Section 7 Emergency shutdown (ESD) systems

7.1.1 An emergency shutdown (ESD) system represents a layer of protection that mitigates and attempts to prevent a hazardous situation from occurring. An ESD system is to be provided when any process presents a hazard which could affect the safety of personnel, the overall safety of the unit or the pollution of the environment. Guidance on identifying hazards and assessing risk is provided in ISO 17776, Petroleum and natural gas industries – Offshore production installations – Guidelines on tools and techniques for hazard identification and risk assessment. The system is to satisfy the requirements of this sub-Section.

7.1.2 The ESD system is to operate in association with process plant and safety critical facilities to incorporate levels of hierarchical shutdown appropriate to the degree of hazard to personnel, the unit and the environment. The arrangements are to be derived using hazard analysis techniques. Where the unit is to be connected to another installation, such as shore, vessel, other unit, etc. linked ESD systems should be provided and be capable of transmitting ESD signals to any of the connected installations and vice versa, see Pt 7, Ch 1, 7.4 Linked ESD systems.

7.1.3 The operation of the ESD system is to be initiated manually. In addition, operation is also to be initiated automatically by signals derived from the fire and gas and cryogenic spill detection systems as well as signals derived from process and other equipment sensors. Drilling equipment is to be shut down automatically in a controlled manner upon activation of a high level or drilling ESD. ESD system is also to be activated upon loss of instrument air.

NOTE

Guidance on manual and automatic inputs is given in Pt 11, Ch 18, 4.1 General 4.1.1 and Ch 18, 4.1.2 .

7.1.4 ESD initiation is to activate audible and visual alarms in the central control room (CCR) and at strategic locations outside the CCR. The activation of a manual ESD activation point is to initiate the general alarm of the unit.

7.1.6 ESD functions shall as far as practicable be functionally and physically independent from other systems/functions.

7.1.7 Manual ESD activation points for complete shutdown of the installations are to be provided at the central control room (CCR) and other suitable locations, e.g. at the helicopter deck and the emergency evacuation stations. Each manual ESD activation point on the installation is to be clearly identified. Manual ESD activation points are to be protected against inadvertent operation.

7.1.8 The ESD system is to be arranged with automatic changeover to a stand-by power supply, ensuring uninterrupted operation of the system, in the event of failure of the normal power supply.

7.1.9 Failure of any power supply to the ESD system is to operate an audible and visual alarm.

7.1.10 The stand-by power supply required by Pt 7, Ch 1, 7.1 General 7.1.8 should be capable of supplying power for ESD functions for a minimum duration of 30 minutes.

7.1.11 Upon failure of protective system, logic solvers, sensors, actuators or power source, the operation of the plant and equipment is to revert automatically to the least hazardous condition.

NOTE

This requirement is normally realised by employing a fail safe design. Special consideration is given to subsea christmas tree solenoid valves, which are not normally energised. Part of these special considerations for subsea tree valves is typically to provide high integrity solenoid valves which de-energise via the ESD system and vent the hydraulic fluid from the subsea christmas tree actuators to the topsides hydraulic skid. This process will eventually close the subsea tree valve via loss of hydraulic pressure.

7.1.12 Hydrocarbon related components are to be equipped with primary and secondary protection as defined in ISO 10418:2003, Petroleum and natural gas industries – Offshore production installations – Analysis, design, installation and testing of basic surface process safety systems, Section B.2 or alternative relevant International or National Standard, to prevent or minimise the effects of an equipment failure within the process. Where provision of two means of protection cannot be achieved, special consideration must be given to the design of the alternative means.

7.1.13 High level ESD (as defined in accordance with Pt 7, Ch 1, 7.1 General 7.1.2, e.g. platform shut-down, production shut-down) should only be provided with a capability to reset each final element locally. Elements affected by low level ESD (as defined in accordance with Pt 7, Ch 1, 7.1 General 7.1.2, e.g. equipment or component shutdown) may be reset by means of a remote manual group reset operation from the central control room.

NOTE

High level ESD is typically related to total platform shut-down, platform evacuation, etc.

Low level ESD is typically classified as a process train trip, single package trip, etc.

7.1.14 Maintenance override facilities shall only be provided for ESD sensors where a secondary form of protection for stopping the process is available to the operator, and the operator has sufficient time to respond to the event. Maintenance overrides shall not be provided for manual ESD inputs (i.e. ESD pushbuttons). Consideration should be given to the number of inhibits applied at any one time to an ESD system, to ensure that the ESD function is not impaired. Physical key switches are to be used for applying overrides to high level, safety-critical shut-down system inputs. The amount of time that the key switch is enabled shall be timed and alarmed if the allowable time is exceeded.

7.1.15 Start-up overrides may be applicable to low level and similar trips during plant start-up. These overrides are to be cancelled automatically once the normal process condition has been reached or when a fixed period of time has expired.

7.1.16 Where arrangements are provided for overriding parts of an ESD system, they should be such that inadvertent operation is prevented. When an override is operated, visual indication is to be given at the central control room.

7.1.17 Upon activation of the ESD system there shall be no means of overriding/resetting the system until such time as the conditions that triggered the system are returned to a safe state.

7.1.18 Accumulators for pneumatic and hydraulic systems are to have sufficient capacity to allow the performance of one complete shutdown followed by reset and a further shutdown without the need for recharging the accumulator. Accumulator pre-alarms will also be fitted and signals should have suitable time delays.

7.1.19 Manual valves which are part of the safety control circuits shall be secured in the correct position to ensure no inadvertent operation.

7.1.20 All emergency shut-down and blow down valves shall be fitted with open and closed position limit switches and indicators. Valve position shall be indicated in the central control room (CCR) and locally.

7.1.21 Where ESD applications are to be implemented by programmable electronic systems, a risk-based approach, as described in IEC 61508-5, Functional safety of electrical/electronic/programmable electronic safety related systems – Part 5: Examples of methods for the determination of safety integrity levels or alternative relevant International or National Standard, for the specification and design of these systems is to be adopted. The ESD system is to comply with the requirements of IEC 61508 (all parts), Functional safety of electrical/electronic/programmable electronic safety-related systems or alternative relevant International or National Standard and, as far as applicable, those of IEC 61511 (all parts), Functional safety – Safety instrumented systems for the process industry sector. Each measure to control or mitigate hazards is to be assigned an appropriate degree of risk reduction which contributes to the overall risk reduction. The risk reduction figure is to be translated into performance standards for each measure which will be specified in terms of functionality, availability, reliability, survivability and interactions (FARSI), see also Pt 6, Ch 1, 2.13 Programmable electronic systems – Additional requirements for integrated systems.

7.1.22 The implementation of a programmable electronic system to perform high safety integrity level functions or any other form of logic solver (i.e. relay/solid state magnetic core) is to be via a suitable certified Safety Integrity Level (SIL) system, acceptable to LR, which will give an appropriate SIL for all SIL classified functions associated with the ESD system. This certification is to include calculations for Probability of Failure on Demand (), architectural constraints in terms of safe failure fraction (SFF) and hardware fault tolerance (HFT), random failures as specified in IEC 61508-2:2010, Functional safety of electrical/electronic/programmable electronic safety related systems – Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems, Section 7.4.2.2 or alternative relevant International or National Standard.

7.1.23 ESD control units are, where practicable, to be Type Approved in accordance with Test Specification Number 1 given in LR’s Type Approval System for an environmental category appropriate for the locations in which they are intended to operate.

7.1.24 Status, diagnostic and alarm information exchange executed by read-only soft links to remote digital systems for display purposes may be provided, as applicable, by the Integrated Control and Safety System (ICSS) or matrix panels, see Pt 6, Ch 1, 2.13 Programmable electronic systems - Additional requirements for essential services and safety critical systems 2.13.9 of the Rules for Ships.

7.1.25 Access to the system is to be restricted so that software may only be modified by suitably authorised personnel.

7.1.26 Consideration is to be given to the segregation of cabling and wiring associated with ESD functions from that associated with power cables.

7.1.27 All ESD equipment that is critical to provide an effective shut-down shall be protected against mechanical/environmental damage until the intended shut-down sequence is completed.

7.2.1 In addition to the requirements of Pt 7, Ch 1, 7.1 General, any electrical equipment which has to remain operational in a Major Accident Event (e.g. rupture of a process vessel or pipe) and is therefore capable of being subjected to a flammable atmosphere is to be of a type suitable for installation in a Zone 1 location, see Pt 7, Ch 2, 8.1 General 8.1.6.

7.2.2 Electrical equipment which, on drilling units, is required to function following an emergency shut-down and provide continued operation during an ongoing emergency should be selected in accordance with the requirements of 2009 MODU Code - Code for the Construction and Equipment of Mobile Offshore Drilling Units, 2009 – Resolution A.1023(26) and IEC 61892-7, Mobile and fixed offshore units – Electrical installations – Part 7: Hazardous areas. Such equipment should be suitable for its intended application and be suitable for installation in Zone 1 locations; however, consideration will be given to alternative arrangements where they are shown to provide an equivalent level of safety to the satisfaction of LR.

NOTE

7.3.1 Facilities are to be available for testing of both input/output devices and internal functions of the ESD system.

7.3.2 Factory Acceptance Test (FAT) is required for logic solvers implementing safety instrumented functions. A FAT is to be conducted in accordance with IEC 61511-1:2003, Functional safety – Safety instrumented systems for the process industry sector – Part 1: Framework, definitions, system, hardware and software requirements, Section 13 or alternative relevant International or National Standard.

7.3.3 Function tests are to be conducted in accordance with Pt 6, Ch 1, 7.1 General where applicable, ISO 10418:2003, Petroleum and natural gas industries – Offshore production installations – Analysis, design, installation and testing of basic surface process safety systems, Annex G, or alternative relevant International or National Standard.

7.4.1 A linked ESD system communicates ESD signals from unit to shore/vessel and vice versa, via a compatible interface.

7.4.2 A linked emergency shut-down (ESD) shall initiate a controlled cargo transfer process shut-down.

7.4.3 All relevant initiation signals at either end of the link shall be processed and transmitted through an established ESD link, as a single ESD signal and not as individual signals.

7.4.4 An independent back-up system shall be provided so that a common failure mode is reduced as far as is reasonably practicable.

7.4.5 Due consideration should be afforded to the sequence and timing of closure of ESD valves on both units, in order to mitigate for the hydraulic surge in the transfer lines.

7.4.6 A high-level functional flowchart of the linked ESD and related systems should be provided in the central control room (CCR).

7.4.7 The use of electric links should be reviewed to ensure protection against ignition during accidental cable damage and connect/disconnect operations.

7.4.8 Where an electrical ESD link is used, a standardised pin configuration should be adopted, as per ISO 28460:2010, Petroleum and natural gas industries – Installation and equipment for liquefied natural gas – Ship-to-shore interface and port operations, Section 14.4 or alternative relevant International or National Standard. Consideration will be given to use of other pin configurations.

7.4.9 Should additional information, such as telephone links, data for mooring tension monitoring systems, etc. be transferred through the linked ESD system, provision is to be made to ensure that these additional features do not interfere with the primary function of the linked ESD system.

7.4.10 Where additional services are supplied from shore, such as onshore power supply, these must be considered as part of the ESD safety analysis function evaluation charts, see Pt 7, Ch 1, 1.2 Documentation 1.2.1.(e).

7.4.11 Upon failure of ESD link between a non-manned installation and its remote control centre, there shall be an alternative facility to shut down the non-manned installation automatically.