
Engineering Encyclopedia

Saudi Aramco DeskTop Standards

Safety Design Considerations for Hydrocarbon Facilities

Warning: The material contained in this document was developed for Saudi
Aramco and is intended for the exclusive use of Saudi Aramco’s
employees. Any material contained in this document which is not already
in the public domain may not be copied, reproduced, sold, given, or
disclosed to third parties, or otherwise used in whole, or in part, without the
written permission of the Vice President, Engineering Services, Saudi
Aramco.

Chapter: Loss Prevention
File Reference: LPD_ENCY

For additional information on this subject, contact A.M. Alotaibi on 873-4444

CONTENTS

BASIC PRINCIPLES

MINIMIZING THE RISK OF FIRES, EXPLOSIONS

FACILITIES AND EQUIPMENT SPACING

FIREFIGHTING FACILITIES

FIREPROOFING

EMERGENCY SHUTDOWN, ISOLATION AND BLOWDOWN FACILITIES

PIERS, WHARVES/SEA ISLANDS, TRUCK LOADING RACKS, OFFSHORE PLATFORMS

PRESSURE RELIEF

STORAGE OF LPG, NGL AND SIMILAR MATERIALS

PIPELINE AND WELLSITE SAFETY


BASIC PRINCIPLES

This section provides the general basic principles which are to be used in applying safety
considerations to the design of hydrocarbon facilities.

Definitions

Plant Plot Limits

The boundary lines of the smallest hydrocarbon handling equipment area containing a
complete operation or group of operations which may be shut down as a unit for turnaround,
with at least a 15 m (50 ft) separation from other hydrocarbon handling facilities.

Flammable Materials

Flammable materials should be defined as follows:

• Inside Plant Area Battery Limits: Vapors and liquids having flash points of 55 degrees
C (130 degrees F) or below, or being handled at temperatures above their flash point.

• Outside Plant Area Battery Limits: Liquids having flash points of 55 degrees C (130
degrees F) or below, or being handled at temperatures above their flash point.

Flash Point

The minimum temperature at which a liquid gives off vapor in sufficient concentration to
form an ignitable mixture with the air near the surface of the liquid within the vessel as
determined by appropriate test procedure and apparatus in accordance with NFPA 321.

The flash point of liquids having a viscosity less than 5.84 mm²/s (45 SSU) at 38 degrees C
(100 degrees F) and a flash point below 80 degrees C (175 degrees F), should be determined
in accordance with the Standard Method of Test for Flash Point by the Tag Closed Tester,
ASTM D-56.

The flash point of liquids having a viscosity of 5.84 mm²/s (45 SSU) or more at 38 degrees C
(100 degrees F) or a flash point of 80 degrees C (175 degrees F) or higher should be
determined in accordance with the Standard Method of Test for Flash Point by the Pensky
Martens Closed Tester, ASTM D-93. This is the test method normally used for fuel oils and
asphalt.


Low Flash Stocks

Those hydrocarbons having a flash point of less than 55 degrees C (130 degrees F), and any
other materials which may be handled at temperatures above or within 8 degrees C (15
degrees F) of the flash point.

High Flash Stocks

Those hydrocarbons having a flash point of 55 degrees C (130 degrees F) and over. Materials
handled at temperatures less than 8 degrees C (15 degrees F) below their flash point are not
included in this category.

Light Ends

A hydrocarbon material having a Reid Vapor Pressure of 100 kPa (abs) (15 psia) or greater, as
determined by the standard ASTM test. This applies only to materials when they are in the
liquid phase or a combination of liquid and vapor phases. These materials normally vaporize
partially or completely if exposed to the atmosphere and are therefore a greater fire hazard
than heavier hydrocarbons due to the large volumes of vapor generated by a liquid leak or
spill. This includes material like natural gas liquids (NGL) and LPG.

Reid Vapor Pressure (RVP)

The vapor pressure of a liquid at 38 degrees C (100 degrees F), as determined by a standard
laboratory procedure (ASTM Test D-323), expressed in kPa (abs) (psia). This test is applied
only to crude oils, naphthas, gasolines and materials of similar volatility. The vapor pressure of
LPG and similar materials is determined by ASTM Test D-1267.
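
The flash-point definitions above (flammable material, flash point test method, low and high flash stocks, light ends) written out as a classifier. This is an added example, not part of the Saudi Aramco text: the `Stream` record, the function names and the sample values are constructed for illustration, and treating a mixed-phase stream as containing liquid is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Thresholds quoted from the definitions above.
FLASH_LIMIT_C = 55.0         # flammable / low-flash boundary, degrees C
HANDLING_MARGIN_C = 8.0      # "within 8 degrees C of the flash point"
TAG_MAX_VISCOSITY = 5.84     # mm²/s at 38 degrees C
TAG_MAX_FLASH_C = 80.0       # degrees C
LIGHT_ENDS_RVP_KPA = 100.0   # kPa (abs)


@dataclass(frozen=True)
class Stream:
    """Hypothetical record for one process stream (not from the source)."""
    name: str
    flash_point_c: float
    handling_temp_c: float
    viscosity_mm2s: float                 # measured at 38 degrees C
    rvp_kpa_abs: Optional[float] = None   # None where no RVP is reported
    phase: str = "liquid"                 # "liquid", "mixed" or "vapor"


def flash_test_method(s: Stream) -> str:
    """Tag tester only when BOTH viscosity and flash point are below the limits."""
    if s.viscosity_mm2s < TAG_MAX_VISCOSITY and s.flash_point_c < TAG_MAX_FLASH_C:
        return "ASTM D-56"
    return "ASTM D-93"


def stock_class(s: Stream) -> str:
    """Low flash: flash point below 55 C, or handled less than 8 C below it."""
    if s.flash_point_c < FLASH_LIMIT_C:
        return "low flash"
    if s.handling_temp_c > s.flash_point_c - HANDLING_MARGIN_C:
        return "low flash"
    return "high flash"


def is_flammable(s: Stream, inside_battery_limits: bool) -> bool:
    """Inside battery limits vapors and liquids count; outside, liquids only."""
    if not inside_battery_limits and s.phase == "vapor":
        return False
    return s.flash_point_c <= FLASH_LIMIT_C or s.handling_temp_c > s.flash_point_c


def is_light_ends(s: Stream) -> bool:
    """RVP of 100 kPa (abs) or more, liquid or liquid-plus-vapor phase only."""
    return (
        s.rvp_kpa_abs is not None
        and s.rvp_kpa_abs >= LIGHT_ENDS_RVP_KPA
        and s.phase in ("liquid", "mixed")
    )


def classify(s: Stream, inside_battery_limits: bool = True) -> dict:
    return {
        "name": s.name,
        "flash_test": flash_test_method(s),
        "stock_class": stock_class(s),
        "flammable": is_flammable(s, inside_battery_limits),
        "light_ends": is_light_ends(s),
    }


# Constructed sample streams; the values are illustrative, not measured data.
SAMPLES = [
    # Flash point exactly 55 C: "flammable" (55 or below) yet a high flash
    # stock (the low flash definition requires strictly less than 55).
    Stream("A: thin liquid, flash exactly 55 C", 55.0, 30.0, 1.6),
    # High flash point but handled only 5 C below it: treated as low flash
    # stock, although it does not meet the "flammable" definition.
    Stream("B: viscous liquid handled hot", 90.0, 85.0, 40.0),
    # Volatile liquid with high RVP: low flash, flammable and light ends.
    Stream("C: volatile liquid", -40.0, 25.0, 0.3, rvp_kpa_abs=500.0),
]

if __name__ == "__main__":
    for stream in SAMPLES:
        print(classify(stream))
```

The first two samples show that the "flammable" and "low flash stock" definitions do not coincide at the boundaries, so a design review should evaluate each one separately rather than inferring one from the other.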

Explosive Limits

The range between the minimum and maximum concentrations of flammable vapor in air
which form explosive (flammable) mixtures. The concentration is usually expressed as a
percentage by volume. The limits are normally expressed as L.E.L. (Lower Explosive Limit)
and U.E.L. (Upper Explosive Limit). Below the L.E.L. the vapor concentrations are too lean
to form a flammable mixture; above the U.E.L. the mixture is too rich to form a flammable
mixture.

Toxic Material

A material which is capable of causing injury to personnel once it reaches a susceptible site on
or in the human body. The following sub-classifications are to be used as a basis for the
specification of safety features in the design phase:


Severely Toxic Materials

Materials which are harmful by inhalation or by skin or eye contact, of sufficient severity to
require the use of special protective equipment such as breathing apparatus or special clothing
by operators to guard against even minor exposures that might occur during normal
operations. Examples of such materials are hydrogen sulfide, sulfuric acid, tetraethyl lead and
tetramethyl lead.

Moderately Toxic Materials

Materials which are harmful by inhalation or by eye or skin contact, but where the hazard is
such that standard protective clothing provided for the operators (gloves, coveralls, goggles,
hard hats) is adequate to protect them against minor exposures during normal operations.
Examples of such materials are dilute chemical solutions, steam and most hydrocarbons.

Threshold Limit Value (T.L.V.)

The highest concentration of a toxic substance in the air to which personnel may be exposed
for eight hours per day for an indefinite period without danger to their health.

Emergency

An interruption from normal operations in which personnel or equipment are endangered.

Contingency

An abnormal event which is the cause of an emergency condition. A single contingency is a
single abnormal event causing an emergency.

Single Risk

The equipment affected by a single contingency.

Autoignition Temperature

Autoignition Temperature is the lowest temperature required to cause self-sustaining
combustion, without the introduction of an ignition source, of a flammable material when its
vapor is mixed with air in a flammable concentration. The autoignition temperatures of most
hydrocarbons fall in the range of 200 degrees C to 540 degrees C (400 degrees F to 1000
degrees F). An arbitrary autoignition temperature of 315 degrees C (600 degrees F) is often
used as a criterion of a material's flammability hazard in certain phases of safety design.


Electrical Area Classification

Class I Location

A location in which flammable gases or vapors are or may be present in the air in quantities
sufficient to produce explosive or ignitable mixtures. Within this and other classes there are
two divisions which should be recognized.

Division I

Those areas in which hazardous concentrations of flammable gases or vapors are likely to be
present under normal operating conditions, viz., those where the probability of flammable
atmospheres occurring is estimated to be more than one hour in 10,000 hours. Such
atmospheres may occur through frequent releases, or through infrequent releases, or releases
of small amounts of flammable vapors under conditions of inadequate natural or artificial
ventilation.

Division II

Areas likely to have flammable gases or vapors present under abnormal conditions, viz., those
where the probability of flammable atmospheres occurring is estimated to be less than one
hour in 10,000 hours and more than one hour in 1,000,000 hours. Such atmospheres may
occur under conditions of adequate natural or artificial ventilation, through infrequent release
or release of small quantities of flammable vapors.

Unclassified Areas

Area located completely outside Division I and II classified areas. (These are areas where the
probability of flammable atmosphere occurring is estimated to be less than one hour in
1,000,000 hours).

Enclosed spaces in Division II classified areas which are ventilated or pressurized by air taken
from unclassified area locations, and where the enclosed space itself is free of a release
source. Ventilation should be provided artificially or by pressurizing the enclosed space.

Pyrophoric Material

A material which is spontaneously combustible upon exposure to air at ambient temperatures.

Detonation

A high-severity explosion of a flammable vapor/air mixture which develops in such a way that
pressure waves build up to extremely high pressures.


Fires and Explosions

The basic approach to facilities design should be toward minimizing the risk of fires and
explosions as follows:

Elimination of Flammable Mixtures

Many processes and procedures involve the use of air within the equipment, or potential entry
of air by leakage or entrainment. Examples of this are various types of combustion
equipment, plant startup and shutdown, regeneration and de-coking systems and vacuum
processes. Since only the introduction of a source of ignition is necessary to initiate an
explosion, the formation of a flammable vapor/air mixture in the explosive range within
process equipment represents one of the most dangerous situations that can exist in a
hydrocarbon facility.

Prevention of Uncontrolled Releases and Location of Controlled Releases

Equipment failure or operating error is usually the cause of uncontrolled releases of
flammable vapors or liquids. Equipment failure may be a function of the inherently more
vulnerable nature of such components as furnace tubes, piping systems or machinery, or it
may be due to construction materials being subjected to operating conditions more severe than
those which they are capable of withstanding.

Adequate equipment drainage and safe disposal facilities should also be provided to avoid
dangerous accumulations of flammable hydrocarbons when equipment is taken out of service.

Another potential source of a release of flammable hydrocarbons is atmospheric tankage. The
releases may result from over-filling, excessive vapor evolution or boil-over under fire
conditions.

Minimize Ignition Sources

Recognizing that it is not always possible to completely control the preceding factors by
design, the next step is to design with a minimum of ignition sources being present.

Overstressing

Many vessels, columns, towers, etc., in a hydrocarbon facility are operated under elevated
pressures and temperatures. These vessels are designed with a factor of safety large enough to
prevent failures of the material under normal operating parameters. Upsets in the normal
conditions may result in the yield stresses of the material being exceeded due to excessive
pressure or temperature, or both. These upsets could be caused by heat from an exposing fire,
overfilling, instrument failure, thermal expansion of fluids, improper closing of valves, and
many other acts of omission or commission by operators.


It is not possible to design out all the above contingencies; therefore, the design should
include protective features to prevent a catastrophic failure when the upset does occur.

Consideration of Contingencies

In order to establish a basis for the design of pressure relief facilities, all possible contingencies
which could result in overstressing should be considered and the resulting overpressures
evaluated. This will also help establish a basis for the selection of materials to be used in the
design of equipment to withstand the highest pressures that may occur. Overstressing due to
excessive temperature contingencies cannot be eliminated by the installation of pressure
relieving devices; therefore, a basis for appropriate temperature alarms or control
instrumentation should be established.

Protective facilities are normally sized on the basis of handling the largest release resulting
from a single contingency, without exceeding the design pressure of the equipment.

Operational Factors Affecting Safety

Facility design should include provisions which will allow operating and maintenance
personnel to carry out their assigned duties safely and effectively, without being unduly
exposed to the risk of fire, explosion or accident to them or the facility. This goal can be
achieved by the mandatory features outlined below:

Adequate access platforms, ladders, guards on equipment, safety showers and similar facilities
which help insure safe working conditions for personnel.

Adequate instrumentation, controls and alarm systems to enable the operating crew to provide
safe and effective operation of the facility.

Facilities such as purge connections, drainage systems, etc., which will permit the safe startup
and shutdown of individual items of equipment or an entire facility.

Process Factors Associated with Safety

The complexity of modern processes introduces additional factors which affect the safety of
facilities. These factors should be taken into consideration in the design of facilities, with the
actual and potential hazards of the process identified. Some of these factors are:

(a) Increased severity of operating conditions such as very high temperatures or
pressures.
(b) Unstable processes where decompositions, temperature runaways, or other
unstable reactions are possible.
(c) Fluid properties and characteristics such as flammability, vapor pressure, auto-
refrigeration, corrosion, toxicity, and chemical reactivity. This includes
allowing for the variations in the above properties which may occur under
abnormal operating conditions.
(d) Processes undergoing frequent startup and shutdown, where the opportunities
for operating error are greater than normal.

Environmental Factors Affecting Safety of Facilities

Environmental or climatic hazards can pose serious problems, and should be recognized and
taken into consideration in facilities design. Dust and sand storms create problems in
machinery lubrication systems, lightning is a source of ignition of atmospheric vents of
hydrocarbons, and high winds can cause damage to equipment or personnel injury.
Appropriate Engineering Standards or special design measures should be applied when these
problems exist.


MINIMIZING THE RISK OF FIRES, EXPLOSIONS

This section contains considerations which should be incorporated in the design of facilities in
order to minimize the risks of fires and explosions.

Safe Disposal of Equipment Drainage, Contaminated Effluents and Vents

The drainage and vent discharges from equipment can be serious fire and personnel hazards if
they are not provided with safe means of disposal.

Minimizing the Potential for Heater Tube Failure

The following features should be provided:

a. A provision for low process flow to actuate shutoff valves in all fuel streams to
the heater except pilot gas.
b. All heaters to be provided with a high temperature alarm in the coil
outlet, independent of the temperature controller for process fluid.
c. Steam connections for purging or reduction of coke formation should be
installed.
d. The heater feed pump is to be provided with a reliable spare. This may be an
electric motor driven unit with a separate power supply, or a steam turbine
driven unit may be used if the electric power source is not available. Provisions
for automatic cut-in of the spare pump are required only under special
situations such as remote location or high coking rates.
e. To insure equalized flow distribution in multi-pass furnaces, install means of
controlling flow in the inlet to each pass.
f. Process temperature measurement should be provided in accordance with
Refinery and Producing Instruction Manuals.

Static Electricity

The movement of petroleum products will result in the generation of an electrostatic charge.
Under certain conditions this charge can accumulate to sparking potential. With an
understanding of the mechanisms involved and appropriate design procedures, the hazard of
ignition of flammable concentrations of vapors may be effectively eliminated.

Lightning

The potential of damage from lightning is greatest around tank farms where flammable vapors
are normally present.


Autoignition

Many of the common processes in use today operate at temperatures within the normal 200
degrees C to 540 degrees C (400 degrees F to 1000 degrees F) autoignition temperature range
of most hydrocarbons.

Pyrophoric Materials

The spontaneous ignition of pyrophoric materials when exposed to the atmosphere can be
prevented by keeping them damp until they can be safely disposed of. This is accomplished
by steaming out before opening equipment except in remote areas where water should be
used.

Sparks from Electrical Equipment

In order to minimize the chances of a spark from electrical equipment igniting flammable
releases in a facility, the following steps should be taken in designs:

A. An electrical area classification map should be prepared.
B. After the areas are classified according to the above, all electrical equipment
should be specified and installed accordingly.

Prevention of Fires and Explosions in Combustion Equipment

Air is mixed with fuel gas for combustion in such equipment as steam boilers, fired process
heaters, combustion gas turbines, inert gas generators and sulfur recovery plant reactor
furnaces. All of this equipment has the inherent hazard of explosion rather than controlled
combustion in the case of:

A. Flameout with subsequent re-ignition.
B. Explosion during initial light-up if the proper pre-purge of gas from the
combustion chamber and downstream equipment has not been carried out.

To protect against these hazards, all combustion equipment should be provided
with flame-out protection devices and a means of purging any combustible
mixture before initial or subsequent light off of the equipment.

Flameout protection should be provided by flame detection devices which detect the presence
of a flame and shut off the main fuel supply valves if the flame goes out, or use of pilot gas
from an independent source.


Air Intakes

The location of air intakes in relation to hydrocarbon release points is very critical to their
safety, since any gas in the vicinity may be drawn in, thus introducing the potential for an
internal explosion since ignition sources are normally present. This applies to air intakes for
all plant purposes, such as combustion air for furnaces, internal combustion engines and
combustion gas turbines, pressure ventilation or air conditioning of control rooms and
switchgear and substation buildings, regeneration and oxidation processes, cooling and
compressed air systems, analyzer houses, offshore GOSPs, etc.

Atmospheric vent stacks from equipment are used for safety valve releases and various
purge and noncondensable streams, when permitted by design criteria of pollution, radiant
heat, dispersion, ground level concentration, etc.

A small or intermittent flow of flammable vapor into an atmospheric vent stack introduces the
potential for a flammable vapor/air mixture to be formed in the vent line by buoyancy and/or
diffusion effects at the open end. An alternative mechanism for the formation of potentially
flammable mixtures exists when air as well as flammable vapor can enter a system vented to
atmosphere or to flare. Although designs should not permit such air discharges into vent or
flare headers, the inadvertent entry of air may occur under some conditions such as by leakage
if there should be a draft in the header system.

Ignition of such flammable mixtures in vent systems may occur by lightning, causing
explosion and possibly detonation. In the case of flares, the pilot constitutes a continuous
ignition source for any flammable vapor/air mixture which may be formed in the stack or
upstream system.

Deposits of pyrophoric materials in vent or flare systems should also be considered as possible
ignition sources.

Flare systems should always be provided with flashback protection, normally a water seal or
continuous gas purge.

Condensable blowdown tanks and drums, and water disengaging drums, when vented to the
atmosphere, should be provided with flashback protection, by means of continuous steam or
inert gas purge.

Design of Flashback Protection for Atmospheric Vents

Flashback protection, when required, may be as follows:

a. Continuous steam or inert gas purge to the vent line is the preferred method.
Low point drainage should be provided if steam is used. The purge connection
should be provided with a restriction orifice to control the required flow.


b. A water seal at the base of the vent stack, designed on the same basis as a flare
seal.
c. Flame arrester. This is the least desirable alternative since arresters are subject
to corrosion and blockage. A flame arrester is not permissible in any safety
valve release system. Flame arresters are normally installed with isolating
valves for maintenance. Location is critical to their effectiveness and they
should be installed near the discharge end of the vent. Locations upstream of
the open end should be used only after checking that the type of arrester and
flame propagation properties of the gas are suitable.

Snuffing Connections for Atmospheric Vents

In addition to the above requirements for flashback protection, means of snuffing vent fires
are required in certain cases. A nominal 1 inch steam snuffing connection, manually operated
at grade at least 7.5 m (25 ft) horizontally from the vent, can be provided for vents handling
continuous or intermittent releases of hydrogen (35%), methane (35%) or vapors above
autoignition temperature.

Atmospheric Tankage

Boilovers occur when the temperature of product in a storage tank is sufficient to boil any
water that is introduced into the tank. This boiling produces steam below the surface of the
oil, resulting in the formation of oil froth, often with sufficient violence to rupture the weak
shell-roof weld seam of a cone roof tank. The resulting spill of low density oil froth may
rapidly fill and overflow the tank dike and spread to a source of ignition, causing a major fire.
Boilovers are usually caused by:

a. Routing water or a product stream containing water into a "hot" tank (a tank
operating above 75 degrees C (165 degrees F)). This may be the result of
incorrect stream routing, or heat exchanger tube leakage if the plant stream to
the hot tank passes through a water cooled exchanger with higher pressure on
the water side.
b. Light hydrocarbons inadvertently routed to "hot" tanks have the same effect as
water; incorrect routing or exchanger leakage may be the basic cause, as above.
c. Routing a hot stream to a "cold" tank (i.e., a tank normally operating below 95
degrees C (200 degrees F)) long enough to raise the tank temperature to the
boiling point of the water present in the tank bottom. This may be the result of
incorrect stream routing, or the loss of cooling capacity on a plant product
stream.

Overfilling and other tank spills. Fire hazards may also arise from other types of spillage of
tank contents into the surrounding area. These may include:


a. Overfilling.
b. Failure of tank connections or associated piping.
c. Unattended withdrawal of water from the tank bottom.
d. Failure of a floating roof drain, with the external drain valve left open.
e. Sinking of a floating roof, due to mechanical failure or accumulation of water,
resulting in the hazardous exposure of the entire tank liquid surface.

Excessive Vapor Evolution

A limit of 90 kPa (abs) (13 psia) true vapor pressure at storage temperature is established to
define the lightest petroleum fraction which can be safely stored in atmospheric tankage without the
risk of excessive vapor evolution. If, however, lighter hydrocarbons are routed into an
atmospheric tank, or if the tank temperature is allowed to rise such that the true vapor pressure
of the contents approaches atmospheric pressure, then a hazardous uncontrolled release of
hydrocarbon vapor from the tank vent will result. The basic cause of such incidents may be
incorrect stream routing, faulty upstream blending operations, exchanger tube leakage, loss of
level or loss of stabilization in upstream process plant, or loss of cooling capacity on a plant
product stream.

Internal Explosion

Floating roof tanks do not contain a vapor space and are not subject to internal explosion,
except during initial filling operations before the roof is floated. There is, however, always a
vapor-air mixture in the vapor space of a cone-roof atmospheric storage tank, with the
composition of the mixture depending on the quality and temperature of the liquid in the tank
and the physical operations involved such as filling, mixing or emptying. For some petroleum
fractions such as jet fuel the vapor space is in the flammable range at normal storage
temperatures, and is therefore subject to the risk of an internal explosion if an ignition source
is present. In considering the explosion hazard in cone-roof tanks, it should be recognized that
the true vapor composition may vary appreciably from the normal composition as a result of
contamination or upstream plant problems.

Protection Features to Handle Tankage Hazard

The design features required to protect tankage and minimize damage in the event of fire,
explosion or excessive vapor evolution are summarized below:

a. Install adequate vent capacity in accordance with API Standard 2000.
Selection of open or pressure-vacuum type of vents should be in accordance
with API Standard 2000.
b. Overpressure protection for all cone roof tanks should be provided.
Two methods are allowed by API Standard 650:

1. A weak roof-shell weld seam.
2. Emergency venting devices in accordance with API RP 2000.

The preferred method on Saudi Aramco tankage is the weak roof seam method, since it has
the advantage of protecting against both internal explosion and excessive vapor evolution.
Dome roof tanks cannot use the API 650 weak roof seam and should be protected by
emergency venting devices in accordance with API RP 2000.

c. Provide spacing and diking.
d. Provide fixed air foam systems for tanks.

Cross Contamination Between Plant Systems

Inadvertent leakage or flow reversal in different process systems may result in hazardous
situations. For example, the contamination of a steam header by leakage of hydrocarbon into
it at one point may spread to a number of steam consuming points. The entrained
hydrocarbon may eventually be released to the atmosphere through steam traps, or if steam is
injected into a regeneration system, a flammable vapor/air mixture could be formed. It should
be noted that local depressuring of a steam supply header may permit back-flow from the
process equipment, even though the normal steam supply pressure is higher than the process
pressure. The following design requirements should be included where appropriate, to
minimize cross-contamination hazards.

Heat Exchanger Leakage

Contamination of product streams as a result of heat exchanger tube
leakage may introduce a hazardous change of conditions in the receiving tankage.

Adequate purging of air at startup and of process fluids at shutdown of process equipment is
essential to avoid formation of air/gas mixtures which might pass through the explosive range.
The same applies to the purging of furnace and boiler combustion spaces before any burners
are lit, to be sure that a flammable mixture is not present which could result in an explosion.
Designs should cover consideration of the purging methods to be used (steam, water, inert gas,
evacuation) and include adequate purging and venting connections.

If water flooding is to be used for purging, checks should be made to insure that the
equipment is mechanically capable of handling any increased loads resulting from the weight
of purging water. Similarly, if steam purging is to be used, equipment may be exposed to
temperatures higher than those in normal operation, and design temperatures should be
specified accordingly. Even small items of equipment such as pumps or exchangers, which
traditionally have not been purged before commissioning, should be reviewed to determine
whether explosive mixtures and adiabatic compression heating to ignition temperature could
occur. If so, then purging should be required.


Facility Design for Safe Startup and Shutdown

The following items are to be included in design:

A. The design and layout of piping systems and valving should be such that all
lines within the plant plot limits can be taken out of service during turnarounds.
B. Sufficient spare equipment, bypasses, and isolation valves to permit anticipated
onstream maintenance without interruption to plant operations.
C. A means of safe disposal of equipment contents when the equipment is being
taken out of service for maintenance.
D. Disposal means for diversion of process streams and off specification products,
purge connections, feed and product manifolding, unit bypasses, etc., should be
included for startup, shutdown and upset situations.
E. Fired process heaters with stacks connected into a common header should be
provided with a flange and blinding plate in the flue gas ducting to permit safe
individual isolation for maintenance. The blind should be downstream of the
damper to allow maintenance access to the damper.
F. Steam boilers discharging steam into a common header should have a shutoff
valve for isolation from the header in accordance with ASME Boiler Code,
Section I - Power Boilers.

FACILITIES AND EQUIPMENT SPACING

This section presents considerations in the design and layout of new facilities, and in the
expansion or modification of existing facilities.

Plant layouts for new construction should provide for a maximum of safety from the spread of
fire, with ease of operation and maintenance consistent with economical design.
Requirements for future expansion should be recognized and reasonable allowances made.

The basic objectives of spacing design are as follows:

• To minimize involvement of adjacent facilities in a fire.

• To permit access for fire fighting.

• To ensure that critical emergency facilities will be accessible for operators to perform
emergency shutdown actions in the event of a fire or explosion.

• To segregate high risk facilities or equipment from less hazardous operations and
equipment.

• To separate continuous ignition sources from probable sources of release of flammable
materials.

• To permit access by plant personnel for normal operation and maintenance of
equipment.

• To avoid danger or nuisance to persons or facilities beyond the adjacent property lines.

• To ensure site security.

• To ensure that there are reasonable avenues of escape for personnel in the event of a
fire.

Details of facilities safety requirements can be found in SAES-B-055.

FIREFIGHTING FACILITIES

This section covers design considerations for the various equipment components of the
firefighting systems.

Single Fire Concept

The extent and capacity of the firefighting equipment to be provided in a hydrocarbon
processing plant or handling facility is based on the assumption that only one major fire will
occur at any one time. Thus the design of the major firefighting facilities will be determined
by the requirements of the largest single fire contingency. However, the sizing of the
firefighting system components may not be set by the same single fire contingency, since
different firefighting techniques are required on various hydrocarbon processing plants and
offsite facilities. For example, fire water capacity is usually a function of process unit
requirements, whereas the capacity of the foam system is usually determined by tankage
requirements.

Major Fire Risks and Firefighting Methods

The areas of major fire risk are process units, tankage areas, piers, wharves and Sea Islands,
and GOSPs. Water is the most effective medium to be used in controlling fires in process
areas. Proper application of water streams will keep adjacent structures and equipment cooled
so as to prevent further failures which can add to the fuel supply feeding the fire. Foam can
be used effectively to control some fires, such as in liquid spills, but the application of water
is still of primary importance as far as design capacity of a firewater system is concerned.

Tankage areas and pressurized storage areas are of particular concern due to the large
flammable liquid inventories involved. Foam is the primary extinguishing agent for tank seal
fires on floating roof tanks only, with water normally used for the cooling of adjacent tanks.
For pressurized or refrigerated LPG storage, water is the primary agent to be used in cooling
exposed facilities until the fuel supply feeding the fire can be isolated or reduced by water
flooding of the vessel involved.

Tanker loading facilities such as piers, wharves and Sea Islands and offshore producing
facilities such as GOSPs present unique problems due to limited access for firefighting
purposes; consequently they require special firefighting equipment. Water and foam are both
needed for extinguishment. Oil spills on water can be more effectively controlled by the
application of foam, while releases of volatile materials such as LPG are more effectively
controlled with water.

Water is the primary agent to be used in onshore GOSPs for fire protection. Water and foam
are both applicable for use on offshore GOSPs.

Proper accessways for firefighting equipment should be included in the design.

For offshore GOSPs, piers, wharves and Sea Islands with limited or no access by land based
equipment, provisions should be made for fire boat protection and fixed protection systems.

FIREPROOFING

This section covers design considerations to be used in the fireproofing of load-bearing steel
structural members supporting vital hydrocarbon handling facilities.

The basis of safe facility design is to eliminate the foreseeable risks of fire and explosion.
Experience has proven that this goal is not possible or feasible to attain because of equipment
failure or operating error. For this reason, design features should be included to minimize the
resulting damage. Of the feasible design features available, fireproofing is of major
importance.

Fireproofing of certain critical equipment and supporting structures in fire hazardous areas
enables a fire exposure to be tolerated while a fire is being brought under control and
extinguished, without major collapse or further failures which would increase the fuel supply
to the fire.

Fireproofing should also be considered in conjunction with fire protection and controls for
emergency facilities such as emergency shutdowns, isolation valves and blowdowns, fixed
water spray systems, and specialized firefighting equipment.

Basically, fireproofing is warranted for steel, load-bearing structural members that support
operating equipment and piping and other auxiliary equipment, if an exposure to fire could
result in the failure of these members, and thus significantly contribute to increasing the loss,
either by physical damage or release of additional fuel to the fire.

Fireproofing is not warranted where:

• Failure of structural members, which support any operating equipment, piping and
other auxiliary equipment, would not significantly affect the overall loss through
increased fire intensity or its duration, or greater physical damage.

• Plant layout, exposure and degree of fire protection are such as to minimize the
probability of structural failure due to fire exposure.

• Approved reinforced concrete structures should be considered sufficiently fire-resistant
so as not to require any additional fireproofing.

EMERGENCY SHUTDOWN, ISOLATION AND BLOWDOWN FACILITIES

This section covers basic requirements for emergency shutdown and isolation systems.

Emergency Shutdown System

A system which will shut down a plant or other facility under emergency conditions, either
automatically or by pushing one remote pushbutton which will actuate remote block valves to
stop the flow of flammable liquids or gases, stop the heat input to process furnaces or
reboilers, and stop the rotation of associated machinery (especially pumps).

Emergency Isolation System

A system of valves to isolate a piece of equipment or unit involved in a fire or other
emergency, thus limiting the supply of fuel. This may be an individual pump, vessel or
compressor, etc., or it may encompass the entire area inside the plant plot limits of a process
unit.

The basis of safe facility design is to eliminate the foreseeable risks of fire and explosion.
Since it is recognized and proven by past experience that such incidents may still occur,
facility designs should therefore include features to minimize the resulting damage when an
incident does occur. The provision of emergency facilities to stop, as rapidly as possible, the
release of flammable material that is feeding the fire is of major importance in this respect.
Facilities to be provided include the following:

(a) Remote shutdown systems.
(b) Equipment isolation provisions.
(c) A means of removing the flammable material inventory from the equipment.
(d) Liquid displacement of flammable materials by water.

Each of the above four subject areas will be covered in this section.

Remote Shutdown Systems

Remote shutdown systems allow the operators to expedite the shutdown of a plant in an emergency situation by remotely
carrying out functions such as shutting down major machinery, stopping heat input to furnaces and
reboilers, and shutting off critical flows such as air to oxidation processes. They also serve as
a means by which machinery may be remotely shut down in the event of mechanical
malfunctions when there is a possibility of imminent catastrophic failure due to the mass of
the machinery involved.

Remote shutdown systems are normally required for all hydrocarbon handling plants and
facilities. Individual ESD systems may be required for components such as pumps,
compressors and furnaces.

Emergency Isolation Systems

Emergency isolation systems, with valves installed at strategic points throughout the facility
and manually or remotely operated from a location, permit the affected section to be isolated
from other sections of the plant or facility. This permits the inventory of fuel feeding a fire
to be limited to a small area or group of vessels. In the event of a widespread fire, it is
necessary to shut in the whole unit by closing valves at plant plot limits. Mechanical failures
of machinery, furnace tubes and some other vulnerable equipment are recognized as common
causes of major fires.

The best method of reducing the duration and intensity of a fire is to provide a method of
quickly removing the supply of flammable material in the affected section of the facility. This
generally involves the removal of liquids or depressuring, or both. This may be accomplished
by the use of normal process disposal means and routes, or by the use of special vapor
blowdown or liquid pulldown facilities. Although it is not necessarily a design requirement to
be able to completely empty the equipment within a specified time, it is intended that the
overall combination of emergency facilities and fire protection be capable of bringing the fire
under control within one hour.

Instrument Failure Considerations

Consideration of instrumentation failure should be included in the design of emergency
systems, on both a plant-wide and an individual basis (e.g., action of individual emergency
controls under failure from fire exposure).

Action of process control valves on failure of signal and actuating utility supplies is required
to minimize the overall hazards arising from a plant-wide failure such as that of instrument air.
This objective is generally achieved by requiring sources of heat input and feed and product
streams to be shut off. This boxes the plant in, any resulting pressure being relieved through
the pressure relief valves; and since there is no need for emergency removal of the plant
inventory, this situation is considered safer than uncontrolled dumping of plant contents into
tankage or other units. Thus, plant-wide instrumentation failure results in a plant shutdown
but does not remove the flammable inventory. Operator action is necessary to effect the latter
step, using the available blowdowns, pulldowns, or normal disposal routes, as described
above.

Water flooding connections are installed on spheres and spheroids which are designed for
pressures in excess of 70 kPa(ga) (10 psig), and are sometimes provided on other equipment,
to protect against uncontrolled release of flammable material at the bottom connections or at
the pumps withdrawing liquid from the vessel. In such a contingency, injected water will
displace the liquid hydrocarbon up the vessel, so that only water escapes through the point of
failure. This method requires a source of water at a pressure higher than the vessel design
pressure, plus accumulation and static head, and should not be provided if the operating
temperature is above 95 degrees C (200 degrees F). Water flooding connections have limited
application but may be considered as an alternative to isolation or liquid pulldown facilities on
large volatile liquid inventories in high risk areas.

PIERS, WHARVES/SEA ISLANDS, TRUCK LOADING RACKS, OFFSHORE PLATFORMS

This section covers the safety in design of offsite hydrocarbon handling facilities listed above.

Loading Arms

Loading arms are the preferred means of product transfer. They should be of Chiksan or other
approved design, constructed of steel pipe with swivel joints. They should be equipped with
insulating flanges in order to electrically isolate the ship from shore facilities.

General

Truck loading racks present an additional degree of potential fire risk not unlike that of a
marine terminal. Many of the same potentials apply: the possibility of a spill in the event of a
hose or loading arm failure, the venting of nonpressurized tanks to atmosphere during loading,
possible overfilling, and the hazards associated with tank trucks near process equipment.
Facility design should therefore minimize the possibility of uncontrolled release of flammable
materials, minimize ignition sources, and include adequate fire protection.

Offshore GOSP platforms and related facilities introduce problems which do not arise in the
design of other facilities covered in other sections of this Design Practice. Examples are:
isolation from normal land-based firefighting equipment; increased restrictions to access by
firefighting personnel; adverse effects of weather on the approach of fire tugboats, which
force increased reliance on fixed systems that can easily be put out of operation by an
explosion on the platform; and increased difficulties in the evacuation of personnel in an
emergency situation.

In view of the importance of the offshore platforms to the overall operations, it is necessary to
minimize the fire and explosion hazard by minimizing potential sources of hydrocarbon
release, minimizing ignition sources, and providing adequate fire protection and firefighting
capability by good design and effective operating procedures.

More information can be found in SAES-B-009.

PRESSURE RELIEF

This section describes the basic safety principles for the evaluation of overpressure potential
in plant equipment.

Normal Contingencies

All contingencies which may result in equipment overpressure should be considered,
including external fire exposure of equipment, utility failure, equipment failures and
malfunctions, abnormal processing conditions, thermal expansion, start-up and shutdown, and
operator error.

For each contingency, the resulting overpressure is evaluated and the need for appropriately
increased design pressure (to withstand the emergency pressure), or pressure relieving
facilities to prevent overpressure (with calculated relieving rates), is established.

Overpressures which may occur at normal or below normal pressures, due to the reduced
permissible stresses at higher than design temperatures, are also evaluated and appropriate
protective features applied in the design. For example, such conditions may result from
chemical reactions, start-up or upset conditions. Likewise, low metal temperatures, such as
from autorefrigeration, should be considered to ascertain that brittle fracture conditions do
not develop.

Remote Contingencies

There can be contingencies which can occur on occasion but are remote and are not to be
considered within the code allowable pressure. There can be situations where two or more
simultaneous contingencies should be taken into account where there is some remote
interrelationship between them, and the overpressure developed could result in catastrophic
failure. Such contingencies should be considered, but higher than code allowable pressures
could be acceptable. Some of the remote contingencies are:

(1) Tube failures in heat exchanger equipment.
(2) Operator closure of a process valve which is car sealed open.
(3) Double contingencies with remote interrelationship where catastrophic failure
could result.
(4) Plugging of catalyst beds.
(5) Failure of a control valve in the open position while its bypass is open.
(6) Complete failure of multi-plant overall utility system.

Typical Overpressure Producing Contingencies to be Protected Against

Every pump, compressor, steam turbine, process furnace, shell and tube equipment, power
boiler, unfired pressure vessel, pressure reducing station, and piping which can be blocked in,
should be studied individually and every possible operating contingency should be evaluated
that could lead to an overpressure above the design pressure of any of the above.

The principal operational contingencies to be protected against are as follows:

• Exterior fires
• Failure of pressure control
• Chemical reaction
• Closed outlets on vessels
• Utility failure - electric power, cooling water, steam, instrument air, instrument
power, fuel
• Equipment malfunctions
• Reflux flow failure
• Abnormal process heat input
• Hydraulic expansion in blocked-in piping
• Pressure increase due to reduction of system friction losses at reduced flows
• Increase in pump discharge pressure at reduced flows due to shape of the pump
characteristic curve

Equipment to be Protected

All vessels subject to overpressure by fire should be protected by PZV valves, with the
following exceptions:

(a) Small vessels with volumes of 150 L (5 ft³) or less that normally contain
no liquid, since failure of the shell from overheating could occur even if a PZV
were provided. Examples of this are fuel gas knockout drums, compressor
suction knockout drums, and air surge and storage drums used on large,
piston-operated valves.
(b) Vessels less than 600 mm (2 ft) in diameter do not need to be considered for
fire exposure if they basically are constructed with pipe and pipe fittings. This
is on the basis that piping is not provided with protection against overpressure
from this contingency. If overpressure can result from contingencies other than
fire, however, PZV valves are required.

(c) Pressure relief devices are not provided for fire exposure of heat exchangers,
condensers, coolers, air fin coolers, or piping, nor should the wetted surface of
such equipment be considered in calculating fire heat input to the system. An
exception would be where such vessels have inlet and outlet control valves
which could fail closed under fire exposure.

Another exception would be reboilers directly associated with towers if the reboiler normally
contains more than 3800 L (1000 gal) of liquid. Usually, any block valve on the vapor line
between the reboiler and the associated tower will be car sealed open and the vapor generated
by heat input to the reboiler would be added in sizing the tower relief valves.

Protection of Vessels From Fire Exposure, In Addition to Pressure Relief

Pressure relief valves cannot protect a vessel that becomes locally overheated on an un-wetted
surface, although they do prevent the pressure from rising beyond the accumulation pressure
on the valve. However, in such cases the vessel may be effectively protected against failure
by either one of two methods for mitigating the effect of fire:

(a) The Reduction of Pressure by Depressurizing. The reduction of pressure in a
vessel exposed to fire has the advantage of not only reducing the metal stress to
a value that will not result in failure, but also of reducing markedly the quantity
of fuel that might feed the fire.
(b) An Effective Limitation of the Heat Input. Application of firewater from fixed
and mobile fire fighting facilities is the primary method of cooling equipment
which is exposed to fire. Further protection by fixed water deluge or spray
systems, or fireproofing, is applied in areas of particularly high fire risk.
However, in sizing PZV valves, no credit is taken for reduced heat input due to
application of cooling water since it cannot be considered 100% effective in all
fire conditions.

Utility Failure as a Cause of Overpressure

General Considerations

Failure of the utility supplies (e.g., electric power, cooling water, steam, instrument air,
instrument power, or fuel) to refinery plant facilities and related hydrocarbon handling and
processing facilities will in many instances result in emergency conditions with potential for
overpressuring equipment. Although utility supply systems are designed for reliability by the
appropriate selection of multiple electric generating and distribution systems, spare
equipment, backup systems, etc., the possibility of failure still remains.

For the purpose of these pressure relief design considerations, a process unit is defined as one
which meets all the following criteria:

(1) It is segregated within its own clearly identifiable plant plot limit boundary.
(2) It is supplied with each utility through one or two laterals from an offsite
header.
(3) It can shut down and operate independently.
(4) It constitutes a complete processing function.

The basic rules for considerations of overpressure protection required because of such failures
are as follows:

(a) Loss of any utility to any one plant or unit should be considered only on a
single contingency basis.

(b) Failure is considered on a local basis; i.e., loss of utility supply to one item of
equipment such as electric power to a pump motor. Total plant-wide utility
failure in multi-unit facilities would be considered a remote contingency.

(c) For a process unit or facility with its own segregated and self-contained closed
PZV disposal system, only a utility failure to that unit need be considered for
the purpose of sizing the safety facilities. However, when two or more units
share a closed disposal system (e.g., a common blowdown drum and/or flare),
the design procedure should include consideration of the potential for single
contingency utility supply failures are not normally used as a basis of sizing the
safety facilities, see (b) above.

(d) Evaluation of the effect of overpressure, attributable to the loss of a particular
utility supply, should include the chain of developments that could occur and
the reaction time involved. In situations where an item of equipment fails due
to failure of its utility supply, but is in parallel with equipment having a
different energy source, credit may be taken for the unaffected and functioning
equipment to the extent that operation is maintained. For example, consider a
cooling water circulating system consisting of two parallel pumps in continuous
operation, with drivers having different and unrelated sources of power. If one
of the two energy sources should fail, credit may be taken for continued
operation of the unaffected pump.

Backup systems which depend upon the action of automatic cut-in devices
(e.g., a turbine driven standby spare for a motor driven cooling water pump,
with low pressure cut-in control), would not be considered an acceptable means
of preventing a utility failure for normal pressure relief design purposes, even
though their installation is fully justified by improved continuity and reliability
of plant operations.

(e) Consideration should also be given to the direct effect of one utility on another.
If a supply failure in one utility system, as a result of a single contingency,
results in a complete or partial loss of another inter-related utility, then the dual
failure should be considered. For example, in a plant where electricity is
generated by steam turbine generators, loss of steam production would cause
direct loss of power. Another example is the High Lift Pump house in Ras
Tanura, where a loss of steam would cause a complete shutdown of pumping
facilities for cooling water to refinery units.

Utility Failure Contingencies to be Considered

The application of the above design considerations to the major utility systems for typical
installations is described below.

In some cases, the loss of utility supply is not a direct cause of overpressure, but it initiates a
plant upset or emergency (e.g., power failure leading to loss of tower reflux) which in turn
may result in overpressure. Reference should be made to the procedures for evaluating such
upset or emergency situations and for determination of relieving rates, described later in this
section.

Electric Power

(a) The following single contingencies should be considered as the normal basis for
evaluating overpressure that can result from electric power failures:

(1) Individual failure of power supply to any one item of consuming
equipment.
(2) Total failure of power to all consuming equipment in a process unit.
(3) General failure of power to all equipment supplied from any one motor
control center, distribution center, or bus bar in a substation serving one
or more process units. Failure of power to all drivers connected to a
single bus can occur if the bus itself fails, regardless of any
interconnecting features.

The single risk concept assumes failure of one power supply to any consumer
or bus at a time.

(b) Although not normally used as a basis for sizing pressure relieving facilities,
the following general power failure on a facility-wide scale should be
considered:

(1) Failure of own generated power supply to the facility.
(2) Total power failure in any one substation.

Adequate backup features should be included to reduce the probability of these
major failures to an acceptably low level. The following backup arrangements
are normally required as a minimum:

(1) Two or more parallel generators where power is generated in the
refinery or facility.
(2) More than one fuel to boilers generating steam for turbine generators.
(3) Load shedding arrangements to preferentially maintain supply to critical
facilities.
(4) Secondary selective power distribution system.

Cooling Water

(a) The following single contingencies should be considered as the normal basis for
evaluating overpressure that can result from cooling water failures.

(1) Individual failure of water supply to any one cooler or condenser.
(2) Total failure of any one lateral supplying a process unit from the offsite
main.

(b) Although not normally used as a basis for sizing pressure relieving facilities,
the following general cooling water failures should be considered:

(1) Failure of any section of offsite cooling water main.
(2) Loss of all the cooling tower that would result from single contingency in
the utility systems supplying or controlling the pump drivers.
(3) Loss of all the fans on a cooling tower that would result from any single
contingency in the utility systems supplying or controlling the fan
drivers.

Adequate backup features should be provided to reduce the probability of these
major failures to an acceptably low level. As a minimum, the following should
normally be provided:

(1) At least 30 minutes holdup in the sump of a cooling tower, based on loss
of make-up water.
(2) Multiple cooling water pumps with different drives and automatic cut-in
of spare pump.
(3) Secondary selective power supply to cooling tower fan motors.

(4) Adequate instrumentation and alarms to give warning of potential
cooling water system failures.

Application of the following should also be considered, in appropriate cases:

(1) Multiple cooling towers.
(2) Cross-connected or looped distribution headers.

Steam

(a) The following single contingencies should be considered as the normal basis for
evaluating overpressure that can result from steam failures:

(1) Individual steam failure to any one item of consuming equipment.
(2) Total failure of any one lateral supplying a process unit from the offsite
main.

(b) Although normally not used as a basis for sizing pressure relieving facilities,
the following general steam failures should be considered:

(1) Failure of any section of offsite steam main.
(2) Loss of any one steam generator.

The probability of these major failures should be reduced to an acceptably low
level by backup features, such as the following:

(1) Multiple boilers fired by multiple fuels.
(2) Adequate control and alarm systems, load shedding arrangements, etc.
(3) Looped distribution headers.

Instrument Air

(a) The following single contingencies should be considered as the normal basis for
evaluating overpressure that can result from instrument air failures:

(2) Total failure of any one lateral supplying a process unit from the offsite
main. The correct air failure response of instruments and control valves
is assumed ("Remain Stationary" valves drifting to open or closed).

(b) Although not normally used as a basis for sizing pressure relieving facilities,
the following general instrument air failures should be considered:

(1) Failure of any section of offsite instrument air main.

(2) Loss of all the air compressors that would result from any single
contingency failure in the utility systems supplying or controlling the
compressor drivers.
(3) Loss of flow through any one set of instrument air dryers.

The following minimum requirements should be met to reduce the probability
of these major failures to an acceptably low level:

(1) Multiple air compressors with different drives and automatic cut-in of
the spare machine.
(2) Multiple instrument air dryers.
(3) Automatic cut-in from the maintenance air system.
(4) Looped instrument headers.

Instrument Power

Included in normal considerations for PZV sizing should be the failure of power supply to all
instruments in and controlled from a single control room.

Fuel

Fuel supplies to boilers, furnaces, combustion gas turbine and engine drives, etc., are designed
with features such as multiple fuels, propane vaporizer back-up, and liquid fuel surge tanks, to
promote reliability. The failure of any one fuel to a process or utility generation facility is
used as the basis for evaluating potential over-pressure.

Other Utilities

Failure of other utilities, such as inert gas to seals and purge systems, or compressed air (when
used by the process) may in some cases determine pressure relief requirements. These cases
are evaluated on a similar single contingency failure basis to the above.

Equipment Malfunctions and Operator Error as Causes of Overpressure

In addition to failing through loss of their utility supply, items of equipment are subject to
individual failure through mechanical malfunction. Such items include pumps, fans,
compressors, mixers, instruments and control valves. The process upset resulting from such
malfunctions (e.g., loss of a reflux pump) may in turn result in emergency conditions and the
potential for overpressure.

Operator error is also considered as a potential cause of overpressure, although contingencies
of gross negligence or incompetence are disregarded. Typical examples of operator error
which should be considered are inadvertent opening or closing of valves.

Evaluation of Overpressure Resulting From Emergency Conditions and Determination of Relieving Rates

The following paragraphs describe a range of typical plant emergency situations which may
result from utility failures, equipment malfunctions, or plant upsets, and which may result in
equipment overpressure.

Failure of Automatic Controls

Automatic control devices are generally directly actuated from the process or indirectly
actuated from a process variable; e.g., pressure, flow, liquid level or temperature. When the
transmission signal or operating medium fails, the control devices will assume either a fully
open or fully closed position according to their basic design, although some devices can be
designed to remain stationary in the last controlled position. Such "Remain Stationary"
control valves will, however, drift in the direction of drive and this should be considered. The
failure of a process-measuring element in a transmitter or controller without coincidental
failure of the operating power to the final controlled element should also be reviewed to
determine the effect on the final controlled element.

However, when examining a process system for over-pressure potentials, it is assumed that
any one automatic control device could fail either open or closed, regardless of its action
under loss of its transmission signal or operating medium.

The operation of manual control valve bypasses should also be taken into consideration.
Failure of a control valve to the open position while the manual bypass is fully or partially
open may be considered adequately covered in the requirements of the 1.5 times design
pressure rule.

The designer should assume proper control valve sizing and unit operation at design
conditions in evaluating relief considerations.

Instrument Air Failure or Power Failure Action

Instrument action under failure of instrument air or power should be designed to minimize the
hazards of the resulting emergency situation.

Generally, this is achieved by specifying the closure of control valves in sources of heat input,
water draw-offs and feed and product streams.

Boxing in the plant equipment in this way, on the basis that any resulting overpressure is
relieved by properly designed PZV valves, is considered safer than the uncontrolled dumping
of plant contents into tankage, other units and sewers.

Control valves in heating circuits such as furnace outlets should generally be set to fail open,
to prevent blocking in the system, which could result in overheating or thermal expansion
failures.

Control Valve System Analysis

To evaluate system relieving capacity requirements for any single contingency (other than
failure of the utility which affects valve movement), such as opening or closing of a single
valve or cooling water failure, it is assumed that all control valves in the system under
consideration remain in the position required for normal processing flow. Therefore, credit
may be taken for the normal capacity of these valves, corrected to relieving conditions,
provided the downstream system is capable of handling any increased flow. While some
controllers may respond correctly by increasing valve openings, capacity credit should only be
taken to the extent corresponding to their normal operating position. This will avoid
subjective decisions involved in evaluating response times and effects of controller settings,
such as proportional band, reset, and rate action.

Failure of Individual Control Valves

The following individual control valve failures should be included in the analysis of control
systems for determination of pressure relief requirements:

(a) Failure in the wide open position of a control valve admitting fluid from a high
pressure source into a lower pressure system.
(b) Failure in the wide open position of a control valve which normally passes
liquid from a high pressure source into a lower pressure system followed by
loss of liquid level in the upstream vessel and flow of high pressure vapor.
(c) Failure in the closed position of a control valve in an outlet stream from a
vessel or system.

In cases (a) and (b) above, credit may be taken, where applicable, for the reduction in pressure
of a high pressure source due to net inventory depletion during the period that the downstream
equipment pressure is rising to relieving pressure. However, the pressure relieving facilities
should be sized to handle the calculated peak flow condition.

Special Capacity Considerations

Although control devices, such as diaphragm operated control valves, are specified and sized
for normal operating conditions, they are also expected to operate during upset conditions,
including periods when pressure-relieving devices are relieving. Valve design and valve-
operator capability should be selected to properly position the valve plug in accordance with
control signals during abnormal conditions.

When determining pressure relief requirements, capacities of control valves should be
calculated for the relieving conditions of temperature and pressure, since these are in many
cases significantly different from capacities at normal operating conditions.

Types of Pressure Relief Devices

Conventional Pressure Relief Valves

The spring loaded, top guided, high-lift, nozzle type safety relief valve is the type most
commonly used in both liquid and vapor hydrocarbon service.

Balanced Bellows Safety Relief Valves

Pilot Operated Valves

Rupture Discs

Rupture discs are thin diaphragms held between two flanges and are designed to rupture at a
designated pressure. Rupture discs may not be used in hydrocarbon service where liquid
would be discharged to atmosphere.

STORAGE OF LPG, NGL AND SIMILAR MATERIALS

This section briefly covers the design aspects of storage of LPG and NGL products.

Storage facilities for light ends and similar volatile flammable liquids such as LPG, NGL,
pentane, etc., represent one of the high risk areas of a refinery or other hydrocarbon handling
facility. Whether such materials are stored under pressure at ambient temperature or in
refrigerated tankage, spills of any of these volatile liquids will produce large volumes of
flammable vapors. These vapors tend to flow along the ground and may reach a source of
ignition at great distances from the point of the spill. In addition, the auto-refrigeration
properties of some of these materials introduce potential embrittlement and freezing
problems.

PIPELINE AND WELLSITE SAFETY

Pipelines

The transmission of crude oil, natural gas, and refined products by cross-country pipelines
constitutes a potential hazard to industrial and residential areas if a major pipeline failure
occurs near these locations. Pipeline failures may occur due to many causes including third
party interaction (struck by a vehicle or backhoe), internal and external corrosion, hydrogen
induced cracking, or operational problems such as pressure surges. Any one or combination
of these causes may result in a pipeline failure of a size sufficient to expose local populations
to crude oil spills or flammable gas clouds which may contain toxic gas concentrations (e.g.
H2S). To prevent this from occurring, both active and passive design measures have been
incorporated into pipeline construction and operating standards to reduce the hazards.

Passive safety features include the use of thicker walled pipe in high density population areas.
Other methods of protection include additional space between pipelines and areas where large
groups of people are normally found such as schools, hospitals, hotels or shopping malls.
Corrosion protection is also important, as is adequate separation of pipelines from the induced
current from adjacent power lines.

One of the most important passive design safety features of a pipeline is its location class.
Location class specifies the maximum allowable operating pressure as a fraction of the design
pressure, and is rated on a scale of 1 to 4. In general, pipelines located in remote areas carrying
low hazard products (e.g. stabilized crude oil) are rated Location Class 1 or 2, while pipelines
located near populated areas carrying hazardous products (e.g. sour gas, NGL, etc.) are
normally Location Class 3 or 4. Additionally, special rules specify that pipelines which carry
hazardous products close to sensitive population areas such as schools or hospitals shall be
designed as Location Class 4. The location class for a pipeline is determined by the pipeline
rupture exposure radius (RER) and the population density in the geographical area near the
pipeline. The RER is a function of the product composition, the maximum shut-in pressure
and temperature, and the pipeline diameter.

Active safety measures are also employed to reduce the likelihood of hydrocarbon releases
from pipelines. Two of the most important are pipeline scraping to help control corrosion and
the use of emergency isolation valves. For pipelines in high location class areas (equivalent to
high potential population exposure), more frequent pipeline scraping can assist operating
departments to identify problem areas more rapidly. If a major pipeline release does occur,
emergency isolation valves can be remotely actuated by the operating department to shut in
the line as soon as practicable.

More details can be found in Saudi Aramco Engineering Standard SAES-B-064, Onshore and
Nearshore Pipeline Safety and in industry standard ASME B31.8, Gas Transmission and
Distribution Piping Systems.

Wellsites

There are several potential hazards associated with drilling and workover activities at oil and
gas wellsites. Many of these concerns are similar to those described for pipelines above.
Protective measures against exposure to crude oil spills or flammable or toxic gas leaks are
required to ensure the safety of field personnel during normal wellsite operations, as well as
additional safety features to protect populated areas from large hydrocarbon releases that may
result from a major failure or blowout under abnormal conditions.

Using the well fluid composition, temperature, pressure, and the flow area of the production
tubing, the downwind dispersion distance is either calculated or taken from existing tables in
Saudi Aramco Engineering Standard SAES-B-062. This distance is called the rupture
exposure radius (RER) for the well and is used with local population data to establish a level
of risk to a populated area.

Several methods are used to protect wellsites from damage in populated areas. Spacing
requirements are used to specify the minimum safe separation between wellsites and
residential areas. Wellsite barriers such as guard posts (vehicular crash protection) and
fencing are also required to minimize the potential for third parties to interact with the
wellsite.

A further important safety feature for wellsites in populated areas is the additional safety
shut-in valves required for wells in these locations. In remote locations, wells are required to
have a manual isolation block valve installed downstream of the wellhead piping and a second
block valve for flow line isolation. In addition to these requirements, oil wells in populated
areas have an automated fail-safe surface safety valve and a subsurface safety valve, both of
which are closed on detection of a fire.

More details can be found in Saudi Aramco Engineering Standard SAES-B-062, Onshore
Wellsite Safety and in industry standards API RP 14B-90, Design, Installation, Repair, and
Operation of Subsurface Safety Valve Equipment and API Specification 6A, Specification for
Wellhead and Tree Equipment.
