD-1 fire); SD-2 production; well shut-in; SD-2 process; SD-2 transfer; SD-3 test sep.; SD-3 chem. P.]

Note 1: emergency & vital systems remaining powered: Navaids, emergency lighting, public address (if any), general alarm and telecom.

Note 2: assuming transfer manifold ties-in upstream of platform outlet ESDV.

Note 3: downstream of production manifold where connecting with transfer manifold.

Note 4: shut down crane engine if Diesel powered.

Figure 5 - Typical shutdown logic diagram (well-head and riser platform with test separator)

5.3.10 Methodology to define ESD matrix

Various documents are used by the different specialists involved. During design phase, the responsibilities for approval of documents shall be split as follows:

• SD block logic diagrams: by Process Department

• SAFE charts: by Process Department

• F&G causes and effects matrixes: by Safety Department

• Utility failures: by Safety Department.

In the latter stages of the project, responsibilities for issuing block logic matrix, functional analysis, selection, implementation, commissioning are given to Instrument specialists.

The methods and check lists to be used are those of the Safety Analysis Table (SAT) of API RP 14C, even for onshore installations.

5.4 Integration of packages

It is essential that the functional analysis, carried-out during Preliminary (basic) Engineering, covers all the packages, inclusive of those that are not yet ordered. Package VENDOR's shall provide their shutdown logic documents with the same principles as for the main shutdown logic.

The responsibilities for integration of package shutdown logic in the main shutdown logic are the same as for the rest of the process and equipment (see Paragraph 5.3.10).

The package shutdown logic shall be established according to the same rules and principles as for the main shutdown logic except that the Safety Integrity Level requirement for these systems shall be SIL-2. The inputs and outputs of the package shutdown systems shall be compatible with those of the main ESD system.

5.5 Cascades

COMPANY's practice is to prefer direct actions rather than cascaded actions. Direct actions ensure a better control, improved reliability and quicker response, although direct actions may shorten the time available for operators to undertake corrective actions before the system trips and shall eventually result in a slightly more complex system.

The response time issue shall be carefully considered and all precautions shall be taken to prevent the system from being too responsive. This shall be achieved by a suitable setting of the differential between alarms and trip levels and through a critical selection of triggering causes.

A detailed study shall be conducted at Basic Engineering stage to select, among all abnormalities that shall eventually result in a shutdown or an emergency shutdown, those that shall be instrumented and wired to provide a direct input to the ESD system. Typical examples are UPS low battery voltage or loss of normal power supply that COMPANY prefer to hook up onto the ESD.

5.6 Shutdown devices

5.6.1 Safety valve definition

5.6.1.1 Wellheads

• DHSV: Down-Hole Safety Valves. Only Surface Controlled Sub-Surface Safety Valves (SCSSSV)-type DHSV's are considered in the present document (see also GS SAF 226, Safety rules for wells).

• SSV: Surface Safety Valves (Automatic master valves or wing valves) shall also be considered as ESDV's (1&2). Gas-lift or gas re-injection isolating valves are considered as SDV's.

5.6.1.2 Process

• ESDV: Emergency Shutdown Valve (3)

• BDV: Blow-Down Valve

• SDV: Shutdown Valve.

Other on/off motorised valves (XV's) and Hand Valves (HV's) cannot be considered as safety valves.

Control valves can be used, on an exception basis, as BDV's or SDV's (never ESDV's), within a process unit, in case of small upstream inventory: less than 5 m3 of liquid hydrocarbon or PV < 100 bar.m3 for gas. Cascaded action shall not be deemed acceptable (e.g. low level drifts LCV to closed position, etc.) and all control valves acting as SDV's shall be fitted with a solenoid valve connected to the PSS and independent of the control loop.

Note 1: SSV's shall always close before DHSV's to avoid pressure differential across the DHSV. Chokes, even motorised, cannot be considered as safety valves, either ESDV's or even SDV's.

Note 2: Wing valve re-opening through telemetry is authorised only if the concerned well was closed voluntarily and in absence of fault (F&G or PSHH/PSLL) and if the wing valve control circuit is fitted with a specific solenoid for remote re-opening, independent from the safety trip circuits.

Note 3: Main fuel trip valves to fired heaters and/or machinery shall be considered as ESDV's, although not installed at fire zone boundary.

5.6.2 Response time

Safety valves shall actuate in less than 15 seconds (10 seconds for SSV and wing valves) after their triggering mechanism has been activated, with possible exception for large valves (Ø ≥ 20"). The total duration of the shutdown sequence shall be less than 45 seconds from confirmation of abnormal condition and/or actuation on pushbuttons.

5.6.3 Actuators

Actuators shall be either spring loaded or air/hydraulic double action. Electric motor driven actuators are not allowed for service on safety valves, either ESDV or SDV.

Local accumulators (air or hydraulic) fitted on double action actuators shall be sized for three strokes (i.e. close-open-close) so as to allow for one operating mistake.

5.6.4 ESDV by-pass

Two cases shall be considered: plant or platform battery limit ESDV's and ESDV's on interconnections between fire zones.

• By-passes around battery limit ESDV's are prohibited. Pressure equalisation around ESDV's can be achieved either (1) by:

- Identifying a small line with manual valves to accomplish re-pressurising (e.g. from test separator, from main pipeline, etc.). All precautions shall be taken to avoid that the re-pressurisation line behaves in fact as a by-pass of the ESDV. The re-pressurisation line shall always be fitted with its own ESDV that shall close when the main ESDV closes.

- Installing a by-pass around an adjacent locally operated block valve.

• By-passes around ESDV's interconnecting fire zone are authorised providing they are fitted with their own ESDV that shall close when the main ESDV receives a signal to close.

Note 1: The use of special valve allowing slow re-pressurisation through the valve body itself (e.g. V-ball valves) shall be submitted to a special study and formal approval of COMPANY.

5.6.5 Functional requirements

| | DHSV (Wellheads) | SSV (Wellheads) | ESDV (Process) | BDV (Process) | SDV (Process) |
|---|---|---|---|---|---|
| Local reset after ESD-0 or ESD-1 | Yes | Yes (1) | Yes | Yes (2) | No |
| Open from CCR (6) | No | No (1) | No | Yes (5) | (3) |
| Close from CCR | Yes | Yes | Yes | No (2) | (3) |
| Open/Close local command | Yes | Yes | Yes | Yes | Yes |
| Open/Close status display in CCR | (3) | (3) | Yes | Yes | Yes |
| Partial stroking facilities | No | No | Yes | No | Yes (4) |
| ESD signal test facilities | Yes | Yes | Yes | Yes | Yes (4) |

Note 1: Local reset except if SSV was voluntarily closed (see Paragraph 5.6.1)

Note 2: Reset from control room may be envisaged in some cases (refer to Section 6) or automatic reset upon reset of ESD

Note 3: As required by Process and Operations

Note 4: Recommended for the SDV's which cannot be tested during scheduled equipment SD

Note 5: Interlocked with "permissive to BD" signal

Note 6: Central Control Room.

5.6.6 Pushbuttons

Pushbuttons shall be properly located, tagged and illuminated by essential lighting. They shall be physically protected against spurious activation and fitted with a specific unlocking tool to return to normal position. Pushbuttons shall be fitted with suitable devices for testing purposes. Pushbuttons shall be installed as follows:

Location Offshore Platform Drilling or WO rig Onshore Plant

Helideck ESD-0 ESD-0

Boat landing ESD-0

Muster points ESD-0 ESD-0

Driller's console ESD-1, SD-2

Control room ESD-0*, ESD-1, SD-2, SD-3 ESD-1, SD-2, SD-3 ESD-1, SD-2, SD-3

Technical rooms SD-2, SD-3 SD-2, SD-3 SD-2, SD-3

Local panels† SD-2, SD-3 SD-2, SD-3 SD-2, SD-3

Outdoors ESD-1# ESD-1#

Note *: Pushbuttons in CCR only for remote facility controlled from CCR.

Note #: ESD-1 pushbuttons can be provided outdoors at convenient locations, if imposed by site specifics (not base case).

Note †: Outdoors panel close to equipment or unit.

In case the activation of a shutdown pushbutton unlatches a "permissive to EDP" signal, the corresponding EDP pushbutton shall be located close by.

5.7 Physical protection

Any valve used as an ESDV shall be certified fireproof as per British Standard 6755 Part 2 or equivalent and GS PVV 142.

5.7.1 Onshore

ESDV's shall be located 15 metres off equipment in the fire zone to be isolated or, if not possible, valves and piping upstream of the inlet ESDV's, or downstream of the outlet ESDV's, and inclusive of the ESDV's themselves, shall be protected if they may be exposed to radiation greater than 15.8 kW/m2 (5000 BTU/ft2/hr) in the event of fire or overpressure greater than 0.3 bar in case of explosion.

5.7.2 Offshore

ESDV's shall be located at the limit of the fire zone to be protected. For a better protection of the risers, it is recommended that inlet and outlet ESDV's are located just above the maximum water elevation.

Valves and piping shall be protected with the same principles as onshore.

5.7.3 Actuators

Actuators shall be protected against the consequences of fire or explosion to the same level as the valves themselves. Additional special precautions shall be taken to protect the ESDV actuator and control cabinet so that their skin temperature does not exceed 70°C.

5.7.4 Valve connections and body

Unless imposed otherwise by applicable local regulation, valves with flanged connections to the piping and/or having a flanged body can be used as ESDV's or SDV's if their integrity in case of a major failure of the installation (refer to GS SAF 253) is demonstrated by a specific study submitted to COMPANY's approval.

This requirement may entail special precautions such as protection against dropped objects, reinforced passive fire proofing (valve body, actuator and flanges) and reinforced gaskets (RTJ strongly preferred even on low pressure piping).

5.7.5 Internal leak rate

An ESDV shall be considered fit for safety purposes if its internal leak rate does not exceed:

• For gas, expressed in Sm3/h, three times its nominal diameter expressed in inches

• For liquids, 40 litres per hour and per inch of nominal diameter.

Note: These criteria correspond to the maximum flow that would not generate a jet fire should the most unfavourable (not necessarily the largest) piping rupture occur, downstream of the ESDV. They are in line with API recommendations for flow line ESDV's.

5.7.6 Bunkers and pits

Under-ground ESDV's are authorised providing they are suitably marked, identified, protected against traffic hazards and their actuator is normally accessible.

ESDV's cannot sit inside a pit but can be installed in concrete bunkers (e.g. for protection against security threats) providing the access to the bunker is adequately controlled and regarded as an entry into a capacity.

5.8 Number of isolations

5.8.1 ESDV's and SDV's

The number of ESDV's for each stream incoming/outgoing a fire zone shall be such that the global SIL requirement is met: SIL 3 (probability to fail to close on demand less than 0.1%) for standard ESD or SIL 4 (probability to fail to close on demand less than 0.01%) for HIPS. These requirements imply the installation of 2 ESDV's in all cases.

In practice however, other factors such as onshore versus offshore, battery limit versus fire zone interconnection, permanently manned or not, inter-field pipeline or export, etc. shall be taken into account and may lead to exceptions as follows:

5.8.1.1 Fire zone interconnections

• Onshore: 1 ESD. Refer to GS SAF 253 for position.

• Offshore: 1 ESDV. Refer to GS SAF 253 for position.

5.8.1.2 Battery limit isolations

• Offshore

- Inter-field pipeline (e.g. trunk-line) departing from/landing onto a not normally manned platform (e.g. wellhead or riser platform): 1 ESDV

- Export/import pipeline departing from/landing onto a normally manned platform (e.g. production platform): 2 ESDV's

- Inter-field pipeline departing from/landing onto a normally manned platform or export/import pipeline departing from/landing onto a not normally manned platform: 2 ESDV's or 1 ESDV + 1 SDV (3) if SDV is close enough from ESDV (1).

• Onshore

- Inter-field pipeline: 2 ESDV's or 1 ESDV + 1 SDV (3) if SDV is close enough from ESDV (1)

- Export/import land pipeline: 2 ESDV's or 1 ESDV (3) + 1 SDV if SDV is close enough from ESDV (1 and 2)

- Export/import sea pipeline: 2 ESDV's.

Note 1: Engineering judgement shall be used to decide whether the piping between ESDV and SDV is short enough and/or protected enough against hazards to allow this alternative.

Note 2: Unless reinforced protection is required (e.g. security risks, landslides, earthquakes, etc.) or if environmental constraints are severe.

Note 3: Where SDV are used for this service, they cannot be control valves, even if fitted with a special solenoid as per Paragraph 5.6.1.

5.8.2 Isolation block valves

Isolation block valves immediately upstream/downstream of an incoming/outgoing ESDV shall be avoided, specially offshore. However should such a valve be necessary for, say, maintenance purposes (e.g. land-fall valve), then it shall comply with the requirements applicable for ESDV's (fire resistance, fire and blast protection, etc.). It shall be ensured that this block-valve is not unduly exposed to hazards that could be created by the ESDV and that it does not constitute a weaker point than the ESDV, in particular because of its position (more exposed to traffic, left unattended outside security fence, etc.).

5.9 Additional functional requirements

5.9.1 Safe state

Most safety system components should be designed as normally energised, and any failure of one or more components should set the controlled actuator to a safe position. ESDV's shall be Fail Close and BDV's Fail Open.

Special attention shall be paid to isolation of power supply. In the case of an ESD-0, the shutdown of all potential sources of hazard and ignition shall be achieved without delay. In the case of an ESD-1 and considering that essential utilities shall be suitable for operation in zone 1, the shutdown of all non-essential utilities with a time delay where applicable, is acceptable.

5.9.2 Line monitoring

Wherever a component of the ESD system cannot be of fail-safe design, the I/O loop integrity shall be continuously checked. This requirement applies specifically to signals from detectors to the F&G panel, deluge valve signal to open, signal to release CO2 and fire pump start up inhibit by gas detection or ESD-0.

5.9.3 Telemetry

Signals transmitted through telemetry shall not be considered as a means to achieve ESD actions because of lack of reliability. Remote facilities shall therefore be always fitted with a local ESD system independent from the main ESD system and capable of taking suitable actions in case of abnormal conditions either resulting from a local upset or from a SD of the main facility.

The telemetry link shall be provided with a built-in auto check device that will inform the CCR operators of its availability. In case the link is severed (atmospherics, interference, receiver failure, etc.), an alarm shall be displayed in the CCR but no further action (e.g. force the outputs of the remote facility to their safe position) shall be taken, unless otherwise stipulated in the OPERATING PHILOSOPHY.

5.9.4 Position indication

All ESDV's and SDV's shall be fitted with open and close position limit switches. BDV's shall be fitted with open position limit switches.

Local open and close position indicators directly fixed on the valve shall be provided. Position indicators shall be clearly visible from neighbouring walkways. Valve position shall be indicated in the CCR as per requirement stated in Paragraph 5.6.5, Functional requirements.

5.9.5 Testing and maintenance facilities

Each shutdown system command chain shall be provided with inhibition or by-pass facilities so as to render possible the test of the chain by simulating the abnormal condition to the detector and check the actuator initiates the required action, without actually shutting-down the equipment which is protected.

Each shutdown system shall be provided with facilities in order to test the total system in accordance with local regulations or as per requirement of the OPERATING PHILOSOPHY, without unacceptable production losses. In this respect, a partial stroking capability for ESDV's is strongly recommended.

The shutdown system shall be adaptable in order to suit minor modifications, such as tripping values changes, by authorised personnel. On the other hand, the possibility for operators to change set points, tripping limits or to modify the shutdown logic should be restricted.

5.9.6 Reliability of power sources

24 V DC shall be supplied by two independent sources:

• Normal power supply via the essential load panel

• Buffer batteries dedicated to ESD and F&G with autonomy of at least 1 hour.

If necessary, the power sources shall be redundant, so that power supply reliability matches the consumers' requirement. As a general rule the following shall apply:

• 2 x 100%: battery chargers, static inverter and power cables

• 2 x 50%: battery set.

5.9.7 Re-start capabilities

Some inputs to safety systems (such as very low level LSLL, very low pressure PSLL, etc.)must be temporarily rendered inoperative so as to allow the re-start up of the facility after ashutdown.

For PLC technology-based safety systems, these inhibitions shall be either of toggle-type,disappearing by themselves when normal operating parameter is attained, or time delayed orelse interlocked with the re-start up sequence steps.

For other systems (hydraulic, pneumatic, conventional relays or any combination of these) the greatest care shall be exercised during detail design to ensure that the number of inhibitions is kept minimal, that the status of said inhibitions is clearly displayed and visible at a glance, and that most routine interventions can be accomplished without deactivating safety actions of highest priority. When feasible, preference shall be given to selection of components that automatically restore their functionality when normal operating conditions have resumed.

6. Emergency depressurisation

The considerations developed in the following chapters are applicable only to emergency depressurisation when used for safety purposes but do not cover depressurisation imposed by other operating or process reasons (e.g. loss of gas compressor seal oil system, voluntary depressurisation of a test separator, etc.).

6.1 Requirements for EDP

6.1.1 Applicability to installations

A sound EDP system is regarded by COMPANY as the most efficient means for mitigation of consequences after a fire has occurred, especially when dealing with gas handling facilities.

The installation of an EDP system is mandatory on permanently manned hydrocarbon handling facilities, providing the criteria developed in Paragraph 6.1.3 are met. The installation of an EDP system on not permanently manned facilities is regarded as an asset and environment protection measure and shall be addressed in the SAFETY CONCEPT. If the decision to proceed is taken, then the same criteria as those applicable for permanently manned facilities shall apply.

Note: The presence of a fire water deluge system does not invalidate the need for an EDP system. Conversely the existence of an automatic EDP system may impact the design of a deluge system and may, in some cases such as gas handling facilities, even void deluge requirement.

6.1.2 Applicability to equipment

Equipment or piping that cannot be isolated or that cannot be exposed to fire shall not be hooked up onto the EDP system.

EDP capability shall be provided only for equipment or piping that can be both isolated and exposed to fire simultaneously and only if the pressure prevailing in these systems and/or the hydrocarbon inventory they contain is sufficient to justify this option (refer to Paragraph 6.1.3, Decision criteria). Furthermore the EDP system shall be such that piping associated to equipment shall be depressurised with the equipment and that no equipment or piping system, regardless of their maximum operating pressure or their volume, shall be left pressurised between two equipment (or piping systems) that have been depressurised.

Applicable Codes and Standards do not impose that systems composed exclusively of piping are depressurised; they deal only with vessels and depressurisation of piping is left to engineering judgement. It is COMPANY's practice however to consider that piping shall be treated in the same fashion as vessels and that EDP is also applicable to exclusively piping systems.

6.1.3 Decision criteria

The criteria that shall be used to decide whether a BDV is required are summarised in the following table:

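| Equipment | Isolation and fire exposure | Fluid | BDV required |
|---|---|---|---|
| Piping | That cannot be isolated | | No |
| Piping | That can be isolated but cannot be exposed to fire | | No (1) |
| Piping | That can be isolated and can be exposed to fire (5) | Flammable gas | P > 7 bar g and PVgas > 100 bar.m3 |
| Piping | That can be isolated and can be exposed to fire (5) | Liquefied HC (4) | Mgas or Mliq > 2 tonnes of C4 and more volatile |
| Piping | That can be isolated and can be exposed to fire (5) | Liquid HC | No (3) (6) |
| Piping | That can be isolated and can be exposed to fire (5) | Two-phase | P > 7 bar g and PVgas > 100 bar.m3 |
| Piping | That can be isolated and can be exposed to fire (5) | Toxic gases | As required for protection of personnel |
| Vessel | That cannot be isolated | | No |
| Vessel | That can be isolated but cannot be exposed to fire | | No (2) |
| Vessel | That can be isolated and can be exposed to fire (5) | Flammable gas | P > 7 bar g and PVgas > 100 bar.m3 (6) |
| Vessel | That can be isolated and can be exposed to fire (5) | Liquefied HC (4) | Mgas or Mliq > 2 tonnes of C4 or C3 |
| Vessel | That can be isolated and can be exposed to fire (5) | Liquid HC | No (3) (6) |
| Vessel | That can be isolated and can be exposed to fire (5) | Two-phase | P > 7 bar g and PVgas > 100 bar.m3 (6) |
| Vessel | That can be isolated and can be exposed to fire (5) | Toxic gases | As required for protection of personnel |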

Note 1: Except piping interconnecting equipment subject to EDP within one process unit, regardless of pressure and volume

Note 2: Except vessels between other vessels or piping within the same process unit and subject to EDP

Note 3: TSV or PSV fire case are regarded as sufficient protection

Note 4: Both refrigerated or under pressure

Note 5: Piping or vessels shall be considered as being possibly exposed to fire if more than 10% of their external surface can be either engulfed in a pool fire or submitted to a jet fire likely to last more than 3 minutes.

Note 6: The presence of pressurised fluid "trapped" in the network after EDP shall be avoided. The position of check valves and/or control valves failing to close shall be carefully contemplated in this respect.

P: Maximum operating pressure (PAHH)

V: Internal vessel (or piping or vessel + piping) volume

Vliq/Vgas: Maximum liquid/gas volume inside vessel or piping or both (LAHH/LALL)

Mliq/Mgas: Maximum mass of liquefied hydrocarbon liquid phase/gaseous phase inside vessel (or piping or both).

A few specific cases however do not adhere to this general philosophy:

• Finger-type slug catchers with sufficient distance from the process units (refer to GS SAF 253 and GS SAF 021), are not considered as equipment but as pipeline, the relevant code being ASME B 31-8. As a consequence they shall not be equipped with an EDP system matching the functional requirements developed below.

They may be fitted with a depressurisation system, if deemed necessary, with or without remote opening of the depressurisation valve, and sized to achieve full depressurisation over a period of time substantially longer than what is imposed by the functional requirements exposed below. A PSV designed for the fire case and, where necessary, a TSV shall provide adequate overpressure protection.

• Some equipment require to be depressurised after some fault, e.g. gas compressors after a seal-oil failure. Each case shall be submitted to a specific study.

6.1.4 Applicability to liquids

Liquid Emergency Blow-Down (EBD) of a set of equipment exposed to fire is not recommended. Passive protection devices are regarded as more efficient and shall be given preference instead.

Liquid EBD is however necessary in the case of volatile liquids (LPG's or condensate) to achieve the required reduction of pressure in the allowable period of time. If this were the case, a special attention would be paid to the design of the drainage network used to dispose of the liquids. In particular pipe sizing and supporting (risk of two-phase flow and subsequent unsteady flow regime) and pipe metallurgy (effects of sudden cooling-down due to a rapid pressure drop) would be subject to a specific study.

Note: EBD must not be confused with EDP and vessels (e.g. molecular sieve dryer) containing only liquids may need to be fitted with a BDV for EDP purposes as per requirement set forth in note 6 of Paragraph 6.1.3.

6.2 EDP sequence

6.2.1 General

The EDP system shall be designed to reduce pressure from the maximum operating pressure (PAHH) down to a specified threshold over a stipulated period of time. Both parameters (final pressure and depressuring time) shall be considered for the design of the EDP system.

6.2.2 Final pressure

Pressure shall be reduced down to 7 bar g considering the fire heat input or 50% design pressure considering no fire heat input, whichever is the most stringent. Heat input calculation shall be as per API RP 521 and shall take the presence of passive fire protection into account, if any.

6.2.3 Depressurisation time

As a general rule, time to achieve the final pressure level after an EDP has been initiated (1) shall be, by default:

• 15 minutes for piping and vessels containing hydrocarbon, both gas or liquid

• 8 minutes for vessels containing LPG's or light condensate to avoid the risk of BLEVE.

Note 1: These requirements are applicable only to emergency depressurisation and are not valid for depressurisation imposed by process reasons (refer to exceptions mentioned in Paragraph 6.1.3).

If these criteria were to lead to unacceptably large hydrocarbon disposal devices (either flare or cold vent) then the two following exceptions could be envisaged:

• Depressuring time for capacities with a wall thickness larger than 25 mm could be extended by 3 minutes for every 5 mm in excess of 25 mm, with an absolute maximum of 30 minutes. This approach is allowed only if one vessel is concerned (or one group of vessels with similar characteristics served by a common BDV) and if it is demonstrated that nozzles, instrument tappings and other possible spots where metal thickness is less than 25 mm do not represent a weak point, likely to leak before full depressurisation is achieved.

• Credit can be taken for passive fire protection when provided. In this case the time to achieve full depressurisation shall be as per requirements above, lengthened by the time it takes for the vessel (or piping) wall to reach its critical temperature (generally 400°C) and considering the characteristics of the fire to which it will be submitted.

Sizing of BDV's to match the above criteria shall be based on the assumption that during a fire, all streams entering and leaving the system are shut down and all internal heat sources within the process, if any, have ceased.
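The default times and the two exceptions above, as an added Python example that is not part of the specification. It assumes that only complete 5 mm increments earn the 3-minute credit, that the 30-minute maximum applies to the thickness exception only, and that the two exceptions are not stacked; the function and parameter names are hypothetical.

```python
import math

# Default times from Paragraph 6.2.3, in minutes.
DEFAULT_MIN = {"hydrocarbon": 15.0, "lpg_light_condensate": 8.0}
THICK_REF_MM, STEP_MM, STEP_MIN, CAP_MIN = 25.0, 5.0, 3.0, 30.0


def edp_time_minutes(content, exception="none", wall_mm=None,
                     single_bdv_group=False, thin_spots_cleared=False,
                     pfp_minutes_to_critical=None):
    """Return the allowable time (minutes) to reach the final pressure after EDP starts."""
    base = DEFAULT_MIN[content]
    if exception == "none":
        return base
    if exception == "thickness":
        # Both preconditions of the first exception must be demonstrated.
        if wall_mm is None or not (single_bdv_group and thin_spots_cleared):
            raise ValueError("thickness exception not justified")
        # Assumption: count complete 5 mm steps above 25 mm only.
        steps = max(0, math.floor((wall_mm - THICK_REF_MM) / STEP_MM))
        return min(CAP_MIN, base + STEP_MIN * steps)
    if exception == "pfp":
        # Time for the protected wall to reach its critical temperature,
        # taken from a separate fire study (input, not computed here).
        if pfp_minutes_to_critical is None or pfp_minutes_to_critical < 0:
            raise ValueError("PFP credit needs a non-negative time to critical temperature")
        return base + pfp_minutes_to_critical
    raise ValueError(f"unknown exception: {exception}")


if __name__ == "__main__":
    # Constructed cases: 40 mm and 60 mm wall vessels on a dedicated BDV.
    for wall in (40, 60):
        print(wall, edp_time_minutes("hydrocarbon", "thickness", wall_mm=wall,
                                     single_bdv_group=True, thin_spots_cleared=True))
```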

6.2.4 Automatic EDP

6.2.4.1 Offshore

All EDP systems when existing (always on permanently manned installations and possibly on not permanently manned facilities, refer to Paragraph 6.1.1) shall be triggered automatically by emergency conditions such as major gas leak, fire outdoors or voluntary activation of ESD-0 or ESD-1 stations (1).

6.2.4.2 Onshore

EDP systems provided on not permanently manned facilities shall be automatic and triggered by outdoors fire or gas detection as well as activation of ESD-1 emergency stations (1).

For all other types of installation a manual EDP pushbutton, interlocked with a permissive to EDP instruction from the ESD system, is the preferred alternative unless other site-specific constraints dictate otherwise.

All BDV's pertaining to one fire zone shall be provided with a common reset capability from the main control room so that depressurisation could be interrupted by the operator if he reckons EDP is detrimental to safety (e.g. if the relief piping is damaged and relief flow fuels a fire in the process units). This functionality is required for both automatic and manually activated EDP systems.

Note 1: Wherever an automatic EDP system is provided, the safety of traffic (helicopters, boats, roads, etc.) shall be contemplated. The design shall include provisions for the implementation of particular operating procedures, which may include the temporary overriding.

6.2.5 Phasing

It is considered that de-pressurising zones unexposed to hazard could be more dangerous than useful. Therefore EDP shall be split by fire zone; in case of ESD-1, only the concerned fire zone shall be depressurised.

Phasing within one fire zone is to be avoided. COMPANY's approval is requested if such a phased EDP system is proposed.

6.2.6 ESD-0 and common mode of failure

If EDP is applicable to more than one fire zone the simultaneous opening of all BDV's of all fire zones, either by activation of ESD-0 or following a general fault, shall be dealt with as follows:

• If the flare/vent system can safely handle the total flow resulting from the simultaneous EDP of all fire zones, no special precaution shall be taken and no EDP phasing by fire zone is required.

• If the flare/vent system cannot handle the total flow resulting from the simultaneous EDP of all fire zones, then phased EDP by fire zone in case of ESD-0 is the only option left and the BDV's of different fire zones must not have any common failure mode.

The means implemented to avoid common modes of failure or simultaneous EDP of all fire zones in case of ESD-0 shall be carefully devised. They shall cater, among other possible causes, for global failure of the 24 VDC to the solenoid valves controlling BDV's and for reliability of the ESD system. The installation of one UPS dedicated to each zone is highly recommended along with separated cable routing. The ESD system shall be fault tolerant, it shall be regarded as a HIPS, hence its safety integrity level shall be SIL 4 (instead of SIL 3), its outputs shall be adequately segregated by fire zones and, furthermore, it shall be capable of keeping the solenoid valves energised for a while even after power supply has been switched off (see also Paragraph 6.2.7).
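One way to screen an ESD-0 case against the two bullets above (added example, not part of the specification). It assumes the total flow is the sum of constructed per-zone peak flows and checks the three dependencies named in the text: UPS, cable routing and ESD output segregation; all names and values are hypothetical.

```python
from itertools import combinations

# Dependencies the paragraph names as possible common modes of failure.
SHARED_KEYS = ("ups", "cable_route", "esd_output_group")

# Constructed sample data: peak EDP flow per fire zone in kg/h (hypothetical values).
SAMPLE_ZONES = {
    "FZ1": {"peak_flow": 120_000, "ups": "UPS-A", "cable_route": "R1", "esd_output_group": "G1"},
    "FZ2": {"peak_flow": 90_000, "ups": "UPS-A", "cable_route": "R2", "esd_output_group": "G2"},
    "FZ3": {"peak_flow": 60_000, "ups": "UPS-C", "cable_route": "R3", "esd_output_group": "G3"},
}


def assess_esd0(zones, flare_capacity):
    """Decide whether ESD-0 needs EDP phased by fire zone and list shared dependencies."""
    # Assumption: all BDV's open together, so the per-zone peak flows add up.
    total = sum(z["peak_flow"] for z in zones.values())
    if total <= flare_capacity:
        # First bullet: the flare/vent system copes, no phasing by fire zone.
        return {"total_flow": total, "phasing_required": False, "common_modes": []}
    # Second bullet: phasing is required, so no two zones may share a dependency.
    common = []
    for a, b in combinations(sorted(zones), 2):
        for key in SHARED_KEYS:
            if zones[a][key] == zones[b][key]:
                common.append((a, b, key, zones[a][key]))
    return {"total_flow": total, "phasing_required": True, "common_modes": common}


if __name__ == "__main__":
    print(assess_esd0(SAMPLE_ZONES, flare_capacity=200_000))
```

A non-empty `common_modes` list points at the items to redesign, here a UPS shared by two fire zones.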

6.2.7 BDV timers

Local timers (air, gas or hydraulic) shall be installed, if necessary, on BDV's to prevent flare overload. Their use however is acceptable only for short delays (a few seconds and in the limits of rules set forth in Paragraph 5.6.2) just to ensure that ESDV's are closed before BDV's open.

Local timers are forbidden to achieve phased depressurisation (say, one minute or more). Should this requirement become mandatory, then alternate solutions such as dedicated power supplies comprising their own timer and suitable for operation in zone 1, independent of essential power and not de-energised immediately after ESD-0 or ESD-1 has been initiated, shall feed these consumers.

6.2.8 Controlled de-pressurisation

Controlled depressurisation systems, monitoring flowrates and pressures at various strategic locations of the flare system, are sometimes envisaged in order to minimise the peak flowrate.

Such systems are prohibited for new designs. In the case of a revamping a justification dossier shall be submitted for approval to COMPANY Operation, Process and Safety departments.

6.3 Protection and functional requirements

The same criteria as prevailing for shutdown devices shall apply to blow-down devices. Refer to relevant part of Chapter 5.6, Shutdown devices, 5.7, Physical protection and 5.9, Additional functional requirements.