Brunei Shell Petroleum Company Sendirian Berhad

BSP - 12.S.500 Process Safeguarding Standard

Document no.: TMS1073
Approved: K. Geiger, EDE
Document Owner: N. Song, EDE/S

Document Control

Document type: Standard
Security classification: Confidential
Document reference: TMS1073
Author: EDE/S2
Approved by: EDE
Keywords: Safeguarding

Suggestions for improvement in this document should be addressed to the Document Owner via a Document Change Proposal Form in accordance with:
- Documentation Control Procedure (TMS0436), a supporting document of activity BSP-02.3 Maintain Management System.

Revision Record

Rev.   Revision description                                                     Date
0.1    First draft, issued for comments (EDE/S 1/52/54/32, HSE/4)               T Nov 1986
0.2    Second draft, issued for comments (EDE/5/3, HSE, OPD/52, SES/IB)         10 Dec 1996
0.3    Final draft, issued for comments (EDE/S, SES/1, OPD/A/3)                 28 Apr 1987
70     Issued for implementation

Changes in this document to the previous revision are identified by a vertical line in the left margin.

The life of this document is limited to a maximum of five years after the last revision date. Beyond this, the document must be assessed for relevancy and validated in accordance with TMS0436.

The current validity of this revision should be confirmed with the Document Owner (or via CoRMS) prior to application.

Distribution Control

Distribution of this document is controlled by the Document Owner. The distribution is as follows:
- All instrument and process discipline staff involved in BSP-12 design
- HSE, HSE/4, OPD, OPD/S, SES, SES/1/15
- BSP consultant/contractor staff as requested by the line
- Engineering library: EDE/97
- Management System Coordination Group members
- Archives: FOS/3

Contact the Document Owner if additional copies are required.
Notice and Warning

Copyright © 1997, Brunei Shell Petroleum Company Sendirian Berhad

This document is the property of Brunei Shell Petroleum Company Sendirian Berhad (BSP), Seria 7082, Negara Brunei Darussalam. Circulation is restricted to BSP and its designated associates, contractors and consultants. It must not be copied or used for any other purpose other than which it is supplied, without the expressed written authority of BSP.

Except where provided for purposes of contractual requirements, BSP disclaims any responsibility or liability for any use or misuse of the document by any person and makes no warranty as to the accuracy or suitability of the information to any third party. Any misuse of the document is redressable by BSP.

Contents

Chapter 1 - Introduction
  1.1 Description
  1.2 Purpose
  1.3 Scope
  1.4 Definitions
  1.5 Terminology
  1.6 Abbreviations
Chapter 2 - Output Definition and Control
  2.1 Output Specifications
  2.2 Controls
  2.3 Compliance with this standard
Chapter 3 - Safeguarding General
  3.1 General
  3.2 Levels of Protection
Chapter 4 - Safeguarding Design Considerations
  4.1 General
  4.2 Front End Engineering
  4.3 Conceptual Design
  4.4 Functional Specification of Instrumented Protective Function
  4.5 Mechanical Pressure Protection
Chapter 5 - Operational Safeguarding
  5.1 Shutdown/Blowdown
  5.2 Classification and Application of Power Operated Valves (POVs)
  5.3 ESD/PSD Valve Specification
  5.4 Checking and Testing of Instrumented Protective Functions
  5.5 Wellhead and Sub Surface Safety Valves
  5.6 Safeguarding of Fired Heaters
  5.7 Pipeline Line Break Protection
  5.8 Wellstring Instrumented Protective Functions
Chapter 6 - References and Attachments
  6.1 References
  6.2 Attachments

CHAPTER 1 - INTRODUCTION

This document is an integral part of the BSP Management System and should be read in association with activity BSP-12 Facility Design and Construction.

References:
- BSP-12 Facility design and construction (TMS0009)

Figure 1 can be used to locate the position of this document in relation to the BSP Management System structure.

Figure 1. How this document (box with white text) fits into the BSP Management System structure.

1.1 DESCRIPTION

This document provides directives on the design and application of Process Safeguarding Systems for BSP facilities, which includes mechanical and instrumentation systems.

1.2 PURPOSE

The purpose of this standard is to provide a logical and consistent approach in the design of Process Safeguarding Systems, both primary and secondary.

1.3 SCOPE

This standard applies to all projects and all facility modifications (e.g. an FRPC) comprising Process Safeguarding Systems. It outlines the requirements for the Process Safeguarding design of all BSP onshore and offshore oil and gas facilities. For detailed design requirements it will refer to other, more specific, documents (see also 2.3).

It does not cover items such as facility layout, fire & gas detection and protection systems, emergency power systems or evacuation, escape and rescue provisions. These are covered in:
- Risk Control Manual (in draft)
- EP 95-0230 HSE Manual, Design
- BSP-12 Facility design and construction (TMS0009)

1.4 DEFINITIONS

For the purpose of this standard the following definitions shall hold:

The word shall is to be understood as mandatory and the word should as strongly recommended to comply with the requirements of this manual.

The word may is to be understood as indicating a possible course of action.

The consultant/contractor is the party which carries out all or part of the design, engineering and procurement for the project.
1.5 TERMINOLOGY

Key terminology is defined on its first occurrence or as follows:

Automatic Equalising Valve - A pressure equalising valve actuated by an automatic sequential start-up system.

Demand - A process or equipment condition or event which requires the Instrumented Protective Function to take action so as to prevent a hazard condition.

Emergency Shutdown (ESD) - A shutdown and isolation of a complete facility by closing appropriate ESD valves (where required, followed by depressurisation) initiated manually, through the facility's IPF, on detection of fire, gas or on a total power or instrument air/gas failure.

Emergency Shutdown Valve (ESD Valve) - An automatically operated fail-to-safe valve used for ESD isolation of a complete facility, actuated through the facility's IPF.

Fail-to-safe (FTS) - The ability to return to the safe mode of the application (open or closed) under operating medium failure conditions.

Final element - A device or combination of devices that manipulate a process variable or attract the attention of the operator to achieve risk reduction. The final element includes output cards or output relays, solenoid valves and cabling. Examples are (ESD/PSD) valves, switchgear (rotating equipment stop circuits) and alarms.

Hazard (or Hazardous Situation) - The potential to cause harm, including ill health and injury, damage to property, products or the environment, production losses or liabilities.

Initiator - A device or combination of devices that indicates whether a process or equipment item is operating outside the operating envelope. The initiator includes input cards and input relays. Examples are manual switches, position switches and measurement systems (including process connections, sensors, transmitters, cabling, and trip amplifiers or input cards).
Instrumented Protective Function (IPF) - A function comprising the initiator function, logic function and final element function for the purpose of preventing or mitigating hazardous situations.

Instrumented Protective System (IPS) - The electromechanical, electronic and/or programmable electronic logic solver component of the Instrumented Protective Function, complete with input and output equipment.

Maintenance Shutdown - A manually initiated planned shutdown and isolation of the whole or part of a facility and, where required, followed by manual depressurisation.

Motor Operated Valve (MOV) - An isolation valve powered by an electric motor to facilitate operation, not to be used for high integrity and/or safeguarding application.

Operational Shutdown - A manually initiated planned shutdown of the whole or part (usually a train) of a facility with the objective of stopping the production.

Power Operated Valve (POV) - Any valve using a powered (electrically, hydraulically or pneumatically) actuator for its operation.

Probability of Failure on Demand - The probability of the Instrumented Protective Function failing to respond to a demand.

Process Shutdown (PSD) - An automatically initiated shutdown and isolation of a process unit or piece of equipment by closing appropriate PSD valves to shut-in flow to that process unit or piece of equipment or divert flow to another process unit or piece of equipment.

Process Shutdown Valve (PSD Valve) - An automatically operated fail-to-safe valve used for PSD isolation of a process unit or piece of equipment, actuated through the process unit's or piece of equipment's IPF.
Revealed (Patent) Failure - A failure whose occurrence is inherently apparent due to the fail-safe design of Instrumented Protective Systems.

Risk - The hazard rate (the frequency at which hazardous situations occur) multiplied by the consequence of a hazardous situation.

Unrevealed (Latent) Failure - A failure that is dormant in the Instrumented Protective Function and can only be revealed when the system has to perform a certain action or through testing.

1.6 ABBREVIATIONS

CITHP        Closed In Tubing Head Pressure
DCS          Distributed Control System
DP           Drilling Platform
EDE          BSP's Engineering department
ESD          Emergency ShutDown
FGS          Fire, Gas and smoke detection System
FLD          Functional Logic Diagram
FRPC         Field Raised Plant Change
FTS          Fail-To-Safe
HAZOP        HAZard and OPerability study
HIPS         High Integrity Protection System
HSE          Health, Safety and Environment or BSP's HSE department
IPF          Instrumented Protective Function
IPS          Instrumented Protective System
MAWP         Maximum Allowable Working Pressure
MOV          Motor Operated Valve
OPD          BSP's Operations and Production department
PEFS         Process Engineering Flow Scheme
PLC          Programmable Logic Controller
POV          Power Operated Valve
PSD          Process ShutDown
PSFS         Process Safeguarding Flow Scheme
RV           Relief Valve
SCADA        Supervisory Control and Data Acquisition
S.INST.FMT   Standard INSTrument ForMaT drawing
SCSSV        Surface Controlled Sub-Surface Safety Valve
SIEP         Shell International Exploration and Production
SSV          Surface Safety Valve
STD.MR       STanDard Material Requisition
WS           Well Jacket

CHAPTER 2 - OUTPUT DEFINITION AND CONTROL

2.1 OUTPUT SPECIFICATIONS

These are defined in the following chapters.

2.2 CONTROLS

This standard shall be used during the design and specification of Process Safeguarding systems for all BSP's oil and gas facilities.
Process Safeguarding design shall be checked during the following stages:
- Technical Specification (Basis for design).
- approval of key drawings during conceptual design.
- HAZOP study (if performed).
- an IPF classification may be performed to check its adequacy.
- approval of relevant drawings during detailed design.

The following departments are responsible for Process Safeguarding:
- EDE/S, Central Engineering Instrumentation for primary safeguarding, i.e. Instrumented Protective Function (IPF).
- EDE/3, Central Engineering Mechanical for secondary safeguarding, i.e. mechanical protection devices such as relief valves (RVs).

2.3 COMPLIANCE WITH THIS STANDARD

The requirements of this standard are applicable to new onshore and offshore oil and gas facilities. It is not the intention to apply this standard retroactively to existing installations; however, when major modifications or upgrades are undertaken the design specification shall clearly define which parts of this standard shall be applicable.

NOTE: The Safety Case Remedial Action Plan addresses all those areas where safeguarding fell short. These will be rectified, e.g.
- fail-to-safe operation of ESD valves.
- inadequate blow down systems.

Compliance with this standard shall not relieve the user of the obligation to follow sound engineering practice throughout.

For any deviation from this standard, written agreement shall be obtained from BSP's Central Engineering Mechanical and/or Instrumentation Division Heads EDE/3 and EDE/S prior to execution of the related engineering and/or design work.

CHAPTER 3 - SAFEGUARDING GENERAL

3.1 GENERAL

For BSP's Process Safeguarding of offshore and onshore oil and gas facilities the principles as laid down in documents EP 95-0230, API RP 14C and DEP 80.45.10.10-Gen. shall be followed.
In cases where a malfunction of facility equipment or its associated instrumentation would give rise to a hazard to personnel, environmental pollution or lead to consequential economic loss (e.g. damage of main equipment or severe production loss), Process Safeguarding shall be installed that provides:
- protection against injury or loss of life to humans.
- protection of the environment, i.e. loss of containment.
- protection of equipment against damage by fire, explosion or failure by operation outside its design conditions.

Safeguarding and control functions shall be implemented separately, because the protective system will come into operation only when control equipment fails or has reached its maximum control capability.

NOTE: IPF Class I and II loops are allowed to be implemented in DCS (ref. DEP 32.80.10.10-Gen.).

References:
- DEP 32.80.10.10-Gen. Classification and implementation of Instrumented Protective Functions
- DEP 80.45.10.10-Gen. Pressure relief, emergency depressurising, flare and vent systems
- EP 95-0230 HSE Manual, Design
- API RP 14C Recommended practice for analysis, design, installation and testing of basic surface safety systems on offshore production platforms

3.2 LEVELS OF PROTECTION

In line with EP 95-0230 and API RP 14C section 3.4, the safeguarding system shall provide two independent levels of protection (ref. Appendix 1).

Level 1, Highest Order (primary): Instrumented Protective Function (IPF). These systems operate automatically to protect the equipment when the process is approaching the unsafe operating limits. The operator is warned by the alarm (annunciator) system when the IPF has been activated by any of its input variables.

Level 2, Next highest Order (secondary): Functionally different and independent safety devices (e.g. mechanical protection devices such as RVs).
This is the ultimate means of protection of the facility or equipment from exceeding its design limitations and is normally only required to operate if the primary safeguarding (IPF) has failed. Where mechanical protection is impractical, High Integrity Protection Systems (HIPS) may be considered, subject to the requirements contained in BSP ES-30.04.

NOTES (ref. Appendix 1)
1. Control systems and their associated pre-alarm (annunciator) systems provide the operator with the necessary information and control to keep the process within defined limits and the IPF of a facility shall not, in any way, form part of these systems (see 3.1 note).
2. Automatic process safeguarding (i.e. an IPF) is not normally acceptable as adequate protection for potential over-pressurisation in lieu of fully rated equipment and/or protection by a pressure RV system.

References:
- BSP ES-30.04 Application of High Integrity Protection Systems
- DEP 32.80.10.10-Gen. Classification and implementation of Instrumented Protective Functions
- DEP 80.45.10.10-Gen. Pressure relief, emergency depressurising, flare and vent systems
- EP 95-0230 HSE Manual, Design
- API RP 14C Recommended practice for analysis, design, installation and testing of basic surface safety systems on offshore production platforms

CHAPTER 4 - SAFEGUARDING DESIGN CONSIDERATIONS

4.1 GENERAL

Identified risks (or hazards) should be designed out as far as possible; the ideal design would not require safeguarding (ref. EP 95-0230 section 5.1). Those risks that remain shall be prevented and mitigated by the IPF.

The flow chart in Appendix 2 illustrates the process of designing for safety and facility integrity. For all steps the responsibility lies with the design engineers or nominated consultant/contractor.
Major outputs from the different design stages, as described in BSP-12, which contribute to the design of safeguarding systems, are highlighted in the following sections.

References:
- BSP-12 Facility design and construction (TMS0009)
- EP 95-0230 HSE Manual, Design

4.2 FRONT END ENGINEERING

4.2.1 Technical Specification (Basis for Design)

The Technical Specification (Basis for design) shall be in line with the requirements as laid down in the BSP-12.1.1 and includes the Safeguarding Philosophy.

This document should cover all relevant aspects of the design, operating and maintenance philosophies, covering matters such as manned or unmanned, local or remote control and equipment monitoring, equipment redundancy requirements.

The basic safeguarding philosophy shall be documented in the Technical Specification (Basis for design) by the party responsible for the front-end engineering.

References:
- BSP-12.1.1 Project development planning (TMS0538)

4.3 CONCEPTUAL DESIGN

The shutdown philosophy shall be documented in the Project Specification by the party responsible for the conceptual design. The shutdown philosophy shall explain the background to particular applications, locations, maintenance, etc., as applied in the design of the facility.

4.3.1 Safeguarding Memorandum and Process Safeguarding Flow Scheme (PSFS)

The Safeguarding Memoranda, of which the PSFS is an integral part, shall be prepared in line with BSP-12.S.503. This Safeguarding Memoranda identifies and summarises those protective devices which are installed at all levels of protection (ref. 3.2) and addresses requirements such as fail-to-safe design, modes of plant status, e.g. primed but not operating plant, safe start-up, safe operating mode, safe and orderly shutdown sequence, operations and maintenance testing, etc.
References:
- BSP-12.S.503 Preparation of safeguarding memoranda and process safeguarding flow schemes (TMS1023)

4.3.2 Shutdown Cause & Effect Matrix and Functional Logic Diagram (FLD)

All functions having an Emergency shutdown (ESD) or Process shutdown (PSD) action shall be indicated in the Shutdown Cause & Effect Matrix and, where generated, detailed in the FLDs.

The Shutdown Cause & Effect Matrix diagram (ref. BSP-12.S.501 S.INST.FMT.40 and 42) presents a simplified matrix of causes versus effects. Due to its limitation of not incorporating e.g. alarms, interlocking or sequencing, its use is limited and usually restricted to forming the basis for developing FLDs at this design stage.

Even though FLDs form part of detailed design, preliminary (or partial) FLDs can be useful at the conceptual design stage. These diagrams use logic symbols and show the full functional requirements for the IPF. The presentation shall be in line with BSP-12.S.511.

A Sequential Functional Logic Diagram (ref. Appendix 3) is mainly used for large equipment systems where a well defined sequence of events such as purging, start-up, running and shutdown is required. The only difference from the FLD is in the detailed logic requirements versus time.

References:
- BSP-12.S.501 Standard drawings and forms (TMS1074)
- BSP-12.S.511 Symbols and identification - Instrumentation - Part 2 - Functional logic diagrams (TMS1026)

4.3.3 Design Reviews and Documentation

A HAZOP study shall be carried out in line with the requirements as laid down in the annual HAZOP plan (only selected projects). HAZOP is a rigorous and formal analysis of the process and plant design, carried out at the end of the technical review of the conceptual design phase.
For more details on HAZOP techniques refer to the EP 95-0313.

In order to remove uncertainties regarding safety integrity, cost effectiveness and availability of IPFs, an IPF classification and implementation methodology review should be carried out:
- following a HAZOP study.
- partially on (a) small section(s) of a facility, where a full review is not justified.
- on an FGS (offshore per platform) for the most onerous consequences.

NOTE: IPF classification results shall be based on a test frequency of minimally 6 months (ref. 4).

DEP 32.80.10.10-Gen. specifies the requirements and gives recommendations for classifying and implementation of IPFs.

NOTE: A functional description of the IPF with particular reference to the operation of the ESD and PSD valves and the preparation of the FLD shall be part of the detailed design.

References:
- BSP-12.W.03 Planning of HAZOP studies (TMS0757)
- DEP 32.80.10.10-Gen. Classification and implementation of Instrumented Protective Functions
- EP 95-0313 HSE Manual, HAZOP

4.4 FUNCTIONAL SPECIFICATION OF INSTRUMENTED PROTECTIVE FUNCTION

The functional specification addresses requirements such as measurement, logic and final elements, to detect identified hazards and bring the plant to a safe state. The definition of the functional requirements shall be presented in a diagram of digital true/not-true inputs, a combination of logic expressions and outputs to final elements.

This information shall be presented in the following formats:
- Functional Logic Diagrams.
- Sequential Functional Logic Diagrams.

In general there are two instrument safeguarding systems, the process safeguarding (IPF) and the fire, gas and smoke detection system (FGS), with one way communication from the FGS logic to the IPF logic. Only for small systems shall integration of these two systems be allowed and shall be subject to written approval of BSP's Central Engineering Instrumentation Division Head, EDE/S.
4.4.1 Instrumented Protective Function Requirements

Once the conceptual design and the functional specification of the IPF have been finalised the design engineer or nominated consultant/contractor shall define the IPF design requirements. The design has to address various aspects of available Instrumented Protective System (IPS) technologies:
- microprocessor based systems; Programmable Logic Controllers (PLCs).
- solid state / magnetic core logic.
- hard-wired relay logic.
- pneumatic logic (shall only be used where a reliable source of electricity power cannot be practically made available) and where permitted by an IPF classification.

The IPF class shall be as determined during the IPF classification exercise or minimally IPF class IV (not applicable for pneumatic IPSs).

References:
- DEP 32.80.10.10-Gen. Classification and implementation of Instrumented Protective Functions

4.5 MECHANICAL PRESSURE PROTECTION

4.5.1 Relief Valve Systems

For the design and selection of RVs and relief valve systems refer to DEP 80.45.10.10-Gen., which is based on API RP 520 and API RP 521.

Designers should keep RV systems as simple as practical. Single 100% capacity RVs without locking systems should be applied on all single unit systems. Inspection and maintenance on RVs should be carried out when the whole unit is depressurised.

Wherever double 100% RVs on single pieces of equipment or block valves in RV systems are found on existing facilities the second RV and/or isolation valves shall be removed on an opportunity basis.

In the exceptional case where for availability reasons an RV isolation system is required, this shall be implemented by providing a single interlocking system to isolate a whole train. Isolation of RVs shall only be allowed if fully covered by a strictly adhered to operational procedure.
The procedure shall identify the proper authority levels and necessary steps to be taken for safe isolation.

Air assisted RVs shall not be applied.

References:
- DEP 80.45.10.10-Gen. Pressure relief, emergency depressurising, flare and vent systems
- API RP 520 Sizing, selection and installation of pressure-relieving devices in refineries
- API RP 521 Guide for pressure relieving and depressurising systems

4.5.2 Relief Valve Sizing

4.5.2.1 Sizing of Relief Valves in Multiple Well Systems

When fast acting valves, triggered by high pressure switches, are implemented, a reliability study shall be conducted to determine how many wells the relief valve sizing is to be based on. This will also ensure that there is no common mode failure mechanism capable of allowing all wells to stay open.

The previous practice was based on BP 55 000-2717 (pre 1990 version, no longer used) and dictated that a separator, connected to a multiple well system, does not need full flow protection provided that the process trips also shut-in the individual wells (direct or cascade). The relief valve sizing could in this case be based on full flow of at least 20% of the number of wells connected and a minimum of 3.

Based upon several reliability studies carried out, this practice is found to be too conservative for electronic IPFs and too optimistic for pneumatic IPFs. Based on EP 97-1745, an RV for a multiple well system can be sized for a single well (largest producer) per well platform in the system, provided an electronic IPF is in place.

For most systems however pneumatic IPFs are currently used. RV sizing for pneumatic IPFs should be based on the table below.

Number of wells    Single SSV IPF:            Double SSV IPF:
on WS or DP        number of wells to be      number of wells to be
                   added for RV sizing        added for RV sizing
 1                  1                          1
 2                  2                          2
 3                  2                          2
 4                  3                          2
 5                  3                          2
10                  3                          3
20                  7                          3
30                  8                          3
40                 10                          3

To determine the RV sizing flowrate, the identified number of highest producers, as per the above table, should be added up per well platform.
The RV should then be sized for this flow from all well platforms within the system. If sizing based on the above table is found to be impractical, a full system reliability analysis shall be performed.

RVs sized for well stream protection should normally be sized for full flow (i.e. for liquid and gas relieving simultaneously).

References:
- DEP 80.45.10.10-Gen. Pressure relief, emergency depressurising, flare and vent systems
- EP 97-1745 Instrumentation for ultimate safeguarding protection

4.5.2.2 Sizing of Relief Valves for Flashing Fluid

For sizing RVs for two-phase flow and flashing liquid, the DIERS method as described in the DEP should be used for sizing rather than the API method. A PRO/II routine is currently developed within EDE/S that will simplify the calculation. This method should be used for all new relief calculations for system modifications.

4.5.2.3 Calculation Sheet

DEP 31.36.90.94-BSP shall be used as the format for RV sizing.

NOTE: Sizing of RVs for two phase flow follows the more stringent DIERS method described in DEP 80.45.10.10-Gen. rather than the API method used previously.

References:
- DEP 31.36.90.94-BSP Safety/relief valve calculation sheet
- DEP 80.45.10.10-Gen. Pressure relief, emergency depressurising, flare and vent systems

4.5.3 Restriction Orifices

Use of restriction orifices in a safeguarding function (e.g. restriction orifices in blowdown lines) should be avoided. Where restriction orifices however have a dedicated safeguarding function they shall be sufficiently tagged and the function shall be clearly identified on the PEFS. Inspection frequency shall be similar as for RVs.

4.5.4 Non Return Valves

Non return valves shall not be used for pressure protection (ref. EP 95-0230 section 5.3.2).
References:
- EP 95-0230 HSE Manual, Design

CHAPTER 5 - OPERATIONAL SAFEGUARDING

5.1 SHUTDOWN/BLOWDOWN

Shutdown and blowdown design shall be in line with the requirements as laid down in EP 95-0230, API RP 14C and DEP 80.45.10.10-Gen. as a minimum. The following paragraphs give the specific BSP requirements which shall be followed and take precedence over the EP and DEP/BSP documents.

References:
- DEP 80.45.10.10-Gen. Pressure relief, emergency depressurising, flare and vent systems
- EP 95-0230 HSE Manual, Design
- API RP 14C Recommended practice for analysis, design, installation and testing of basic surface safety systems on offshore production platforms

5.1.1 Definition of Shutdowns

Normal process control functions shall be totally independent and separate from the IPF (see 3.1 note). For the design and operation of facilities the following definition of shutdowns has been derived.

5.1.1.1 Emergency Shutdown (ESD)

In case of an emergency the IPF shall initiate the shutdown of the whole, or part of a facility if sufficiently segregated from the remainder of the facilities (by adequate separation distance or fire and blast walls) by stopping all running equipment and closing all ESD valves, including the SCSSV and where required followed by depressurisation.

All ESD and PSD valves shall travel to their fail-to-safe position by de-energising their solenoids or pilot valves. Emergency stand-by utilities present shall be activated. Certain utilities on manned facilities may continue to operate; utilities on unmanned facilities shall be shutdown automatically.

Riser-ESD valve applications shall also conform to SI-1029.

A facility IPF shall shutdown, and where applicable, depressurise a facility (ref. 5.2.4) upon:
- fire detection and/or area gas detection.
- low pressure of instrument air or gas supply.
- loss of electric power to IPF.
- manual initiation (locally operated or remotely via SCADA).
NOTE: Manual initiation (locally operated) equates to a human detection of fire or gas. Therefore these should be classified as manual call points and, where possible, be part of the FGS.

Manual ESD push buttons (manual call points) shall be provided at the following locations (ref. API RP 14C (C1.1)):
- central control room.
- local control room.
- onshore facility exit.
- each end of offshore bridges.
- offshore stairway exits.
- offshore boat-landings.
- offshore helidecks.
- offshore muster-stations.
- power generation modi

ESD valve operation shall never form part of an automatic start sequence.

The start-up (sequence) after an ESD condition shall always be initiated by operator action after the manual local reset of ESD valve(s) (i.e. there shall be no automatic start-up from the control room or remote facility).

References:
- API RP 14C Recommended practice for analysis, design, installation and testing of basic surface safety systems on offshore production platforms
- SI-1029 The Offshore installations (emergency pipe-line valve) regulations 1989

5.1.1.2 Process Shutdown (PSD)

One or more process trains or units may be required to shutdown because of a process upset, equipment/material failure or because of a fault in the process control system causing the relevant process variable to exceed the acceptable limit.

Protection of equipment against a process malfunction shall always be by PSD valves, which are the first level of safeguarding after the normal regulatory control. These shall be automatically actuated by the facility process unit IPF (see 3.1 note). Lifting of RVs shall always be avoided by the application of PSD valves. Cascade trips (from upstream or downstream units) should be avoided wherever possible.

Unit and equipment shutdown actuation (e.g. push buttons or DCS/SCADA screens) shall be installed in the control room (where feasible), in addition to local shutdown push buttons.
No depressurisation should take place unless required for equipment reasons, e.g. in the case of compressors fitted with oil seals. If the pressure of a compressor stage, after closing of the unit's PSD valves, settles out at a pressure higher than its RV settings, then the depressurising valve(s) shall also be opened.

Utilities should continue to operate. Other trains may continue to operate.

Depending on the instrumentation used (see note below), the start-up (sequence) after a PSD condition shall be initiated by operator action after the manual local reset of PSD valve(s) (i.e. no automatic start-up from the control room or remote facility).

NOTE: The use of a Distributed Control System (DCS) allows relevant/sufficient information to be provided to the operator at a remote location and hence reduces the risks of remote start-up operations. The chosen scheme shall not have manual actions which can defeat/override the normal start-up (after a process shutdown) arrangement and shall be subject to written approval of BSP's Central Engineering Instrumentation Division Head, EDE/S.

5.1.1.3 Operational Shutdown

A facility requires an operational shutdown because:
- downstream facilities cannot accommodate the normal production level.
- upstream facilities cannot supply production.
- for maintenance.

Plant design shall allow for a safe shutdown of either the whole facility or individual process trains or units. Operational shutdown and restart may be effected through PSD valves and MOVs.

The operational shutdown and restart sequences may be automated if the operator is provided with relevant/sufficient information in order to assess if it is safe to start/re-start. The automatic start-up sequence should be performed in the DCS or a dedicated PLC.

5.1.2 Hierarchy of Shutdown Levels

A block diagram showing the different levels of shutdown is shown in Appendix 4 page 1; examples of shutdown levels for typical facilities are shown in Appendix 4 pages 2 to 5.
For trip initiators a higher shutdown level shall always cause the shutdown of a lower level in related facilities (i.e. an S3 trip initiator shall also cause an S2 and S1 trip).

Examples of trip initiator levels:

PSD:
- All trip initiators on well flowlines should be S1.
- All trip initiators on bulk separators, which result in the closing of inlet and outlet PSD valves and as a direct or cascade consequence shutting in all connected wells, should be S2. Low level liquid outlet trips that do not cause any other shutdown should be S1.
- All trip initiators causing a total facility shutdown should be S3.

ESD:
- ESD initiators (ref. 5.1.1) should only cause S4. Process initiators shall never cause an S4.

For final elements (e.g. ESD and PSD valves) a lower shutdown level shall also always be shut down by a higher level (i.e. an S1 final element shall also be affected by an S2 - or higher - trip).

NOTE: An exception is the Riser-ESD valves. The valve is normally affected by an S1 trip initiator (line break protection) and the S4, but not by an S2 and S3.

Upward cascading of shutdown levels however shall not be relied upon and appropriate pre-emptive shutdown action to other facilities shall be specified.

In line with the requirements as laid down in EP 95-0230 section 6.3, BSP applies the following shutdown level terminology, with decreasing severity of risk.

NOTE: In brackets and italics the EP 95-0230 designation.

S4 (ESD) = Total hazardous system shutdown with depressurisation and closure of Surface Controlled Sub Surface Safety Valves (SCSSVs).
This means, total shutdown of a facility or a section of a facility (ref. 5.1.1.1) in case of an emergency, activating all ESD and PSD valves including the SCSSVs. Gaseous inventory shall be blown down where required (ref. 5.2.4). Shutdown of utilities. Emergency utilities may be started.
S3 (PSD-1) = Total surface shutdown, no depressurisation (unless required for specific reasons).
This means, shutdown of all surface process systems on a facility or platform on process failure, activating all ESD and PSD valves except the SCSSVs. No blowdown required unless for equipment protection reasons (e.g. compressor seal protection). Utilities continue to operate.

S2 (PSD-2) = Partial shutdown (e.g. of a processing train).
This means, shutdown of train or unit within the main process, activating the inlet and outlet PSD valves. No blowdown required unless for equipment protection reason (e.g. compressor seal protection). Other units continue to operate (e.g. parallel separator trains or compressor trains).

S1 (PSD-3) = Equipment shutdown (e.g. of a compressor or pump).
This means, shutdown of equipment (local services) not essential to the main process (e.g. single component, pump, well string, PSD valve, tank, etc.) and not resulting in an immediate process initiated upwards cascade of the shutdowns.

NOTE: When blowdown/depressurisation occurs as a result of one of the above shutdown levels, the shutdown level will be suffixed by the letter 'D', e.g. gas production platform depressurising on an S4, is represented by an S4D on the Process Engineering Flow Schemes (PEFSs) and Cause & Effect Matrix.

The levels of shutdown shall be shown on the PEFSs.

The extent to which components, units or trains are designed to provide for individual shutdown, i.e. the provision of bypasses, isolation devices and/or parallel units, shall be carefully evaluated against factors such as:
- safety and environmental considerations (potential extent and consequences).
- mean time between failures, frequency of demand.
- inspection/maintenance frequency and duration.
- scheduled plant shutdowns for maintenance.
- cost of robustness (potential production loss and frequency of revealed failure).
- additional lifecycle cost.
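A consistency check of a Cause & Effect Matrix against the hierarchy rules of 5.1.2 (downward cascade, process initiators never causing S4, the Riser-ESD exception), given here as an added example that is not part of BSP-12.S.500. The tag names, the scope-path model of "related facilities" and the sample matrix with its three deliberate faults are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Initiator:
    tag: str
    kind: str                 # "process" or "esd" (ESD initiator per 5.1.1)
    level: int                # 1..4 for S1..S4
    scope: tuple = ()         # () = whole facility; ("train-A",) = one train
    line_break: bool = False  # pipeline line break protection initiator


@dataclass(frozen=True)
class FinalElement:
    tag: str
    level: int                # lowest shutdown level that acts on this element
    scope: tuple = ()
    riser_esd: bool = False


def in_scope(ini, el):
    """Assumed model of 'related facilities': the element lies inside the
    part of the plant the initiator covers (prefix match on the scope path)."""
    return el.scope[:len(ini.scope)] == ini.scope


def must_trip(ini, el):
    """True when the hierarchy of 5.1.2 requires `ini` to act on `el`."""
    if not in_scope(ini, el):
        return False
    if el.riser_esd:
        # NOTE in 5.1.2: affected by an S1 line break initiator and by S4,
        # but not by S2 and S3.
        return ini.level == 4 or (ini.level == 1 and ini.line_break)
    return el.level <= ini.level


def check_matrix(initiators, elements, matrix):
    """Return (rule, initiator tag, element tag) for every deviation found."""
    findings = []
    for ini in initiators:
        if ini.kind == "process" and ini.level == 4:
            findings.append(("PROCESS_CAUSES_S4", ini.tag, None))
        if ini.kind == "esd" and ini.level != 4:
            findings.append(("ESD_NOT_S4", ini.tag, None))
        tripped = matrix.get(ini.tag, set())
        for el in elements:
            want, got = must_trip(ini, el), el.tag in tripped
            if want and not got:
                findings.append(("MISSING_CASCADE", ini.tag, el.tag))
            elif got and not want and el.riser_esd:
                findings.append(("RISER_ESD_UNEXPECTED", ini.tag, el.tag))
    return findings


# Constructed sample facility (all tags are hypothetical).
INITIATORS = [
    Initiator("PSHH-101", "process", 1, ("train-A", "P-101")),
    Initiator("LSHH-201", "process", 2, ("train-A",)),
    Initiator("PSLL-301", "process", 3),
    Initiator("HS-401", "esd", 4),                      # manual ESD push button
    Initiator("PSLL-501", "process", 1, ("export-line",), line_break=True),
    Initiator("LSHH-701", "process", 4),                # fault: process -> S4
]
ELEMENTS = [
    FinalElement("XV-101", 1, ("train-A", "P-101")),
    FinalElement("PSDV-201", 2, ("train-A",)),
    FinalElement("PSDV-202", 2, ("train-B",)),
    FinalElement("ESDV-301", 3),
    FinalElement("SCSSV-1", 4),
    FinalElement("RESDV-501", 4, ("export-line",), riser_esd=True),
]
ALL_TAGS = {el.tag for el in ELEMENTS}
MATRIX = {
    "PSHH-101": {"XV-101"},
    "LSHH-201": {"PSDV-201"},                           # fault: S1 element missed
    "PSLL-301": {"XV-101", "PSDV-201", "PSDV-202", "ESDV-301",
                 "RESDV-501"},                          # fault: riser valve on S3
    "HS-401": set(ALL_TAGS),
    "PSLL-501": {"RESDV-501"},
    "LSHH-701": set(ALL_TAGS),
}

if __name__ == "__main__":
    for finding in check_matrix(INITIATORS, ELEMENTS, MATRIX):
        print(finding)
```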
The outcome of this evaluation shall be documented in the project Safeguarding Philosophy, which shall form part of the Project Specification.

BSP-12.S.510  Symbols and identification - Instrumentation - Part 1 - Process (engineering) flow schemes (TMS1025)
DEP 32.80.10.10-Gen.  Classification and implementation of Instrumented Protective Functions
EP 95-0230  HSE Manual, Design

5.2 CLASSIFICATION AND APPLICATION OF POWER OPERATED VALVES (POVS)

The classification of POVs is shown in Appendix 5. The application of shutoff valves is specified in the following paragraphs.

5.2.1 General

Shutoff ball valves shall be opened only if the differential pressure across the valve is sufficiently low or the flow through the valve is "zero" (with a minimum volume between ESD valve and adjacent isolation valve), to prevent damage to the seat. The acceptable differential pressures and flows are size and seal design related and usually become too high above sizes of DN 150 Class 900. A maximum differential pressure of 400 kPa or 10% of the Maximum Allowable Working Pressure (MAWP), whichever is lower, can be taken as a guideline.

5.2.2 ESD Valves

ESD valves shall be held open by a signal to the mechanism for actuating the valve (e.g. solenoid valve), on failure of which the valve shall automatically close (fail-to-safe). ESD valve signals shall never be overridden.

Bypasses around ESD valves shall be avoided. If an ESD bypass cannot be excluded, e.g. due to start-up requirements (pressure equalising), its inclusion shall be fully justified and approved as part of the facility safeguarding philosophy, endorsed by EDE, OPD and HSE (ref. 5.2.2.1). All bypasses shall be small (not full flow) compared with the valves they bypass (with a maximum not exceeding DN 50).

NOTE: A full flow bypass arrangement may be used in "operationally critical service".
Critical in this context means that regular shutdowns for ESD valve testing would be unacceptable in view of economic or business loss. Only in exceptional cases may a bypass be provided to allow for testing (for partial stroking refer to 5.4) and maintenance. Main oil lines, main gas lines and major single-train gas systems may fall in this category. The application shall be fully documented and EDE, OPD and HSE shall endorse the justification, after review by a HAZOP committee.

ESD valves shall only be used for their intended duty as laid down in EP 95-0230. Typical examples of ESD valve applications in process systems are shown in Appendix 6.

In cases where ESD valves are also used as PSD valves, the ESD and PSD operation shall be segregated (e.g. separate ESD and PSD pilots or logic separation).

EP 95-0230  HSE Manual, Design

5.2.2.1 ESD Valve Pressure Equalising

For ESD valve pressure equalising, one of the following facilities should be provided in order of preference:

1) Installation of a close-coupled isolation valve at the process side of the ESD valve.
The ESD valve and adjacent isolation valve shall be close coupled with minimum spool dimensions (e.g. SD) minimised as dictated by fitting to fitting or weld separation. The pressurisation of the facility can be achieved across the mechanical isolation valve in the process line with an equalising valve and restriction orifice in the small diameter bypass (ref. 5.2.2). The whole of this assembly shall be located downstream of an inlet Riser-ESD valve or upstream of an outlet Riser-ESD valve. A typical example is shown in Appendix 8 page 1 figure 1. In order to avoid damage to the valve seat(s), the mechanical isolation valve and bypass valve shall be closed after a shutdown and the ESD valve opened first before the pressurisation takes place. To ensure that the correct pressurisation procedure is being followed, the isolation valve and bypass may be provided with limit switches with interlocks in the IPF.
2) Pressure equalisation across the ESD valve by a bypass across the ESD valve.
The pressurisation of the facility can be achieved across the main (Riser) ESD valve in the process line, with an ESD valve, an equalising valve and restriction orifice in the small diameter bypass (ref. 5.2.2). A typical example is shown in Appendix 8 page 1 figure 2. In order to avoid damage to the valve seat(s), after a shutdown, the small diameter ESD bypass valve shall be opened first and the main ESD valve opened only after pressurisation has taken place. To ensure that the pressure equalisation procedure is being followed, a differential pressure switch may be installed across the bypass line, which interlocks the main ESD valve until full pressure equalisation has taken place.

The chosen design shall be approved in writing by BSP's Central Engineering Mechanical and Instrumentation Division Heads, EDE/3 and EDE/5, and BSP's Technical Safety Division HSE/4.

Depressurising valves shall be designed for opening against the full differential pressure, to allow direct activation without opening precautions (ref. 5.2.4).

5.2.2.2 Location of ESD Valves

ESD valves shall be located in line with the EP 95-0230 requirements. The precise location of ESD valves shall be optimised, during detailed design, in line with 5.2.2.2.1 and 5.2.2.2.2 below. Any deviation shall be approved by BSP's Central Engineering Mechanical and Instrumentation Division Heads EDE/3 and EDE/5.

The ESD valve and its actuating mechanism shall, as far as reasonably practicable, be protected from damage arising from fire, explosion or impact.

Every ESD valve shall be located in a position in which it can be safely and fully inspected, maintained and tested.
ESD valves shall be capable of blocking the flow of fluids within the flowline at the point at which they are incorporated:
- in all facility inlet and outlet streams, to provide isolation from all potential upstream sources of oil and gas inflow and from downstream back-flow/pressurisation.
- in every riser (offshore), designated as Riser-ESD (ref. SI-1029).
- in pipework to enable isolation of large oil and/or gas inventories such as tanks, vessels, etc., from process equipment and in order to sectionalise a facility into optimal fire zones.
- as depressurising valves in each section that can be isolated from a pressurised facility (ref. 5.2.4).
- in fuel lines of gas fired equipment.

It shall be possible to close an ESD valve:
- by a person near to it.
- automatically by the operation of the IPF (ref. 5.1.1.1).

Mechanical isolation valves and other fittings or appliances, e.g. pressure gauges and line break protection switches, shall not be installed on the pipeline side of (Riser-) ESD valves. A mechanical isolation valve with bypass may be installed on the process side of an ESD valve (e.g. to facilitate start-up).

EP 95-0230  HSE Manual, Design
SI-1029  The Offshore installations (emergency pipe-line valve) regulations 1989

5.2.2.2.1 Onshore Facilities

In onshore facilities ESD valves shall be located as close as practicable to the battery limits of the facility (within the fenced area) with the same caution for protection from fires, explosion and/or impact.

5.2.2.2.2 Offshore Facilities

In the case of a riser which serves a fixed installation, the Riser-ESD valve shall be located above the level of the highest wave crest which may reasonably be anticipated (in most cases this implies that the Riser-ESD valves will be located above the spider deck level or the “+101 elevation).
Subject to inspection, safety and maintainability, every Riser-ESD valve shall be located such that the distance along the riser between the valve and the base of the riser is as close as possible to the splash

5.2.3 PSD Valves

PSD valves shall be installed:
- in inlet and/or outlets of process units and equipment for operational start/stop and for protection from exposure to process conditions exceeding safe operating limits (the prime source should also be shut down as far as practicable).
- when both an ESD and a PSD function has to be applied to the same location, the ESD valve may be applied for the PSD function, subject to 5.2.2.
- liquid outlets from process equipment containing gas and liquid shall have automatic PSD valves, which may be self-resetting, to protect the liquid system against gas breakthrough. In the case where the liquid receiving system is designed to withstand the gas pressure (blow-by case) or is provided with gas disposal facilities, PSD valves are not required, provided the control valve is designed for long term tight shutoff (e.g. rotary disk chokes for high pressure or abrasive service).

The use of PSD valves as part of a provision for maintenance isolation (e.g. double block and bleed) is possible, provided that the design has adequate facilities and/or procedures in place to ensure that:
- the valve actuator is positively disconnected from any source of motive power and will remain so until the work is finished.
- the automatic valve actuation is reinstated before any subsequent start-up.

PSD valves may be part of an automatic start-up sequence.

Typical examples of PSD valve application in process systems are also shown in Appendix 7.

5.2.3.1 PSD Valve Pressure Equalising

Pressurising of a unit may be done manually via a normally locked closed equalising valve and restriction orifice in a small diameter bypass around the PSD valve.
This action may be automated via an Automatic Equalising Valve controlled by a sequential logic system (e.g. compressor start-up sequence). A valve "not-closed" alarm may be installed to ensure the integrity of the process shutdown. A typical example is shown in Appendix 8 pages 2 and 3.

5.2.4 Blowdown System Considerations

Two types of blowdown (depressurising) systems can be distinguished for BSP's onshore and offshore facilities (ref. Appendix 7 page 1 figure 1):
- a high rate depressurising system, designed to immediately evacuate the plant inventory in case of an emergency (i.e. serious fire or gas leak).
- a low rate depressurising system for process control operational reasons including maintenance (i.e. manual vent valves).

Only the emergency depressurising system (high rate) is addressed in the following sections.

BSP-12.S.550  The instrumentation of depressurising systems (TMS1038)

5.2.4.1 Emergency Depressurising System Requirements

All hydrocarbon gas inventories within a fire risk zone, irrespective of normal operating pressure, contained within 30 meters from manned control rooms or living quarters shall be depressurised in case of an emergency.

In line with the recommendations provided in BSP's Risk Control Manual and the requirements in DEP 80.45.10.10-Gen., equipment on manned onshore and offshore facilities shall be automatically depressurised, in case of an ESD, to 50% of the design pressure within 15 minutes.

All process equipment, process piping or systems containing, under normal operating conditions, more than 2,000 kg of liquid C4 or a more volatile liquid, shall also be depressurised irrespective of normal operating pressure. The volume of a depressurising section should include all equipment and piping in that fire risk section. The liquid volume should be calculated at normal operating level.
Equipment need not be provided with a depressurising system if, as the result of a fire, the pressure in the equipment will not rise to 50% of the MAWP within 30 minutes.

For a general guideline on the application of depressurising systems refer to Appendix 7 page 2.

Risk Control Manual (in draft)
DEP 80.45.10.10-Gen.  Pressure relief, emergency depressurising, flare and vent systems

5.2.4.2 Design Requirements

Design of depressurising systems shall be based on:
- BSP-12.S.550 The instrumentation of depressurising systems (TMS1038)
- DEP 80.45.10.10-Gen. Pressure relief, emergency depressurising, flare and vent systems
- EP 95-0230 HSE Manual, Design

If all equipment in one depressurising section have the same operating conditions (pressure, temperature and composition), all vapour and liquid volumes in that section shall be added to calculate the fire condition vapour rate. In case of a process in a fire risk zone with several operating cases, each case should be considered and the worst case taken as the basis for the design.

The number of depressurising valves should be kept to a minimum by sectionalising the facility in acceptable fire risk zones and fire risk zone spacing shall be in accordance with EP 95-0230.

Where a pressure control valve to the flare is already installed, this may be used as a depressurising valve but only under the conditions as shown in Appendix 7 page 1 figure 2.

Depressurising from equipment in one fire risk zone into normally pressurised equipment in another fire risk zone shall not be permitted.

The blowdown/depressurising rate often determines the sizing of the flare systems and, particularly offshore or in existing facilities, this is a reason to seek means of reducing the rate. Facilities may be divided into sections, each of which is blown down separately (ref. DEP 80.45.10.10-Gen. section 3.3). If this is done the design and layout should be such that a fire or explosion in one section will not affect the adjacent sections.
Onshore, adequate separation distances are required. Offshore separation distances may be economically provided only in shallow water, otherwise fire and blast walls are required.

Phased blowdown shall not be where:
- segmentation is applied to accelerate the blowdown of sensitive sections of the process. In this case the flare system shall be designed to accommodate simultaneous blowdown caused by a common mode failure as the base design case.
- the segmented process IPFs are sufficiently independent and reliable that it can be demonstrated that the risk of simultaneous blowdown is negligible. Onshore process facilities with common flares commonly fall into this category. In such cases it should nevertheless be demonstrated that the consequences of a simultaneous blowdown would not be catastrophic in terms of radiation, noise, vibration and backpressure.

sd. Segmented blowdown systems are the recommended option. In this case the depressurising times of individual facility sections shall be less than 15 minutes. However in such a case the following shall be noted:
- centrifugal compressors are normally depressurised within 10-15 minutes to maintain seal integrity.
- reciprocating compressors are normally depressurised within 10-15 minutes, but this may be reduced to much shorter periods if compressor mechanical criteria dictate a shorter period. This however is unlikely on an electric motor driven reciprocating compressor.

The consequence of a 15 minutes depressurising time should be checked with regards to vent/flare capacity, low temperatures (metals) combined with liquid and/or hydrate formation and piping (sloping) configuration design.

API RP 521 section 3.16 suggests longer depressurising times for practical reasons in the case of relatively heavy walled vessels containing proportionally large inventories of light (liquid) hydrocarbons.
As a guide 7,000 kPa(g) for pressure and 4 m³ liquid equivalent light hydrocarbons (C4 minus) for inventories should be used. Depressurising times may then be increased to 30-60 minutes for vent/flare capacity reasons, after careful analysis of the fire case (plots of vessel stress and rupture stress versus time). It should be investigated if the associated piping has the requisite thickness in order to allow larger blowdown times.

BSP-12.S.550  The instrumentation of depressurising systems (TMS1038)
DEP 80.45.10.10-Gen.  Pressure relief, emergency depressurising, flare and vent systems
EP 95-0230  HSE Manual, Design
API RP 520  Sizing, selection and installation of pressure-relieving devices in refineries
API RP 521  Guide for pressure relieving and depressurising systems

5.2.4.3 Instrument Design Requirements

The instrument design of depressurising systems shall be in line with BSP-12.S.550 and the following considerations:
- a high rate depressurising system shall be used.
- a normally energised depressurising system shall be used.
- the instrument hook-up shall follow BSP-12.S.550 Appendix 2.
- a multi-orifice low noise type valve shall not be used due to possible plugging and expected leakage rate after a number of operations.

BSP-12.S.550  The instrumentation of depressurising systems (TMS1038)

5.2.5 Opening and Closing Requirements

5.2.5.1 Controlled Opening

ESD and PSD valves shall be opened only after the applicable depressurising valve is closed and if the pressure drop or flow through the valves is minimal. The IPF may have interlocks to assure these requirements.

In order to activate the valves a general reset of the shutdown condition, in the control room where applicable, has to be given. After the applicable ESD depressurising valve(s) is (are) closed the ESD valves may be opened. ESD valves shall be opened locally within direct sight of the valve position (ref. EP 95-0230 section 6.5).
Local reset activation of ESD valves is required to ensure that operators will do a site check. A combination of resets is allowed.

NOTE: On existing facilities, where such logic is not available to implement above, operating procedures shall cover the opening and closing requirements of ESD and PSD valves.

EP 95-0230  HSE Manual, Design

5.2.5.2 Closing

Maximum closing times of shutdown valves in general service shall be 3 seconds or less for valves ≤ DN 100 and 1 second per DN 25 valve size increase for valves > DN 100 (ref. BSP-12.S.505).

For ESD valves in long lines for mainly liquid service, surge calculations shall be made to determine safe closing times. The closing time shall be controlled locally, pneumatically (or hydraulically) through fixed restrictions and independent of the remote control system. Application requires the approval of BSP's Central Engineering Mechanical and Instrumentation Division Heads EDE/3 and EDE/5.

If the isolation valve of an ESD valve is provided with an actuator, the isolation valve may be closed as well as the ESD valve, to facilitate start-up.

BSP-12.S.505  Quarter-turn on/off actuators (TMS1076)

5.2.5.3 ESD/PSD Valve Actuator Venting

ESD and PSD valves with instrument air and gas as power medium shall vent their actuators directly to atmosphere.

5.2.5.4 ESD/PSD Valve Actuator Design Requirements

For ESD and PSD valves, "spring return" pneumatic actuators should be used, subject to the design requirements as per BSP-12.S.505. Purchasing requirements shall be as per BSP-12.F.500 STD.MR.36.017 to STD.MR.26.021 and/or STD.MR.36.024 to STD.MR.36.026.

Open and closed positions of ESD valves shall be monitored on manned facilities on the control panel; on unmanned facilities this may be achieved by DCS or SCADA. Open and closed positions of PSD valves should also be monitored in manned facilities.
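An audit of a restart sequence against the controlled-opening requirements of 5.2.5.1 and the differential pressure guideline of 5.2.1, run over an event log, given here as an added example that is not part of BSP-12.S.500. The log format, the tags, the MAWP value and the assumption that a trip opens the depressurising valve (an S4D case) are constructed for illustration.

```python
# Constructed valve data: MAWP and the depressurising valve that must be
# closed before the ESD valve is opened (hypothetical tags).
VALVES = {"ESDV-101": {"mawp_kpa": 3000.0, "bdv": "BDV-101"}}

# Constructed event log: time, tag, event, optional key=value attributes.
LOG = """\
10:00:00 S4D TRIP
10:20:00 CCR GENERAL_RESET
10:21:00 ESDV-101 OPEN src=remote dp_kpa=50
10:25:00 BDV-101 CLOSED
10:26:00 ESDV-101 LOCAL_RESET
10:27:00 ESDV-101 OPEN src=local dp_kpa=350
10:40:00 ESDV-101 OPEN src=local dp_kpa=120
"""


def allowable_dp_kpa(mawp_kpa):
    """5.2.1 guideline: 400 kPa or 10% of MAWP, whichever is lower."""
    return min(400.0, mawp_kpa / 10.0)


def audit_restart(log, valves):
    """Return (time, valve tag, [reasons]) for each ESD valve OPEN event
    that does not meet the opening requirements."""
    general_reset = False
    bdv_closed = {}       # depressurising valve tag -> closed?
    local_reset = set()   # ESD valves reset locally since the last trip
    findings = []
    for line in log.strip().splitlines():
        ts, tag, event, *pairs = line.split()
        attrs = dict(p.split("=", 1) for p in pairs)
        if event == "TRIP":
            # Assumption: the trip depressurises, so every BDV is now open
            # and all earlier resets are void.
            general_reset = False
            local_reset.clear()
            bdv_closed = {v["bdv"]: False for v in valves.values()}
        elif event == "GENERAL_RESET":
            general_reset = True
        elif event == "CLOSED" and tag in bdv_closed:
            bdv_closed[tag] = True
        elif event == "LOCAL_RESET":
            local_reset.add(tag)
        elif event == "OPEN" and tag in valves:
            cfg = valves[tag]
            reasons = []
            if not general_reset:
                reasons.append("no general reset")
            if not bdv_closed.get(cfg["bdv"], True):
                reasons.append("depressurising valve open")
            if attrs.get("src") != "local" or tag not in local_reset:
                reasons.append("not opened locally after local reset")
            if float(attrs.get("dp_kpa", "inf")) > allowable_dp_kpa(cfg["mawp_kpa"]):
                reasons.append("differential pressure too high")
            if reasons:
                findings.append((ts, tag, reasons))
    return findings


if __name__ == "__main__":
    for finding in audit_restart(LOG, VALVES):
        print(finding)
```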
In general, the power source of all ESD and PSD valves should be instrument air. If instrument air cannot be practically made available, gas or hydraulic actuation may be applied.

BSP-12.F.500  Instrument standard material requisitions (TMS1072)
BSP-12.S.505  Quarter-turn on/off actuators (TMS1076)

5.3 ESD/PSD VALVE SPECIFICATION

ESD and PSD valves except depressurising valves, should be soft seat ball valves specified in accordance with the following standard:
- API 6D.
- BS 5351 (pressure ratings 150 and 300 lbs).

ESD valves shall be fire-safe to:

BS 6755  Inspection and test of steel valves for the petroleum, petrochemicals and allied industries
API 6D  Pipeline valves, end closures, connectors and swivels
BS 5351  Steel ball valves for the petroleum and allied industries

5.4 CHECKING AND TESTING OF INSTRUMENTED PROTECTIVE FUNCTIONS

As highlighted in EP 95-0230, failure of an IPF may not be obvious until the system is needed (also refer to DEP 32.80.10.10-Gen. sections 7 and 9). It is therefore important to check the complete system regularly. The test includes the impulse lines, initiator(s), IPS(s) and final element(s).

IPFs shall be tested as a minimum every 6 months (ref. 4.3.3) and after major shutdowns of and/or modifications to the system, or more frequently if so dictated by the IPF calculation or test results. For Riser-ESD valves refer also to SI-1029.

NOTE: The closing of a PSD or ESD valve on a shutdown may be considered as a valid test of the valve(s).

Final element testing shall include the full closing and re-opening of the (ESD and PSD) valves by the activation of the associated IPF. The design shall allow for this testing.

The IPF, including initiator and final elements, shall be tested by a team consisting of representatives of the instrument maintenance and operations departments.
Personnel in charge of the facility shall sign the test results documentation signifying their agreement that the system has been satisfactorily checked, overrides removed and is fit for its intended operation.

Prior to testing, the following shall be available:
- full system documentation.
- a comprehensive, systematic, written check procedure.
- efficient means of communication.

In addition the following shall be adhered to:
- equipment shall be correctly and clearly identified.
- parties involved in the testing shall be aware of the timing and be familiar with the work content.
- comprehensive recording with feedback of findings to the various departments involved.

NOTE: In order to optimise/reduce maintenance frequencies, consideration shall be given to automatic logging of ESD/PSD valve operations data.

For a planned shutdown it is advisable to initiate the total facility shutdown via a simulated emergency shutdown signal or via SCADA.

For a process train configuration which may be interrupted for testing and maintenance, refer to Appendix 9 page 1.

If provisions have to be made for the full stroke testing of an ESD or PSD valve and if full flow bypass is approved subject to 5.2.2, a bypass including a "not-closed" alarm may be installed, e.g. on pipeline integrity valves (see Appendix 9 page 2 figure 1).

NOTE: However, for ESD or PSD valve testing purposes, partial stroke testing of the valve may be an acceptable option and should be considered in place of full flow bypasses. This option shall be subject to written approval of BSP's Central Engineering Instrumentation Division Head, EDE/5.

Leak testing of ESD and PSD valves is required once every 2 years and during commissioning after a facility or platform overhaul or planned shutdown. The procedure for testing shall be prepared for inclusion in the Plant Operating Manual by the party responsible for the design of the facility.
In case no testing procedure is available, it shall be prepared by the Maintenance Department in consultation with the Engineering Department.

Leak testing of ESD valves may be done in situ using the isolation valves. If additional provisions are to be made for leak testing of the ESD valve and its approved bypass (ref. 5.2.2), for valve maintenance and replacement, then a valve configuration in accordance with Appendix 9 page 2 figure 2 should be applied.

The design of multiple IPSs shall be such that testing of the system, excluding initiating device and output devices, can be undertaken without the need to defeat either input or output. The protection provided by the IPF shall not be impaired during testing of the system.

DEP 32.80.10.10-Gen.  Classification and Implementation of Instrumented Protective Functions
EP 95-0230  HSE Manual, Design
SI-1029  The Offshore installations (emergency pipe-line valve) regulations 1989

5.5 WELLHEAD AND SUB SURFACE SAFETY VALVES

The SCSSV is regarded as the ultimate hydrocarbon isolating valve of the respective facility from the reservoir and is therefore classified as an ESD valve. The Surface Safety Valve (SSV) is classified as a PSD valve.

For wellhead IPF design requirements ref. 5.8.

5.6 SAFEGUARDING OF FIRED HEATERS

Depending on the type of furnace and fuel, the codes for heater operation are met by a combination of strict operating procedures, controls and IPF (the controls and IPF may be contained in a dedicated "heater management system").

The system equipment used shall be based on the following considerations:
- the risk of an unsafe situation being created during monitored ignition and extinction of burners is considerably reduced.
- during normal operation observation by automatic means can be carried out continuously and without any interruption.

Not all operations necessarily have to be carried out automatically.
During start-up (or re-start), several safety aspects are often left to the discretion of the operator, whether or not supervised by a start-up sequence interlock system. During heater operation, however, the applied system shall always fulfil its safety functions.

The fired heater safeguarding philosophy and PEFSs shall be documented as part of the Project Specification.

The following documents, in order of preference, shall form the basis for developing a project specification for a specific fired heater application:

MF 92-0410  Basic requirements for safe operation of fired heaters
VISA-REGULATIONS  For natural-gas-fired with one forced-air burner and a maximum load in excess of 600 kW
NFPA 85A  Standard for prevention of furnace explosions in fuel oil and natural gas-fired single burner boiler-furnaces
API RP 550  Installation of refinery instruments and control systems - Part III - Fired heaters and inert gas generators

5.7 PIPELINE LINE BREAK PROTECTION

BSP applies the major leak detection method, as covered by API RP 14C section AQ to offshore and onshore facilities. In addition, manned facility departing gas lines, with relative stable steady state flow, should be provided with a "flow increase/pressure decrease" method of leak detection.

For leak detection on major gas lines and where the above method is not expected to detect leaks reliably, additional gas detection methods should be considered to augment the leak detection system. Appendix 10 shows the applicable leak detection systems.

Leak detection should be applied on offshore platform and onshore facility departing pipelines to shutoff the input source(s).

Leak detection shall not be applied on an incoming pipeline which is protected by leak protection on the upstream platform/facility. However when evidence can be provided that for long lines upstream leak detection only is not sufficient, additional down stream leak detection should be considered.
Leak detection need not be provided on pipelines between bridge connected platforms within an offshore facility, however ESD valves are still required to isolate platform hydrocarbon inventories within a facility (ref. 5.2.2).

The ESD valve used for shutoff of the input source should be located such that the pipeline portion exposed on the platform is minimised.

Bi-directional pipelines should be provided with leak detection on both the upstream and the downstream platform/facilities.

The ESD valve on an outgoing/bi-directional pipeline shall be activated by the leak detection system and also by the platform/facility IPF.

API RP 14C  Recommended practice for analysis, design, installation and testing of basic surface safety systems on offshore production platforms

5.8 WELLSTRING INSTRUMENTED PROTECTIVE FUNCTIONS

The design of wellstring IPFs shall be in line with EP 95-0230.

Except for beam pump operated wells, level 2 as per Appendix 11 page 1 protection shall be applied for onshore and offshore wellheads.

For fully rated flowlines two independent pressure switches (high and low) shall be installed on the wellhead flowline (ref. Appendix 11 page 2 figure 1).

NOTE: The IPF classification may determine otherwise.

For underrated flowlines the following shall apply (ref. ES-23.17):
- upgrade the flowline to full CITHP.
- install a full flow RV.
- install a second SSV (SSV2) with an independent high-high pressure switch and a RV sized for the leakage rate. Refer to Appendix 11 page 2 figure 2 for the second SSV option and the Shutdown Cause & Effect Matrix.

To avoid damage to the SCSSV valve seat and causing it to lose its ESD valve tight shutoff capability, the following shall be incorporated into the wellhead IPF or into the operation procedures:
- the SCSSV shall not close under well flowing conditions, except in an emergency.
- the SCSSV shall only be opened in an equalised and static environment. A facility shall be installed to enable a soft start-up and to avoid hydraulic shock and a too rapid pressurisation.

The sequences of closing and opening of the wellhead safety valves for the ESD and PSD cases are given in the table below (valves listed in order of operation):

| Shutdown | Without 2nd SSV: closing sequence | Without 2nd SSV: opening sequence | With 2nd SSV: closing sequence | With 2nd SSV: opening sequence |
|---|---|---|---|---|
| PSD | Choke*, SSV | SSV, Choke* | Choke*, SSV1 | SSV1, Choke* |
| ESD | Choke*, SSV, SCSSV | SCSSV, SSV, Choke* | Choke*, SSV1, SSV2**, SCSSV | SCSSV, SSV2**, SSV1, Choke* |

* If an actuated choke valve is installed.
** Is the upper master valve.

The operator interface (e.g. (local) wellhead IPF panel or DCS screen) shall be provided with an auto/manual selection (switch) providing the following facility:

- AUTO MODE: as per table above.
- MANUAL MODE: switches for SSV1, SSV2 and SCSSV allow manual sequencing as per table above.

References:

- ES-23.17: BSP Offshore standard well tie-in package (for existing platforms)
- EP 95-0230: HSE Manual, Design

CHAPTER 6 - REFERENCES AND ATTACHMENTS
6.1 REFERENCES

| Document no. | Reference | Title |
|---|---|---|
| | | Risk Control Manual (in draft) |
| TMS0009 | BSP-12 | Facility design and construction |
| TMS0538 | BSP-12.1.1 | Project development planning |
| TMS1072 | BSP-12.F.500 | Instrument standard material requisitions |
| TMS1074 | BSP-12.S.501 | Standard drawings and forms |
| TMS1023 | BSP-12.S.503 | Preparation of safeguarding memoranda and process safeguarding flow schemes |
| TMS1076 | BSP-12.S.505 | Quarter-turn on/off actuators (DEP 81.40.70.50) |
| TMS1025 | BSP-12.S.510 | Symbols and identification - Instrumentation - Part 1 - Process (engineering) flow schemes (DEP 32.10.03.10) |
| TMS1026 | BSP-12.S.511 | Symbols and identification - Instrumentation - Part 2 - Functional logic diagrams (DEP 32.10.03.11) |
| TMS1038 | BSP-12.S.550 | The instrumentation of depressurising systems (DEP 32.45.10.10) |
| TMS0757 | BSP-12.W.03 | Planning of HAZOP studies |
| | BSP SES.30.04 | Application of High Integrity Protection Systems |
| | DEP 31.36.90.94-BSP | Safety/relief valve calculation sheet |
| | DEP 32.80.10.10-Gen. | Classification and implementation of instrumented Protective Functions |
| | DEP 60.45.10.10-Gen. | Pressure relief, emergency depressurising, flare and vent systems |
| | ES-23.17 | BSP Offshore standard well tie-in package (for existing platforms) |
| | EP 95-0230 | HSE Manual, Design |
| | | HSE Manual, HAZOP |
| | EP 97-1745 | Instrumentation for ultimate safeguarding protection |
| | API 6D | Pipeline valves, end closures, connectors and swivels |
| | API RP 14C | Recommended practice for analysis, design, installation and testing of basic surface safety systems on offshore production platforms |
| | API RP 520 | Sizing, selection and installation of pressure-relieving devices in refineries |
| | API RP 521 | Guide for pressure relieving and depressurising systems |
| | API RP 550 | Installation of refinery instruments and control systems - Part III - Fired heaters and inert gas generators |
| | API RP 6F | Recommended practice for fire test for valves |
| | BS 5146 | Inspection and test of steel valves for the petroleum, petrochemicals and allied industries |
| | BS 5351 | Steel ball valves for the petroleum and allied industries |
| | SI-1029 | The Offshore installations (emergency pipe-line valve) regulations 1989 |
| | MF 92-0410 | Basic requirements for safe operation of fired heaters |
| | NFPA 85A | Standard for prevention of furnace explosions in fuel oil and natural gas-fired single burner boiler - furnaces |
| | OREDA-84 | Offshore reliability data handbook |
| | VISA-REGULATIONS | For natural-gas-fired with one forced-air burner and a maximum load in excess of 600 kW |

6.2 ATTACHMENTS

| Appendix | Title |
|---|---|
| Appendix 1 | Typical levels of protection |
| Appendix 2 | Safeguarding system development flow chart |
| Appendix 3 | Typical presentation of a Sequential Functional Logic Diagram |
| Appendix 4 | BSP shutdown level hierarchy |
| Appendix 5 | Classification of power operated valves (POVs) |
| Appendix 6 | Typical ESD/PSD valve applications |
| Appendix 7 | Typical blowdown applications/requirements |
| Appendix 8 | Typical start-up arrangements |
| Appendix 9 | Typical arrangements for checking and testing of IPFs |
| Appendix 10 | Typical arrangements for line rupture protection |
| Appendix 11 | Typical arrangements for well string IPFs |
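The wellhead valve sequences in the section 5.8 table, together with the two SCSSV rules that precede it, can be expressed as an AUTO-mode sequencer and a MANUAL-mode permissive. The following Python is an added example, not part of the BSP standard; the function names, the valve-state dictionary and the `equalised` input are assumptions, and the single SSV is labelled SSV1 in both configurations.

```python
# Added illustration. Valve names come from the section 5.8 table; the function
# names, the state dictionary and the 'equalised' input are assumptions.
CLOSE_ORDER = ["CHOKE", "SSV1", "SSV2", "SCSSV"]  # closing runs outermost-first

def lineup(second_ssv=False, actuated_choke=True):
    """Installed valves in closing order (the single SSV is called SSV1 here)."""
    skip = set() if second_ssv else {"SSV2"}
    if not actuated_choke:
        skip.add("CHOKE")  # footnote *: choke is sequenced only if actuated
    return [v for v in CLOSE_ORDER if v not in skip]

def auto_sequence(shutdown, action, **cfg):
    """AUTO mode: ordered valve list for a PSD or ESD, as in the table."""
    valves = lineup(**cfg)
    if shutdown == "PSD":  # PSD leaves SSV2 and the SCSSV untouched
        valves = [v for v in valves if v in ("CHOKE", "SSV1")]
    elif shutdown != "ESD":
        raise ValueError(f"unknown shutdown level: {shutdown}")
    if action not in ("close", "open"):
        raise ValueError(f"unknown action: {action}")
    return valves if action == "close" else valves[::-1]

def manual_permitted(valve, action, is_open, equalised=False,
                     emergency=False, **cfg):
    """MANUAL mode permissive: allow one valve command only if it keeps the
    table order. is_open maps valve name -> position feedback (True = open)."""
    valves = lineup(**cfg)
    if valve not in valves:
        return False, f"{valve} is not installed"
    i = valves.index(valve)
    if action == "open":
        if valve == "SCSSV" and not equalised:
            return False, "SCSSV: pressure not equalised"
        # Opening runs SCSSV first: every deeper valve must already be open,
        # and every shallower valve must still be closed (static conditions).
        wrong = [v for v in valves[i + 1:] if not is_open[v]]
        wrong += [v for v in valves[:i] if is_open[v]]
    elif action == "close":
        if emergency:  # the page states this exception for the SCSSV;
            return True, "emergency close"  # applying it to all valves is assumed
        # Closing runs choke first: no shallower valve may still be open,
        # so the SCSSV never closes against flow.
        wrong = [v for v in valves[:i] if is_open[v]]
    else:
        raise ValueError(f"unknown action: {action}")
    if wrong:
        return False, f"{action} {valve} blocked by {', '.join(wrong)}"
    return True, "ok"
```
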
