GENERAL SPECIFICATION SAFETY GS SAF 261 Pressure protection and relief, emergency shutdown and depressurisation

January 28, 2017 | Author: 陳國政 | Category: N/A
Exploration & Production

GENERAL SPECIFICATION SAFETY GS SAF 261

Pressure protection and relief, emergency shutdown and depressurisation

Rev.   Date    Notes
01     10/03   Change of Group name and logo
00     04/01   Old TotalFina SP SEC 261

This document is the property of Total. It must not be stored, reproduced or disclosed to others without written authorisation from the Company.

GS_SAF_261 Rev 1.doc

Exploration & Production General Specification GS SAF 261, Rev. 01, Date 10/03

Contents

1. Scope
   1.1 Purpose of the specification
   1.2 Applicability
2. Reference documents
3. Terminology and Definitions
4. Pressure protection and relief
   4.1 Requirements for pressure protection and relief
   4.2 Relief device setting
   4.3 Relief system sizing
   4.4 Relief system configuration
   4.5 Relief devices
5. Emergency shutdown
   5.1 ESD purposes
   5.2 Architecture of the shutdown system
   5.3 Definition of the shutdown matrix
   5.4 Integration of packages
   5.5 Cascades
   5.6 Shutdown devices
   5.7 Physical protection
   5.8 Number of isolations
   5.9 Additional functional requirements
6. Emergency depressurisation
   6.1 Requirements for EDP
   6.2 EDP sequence
   6.3 Protection and functional requirements


1. Scope

1.1 Purpose of the specification
The purpose of this general specification is to define the safety requirements for the design of the Pressure Protection and Relief (PPR), Emergency Shutdown (ESD) and Emergency Depressurisation (EDP) systems of hydrocarbon production and processing installations, pipelines excepted. In accordance with the hazard tree for production installations given in API RP 14J, these systems contribute to the following objectives:
• Containment of hydrocarbon: prevent loss of containment by limiting pressurisation in the facilities and by relieving over-pressure (PPR); limit loss of containment by cutting off incoming hydrocarbon streams (ESD).
• Prevention of ignition: eliminate potential sources of ignition (ESD).
• Mitigation: unstress equipment under fire by releasing pressure (EDP); minimise (or get rid of) hydrocarbon inventory (EDP); limit the quantity released through a leak (EDP); initiate active fire-fighting (1).
Note 1: Active fire-fighting means are mentioned here although they are initiated by the Fire and Gas system, which is not, strictly speaking, part of the ESD system.
The present document is organised in three main sections, each devoted to one of the systems listed above: pressure protection and relief (Section 4), emergency shutdown (Section 5) and emergency depressurisation (Section 6).

1.2 Applicability
This specification is not retroactive. It shall apply to new installations and to major modifications or extensions of existing installations, both onshore (1) and offshore, including interfaces with wells and pipeline systems. It is also applicable to VENDOR's packages.
This specification is limited to highlighting safety matters and does not cover, in particular:
• Scope and content of the operating philosophy (Operations Division)
• Detailed design of well shut-in panels, emergency and vital services supplied by batteries, control and safety instrumentation systems (Technical Department)
• Design of hydrocarbon disposal systems, such as flares, vents, pits, etc. (GS SAF 262)
• Detailed design of processing facilities shutdown requirements (Process Department)
• Design of the Fire and Gas detection systems (GS SAF 312)
• Pipeline proprietary safety systems (GOV, etc.).
Note 1: Applicable by default; however, the requirements conveyed in the present document may be made less stringent for onshore facilities. To be assessed on a case by case basis, considering the nature of the process and the facilities environment.


2. Reference documents
The reference documents listed below form an integral part of this General Specification. Unless otherwise stipulated, the applicable version of these documents, including relevant appendices and supplements, is the latest revision published at the EFFECTIVE DATE of the CONTRACT.

Standards
IEC-1508: Functional safety: safety related systems

Professional documents
API RP 14B: Recommended Practice for Design, Installation, Repair and Operation of Sub-Surface Safety Valve (SSSV) Systems
API RP 14C: Recommended Practice for Analysis, Design, Installation and Testing of Basic Surface Safety Systems on Offshore Production Platforms
API RP 14E: Recommended Practice for Design and Installation of Offshore Platform Piping Systems
API RP 14J: Recommended Practice for Design and Hazards Analysis for Offshore Production Facilities
API RP 520: Sizing, Selection and Installation of Pressure Relieving Devices in Refineries
API RP 521: Guide for Pressure Relieving and Depressuring Systems
API ST 2000: Venting Atmospheric and Low Pressure Storage Tanks
ASME 8: Pressure Vessels
BS 6755: Testing of Valves
ASME B 31-8: Gas Transmission and Distribution Piping Systems

Regulations: Not applicable
Codes: Not applicable
Other documents: Not applicable

Total General Specifications
GS SAF 021: Lay-out
GS SAF 222: Safety rules for machinery and equipment handling hydrocarbon in enclosed areas
GS SAF 226: Safety rules for wells
GS SAF 253: Impacted area, restricted area and fire zones
GS SAF 262: Hydrocarbon disposal systems
GS SAF 312: Guidelines for selecting and installing fire and gas detection systems
GS PVV 142: Valves

3. Terminology and Definitions

Abnormal operating condition: Condition which occurs in a process equipment or unit when an operating parameter ranges outside of its normal operating limits (API).
Availability: Proportion of the total time during which a component, equipment, or system is performing in the desired manner (UKOOA).
Blow-Down: Difference between the set pressure and the closing pressure of a pressure relieving device (API + COMPANY). Note: The term "blow-down" is often used erroneously in lieu of "emergency depressurisation" (see below). This practice is misleading and hence prohibited by COMPANY.
Blow-Down, liquid: Control actions undertaken in response to a hazardous situation to dispose of the liquid hydrocarbon inventory present in a capacity (COMPANY).
Blow-Down Valve (BDV): Automatically operated (fail to open) valve used to vent the pressure from a process station on shutdown (API).
Diversification / Diversity: Existence of different means of performing a required function, for example other physical principles, other ways of solving the same problem, etc., for the sake of minimising common modes of failure (IEC + COMPANY); the wording "diversified redundancy" should be used.


Emergency Depressurisation (EDP): Control actions undertaken to depressurise equipment or process down to a pre-defined threshold (generally 7 bar g or 50% of design pressure) in a given period of time (generally 15 minutes) in response to a hazardous situation (ISO + COMPANY).
Emergency Shutdown (ESD): Control actions undertaken to shut down equipment or process in response to a hazardous situation (ISO).
Emergency Shutdown system: System of manual stations and automatic devices which, when activated, initiate installation shutdown (COMPANY).
Emergency Shutdown Valve (ESDV): High integrity shutdown valve, handling a hazardous fluid or a fluid having an essential function, and located at the limit of a fire zone or within a fire zone to limit hydrocarbon inventory to amounts smaller than 50 m3 (COMPANY).
Equipment: Any component or group of components specifically identified and itemised on the P&ID's (COMPANY).
Failure: Improper performance of a device or equipment item that prevents completion of its design function (API).
Fire and Gas system (F&G): Safety system monitoring temperature or energy flux (fire), concentration of flammable or toxic gases (gas), etc., initiating alarms and shutdown functions at pre-determined levels (COMPANY).
High Integrity Protection System (HIPS): Instrument-based system of sufficient integrity (involving high reliability redundant and/or diversified instruments) so as to make the risk of exceeding the design parameters lower than 10⁻⁴ upon demand (COMPANY).
Overpressure Protection System (OPPS): A HIPS exclusively devoted to overpressure protection (COMPANY).
Permanently manned installation: Installation where personnel are routinely accommodated for more than 12 hours per day (API).
Not permanently manned installation: Installation where personnel are routinely accommodated for less than 12 hours per day, or less than 40 hours per week (COMPANY).
Pressure Protection and Relief device: Device, generally a Pressure Safety Valve (PSV) or bursting disc, releasing hydrocarbon contained inside process equipment in order to ensure that the prevailing pressure does not exceed the design pressure (COMPANY).
Redundancy: The existence of more than one means for performing a required function (IEC).
Reliability: Probability that an item is able to perform a required function under stated conditions for a stated period of time or for a stated demand (UKOOA).
Safety Integrity (SI): The probability for a safety-related system to perform satisfactorily the required safety functions under all the stated conditions within a stated period of time (IEC).

Safety Integrity Level (SIL): One of four possible discrete levels for specifying the safety integrity requirements of the safety functions to be allocated to safety-related systems (IEC).

SIL   Probability γ of failure to perform on demand (1)   Probability λ of a dangerous failure per year (2)
4     γ ≤ 10⁻⁴                                            λ ≤ 10⁻⁴
3     10⁻⁴ < γ ≤ 10⁻³                                     10⁻⁴ < λ ≤ 10⁻³
2     10⁻³ < γ ≤ 10⁻²                                     10⁻³ < λ ≤ 10⁻²
1     10⁻² < γ ≤ 10⁻¹                                     10⁻² < λ ≤ 10⁻¹

Note 1: Applicable to normally not active systems.
Note 2: Applicable to normally active systems.

Shutdown: Control actions undertaken to stop operation of an equipment or a process. Shutdown can be automatically triggered or initiated by voluntary action.

Shutdown Valve (SDV): Automatically operated (generally fail to close) valve used for isolating a process station (API). SDV's are often referred to as Process Shutdown Valves (PSDV). The acronyms SDV and PSDV are equivalent, but SDV shall be used in the present specification because SDV's are not always attached to a process system.
Thermal Expansion Relief Valve (TERV or TSV): Device releasing hydrocarbon trapped inside a capacity (usually a pipeline section) submitted to heat input in order to maintain pressure below design pressure. The acronym "TSV" shall be used in the present specification.
Ultimate Safety System: Set of hardware and solid-state logic that provides diversified redundancy for some essential actions taken by the ESD systems (COMPANY).
Unit: Areas within the installation resulting from its partition into a reasonable number of geographical and functional groups of equipment (COMPANY).
Watchdog: A combination of diagnostics and an output device (typically a switch), the aim of which is to monitor the correct operation of the programmable electronic device and take action upon detection of an incorrect operation (IEC).


4. Pressure protection and relief

4.1 Requirements for pressure protection and relief

4.1.1 Causes of over-pressurisation
The faults listed below can cause an over-pressurisation; they shall therefore be taken into account for the design of PPR systems:
• Blocked outlet, blow-by, inadvertent inlet valve opening from a high-pressure source, check-valve malfunction
• Loss of cooling: loss of power, loss of cooling agent, mechanical failure of fans, reflux failure, etc.
• Loss of heat (some particular cases of fractionation systems in series)
• Fire, excessive heat input, unsteady process (exothermic reactions, etc.)
• Utility failure and/or loss of control (instrument air, power, etc.), uncontrolled repressurisation
• Heat exchanger tube failure, transient pressure surges, quick-closing valves
• Severe slugging regime (multiphase flow).
Process facilities shall be designed to minimise the probability of occurrence of these causes. The rules and principles contained in this document are focused on the mitigation devices that minimise the effects of an over-pressurisation.

4.1.2 Pressure protection systems
Three main approaches are possible for pressure protection systems:
4.1.2.1 Full pressure-rated mechanical design
The system design pressure exceeds the maximum possible pressure at design temperature, including in case of process upset, with due allowance made for corrosion.
4.1.2.2 Relief systems
The system design pressure includes a safety margin above the system maximum operating pressure but, in case of a process upset, the pressure prevailing in the system can nevertheless exceed the design pressure. The system is therefore fitted with devices actuated by the system static pressure and designed to open in upset conditions.
4.1.2.3 Over-Pressure Protection Systems (OPPS)
OPPS's belong to the HIPS category. They are instrument-based systems of sufficient integrity (involving high reliability redundant and/or diversified instruments) so as to make the risk of exceeding the design pressure acceptable. Their integrity level shall be SIL 4.

4.1.3 Pressure protection system selection criteria
4.1.3.1 Full pressure-rated mechanical design
This type of design is mandatory downstream of wellheads up to the production manifold and for closed drain gathering networks up to the closed drain drum.


It is highly recommended for the production manifold itself and advisable up to the first stage separator when technically realistic. Any part of a compression unit should be able to withstand the equalising ("settle out") pressure after a shutdown.
Note: Thermal expansion relief valves (TSV's) may be necessary on these full pressure-rated lines handling liquids. Refer to Paragraph 4.1.4.
4.1.3.2 Relief systems
Offshore, and in accordance with API RP 14C, primary protection against over-pressurisation shall be provided by a PSHH (actuating an SDV or an ESDV) and secondary protection by relief valves. Although not specifically meant for the onshore environment, the API RP 14C approach shall be applied onshore too as a basic rule. Possible exceptions (low hazard facilities and/or low sensitivity environment) shall be discussed with and approved by COMPANY.
4.1.3.3 Overpressure Protection Systems (OPPS)
OPPS's are not an option given preference by COMPANY. An OPPS shall be selected only when full pressure-rated designs and relief systems prove impractical, generally because of environmental considerations (to avoid relief to atmosphere through a relief valve) and/or lay-out constraints (size of relief headers and associated downstream systems: vents, flares, etc.). In all cases, an exception dossier including a reliability study based on detailed design, including equipment brand, type and model, shall be submitted for approval to COMPANY's Operation, Process and Safety Departments.
Note: Thermal expansion relief valves (TSV's) may be necessary on OPPS-protected equipment. Refer to Paragraph 4.1.4.

4.1.4 Criteria for installation of relief devices
Pressure relief devices shall be limited to hardware devices without common failure mode. Pressure relief devices may consist of one, or a combination, of the following: process PSV, fire case PSV, TSV, bursting discs or other specific devices (1).
Note 1: In particular, by-pass devices sometimes installed around HP flare staggering manifolds in lieu of bursting discs, consisting of a disc blocking the gas path and held in position by a buckling stem. These devices are VENDOR specific and are not elaborated upon any further in the present specification.


The criteria for installation of PSV's and TSV's are as follows:

Item                                                               PSV (Process)   PSV (Fire case)   TSV
Piping that cannot be isolated (5):
  - All fluids                                                     No              No                No
Piping that can be isolated (5) but cannot be exposed to fire:
  - Flammable gas                                                  No (1)          No                No
  - Liquefied HC (4)                                               No (1)          No                Yes (7) (6)
  - Liquid HC                                                      No (1)          No                Yes (7) (6)
Piping that can be isolated (5) and can be exposed to fire (8):
  - Flammable gas                                                  No (1)          if > 3 tonnes     No
  - Liquefied HC (4)                                               No (1)          if > 2 tonnes     Yes (6)
  - Liquid HC                                                      No (1)          if > 2 tonnes     Yes (2) (6)
Vessels that cannot be isolated (5):
  - All fluids                                                     Yes (3)         No                No
Vessels that can be isolated (5) but cannot be exposed to fire:
  - All fluids                                                     Yes (3)         No                No
Vessels that can be isolated (5) and can be exposed to fire (8):
  - All fluids                                                     Yes (3)         Yes               No

Note 1: Assuming piping is protected against the maximum possible pressure under upset conditions (full pressure-rated design or PSV installed upstream of it). Otherwise a process PSV is required.
Note 2: The installation of TSV's on piping handling liquid hydrocarbon shall be assessed case by case, based on service criticality and risk assessment.
Note 3: As per ASME 8.
Note 4: Includes pressurised hydrocarbon at ambient temperature, refrigerated hydrocarbons at atmospheric pressure or partially refrigerated pressurised hydrocarbon.
Note 5: Any type of isolation, automatic or manual valves.
Note 6: A TSV is not required if a PSV (process or fire case) is already installed.
Note 7: A TSV is required if ambient temperature conditions and/or sun radiation may lead to the prevailing pressure exceeding the piping design pressure.
Note 8: Piping or vessels shall be considered as possibly exposed to fire if more than 10% of their external surface can be either engulfed in a pool fire or submitted to a jet fire likely to last more than 3 minutes.
In case of toxic substances, the threshold criteria for the installation of fire case PSV and/or TSV may be made more stringent. This issue shall be assessed on a case by case basis.


4.2 Relief device setting
The set points and other characteristics of the relief devices shall be as per API RP 520 for process equipment, utilities and pressure vessels for storage of liquefied hydrocarbon. API ST 2000 recommendations shall apply for liquid petroleum product tanks.

4.3 Relief system sizing

4.3.1 Failure cases
Individual relief valves shall be sized to relieve the pressure resulting from the combination of any single safety system failure (double jeopardy not considered) with any possible process failure, including general failure cases such as instrument air or UPS failure. Fire shall also be considered and relief devices sized accordingly.

4.3.2 Multiple wells system relief
The relief system shall be sized to handle the most demanding overpressure situations likely to occur with a probability larger than 10⁻⁴, or the combinations (in terms of flowrate to be relieved) of overpressure situations whose products of individual probabilities of occurrence are larger than 10⁻⁴. During Pre-Project, and in the absence of a general common mode of failure, the following reliability figures shall be used by default:
• The probability of failure to close for each individual well ESDV (master valve and/or wing valve) shall be 5%, and at least one well (the well with the largest flow contribution) shall fail to close.
• For wells not equipped with individual ESDV's and collecting to trunk-lines equipped with ESDV's, the probability of failure to close for each ESDV shall be 5%, and at least one trunk-line (the trunk-line with the largest flow contribution) shall fail to close.
• In case of a riser platform receiving remote wellhead effluent through a trunk-line, the probability of failure to close for each trunk-line incoming ESDV shall be 5%, and at least one trunk-line (the trunk-line with the largest flow contribution) shall fail to close.
• The total flow shall be considered for wells and trunk-lines without ESDV.
At a later stage, i.e. during Basic Engineering, the figures mentioned above shall be confirmed or amended following a particular study including detailed reliability figures and risk assessment.
Where relevant, a transient analysis shall be conducted to check that the incoming ESDV closing time does not lead to an overpressure situation in the flow-line, manifold or even trunk-line. If this were the case, the pressure relieving devices would be sized to avoid this occurrence, unless the piping section likely to become overpressured can be designed to withstand the well shut-in pressure.

4.3.3 Control valves
Sizing of PSV's for protection against overpressure in case of failure of control valves fitted with a by-pass shall be covered by guidance provided by COMPANY's Process Department.
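The default sizing basis of 4.3.2 can be worked through as a small calculation. The Python script below is an added worked example and is not part of the specification. It applies the Pre-Project defaults stated above: a 5% fail-to-close probability per ESDV, the largest contributor fixed as failed, further simultaneous failures retained while the product of their individual probabilities stays at or above 10⁻⁴, and streams without ESDV counted in full. Because the three bullets share one structure, the same function covers individual well ESDVs, trunk-line ESDVs and the riser-platform case. Two points are assumptions made here rather than statements of the text: the mandated failure of the largest contributor is taken as certain (its 5% is not multiplied in), and the stream names and flowrates are constructed.

```python
"""Default relief-load basis for a multiple-well system (GS SAF 261, 4.3.2).

Added worked example, not part of the specification. Pre-Project default
figures from the text: each ESDV (well or trunk-line) has a 5% probability
of failing to close, the largest contributor is assumed to fail, and further
simultaneous failures are retained while the product of their individual
probabilities stays at or above 1e-4. Streams without ESDV always contribute
their full flow. Valid only in the absence of a common mode of failure.
Stream names and flowrates below are constructed; flow units are arbitrary
but must be consistent (e.g. kg/h).
"""
from typing import Dict, Optional, Tuple

P_FAIL_TO_CLOSE = 0.05    # default per-ESDV fail-to-close probability (4.3.2)
PROBABILITY_FLOOR = 1e-4  # situations less likely than this are not sized for


def max_additional_failures(p_fail: float = P_FAIL_TO_CLOSE,
                            floor: float = PROBABILITY_FLOOR) -> int:
    """Largest k such that p_fail**k >= floor.

    k is the number of ESDVs, beyond the one the spec fixes as failed, that
    may be assumed to fail at the same time. Repeated multiplication avoids
    the rounding surprises of log(floor)/log(p_fail) at the boundary.
    """
    k, product = 0, 1.0
    while product * p_fail >= floor:
        product *= p_fail
        k += 1
    return k


def relief_load(isolatable: Dict[str, float],
                non_isolatable: Optional[Dict[str, float]] = None,
                p_fail: float = P_FAIL_TO_CLOSE,
                floor: float = PROBABILITY_FLOOR
                ) -> Tuple[float, Tuple[str, ...], float]:
    """Return (relief flowrate, streams assumed flowing, scenario probability).

    isolatable: streams (wells or trunk-lines) protected by an ESDV -> flow.
    non_isolatable: streams with no ESDV -> flow; always counted in full.
    The scenario probability is p_fail**k for the k additional failures; the
    mandated failure of the largest contributor is taken as certain
    (interpretation assumed here, not stated in the text).
    """
    non_isolatable = non_isolatable or {}
    if not isolatable:
        raise ValueError("at least one ESDV-protected stream is required")
    # Largest contributor first: the spec fixes it as failed to close.
    ranked = sorted(isolatable.items(), key=lambda kv: kv[1], reverse=True)
    k_extra = min(max_additional_failures(p_fail, floor), len(ranked) - 1)
    failed = ranked[:1 + k_extra]
    flow = sum(f for _, f in failed) + sum(non_isolatable.values())
    names = tuple(n for n, _ in failed) + tuple(non_isolatable)
    return flow, names, p_fail ** k_extra


if __name__ == "__main__":
    # Constructed case: six wells with individual ESDVs, one well without.
    wells = {"W1": 500.0, "W2": 400.0, "W3": 300.0,
             "W4": 200.0, "W5": 100.0, "W6": 50.0}
    no_esdv = {"W7": 80.0}
    flow, names, prob = relief_load(wells, no_esdv)
    print(f"size relief for {flow:.0f} (streams {', '.join(names)}), "
          f"scenario probability {prob:.2e}")
```

With the 5% default, 0.05³ = 1.25 × 10⁻⁴ is still above the floor while 0.05⁴ is not, so the design case is the mandated failure plus the three next largest contributors; with only two trunk-lines the count is capped at what exists. Changing `p_fail` to the detailed-design reliability figures of Basic Engineering re-derives the case without touching the logic.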


4.4 Relief system configuration

4.4.1 Number of relief valves
The number of relief valves fitted onto an equipment is not driven only by safety related concerns. However, the following rules shall apply on top of other (e.g. process) considerations:
• For process pressure safety valves, if n is the number of PSV's (or sets of PSV's) necessary to ensure 100% relief capacity, then n + 1 PSV's (or sets) shall be installed (generally 2 x 100%, possibly 3 x 50%).
• A single PSV (fire case) can be provided for equipment that can be momentarily isolated for maintenance (e.g. test separator), provided the fire case PSV does not also fulfil a process function.
• Where, for capacity reasons, several pressure relief valves must be provided in parallel, the set pressures should be staggered to avoid chattering during relief. The difference between set points shall be less than 6% of the design pressure.
• A single TSV shall be provided for pipework thermal relief.

4.4.2 Isolation valves
The following rules shall apply:
• n + 1 sets of pressure relief valves shall be associated with car seal procedures for both upstream and downstream isolation valves. Interlock devices with keys are to be avoided.
• Upstream isolation valves, if any, shall be of a configuration suitable for the upstream conditions. For high pressure (P > 70 bar) or toxic gases (H2S partial pressure > 1 barg), double block and bleed systems or positive isolation shall be installed.
• For single 100% capacity pressure relief valves, the fitting of upstream isolation valve(s) shall be assessed, depending on the operating philosophy.
• If feasible, and provided this does not create interference with other process systems, the relief discharge lines from a process unit shall be routed to a common sub-header. No isolation valve shall be provided on each individual relief discharge line, and a single isolation valve shall be fitted on the sub-header, upstream of its connection with the main header.
• Where downstream isolation valves cannot be avoided, they shall be locked open in normal operating conditions. A single valve without positive isolation is considered acceptable even for toxic gas services.
• Isolation valves shall be full bore unless a specific exception is granted by COMPANY.

4.4.3 Relief system piping
The fitting of check valves downstream of relief devices is prohibited. Relief lines shall slope downwards to the relief header, without any low point. Adequate systems shall be installed to separate liquids before the vent or flare tip. Where a significant quantity of liquid is expected, a K.O. drum shall be provided with its own liquid evacuation devices. The design of the network and, in particular, of the drain points shall be such that the ingress of air under vacuum conditions is avoided. The relief headers shall slope continuously towards the vent or flare.


The relief piping shall be selected from material suitable for the lowest expected discharge temperatures. If water may be present, the risk of ice or hydrate formation shall be assessed, and methanol or glycol injection or any other suitable mitigation measure, such as separate headers to the flare K.O. drum, should be envisaged to avoid blockage. Adequate supports shall be provided upstream and downstream of the relief devices.

4.5 Relief devices

4.5.1 Spring loaded relief valves
4.5.1.1 Conventional spring-loaded relief valves
They shall be installed where back-pressure does not exceed 10% of the set pressure. They are the recommended type for TSV's.
4.5.1.2 Balanced pressure relief valves
They are suitable for back-pressures ranging from 10% to 50% of the set pressure. They can be of two main types: balanced piston and balanced bellows. Balanced bellows shall be given preference where the fluid is corrosive or fouling. If the relief valve is located where venting to atmosphere would present a hazard, the bonnet vent shall be piped to another disposal system, independent of the relief valve discharge system.

4.5.2 Pilot-operated relief valves
Pilot-operated relief valves shall be selected rather than conventional spring-loaded relief valves when any of the requirements listed hereafter is paramount: low accumulation rates, more accurate settings and thus higher suitability for high pressure service, calibration without removing the valve, handling of large flows, etc. They can be of two main types: piston or diaphragm. Safety-wise, neither is given preference, but only types with non-flowing pilots shall be used. Where environmental constraints are stringent, the modulating-action type (the pilot opens the PSV just enough to satisfy the required relieving capacity) shall be given preference over the pop-action type (the pilot causes the relief valve to open fully). The type of operation shall be either specified by, or submitted for approval to, COMPANY's Process Department.

4.5.3 Bursting discs
The use of bursting discs shall be limited to the cases listed below and avoided in all other cases:
• Fast response is required, e.g. protection of the water side of a gas cooler in case of tube rupture
• The downstream relief system must be protected from a corrosive fluid (in this case, particular attention should be paid to preventing any debris from damaging or plugging a downstream relief valve)
• Emergency disposal systems are normally by-passed and must be rapidly put into operation when the flow increases, e.g. staggering manifold of a set of sonic flares (in these particular cases, where the pressure differential can be low, the alternative of providing a shear pin device should be considered).
Bursting discs can be of various types:
• Conventional bursting discs: suitable when operating conditions are stable and do not exceed 70% of the rated burst pressure. If vacuum or back-pressure can be present, bursting discs shall be fitted with an adequate support to prevent reverse flexing or implosion.
• Scored tension-loaded bursting discs: they shall be given preference over conventional bursting discs when the system operating pressure reaches 85% of the rated burst pressure and/or when debris resulting from disc burst is to be avoided.
• Reverse-acting bursting discs: recommended when operating pressure reaches up to 90% of the rated burst pressure. Compared with scored tension-loaded bursting discs, they present additional advantages which should be considered for selection: their increased material thickness provides improved resistance to corrosion and, in most cases, they can withstand full vacuum without additional support.
• Composite bursting discs: to be selected when resistance to corrosion is a paramount requirement.
  - Domed type: suitable for operating pressure reaching 80% of the rated burst pressure.
  - Flat type: particularly suitable for low rated burst pressures; they shall typically be used as corrosion barriers, in which case they may typically operate at 50% of the rated burst pressure.

5. Emergency shutdown

5.1 ESD purposes

5.1.1 General philosophy
An ESD system consists of a set of safety devices, the main purposes of which are as follows:
• To limit the loss of containment, by isolating hydrocarbon production, processing and storage equipment
• Prevention of ignition by elimination of potential sources of ignition
• Reduction of flammable inventory by depressurisation.

5.1.2 Additional design considerations
The design of the ESD system shall not take into account only the needs resulting from normal operation; it must also fulfil the requirements that may arise during other possible (and likely to occur) abnormal or degraded configurations. It is not the purpose of this general specification to define the methodology that will be used to select relevant operating configurations; nevertheless the following issues shall be adequately addressed when relevant:
• Shutting down an equipment or unit does not necessarily eliminate all sources of hazard.
• New hazards can appear as a consequence of the loss of essential utilities such as essential power, air, hydraulics, etc. These new hazards shall be identified and mitigated, and the associated risks shall be assessed.
• All operating configurations generated by the ESD system shall be safe and steady-state. All ESD-related transients from one operating configuration to another shall be safe.
• The ESD shall be compatible with the re-start philosophy. All operating configurations of the re-start sequence, from black-out status to full production status, shall be safe, stable and reversible. The inevitable inhibitions of the control and safety systems during the re-start sequence shall be identified and limited in number, time and duration.
• In some circumstances, changing control settings to overcome a fault should be considered as a safer alternative than immediately shutting down the equipment or unit.
• Shutdown should be understood as a generic wording only. Shutdown does not mean that all valves close or all equipment trips. Some ESDV's or SDV's can be diverting valves that open when the main flow is stopped; BDV's may be required to open; the load on some systems, such as disposals, is increased; some equipment starts upon the "Shutdown" trigger signal, such as the essential generator, fire-fighting facilities, etc.
5.1.3 Abnormal and simultaneous operations
Particular attention shall be paid to non-routine operating conditions and to the suitability of the ESD and EDP systems to deal with them. The main scenarios contemplated shall be:
• Degraded modes of operation: wireline job on a well, maintenance of a safety system, short-time deviation from product specification, etc.
• Simultaneous operations: drilling/work-over and production, maintenance and production, construction and production, etc. Each operation shall be safe, but particular attention shall be paid to the safety of the combination resulting from their simultaneity (example: simultaneous maintenance on two systems).
In some cases, abnormal operating conditions may require a different shutdown logic than that, or the combination of those, applicable under normal circumstances. For instance:
• A specific ESD logic can be activated when a wireline job starts (refer to Paragraph 5.3.9), or when operators come to a normally unmanned wellhead platform
• A temporary enhanced ESD logic can prove beneficial for simultaneous construction/major overhaul and production.

5.2 Architecture of the shutdown system

5.2.1 Principles of separation of instrument systems
It is essential to distinguish five functionally different instrument systems:

Functional system            Abbrev.   Function
Process Control System       PCS       Controls and associated alarms
Process Safety System        PSS       Trips and associated SD actions + local (package) F&G
Emergency Shutdown system    ESD       Emergency SD actions
Fire and Gas System          F&G       Outdoors and/or general fire and gas related ESD actions
Ultimate Safety System       USS       Back-up of ESD actions

The PCS is not part of the present specification. It does not fulfil a safety function and shall always be separate from other instrument systems having a safety function. It is linked to the PSS, ESD and F&G by a duplex databus when digital technology is used.

The PSS controls all causes/actions pertaining to Level-3 shutdowns (i.e. individual equipment), including fire and gas at local level. In this respect the PSS can include a F&G sub-system, generally provided with the equipment and by its VENDOR, and distinct from the main F&G system mentioned below. See Paragraph 5.2.6.

The ESD system manages all process-related inputs and outputs relative to Level-0 ESD (whole facility, if applicable), Level-1 ESD (fire zone) or Level-2 (process unit) shutdown. It is also fed by signals from the main F&G system (see below).

The main F&G system deals with fire and gas detection outdoors and in places (e.g. technical room, control room, etc.) where they may result in consequences involving more than just one specific equipment. It generates the corresponding Level-1 ESD actions, except those related to process, which are undertaken by the ESD system. The F&G system thus provides input to the ESD system. The F&G system does not generate Level-2 shutdown actions.

The USS, at least, just backs up part of the ESD and F&G systems to ensure that the required Safety Integrity Level is reached; in particular it is meant to avoid common modes of failure in electronic circuitry and/or in control software.

5.2.2 Reliability and availability
In order to achieve their reliability requirement, critical parts of the ESD and F&G systems may need to be duplicated or even triplicated. To avoid that the multiplication of systems decreases availability (more spurious trips), which might eventually lead to a reduction of the installation's global safety level, the alarms and trip signals generated by redundant shutdown systems shall be processed by a voting system.
Their principles are detailed below:

5.2.2.1 Dual systems
This type of system shall be selected for enhanced reliability but shall also be fault tolerant to a single random hardware failure for improved availability. Internal architectures for dual systems different from the recommended arrangement described below (see Figure 1 - Typical block diagram for dual systems) shall be discarded unless it is demonstrated that they provide the same level of reliability and availability.
Inputs shall be processed by two independent input modules, each module feeding its own logic unit. Outputs from each logic unit shall be routed to independent output modules, both modules feeding simultaneously one final element per output, where the voting logic is achieved. A "one out of two" voting is achieved in the final element, provided the output of each logic unit is confirmed by the logic unit watchdog, i.e. that the logic units operate as they should. If the watchdog detects a logic unit malfunction, then the output from this logic unit shall be disregarded and the output from the other logic unit shall prevail. If both logic units are at fault, then the final element shall set the equipment to its safe position.

5.2.2.2 Triplicated systems
These systems shall be given preference over dual systems when performance requirements in terms of safety integrity level are such that they are the only alternative left. The same general principles as those valid for dual systems shall apply, except that three channels instead of two operate in parallel. The major difference comes from the fact that a simple "two out of three" logic shall be achieved in the final element, thus providing enhanced availability. Optionally, and in order to further enhance reliability (this is not a compulsory requirement for safety purposes), each leg of the terminal element can be fitted with a built-in loopback circuit that allows diagnostics to be run on the output voter circuit, so that a terminal element failure can be detected quickly. See Figure 2 - Typical block diagram for triplicated systems.
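The final-element voting described in 5.2.2.1 and 5.2.2.2, as an added worked example that is not part of this specification. Each channel delivers a trip demand and a watchdog status; a channel whose watchdog reports a logic-unit fault is disregarded, and the element goes to its safe position when no healthy channel remains. The specification only states the voting for healthy channels; the fallback of the triplicated voter to 1oo2, then to the single survivor, is an assumption made here (favouring safety over availability), as is the loopback readback model. Channel and leg names are constructed.

```python
"""Added example (not from GS SAF 261): terminal-element voting for the dual
(1oo2) and triplicated (2oo3) architectures of 5.2.2, with watchdog-based
degradation. Channel and leg names are constructed for the example.

Convention: True means "trip demand" (de-energise, go to the safe position).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Channel:
    trip: bool          # output of this logic unit: True = trip demand
    watchdog_ok: bool   # the logic-unit watchdog confirms the unit is running


def vote_dual(a: Channel, b: Channel) -> bool:
    """Dual system (5.2.2.1): one-out-of-two between channels whose watchdog is
    healthy. A channel whose watchdog reports a fault is disregarded and the
    other channel prevails; if both are at fault the element goes safe."""
    healthy = [c for c in (a, b) if c.watchdog_ok]
    if not healthy:
        return True                      # both logic units at fault: safe position
    return any(c.trip for c in healthy)  # 1oo2, or the surviving channel alone


def vote_triple(a: Channel, b: Channel, c: Channel) -> bool:
    """Triplicated system (5.2.2.2): two-out-of-three while all three watchdogs
    are healthy, so one spurious trip demand does not stop the plant.
    Degradation after a watchdog fault is not spelled out in the specification;
    here the voter falls back to 1oo2, then to the single survivor, then to the
    safe position (assumption: favours safety over availability)."""
    healthy = [ch for ch in (a, b, c) if ch.watchdog_ok]
    if not healthy:
        return True
    demands = sum(ch.trip for ch in healthy)
    if len(healthy) == 3:
        return demands >= 2              # 2oo3
    return demands >= 1                  # degraded: 1oo2 or 1oo1


def loopback_faults(commanded: bool, readback: dict) -> list:
    """Optional loopback diagnostic of 5.2.2.2 (modelled as an assumption):
    each leg of the terminal element reads back its own output state. A leg
    whose readback disagrees with the commanded state is reported so that the
    fault is found before a real demand."""
    return sorted(leg for leg, state in readback.items() if state != commanded)


if __name__ == "__main__":
    ok_no_trip = Channel(trip=False, watchdog_ok=True)
    ok_trip = Channel(trip=True, watchdog_ok=True)
    faulted_trip = Channel(trip=True, watchdog_ok=False)
    print("dual, healthy channel demands trip:", vote_dual(ok_trip, ok_no_trip))
    print("dual, faulted channel demands trip:", vote_dual(faulted_trip, ok_no_trip))
    print("triple, one spurious demand:", vote_triple(ok_trip, ok_no_trip, ok_no_trip))
    print("legs failing readback:",
          loopback_faults(False, {"leg1": False, "leg2": True, "leg3": False}))
```

The point a practitioner should take from `vote_dual` is that the watchdog changes the meaning of the final-element wiring: without it, a channel that has crashed with its output stuck at "trip" would stop the plant, and one stuck at "no trip" would silently halve the safety integrity.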

[Figure 1: two parallel channels, each with an input module (IM), a PLC with watchdog and an output module (OM), from the field sensors to one common terminal element (S) supplied at -24 VDC; the output of each channel is gated (&) by its own watchdog before the terminal element.]
Note: Communication link between PLC's for enhanced diagnostics not shown.

Figure 1 - Typical block diagram for dual systems

[Figure 2: three parallel channels, each with an input module (IM), a PLC with watchdog and an output module (OM), from the field sensors to one common terminal element (S) supplied at -24 VDC.]
Note: Communication links between PLC's for enhanced diagnostics not shown.

Figure 2 - Typical block diagram for triplicated systems

Note: A totally redundant architecture (from field sensor to terminal element) as shown in Figure 1 and Figure 2 is required for systems that need redundancy to meet their reliability targets and for which all channels operate in parallel. It may happen however that some systems are partially duplicated for availability reasons (mainly maintenance and on-line modifications) and have only one channel operating at a time. In this case multiplication of field sensors and/or input modules is not required.

5.2.3 Transmission of signals
The transmission of output signals generated by the ESD, F&G and USS systems towards field equipment, i.e. all ESD-0, ESD-1 and SD-2 action signals, shall be achieved by dedicated hardwired connections. In order to further improve reliability upon demand, all ESDV's, SDV's and BDV's connected to these systems shall be fitted with two solenoid valves mounted in series but kept energised by the same cable. Considering that the reliability requirements for the PSS are less stringent than for the ESD, F&G and USS systems, signals outgoing from the PSS to field equipment, as well as signals outgoing from the ESD, F&G and USS towards the PSS, can be transmitted through a data highway.
Note: It may happen that one valve is controlled simultaneously by the ESD and by the PSS. In this case two solenoid valves shall be mounted in series, one connected by dedicated hard wire to the ESD system, the other connected to the PSS.

5.2.4 Means of separation
The reliability of programmable logic controller-based systems shall be critically scrutinised, particularly with regard to common failure modes. Considering also that redundancy does improve the reliability of safety systems but that using identical systems does not eliminate all common modes of failure, safety system diversification shall be preferred whenever feasible.
The following general principles shall be adhered to:
• Separation of tappings, sensors, transmitters (PCS and PSS or ESD)
• Separation of valves (control valves, SDV, ESDV)

• Functional independence of logic treatment systems (PSS, ESD and F&G), although this rule may suffer some exceptions (see note 1)
• Physical independence (see note 2) of safety systems (ESD and USS)
• Hard-wired back-up for ESD actions (USS).
Note 1: In some cases a gas detector that is part of the local F&G system, and hence pertains to the PSS, can also provide an input to the main F&G system if (i) the signal is not pre-processed in the PSS and (ii) the sensor integrity matches the requirements applicable to components of an ESD system.
Note 2: Refer to Paragraph 5.2.6, Fire and Gas system, for further information about the physical independence of ESD and F&G systems.

5.2.5 Ultimate Safety System
The USS does not duplicate the ESD or F&G; it just backs up some essential ESD Level-1 and Level-0 actions initiated by these systems upon manual activation, and by-passes the normal logic treatment (i.e. through the PLC's and their associated input/output modules). For simple installations such as wellhead platforms, or if it can be demonstrated that the SIL requirement is achieved by the ESD and F&G alone, the USS is not mandatory.
The USS shall be transparent to the operator; it shall in no case lead to the installation of a specific set of controls (e.g. push-buttons) in addition to those already required for ESD and/or F&G. In practice the signal from, say, one ESD-1 push-button shall be routed to the ESD for appropriate treatment and also to the USS. The signal from the push-button shall first input the ESD/F&G, to let these systems achieve the shutdown in an orderly fashion; it shall activate the USS only after a suitable time delay. The logic treatment within the USS shall be kept to a minimum, and such short cuts as de-energising a common 24 V power supply to a group of instruments are acceptable. The USS logic, if any, shall be achieved with solid state components or conventional relays.
The following actions shall be backed up by the USS:
• Closing/opening of all ESDV's/BDV's pertaining to the concerned fire zone(s)
• Upstream electrical isolation (1) of the concerned fire zone, with the exception of systems powered by batteries (controls, emergency post-lube, etc.)
• Inhibit essential generator start-up, if any and relevant
• Trip, stop or shut off all equipment likely to constitute a source of ignition (2) in the concerned fire zone (gas or diesel engines, gas turbines, fired heaters, etc.), except diesel-driven fire pumps (3).
Note 1: The USS shall just open the circuit breakers feeding power to the fire zone from the main MCC but shall not back up electrical isolation as possibly achieved by the ESD.
Note 2: A specific study shall be conducted during the engineering phase to decide what equipment shall be connected to the USS and what equipment shall be left dependent only on the ESD and the F&G. As a general rule, only equipment not certified for operation in hazardous areas shall be tripped by the USS.
Note 3: Fire water pumps, if already running and with their selector mode set to "automatic", shall not be shut down by the USS when it is activated.

Activation of the fire-fighting means (opening of deluge valves, CO2 release, fire water pump start-up, etc.) shall not be backed up by the USS.

5.2.6 Fire and Gas system
The F&G manages all inputs provided by fire and/or gas detectors, performs the corresponding logic treatment and generates the relevant outputs. The F&G deals only with safety actions of the highest level, namely ESD-0 and ESD-1. Fire and gas detection and logic related to a piece of equipment shall be achieved locally by a system provided by the package VENDOR.
Outputs from the F&G system can go straight to equipment (e.g. electrical isolation, activation of fire-fighting means, etc.) or else feed the ESD system, which shall take the process-related actions (e.g. close ESDV's, open BDV's, etc.). As a consequence, the Safety Integrity Level of the F&G system shall be at least as good as the SIL of the ESD system.
The F&G shall always be functionally independent of the ESD. It may happen that the functions pertaining to these two systems are performed by common equipment, for instance when a sophisticated redundant PLC-based system is used. This option is sound provided the F&G reliability is not impacted and the software managing ESD and F&G is treated as two independent functional entities, with the links between them clearly identified and documented.

5.2.7 Process Safety System
The presence of a PSS is not a compulsory requirement, and it is acceptable that the functions normally achieved by the PSS (i.e. Level-3 shutdown actions) are controlled by the ESD. This is typically the case for very simple installations and/or very low complexity packages. When both PSS and ESD functions are performed by the ESD, the PSS logic treatment shall be handled as if it pertained to the ESD and is not required to be functionally independent from the ESD.
However, input signals feeding the Level-3 shutdown logic are not required to match the requirements applicable to ESD input signals, and transmission of Level-3 output signals to equipment can be achieved through a data highway (not necessarily through dedicated hardwired connections).

5.2.8 SIL requirement
Regardless of their technology (digital, solid state electronics, hydraulic, pneumatic, conventional relays or any combination of these), HIPS shall be SIL 4, ESD and F&G shall be SIL 3 and PSS shall be SIL 2.
In addition, PLC technology based safety systems shall have their application software residing in some form of non-volatile storage memory, and the safety logic, together with any programming that interacts with the safety logic or with the detection logic for input/output devices, shall be separated from all other programming. In case of failure (either power supply or PLC), the system shall provide an alarm, revert to a safe default condition and maintain the safe condition until restoration of power and clearance of the faults.

[Figure 3: the Process Control System (operator interface) is linked by duplex databus to the Process/Package Safety Systems (PLC), the ESD system (PLC) and the Fire & Gas system (PLC) (6); the Ultimate Safety System provides a hardwired back-up of ESD-0/ESD-1 actions. Inputs shown: SD3 input, PB SD3, local fire, local gas (7); PB SD2, SD2 input; SD1 input, zone gas, zone fire, PB SD1, PB SD0. Output actions shown, from SD-3 to ESD-0: equipment shutdown, electrical shutdown of equipment, open/close SDV's (8), activate local fire-fighting equipment, close dampers and shut down HVAC, unit shutdown (9), open BDV's / close ESDV's, trip all equipment in fire zone (9), electrical isolation in fire zone (except vital consumers & controls) (1)(2)(3), activate fire-fighting in fire zone (4)(5), total electrical SD in restricted area (9).]
Legend: hardwired link; digital link; hardwired back-up; ESD-0, ESD-1, SD-2, SD-3.
Note 1: Some actions only: non-certified equipment in hazardous areas.
Note 2: Grouped by fire zone.
Note 3: Generator incomers + all battery outgoers only.
Note 4: Not backed up by USS because manual activation is possible.
Note 5: Not backed up by USS because the electrical equipment is suitable for hazardous areas.
Note 6: ESD and F&G functions can be accomplished by one unique system.
Note 7: Gas detection in ventilation/combustion air duct, if required.
Note 8: PSS action on ESDV, if necessary.
Note 9: If local fire and/or gas detection is activated.

Figure 3 - Typical shutdown system architecture

5.3 Definition of the shutdown matrix

5.3.1 Definition of shutdown levels
The definition of shutdown levels varies with the type of installation, the number of fire zones and their location, the number of independent units in each fire zone and other characteristics. Each case is specific, and the following development is intended to provide guidelines rather than replace engineering judgement. Refer to Figure 4 and Figure 5 for two typical shutdown logic diagrams.
It is common practice within COMPANY to define a maximum of four shutdown levels of decreasing criticality, numbered 0 to 3, affecting the whole installation (level-0), a given fire zone within the facilities (level-1), a given unit within a given fire zone (level-2) and an individual equipment or package (level-3).
Level-0 and level-1 shall be called ESD levels because they involve either fire/gas detection in an unconfined environment (hence a situation possibly subject to escalation) or emergency manual action. Level-2 and level-3 shall be called (shutdown) SD levels because they correspond either to a mere process upset or to fire/gas detection sufficiently well contained that it does not threaten, at least immediately, the safety of the facility and of the personnel.

5.3.2 Differences onshore/offshore
The fundamentals driving shutdown logic design are always the same; however the environment (onshore versus offshore) leads to three main differences:

5.3.2.1 ESD-0
ESD level-0 is applicable only to permanently manned offshore installations, and only if their size, the manpower level and statutory requirements impose it. In all other cases (all onshore plants regardless of size, and not permanently manned offshore installations), the number of shutdown levels shall be limited to three, starting from ESD level-1. The wordings "abandon" and "prepare to abandon" denote voluntary procedures involving human beings but are not to be considered as ESD levels.
5.3.2.2 Emergency depressurisation (EDP)
EDP is applicable to offshore and onshore installations if the criteria developed in Section 6 are met. Offshore (permanently manned or not), EDP shall be systematically automatic upon activation of ESD-0 and/or ESD-1; this requirement is not compulsory for onshore facilities, and the EDP strategy shall be duly addressed in the SAFETY CONCEPT.

5.3.2.3 De-energisation
Total de-energisation, including battery powered systems, can be achieved offshore through activation of ESD-0. Onshore this functionality does not exist and shall be compensated by the implementation of a specific push-button for each fire zone that shall perform total de-energisation, including controls (24 VDC), with possible exception for emergency post-lube pumps, machinery helpers, etc., and only if they are suitable for operation in a zone 1 hazardous area.

5.3.3 ESD-0 (Total black shutdown)
There is one single ESD-0 for a restricted area. In the particular case where an installation consists of several different restricted areas with different sources of power, there are as many ESD-0's as non-overlapping restricted areas.

5.3.3.1 Description
• Shutdown of all process and utility systems, with depressurisation, for all fire zones in the restricted area
• Shutdown of all potential sources of hazard and ignition, including essential and emergency loads, except navigation aids and emergency lighting (1)
• Escape and evacuation, if necessary.
Note 1: ESD-0 does not stop diesel-driven fire water pumps if they have been started up automatically (signal from F&G or ring main PSLL) while their selector was in automatic mode.

5.3.3.2 Causes
Voluntary decision considering a probable or actual, widely catastrophic situation, and only after ESD-1 of all fire zones has been triggered and personnel directed to muster areas.

5.3.4 ESD-1 (Fire zone emergency shutdown)
There is one ESD-1 per fire zone. Fire and gas detection leading to different effects, ESD-1 should be further split into ESD-1/F for the particular fire case, ESD-1/G for the particular gas detection case, and the subsequent generic ESD-1.

5.3.4.1 Description
• Shutdown of all process and utility systems within one fire zone. Automatic emergency depressurisation is always applicable offshore, possibly implemented onshore
• In case of gas detection: shutdown of all potential sources of hazard and ignition (except fire water pumps, see note 1 in Paragraph 5.3.3) in the fire zone, except controls and emergency or vital equipment on individual battery systems and suitable for zone 1
• In case of fire detection: activation of fire-fighting means in the fire zone
• Escape of personnel from the zone to muster areas or to another safe fire zone.
5.3.4.2 Causes
• ESD-0 in the restricted area
• Voluntary decision considering a probable or actual catastrophic situation
• Gas detection outdoors or in a non totally enclosed area
• Outdoors fire detection (1)
• Low UPS battery voltage shall always be considered. A specific study shall be conducted on the advisability of triggering ESD-1 by other utility failures.
Note 1: Fire detection in an electrical room does not trigger ESD-1, except in remote premises where quick intervention is not possible.

5.3.5 SD-2 (Unit shutdown)
There is one SD-2 for each independent functional unit.

5.3.5.1 Description
• Shutdown of one production, processing, transfer or utility unit
• Permissive to perform manual emergency depressurisation, if relevant to the concerned unit.

5.3.5.2 Causes
• ESD-1 in the fire zone where the unit sits, or voluntary decision considering a probable or actual unit failure
• Major process fault that requires the automatic shutdown of the whole unit
• LSHH in the flare KO drum(s) connected to the unit, PSLL instrument air, and possibly PSLL fuel gas when fuel gas is used to prevent air ingress in the flare system
• PSLL, LSLL, etc. (leak detection in American parlance) on process systems, to be studied on a case by case basis (engineering judgement)
• Loss of normal power.
Note: There is no F&G input at SD-2 level. F&G either triggers ESD-1 upon outdoors detection or initiates SD-3 when specific to an equipment.

5.3.6 SD-3 (Equipment shutdown)
In some cases, equipment can have different SD-3 sequences depending on the tripping fault. Where fire and gas detection lead to particular and different effects, SD-3 for an equipment should be further split into SD-3/F for the particular fire case, SD-3/G for the particular gas detection case, and the subsequent generic SD-3.

5.3.6.1 Description
• Shutdown of a production or utility equipment, with automatic depressurisation if relevant, or unlatching of a "permissive to depressurise" chain, thus allowing manual emergency depressurisation if required
• In case of gas detection from a gas source inside an enclosure: shutdown of all potential sources of hazard and ignition within the enclosure (including essential loads), except emergency or vital equipment on individual battery systems and suitable for zone 1
• In case of fire detection inside an enclosure: activation of fire-fighting means in the equipment enclosure and closure of dampers (as relevant).
5.3.6.2 Causes
• SD-2 of the unit, or voluntary decision considering a probable or actual equipment failure
• Fire or gas detection inside an equipment enclosure
• Process, utility or mechanics related fault.

5.3.7 Logic summary
The shutdown logics (causes and actions) are summarised in the following tables.

Causes                          Shutdown type
Pushbutton ESD-0                ESD-0
ESD-0 (direct action)           ESD-1
Pushbutton ESD-1                ESD-1
Outdoors gas detection          ESD-1
Outdoors fire detection         ESD-1
UPS low battery voltage         ESD-1
ESD-1 (direct action)           SD-2
Pushbutton SD-2                 SD-2
PSLL fuel gas                   SD-2
PSLL inst. air                  SD-2
LSHH flare KO drum              SD-2
Process fault (relevance)       SD-2
Loss of normal power            SD-2
SD-2 (direct action)            SD-3
Pushbutton SD-3                 SD-3
Gas detection (inside)          SD-3
Fire detection (inside)         SD-3
Equip. fault (relevance)        SD-3

Actions / Shutdown type         ESD-0      ESD-1          SD-2       SD-3
Fire zone ESD                   All        Yes            No         No
Unit shutdown                   All        In Zone        Yes        No
Equipment shutdown              All        In Zone        In Unit    Yes
ESDV closure                    All        In Zone        No         No
SDV closure (4)                 All        In Zone        In Unit    In Equip.
Automatic EDP                   Yes        In Zone        (2)        (2)
Permissive to depressurise      (NA)       (NA)           (2)        (2)
Activate fire-fighting          No         In Zone (5)    No         In Equip. (5)
Emerg./vital loads trip         Yes (3)    No             No         Yes (6)
Essential loads trip            All        In Zone        No         Yes (6)
Non-essential loads trip        All        In Zone        In Unit    Yes
Stop HVAC                       All        In Zone        No         In Equip. (7)
Evacuation of personnel         Yes (1)    No (1)         No (1)     No (1)
Muster of personnel             Yes        From Zone      No (1)     No (1)

The wording "Zone" means "Fire zone".
Note 1: Escape and evacuation, as necessary and depending on conditions.
Note 2: Permissive or automatic EDP as required by process and equipment.
Note 3: Except emergency lighting and navigation aids in all cases.
Note 4: Some SDV's can be diverting valves opening upon SD signal.
Note 5: In case of fire detection and if required by F&G monitoring equipment.
Note 6: In case of gas detection and only electrical equipment not suitable for operation in a zone 2 hazardous area.
Note 7: In case of fire detection or gas detection in combustion/ventilation air ducts to equipment.
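The cascade summarised in the two tables above, as an added worked example that is not part of this specification. A cause is mapped to its initiating level from the "Causes" table, the level then cascades downward by direct action (ESD-0 to the ESD-1 of every fire zone, ESD-1 to the SD-2 of every unit in the zone, SD-2 to the SD-3 of every equipment in the unit), and the "Actions" table is applied at each level. It also enforces the onshore/offshore rules of 5.3.2 (no ESD-0 onshore; automatic EDP upon ESD-0/ESD-1 offshore only). The plant layout, cause names and action field names are constructed for the example; the F&G notes (fire-fighting only on fire detection, ignition-source trip only on gas detection) are taken from the table notes.

```python
"""Added example (not from GS SAF 261): resolving the shutdown cascade of 5.3.
A cause is mapped to its initiating level (5.3.7 "Causes" table); the level
cascades downward by direct action (ESD-0 -> ESD-1 of every zone, ESD-1 ->
SD-2 of every unit in the zone, SD-2 -> SD-3 of every equipment in the unit)
and the 5.3.7 "Actions" table is applied at each level. Plant layout, cause
names and the Actions field names are constructed for this example.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    ESD0 = 0   # restricted area (permanently manned offshore only, 5.3.2.1)
    ESD1 = 1   # fire zone
    SD2 = 2    # unit
    SD3 = 3    # equipment / package


# Cause -> initiating level, from the 5.3.7 "Causes" table (names constructed).
CAUSE_LEVEL = {
    "pb_esd0": Level.ESD0,
    "pb_esd1": Level.ESD1, "gas_outdoors": Level.ESD1,
    "fire_outdoors": Level.ESD1, "ups_low_battery": Level.ESD1,
    "pb_sd2": Level.SD2, "psll_fuel_gas": Level.SD2, "psll_inst_air": Level.SD2,
    "lshh_flare_ko_drum": Level.SD2, "process_fault": Level.SD2,
    "loss_normal_power": Level.SD2,
    "pb_sd3": Level.SD3, "gas_inside": Level.SD3, "fire_inside": Level.SD3,
    "equipment_fault": Level.SD3,
}


@dataclass
class Actions:
    esd1_zones: set = field(default_factory=set)
    sd2_units: set = field(default_factory=set)
    sd3_equipment: set = field(default_factory=set)
    esdv_close_zones: set = field(default_factory=set)
    sdv_close: set = field(default_factory=set)          # units and equipment
    automatic_edp_zones: set = field(default_factory=set)
    edp_permissive: set = field(default_factory=set)     # note 2: manual EDP
    fire_fighting: set = field(default_factory=set)      # note 5: fire case only
    ignition_trip: set = field(default_factory=set)      # gas case, note 6
    muster_from_zones: set = field(default_factory=set)
    evacuation: bool = False


def resolve(plant, cause, zone=None, unit=None, equipment=None,
            offshore=True, detection=None):
    """plant: {zone: {unit: [equipment, ...]}}; detection: 'fire', 'gas' or None."""
    level = CAUSE_LEVEL[cause]
    if level == Level.ESD0 and not offshore:
        raise ValueError("ESD-0 exists only on permanently manned offshore installations")
    if level != Level.ESD0 and zone not in plant:
        raise ValueError("a fire zone is required for ESD-1, SD-2 and SD-3 causes")
    act = Actions()
    zones = set(plant) if level == Level.ESD0 else {zone} if level == Level.ESD1 else set()
    if level == Level.ESD0:
        act.evacuation = True
        act.ignition_trip |= zones          # all loads incl. essential/emergency (note 3)
    for z in zones:
        act.esd1_zones.add(z)
        act.esdv_close_zones.add(z)
        act.muster_from_zones.add(z)
        if offshore:                        # 5.3.2.2: automatic EDP on ESD-0/ESD-1 offshore
            act.automatic_edp_zones.add(z)
        if level == Level.ESD1 and detection == "fire":
            act.fire_fighting.add(z)
        if level == Level.ESD1 and detection == "gas":
            act.ignition_trip.add(z)
    # ESD-1 -> SD-2 of every unit in the zone (direct action).
    units = {(z, u) for z in zones for u in plant[z]}
    if level == Level.SD2:
        units = {(zone, unit)}
    for z, u in units:
        act.sd2_units.add(u)
        act.sdv_close.add(u)
        if level == Level.SD2:
            act.edp_permissive.add(u)       # 5.3.5.1: permissive, not automatic
    # SD-2 -> SD-3 of every equipment in the unit (direct action).
    equip = {(z, u, e) for z, u in units for e in plant[z][u]}
    if level == Level.SD3:
        equip = {(zone, unit, equipment)}
    for z, u, e in equip:
        act.sd3_equipment.add(e)
        act.sdv_close.add(e)
        if level == Level.SD3:
            act.edp_permissive.add(e)
            if detection == "fire":
                act.fire_fighting.add(e)    # inside the enclosure (5.3.6.1)
            if detection == "gas":
                act.ignition_trip.add(e)    # non-certified equipment in enclosure
    return act


if __name__ == "__main__":
    # Constructed plant: two fire zones, three units, four equipment items.
    PLANT = {"FZ1": {"U1": ["E1", "E2"], "U2": ["E3"]}, "FZ2": {"U3": ["E4"]}}
    print(resolve(PLANT, "gas_outdoors", zone="FZ1", detection="gas"))
    print(resolve(PLANT, "psll_inst_air", zone="FZ1", unit="U1"))
```

Note that the F&G rule of 5.3.5.2 ("there is no F&G input at SD-2 level") is reflected by the cause table alone: outdoor detection maps to ESD-1 and in-enclosure detection to SD-3, so no detection cause can produce a unit-only shutdown.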


5.3.8 Technical rooms

Gas detection inside a technical room (electrical and/or instruments) shall lead to a total de-energisation of the equipment it houses and hence to the shutdown of all process or utility units they serve, including all controls. COMPANY considers however that it is desirable to conduct a shutdown sequence in an orderly fashion (refer to Chapter 5.5, Cascades) when there is still enough time left to do so, rather than abruptly interrupting the power supply. This last option is to be used as a last-resort alternative, initiated by the USS (see Paragraph 5.2.5, Ultimate Safety System). The issue of technical rooms shall therefore be resolved as follows:
• Technical room serving only one fire zone: gas detection shall first trigger the ESD-1/G of the concerned fire zone and then, after a suitable time delay (1), shall perform a total electrical isolation of the fire zone, including controls, with the only exception of emergency consumers suitable for operation in zone 1 hazardous area and supplied through their own independent battery pack (emergency post-lube, machinery helper, emergency telecom, etc.). In no case shall gas detection in a technical room initiate an ESD-0 (where this level exists).
• Technical room serving several fire zones: the same approach as above shall be used, except that all ESD-1/G's shall be initiated simultaneously. This constitutes a common failure mode that shall be contemplated at design stage and taken into consideration for the sizing of the flare system and of other systems if relevant (see also Paragraph 6.2.6).
Note 1: i.e. longer than all time delays built into the ESD, so that the shutdown sequence is completed before the remaining power supplies are switched off.

As a consequence of what precedes, air ducts to instrument or electrical rooms not devoted to a single equipment shall be fitted with three gas detectors adhering to a 2-out-of-3 logic, and one 20% LFL detection confirmed by one 50% LFL detection shall initiate the sequence described above. Furthermore, a single 20% LFL detection in the air duct confirmed by a single 20% LFL detection from a gas detector installed inside the room shall also trigger this sequence.

5.3.9 Well work

The case of well servicing devices (work-over rig, pulling rig, wireline winch, etc.) drawing their energy from the platform (or installation) power supply and distribution system shall be very carefully studied. The fact that de-energisation might lead to an exceedingly hazardous situation if achieved during a critical well-related activity, and that the resulting risk might be higher than the original risk that initially triggered power isolation, shall not be overlooked. Each configuration shall be subject to a specific study whereby adequate means to mitigate the risk shall be addressed. Such options as override keys (with corresponding alarms in CCR) cancelling the signal to open the relevant circuit breakers, along with a proper segregation and separation of individual power supplies to well work apparatus (independent and geographically distinct from other power supplies to the fire zone at stake), are regarded as acceptable by COMPANY.
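The voting and sequencing rules of Paragraph 5.3.8 above, written out as an added worked example (not code from GS SAF 261 or from Total): the three duct detectors vote 2-out-of-3 with a 20% LFL detection confirmed by a 50% LFL detection on a distinct detector, a single 20% LFL in the duct confirmed by a single 20% LFL inside the room also initiates, and the resulting sequence trips ESD-1/G of every served fire zone at once before the delayed total electrical isolation. The detector readings, zone names, built-in ESD delays and the 10 s isolation margin are constructed values, and the reading of "one 20% LFL confirmed by one 50% LFL" as two distinct detectors is an assumption.

```python
"""Technical-room gas detection: voting logic and shutdown sequence (Paragraph 5.3.8).

Added worked example, not part of GS SAF 261. The detector readings, zone
names and delays below are constructed; the 10 s isolation margin is an
assumed design value.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

LFL_LOW = 20.0    # % LFL, first-level detection
LFL_HIGH = 50.0   # % LFL, confirmation level in the duct


def duct_vote_2oo3(duct: Sequence[float]) -> bool:
    """2-out-of-3 vote on the three duct detectors.

    Reading of the specification: one detector at or above 20% LFL must be
    confirmed by a second, distinct detector at or above 50% LFL. A single
    detector at 50% LFL therefore does not initiate on its own.
    """
    if len(duct) != 3:
        raise ValueError("air ducts to shared technical rooms carry three detectors")
    above_low = [r for r in duct if r >= LFL_LOW]
    return len(above_low) >= 2 and max(above_low) >= LFL_HIGH


def duct_confirmed_by_room(duct: Sequence[float], room: Sequence[float]) -> bool:
    """Single 20% LFL in the duct confirmed by a single 20% LFL inside the room."""
    return any(r >= LFL_LOW for r in duct) and any(r >= LFL_LOW for r in room)


def gas_sequence_required(duct: Sequence[float], room: Sequence[float]) -> bool:
    return duct_vote_2oo3(duct) or duct_confirmed_by_room(duct, room)


@dataclass
class TechnicalRoom:
    name: str
    fire_zones_served: List[str]
    # longest time delay built into each zone's ESD-1 sequence (constructed values)
    esd_builtin_delay_s: Dict[str, float]
    isolation_margin_s: float = 10.0   # assumed margin above the longest ESD delay


def shutdown_sequence(room: TechnicalRoom, duct: Sequence[float],
                      room_detectors: Sequence[float]) -> List[Tuple[float, str]]:
    """Ordered (time_s, action) steps that technical-room gas detection must produce."""
    if not gas_sequence_required(duct, room_detectors):
        return []
    steps: List[Tuple[float, str]] = []
    # Step 1: ESD-1/G of every served fire zone at t = 0; several zones trip simultaneously.
    for zone in room.fire_zones_served:
        steps.append((0.0, f"ESD-1/G {zone}"))
    # Step 2: total electrical isolation, delayed beyond every built-in ESD delay (Note 1)
    # so that the orderly sequence completes before the remaining supplies are cut.
    delay = max(room.esd_builtin_delay_s[z] for z in room.fire_zones_served) \
        + room.isolation_margin_s
    for zone in room.fire_zones_served:
        steps.append((delay, f"total electrical isolation {zone} "
                             "(except zone-1 battery-backed emergency consumers)"))
    # ESD-0 is never initiated from technical-room gas detection.
    assert all("ESD-0" not in action for _, action in steps)
    return steps


if __name__ == "__main__":
    ler = TechnicalRoom("LER-1", ["FZ-1", "FZ-2"], {"FZ-1": 30.0, "FZ-2": 45.0})
    for t, action in shutdown_sequence(ler, [24.0, 58.0, 0.0], [0.0]):
        print(f"t+{t:5.1f}s  {action}")
```

A room serving two zones produces the common-mode trip of both ESD-1/G's at t = 0, and the isolation step lands at the longest built-in delay plus the margin, which is the quantity the flare sizing study of Paragraph 6.2.6 has to consider.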


[Figure 4 - Typical shutdown logic diagram (offshore processing facility). Block diagram not reproduced in text. Initiators: ABANDON pushbuttons (emergency, embarkation and control centre posts), ESD through telemetry if the facility is remote controlled, F&G and ESD pushbuttons, fire or gas detection in fire zone, gas detection in technical room, PSLL/LSLL (7), PSLL instrument air (5), PSLL fuel gas (3), LSHH flare drum (5), UPS battery low voltage (4), power failure, other essential utility faults if any, process faults, equipment faults, fire or gas detection on specific equipment, PSS pushbuttons. Levels: ESD-0 TOTAL BLACK SHUT-DOWN (initiating ESD-1 of all fire zones); ESD-1 FIRE ZONE EMERGENCY SHUT DOWN, as ESD-1 FIRE or ESD-1 GAS with time delay, initiating SD-2 of all units in the fire zone; SD-2 UNIT SHUT DOWN, initiating SD-3 of all equipment in the unit; SD-3 EQUIPMENT, as SD-3 FIRE or SD-3 GAS, with unprocessed gas detection signal to ESD-1 (6). Actions: installation black out (except navaids and emergency lighting); total electrical isolation (except consumers suitable for zone 1) (1); electrical isolation (normal and essential consumers); close ESDV's (2); open BDV's; permissive to blow down (+ partial BD as relevant) and unit depressurisation; activate fire fighting in fire zone or on equipment; unit shut down and trip all equipment; close dampers and shut down HVAC; electrical shut down of equipment; equipment shut down; open/close SDV's; open equipment BDV's (as relevant and if any).]

Note 1: emergency/vital systems remaining powered: post-lube (if any), telecom and PAGA.
Note 2: close ESDV's if no SDV's upstream of PSLL/LSLL used as leak detection device.
Note 3: if fuel gas is used to purge the flare.
Note 4: to avoid uncontrolled sequence of ESDV/BDV opening/closing.
Note 5: to other units if common.
Note 6: unprocessed gas detection signal to ESD-1 if required.
Note 7: list to be assessed on a case by case basis.

Figure 4 - Typical shutdown logic diagram (offshore processing facility)


[Figure 5 - Typical shutdown logic diagram (well-head and riser platform with test separator). Block diagram not reproduced in text. Initiators of ESD-1 PLATFORM EMERGENCY SHUT DOWN (ESD-1 FIRE or ESD-1 GAS, with time delay): pushbuttons at embarkation posts, remote ESD through telemetry if any, fire detection outdoors, fire detection in electrical room, gas detection outdoors (if any), gas detection in ventilation ducts. Initiators of SD-2 PRODUCTION, SD-2 PROCESS and SD-2 TRANSFER: pushbuttons, process faults, essential utility faults, PSHH/PSLL on manifold. Initiators of SD-3 CHEM. P., SD-3 TEST SEP. and WELL SHUT-IN: pushbuttons, process faults, PSHH/PSLL. Actions: activate fire fighting where applicable; platform electrical shut down (1) and (4); open BDV's (if any); close DHSV's (if SCSSSV-type); close platform inlet and outlet ESDV's (2); close transfer inlet ESDV; trip sump tank pump (if any); close SDV (if any); trip pumps; close SDV's inlet and outlet and open diverting valve; close gas lift injection valves (if applicable); close SSV and WV (if any) (3).]

Note 1: emergency and vital systems remaining powered: navaids, emergency lighting, public address (if any), general alarm and telecom.
Note 2: assuming the transfer manifold ties in upstream of the platform outlet ESDV.
Note 3: downstream of the production manifold where connecting with the transfer manifold.
Note 4: shut down crane engine if Diesel powered.

Figure 5 - Typical shutdown logic diagram (well-head and riser platform with test separator)


5.3.10 Methodology to define ESD matrix

Various documents are used by the different specialists involved. During the design phase, the responsibilities for approval of documents shall be split as follows:
• SD block logic diagrams: by Process Department
• SAFE charts: by Process Department
• F&G cause and effect matrices: by Safety Department
• Utility failures: by Safety Department.
In the latter stages of the project, responsibilities for issuing the block logic matrix, functional analysis, selection, implementation and commissioning are given to Instrument specialists. The methods and check lists to be used are those of the Safety Analysis Table (SAT) of API RP 14C, even for onshore installations.

5.4 Integration of packages

It is essential that the functional analysis, carried out during Preliminary (basic) Engineering, covers all the packages, inclusive of those that are not yet ordered. Package VENDORs shall provide their shutdown logic documents following the same principles as for the main shutdown logic. The responsibilities for integration of the package shutdown logic into the main shutdown logic are the same as for the rest of the process and equipment (see Paragraph 5.3.10). The package shutdown logic shall be established according to the same rules and principles as the main shutdown logic, except that the Safety Integrity Level requirement for these systems shall be SIL-2. The inputs and outputs of the package shutdown systems shall be compatible with those of the main ESD system.

5.5 Cascades

COMPANY's practice is to prefer direct actions rather than cascaded actions. Direct actions ensure better control, improved reliability and quicker response, although they may shorten the time available for operators to undertake corrective actions before the system trips and shall eventually result in a slightly more complex system. The response time issue shall be carefully considered and all precautions shall be taken to avoid making the system too responsive. This shall be achieved by a suitable setting of the differential between alarm and trip levels and through a critical selection of triggering causes. A detailed study shall be conducted at Basic Engineering stage to select, among all abnormalities that shall eventually result in a shutdown or an emergency shutdown, those that shall be instrumented and wired to provide a direct input to the ESD system. Typical examples are UPS low battery voltage or loss of normal power supply, which COMPANY prefers to hook up directly onto the ESD.


5.6 Shutdown devices

5.6.1 Safety valve definition

5.6.1.1 Wellheads
• DHSV: Down-Hole Safety Valves. Only Surface Controlled Sub-Surface Safety Valves (SCSSSV)-type DHSV's are considered in the present document (see also GS SAF 226, Safety rules for wells).
• SSV: Surface Safety Valves (automatic master valves or wing valves) shall also be considered as ESDV's (1 & 2). Gas-lift or gas re-injection isolating valves are considered as SDV's.

5.6.1.2 Process
• ESDV: Emergency Shutdown Valve (3)
• BDV: Blow-Down Valve
• SDV: Shutdown Valve.
Other on/off motorised valves (XV's) and hand valves (HV's) cannot be considered as safety valves. Chokes, even motorised, cannot be considered as safety valves, either ESDV's or even SDV's. Control valves can be used, on an exception basis, as BDV's or SDV's (never ESDV's) within a process unit in case of small upstream inventory: less than 5 m3 of liquid hydrocarbon or PV < 100 bar.m3 for gas. Cascaded action shall not be deemed acceptable (e.g. low level drifting the LCV to closed position, etc.) and all control valves acting as SDV's shall be fitted with a solenoid valve connected to the PSS and independent of the control loop.
Note 1: SSV's shall always close before DHSV's to avoid a pressure differential across the DHSV.
Note 2: Wing valve re-opening through telemetry is authorised only if the concerned well was closed voluntarily and in absence of fault (F&G or PSHH/PSLL), and if the wing valve control circuit is fitted with a specific solenoid for remote re-opening, independent from the safety trip circuits.
Note 3: Main fuel trip valves to fired heaters and/or machinery shall be considered as ESDV's, although not installed at the fire zone boundary.

5.6.2 Response time
Safety valves shall actuate in less than 15 seconds (10 seconds for SSV and wing valves) after their triggering mechanism has been activated, with possible exception for large valves (Ø ≥ 20"). The total duration of the shutdown sequence shall be less than 45 seconds from confirmation of the abnormal condition and/or actuation of pushbuttons.

5.6.3 Actuators
Actuators shall be either spring loaded or air/hydraulic double action. Electric motor driven actuators are not allowed for service on safety valves, either ESDV or SDV. Local accumulators (air or hydraulic) fitted on double action actuators shall be sized for three strokes (i.e. close-open-close) so as to allow for one operating mistake.


5.6.4 ESDV by-pass

Two cases shall be considered: plant or platform battery limit ESDV's, and ESDV's on interconnections between fire zones.
• By-passes around battery limit ESDV's are prohibited. Pressure equalisation around ESDV's can be achieved either (1) by:
- identifying a small line with manual valves to accomplish re-pressurising (e.g. from test separator, from main pipeline, etc.). All precautions shall be taken to avoid that the re-pressurisation line behaves in fact as a by-pass of the ESDV. The re-pressurisation line shall always be fitted with its own ESDV that shall close when the main ESDV closes;
- installing a by-pass around an adjacent locally operated block valve.
• By-passes around ESDV's interconnecting fire zones are authorised provided they are fitted with their own ESDV that shall close when the main ESDV receives a signal to close.
Note 1: The use of special valves allowing slow re-pressurisation through the valve body itself (e.g. V-ball valves) shall be submitted to a special study and formal approval of COMPANY.

5.6.5 Functional requirements

Function | Wellheads: DHSV | Wellheads: SSV | Process: ESDV | Process: BDV | Process: SDV
Local reset after ESD-0 or ESD-1 | Yes | Yes (1) | Yes | Yes (2) | No
Open from CCR (6) | No | No (1) | No | Yes (5) | (3)
Close from CCR | Yes | Yes | Yes | No (2) | (3)
Open/Close local command | Yes | Yes | Yes | Yes | Yes
Open/Close status display in CCR | (3) | (3) | Yes | Yes | Yes
Partial stroking facilities | No | No | Yes | No | Yes (4)
ESD signal test facilities | Yes | Yes | Yes | Yes | Yes (4)

Note 1: Local reset, except if the SSV was voluntarily closed (see Paragraph 5.6.1).
Note 2: Reset from control room may be envisaged in some cases (refer to Section 6), or automatic reset upon reset of ESD.
Note 3: As required by Process and Operations.
Note 4: Recommended for the SDV's which cannot be tested during scheduled equipment SD.
Note 5: Interlocked with "permissive to BD" signal.
Note 6: Central Control Room.


5.6.6 Pushbuttons

Pushbuttons shall be properly located, tagged and illuminated by essential lighting. They shall be physically protected against spurious activation and fitted with a specific unlocking tool to return to normal position. Pushbuttons shall be fitted with suitable devices for testing purposes. Pushbuttons shall be installed as follows:

Location | Offshore Platform | Drilling or WO rig | Onshore Plant
Helideck | ESD-0 | ESD-0 | -
Boat landing | ESD-0 | - | -
Muster points | ESD-0 | - | ESD-0
Driller's console | - | ESD-1, SD-2 | -
Control room | ESD-0*, ESD-1, SD-2, SD-3 | ESD-1, SD-2, SD-3 | ESD-1, SD-2, SD-3
Technical rooms | SD-2, SD-3 | SD-2, SD-3 | SD-2, SD-3
Local panels† | SD-2, SD-3 | SD-2, SD-3 | SD-2, SD-3
Outdoors | ESD-1# | - | ESD-1#

Note *: Pushbuttons in CCR only for a remote facility controlled from the CCR.
Note #: ESD-1 pushbuttons can be provided outdoors at convenient locations, if imposed by site specifics (not base case).
Note †: Outdoors panel close to equipment or unit.

In case the activation of a shutdown pushbutton unlatches a "permissive to EDP" signal, the corresponding EDP pushbutton shall be located close by.

5.7 Physical protection

Any valve used as an ESDV shall be certified fireproof as per British Standard 6755 Part 2 or equivalent and GS PVV 142.

5.7.1 Onshore
ESDV's shall be located 15 metres off equipment in the fire zone to be isolated or, if this is not possible, valves and piping upstream of the inlet ESDV's or downstream of the outlet ESDV's, inclusive of the ESDV's themselves, shall be protected if they may be exposed to radiation greater than 15.8 kW/m2 (5000 BTU/ft2/hr) in the event of fire, or to an overpressure greater than 0.3 bar in case of explosion.

5.7.2 Offshore
ESDV's shall be located at the limit of the fire zone to be protected. For a better protection of the risers, it is recommended that inlet and outlet ESDV's are located just above the maximum water elevation. Valves and piping shall be protected according to the same principles as onshore.


5.7.3 Actuators
Actuators shall be protected against the consequences of fire or explosion to the same level as the valves themselves. Additional special precautions shall be taken to protect the ESDV actuator and control cabinet so that their skin temperature does not exceed 70°C.

5.7.4 Valve connections and body
Unless imposed otherwise by applicable local regulation, valves with flanged connections to the piping and/or having a flanged body can be used as ESDV's or SDV's if their integrity in case of a major failure of the installation (refer to GS SAF 253) is demonstrated by a specific study submitted to COMPANY's approval. This requirement may entail special precautions such as protection against dropped objects, reinforced passive fire proofing (valve body, actuator and flanges) and reinforced gaskets (RTJ strongly preferred even on low pressure piping).

5.7.5 Internal leak rate
An ESDV shall be considered fit for safety purposes if its internal leak rate does not exceed:
• For gas, expressed in Sm3/h, three times its nominal diameter expressed in inches
• For liquids, 40 litres per hour and per inch of nominal diameter.
Note: These criteria correspond to the maximum flow that would not generate a jet fire should the most unfavourable (not necessarily the largest) piping rupture occur downstream of the ESDV. They are in line with API recommendations for flow line ESDV's.

5.7.6 Bunkers and pits
Under-ground ESDV's are authorised provided they are suitably marked, identified, protected against traffic hazards and their actuator is normally accessible. ESDV's cannot sit inside a pit but can be installed in concrete bunkers (e.g. for protection against security threats) provided the access to the bunker is adequately controlled and regarded as an entry into a capacity (confined space).
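The valve-type eligibility rules of Paragraph 5.6.1, the response-time limits of 5.6.2, the actuator and accumulator requirements of 5.6.3 and the internal leak criteria of 5.7.5 can be turned into a single design-review check that flags every non-conformance of a proposed shutdown valve. The block below is an added worked example, not code from GS SAF 261 or from Total; the ValveSpec record, its field names and the sample valves are constructed for illustration, and the thresholds are those stated in the text.

```python
"""Design-review checks for shutdown valves (Paragraphs 5.6.1, 5.6.2, 5.6.3 and 5.7.5).

Added worked example, not part of GS SAF 261. ValveSpec, its field names and
the sample valves are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ValveSpec:
    tag: str
    role: str                     # intended safety role: "ESDV", "BDV" or "SDV"
    valve_type: str               # "on_off", "control", "xv", "hand", "choke"
    actuator: str                 # "spring", "double_action", "electric"
    size_in: float                # nominal diameter in inches
    stroke_time_s: float          # time to reach safe position after trigger
    service: str = "gas"          # "gas" or "liquid"
    is_ssv_or_wing: bool = False
    upstream_inventory: Optional[float] = None   # m3 liquid, or PV in bar.m3 for gas
    has_independent_solenoid: bool = False       # solenoid to PSS, outside the control loop
    accumulator_strokes: Optional[int] = None    # double-action actuators only
    leak_gas_sm3_h: Optional[float] = None       # measured internal leak, gas service
    leak_liq_l_h: Optional[float] = None         # measured internal leak, liquid service


def max_stroke_time_s(v: ValveSpec) -> float:
    """5.6.2: less than 15 s in general, less than 10 s for SSV and wing valves."""
    return 10.0 if v.is_ssv_or_wing else 15.0


def allowable_leak(v: ValveSpec) -> float:
    """5.7.5: gas 3 x DN (Sm3/h), liquid 40 L/h per inch of DN."""
    return 3.0 * v.size_in if v.service == "gas" else 40.0 * v.size_in


def small_upstream_inventory(v: ValveSpec) -> bool:
    """5.6.1.2: less than 5 m3 of liquid hydrocarbon, or PV < 100 bar.m3 for gas."""
    if v.upstream_inventory is None:
        return False
    return v.upstream_inventory < (100.0 if v.service == "gas" else 5.0)


def review(v: ValveSpec) -> List[str]:
    """Return the list of non-conformances; an empty list means the valve passes."""
    f: List[str] = []
    if v.role not in ("ESDV", "BDV", "SDV"):
        return [f"{v.tag}: '{v.role}' is not a safety valve role"]
    # 5.6.1: eligibility by valve type
    if v.valve_type in ("xv", "hand", "choke"):
        f.append(f"{v.tag}: {v.valve_type} valves cannot be used as safety valves")
    elif v.valve_type == "control":
        if v.role == "ESDV":
            f.append(f"{v.tag}: control valves can never be ESDV's")
        else:
            if not small_upstream_inventory(v):
                f.append(f"{v.tag}: control valve as {v.role} only with small upstream inventory")
            if not v.has_independent_solenoid:
                f.append(f"{v.tag}: control valve as {v.role} needs a PSS solenoid independent of the loop")
    # 5.6.3: actuator type and local accumulator sizing
    if v.actuator == "electric":
        f.append(f"{v.tag}: electric motor driven actuators are not allowed on safety valves")
    elif v.actuator == "double_action" and (v.accumulator_strokes or 0) < 3:
        f.append(f"{v.tag}: local accumulator must be sized for three strokes (close-open-close)")
    # 5.6.2: response time; large valves (>= 20") may be excepted
    if v.stroke_time_s >= max_stroke_time_s(v) and v.size_in < 20.0:
        f.append(f"{v.tag}: stroke time {v.stroke_time_s} s not below {max_stroke_time_s(v)} s limit")
    # 5.7.5: internal leak rate, assessed for ESDV's
    if v.role == "ESDV":
        measured = v.leak_gas_sm3_h if v.service == "gas" else v.leak_liq_l_h
        if measured is not None and measured > allowable_leak(v):
            f.append(f"{v.tag}: internal leak {measured} exceeds {allowable_leak(v)} allowed")
    return f


if __name__ == "__main__":
    # constructed sample: a control valve proposed as an ESDV with an electric actuator
    for finding in review(ValveSpec("LV-202", "ESDV", "control", "electric", 4.0, 16.0,
                                    leak_gas_sm3_h=30.0)):
        print(finding)
```

The check deliberately stops at the role test when the role is not a safety one, and treats the 20" exception of 5.6.2 as an exemption from the stroke-time finding only; the leak-rate test uses the measured figure for the valve's service, so a gas-service ESDV with no measured leak simply produces no finding rather than a pass.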

5.8 Number of isolations

5.8.1 ESDV's and SDV's
The number of ESDV's for each stream incoming/outgoing a fire zone shall be such that the global SIL requirement is met: SIL 3 (probability to fail to close on demand less than 0.1%) for standard ESD, or SIL 4 (probability to fail to close on demand less than 0.01%) for HIPS. These requirements imply the installation of 2 ESDV's in all cases. In practice however, other factors such as onshore versus offshore, battery limit versus fire zone interconnection, permanently manned or not, inter-field pipeline or export, etc. shall be taken into account and may lead to exceptions as follows:

5.8.1.1 Fire zone interconnections
• Onshore: 1 ESDV. Refer to GS SAF 253 for position.
• Offshore: 1 ESDV. Refer to GS SAF 253 for position.


5.8.1.2 Battery limit isolations
• Offshore
- Inter-field pipeline (e.g. trunk-line) departing from/landing onto a not normally manned platform (e.g. wellhead or riser platform): 1 ESDV
- Export/import pipeline departing from/landing onto a normally manned platform (e.g. production platform): 2 ESDV's
- Inter-field pipeline departing from/landing onto a normally manned platform, or export/import pipeline departing from/landing onto a not normally manned platform: 2 ESDV's, or 1 ESDV + 1 SDV (3) if the SDV is close enough to the ESDV (1).
• Onshore
- Inter-field pipeline: 2 ESDV's, or 1 ESDV + 1 SDV (3) if the SDV is close enough to the ESDV (1)
- Export/import land pipeline: 2 ESDV's, or 1 ESDV + 1 SDV (3) if the SDV is close enough to the ESDV (1 and 2)
- Export/import sea pipeline: 2 ESDV's.
Note 1: Engineering judgement shall be used to decide whether the piping between ESDV and SDV is short enough and/or protected enough against hazards to allow this alternative.
Note 2: Unless reinforced protection is required (e.g. security risks, landslides, earthquakes, etc.) or if environmental constraints are severe.
Note 3: Where SDV's are used for this service, they cannot be control valves, even if fitted with a special solenoid as per Paragraph 5.6.1.

5.8.2 Isolation block valves
Isolation block valves immediately upstream/downstream of an incoming/outgoing ESDV shall be avoided, especially offshore. However, should such a valve be necessary for, say, maintenance purposes (e.g. land-fall valve), then it shall comply with the requirements applicable to ESDV's (fire resistance, fire and blast protection, etc.). It shall be ensured that this block valve is not unduly exposed to hazards that could be created by the ESDV and that it does not constitute a weaker point than the ESDV, in particular because of its position (more exposed to traffic, left unattended outside the security fence, etc.).

5.9 Additional functional requirements

5.9.1 Safe state
Most safety system components should be designed as normally energised, and any failure of one or more components should set the controlled actuator to a safe position. ESDV's shall be Fail Close and BDV's Fail Open. Special attention shall be paid to isolation of power supply. In the case of an ESD-0, the shutdown of all potential sources of hazard and ignition shall be achieved without delay. In the case of an ESD-1, and considering that essential utilities shall be suitable for operation in zone 1, the shutdown of all non-essential utilities, with a time delay where applicable, is acceptable.


5.9.2 Line monitoring
Wherever a component of the ESD system cannot be of fail-safe design, the I/O loop integrity shall be continuously checked. This requirement applies specifically to signals from detectors to the F&G panel, the deluge valve signal to open, the signal to release CO2, and the fire pump start-up inhibit by gas detection or ESD-0.

5.9.3 Telemetry
Signals transmitted through telemetry shall not be considered as a means to achieve ESD actions, because of their lack of reliability. Remote facilities shall therefore always be fitted with a local ESD system independent from the main ESD system and capable of taking suitable actions in case of abnormal conditions resulting either from a local upset or from a SD of the main facility. The telemetry link shall be provided with a built-in auto-check device that will inform the CCR operators of its availability. In case the link is severed (atmospherics, interference, receiver failure, etc.), an alarm shall be displayed in the CCR but no further action (e.g. forcing the outputs of the remote facility to their safe position) shall be taken, unless otherwise stipulated in the OPERATING PHILOSOPHY.

5.9.4 Position indication
All ESDV's and SDV's shall be fitted with open and close position limit switches. BDV's shall be fitted with open position limit switches. Local open and close position indicators directly fixed on the valve shall be provided. Position indicators shall be clearly visible from neighbouring walkways. Valve position shall be indicated in the CCR as per the requirement stated in Paragraph 5.6.5, Functional requirements.

5.9.5 Testing and maintenance facilities
Each shutdown system command chain shall be provided with inhibition or by-pass facilities so as to make it possible to test the chain by simulating the abnormal condition at the detector and checking that the actuator initiates the required action, without actually shutting down the equipment which is protected. Each shutdown system shall be provided with facilities to test the total system in accordance with local regulations or as per the requirement of the OPERATING PHILOSOPHY, without unacceptable production losses. In this respect, a partial stroking capability for ESDV's is strongly recommended. The shutdown system shall be adaptable so as to accommodate minor modifications, such as changes of tripping values, by authorised personnel. On the other hand, the possibility for operators to change set points or tripping limits, or to modify the shutdown logic, should be restricted.

5.9.6 Reliability of power sources
24 V DC shall be supplied by two independent sources:
• Normal power supply via the essential load panel
• Buffer batteries dedicated to ESD and F&G with an autonomy of at least 1 hour.


If necessary, the power sources shall be redundant, so that the power supply reliability matches the consumers' requirement. As a general rule the following shall apply:
• 2 x 100%: battery chargers, static inverter and power cables
• 2 x 50%: battery set.

5.9.7 Re-start capabilities
Some inputs to safety systems (such as very low level LSLL, very low pressure PSLL, etc.) must be temporarily rendered inoperative so as to allow the re-start of the facility after a shutdown. For PLC technology-based safety systems, these inhibitions shall be either of toggle type, disappearing by themselves when the normal operating parameter is attained, or time delayed, or else interlocked with the re-start sequence steps. For other systems (hydraulic, pneumatic, conventional relays or any combination of these) the greatest care shall be exercised during detail design to ensure that the number of inhibitions is kept minimal, that the status of said inhibitions is clearly displayed and visible at a glance, and that most routine interventions can be accomplished without deactivating safety actions of highest priority. When feasible, preference shall be given to the selection of components that automatically restore their functionality when normal operating conditions have resumed.
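A PSLL channel with the start-up inhibition behaviour required by Paragraph 5.9.7 (the override clears itself once the normal operating parameter is attained or once its time limit expires, and its status is always visible), together with the restriction of Paragraph 5.9.5 that tripping values are changed by authorised personnel only, as an added worked example that is not code from GS SAF 261 or from Total. The set points, the 120 s override limit and the role names are constructed.

```python
"""A PSLL trip channel with self-clearing start-up inhibition (Paragraphs 5.9.5 and 5.9.7).

Added worked example, not part of GS SAF 261. The set points, the 120 s
override limit and the role names are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class TripChannel:
    tag: str
    trip_setpoint: float              # PSLL trip level (bar g)
    normal_level: float               # pressure at which the process is deemed started
    override_limit_s: float = 120.0   # assumed maximum duration of a start-up override
    _override_since: Optional[float] = field(default=None, init=False)
    _override_reason: str = field(default="", init=False)
    log: List[str] = field(default_factory=list)

    def arm_startup_override(self, now_s: float, reason: str = "re-start") -> None:
        """Toggle-type inhibition: it clears itself and is never left on indefinitely."""
        self._override_since = now_s
        self._override_reason = reason
        self.log.append(f"{self.tag}: override armed at t={now_s:.0f}s ({reason})")

    def active_inhibitions(self) -> List[str]:
        """What the operator must see at a glance on the display."""
        if self._override_since is None:
            return []
        return [f"{self.tag} PSLL inhibited ({self._override_reason})"]

    def evaluate(self, pressure: float, now_s: float) -> bool:
        """Return True when the channel demands a trip at this instant."""
        if self._override_since is not None:
            expired = now_s - self._override_since >= self.override_limit_s
            attained = pressure >= self.normal_level
            if attained or expired:
                why = "normal level attained" if attained else "time limit expired"
                self._override_since = None
                self.log.append(f"{self.tag}: override cleared at t={now_s:.0f}s ({why})")
            else:
                return False          # still starting up: trip held off, inhibition displayed
        return pressure <= self.trip_setpoint

    def change_setpoint(self, new_value: float, role: str) -> None:
        """5.9.5: tripping-value changes by authorised personnel only."""
        if role != "authorised":
            raise PermissionError(f"{role} may not change the trip set point of {self.tag}")
        self.log.append(f"{self.tag}: set point {self.trip_setpoint} -> {new_value} by {role}")
        self.trip_setpoint = new_value


if __name__ == "__main__":
    ch = TripChannel("PSLL-110", trip_setpoint=5.0, normal_level=8.0)
    ch.arm_startup_override(0.0)
    for t, p in [(10.0, 0.0), (30.0, 9.0), (40.0, 3.0)]:
        print(f"t={t:4.0f}s p={p:4.1f} trip={ch.evaluate(p, t)} inhibitions={ch.active_inhibitions()}")
    print("\n".join(ch.log))
```

The override is the only way to start against a PSLL that is genuinely true at zero pressure, so the channel records who armed it and why, drops it on its own as soon as pressure reaches the normal level, and falls back to tripping if the start-up takes longer than the limit; an operator who simply lowers the set point instead is refused.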

6. Emergency depressurisation

The considerations developed in the following chapters are applicable only to emergency depressurisation when used for safety purposes, and do not cover depressurisation imposed by other operating or process reasons (e.g. loss of gas compressor seal oil system, voluntary depressurisation of a test separator, etc.).

6.1 Requirements for EDP

6.1.1 Applicability to installations
A sound EDP system is regarded by COMPANY as the most efficient means for mitigation of consequences after a fire has occurred, especially when dealing with gas handling facilities. The installation of an EDP system is mandatory on permanently manned hydrocarbon handling facilities, provided the criteria developed in Paragraph 6.1.3 are met. The installation of an EDP system on not permanently manned facilities is regarded as an asset and environment protection measure and shall be addressed in the SAFETY CONCEPT. If the decision to proceed is taken, then the same criteria as those applicable to permanently manned facilities shall apply.
Note: The presence of a fire water deluge system does not invalidate the need for an EDP system. Conversely, the existence of an automatic EDP system may impact the design of a deluge system and may, in some cases such as gas handling facilities, even void the deluge requirement.

6.1.2 Applicability to equipment
Equipment or piping that cannot be isolated, or that cannot be exposed to fire, shall not be hooked up onto the EDP system.


EDP capability shall be provided only for equipment or piping that can be both isolated and exposed to fire simultaneously, and only if the pressure prevailing in these systems and/or the hydrocarbon inventory they contain is sufficient to justify this option (refer to Paragraph 6.1.3, Decision criteria). Furthermore, the EDP system shall be such that piping associated with equipment is depressurised with the equipment, and that no equipment or piping system, regardless of its maximum operating pressure or its volume, is left pressurised between two equipment items (or piping systems) that have been depressurised. Applicable Codes and Standards do not impose that systems composed exclusively of piping are depressurised; they deal only with vessels, and depressurisation of piping is left to engineering judgement. It is COMPANY's practice however to consider that piping shall be treated in the same fashion as vessels and that EDP is also applicable to exclusively piping systems.

6.1.3 Decision criteria The criteria that shall be used to decide whether a BDV is required are summarised in the following table: BDV required That cannot be isolated

No

That can be isolated but cannot be exposed to fire

No (1)

That can be isolated and can be exposed to fire (5): Piping - Flammable gas

- P > 7 bar g and PVgas > 100 bar.m 3

- Liquefied HC (4)

- Mgas or Mliq > 2 tonnes of C4 and more volatile

- Liquid HC

- No (3) (6)

- Two-phase

- P > 7 bar g and PVgas > 100 bar.m 3

- Toxic gases

- As required for protection of personnel

That cannot be isolated

No

That can be isolated but cannot be exposed to fire

No (2)

That can be isolated and can be exposed to fire (5): Vessel - Flammable gas

- P > 7 bar g and PVgas > 100 bar.m 3 (6)

- Liquefied HC (4)

- Mgas or Mliq > 2 tonnes of C4 or C3

- Liquid HC

- No (3) (6)

- Two-phase

- P > 7 bar g and PVgas > 100 bar.m 3 (6)

- Toxic gases

- As required for protection of personnel

Note 1: Except piping interconnecting equipment subject to EDP within one process unit, regardless of pressure and volume

This document is the property of Total. It must not be stored, reproduced or disclosed to others without written authorisation from the Company.

GS_SAF_261 Rev 1.doc

Page 38/42

Exploration & Production General Specification GS SAF 261

Date: 10/03 Rev: 01

Note 2: Except vessels between other vessels or piping within the same process unit and subject to EDP
Note 3: A TSV or a PSV sized for the fire case is regarded as sufficient protection
Note 4: Either refrigerated or under pressure
Note 5: Piping or vessels shall be considered as being possibly exposed to fire if more than 10% of their external surface can be either engulfed in a pool fire or submitted to a jet fire likely to last more than 3 minutes.
Note 6: The presence of pressurised fluid "trapped" in the network after EDP shall be avoided. The position of check valves and/or control valves failing to close shall be carefully considered in this respect.

Symbols used in the table:
P: Maximum operating pressure (PAHH)
V: Internal vessel (or piping, or vessel + piping) volume
Vliq/Vgas: Maximum liquid/gas volume inside the vessel, the piping or both (LAHH/LALL)
Mliq/Mgas: Maximum mass of liquefied hydrocarbon in the liquid phase/gaseous phase inside the vessel (or piping, or both)
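The decision table of Paragraph 6.1.3 as executable logic, written for this page as an illustration; it is not part of the specification. Units follow the table (P in bar g, V in m3, M in tonnes), and the reading of notes 1 and 2 (interconnecting piping or vessels within a unit subject to EDP are depressurised with that unit) is this example's assumption.

```python
"""Added worked example: the BDV decision table of Paragraph 6.1.3 as a
function. Illustrative code for this page, not part of GS SAF 261.
Units follow the table: P in bar g, V in m3, M in tonnes."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Fluid(Enum):
    FLAMMABLE_GAS = "flammable gas"
    LIQUEFIED_HC = "liquefied HC"   # note 4: refrigerated or under pressure
    LIQUID_HC = "liquid HC"
    TWO_PHASE = "two-phase"
    TOXIC_GAS = "toxic gas"


@dataclass
class Segment:
    kind: str                   # "piping" or "vessel"
    fluid: Fluid
    can_be_isolated: bool
    exposed_to_fire: bool       # note 5: >10% of surface in a pool fire or a jet fire >3 min
    p_ahh_barg: float = 0.0     # P: maximum operating pressure (PAHH)
    v_gas_m3: float = 0.0       # Vgas: maximum gas volume (at LALL)
    m_gas_t: float = 0.0        # Mgas, tonnes
    m_liq_t: float = 0.0        # Mliq, tonnes
    within_edp_unit: bool = False  # notes 1/2: sits between equipment subject to EDP in one unit


def bdv_required(seg: Segment) -> tuple[str, str]:
    """Return (decision, reason). decision is 'yes', 'no' or 'personnel';
    'personnel' reproduces the table cell "as required for protection of
    personnel", which the table leaves to a separate assessment."""
    if not seg.can_be_isolated:
        return "no", "cannot be isolated"
    if not seg.exposed_to_fire:
        # Notes 1 and 2: the "No" cell does not apply to piping/vessels between
        # equipment subject to EDP within one process unit. Reading that
        # exception as "depressurised with the unit" is an assumption here.
        if seg.within_edp_unit:
            return "yes", "note 1/2: interconnects equipment subject to EDP within one unit"
        return "no", "can be isolated but cannot be exposed to fire"

    pv_gas = seg.p_ahh_barg * seg.v_gas_m3
    if seg.fluid in (Fluid.FLAMMABLE_GAS, Fluid.TWO_PHASE):
        if seg.p_ahh_barg > 7.0 and pv_gas > 100.0:
            return "yes", f"P = {seg.p_ahh_barg:g} bar g > 7 and PVgas = {pv_gas:g} bar.m3 > 100"
        return "no", f"P = {seg.p_ahh_barg:g} bar g, PVgas = {pv_gas:g} bar.m3 (needs > 7 and > 100)"
    if seg.fluid is Fluid.LIQUEFIED_HC:
        m = max(seg.m_gas_t, seg.m_liq_t)
        if m > 2.0:
            return "yes", f"Mgas or Mliq = {m:g} t > 2 t of C4 and more volatile"
        return "no", f"Mgas and Mliq <= 2 t ({m:g} t)"
    if seg.fluid is Fluid.LIQUID_HC:
        return "no", "note 3: TSV/PSV fire case is sufficient; note 6: check for trapped pressurised fluid"
    return "personnel", "toxic gas: as required for protection of personnel"


if __name__ == "__main__":
    # Constructed sample segments, not taken from any real plant.
    samples = [
        Segment("vessel", Fluid.FLAMMABLE_GAS, True, True, p_ahh_barg=30.0, v_gas_m3=5.0),
        Segment("piping", Fluid.FLAMMABLE_GAS, True, True, p_ahh_barg=30.0, v_gas_m3=2.0),
        Segment("vessel", Fluid.LIQUEFIED_HC, True, True, p_ahh_barg=15.0, m_liq_t=3.0),
        Segment("vessel", Fluid.LIQUID_HC, True, True, p_ahh_barg=40.0, v_gas_m3=10.0),
        Segment("piping", Fluid.FLAMMABLE_GAS, False, True, p_ahh_barg=90.0, v_gas_m3=50.0),
    ]
    for s in samples:
        decision, why = bdv_required(s)
        print(f"{s.kind:7s} {s.fluid.value:14s} -> BDV {decision:9s} ({why})")
```

The `reason` string carries the governing criterion so the outcome of each row can be traced back to the table and its notes when the decision is reviewed.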

A few specific cases however do not follow this general philosophy:

• Finger-type slug catchers located at a sufficient distance from the process units (refer to GS SAF 253 and GS SAF 021) are not considered as equipment but as pipeline, the relevant code being ASME B 31-8. As a consequence they shall not be equipped with an EDP system matching the functional requirements developed below. They may be fitted with a depressurisation system, if deemed necessary, with or without remote opening of the depressurisation valve, and sized to achieve full depressurisation over a period of time substantially longer than what is imposed by the functional requirements set out below. A PSV designed for the fire case and, where necessary, a TSV shall provide adequate overpressure protection.

• Some equipment requires depressurisation after a specific fault, e.g. gas compressors after a seal-oil failure. Each such case shall be submitted to a specific study.

6.1.4 Applicability to liquids

Liquid Emergency Blow-Down (EBD) of a set of equipment exposed to fire is not recommended. Passive protection devices are regarded as more efficient and shall be given preference instead.

Liquid EBD is however necessary in the case of volatile liquids (LPG's or condensate) to achieve the required reduction of pressure in the allowable period of time. In that case, special attention shall be paid to the design of the drainage network used to dispose of the liquids. In particular, pipe sizing and supporting (risk of two-phase flow and subsequent unsteady flow regime) and pipe metallurgy (effects of sudden cooling-down due to a rapid pressure drop) shall be subject to a specific study.

Note: EBD must not be confused with EDP; vessels containing only liquids (e.g. molecular sieve dryers) may still need to be fitted with a BDV for EDP purposes, as per the requirement set forth in note 6 of Paragraph 6.1.3.


6.2 EDP sequence

6.2.1 General

The EDP system shall be designed to reduce pressure from the maximum operating pressure (PAHH) down to a specified threshold over a stipulated period of time. Both parameters (final pressure and depressuring time) shall be considered for the design of the EDP system.

6.2.2 Final pressure

Pressure shall be reduced down to 7 bar g considering the fire heat input, or to 50% of design pressure considering no fire heat input, whichever is the most stringent. Heat input calculation shall be as per API RP 521 and shall take the presence of passive fire protection, if any, into account.

6.2.3 Depressurisation time

As a general rule, the time to reach the final pressure level after an EDP has been initiated (1) shall be, by default:

• 15 minutes for piping and vessels containing hydrocarbon, either gas or liquid
• 8 minutes for vessels containing LPG's or light condensate, to avoid the risk of BLEVE.

Note 1: These requirements are applicable only to emergency depressurisation and are not valid for depressurisation imposed by process reasons (refer to the exceptions mentioned in Paragraph 6.1.3).

If these criteria were to lead to unacceptably large hydrocarbon disposal devices (either flare or cold vent), then the two following exceptions could be envisaged:

• The depressuring time for capacities with a wall thickness larger than 25 mm could be extended on the basis of 3 more minutes for every 5 mm in excess of 25 mm, with an absolute maximum of 30 minutes. This approach is allowed only if one vessel is concerned (or one group of vessels with similar characteristics served by a common BDV) and if it is demonstrated that nozzles, instrument tappings and other possible spots where metal thickness is less than 25 mm do not represent a weak point likely to leak before full depressurisation is achieved.

• Credit can be taken for passive fire protection when provided. In this case the time to achieve full depressurisation shall be as per the requirements above, lengthened by the time it takes for the vessel (or piping) wall to reach its critical temperature (generally 400°C), considering the characteristics of the fire to which it will be submitted.

Sizing of BDV's to match the above criteria shall be based on the assumption that during a fire all streams entering and leaving the system are shut down and all internal heat sources within the process, if any, have ceased.

6.2.4 Automatic EDP

6.2.4.1 Offshore

All EDP systems, where they exist (always on permanently manned installations and possibly on not permanently manned facilities, refer to Paragraph 6.1.1), shall be triggered automatically by emergency conditions such as a major gas leak, an outdoor fire or voluntary activation of ESD-0 or ESD-1 stations (1).
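The final-pressure rule of Paragraph 6.2.2 and the default depressurisation times of Paragraph 6.2.3 with their two permitted extensions, written as an added worked example for this page (not the specification's own calculation). Counting the wall-thickness credit in complete 5 mm steps, and adding the passive-fire-protection credit after the 30-minute cap, are this example's readings of the text.

```python
"""Added worked example for Paragraphs 6.2.2 and 6.2.3 of GS SAF 261:
EDP final pressure and depressurisation time. Illustrative code for this
page, not part of the specification."""
from __future__ import annotations


def edp_final_pressure_barg(design_pressure_barg: float) -> dict[str, float]:
    """6.2.2: 7 bar g considering fire heat input, or 50% of design pressure
    considering no fire heat input. Each case is evaluated with its own heat
    input assumption; the lower target is reported as the most stringent."""
    fire_case = 7.0
    no_fire_case = 0.5 * design_pressure_barg
    return {
        "fire": fire_case,
        "no_fire": no_fire_case,
        "most_stringent": min(fire_case, no_fire_case),
    }


def edp_time_minutes(
    lpg_or_light_condensate: bool,
    wall_thickness_mm: float = 25.0,
    thickness_credit_justified: bool = False,
    pfp_time_to_critical_min: float = 0.0,
) -> float:
    """6.2.3 default time, plus the two exceptions the paragraph allows.

    thickness_credit_justified: True only when a single vessel (or a group of
        similar vessels on a common BDV) is concerned and nozzles/tappings
        thinner than 25 mm have been shown not to leak before full EDP.
    pfp_time_to_critical_min: time for the protected wall to reach its
        critical temperature (generally 400 degC) under the design fire;
        0 when no passive fire protection is provided.
    """
    base = 8.0 if lpg_or_light_condensate else 15.0   # BLEVE risk vs general HC
    minutes = base
    if thickness_credit_justified and wall_thickness_mm > 25.0:
        # "3 more minutes for every 5 mm in excess of 25 mm", absolute max 30 min.
        # Counting only complete 5 mm steps is this example's conservative reading.
        steps = int((wall_thickness_mm - 25.0) // 5.0)
        minutes = min(base + 3.0 * steps, 30.0)
    # Credit for passive fire protection lengthens the time above by the time
    # to reach the critical wall temperature (read here as additive to the capped value).
    return minutes + pfp_time_to_critical_min


if __name__ == "__main__":
    # Constructed figures for illustration only.
    print(edp_final_pressure_barg(100.0))                   # fire 7, no fire 50
    print(edp_time_minutes(False))                          # 15 min
    print(edp_time_minutes(True))                           # 8 min
    print(edp_time_minutes(False, 40.0, True))              # 15 + 3*3 = 24 min
    print(edp_time_minutes(False, 60.0, True))              # capped at 30 min
    print(edp_time_minutes(False, pfp_time_to_critical_min=10.0))  # 25 min
```

The thickness credit is only applied when the justification flag is set, mirroring the paragraph's conditions; leaving it False gives the default time even for a thick-walled vessel.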


6.2.4.2 Onshore

EDP systems provided on not permanently manned facilities shall be automatic and triggered by outdoor fire or gas detection as well as by activation of ESD-1 emergency stations (1). For all other types of installation a manual EDP pushbutton, interlocked with a permissive-to-EDP instruction from the ESD system, is the preferred alternative unless other site-specific constraints require otherwise.

All BDV's pertaining to one fire zone shall be provided with a common reset capability from the main control room, so that depressurisation can be interrupted by the operator if he judges that EDP is detrimental to safety (e.g. if the relief piping is damaged and the relief flow fuels a fire in the process units). This functionality is required for both automatic and manually activated EDP systems.

Note 1: Wherever an automatic EDP system is provided, the safety of traffic (helicopters, boats, roads, etc.) shall be considered. The design shall include provisions for the implementation of particular operating procedures, which may include temporary overriding.

6.2.5 Phasing

It is considered that depressurising zones not exposed to the hazard could be more dangerous than useful. Therefore EDP shall be split by fire zone; in case of ESD-1, only the concerned fire zone shall be depressurised. Phasing within one fire zone is to be avoided. COMPANY's approval is required if such a phased EDP system is proposed.

6.2.6 ESD-0 and common mode of failure

If EDP is applicable to more than one fire zone, the simultaneous opening of all BDV's of all fire zones, either by activation of ESD-0 or following a general fault, shall be dealt with as follows:

• If the flare/vent system can safely handle the total flow resulting from the simultaneous EDP of all fire zones, no special precaution shall be taken and no EDP phasing by fire zone is required.

• If the flare/vent system cannot handle the total flow resulting from the simultaneous EDP of all fire zones, then phased EDP by fire zone in case of ESD-0 is the only option left, and the BDV's of different fire zones must not have any common failure mode.

The means implemented to avoid common modes of failure or simultaneous EDP of all fire zones in case of ESD-0 shall be carefully devised. They shall cater, among other possible causes, for global failure of the 24 VDC supply to the solenoid valves controlling BDV's and for the reliability of the ESD system. The installation of one UPS dedicated to each zone is highly recommended, along with separated cable routing. The ESD system shall be fault tolerant; it shall be regarded as a HIPS, hence its safety integrity level shall be SIL 4 (instead of SIL 3), its outputs shall be adequately segregated by fire zone and, furthermore, it shall be capable of keeping the solenoid valves energised for a while even after the power supply has been switched off (see also Paragraph 6.2.7).

6.2.7 BDV timers

Local timers (air, gas or hydraulic) shall be installed on BDV's, if necessary, to prevent flare overload. Their use however is acceptable only for short delays (a few seconds, within the limits of the rules set forth in Paragraph 5.6.2), just to ensure that ESDV's are closed before BDV's open.


Local timers are forbidden as a means of achieving phased depressurisation (say, one minute or more). Should such phasing become mandatory, then alternative solutions such as dedicated power supplies comprising their own timer, suitable for operation in zone 1, independent of essential power and not de-energised immediately after ESD-0 or ESD-1 has been initiated, shall feed these consumers.

6.2.8 Controlled de-pressurisation

Controlled depressurisation systems, monitoring flowrates and pressures at various strategic locations of the flare system, are sometimes envisaged in order to minimise the peak flowrate. Such systems are prohibited for new designs. In the case of a revamping, a justification dossier shall be submitted for approval to the COMPANY Operation, Process and Safety departments.

6.3 Protection and functional requirements

The same criteria as prevailing for shutdown devices shall apply to blow-down devices. Refer to the relevant parts of Chapter 5.6, Shutdown devices, 5.7, Physical protection, and 5.9, Additional functional requirements.
