Appendix 2 of Schedule L2

Appendix 2
of
Schedule L - 2
This document contains proprietary information and is intended for use by

AFPC staff only. The contents of this controlled document shall not be
changed without formal approval of the document custodian.
This document contains proprietary information and is intended for use by AFPC staff
only. The contents of this controlled document shall not be changed without formal
approval of the document custodian.
TESTING OF INSTRUMENTED
SAFEGAURDING SYSTEMS Rev 4
MANUAL
Manual for
Testing Instrumented
Safeguarding Systems
Content
SUMMARY..............................................................................................................................................3
RESPONSIBILITIES..............................................................................................................................3
TESTING REQUIREMENTS................................................................................................................3
ADMINISTRATION...............................................................................................................................3
GLOSSARY OF TERMS........................................................................................................................3
REFERENCE DOCUMENTS................................................................................................................3
1. INTRODUCTION...........................................................................................................................4
1.1. BACKGROUND...........................................................................................................................4
1.2. APPLICABILITY..........................................................................................................................4
2. TESTING REQUIREMENTS OF INSTRUMENTED SAFEGUARDING SYSTEMS..........5
2.1. SCOPE OF TESTING AND TEST INTERVAL..................................................................................5
2.1.1 Initiator Testing....................................................................................................................6
2.1.2 Simulated Testing of Instrumented Protective System (IPS)................................................6
2.1.3 ESD Testing..........................................................................................................................7
2.1.4 Proof Testing........................................................................................................................7
2.2 EXTENDING THE CURRENT TEST INTERVAL.....................................................................................7
2.2.1 ESD Testing..........................................................................................................................7
2.2.2 Initiator Testing....................................................................................................................8
2.3 PLANNING......................................................................................................................................8
2.3.1 Scheduled Testing.................................................................................................................8
2.3.2 Deferment of Scheduled Testing...........................................................................................8
Page 2 of 28 772468330.rtf 7/14/24

MANUAL
3 ADMINISTRATION AND REPORTING....................................................................................8

3.1 Generic Maintenance Work Instructions (MWIs).....................................................................8
3.2 Recording.................................................................................................................................8
3.3 Competent Test Team (CTT).....................................................................................................9
3.4 Crediting unplanned Trips/Shutdowns.....................................................................................9
APPENDIX 1: AFPC CLASSIFICATION RISK DIAGRAM..........................................................10
APPENDIX 2: ESD TARGET TEST INTERVAL SELECTION......................................................11
APPENDIX 3: PASS/FAIL CRITERIA...............................................................................................14
APPENDIX 4:GENERIC MAINTENANCE WORK INSTRUCTIONS.........................................17
APPENDIX 5: ESD / INITIATOR CHANGE REQUEST FORM...................................................23
APPENDIX 6: GLOSSARY OF TERMS............................................................................................25
APPENDIX 7: REFERENCED DOCUMENTS.................................................................................28
Page 3 of 28 772468330.rtf 7/14/24

MANUAL
SUMMARY
OBJECTIVE
The purpose of this document is to define the method for the Testing and establishing the test
interval of Instrumented Safeguarding Systems in Al Furat Petroleum Company (AFPC) and
thereby allow the Asset Operator to demonstrate optimum technical integrity with maximum
economic benefit.
Adherence to the contents of this Manual is mandatory.
RESPONSIBILITIES
Area Superintendents (OPXs) shall be responsible for ensuring that Testing is executed in
accordance with this document within their own areas and specifically for ensuring that any
deviation to this Manual, Test Interval or Schedule is managed in line with Deviation Control
Procedure ECD-05.
Field Instrument Support (OTS/4) shall be responsible for supporting the Area
Superintendents in the Instrument Safeguarding Testing execution in the reporting and
analysis process.
The document custodian is responsible for the approval of any changes to the process or form
of words herein.
TESTING REQUIREMENTS
All safeguarding systems shall be subject to Initiator Testing at a maximum interval of 12
months dependent on proven reliability and inhibited to ensure no deferment.
Refer to section 2.1.1 Initiator Testing
All safeguarding systems shall be subject to Emergency Shutdown (ESD) Testing at a
maximum interval defined in table 3 dependent on proven reliability.
Refer to section 2.1.3 ESD Testing
All safeguarding systems shall be subject to Simulated Testing during scheduled shutdowns
in accordance with table 2.
Refer to section 2.1.2 Simulated Testing of Instrumented Protective System
All safeguarding systems shall be subject to Proof Testing independent of the Test Interval
where the logic of the system is unknown or in doubt.
ADMINISTRATION
All Instrument Safeguarding System testing shall be administered in order to ensure that
technical integrity is maintained and deferment minimised. All testing executed and changes
made to the systems and test intervals shall be recorded so that analysis and audit may be
carried out and were applicable improvements made.
GLOSSARY OF TERMS
All technical terms and acronyms are set out in the Glossary of terms in appendix 5
REFERENCE DOCUMENTS
All documents referenced in this Manual are detailed in Appendix 6
Page 4 of 28 772468330.rtf 7/14/24

MANUAL
1. INTRODUCTION
AFPC operates a large number of Oil & Gas productions and related facilities of varying size
and complexity. In order to ensure continued safe and efficient operations it is necessary to
regularly Test the Instrumented Safeguarding Systems.
Such Testing must be properly executed and documented in order to ensure that the
Instrumented Safeguarding Systems remain fit for purpose and that AFPC's requirements for
ensuring technical integrity are met.
This document shall be the Company Manual for the Testing of Instrumented Safeguarding
Systems on all AFPC’s facilities.
1.1. Background
The Safeguarding Testing was initially revised to meet the Company requirements as
documented in the Operational Reliability Review, Action Item ORR NGF5, and the Cost
Review, Action Item CR-E4. Following implementation in 1999 a review by the Instrument
Engineers led to Revision 2 in May 2000.
It specifies the role of the Operations department in the execution of Instrumented
Safeguarding Systems Testing with minimal product deferment. It removes the reliance on
prescriptive Test Intervals, which formed the basis under which Emergency Shutdown (ESD)
and Alarm Testing was traditionally carried out in AFPC and upgrades it to a risk based
method of establishing Test Intervals.
1.2. Applicability
This document is applicable to all AFPC installations and the protective instrumentation
normally associated with Emergency Shutdown (ESD), Process Shutdown (PSD) and
Machine Protection functions that could have a significant effect on People, Production or the
Environment if the Instrumented Safeguarding System were to fail.
Page 5 of 28 772468330.rtf 7/14/24

MANUAL
2. TESTING REQUIREMENTS OF INSTRUMENTED SAFEGUARDING

SYSTEMS.
2.1. Scope of Testing and Test Interval
All Instrumented Safeguarding System functions shall be Tested to demonstrate that there are
no Unrevealed Failures. There shall be 3 separate functional Tests, (Ref. Fig 1 below).
 Initiator Testing – The inhibited Testing of all safeguarding initiators to confirm that the
Initiator(s), up to and including the input card/relay, and alarm facility function as per
design.
 Simulated Testing – Testing during planned facility shutdowns to demonstrate the entire
Instrumented Safeguarding System functions in accordance with the designed C&E
diagrams.
 ESD Testing – The uninhibited Testing of the overall ESD system for a facility initiated
by a single ESD Initiator to confirm that all Final Elements function as per design.
These Tests may be carried out separately or combined, as appropriate to the operational
circumstances of each facility as long as the overall scope and minimum Test Interval
requirements are met. Do not duplicate test requirements. i. e if a simulated test is carried out
there is no requirement for an initiator test to be carried out.
Page 6 of 28 772468330.rtf 7/14/24

MANUAL
2.1.1 Initiator Testing

Regular Initiator Testing shall be carried out for all Initiators at a maximum interval of 12
months as determined by the proven reliability of the initiator through successful testing.
Until the initiator is proven to be reliable it shall be tested at 3 monthly intervals e.g. by
previous test results or, inherently reliable design & installation. Following the acceptance of
initiator reliability at two successive tests. The current test interval may be changed to the
next test interval i.e. 6 or 12 months. Test interval change may be initiated by OPX by filling
in the form in Appendix (5) and then only after approval of the document custodian.
Initiator Type Target Test Intervals

Pneumatic 3 Months 6 Months N/A
Electric 3 Months 6 Months 12 Months
Table 1: Target Test Interval for Initiator Testing.

Maintenance Override Switches (MOS) or Inhibits should be used to allow Testing without
shutdown of the process. Their use during testing shall be subject to the application of the
Permit To Work System or suitable Operations Standing Instructions so that they cannot cause
human induced failure of the protection function after testing is complete.
Initiators shall be Tested by adjusting the process or, if this cannot be achieved safely, a
simulated process condition which replicates as closely as possible the process excursion shall
be used.
2.1.2 Simulated Testing of Instrumented Protective System (IPS)

The facility IPS shall be fully tested during planned shutdowns with the maximum Test
Interval being determined by the Logic Solver type, as follows:
Safeguarding System Type
Pneumatic Relay “Inherently Fail-safe”
2 yearly 4 yearly 10 yearly
Table 2: Target Test Interval for Simulated Testing

Testing shall be carried out to demonstrate functionality in accordance with the latest
approved C&E diagrams for the facility.
To achieve the highest possible coverage factor Initiators shall be activated by adjusting the
process or, if this cannot be achieved safely, a simulated process condition, which replicates,
as closely as possible the process excursion shall be used.
Note: Simulated testing of the Instrument Protective System (IPS) is not a substitute for ESD
testing.
2.1.3ESD Testing
Regular ESD Testing shall be carried out for all facilities at an interval no greater than its
Target Test Interval specified in table 3
Page 7 of 28 772468330.rtf 7/14/24
MANUAL
ESD System Type

Facility Daily Production Pneumatic Relay “Inherently
Failsafe”
³ 70,000 bbls/day 6 Months 12 months 2 Years
< 70,000 bbls/day 12 Months 2 years 3 Years
Table 3: Target Test Interval for ESD Testing.

See Appendix 2 (Page13 of 26) for the basis of ESD Target Test Interval selection and the
Facility Daily Production criteria. These criteria shall only be changed in consultation with
the custodian of this document.
To achieve the highest possible coverage factor, i.e. optimum positive confirmation of system
integrity, Final Elements shall be Tested live by operation of one ESD Initiator.
Note: In case that an installation is fitted with a combination of ESD System Logic Solver
Types, then the minimum interval specified in table 3 for one of the types fitted shall be
adhered to. This only applies to the Main Logic Solver. If there are individual pneumatic
process shutdown systems, which feed into a relay based Main Logic Solver, then the overall
ESD system is regarded as “Relay” based.
1.3.4 Proof Testing

Where the logic of the system is in doubt, e.g. verified Cause & Effect (C&E) diagrams are
not available or, the logic has been changed or, human induced errors are suspected. In these
situations systems shall be proof tested independently of the Test Interval.
Proof testing shall be carried out as soon as possible after identification of the requirement.
Deferment of proof tests shall only be considered if the consequences of failure of the
particular system, to People, Production or the Environment, can be shown to be negligible.
Any deferment of proof testing shall be recorded in accordance with ECD-05 Deviation
Control Procedure.
2.2 Extending the Current Test Interval.
2.2.1 ESD Testing

A current Test Interval shall only be extended after proving the reliability of the tested system
or initiator(s), at the current Test Interval after two successive tests and then only to the next
Target Test Interval as defined in table 3 (section 2.1.3). Test interval change may be initiated
by OPX filling in the form Appendix (5) and then only after approval by document
custodian.
2.2.2 Initiator Testing

A current Test Interval shall only be extended, after proving the initiator is reliable at that Test
Interval and then only to the next Target Test Interval, as identified in table 1 (section 2.1.1).
Test interval change may be initiated by OPX, only after approval by document custodian.
For the majority of plants the current Test Interval will be shorter than the Target Test interval.
Page 8 of 28 772468330.rtf 7/14/24

MANUAL
2.3 Planning
2.3.1 Scheduled Testing

All Instrumented Safeguarding System Testing that causes product deferment shall be referred
to Operations Business planning (OBP) for inclusion in the Integrated Production Plan (IPP)
and/or Integrated Operations Plan (IOP). To minimise deferment OPX shall endeavour to
use a facility shutdown prior to or exceeding the test due date by one month for testing of the
Instrumented Safeguarding system, otherwise Testing shall be carried out at the due date.
2.3.2 Deferment of Scheduled Testing

Scheduled Testing shall only be deferred and approved in accordance with the criteria below.
 1st deferment and/or rescheduling by not more than 1 month beyond the due date -
approval by Operations Area Superintendent (OPX)
 2nd deferment and/or rescheduling by not more than 3 months beyond the due date -
approval by Operations Field Manager (OFM)
 3rd deferment and/or rescheduling by more than 3 months beyond the due date - approval
by Operations Manager (OM)
All deferment of Testing shall be recorded in accordance with ECD-05 Deviation Control
Procedure.
3 ADMINISTRATION AND REPORTING
3.1 Generic Maintenance Work Instructions (MWIs)

The area production and maintenance team shall utilise the generic MWIs (Appendix 4) to
construct a Testing scheme appropriate to each facility, and generate Electronic maintenance
management System (EMMS) Immpower Work Orders.
The EMMS shall be utilised to schedule and record the results of all Testing.
3.2 Recording
The completed test sheets shall be signed and dated by OPX/1 confirming compliance of the
Testing execution with the contents of this Manual.
OPX/3 shall ensure that the test results and details of any associated corrective actions shall
be recorded in the EMMS for future reference and statistical analysis. A Test report
summarising the findings with any associated corrective actions shall be provided.
Test results shall be recorded in accordance with Appendix 3 pass/fail criteria.
Test reports shall be archived for at least 10 years or, the life of the Instrument Protective
Function (IPF), whichever is the longer.
3.3 Competent Test Team (CTT)

OPX shall ensure that a (CTT) and associated resources are available to execute the Testing
safely and assure compliance with the contents of this Manual. A competent member of the
Area Production staff shall lead the CTT.
Page 9 of 28 772468330.rtf 7/14/24

MANUAL
3.4 Crediting unplanned Trips/Shutdowns

An unplanned Trip or Shutdown may be credited as a completed Test only if both of the
following criteria are met.
 The pre-trip status of all the components to be Tested is verified by OPX/1 and/or OPX/3.
 The post-trip status of all the components to be Tested is verified by OPX/1 and/or OPX/3
prior to plant start-up.
If the Trip or Shutdown meets the above criteria then it must be recorded in the EMMS in
accordance with the above procedures and additionally noted as a “Credited Trip Test” or
“Credited Shutdown Test”.
Page 10 of 28 772468330.rtf 7/14/24

MANUAL
APPENDIX 1: AFPC Classification Risk Diagram

Instrumented Protective System Integrity (I) Test Intervals
Personal Safety (S)
Production & Equipment Loss (L)
Environmental (E)
Page 11 of 28 772468330.rtf 7/14/24

MANUAL
Page 12 of 28 772468330.rtf 7/14/24

MANUAL
Appendix 2: ESD TARGET TEST INTERVAL SELECTION
The AFPC Classification Risk Diagram was used to classify the potential consequences of
failure of a facility ESD System. The results are shown overleaf. The Target Test Interval is
the interval arrived at after a Risk Classification has been carried out.
Classification Basis
In the main, activated by manual pushbuttons, the design intent is to mitigate the
consequences of incidents such as leaks, fires, etc. from escalating and causing
serious/catastrophic loss. This is achieved through the isolation and de-pressurisation of all
process and non-essential utility systems of a production facility.
The potential worst consequences of a failure of an ESD system in all of AFPC facilities, is
considered to be the loss of a single life or, severe injury and the loss of the production
facility. Death of several persons is not considered likely due to the manning philosophy,
facility layout and ease of escape. This is based on an evaluation carried out in Tanak in
November 97 which is taken to be applicable to all AFPC installations for the purpose of Test
Interval selection.
Classification Examples
Using the AFPC Classification Risk Diagram, which has been adapted from Internationally
accepted risk graphs to reflect AFPC's actual situation. The consequence that dictates the Test
Interval for ESD systems is Production Loss, where facility throughput is in excess of 70,000
barrels of oil per day. This figure is defined as maximum risk criteria, which is 20% of
350,000 Barrels Per Day (BPD), AFPC total oil production. Below this threshold the
Personnel Safety & Environmental consequences would dominate. As these consequences
are in general common to all facilities, specific ESD Test Intervals can be determined as per
table 3 (reference 2.1.3).
Note. Consequences can be identified for failures at the Process Shutdown (PSD) or
Machine Protection level e.g. S3 - Death of several people. If this is the case, it will result in
more frequent Testing of the specific loop, which can be done by Inhibited Initiator Testing
and Final Element Testing, possibly without deferment.
Page 13 of 28 772468330.rtf 7/14/24

MANUAL
Appendix 2: Instrumented Protective System Integrity (I) ESD Target Test Intervals
Personal Safety (S) Class IV/III/II (12, 24, 36 months)
Production & Equipment Loss (L) Class V/IV/III (6, 12, 24 months)
Environmental (E) IV/III/II (12, 24, 36 months)
Page 14 of 28 772468330.rtf 7/14/24

MANUAL
Appendix 2:TARGET TEST INTERVAL FOR AFPC FACILITIES

AREA Facility Daily ESD Target
Production SYSTEM Test
TYPE Interval
Barrels of oil Months

equivalent
(BOE)
Tanak CPF 95000 Relay 12
Azrak 24000 Pneumatic 12
Maleh/Mqaat 50000 Maglog 36
Jido 20000 Maglog 36
Galban 36000 Pneumatic 12
Tayyani 6500 Pneumatic 12
Abu Hardan 11000 Pneumatic 12
Shahit/Shedea 500 Pneumatic 12
El Ward CPF 31000 Relay 24

Al Ishara 7000 Pneumatic 12
Al Ahmar 9000 Pneumatic 12
Thayyem CPF(RTS+GL) 10000 Relay 24

Al Kharata 2200 Relay 24
An Nisham 1200 Relay 24
El Isba CPF 30000 Relay 24
Omar CPF 230000 Relay 12

GSA 40000 Pneumatic 12
GSB 20000 Pneumatic 12
North Shahel 15000 Relay 24
Saban 25000 Pneumatic 12
Sijan 55000 Pneumatic 12
Ghawari 5000 Pneumatic 12
Water Lift 300000 Maglog 24
Water Plant 400000 Maglog 24
Water Injection 400000 Relay 12
Power Station 10000 Maglog 36
Gas Plant 40000 Relay 24
Gas pipeline Jander 570 Maglog 36

Homs/Kattina 95 Relay 24
Nasria 410 Maglog 36
Mahardi 275 Maglog 36
Tishrin 275 Maglog 36
Adra 25 Pneumatic 12
T3 10 Pneumatic 12
Thayyem 10 Pneumatic 12
Page 15 of 28 772468330.rtf 7/14/24

MANUAL
APPENDIX 3: Pass/Fail Criteria
Pass/Fail criteria for instrumented Protection Devices are determined by the inherent accuracy
of the instrument used.
1. Pneumatic and electronic transmitters with receiving switches should be kept within ±
2% of their set point.
2. Direct mounted process switches should be kept within ± 3% of their set point.
3. Level instruments using displacers should be kept within ±5% of their set point. If
levels are measured by DP- instrument criteria (1) shall be applicable.
The following matrix gives an overview of the recommended accuracy bands for the different
instruments:
Type of instrument
Instrument Transmitter with Direct mounted Displacer type level
function receiving switch process switch instrument
Shutdown and Alarm ≤ ± 2% of Set point ≤ ± 3% of Set point ≤ ± 5% of Set point

function
Page 16 of 28 772468330.rtf 7/14/24

MANUAL
APPENDIX 3: Initiator Pass/Fail Criteria
a) An Initiator Test is deemed to fail if

 the Initiator fails to Trip within the prescribed tolerance in the ‘Non Fail Safe’ area of its
setpoint e.g. a Hi Pressure protection switch with a setpoint of 100 Bar which operates at
102.1 Bar, or a Low Level protection switch with a setpoint set at 1000mm below datum
operates at 1055 mm etc.
 the Initiator fails to switch the associated IPS input.
These conditions shall be recorded as a Test FAIL.
b) All other non-conformance conditions such as a ‘Fail Safe’ setpoint trip i.e. outwith the
2% tolerance value in the ‘Fail Safe’ area of the setpoint value e.g. a Hi Pressure
protection switch with a setpoint of 100 Bar which operates at 97.9 Bar, or a Low Level
protection switch with a setpoint set at 1000 mm below datum operates at 945 mm etc.
shall be recorded as a Test DEFECT.
c) When a Test is deemed successful i.e. the Initiator causes a Trip within the prescribed
tolerance, the Test shall be recorded as a Test PASS.
ESD Test Pass/Fail Criteria
a) An ESD Test is deemed to fail if

 the Initiator used to initiate the Test fails as described above.
 any ESD Final Element fails to reach its final status as defined in the C&E diagrams e.g.
Valve CLOSED, Pump STOPPED, etc.
b) All other non-conformance conditions such as a non-ESD valves failing to reach its fail
safe position or is slow to start moving or reaches its final status after an extended
period, etc. shall be recorded as a Test DEFECT.
c) When a Test is deemed successful i.e. the Instrumented Safeguarding System responds in
accordance with its design intent, the Test shall be recorded as a Test PASS.
Page 17 of 28 772468330.rtf 7/14/24

MANUAL
APPENDIX 3:Instrument protective System (IPS) Simulated Test Pass/Fail

Criteria
a) An IPS Test is deemed to fail if

 Any required Trip or Shutdown action(s), as illustrated in the current C&E diagrams,
is not achieved by the initiation of any input(s).
b) All other non-conformance conditions such as additional effects being caused or the
failure of an alarm to annunciate, etc. shall be recorded as a Test DEFECT.
c) When a Test is deemed successful i.e. the IPS responds in accordance with its design
intent, the Test shall be recorded as a Test PASS.
Test Defect or Test Fail
If a Test DEFECT or Test FAIL is recorded a corrective job card or, Plant Improvement
Request (PIR) must be raised, as appropriate, and the work carried out at the earliest
opportunity thereafter. It may also be necessary to adjust the maintenance schedule of the
failed components.
Page 18 of 28 772468330.rtf 7/14/24

MANUAL
APPENDIX 4:Generic Maintenance Work Instructions
TITLE: INITIATOR TEST

EQUIPMENT: Panel XXXX RESPONSIBILITY: Production
STEP DESCRIPTION
1. This MWI has been produced in accordance with OCD 2.OOG.3.002. Any changes to
this MWI shall be made in accordance with the requirements of this document and
approved by the appropriate Authority.
2 These tests shall be conducted under the guidance of a Competent Production Person
who shall be responsible for ensuring the tests are conducted safely and that no
unplanned product deferment is caused.
3. OBJECTIVE - To ensure that the Initiator(s) operate at the required setpoint without
executing trip actions. If the objective is not achieved all necessary actions taken to
return the system to a satisfactory condition must be completed as soon as reasonably
practical and are to be logged in the history section of the EMMS along with the test
results.
4. Comply with the permit to work system and all relevant safety precautions.
5. Inhibit operation and function test each of the following initiators below in turn in
accordance with following instructions.
(Area Instrument Section Head OPX/3 in conjunction with OTS/4 as necessary
shall complete this section to reflect the actual status of the panel being tested)
TRIPPING DEVICE DESCRIPTION
XXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
6. Confirm that the following base design documentation and information is current and
available.
 Trip setpoint EMMS
 Loop Sheets
7. Apply the necessary maintenance over-rides or input isolation links on the specific unit
shutdown panel to ensure that actuation of the trip devices will not cause any
unnecessary plant upset or product deferment.
8. Where Maintenance Over-ride Switches are utilised, confirm the over-ride
indication/alarm is annunciated and the corresponding input indication is identified but
not indicating.
9. To achieve the highest possible test coverage factor, the initiator shall be tested by
adjusting the process, e.g. raising the level in an oil separator were the level can be
raised slowly and under control. If this cannot be achieved safely then a simulated
process condition which replicates as closely as possible the process excursion shall be
used.
Page 19 of 28 772468330.rtf 7/14/24
MANUAL
APPENDIX 4:
9 If a simulated process condition is used, isolation/blowdown of the measuring/tripping

device, the system of initiation shall be conducted using one of the following methods.
 By isolating the initiator from the process and carrying out a wet simulation e.g.
introduction of liquid into a float chamber or connection of a portable hydraulic test unit
to the device.
 By applying/removing heat, via a safe source, to a temperature sensing device.
 By injection of an electrical or pneumatic signal to the tripping device (dry simulation),
using a suitable piece of test equipment.
The chosen method shall ensure that the input loop is fully tested.
10 Reset any active trip alarms in readiness for the test actuation.
11 Increase or decrease the process or simulated process value until the trip should have
occurred.
Note the process value at which a trip occurs, check this value against the designated
Trip Set Point Value and Tolerance settings. If the trip does not occur within the Trip
Set Point Tolerance, the test should be abandoned, the appropriate failure code recorded
and the necessary corrective actions implemented.
If the initiator forms part of a voting configuration, simulate the required set of inputs to
achieve the trips.
12 Check the following takes place, when the indication change occurs.-
 The Input indication is indicated on the particular unit shutdown panel.
 Any relevant trip/alarm actions not covered by the inhibit(s) have been activated to their
"tripped" states.
 The appropriate Distributed Control System (DCS) / Supervisory Control and Data
Acquisition (SCADA) indications are obtained.
 The control room alarm annunciates.
13 On completion or abandonment of this test ensure that all valves and alarms have been
returned to their start-up state; the device is live to the process; the maintenance over-ride
switches have been reset or input isolation links removed; and that no unrevealed failures
have been introduced during testing, (impulse lines left closed), so that the system is
available for operation.
14 Record and update results in the "Work History" section of EMMS. The test results shall
be recorded utilising the appropriate codes i.e. PASS, FAIL or DEFECT.
15 If calibration or remedial action is required as a result of the test a corrective job card or,
Plant Change Proposal (PCP) must be raised, as appropriate.
Page 20 of 28 772468330.rtf 7/14/24

MANUAL
APPENDIX 4: ESD TEST
FACILITY: xxxxxxx RESPONSIBILTY: Production
STEP DESCRIPTION
1. This MWI has been produced in accordance with OCD 2.OOG.3.002. Any changes
to this MWI shall be made in accordance with the requirements of this document and
approved by the appropriate Authority.
2. This test shall be conducted under the guidance of a Competent Production Person
who shall be responsible for ensuring the test is conducted safely and that no
unplanned product deferment is caused.
3. OBJECTIVE - To ensure that all the specified Final Elements achieve their desired
position on operation of an ESD initiator. If the objective is not achieved all
necessary actions taken to return the system to a satisfactory condition must be
completed as soon as reasonably practical and are to be logged in the history section
of the Immpower along with the test results.
5. Choose an initiator by which to initiate the test from one of the following ESD
Initiators. Consult previous work history to select an ESD Initiator that has not been
previously or recently used to initiate this test.
ESD INITIATORS DESCRIPTION
XXXXXX XXXXXXXXXXXXXXXXXXXXXX
XXXXXX XXXXXXXXXXXXXXXXXXXXXX
XXXXXX XXXX XXXXXXXXXXXXXXXXXX
available.
 Trip setpoint (EMMS)
 Loop Sheets
7. To achieve the highest possible test coverage factor, the initiator shall be tested by
process condition which replicates as closely as possible the process excursion shall
be used.
If a simulated process condition is used, isolation/blowdown of the
measuring/tripping device, the system of initiation shall be conducted using one of
the following methods.
Page 21 of 28 772468330.rtf 7/14/24

MANUAL
APPENDIX 4:
 By isolating the initiator from the process and carrying out a wet simulation e.g.
introduction of liquid into a float chamber or connection of a portable hydraulic test
unit to the device.
 By applying/removing heat, via a safe source, to a temperature sensing device.
 By injection of an electrical or pneumatic signal to the tripping device, (dry simulation),
using a suitable piece of test equipment.
8. Reset any active trip alarms in readiness for the test actuation.
9. Operate the push button or increase or decrease the process or simulated process
value until the trip should have occurred.
10 If the test is not initiated by a push button then note the process value at which a trip
occurs, check this value against the designated Trip Point Set Value and Tolerance
settings. If the trip does not occur within the Trip Set Point Tolerance, the test should
be abandoned, the appropriate failure code recorded and the necessary corrective
actions implemented.
11. If the initiator forms part of a voting configuration, simulate the required set of inputs
to achieve the trips.
12. Check the following events occur after the output signal has been driven to the tripped
state.
 All Final Elements achieve their desired position within any stated times.
13. On completion or abandonment of the test ensure that all Initiators, Final Elements
and alarms have been returned to their start-up state; any vents are closed; and that no
additional unrevealed failures have been introduced during the test.
14 Record and update results in the "Work History" section of the EMMS. The test
results shall be recorded utilising the appropriate codes i.e. PASS, FAIL or DEFECT.
15 If calibration or remedial action is required as a result of the test a corrective job card
or, Plant Change Proposal (PCP) must be raised, as appropriate.
Page 22 of 28 772468330.rtf 7/14/24

MANUAL
APPENDIX 4:
INSTRUMENTED PROTECTIVE SYSTEM (IPS) TEST {SIMULATED TEST}
EQUIPMENT: Panel XXXXX RESPONSIBILITY: Production
STEP DESCRIPTION
1. This MWI has been produced in accordance with OCD 2.OOG.3.002. Any changes
to this MWI shall be made in accordance with the requirements of these documents
and approved by the appropriate Authority.
2. These tests shall be conducted under the guidance of a Competent Process Tester who
shall be responsible for ensuring the tests are conducted safely and that no unplanned
product deferment is caused.
3. OBJECTIVE - To ensure that the required trip actions, as illustrated in the current
C&E diagrams, are achieved by the initiation of the input(s). If the objective is not
achieved all necessary actions taken to return the system to a satisfactory condition
must be completed as soon as reasonably practical and are to be logged in the history
section of EMMS along with the test results.
5. Inhibit any plant/equipment not required to be shutdown by this test and initiate
test(s) by the following initiator(s).
INITIATOR DESCRIPTION
XXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
PLANT/EQUIPMENT NOT REQUIRING TEST:-

Tag No. Description.
XXXXXX XXXXXXXXXXXXXXXXXXXXXXXXX
available.
 Trip setpoint and tolerances
 Cause and Effect Matrices
 Loop diagrams
 Logic Diagrams
APPENDIX 4:
Page 23 of 28 772468330.rtf 7/14/24

MANUAL
7 To achieve the highest possible test coverage factor, the initiation shall be caused by
process condition which replicates as closely as possible the process excursion shall
be used.
If a simulated process condition is used, isolation/blowdown of the
measuring/tripping device, the system of initiation shall be conducted using one of
the following methods.
 By isolating the initiator from the process and carrying out a wet simulation e.g. introduction
of liquid into a float chamber or connection of a portable hydraulic test unit to the device.
 By applying/removing heat, via a safe source, to a temperature sensing device.
 By injection of an electrical or pneumatic signal to the tripping device, (dry simulation) using
a suitable piece of test equipment.
8. Reset any active trip alarms in readiness for the test actuation.
9. Increase or decrease the process or simulated process value until the trip should have
occurred.
Note the process value at which a trip occurs, check this value against the designated
Trip Set point Value and Tolerance settings. If the trip does not occur within the Trip
Set Point Tolerance, the test should be abandoned, the appropriate failure code
recorded and the necessary corrective actions implemented.
If the initiator forms part of a voting configuration, simulate the required set of inputs
to achieve the trips.
10. Check the following takes place, when the trip is generated.
 The relevant trip actions are initiated in accordance with the current C&E Diagram.
11. On completion or abandonment of this test ensure that all Initiators, Final Elements
and alarms have been returned to a state consistent with the plant condition; any
isolation and link test points have been removed; and that no unrevealed failures have
been introduced during testing.
12. Record and update test results in the "Work History" section of the EMMS. The test
results shall be recorded utilising the appropriate codes i.e. PASS, FAIL or DEFECT.
13. If calibration or remedial action is required as a result of the test a corrective job card
or Plant Change Request (PCP) must be raised, as appropriate.
APPENDIX 5: ESD / Initiator change request form
Page 24 of 28 772468330.rtf 7/14/24

MANUAL
ESD / Initiator Change Request Form

Part A - Initiation
ESD / Initiator Title :
ESD / Initiator Number :
ESD / Initiator Requested for:

[State Asset, Facility, Operation, ]
ESD / Initiator Details :

[All information required for Controlled Document custodian to review:
For example : 1. Existing Situation, 2. Reason for change.]
ESD / INITIATOR CHANGE REQUEST APPROVAL
Originator Section Head Department Head
Name : Name : Name :
Ref. Ind : Ref. Ind : Ref. Ind :
Sign : Sign : Sign :
Date : Date : Date :
APPENDIX 5: ESD / Initiator change request form
ESD / Initiator Change Request Form

Page 25 of 28 772468330.rtf 7/14/24
MANUAL
Part B - Technical Review & Approval

CUSTODIAN REVIEW
ESD / Initiator Number : Approved :

Yes / No
Custodian Comments :
Name : Ref. Ind : Date : Signature
CONTROLLED DOCUMENT APPROVAL AUTHORITY

[* To be defined by Custodian]
Name :* Ref. Ind :* Date : Signature :
Part C - Execution and Close Out

Execution Completion Date :
Originator Section Head Department Head
Name : Name : Name :
Ref. Ind : Ref. Ind : Ref. Ind :
Sign : Sign : Sign :
Date : Date : Date :
Page 26 of 28 772468330.rtf 7/14/24

MANUAL
APPENDIX 6: GLOSSARY OF TERMS

Classification
A method of examining the consequences of Unravelled Failure (Failure on Demand) of the
Instrumented Safeguarding System and the selection of the basis for Test Intervals, see
Appendix 1 - AFPC Classification Risk Diagram.
Cause and Effect (C&E) diagrams
C&E diagrams are the Master documents for recording the executive actions of each
Instrument protective Function (IPF) Initiator. They include all IPF Initiators and Final
Elements with their associated tag numbers and also show logic functions such as interlocks,
time delays, enables, etc.These are controlled documents, which require to be maintained as
built with any changes approved in accordance with the Plant Change Proposals (PCP)
procedure.
SD GROUP No. SD GROUP No. SD GROUP No. SD GROUP No. SD GROUP No. REFERENCE
NOTES
EFFECT Equip no. Equip no. Equip no. Equip no. Equip no. Equip no. Equip no. Equip no. Equip no.
REMARKS
ACTION
DESCRITION
SERVICE
CAUSE
SERVICE TAG
DESCRITION NUMBER
REMARKS
Equip no.
SD GROUP No.
Equip no.
Equip no.
SD GROUP No.
Equip no.
SD GROUP No.
Equip no.
NOTES FOR NEXT REVISION AL FURAT PETROLEUM CO.

DAMASCUS-SYRIA
PROJECT
REV DESCRIPTION:
TITLE
REV NO. TITLE DRAWING NO. DATE DRAWN CHECKED DRAWING NO. REV
DRW:L-YANYALI REFERENCE DRAWINGS APPROVED
Change requests and plant Improvements

There are two methods detailed in this Manual of making changes to the operating process
systems.
(PCP) Plant Change Proposal
(PIR) Plant Improvement Request
Competent test team (CTT)
A team of competent production facility personnel established to carry out safe and expedient
testing of Instrument Safeguarding Systems.
Page 27 of 28 772468330.rtf 7/14/24

MANUAL
APPENDIX 6:
Emergency Shutdown (ESD)
An Emergency Shutdown is defined as the isolation and de-pressurisation of all the process
and non-essential utility systems of a production facility.
EMMS
An Electronic Maintenance Management System, presently Immpower.
Failure on Demand
The designed function fails to respond to a plant condition or event requiring the Instrumented
Protective Function to take action to prevent a Hazard.
Final Element
A device(s) that executes the output command(s) of an Instrument protector System (IPS)
logic solver to cause the process to attain a safe state. The Final Element includes output
cards or output relays, solenoid valves and cabling, as well as valves, pumps and alarms, etc.
Hazard
The potential to cause harm, including ill health and injury; damage to property, products or
the environment; production losses or increased liabilities.
Initiator
A device(s) that measures a process variable and indicates whether a process or piece of
equipment operates outside the specified operating envelope. The Initiator includes input
cards and/or input relays as well as the manual switches, position switches and measurement
systems, (including process connections, sensors, transmitters, cabling, trip amplifier or input
card, etc.).
Instrumented Protective Function (IPF)
A function composed of Initiator(s), an Instrumented Protective System and one or more Final
Elements for the purpose of preventing Hazards.
Instrumented Protective System (IPS)
The pneumatic, relay or electronic logic solver component of the Instrumented Protective
Function complete with input and output equipment.
Instrumented Safeguarding System
The terminology used for a shutdown system designed to operate automatically in case of a
prescribed hazardous event, (collective term for all IPFs within a facility).
Maintenance Over-ride Switches (MOS)
A MOS over-rides an Initiator(s) to enable maintenance or on-line functional Testing without
causing a Trip.
Machine Protection
Protection level below the process protection level specifically for the protection of a unit such
as a gas compressor set or oil transfer pump set and comprises protection for e.g. luboil
pressure, vibration, motor winding temperature, etc.
Page 28 of 28 772468330.rtf 7/14/24

MANUAL
APPENDIX 6
Operating maintenance Staff
The following operating maintenance staff have been referenced in this document
OPX Operations Area Superintendent

OPX/1 Operations Area Section Head
OPX/3 Instrument Section Head
OTS/4 Operations Field Instrument Support
OFM Operations Field Manager
OM Operations Manager
Planning Procedures referred too

IOP Integrated Operations Plan. This is a two year look ahead
IPP Integration Production Plan. This is a three-month look ahead.
OBP Operations Business Plan
Process Shutdown (PSD)

A Process Shutdown is defined as the automatic isolation and de-activation of all or part of a
process. During a PSD the process remains pressurised.
Proof Testing
Test to establish the base line operation of a safeguarding system i.e., confirm C&E.
Risk
The combination of Hazard Rate and consequences of a hazardous event.
Terminology used for operating process controls
DCS Distributed Control System
SCADA Supervisory Control and Data Acquisition
Trip (Shutdown)
An Instrumented Protective Function action to bring the Final Elements to a safe state.
Test(s), Testing
Physical verification of the correct operation of all or part of an Instrumented Safeguarding
System.
Target Test Interval
The maximum Interval between Testing of all or part of an Instrumented Safeguarding
System. This maximum interval is arrived at by using the AFPC Classification Risk diagram
Appendix 1 of this document.
Test Interval
The current AFPC specified Interval between Testing of all or part of an Instrumented
Safeguarding System.
Unrevealed Failure
A failure that is dormant in the Instrumented Safeguarding System which can only be detected
as a result of a need for the system to take action or through Testing.
Page 29 of 28 772468330.rtf 7/14/24

MANUAL
Appendix 7: Referenced Documents
The following are a list of referenced documents used within this Manual
 Responsibilities Deviation control Procedure ECD-05

 Section 1.1 Operational Reliability Review, action item ORR NGF5.
 Section 1.1 Cost Review action item CR_E4
 Section 2.1.4 EDC-05 Deviation Control Procedure
 Appendix 2 Page 11 Risk assessment is based on Evaluation carried out in
Tanak in November1997
 Appendix 4 Page 17 The Maintenance Work Instruction (MWI) is produced in
accordance with OCD 2.OOG.3.002
Page 30 of 28 772468330.rtf 7/14/24

Appendix 2 of Schedule L2

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Appendix 2 of Schedule L2

Uploaded by

Copyright:

Available Formats

Appendix 2

This document contains proprietary information and is intended for use by

Page 2 of 28 772468330.rtf 7/14/24

3 ADMINISTRATION AND REPORTING....................................................................................8

APPENDIX 2: ESD TARGET TEST INTERVAL SELECTION......................................................11

APPENDIX 3: PASS/FAIL CRITERIA...............................................................................................14

APPENDIX 4:GENERIC MAINTENANCE WORK INSTRUCTIONS.........................................17

APPENDIX 5: ESD / INITIATOR CHANGE REQUEST FORM...................................................23

APPENDIX 6: GLOSSARY OF TERMS............................................................................................25

APPENDIX 7: REFERENCED DOCUMENTS.................................................................................28

Page 3 of 28 772468330.rtf 7/14/24

Page 4 of 28 772468330.rtf 7/14/24

Page 5 of 28 772468330.rtf 7/14/24

2. TESTING REQUIREMENTS OF INSTRUMENTED SAFEGUARDING

Page 6 of 28 772468330.rtf 7/14/24

2.1.1 Initiator Testing

Initiator Type Target Test Intervals

Table 1: Target Test Interval for Initiator Testing.

2.1.2 Simulated Testing of Instrumented Protective System (IPS)

Table 2: Target Test Interval for Simulated Testing

ESD System Type

Table 3: Target Test Interval for ESD Testing.

1.3.4 Proof Testing

2.2 Extending the Current Test Interval.

2.2.1 ESD Testing

2.2.2 Initiator Testing

Page 8 of 28 772468330.rtf 7/14/24

2.3.1 Scheduled Testing

2.3.2 Deferment of Scheduled Testing

3 ADMINISTRATION AND REPORTING

3.1 Generic Maintenance Work Instructions (MWIs)

3.3 Competent Test Team (CTT)

Page 9 of 28 772468330.rtf 7/14/24

3.4 Crediting unplanned Trips/Shutdowns

Page 10 of 28 772468330.rtf 7/14/24

APPENDIX 1: AFPC Classification Risk Diagram

Personal Safety (S)

Production & Equipment Loss (L)

Page 11 of 28 772468330.rtf 7/14/24

Page 12 of 28 772468330.rtf 7/14/24

Appendix 2: ESD TARGET TEST INTERVAL SELECTION

Page 13 of 28 772468330.rtf 7/14/24

Personal Safety (S) Class IV/III/II (12, 24, 36 months)

Environmental (E) IV/III/II (12, 24, 36 months)

Page 14 of 28 772468330.rtf 7/14/24

Appendix 2:TARGET TEST INTERVAL FOR AFPC FACILITIES

Barrels of oil Months

El Ward CPF 31000 Relay 24

Thayyem CPF(RTS+GL) 10000 Relay 24

Omar CPF 230000 Relay 12

Power Station 10000 Maglog 36

Gas Plant 40000 Relay 24

Gas pipeline Jander 570 Maglog 36

Page 15 of 28 772468330.rtf 7/14/24

APPENDIX 3: Pass/Fail Criteria

Shutdown and Alarm ≤ ± 2% of Set point ≤ ± 3% of Set point ≤ ± 5% of Set point

Page 16 of 28 772468330.rtf 7/14/24

APPENDIX 3: Initiator Pass/Fail Criteria

a) An Initiator Test is deemed to fail if

ESD Test Pass/Fail Criteria

a) An ESD Test is deemed to fail if

Page 17 of 28 772468330.rtf 7/14/24

APPENDIX 3:Instrument protective System (IPS) Simulated Test Pass/Fail

a) An IPS Test is deemed to fail if