&-jib

(4.
p. &) ctccfll
*

u u$?

KUWAIT OIL COMPANY (K.S.C.)

Engineering Group

Specifics tion Number

0 15-YH- 1004
Emergency Shutdown (ESD) and Depressurising
System Requirements

5 AUG 94

ISSUED AS KOC ENG GROUP SPEC

7 MAR 94

ISSUED FOR INVITATION TO BID

Rev

Date

Revision

BY

Chkd

Section

PE

Client

Specification Number

Engineering Group
Speci'fication

01 ~ - Y H - I O O ~

Rev

Date

Sheet

05-08-94

2 of 22

CONTENTS

1.0 SCOPE

...............................................

...............................

....................................

2.0 STANDARD SPECIFICATIONS

3.0 SERVICE CONDITIONS

4.0 BASIC ENGINEERING INFORMATION . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

4.1 Objective . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
4.2 System Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
4.3 General Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
4.4 Provision of Trip Initiators and Actuators . . . . . . . . . . . . . . . . . . . . 7
4.5 Reliability and Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
4.6 Redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
4.7 Interfaces to Other Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
4.8 OperatorJMaintenance Facilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
4.9 Definition of Shutdown Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
4.10
Cascading Effects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
4.1 1
Logic Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
4.12
ESDReset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
4.13
System Failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
4.14
Fault Monitoring and Testing . . . . . . . . . . . . . . . . . . . . . . 13

5.0 CONSTRUCTION REQUIREMENTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

5.1 Control Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.2 Initiating Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.3 Final Actuators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.4 Location of Shutdown Valves . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.5 Location of Depressurising Facilities . . . . . . . . . . . . . . . . . . . . . . . .

13
13
16
17
18
18

6.0 PERFORMANCE REQUIREMENTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

6.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.2 Level 4: Local Process Element and Related Shutdown . . . . . . . . . . .
6.3 Level 3: Production Train Shutdown . . . . . . . . . . . . . . . . . . . . . . .
6.4 Level 2: Plant Shutdown without Depressurising . . . . . . . . . . . . . . .
6.5 Level 1: Plant Shutdown with Depressurising . . . . . . . . . . . . . . . . .
6.6 Depressurisation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

19
19
19
20
20
21
21

..
..

21

7.0 TYPICAL LOCATIONS OF SHUTDOWN AND DEPRESSURISING VALVES

ATTACHMENT 1: P&ID SHUTDOWN AND DEPRESSURISING SPECIFICATION

22

Engineering Group
Specification

Specification Number

Rev

Date

Sheet

0 15-YH-1004

05-08-94

3 of 22

1.0 SCOPE

1.1 This specification covers the definition of the overall requirements for the ESD
and depressurising system t o be implemented at the Facility in Kuwait.
1.2 The ESD and depressurising equipment shall fully comply with all relevant
contractual requirements specified in the Scope of Work and Technical
Specification of the Contract.
1.3 The detailed instrumentation and control functions shall be developed by the
Contractor on the basis of this specification and defined on P&IDs, instrument
index and cause and effect charts.
1.4 The ESD control system hardware needed t o implement these requirements
shall be as defined in the Engineering Group Specification entitled "Emergency
Shutdown Panel" (Number D l 5-JH-1905).

2.0 STANDARD SPECIFICATIONS

2.1

The ESD and depressurising system shall conform in design materials and
performance, except where otherwise specified, with the current issue and
amendments of the following prevailing on the effective date of the Contract:
2.1.1

2.1.2

2.1.3

International Standards
API RP 520
Parts I and II

Design and Installation of Pressure

Relieving Systems in Refineries

API RP 521

Guide for Pressure-Relieving and Depressuring

Systems

British Standards
BS 5345

Code of Practice for the Selection, Installation

and Maintenance of Electrical Apparatus for
Potentially Explosive Atmospheres

BS 5501

Electrical Apparatus for Potentially Explosive

Atmospheres

Engineering Group Specifications

0 1 5-AH-1001

Basic Design Criteria

0 1 5-AH-1002

International Codes and Standards

01 5-AH-1003

Systems Isolation

0 1 5-JH-1902

Instrument Design

QKOC

Engineering Group
Spec'fication

Specification Number

Rev

Date

Sheet

01 5-YH-1004

05-08-94

4 of 22

General Instrument
Emergency Shutdown Panel
Spare Parts and Maintenance Requirements
Piping Material Classes
Piping and Plant Layout
Packing, Marking and Documentation
Shop and Field Painting
Loss Prevention Requirements
2.2

Compliance with this specification shall not relieve the Contractor of its
responsibility t o supply equipment suited t o meet the specified service
conditions and applicable regulations.

2.3 Where conflict exists between this specification and other Drawings,
standards, codes and specifications, the most stringent shall be applied.

3.0 SERVICE CONDITIONS

3.1 The equipment shall, be suitable for continuous operation at a desert location
under high ambient temperatures and humidity. The atmosphere at the
Facility is generally dusty and corrosive and may contain traces of hydrogen
sulphide.
3.2 The ESD and depressurising system shall in all respects be suitable for
continuous operation in the service conditions stated in the Engineering Group
Specification entitled "Basic Design Criteria" (Number 0 1 5-AH-1001 ).

4.0

BASIC ENGINEERING INFORMATION

4.1

Obiective
4.1 . I

An ESD and depressurising system shall be provided at the Facility.

The system shall be designed t o provide safe shutdown and, where
necessary, depressurising of process and equipment in order t o
prevent the development of a hazardous condition which may be
caused by process upset or an external event, such as fire or gas
detected.

4.1.2

The purpose of shutdown and depressurising is t o make the

elements of the Facility safe by isolating a risk (hydrocarbon
inventory), and then reducing the system pressure t o a value set
within API guidelines.

Engineering Group
Spew'fication
4.1.3

Specification Number

01 ~ - Y H - I O O ~

Rev

Date

Sheet

05-08-94

5 of 22

The following objectives, in order of priority, are to be used as the

basis of design:
a. Protection of personnel.
b. Protection of equipment.
c. Prevention of pollution.
d. Continuity of production (by minimising spurious shutdowns).

4.1.4

The prime requirement will be to provide the simplest, most practical

and effective system possible in accordance with the requirements
of this specification, including all relevant codes and standards. In
pursuance of this, the number of trips and the complexity of the
ESD controls and logic should be minimised as far as can be done
without prejudice to the effectiveness and safety of operation of the
Facility.

4.1.5

The system shall act independently of all other systems to do the

following:
a. Sense abnormal operational or equipment conditions.

b. Automatically react to such conditions by shutting down and/or

isolating and, where appropriate, venting sections of the
installation as required in order to meet the overall objective as
defined above.
c. Provide for manual isolation and/or venting of sections of the
installation, or the entire Facility hydrocarbon inventory.
d. Interface with other system, and initiate relevant shutdowns,
e.g., inputs from the fire and gas system may require executive
action.
4.1.6

Shutdown and depressuring functions shall be limited t o those

required for safety, based on the upset condition detected. The
main production process shall not be unnecessarily interrupted. If
any section of the process has to be stopped, then it shall be left in
conditions which facilitate restart, provided that this is consistent
with safety.

4.1.7

The actual course of action to be taken by the ESD system in

response to each input signal shall be in accordance with cause and
effect charts, which shall be developed during detailed engineering
by the Contractor and submitted for Company approval.

Engineering Group
Spewfication

Specification Number

Rev

Date

Sheet

01 ~-YH-IOO~

05-08-94

6 of 22

4.2 Svstem Overview

The ESD and depressurising system shall comprise three elements:
a. Dedicated plant-mounted initiating and actuating devices.
b. ESD control panel.
c. Operator's interface.
Measurement devices shall be placed in strategic locations within
the Facility t o provide shutdown initiation when process and utility
system parameters have reached a status from which they may
create a hazardous or inoperable situation if the measured parameter
is allowed t o deviate further out of an acceptable range.
Segments of the Facility shall be isolated by ESD valves positioned
so as t o reduce the extent of the Facility at risk in the event of
upset conditions. Once isolated, systems containing hydrocarbons
can be depressurised directly t o flare, via depressurising stations.
Each station shall consist of a depressurising valve followed by a
restriction orifice and line t o flare.
The ESD control panel and operator's interface shall be housed in
the control building. They shall provide for both automatic and
manual control of shutdown and depressurising of the Facility, as
well as detailed annunciation of system status.

4.3 General Reauirements

4.3.1

Initiating devices and actuators shall be hardwired directly t o the

ESD control panel, which shall contain the required monitoring and
control equipment and shutdown logic. The operator facility shall
provide audible and visual annunciation of the status of the ESD
system, and manual controls to enable operator intervention for
control, maintenance and testing.

4.3.2

All ESD-initiating devices and actuators and their associated

connections and circuits shall be dedicated t o the ESD system and
arranged t o operate independently of other monitoring control and
alarm systems. The ESD system shall be totally stand alone and
shall not rely on communication links or interfaces t o any other
systems.

4.3.3

Inputs t o and outputs from the ESD control logic shall be digital
only. Use of analogue inputs shall be avoided unless absolutely
necessary. Where field inputs are from smart devices or analogue
inputs, then proprietary high-integrity trip amplifiers shall be included
in input circuits t o provide digital signal t o ESD logic. Analogue
outputs shall not be allowed.

QKOC

Engineering Group
Specification
4.3.4

Specification Number

Rev

Date

Sheet

015-YH-1004

05-08-94

7 of 22

Under normal operating conditions, contacts from initiating devices

shall be closed, opening to alarm. Actuating devices shall be
normally energised, de-energise to trip.

4.4 Provision of Trir, Initiators and Actuators

4.4.1

Locations of shutdown and depressurising initiators and actuators

shall, as a minimum, be as shown on the Process Safeguarding Flow
Schemes and Safety Analysis Function Evaluation (SAFE) charts
provided by the Company. Attachment 1, entitled "P&ID Shutdown
and Depressurising Specification," is included within section 7.0 (for
reference only) and shows typical locations of initiators and
actuators.

4.4.2

The contractor shall develop these requirements as a result of

detailed design work, and in particular consequences of specific
Hazard and Operability (HAZOP) and Quantified Risk Assessment
studies, and reliability analysis of the installation.

4.5 Reliabilitv and Availabilitv

The ESD system design shall aim to maximise reliability and
availability without introducing a high degree of complexity into
hardware or software configuration.
The ESD control panel shall have a calculated mean time between
failure (MTBF) in excess of 50,000 hours. This shall apply to all
failures causing spurious shutdowns, or leaving the control system
unable to respond to a valid shutdown request (dormant failure).
Calculation of this MTBF shall take account of all equipment in the
control panel: from inputloutput (110)terminals and barriers, through
interposing trip amplifiers and relays, I10 modules, logic circuits, and
power supplies.
ESD system hardware design shall be modular wherever possible to
enable first-time maintenance replacement of failed components.
Where spares are held at the Facility, MTTR, in the event of a
component failure which could contribute to system failure, shall be
less than 2 hours. Such repairlreplacement shall not necessitate
taking the system offline.
4.6 Redundancy
4.6.1

In order to maximise system availability without compromising

reliability, redundancy arrangements shall be incorporated within
those elements of the ESD system which may be subject to
common mode failure. For example, the ESD logic control system
represents a single point of failure which, in the event of failure,

Engineering Group
Spew'fication

Specification Number

Rev

Date

Sheet

01 5-YH-1004

05-08-94

8 of 22

could render the ESD system inoperative, or cause unnecessary

shutdowns.
Where the logic system is based on microprocessor or
programmable logic controller (PLC) technology, then as a minimum,
dual channels shall be provided regardless of the MTBF figures
stated elsewhere in this specification. Redundancy within the
control system shall apply to all input and output modules,
processors and memories, power supplies and any interposing
relays.
Majority voting arrangements shall be implemented to ensure that
single failures do not generate spurious shutdowns. Any failures
which leave the control system unable to respond to a valid
shutdown shall be annunciated immediately.
This redundancy shall also permit on-line testing of single channels
without requiring actual process shutdown. Failure of any single
channel shall initiate a fault annunciation within the control room.
Redundant field initiating and actuating devices shall be provided in
the following circumstances:
a. Where single device failure can cause a shutdown of the
complete Facility.
b. Where equipment for detection of a vital shutdown may need to
be overridden for maintenance.
c. Where a device is vulnerable or has an unavoidable short-life
element.
Where redundant initiating devices are required, a minimum of three
independent instruments shall be provided at the same location.
ESD logic shall be arranged to vote two out of three to initiate a trip.
Operation of a single instrument only in the group shall cause an
alarm only to be annunciated.
Redundancy of output devices where required, shall be provided by
a minimum of two independent valves mounted in series adjacent to
each other in the same length of pipe. Thermal relief facilities shall
be provided between the valves.
4.7 Interfaces to Other Svstems

4.7.1

The ESD system shall interface with other systems to receive

shutdown initiate requests or to instruct equipment to shutdown.
Typically these other systems will include:

Engineering Group
Sp~c,fication

Specification Number

01 ~ - Y H - I O O ~

Rev

Date

Sheet

05-08-94

9 of 22

a. Fire and Gas Detection System.

b. HVAC Control System.
c. Turbine Control Panel.
d. Turbine Fire and Gas Panel.
e. Motor Control Centre.
All interfaces of this nature shall be via discrete, volt-free contacts.
The ESD system shall monitor normally closed output contacts from
the other systems, and instruct shutdown via its own normally
closed output contacts, i.e., all contacts shall be closed in the
healthy condition, open to trip.
Additionally, a serial communications link shall be provided to the
Facility Distributed Control System (DCS). This link shall be for
status reporting only from the ESD to the DCS. Measures shall be
taken to ensure that implementation of this link does not impact
upon integrity of the ESD system.
Faults or malfunctions within systems which the ESD system is
interfacing to, shall not have an impact on the operation of the ESD
system.

4.8 OeeratorlMaintenance Facilities

4.8.1

A matrix-type panel display shall be provided for the ESD system.

The panel shall incorporate light-emitting diodes (LEDs), keyswitches
and pushbuttons as described herein to provide annunciation and
control of ESD inputs and outputs.

4.8.2

The matrix panel shall also include a common Facilities section

which will as a minimum, provide indication and controls for:
a. Common Fault.
b. Common Alarm.
c. Override On.
d. Accept, Mute and Lamptest Pushbuttons.
e. Two-Tone Panel Audible (Fault and Alarm).

4.8.3

All inputs to the ESD system shall be provided with individual 2position stayput maintenance override enabling keyswitches. These
keyswitches shall be used when performing any maintenance or test

QKOC

Engineering Group
Specification

Specification Number

Rev

Date

Sheet

0 15-YH-1004

05-08-94

I O O ~22

activity requiring inhibit of a shutdown logic path. The override shall

only defeat the shutdown logic function; the input alarm
annunciation shall remain operable. The key shall only be removable
in the non-override position.
4.8.4

Critical shutdown outputs from the ESD system shall have

individual pushbuttons, to initiate manual trip of the output.
Pushbuttons contacts (normally closed) shall be hardwired into the
output circuit hardwired and repeated to ESD input modules for
status reporting.

4.8.5

All inputs and outputs shall be provided with LED indication of

status, i.e., normal, alarm, override, or manual trip as applicable.
Input LEDs shall indicate true status of initiating device regardless
of override state. Override LEDs shall flash as long as the override
is on.

4.8.6

In addition, startup bypass switches shall be provided for selected

groups of inputs which are in the abnormal state until the process
has started. These switches may be protected pushbuttons, or
momentary action, spring-return keyswitches, and shall provide
inputs to logic which will inhibit shutdown functions for the relevant
areas of process only, to allow field inputs to achieve normal state.
Logic shall only be inhibited for a preset time period which will be
sufficient to allow process to stabilize. In the event that normal
condition is not achieved within this time, then the inhibit shall be
automatically canceled, and the ESD logic implemented.

4.9 Definition of Shutdown Levels

4.9.1

The ESD system shall be designed to cater for four shutdown level
hierarchy representing increasing degrees of hazard:
a. Level 4: Local Process Element and Related Shutdown.
b. Level 3: Production Train Shutdown.
c. Level 2: Plant Shutdown without Depressurisation.
d. Level 1: Plant Shutdown with Depressurisation.

4.9.2

Levels 4 and 3 generally provide protection against process upset

conditions and should normally only be automatically initiated by
plant-monitoring devices including local gas detection. Level 2
provides protection against certain critical process or utility failures.
Level 1 shutdown is initiated in the event of confirmed fire detected.

4.9.3

It should be noted that the ESD system shall interface with other
systems monitoring both process and external site conditions. It

Engineering Group
Specjfication

Specification Number

Rev

Date

Sheet

01 5-YH-1004

05-08-94

11 of 22

may therefore initiate any level of shutdown--for process upset or

external reasons--as required in order to meet the overall objective
of preventing further development of a hazardous situation. Manual
initiation shall be available for all levels of shutdown.
Level 2 and 3 shutdowns shall generate a permissive allowing
manual initiation of equipment depressurisation.
Cascadina Effects
A cascade effect is where a shutdown in one piece of equipment
causes a process upset, and subsequent shutdown in other
equipment/systems.
Cascading emergency shutdowns shall be avoided, i.e., any
shutdown signal should trip all affected equipment/systems, so that
an abnormal situation does not escalate due to the intervention of
the ESD system. However, a control instrument may take action to
prevent an abnormal situation occurring as a result of a shutdown.
Loaic Structure
The shutdown logic shall perform the shutdown actions for all
process and utility systems at all levels necessary to meet the aims
and objectives of the shutdown system philosophy, and the events
and manual actions which cause these shutdowns to take place.
Due consideration shall be given to all modes of operation. For
instance, where there is more than one separator train and operating
procedures allow crossover between trains, then this shall be
reflected in the shutdown logic.
The ESD logic shall be based on a modular structure comprising a
number of discrete sub-systems, each one defining the shutdown
logic of a discrete section of the process.
Each sub-system will be termed "Unit Shutdown Logic" (USL) and
shall be designed to maintain in operation, or shutdown in complete
safety, the section of plant that it is supervising. USL definition
shall generally coincide with the requirements of Level 4 and Level
3 shutdowns as defined within this specification.
USLs shall be maintained as simple as possible, based upon AND,
OR, NOT logic and timing functions.
USLs shall be supervised by a coordinating logic programme which
shall define the requirements for higher levels of a shutdown:
Levels 2 and 1, i.e. In the event of a Level 2 shutdown being
required, the ESD logic shall call upon and coordinate a number of
USLs in order to implement the shutdown.

QKM:

Engineering Group
Specification

Specification Number

01 ~ - Y H - I O O ~

Rev

Date

Sheet

05-08-94

1 2 0 f 22

Wherever possible, shutdown logic for packaged equipment shall be

integrated into and controlled by the main ESD system. Where a
package includes its own dedicated controller incorporating
shutdown logic, then shutdown control may be provided by the
package control unit subject t o Company approval.
The package controller shall be capable of a controlled shutdown on
receipt of signals from the ESD system. It shall also be capable of
reporting shutdown status t o the ESD system. Interface shall be via
volt-free contacts. The Approved Manufacturer of the package shall
be required to submit full details of the control unit and shutdown
logic, including calculated figures for controller failure rates, failure
modes and availability.
ESD Reset
On activation of a shutdown, the logic within the ESD system, and
the final actuator will latch in the shutdown (de-energised)
condition. The system shall be provided with manual-only reset
facilities.
In the first instance, manual reset of the logic only shall be made at
the ESD operator interface in the control room. Manual reset of the
field device shall then be made at the device. For example, a
shutdown valve may be provided with a local hand-operated control
point which restores air to the valve actuator. Means shall be
provided t o alert the process operator in the field that reset is t o be
made. This may be achieved using a local indicator panel, system
of interlocks, or adequately implemented operating procedures.
Svstem Failure
In general, the ESD system shall be failsafe in normal operation. It
is recognized that t w o failure modes will be possible within the ESD
system:
a. Spurious failures causing trips.
b. Dormant failures leaving the system unable t o respond t o a valid
input.
Failsafe shall mean that all failures will either cause a shutdown of
plant or equipment, or will be annunciated t o the operator t o enable
manual control to be actioned.
The system design shall ensure that spurious failures are reduced t o
a minimum. As well as incurring unnecessary costs, spurious trips
will also reduce operator confidence in the ESD system, and may
cause "cascade" effects in associated equipment, which will then
shut down .due to upset conditions.

Engineering Group
Sp~~~Xcation

Specification Number

Rev

Date

Sheet

05-08-94

130f 22

01 ~ - Y H - I O O ~

All dormant failures which could affect the ability of the ESD system
t o respond t o a valid input must be detected automatically by the
system, and annunciated immediately.
The ESD system design shall incorporate sufficient segregation t o
ensure that a failure in a particular part of the system would not
render other parts, or the whole, of the system inoperative.
Fault Monitorinq and Testing
The ESD panel shall include self-test and fault-detection systems.
As a minimum, the fault-detection system shall have at least one
method of monitoring and annunciating a basic fault in each of the
following:
a. Power Supply.
b. InputIOutput Circuits and Interfaces.
c. Logic controllers, including memories.
d. Output Voting Relays.
e. Miniature Circuit Breaker (MCB) Fuse Trips.
Monitoring hardware shall be kept to a minimum and as simple as
possible.
Any failure in the monitoring circuit shall be alarmed.
Test monitoring shall take place at regular. time intervals or in
response t o an operator's request. It shall be possible t o monitor
and test the components comprising the ESD panel while the
system is in normal operation.

5.0 CONSTRUCTION REQUIREMENTS

5.1

Control Panel
5.1.1

General
The ESD control panel shall contain all equipment necessary to
provide:
a. Monitoring of all field initiating devices.
b. ESD logic implementation.

Engineering Group
Spec'fication

Specification Number

Rev

Date

Sheet

01 ~-YH-IOO~

05-08-94

1 4 of 22

c. Control of shutdown outputs t o field actuators.

d. Control of depressurising outputs t o field actuators.
e. Interfaces t o other systems via volt-free contacts, and serial
communications link t o DCS.
f. Self-testing facilities.
g. Operator interface.
5.1.2

System Type
a. The control system technology and architecture t o be used shall
be based on proven technology and configurations. Prototype
equipment or systems shall not be considered except by prior
approval from the Company.
b. The ESD control system shall be based on redundant
microprocessor or PLC technology.
Dual or triplicated
configurations shall be acceptable subject t o meeting other
requirements detailed herein.

c. Equipment specifically designed for safety shutdown applications

is preferred; however, use of proprietary control PLCs may be
acceptable subject to Company approval.
d. Redundant systems shall be configured so that single failure of
I10 modules, processor, or power supplies on either path will not
cause spurious shutdown.
Systems should therefore be
configured with 2 out of 2, or 2 out of 3 output voting.
e. In the event of spurious operation of one channel only, the
system shall report a discrepancy fault, but shutdown outputs
shall not be operated. Manual controls shall be available t o allow
operator to intervene if necessary.
f. All systems shall incorporate self-testing routines which will
check the ability of all I10 channels, and any interposing relays,
t o change state when required. Such routines may be in
constant operation or periodic, but shall not prevent the system
from responding to a genuine alarm.
g. All failures shall be detected, either by system on-line
diagnostics, or periodic self-testing routine, and annunciated
immediately.

Engineering Group
Spm'fication

Specification Number

Rev

Date

Sheet

015-YH-1004

05-08-94

1 5 0 f 22

h. Systems shall incorporate self-adapting voting techniques so that

failure of any path does not create system unavailability, i.e., a
2 out of 2 should adapt to 1 out of 1 in the event of failure of
one of the redundant paths. A 2 out of 3 system should adapt to
2 out of 2, and then to 1 out of 1 in the event of second failure.
5.1.3

InputIOutput Interface
a. All input and output signals to and from the control panel shall be
galvanically or optically isolated from the logic circuits.

b. Analogue inputs, in cases where direct field-mounted process

switches are not possible, shall be interfaced via proprietary highintegrity trip amplifier units incorporating contacts for alarm and
fault conditions. Digital inputs only shall be repeated to ESD
logic.
c. Where the system is based on redundant microprocessor/PLC
technology, then all inputs and outputs shall be to and from
redundant I10 channels to maximise the integrity of the system.
d. Output circuits shall all be digital and shall cater for powered and
volt-free signals. All outputs shall be via interposing relays.
Relays shall be wired to provide adaptive voting on redundant
systems.
5.1.4

Operator lnterface
a. An operator matrix panel shall be provided containing keyoperated switches, pushbuttons and LEDs as necessary to meet
the functional requirements defined in this document.
The matrix panel shall be mounted in a normally manned control
room. It may either be part of the ESD control panel or a
separate remotely mounted panel, e.g., where the control panel
is required to be in a normally unmanned room, the matrix shall
be provided as a separate panel to be mounted in the control
room.
b. The matrix panel shall be powered from the ESD panel. All links
between the two should be hardwired; however, use of
redundant serial communication, or multiplexed, links for
annunciation and override signals shall be acceptable only on
Company approval.
c. Critical shutdown manual control signals from the matrix shall be
hardwired directly into relevant output circuits, with repeat
contacts into the ESD logic for reporting purposes.

Engineering Group
Specification
5.1.5

Specification Number

01 ~ - Y H - I O O ~

Rev

Date

Sheet

05-08-94

16 of 22

Power Supply
a. The ESD system shall be powered from a dedicated UPS, at a
voltage level compatible with efficient power distribution design,
i.e., voltage drops in distribution lines between UPS and ESD
control panel shall not impair performance of the ESD system.
Distribution from the UPS to ESD control panel shall be via dual
feeders.
b. The UPS shall have sufficient capacity to maintain the ESD
system in full operation for a period of 4 hours after failure of
Facility main and generated power in order to maintain control
over depressurising facilities.
c. The ESD control panel shall contain power supply units to
convert the UPS supply to the voltage levels required to provide
power to all system components, field devices, interfaces, logic,
and operator's matrix.
d. All ESD control panel power supply equipment shall be fully
redundant, i.e., 100% spare, and not "n
1" configuration. In
addition, cooling fans also incorporating 100% redundancy, shall
be provided for all PSUs within the control panel.

5.1.6

Expansion Capacity
a. It shall be possible to expand the input and output quantities by
at least 20% without the addition of extra cabinet bays.

b. This 20% spare capacity shall be provided in the form of power

supplies, processor and memories, tray positions (for I10 and any
other modules), panel and matrix space only.

5.2 lnitiatina Devices

5.2.1

lnput signals to the ESD system shall be primarily from process

switches and/or smart transmitters monitoring pressure, level, flow
and temperature. Analogue inputs shall only be used in cases where
direct field-mounted process switches are not possible. Where
switches are used, they should be snap-acting type arranged such
that shutdown initiation is caused by opening contacts.

5.2.2

Particular attention shall be paid to switch contact materials, with

respect to resistance to oxidation and minimum specified
voltagelcurrent conduction levels. Use of noble metals such as
platinum, rhodium or as an alternative gold-flashed contacts is
preferred. lnput circuits shall be intrinsically safe (IS) wherever
possible, and initiating contacts must be suitable for use with the
low current/voltage levels involved, without causing spurious shutdowns.

QKOC

Engineering Group
Specification

5.2.3

Specification Number

Rev

Date

Sheet

01 5-YH-1004

05-08-94

170f 22

Where initiating inputs t o the ESD system are from other systems,
typically fire and gas system, these should be arranged as normally
closed contacts, opening t o initiate shutdown. Shutdown initiating
signals from other systems shall generally be controlled by normally
de-energised output circuits from those systems.

5.3 Final Actuators

Outputs from the ESD control circuits shall operate shutdown valves
and depressurising valves installed in the process piping (via a
suitable solenoid valve), or trip other equipment (either directly or via
relevant control panels).
Valves used for isolation and depressuring purposes shall be ball
type where operating conditions permit. These shall be rated t o
contain the pipelines' rated pressure at each location. Valve bodies
shall incorporate automatic thermal relief facilities which will
discharge on the downstream side of the valve.
Shutdown valve actuators shall be air operated, and shall be spring
returned t o the safe position. Double-acting, air-operated actuators
shall only be acceptable where valve size and/or operating time
constraints require this approach.
Valves used for isolation service shall generally be open during
normal operation, i.e., air to open, spring t o close. Depressurising
valves shall be closed during normal operation, i.e., air t o close,
spring t o open.
Air supply t o shutdown and depressurising valves shall be from the
Facility instrument air supply. Local ESD air headers shall be
provided for each major item of process equipment (e.g., separator
vessel, desalter vessel), or for related items of equipment which are
geographically very close. Each air header shall incorporate filters,
check valves, low-pressure switches, and an air reservoir t o ensure
security of air supply in the event of leakage, or instrument air
failure. Each air reservoir shall have sufficient capacity (volume and
pressure) t o enable three full operations of the valve(s) it is serving.
Air t o each shutdown valve actuator shall be controlled by a
normally energized solenoid valve powered from the ESD control
circuit. On loss of power t o the solenoid, the air shall be exhausted,
thus causing the shutdown valve to move t o or stay in its
predetermined safe position.
Shutdown valves shall be fitted with status switches monitoring
both open and closed positions for status indication at the ESD
operator facility. Local indication on valve body shall also be
provided.

Engineering Group
Spea'fication

5.4

5.5

Specification Number
01 ~ - Y H - I O O ~

Rev

Date

Sheet

05-08-94

18 of 22

5.3.8

Operation time of shutdown and depressurising valves t o the safe

position shall be as fast as practical consistent with the control of
hydraulic pressure surge in the system. evaluation of the process
response t o valve openinglclosing shall be investigated by the
Contractor t o establish fastest acceptable operation. Each
valve/actuator combination shall be specified t o suit.

5.3.9

Reset of valves, after ESD action, shall be manual only, carried out
locally at the operating solenoid. Valve reset shall only be
successful if ESD system logic has been reset at the control room,
and the initiating condition is either healthy or inhibited by startup
override in operation.

5.3.10

Interfaces with other electrical equipment/systems shall be via voltfree contacts on interposing relays within the ESD corltrol panel.
Contacts shall be closed during normal operation, opening t o trip.

Location of Shutdown Valves

5.4.1

The location of shutdown valves shall be based on the pressure

rating of each system (i.e., between systems of different pressures),
fire zone consideration and equipment depressurising requirements
(e.g., compressor casings). Generally, shutdown devices (e.g.,
valves) shall be installed at the boundary between systems (and at
areas of different pressure levels e.g., high pressure (HP) and low
pressure (LP).

5.4.2

Preliminary locations have been identified by the Company on

Process Safeguarding Flow Schemes and SAFE charts. These shall
be confirmed by the Contractor during detailed design. Further
design development (such as the out come of a HAZOP study) by
the Contractor may identify additional locations.

Location of De~ressurisinaFacilities
5.5.1

Automatic depressurising facilities for equipment containing

hydrocarbons and having a design pressure in excess of 7 barg ( 100
psig) shall be provided. The depressurising system shall be designed
t o reduce the pressure contained within the equipment t o one half
of the equipment design pressure or 7 barg (100 psig), whichever
is the lower, within 15 minutes.

5.5.2

Additionally, depressurising facilities shall be located in segments

between t w o shutdown valves or a shutdown valve and a normally
closed valve or piece of equipment.
The segment t o be
depressurised may contain an item of equipment or consist of large
line sizes.

Engineering Group
Spewfieation
5.5.3

Specification Number
01 ~ - Y H - I O O ~

Rev

Date

Sheet

05-08-94

19 of 22

All systems which require depressurisation shall be fitted with either

a remotely operated depressurising system controlled from the ESD
control panel, or a locally operated manual system for systems
which are infrequently depressurised or not critical t o the operation
of the Facility. For example, a compressor train shall be fitted with
automatic depressurisation, but a small fuel gas drum may be fitted
with local manual operation system.

5.5.4

The criterion for destination of the depressurised stream shall be

evaluated by the Contractor with all due regard for the design
pressure and maximum system back-pressure of the flare systems.
6.0 PERFORMANCE REQUIREMENTS

6.1 General
The following descriptions of the levels of emergency shutdown are for
general guidance only as t o the overall philosophy. Factors causing
shutdowns and the required effects are discussed, with typical examples
given. Preliminary SAFE Charts shall be referenced for further guidance.
Detailed shutdown requirements shall be developed by the Contractor and
submitted t o Company for approval.

6.2 Level 4: Local Process Element and Related Shutdown

6.2.1

This is the lowest level of shutdown and involves shutdown of an

individual piece of equipment or localised system which is
immediately affected by an upset condition, but not affecting other
equipment.

6.2.2

A localised system may comprise a number of related pieces of

equipment or a complete package. Typically, an upset condition will
have been detected in one element of the system; however, in order
to avoid a cascade effect, the whole system shall be shut down.
Such a shutdown may be immediate or sequential, depending upon
the safe shutdown requirements of the affected system.

6.2.3

This level of shutdown shall only apply to equipment, systems or

packages where shutdown of the affected system does not
necessitate the shutdown of further systems or of a process train.
This may be because the particular system is effectively buffered
from the main process stream by vessels or tanks of sufficient
capacity t o enable process t o continue for a period.

6.2.4

Alternatively, a redundant piece of equipment or system may be

available. Where this is the case, then automatic switchover to the
standby equipment shall be initiated t o enable process t o continue
uninterrupted.

QKOC

6.3

Engineering Group
Specification

Specification Number

Rev

Date

Sheet

01 5-YH-1004

05-08-94

20 of 22

6.2.5

Manual shutdown of individual pieces of equipment shall normally

only be available locally to the equipment (stop pushbutton), or from
the DCS operator interface position.

6.2.6

Shutdown of a localised system shall be initiated automatically by

the ESD system, or manually from the ESD operator facility. In the
event of package equipment supplied with its o w n control system,
then shutdown may be under direct package control, subject to
approval by the Company. Package controllers shall include facilities
t o enable remote shutdown initiation from the ESD system.

Level 3: Production Train Shutdown

This is a shutdown of a single process train. It may be caused by
a process upset or fault condition in a single element of the train
which requires the complete train t o be shut down in order to avoid
damage t o related equipment or t o prevent a hazardous situation
from developing.
An example of this level of shutdown is a pressure switch high
(PSHH) in a separator which causes shutdown valves t o close in
order t o isolate the separator from further sources of pressure. If
there is no redundancy on the train, then this shutdown will
effectively "block" the train and hence require that all upstream and
downstream equipment is safely shut down.
In some cases, e.g., compressor trains, it may be preferable t o put
compressors into recycle, with unit shutdown then under manual
control.
Where a trip from one piece of equipment requires a Level 3
shutdown, then all affected equipment shall be shut down by the
ESD logic, and shall not be dependent upon further measured
parameters going out of acceptable range.

6.4 Level 2: Plant Shutdown without De~ressurisinq

6.4.1

Plant shutdown shall include all process and utility systems, with
the exception of the fire and gas system including firefighting
equipment, such as fire pumps. Level 2 shutdown shall generate a
permissive which enables manual depressurising facilities.
Automatic depressurising shall not occur.

6.4.2

Automatic initiation of Level 2 shutdown shall be required in the

event of any failure which disables control of the Facility, or where
continued operation would be hazardous t o equipment and
personnel. Typically, such failures shall include, but not be limited
to:

Engineering Group
SpecXcation

Specification Number

Rev

Date

Sheet

01 5-YH-1004

05-08-94

21 of 22

a. Instrument air failure.

b. Power failure.
c. Fuel gas failure.
6.4.3

Level 2 shutdown shall also be under manual control from protected

pushbutton on the ESD operator interface in the control room.

6.5 Level 1: Plant Shutdown with De~ressurisinq

6.5.1

Level 1 shutdown is essentially the same as Level 2 with the

addition that all automatic depressurising facilities shall operate.

6.5.2

Level 1 shutdown shall occur automatically upon confirmed fire

detected. It shall also be under manual control form protected
pushbutton in the control room.

6.6.1

In general, shutdowns shall cause the affected equipment or

systems t o be blocked in and isolated from other systems, or
process areas, where upset conditions have not occurred.

6.6.2

Depressurising of the blocked-in systems may then be carried out

either by operators using the ESD system operator interface in the
control room, or using local manual only facility.

6.6.3

Provision of remote control depressurising shall be reviewed on a

"per-system" and the "upset-conditions-possible" basis, in
accordance with the depressurising requirements defined in this
specification.

6.6.4

Automatic depressurising of the plant shall only occur under Level

1 shutdown, i.e., due to confirmed fire.

7.0 TYPICAL LOCATIONS OF SHUTDOWN AND DEPRESSURISING VALVES

Attachment 1, entitled "P&ID Shutdown and Depressurising Specification," shows
typical locations of safety instrumentation and valves. This drawing is included
within this specification for reference only and does not take precedence over
Process Safeguarding Flow Schemes.

Engineering Group
Spm'fication

Specification Number

01 ~ - Y H - I O O ~

Rev

Date

Sheet

05-08-94

22 of 22

ATTACHMENT 1
P&ID SHUTDOWN AND DEPRESSURISING SPECIFICATION