OMV Exploration & Production GmbH

Philosophy for Emergency and Process Shutdown Systems Onshore
Document Number: TO-HQ-02-024-00

Issue/Rev   Issue or Revision Description   Origin By / Date   Chkd By / Date   Appd By / Date   Appd By / Date
00          Final Issue                     PJ 31/5/05         JEA 31/5/05      PZ 03/6/05       MF 03/6/05
A2          Client Comments Incorporated
00          Issued for Comment/Approval     PJ 3/12/04

Document Number TO-HQ-02-024, Rev 00, page 2 of 23

Revision   Description of revision
A2         Client Comments Incorporated
00         Final Issue
Contents

1.0  PREFACE  5
2.0  DEFINITIONS  5
3.0  ABBREVIATIONS  5
4.0  INTRODUCTION  5
5.0  APPLICABLE CODES, STANDARDS AND REGULATIONS  6
     5.1  Codes and Standards List  6
     5.2  References  7
6.0  SYSTEM GOAL  7
7.0  SYSTEM BOUNDARIES  8
8.0  DESIGN PHILOSOPHY  9
     8.1  Level 1 Shutdown - Emergency Shutdown and Depressurisation of the Overall Plant  9
     8.2  Level 2 Shutdown - Emergency Shutdown for a Process Unit within the Plant  10
     8.3  Level 3 Shutdown - Process Shutdown for a Process Unit within the Plant  10
     8.4  Level 4 Shutdown - Process Train Shutdown within a Unit  10
     8.5  Level 5 Shutdown - Shutdown of Individual Equipment and Utilities  10
     8.6  General  11
9.0  GENERAL REQUIREMENTS  11
     9.1  Initiating Devices  11
     9.2  Push-buttons and Indicators  11
     9.3  Logic Solver  12
     9.4  Capacity  13
     9.5  Power Supplies  14
     9.6  Panels  14
     9.7  Intertrips  14
     9.8  Relays  14
     9.9  Valves  15
10.0 DESIGN CONSIDERATIONS  15
     10.1  General  15
     10.2  Overrides  15
     10.3  Prealarms, Alarms and Monitoring  18
     10.4  Equipment Packages  18
     10.5  Safety System Distribution  19
     10.6  Safety System Breakdown  19
11.0 DESIGN CRITERIA  21
12.0 MAINTENANCE IN DESIGN  22
13.0 DOCUMENTATION REQUIREMENTS  22
14.0 CERTIFYING AUTHORITY REVIEW REQUIREMENTS  23
1.0 PREFACE

This Philosophy defines the OMV Exploration & Production GmbH corporate policy on the design of Emergency and Process Shutdown Systems for onshore hydrocarbon production and processing facilities. The document specifies basic requirements and criteria, defines the appropriate codes and standards, and assists in the standardisation of facilities design across all onshore operations.

The design process needs to consider project specific factors such as the location, production composition, production rates and pressures, the process selected and the size of the plant. This philosophy aims to address a wide range of the above variables; however, it is recognised that not all circumstances can be covered. In situations where project specific considerations may justify deviation from this philosophy, a document supporting the request for deviation shall be submitted to OMV E&P for approval.

Reference should be made to the parent of this philosophy, document number TO-HQ-02-001, for information on deviation procedures and Technical Authorities, general requirements, and definitions and abbreviations not specific to this document.

2.0 DEFINITIONS

There are no definitions with particular relevance to this document.

3.0 ABBREVIATIONS

The following abbreviation is relevant to this document.

TÜV   TÜV Rheinland Technical Inspection Organisation

4.0 INTRODUCTION

Most of the risks to safety in the oil and gas industry are from the production process by release of hydrocarbons. Hazards associated with the uncontrolled release of hydrocarbons are as follows:
- Over pressure
- Leak
- Liquid overflow
- Gas blowby
- Under pressure
- Over temperature
- Direct ignition source

Other hazards include equipment destruction due to high vibration, part failure, chemical reactions etc. This document describes the philosophy to be used for designing safety systems for onshore plants, to provide a means of protecting against these hazards and reducing the associated risk to ALARP.
5.0 APPLICABLE CODES, STANDARDS AND REGULATIONS

Codes, standards and regulations referred to in this philosophy shall be of the latest edition and shall be applied in the following order of precedence:
1. Local Regulations
2. The provisions of this document
3. International standards (e.g. ISO, IEC etc.)
4. National standards

Design of the emergency and process shutdown system shall comply with the standards listed within this philosophy; however, where local standards are more onerous, local standards shall apply.

5.1 Codes and Standards List

API 14C       Recommended practice for analysis, design, installation and testing of basic surface safety systems for offshore production platforms. (Note: although this has been written for offshore operations, it shall also be used for the purpose of onshore operations, with the exceptions noted within this document.)
IEC 60079     Electrical Apparatus for Explosive Atmospheres
IEC 60529     Ingress Protection Code
IEC 61508     Functional Safety of Electrical/Electronic/Programmable Electronic Safety Related Systems
IEC 61511     Functional Safety: Safety Instrumented Systems for the Process Industries
EN50081/2     CENELEC Electromagnetic compatibility generic emission and immunity
IEC 61131-3   Programmable controllers - Part 3: Programming languages

5.2 References

TO-HQ-02-001  Develop Process Engineering Guidelines and Design Philosophies Overview
TO-HQ-02-021  Philosophy for Process Control Systems Onshore
TO-HQ-02-022  Philosophy for Wellhead Control Systems Onshore
TO-HQ-02-023  Philosophy for Safety Integrity Level Onshore
TO-HQ-02-025  Philosophy for Fire and Gas Systems Onshore
TO-HQ-02-034  Philosophy for Isolation of Process Systems Onshore
TO-HQ-02-035  Philosophy for Overpressure Protection and Safeguarding Onshore
TO-HQ-02-036  Philosophy for Flare, Relief and Blowdown Onshore
TO-HQ-02-039  Philosophy for Rotating and Reciprocating Equipment Onshore
6.0 SYSTEM GOAL

The goal of the safety system is firstly to protect personnel and secondly to protect plant and equipment, to help prevent pollution of the environment and to minimise process downtime.

The safety system shall achieve its goal by:
- automatically sensing abnormal operation of equipment and process running outwith the normal operating envelope,
- automatically shutting down plant and utilities to a safe state, in a controlled manner, on an abnormal condition,
- providing process isolation and venting under certain abnormal conditions,
- providing measures to prevent a consequential result from taking place,
- providing measures to limit the loss of containment,
- eliminating potential ignition sources,
- providing measures to limit the effects or escalation of a hazardous consequence,
- providing local and remote manual facilities for the shutdown and/or isolation and venting of various parts of the plant,
- providing audible and visual alarm information to alert the operator and to enable the operator to assess the position,
- providing audible and visual alarm information to site personnel, where considered to be needed, for personnel to take any necessary action,
- providing economic and environmental protection.
7.0 SYSTEM BOUNDARIES

The boundary of the safety system is the:
- interface to the F&G system,
- interface to the HVAC system,
- interface to equipment control systems,
- interface to the PA system,
- interface to electrical systems,
- interface to the PCS and HMI,
- interface to High Integrity Pressure Protection Systems (refer to Document No TO-HQ-02-035 - Philosophy for Overpressure Protection and Safeguarding Onshore).

The safety system shall include the interposing relay panels used for the above interfaces.

PSVs and bursting discs are excluded from this philosophy. Refer to Document No TO-HQ-02-036 - Philosophy for Flare, Relief and Blowdown Onshore.
8.0 DESIGN PHILOSOPHY

To minimise the interruption to production caused by a safety shutdown, the safety system should be divided into 5 hierarchical levels, with progressively wider impact on production. These levels of shutdown are as follows:
- Level 1: Emergency shutdown and depressurisation of the overall plant
- Level 2: Emergency shutdown for a process unit within the plant
- Level 3: Process shutdown for a process unit within the plant
- Level 4: Process train shutdown within a unit
- Level 5: Shutdown of individual equipment and utilities

The safety system for some plants may not require all five levels of shutdown, due to the plant being of a small physical size or a single standalone process, making five levels of shutdown impractical. In this situation the lower hierarchical levels of shutdown may be omitted, with the devices associated with those levels reassigned to a higher level.

Each shutdown level shall be initiated either automatically, by an ESD/PSD field instrument or an intertrip from the F&G system, or manually from a hard-wired push-button in the CCR or in the field. When a shutdown level is activated, all lower shutdown levels hierarchically connected to this level shall also be activated. Each shutdown level shall have a manual shutdown push-button and a reset push-button. A level reset will only be enabled when all the trip initiators have returned to a safe condition. When a level is reset, all lower shutdown levels hierarchically connected to this level shall also be reset.
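The cascade and reset rules of this section, worked through as an added Python illustration that is not part of the OMV philosophy. The level tree, the initiator tags (LAHH-101, FG-unit-confirmed and the rest) and the single-chain demo plant are constructed assumptions. The example reads the reset rule as: a reset is refused while the level's own initiators remain tripped, and a cascaded reset stops at any lower level whose initiators are still active, so that clearing a Level 2 cannot silently clear a Level 4 whose high-high level is still present.

```python
"""Cascading shutdown-level model: added illustration, not part of the OMV philosophy.

Assumptions made here (the document states the rules but no data model):
- levels are numbered 1 (widest impact) to 5 (narrowest);
- each level lists the lower levels hierarchically connected beneath it;
- an initiator is a named boolean, True meaning the trip condition is present.
"""
from dataclasses import dataclass, field


@dataclass
class ShutdownLevel:
    name: str
    level: int                                       # 1..5
    initiators: dict = field(default_factory=dict)   # initiator tag -> tripped?
    children: list = field(default_factory=list)     # lower levels under this one
    tripped: bool = False

    def trip(self, cause: str) -> list:
        """Trip this level and cascade to every lower level connected to it."""
        events = []
        if not self.tripped:
            self.tripped = True
            events.append((self.name, "TRIP", cause))
        for child in self.children:
            events.extend(child.trip(f"cascade from {self.name}"))
        return events

    def reset(self) -> list:
        """Reset is enabled only when this level's initiators are all healthy;
        a successful reset cascades to the lower connected levels, each of
        which applies the same check to its own initiators."""
        if any(self.initiators.values()):
            return [(self.name, "RESET_REFUSED", "initiator still tripped")]
        events = []
        if self.tripped:
            self.tripped = False
            events.append((self.name, "RESET", "manual"))
        for child in self.children:
            events.extend(child.reset())
        return events


def scan(level: ShutdownLevel) -> list:
    """One logic-solver scan over the whole hierarchy: any level whose
    initiator is active trips (and cascades downwards)."""
    events = []
    for tag, active in level.initiators.items():
        if active:
            events.extend(level.trip(tag))
    for child in level.children:
        events.extend(scan(child))
    return events


def find(level: ShutdownLevel, name: str):
    """Locate a level by name anywhere in the tree."""
    if level.name == name:
        return level
    for child in level.children:
        hit = find(child, name)
        if hit is not None:
            return hit
    return None


def build_demo_plant() -> ShutdownLevel:
    """Constructed single-chain plant: L1 plant ESD > L2 unit ESD > L3 unit
    PSD > L4 train > L5 vessel outlet valve. Tags are invented for the demo."""
    l5 = ShutdownLevel("L5-V101-outlet", 5, {"LALL-101": False})
    l4 = ShutdownLevel("L4-TrainA", 4, {"LAHH-101": False}, [l5])
    l3 = ShutdownLevel("L3-UnitPSD", 3, {"utility-failure": False}, [l4])
    l2 = ShutdownLevel("L2-UnitESD", 2, {"FG-unit-confirmed": False}, [l3])
    return ShutdownLevel("L1-Plant", 1,
                         {"FG-multi-unit": False, "ESD-PB-CCR": False}, [l2])


if __name__ == "__main__":
    plant = build_demo_plant()
    find(plant, "L4-TrainA").initiators["LAHH-101"] = True
    for ev in scan(plant):
        print(ev)                                 # L4 trips, L5 follows; L1..L3 untouched
    print(find(plant, "L4-TrainA").reset())       # refused while LAHH-101 is active
```

A high-high level on train A trips Level 4 and, by cascade, the Level 5 outlet valve beneath it, while Levels 1 to 3 stay healthy; the reset of Level 4 is refused until LAHH-101 clears, and once it does the reset cascades down to Level 5.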
8.1 Level 1 Shutdown - Emergency Shutdown and Depressurisation of the Overall Plant

A Level 1 shutdown shall be initiated by detection of gas or fire by the F&G system in more than one unit area. A Level 1 shutdown shall shut down and depressurise the overall plant. This shall include:
- Isolation of all process units and blowdown of all hydrocarbon inventory
- Isolation of pipelines
- Tripping of all electrical equipment
- Initiation of audible and visual alarms at the CCR and throughout the plant
8.2 Level 2 Shutdown - Emergency Shutdown for a Process Unit within the Plant

A Level 2 shutdown shall be initiated by detection of gas or fire by the F&G system in the area local to the unit. The Level 2 shutdown will shut down the entire process unit by:
- Isolation of the process unit and blowdown of its hydrocarbon inventory
- Tripping of all electrical equipment within the unit
- Initiation of audible and visual alarms at the CCR and in the area local to the unit

8.3 Level 3 Shutdown - Process Shutdown for a Process Unit within the Plant

A Level 3 shutdown shall be initiated by a major process or utility failure that may affect all trains within a unit. A Level 3 shutdown will shut down common equipment for the unit in which the abnormal condition occurs and initiate audible and visual alarms at the CCR.

8.4 Level 4 Shutdown - Process Train Shutdown within a Unit

A Level 4 shutdown will shut down the entire process train in which the abnormal condition is occurring and initiate audible and visual alarms at the CCR, where there is no expected potential for the abnormal condition to propagate to a parallel train. Typical examples include high-high levels in vessels, where carry-over of liquid can have adverse consequences on downstream equipment.

8.5 Level 5 Shutdown - Shutdown of Individual Equipment and Utilities

A Level 5 shutdown will shut down the piece of equipment required to bring an abnormal situation under control and initiate audible and visual alarms at the CCR, where the situation has a low potential for escalation. A typical example is a low-low level in a process vessel, which shuts an ESD valve in the vessel outlet line to prevent gas blowby to a lower rated vessel downstream.
8.6 General

Care should be taken to ensure equipment is shut down in an orderly manner, so that no consequential damage occurs as a result of the shutdown. An example of this is the tripping of a turbine, where the lube oil system should be tripped by a higher level of shutdown in order to minimise any damage to the turbine.
9.0 GENERAL REQUIREMENTS

Design of the overall safety system shall comply with IEC-61511.

9.1 Initiating Devices

All field equipment should be of a proven type. All field instruments located in hazardous areas should be Ex d (flameproof), as no auxiliary equipment is then needed, which gives higher reliability. All field elements measuring the process conditions shall have a separate tie-in to the process via an isolation valve; refer to Document No TO-HQ-02-034 - Philosophy for Isolation of Process Systems Onshore.

Transmitters, rather than switches, are preferred for trip functions and shall be used wherever possible. Transmitters should be of a smart type and be HART compliant. Transmitters should be configured to fail in the trip condition, with the exception of transmitters configured as a 1oo2 input to the logic solver. Switches shall be configured so that the contacts are closed circuit under normal conditions and open circuit on an abnormal condition. Fieldbus equipment shall not be used in the safety system.

All analogue inputs to the safety system will be 4-20 mA signals from which the trips will be created. The safety system shall monitor the analogue signal for fault conditions and create a failure alarm to the PCS. The output circuit to a field device shall be via normally energised contacts: de-energise and open to trip. PCS transmitters and safety system transmitters that are monitoring the same part of the process shall be calibrated with the same range.
9.2 Push-buttons and Indicators

The following colours and types of indicators and switches should be used:
- Manual shutdown push-buttons used on the safety system should be of the mushroom type, coloured red, and should be latching in the depressed position
  with twist to reset. These push-buttons should also be provided with protection such as covers or redundancy to prevent accidental actuation.
- Lamp test switches shall be momentary spring return, coloured white.
- Reset switches shall be momentary spring return, coloured green.
- POS switches should be momentary key switches.
- MOR switches should be key switches with the key only removable in the non-override state.
- MOR and POS override indicators should be coloured amber.
- Tripped output status indicators should be coloured red.

All push-buttons causing executive action shall be double pole switches to provide redundancy and increase their reliability.
9.3 Logic Solver

The logic solver may consist of:
- simple pneumatic or hydraulic logic,
- relay based system logic,
- solid state system logic,
- programmable system logic, or
- a combination of the above.

Selection of the system to use is dependent on the safety and plant availability, reliability requirement, complexity, overall costs, and the required operability of the system. The design and manufacture of the logic solver shall be fully compliant with IEC-61508. The preferred selection of logic solver is as follows:
Simple pneumatic or hydraulic logic
This should be used for small units or equipment that is independent, or for a simple safety system such as a local shutdown that will have no effect on the safety or operability of other parts of the plant.

Relay based system logic
This should be used for small units or equipment that is independent and only requires a simple safety system such as a local shutdown that will have no effect on the safety or operability of other parts of the plant.

Solid state system logic
Solid state systems are preferred for use with integrity level 3. The hardware for solid state systems shall be of a proven design with TÜV or equivalent certification for compliance with IEC 61508.

Programmable system logic
This is the preferred system for use with integrity levels of 2 and below. Where programmable systems are used, the software for the algorithms used to build the logic shall be a tried and tested product with TÜV or equivalent third party approval for compliance with IEC 61508. The hardware for programmable systems shall be of a proven design with TÜV or equivalent certification for compliance with IEC 61508. The manufacturer or supplier of a programmable system shall have experience in the supply and design of safety systems compliant with IEC-61508 or equivalent. Software shall be designed in accordance with IEC-61131-1 and IEC-61511, part 1 section 12.

In order to minimise revalidation and testing requirements, loops assigned an integrity level of 3 shall be implemented in the safety system by a section of the logic solver segregated and independent from all other parts of the logic solver.

9.4 Capacity

The design of the safety system should allow a minimum of 20% spare capacity for future expansion.
9.5 Power Supplies

The safety system shall be powered from redundant UPSs via redundant power distribution boards. The incomers at the safety system, from each UPS supply, shall have an isolation switch. The UPSs shall be fed from the emergency switchboard and have a minimum self-sufficiency of 1 hour battery back-up. Power supply units within the safety system will be 100% redundant.

Field outputs to solenoid valves should all be 110 Vdc with a centre tap to earth (i.e. +55 Vdc to -55 Vdc supplies) or all +24 Vdc to 0 Vdc. The 110 Vdc supply for solenoids is the preferred choice for large sites because of cable sizing needs over long distances. Power supplies should be distributed into separate protected feeds to the various parts of the logic solver and field I/O, to minimise the possibility of common mode failure. Design of the power distribution should ensure that interference caused by back EMF from coils on relays and solenoids does not affect the reliability of the logic solver.

9.6 Panels

Panels used to house parts of the safety system should be mounted in a controlled environment and shall have a minimum ingress protection (IP) rating of IP42.

9.7 Intertrips

All safety system intertrips to other systems (e.g. electric generation, distribution, motor control) and to remote parts of the safety system shall power the coil of a hermetically sealed interposing relay, a volt-free contact of which shall open to provide the subsequent trip. All intertrips to the safety system from other systems and from remote parts of the safety system shall be via a volt-free contact that shall open upon a trip. This provides segregation between systems and removes potential earth problems.

9.8 Relays

Relays used within the safety system shall be of a proven and hermetically sealed type. Relays shall be configured de-energise to trip.
9.9 Valves

Solenoid valves shall de-energise to trip their associated valve. All solenoid valves controlling boundary isolation and blowdown valves shall have a manual reset. Valves used by the safety system shall be of a proven type and suitable for the process and environmental conditions. Refer to Document No TO-HQ-02-039 - Philosophy for Rotating and Reciprocating Equipment Onshore for valve selection. Valves used by the safety system shall have their open and closed position status input to the PCS.

10.0 DESIGN CONSIDERATIONS

10.1 General

The design of the safety system should take account of the following:
- Life cycle costs as well as the capital cost, for example testing costs, false trip costs, commissioning and modification costs.
- Human factors.
- Preventing nuisance trips. Although 1ooN voting is good from a safety architecture position, it is poor with respect to the higher probability of process interruptions. Repetitious nuisance trips may also create a situation where operators reset the trip without investigation, which may eventually lead to an incident.
- Selection and positioning of the correct field equipment suitable for the process and environmental conditions.

The safety system shall provide protection for normal operation and for the conditions that may arise from an abnormal condition.

10.2 Overrides

The safety system should have two types of override: a) Maintenance Override, and b) Process start-up override.
10.2.1 Process start up override

Process and utility systems should be designed to reduce the need for overriding inputs to the safety systems during start-up. Process override switches (POS) may be used to enable the start-up of plant or equipment that is in an abnormal state before start-up, for example low liquid levels. These should be key switches or software switches on the PCS with an interface to the safety system.

POS shall be of the momentary type, provided to override the logic function on plant or equipment during start-up where the plant or equipment may be in an abnormal state on or during start-up. POS shall initiate a timer that will remove the logic override function at the end of a fixed time delay. This time delay shall be of a safe period to enable the plant or equipment to reach a stable healthy state. If the normal process condition is not established within this specified time a trip will be initiated. The logic override function, initiated by the POS, will be removed automatically after a specified time delay (10-30 seconds) of the plant or equipment operating continuously in the safe condition. The POS shall not override the alarm function to the PCS for the input being overridden (which will remain in the alarm state until the healthy position is reached).
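The POS timing described above, as an added Python illustration that is not part of the OMV philosophy. The 60 s start-up window, the 20 s healthy hold (inside the document's 10-30 s band) and the sample level recovery profile are assumptions. The behaviour shown is that the trip is held off only while the override is in force, the PCS alarm is never suppressed, the override is dropped early once the input has been continuously healthy for the hold time, and expiry of the window with the input still abnormal produces the trip.

```python
"""Process start-up override (POS) timing for one safety-system input.
Added illustration, not part of the OMV philosophy.

Assumed values, since the document only fixes the 10-30 s healthy period:
- START_WINDOW: fixed time delay after the POS is pressed within which the
  plant must reach a stable healthy state (60 s assumed);
- HEALTHY_HOLD: continuous healthy time after which the override is removed
  automatically (20 s, inside the document's 10-30 s band).
"""
from dataclasses import dataclass
from typing import Optional

START_WINDOW = 60.0
HEALTHY_HOLD = 20.0


@dataclass
class StartupOverride:
    start_window: float = START_WINDOW
    healthy_hold: float = HEALTHY_HOLD
    active: bool = False
    pressed_at: Optional[float] = None
    healthy_since: Optional[float] = None

    def press(self, now: float, healthy: bool) -> None:
        """Momentary POS actuation: start the fixed time delay."""
        self.active = True
        self.pressed_at = now
        self.healthy_since = now if healthy else None

    def update(self, now: float, healthy: bool) -> dict:
        """One scan. The PCS alarm always follows the input; only the trip
        action is held off while the override is in force."""
        alarm = not healthy
        if not self.active:
            return {"override": False, "trip": not healthy, "alarm": alarm}
        if healthy:
            if self.healthy_since is None:
                self.healthy_since = now
            if now - self.healthy_since >= self.healthy_hold:
                self.active = False          # stable: remove override early
                return {"override": False, "trip": False, "alarm": False}
        else:
            self.healthy_since = None        # healthy run interrupted
        if now - self.pressed_at >= self.start_window:
            self.active = False              # window expired: trip if still abnormal
            return {"override": False, "trip": not healthy, "alarm": alarm}
        return {"override": True, "trip": False, "alarm": alarm}


def simulate(samples, pos_pressed_at=0.0, **params):
    """Run scans over constructed (time, healthy) samples; the POS is pressed
    at pos_pressed_at. Returns one (t, override, trip, alarm) row per scan."""
    pos = StartupOverride(**params)
    log = []
    for t, healthy in samples:
        if t == pos_pressed_at:
            pos.press(t, healthy)
        r = pos.update(t, healthy)
        log.append((t, r["override"], r["trip"], r["alarm"]))
    return log


if __name__ == "__main__":
    # Constructed start-up: vessel level stays below LALL until t = 30 s.
    good = [(t, t >= 30) for t in range(0, 65, 5)]
    for row in simulate(good):
        print(row)               # override drops at t = 50 s after 20 s healthy, no trip
    # Constructed failed start-up: the level never recovers.
    bad = [(t, False) for t in range(0, 65, 5)]
    print(simulate(bad)[-1])     # window expires at t = 60 s: trip
```

In the successful start-up the alarm is raised for the first 30 s while the override holds the trip off, then clears once the level is healthy and the override times itself out 20 s later; in the failed start-up the alarm stands throughout and the trip arrives when the 60 s window expires.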
10.2.2 Maintenance override and testing

Maintenance override switches (MOS) shall be provided to enable testing and maintenance to take place without disturbing the process. These may be key switches or software switches on the PCS with an interface to the safety system. MOS shall not be provided for the following:
- manual push-button inputs to the safety system,
- intertrips from the F&G system,
- intertrips from equipment package control panels, for example a compressor control panel,
- inputs where the only action is via 2oo3 voting, as this would effectively change the voting to 2oo2,
- outputs from the safety system.

Outputs from the safety system that may be tested without disruption to the plant should have a manual test facility to trip the output to test the field device.

10.2.3 Software override switches

An alternative to hard-wired override switches is to use software overrides from switches in the PCS with a serial communication link to the safety system. This may provide an advantage in reduced wiring, reduced space requirement and reduced cost. The problem with software overrides is how they affect the SIL or probability of failure on demand. The PCS connected to the safety system will increase the probability of failure, as the PCS normally has a lower reliability. To solve this problem the following precautions shall be taken:
- Only safety system inputs may have software overrides.
- Only one override per logic unit can be activated at any one time. A mechanism within the safety system shall ensure that only one override per logic unit can be activated at any one time.
- Alarms created from a safety system input to the PCS shall not be inhibited; only the trip action can be overridden.
- The operator needs to be aware of what overrides are activated. The safety system needs to send an alarm to the PCS for each override that is activated until the override has been removed. A periodic re-alarming of the activated overrides is recommended at the start of every shift so the operator is aware of what overrides are activated.
- Dedicated redundant communication should be used between the PCS and the safety system. Communication should be by a type approved Modbus or a package with cyclic redundancy check, address check, and check of communication time failure.
- Safety system overrides carried out by software at the PCS shall have a manual key switch, connected direct to the safety system logic, to make all overrides from the PCS to the safety system ineffective.
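The precautions listed above, as an added Python illustration of the safety-system side of software overrides; this is example code, not the OMV philosophy's or any vendor's implementation. The tag table, the logic unit names, the tag kinds and the key-switch model are constructed assumptions. The arbiter rejects override requests on outputs, holds at most one override per logic unit, keeps the alarm flowing to the PCS while only the trip is held off, reports every active override (and re-raises the list at shift start), and ignores all PCS overrides while the hard-wired key switch is in the off position.

```python
"""Safety-system side of PCS software overrides. Added illustration, not part
of the OMV philosophy. Tag names, logic units and the tag table are constructed."""


class OverrideArbiter:
    def __init__(self, tags: dict):
        # tags: tag -> {"unit": logic unit name, "kind": "input" | "output"}
        self.tags = tags
        self.active = {}                 # logic unit -> the one overridden tag
        self.key_switch_enabled = True   # hard-wired key switch on the logic solver

    def request(self, tag: str):
        """PCS asks for an override. Returns (accepted, reason)."""
        meta = self.tags.get(tag)
        if meta is None:
            return False, "unknown tag"
        if meta["kind"] != "input":
            return False, "only safety system inputs may be overridden"
        unit = meta["unit"]
        held = self.active.get(unit)
        if held is not None and held != tag:
            return False, f"override already active in {unit}: {held}"
        self.active[unit] = tag
        return True, "override set"

    def release(self, tag: str) -> bool:
        """Remove the override on a tag; True if one was active."""
        unit = self.tags[tag]["unit"]
        if self.active.get(unit) == tag:
            del self.active[unit]
            return True
        return False

    def is_overridden(self, tag: str) -> bool:
        """Effective override: the key switch makes every PCS override ineffective."""
        if not self.key_switch_enabled:
            return False
        return self.active.get(self.tags[tag]["unit"]) == tag

    def evaluate(self, tag: str, abnormal: bool) -> dict:
        """Per-scan result for an input: the PCS alarm is never inhibited,
        only the trip action is held off."""
        return {"alarm": abnormal, "trip": abnormal and not self.is_overridden(tag)}

    def pcs_alarms(self, shift_start: bool = False) -> list:
        """Override-active alarms sent to the PCS; re-raised at shift start."""
        kind = "OVERRIDE_REALARM" if shift_start else "OVERRIDE_ACTIVE"
        return [(kind, unit, tag) for unit, tag in sorted(self.active.items())]


def demo_tags() -> dict:
    """Constructed tag table: two inputs and one output in logic unit U1,
    one input in U2."""
    return {
        "PT-101": {"unit": "U1", "kind": "input"},
        "PT-102": {"unit": "U1", "kind": "input"},
        "XV-101": {"unit": "U1", "kind": "output"},
        "LT-201": {"unit": "U2", "kind": "input"},
    }


if __name__ == "__main__":
    arb = OverrideArbiter(demo_tags())
    print(arb.request("XV-101"))          # refused: output
    print(arb.request("PT-101"))          # accepted
    print(arb.request("PT-102"))          # refused: U1 already has PT-101 overridden
    print(arb.evaluate("PT-101", True))   # alarm True, trip False
    print(arb.pcs_alarms(shift_start=True))
    arb.key_switch_enabled = False
    print(arb.evaluate("PT-101", True))   # key switch off: trip True again
```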
10.3 Prealarms, Alarms and Monitoring

The safety system shall send the following signals to the PCS for monitoring and alarm purposes:
- Individual input and output status: safe condition, tripped condition, fault condition etc.
- Individual MOR statuses
- Individual POS statuses
- Activation of reset push-buttons

To warn the operator that an abnormal situation is approaching, and allow the operator to act to prevent a trip from occurring, an associated prealarm at the PCS shall be provided. The discrepancy between the prealarm and trip setting should be of sufficient magnitude to provide the operator with the time to act and prevent a trip from occurring. Where the transition to the abnormal state is instant, or a sufficient discrepancy between prealarm and trip to give the operator time to act cannot be achieved, there is no requirement for a prealarm at the PCS. Prealarms shall be provided at the PCS by use of a field input device independent of the field input device used by the safety system.

A first-up alarm facility should be provided to mark the input that caused the trip, to enable the cause of a shutdown or partial shutdown to be determined instantly. Alarm, prealarm and other statuses should be time stamped at the PCS with date and time to the nearest 1 ms to enable analyses to be performed.

Transmitters that create prealarms at the PCS should be used to create discrepancy fault alarms on a deviation of 5% by comparison with the associated signal from the safety system transmitter, to increase reliability. This shall also be the case where the safety system uses voted inputs from transmitters. Discrepancy fault alarms should also be created by the PCS upon malfunction of safety system valves. This should be achieved by the PCS comparing the output signal from the safety system with the PCS inputs from the valve open and closed position switches.
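The PCS-side checks of this section, as an added Python illustration that is not part of the OMV philosophy: the 5% transmitter discrepancy alarm taken over the common calibrated span that 9.1 requires, the valve discrepancy check of the safety-system output against the open and closed position switches, and first-up identification from events stamped to 1 ms. Tag names, readings, the ZSO/ZSC switch names and the assumption that the valve check runs after the valve travel time has elapsed are constructed; the document specifies the 5% figure but not the travel-time handling.

```python
"""Discrepancy fault alarms and first-up trip identification at the PCS.
Added illustration, not part of the OMV philosophy; tag names and readings
are constructed."""
from typing import Optional

DISCREPANCY_PCT = 5.0   # document: deviation of 5% between the two transmitters


def transmitter_discrepancy(pcs_value: float, ss_value: float, span: float) -> bool:
    """Compare the PCS transmitter with the safety-system transmitter on the
    same process point. Both are calibrated to the same range, so the
    deviation is taken as a percentage of that common span."""
    return abs(pcs_value - ss_value) / span * 100.0 >= DISCREPANCY_PCT


def valve_discrepancy(ss_commands_closed: bool, zso: bool, zsc: bool) -> Optional[str]:
    """Compare the safety-system output with the valve's open (ZSO) and closed
    (ZSC) position switches. Assumed to be evaluated after the valve travel
    time has elapsed; the document does not state a delay."""
    if zso and zsc:
        return "both position switches active"
    if ss_commands_closed and not zsc:
        return "commanded closed but closed switch not made"
    if not ss_commands_closed and not zso:
        return "commanded open but open switch not made"
    return None


def first_up(events: list):
    """events: (timestamp_ms, tag, tripped) records as stamped by the PCS to
    1 ms. Returns the tag that tripped first and the ordered trip sequence."""
    trips = sorted((ts, tag) for ts, tag, tripped in events if tripped)
    return (trips[0][1] if trips else None), trips


def scan_discrepancies(readings: list, span: float) -> list:
    """readings: (tag, pcs_value, ss_value). Returns the tags needing a fault alarm."""
    return [tag for tag, p, s in readings if transmitter_discrepancy(p, s, span)]


if __name__ == "__main__":
    # Constructed 0-100 barg transmitter pairs: 2% deviation is fine, 6% alarms.
    print(scan_discrepancies([("PT-101", 52.0, 50.0), ("PT-102", 56.0, 50.0)], 100.0))
    print(valve_discrepancy(True, False, False))   # closed command, ZSC not made
    # Constructed PCS event list around one trip; the earliest stamp wins.
    events = [(1000, "PAHH-101", True), (1003, "LAHH-102", True),
              (998, "TAHH-103", False), (999, "PALL-104", True)]
    print(first_up(events)[0])                     # PALL-104
```

Taking the deviation over the shared span rather than as a fraction of the live reading keeps the 5% test meaningful near the bottom of the range, where a ratio of readings would alarm on noise alone.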
10.4 Equipment Packages

Packaged equipment shutdown logic should be carried out in the core safety system where possible. Where this is not feasible, hard-wired intertrips shall be provided between the packaged equipment shutdown logic and the core safety system.
10.5 Safety System Distribution
Where parts of the process are set apart and scattered over large
areas, having the safety system logic solver located in one location
may be impractical. In this situation local safety systems shall be
provided with hard-wired intertrip signals to the core of the safety
system, which shall contain the highest level of the logic.
Dedicated redundant communication systems may be used where the use
of hard-wired signals is not practical. Communication should be by a
package with cyclic redundancy check (CRC), address check, and check
of communication time failure. If one part of the communication
fails then, after a time delay, the intertrips that it carries shall
be activated to initiate the associated shutdown logic. If the
second line of communication coincidentally fails then, after a
short time delay, the intertrips that it carries shall be activated
to initiate the associated shutdown logic. These two time delays
shall be quantified by taking the mean time to repair (MTTR) into
consideration along with the integrity requirement.
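An added worked example (not code from the document or from OMV) of the three checks listed for the redundant communication link and of the two-stage time-delay rule: each frame carries a destination address and a CRC, a link is declared failed when no valid frame arrives within a timeout, and the carried intertrips are activated after the longer delay for a single link failure or the shorter delay once both links have failed. The frame layout, the node address, the timeout and the two delay values are all constructed placeholders; the document says the delays are derived from the MTTR and the integrity requirement, so they are not taken from the page.

```python
import struct
import zlib

LOCAL_ADDRESS = 0x1A          # constructed: address of this receiving safety node
COMM_TIMEOUT_S = 2.0          # constructed: silence before a link is declared failed
SINGLE_FAIL_DELAY_S = 600.0   # constructed placeholder for the longer delay (one link failed)
DOUBLE_FAIL_DELAY_S = 5.0     # constructed placeholder for the shorter delay (both links failed)


def build_frame(address, payload):
    """Frame = address (1 byte) + length (1 byte) + payload + CRC32 over the first three."""
    body = struct.pack("BB", address, len(payload)) + payload
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def check_frame(frame, expected_address):
    """Address check and CRC check. Returns the payload, or None if either check fails."""
    if len(frame) < 6:
        return None
    body, crc = frame[:-4], struct.unpack(">I", frame[-4:])[0]
    if zlib.crc32(body) & 0xFFFFFFFF != crc:
        return None
    address, length = struct.unpack("BB", body[:2])
    if address != expected_address or length != len(body) - 2:
        return None
    return body[2:]


class RedundantLinkMonitor:
    """Communication-time check over two redundant links, A and B."""

    def __init__(self, now):
        self.last_good = {"A": now, "B": now}
        self.failed_since = {"A": None, "B": None}

    def receive(self, channel, frame, now):
        """Called for every frame received on a link; only a frame that passes
        both checks counts as proof that the link is alive."""
        payload = check_frame(frame, LOCAL_ADDRESS)
        if payload is not None:
            self.last_good[channel] = now
            self.failed_since[channel] = None
        return payload

    def update(self, now):
        """Periodic evaluation. Returns True when the carried intertrips must be
        activated. Latching of the resulting trip is left to the shutdown logic."""
        for ch in self.last_good:
            if self.failed_since[ch] is None and now - self.last_good[ch] > COMM_TIMEOUT_S:
                self.failed_since[ch] = now
        failed = [t for t in self.failed_since.values() if t is not None]
        if not failed:
            return False
        # Both links down: the shorter delay applies from the second failure.
        if len(failed) == 2 and now - max(failed) >= DOUBLE_FAIL_DELAY_S:
            return True
        # Otherwise the longer delay applies from the first failure.
        return now - min(failed) >= SINGLE_FAIL_DELAY_S


if __name__ == "__main__":
    mon = RedundantLinkMonitor(now=0.0)
    frame = build_frame(LOCAL_ADDRESS, b"intertrip=healthy")   # constructed payload
    print(mon.receive("A", frame, 1.0))
    print(mon.update(1.0))
```

A frame addressed to another node or with a damaged CRC is silently dropped, so it cannot keep a link looking healthy; only a frame that passes both checks resets the communication timer.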
10.6 Safety System Breakdown
The areas covered by the safety system can be grouped into six
areas:
- Reservoir Isolation
- Pipeline Isolation (refer to Document No TO-HQ-02-034 - Philosophy
  for Isolation of Process Systems Onshore)
- Process Blowdown
- Manual trip initiation
- F&G system trips
- Other process and utilities
The safety system should be divided into rational units to reflect
various process and geographical boundaries within the plant. The
safety system shall be designed to the appropriate parts of API RP
14C.
10.6.1 Reservoir Isolation
Production well-heads should have local independent well-head
control panels. These provide hydraulic pressure to the well-head
valves. Refer to Document No TO-HQ-02-022 - Philosophy for Wellhead
Control Systems Onshore. The production well-head shall be tripped
by a level 5 shutdown, on which a signal will be sent to the PCS to
ramp closed the well-head flow choke valve and leave the choke in
manual mode. An interlock shall be provided to ensure the flow line
choke valve is in the closed position before enabling the opening
of the well-head valves. A Level 5 shutdown for the well-head and
flow line shall be caused by:
- detection of well-head fire,
- detection of gas in the well-head area,
- impending failure of the well-head control panel (WHCP), i.e.
  low-low hydraulic fluid pressure or battery low-low voltage,
- local well-head push-button,
- flow line high-high and low-low pressure,
- a higher level of shutdown.
10.6.2 Process Blowdown
A three second time delay on the initiation of the blowdown valves
shall be provided to enable all shutdown and isolation valves to
fully close prior to the blowdown valves being opened. Facilities
shall be provided to enable the operator to manually initiate
blowdown. Once blowdown has been initiated there shall be no means
to interrupt the blowdown from commencing.
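An added example (not code from the document or from OMV) covering sections 10.6.1 and 10.6.2 together: the well-head Level 5 cause list evaluated with a latched trip, a 1st-up record with a 1 ms time stamp as section 10.3 asks for, the choke-closed interlock on re-opening the well-head valves, and a blowdown sequence that latches on initiation, cannot be cancelled, and opens the blowdown valves only after the three second delay. The cause names, the millisecond time base and the rule that ties within a single scan are broken by list order are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Level 5 causes for the well-head and flow line, in the order the philosophy lists them.
# Names are constructed tags, not the project's own.
LEVEL5_CAUSES = (
    "wellhead_fire_detected",
    "gas_detected_in_wellhead_area",
    "whcp_hydraulic_pressure_low_low",   # impending WHCP failure
    "whcp_battery_voltage_low_low",      # impending WHCP failure
    "local_wellhead_pushbutton",
    "flowline_pressure_high_high",
    "flowline_pressure_low_low",
    "higher_level_shutdown",
)

BLOWDOWN_DELAY_MS = 3000  # three seconds for shutdown/isolation valves to close first


@dataclass
class WellheadLevel5:
    tripped: bool = False
    first_up: Optional[str] = None          # 1st-up alarm: the input that initiated the trip
    first_up_time_ms: Optional[int] = None  # time stamp of that input, 1 ms resolution
    choke_command_closed: bool = False      # PCS told to ramp the choke closed ...
    choke_in_manual: bool = False           # ... and leave the choke in manual mode

    def scan(self, inputs: Dict[str, bool], t_ms: int) -> bool:
        """One logic-solver scan. The trip latches on the first active cause; within one
        scan ties are broken by list order (assumption)."""
        if not self.tripped:
            for cause in LEVEL5_CAUSES:
                if inputs.get(cause, False):
                    self.tripped = True
                    self.first_up = cause
                    self.first_up_time_ms = t_ms
                    self.choke_command_closed = True
                    self.choke_in_manual = True
                    break
        return self.tripped

    def reset(self, inputs: Dict[str, bool]) -> bool:
        """A reset is accepted only once every cause has cleared. The 1st-up record
        is kept so the cause of the shutdown can still be analysed."""
        if any(inputs.get(c, False) for c in LEVEL5_CAUSES):
            return False
        self.tripped = False
        return True

    def wellhead_valves_open_permitted(self, choke_closed_limit_switch: bool) -> bool:
        """Interlock: opening the well-head valves is enabled only with no trip
        standing and the flow line choke confirmed in the closed position."""
        return (not self.tripped) and choke_closed_limit_switch


@dataclass
class BlowdownSequence:
    initiated_at_ms: Optional[int] = None

    def initiate(self, t_ms: int) -> None:
        """Manual or automatic initiation latches; repeats do not restart the timer."""
        if self.initiated_at_ms is None:
            self.initiated_at_ms = t_ms

    def cancel(self) -> bool:
        """Deliberately a no-op: once initiated there is no means to interrupt blowdown."""
        return False

    def blowdown_valves_open(self, t_ms: int) -> bool:
        """True once the delay that lets the isolation valves fully close has elapsed."""
        return self.initiated_at_ms is not None and t_ms - self.initiated_at_ms >= BLOWDOWN_DELAY_MS


if __name__ == "__main__":
    well = WellheadLevel5()
    print(well.scan({"flowline_pressure_high_high": True}, 1000), well.first_up)
    bd = BlowdownSequence()
    bd.initiate(1000)
    print(bd.blowdown_valves_open(3999), bd.blowdown_valves_open(4000))
```

Note that `reset` clears the trip but not the permissive: the well-head valves still cannot be opened until the choke closed limit switch is made, which is the interlock the section requires.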
10.6.3 Manual Trip Initiation
The safety system shall be supplied with manual push-buttons at
each level of the safety system, located at the CCR. Local safety
system push-buttons will be located around each process or utility
unit to enable the unit to be shut down locally.
10.6.4 F&G System Trips
The following intertrips shall be supplied as a minimum from the
F&G system:
- Confirmed fire per unit
- Confirmed gas per unit, low and high level
- Confirmed fire over multiple units
- Confirmed gas over multiple units, low and high level
- Confirmed gas in non hazardous area, low and high level
10.6.5 Other Process and Utilities
All other parts of the process shall have safety shutdown
facilities to provide the appropriate protection for the process or
utility.
11.0 DESIGN CRITERIA
The safety system logic solver shall be designed to take account
of the environmental conditions of the site at which it is to be
located, to ensure reliability is preserved. Design of the safety
system should take account of the requirements covering the full
lifecycle of the plant. The safety system shall be independent and
use diverse separation from the PCS (refer to IEC 61511-2 section
11.2.4), with the exception of compressor and turbine control where
this may not be practical. Other cases where segregation of the
safety system and PCS is not practical shall require approval. The
safety system shall not be affected by radio-frequency signals from
hand-held portable radio units, and shall comply with EN 50081/82.
All parts of the safety system should be designed as a fail-safe
system, forcing all outputs to a de-energised/open circuit state on
a failure. An exception to this is for outputs where the failure of
the output would itself create a hazard. Under these circumstances
the output circuit should be line monitored and configured
energised to trip. Logic parts of the safety system that cannot be
designed as fail-safe, such as timers, shall be used in redundant
arrangements. Any single failure within a redundant arrangement
shall not prevent a demanded trip. All safety system signals shall
be segregated from PCS signals. Digital and analogue signals shall
be segregated from one another.
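An added example (not code from the document or from OMV) of three design criteria from this section: the output polarity for de-energise-to-trip versus the energise-to-trip exception, line monitoring of an energise-to-trip output loop, and a pair of timers arranged redundantly with 1oo2 voting on the trip side so that a single stuck timer cannot prevent a demanded trip. The supervisory current thresholds are constructed values for an assumed end-of-line monitoring arrangement, and the timer fault model (a timer that stops counting) is an assumption.

```python
from enum import Enum
from typing import List, Optional


def output_energised(trip_demanded: bool, energise_to_trip: bool) -> bool:
    """Physical output state for a given trip demand.

    Default is de-energise to trip: the output is held energised only while no trip is
    demanded, so loss of power or signal also trips. Energise to trip is used only
    where de-energising the output would itself create a hazard."""
    if energise_to_trip:
        return trip_demanded
    return not trip_demanded


class LoopState(Enum):
    HEALTHY = "healthy"
    OPEN_CIRCUIT = "open circuit"
    SHORT_CIRCUIT = "short circuit"


# Constructed thresholds for an energise-to-trip loop with an end-of-line device:
# a small supervisory current flows while the loop is healthy and de-energised.
SUPERVISORY_MIN_MA = 2.0
SHORT_THRESHOLD_MA = 40.0


def monitored_loop_state(current_ma: float) -> LoopState:
    """Line monitoring: an energise-to-trip output cannot fail safe on its own, so the
    loop is supervised and a wiring fault is raised as a diagnostic alarm."""
    if current_ma < SUPERVISORY_MIN_MA:
        return LoopState.OPEN_CIRCUIT
    if current_ma > SHORT_THRESHOLD_MA:
        return LoopState.SHORT_CIRCUIT
    return LoopState.HEALTHY


class DelayTimer:
    """One timer channel. `stuck` models a timer that has stopped counting (assumed fault)."""

    def __init__(self) -> None:
        self.start_time: Optional[float] = None
        self.stuck = False

    def start(self, now: float) -> None:
        self.start_time = now

    def expired(self, now: float, delay: float) -> bool:
        if self.start_time is None or self.stuck:
            return False
        return now - self.start_time >= delay


def redundant_trip_expired(timers: List[DelayTimer], now: float, delay: float) -> bool:
    """1oo2 on the trip side: any timer expiring trips, so one stuck timer cannot block
    the trip. A timer expiring early causes a spurious trip, the fail-safe direction."""
    return any(t.expired(now, delay) for t in timers)


def timer_discrepancy(timers: List[DelayTimer], now: float, delay: float, tolerance: float) -> bool:
    """Diagnostic: flag a disagreement between the channels once the slower one is
    overdue by more than `tolerance`, so a stuck timer is found before the next demand."""
    states = [t.expired(now, delay) for t in timers]
    if all(states) or not any(states):
        return False
    started = [t.start_time for t in timers if t.start_time is not None]
    return any(now - s >= delay + tolerance for s in started)


if __name__ == "__main__":
    timers = [DelayTimer(), DelayTimer()]
    for t in timers:
        t.start(0.0)
    timers[0].stuck = True
    print(redundant_trip_expired(timers, 10.0, delay=10.0))
    print(timer_discrepancy(timers, 11.0, delay=10.0, tolerance=0.5))
```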
12.0 MAINTENANCE IN DESIGN
The safety system shall be designed taking maintainability into
consideration, by simplifying maintenance and reducing maintenance
costs where practical. This should consider using a modular based
system for the logic solver. The safety system should have built-in
test and diagnostic facilities with fault indication at each
module. This should enable the faulty module to be identified and
changed out while the system is live, without any upsets. The
safety system should be designed with module redundancy. There
should be sufficient maintenance overrides to enable parts of the
safety system to be maintained and tested while minimising
operational down time. The safety system shall be designed to
enable parts of the system to be tested in order to keep the
Probability of Failure on Demand within the integrity requirement.
The safety system should be designed to allow modifications and
development to be implemented whilst minimising disruption to the
process. A separate engineers' interface should be provided to the
safety system.
13.0 DOCUMENTATION REQUIREMENTS
The following project documents should be produced as a minimum
to cover the design of the safety system:
Front end engineering design (FEED)
- Plant operational philosophy
- Design specification for the safety system (hardware and
  software)
- Hierarchy drawing
- Safe charts as per API 14C
- Cause and effect drawings of safety system
- Functional design specification of safety system
Detailed design
- Documents listed under FEED above
- Matrix layout drawing
- General arrangement drawings
- Loop drawings
- Validation calculations to demonstrate compliance with integrity
  level requirements
14.0 CERTIFYING AUTHORITY REVIEW REQUIREMENTS
Some plants may require the design to be certified or validated
by an independent certification authority due to local regulations
or as instructed by OMV. Under these circumstances the certifying
authority will require as a minimum the following documents for
review:
- Basis of design document
- Functional design specification
- Cause and effect drawings
- Matrix layout drawing
- Integrity Assessment (refer to Document No TO-HQ-02-023 -
  Philosophy for Safety Integrity Level Onshore)
- Reliability assessment and calculations
- Copy of TUV (or equivalent) reliability certificates where
  available
- P&IDs
These should be issued to the CA in a timely manner to obtain
approval before commencing construction.