APPEA Emergency Support Systems Guide

GUIDELINES FOR
EMERGENCY
SUPPORT SYSTEMS
February 2000
_____________________________________________
Australian Petroleum Production & Exploration Association Limited

Level 3, 24 Marcus Clarke Street GPO Box 2201
CANBERRA ACT 2600 CANBERRA ACT 2601
Telephone: +61 2 6247 0960 Facsimile: +61 2 6247 0548
Internet: http://www.appea.com.au Email: appea@appea.com.au
ACN 000 292 713 ISBN 0 908277 25 3

APPEA Guidelines for Emergency Support Systems
PREFACE
The Australian Petroleum Production & Exploration Association Limited (APPEA) has issued
these Guidelines, on behalf of its member companies, to facilitate consistency in the safe
conduct of operations in the offshore petroleum industry.
The Petroleum (Submerged Lands) Act 1967 [P(SL)A] is the principal legislation controlling
offshore oil and gas exploration and production in Australia. The P(SL)A is supported by a
series of objective based regulations and directions that stipulate the standards required to be
achieved by the operator. The Petroleum (Submerged Lands) (Management of Safety on
Offshore Facilities) Regulations 1996 requires operators to submit a Safety Case.
The Safety Case is a detailed document that outlines the types of safety studies undertaken
and the results obtained, and the management arrangements to ensure the continued safety of
an offshore facility and persons on it. It should demonstrate that the operator knows what
technical and human activities occur, how they are to be managed and how safety will be
assured throughout the operating life of the facility. It must also identify the methods used for
monitoring and reviewing all activities on the facility.
The Commonwealth Government Department of Industry, Science and Resources (DISR)

document - Guidelines for the Preparation and Submission of Safety Cases presents
examples of the elements that would be expected to appear in a Safety Case submitted to the
Designated Authority within a given jurisdiction in Australian waters.
The three main sections are:
Facility Description (FD);
Safety Management System (SMS); and
Formal Safety Assessment (FSA).
These Guidelines are intended to assist those persons having responsibilities in the offshore
industry for implementing offshore installation operations.
APPEA, as the collective representation of the upstream petroleum industry in Australia, has
issued these Guidelines to address the requirements of a Safety Case and as a means to
achieving a standardised approach to the development of consistent and good practices in the
conduct of offshore operations. These Guidelines are not, nor should they be implied as
being, prescriptive.
The document does provide the guidance necessary to ensure that offshore operations are
conducted in accordance with safe practices that could be considered to be at an equivalent
level as good industry practice.
Disclaimer
The use of these Guidelines does not affect or diminish the responsibility of individual
operating companies or their contractors to carry out operations safely having regard to their
duty of care responsibilities, and to observe statutory requirements. APPEA cannot accept
any responsibility for any incident or consequence thereof, whether or not in violation of any
law or regulation, which arises or is alleged to have arisen from the use of these Guidelines
CONTENTS
1.0 INTRODUCTION ................................................................................................................................. 1

1.1 PURPOSE AND SCOPE ............................................................................................................................ 1
1.2 RELATIONSHIP WITH REGULATIONS ...................................................................................................... 1
2.0 SAFETY SYSTEMS GENERAL........................................................................................................ 4
2.1 SAFETY CASE ...................................................................................................................................... 4
2.1.1 Facility Description ................................................................................................................... 4
2.1.2 Safety Management System......................................................................................................... 5
2.1.3 Formal Safety Assessment .......................................................................................................... 5
2.2 HAZARD MANAGEMENT PROCESS ........................................................................................................ 5
2.2.1 Prevention ................................................................................................................................. 6
2.2.2 Detection ................................................................................................................................... 6
2.2.3 Control/Mitigation ..................................................................................................................... 6
2.3 SAFETY SYSTEM METHODOLOGIES ....................................................................................................... 7
2.3.1 Lifecycle .................................................................................................................................... 9
2.3.2 Risk Based ............................................................................................................................... 10
2.3.3 Comprehensive Analysis........................................................................................................... 12
2.3.4 Performance Standards............................................................................................................ 12
2.4 RELATIONSHIPS ................................................................................................................................. 13
2.5 ACTIVITY/FACILITY TYPE .................................................................................................................. 13
2.6 DESIGN.............................................................................................................................................. 14
2.6.1 Complexity............................................................................................................................... 14
2.6.2 Failure to Safety Concept ......................................................................................................... 14
2.6.3 Reset Philosophy...................................................................................................................... 15
2.6.4 System Integrity ....................................................................................................................... 15
2.6.5 Environmental Considerations ................................................................................................. 16
2.6.6 Operator Interfaces.................................................................................................................. 16
2.6.7 Maintenance and Test Facilities ............................................................................................... 17
2.6.8 Software................................................................................................................................... 17
2.6.9 Data Communication ............................................................................................................... 17
2.6.10 Power Requirements ................................................................................................................ 18
2.6.11 Design Change Control............................................................................................................ 19
2.6.12 Design Method for High Risk (SIL3) Applications..................................................................... 19
2.6.13 System Testing ......................................................................................................................... 20
2.6.14 Assessment and Certification.................................................................................................... 20
2.6.15 Field Equipment....................................................................................................................... 20
2.7 OPERATION & MAINTENANCE ............................................................................................................ 24
2.7.1 Responsible Person .................................................................................................................. 24
2.7.2 Maintenance and Testing.......................................................................................................... 25
2.7.3 Documentation and Records..................................................................................................... 25
2.7.4 Control of Changes .................................................................................................................. 26
2.7.5 Assessment of Protective System Integrity................................................................................. 26
2.8 FACILITY/ACTIVITY ........................................................................................................................... 26
2.8.1 Drilling.................................................................................................................................... 26
2.9 PRODUCTION ..................................................................................................................................... 28
2.10 MARINE ........................................................................................................................................ 28
2.10.1 Alarm System ........................................................................................................................... 28
3.0 PROCESS SHUTDOWN..................................................................................................................... 30
3.1 ROLE ................................................................................................................................................. 30
3.2 FUNCTION ......................................................................................................................................... 30
3.3 RELATIONSHIP ................................................................................................................................... 30
3.3.1 Emergency Shut Down (Section 5.0) ......................................................................................... 30
3.3.2 Emergency Power (Section 7.0)................................................................................................ 31
3.3.3 Hydrocarbon Disposal (Section 8.0) ......................................................................................... 31
3.4 DESIGN.............................................................................................................................................. 31

3.6 ACTIVITY/FACILITY ........................................................................................................................... 32
3.6.1 Drilling.................................................................................................................................... 32
3.6.2 Production ............................................................................................................................... 32
3.6.3 Marine..................................................................................................................................... 32
4.0 FIRE & GAS DETECTION ................................................................................................................ 33
4.1 ROLE ................................................................................................................................................. 33
4.2 FUNCTION ......................................................................................................................................... 33
4.3 RELATIONSHIP ................................................................................................................................... 33
4.3.1 Emergency Shut Down (Section 5.0) ......................................................................................... 33
4.3.2 HVAC (Section 6.0).................................................................................................................. 33
4.3.4 Fire Protection (Not part of these Guidelines) .......................................................................... 34
4.4 DESIGN.............................................................................................................................................. 34
4.4.1 Failsafe.................................................................................................................................... 34
4.4.2 Detection Types........................................................................................................................ 35
4.4.3 Detection - Personnel Observation ........................................................................................... 35
4.4.4 Detection - Automatic............................................................................................................... 35
4.4.5 Detector Certification .............................................................................................................. 36
4.4.6 Detector Selection.................................................................................................................... 36
4.4.7 Gas Detection .......................................................................................................................... 38
4.5.1 Testing..................................................................................................................................... 39
4.6.1 Drilling.................................................................................................................................... 39
4.6.2 Production ............................................................................................................................... 39
4.6.3 Marine..................................................................................................................................... 39
5.0 EMERGENCY SHUTDOWN ............................................................................................................. 41
5.1 ROLE ................................................................................................................................................. 41
5.2 FUNCTION ......................................................................................................................................... 41
5.3 RELATIONSHIP ................................................................................................................................... 41
5.3.1 Process Shut Down (Section 3.0) .............................................................................................. 41
5.3.2 Fire and Gas Detection (Section 4.0)........................................................................................ 41
5.3.3 HVAC (Section 6.0).................................................................................................................. 42
5.3.5 Hydrocarbon Disposal (Section 8.0) ......................................................................................... 42
5.4 DESIGN.............................................................................................................................................. 42
5.4.1 Documentation......................................................................................................................... 44
5.4.2 Process and Emergency Shutdown Systems............................................................................... 45
5.5.1 Documentation......................................................................................................................... 45
5.5.2 Sequence of Event Recording.................................................................................................... 45
5.6.1 Drilling.................................................................................................................................... 46
5.6.2 Production ............................................................................................................................... 48
5.6.3 Marine..................................................................................................................................... 49
6.0 HEATING, VENTILATION AND AIR CONDITIONING ............................................................... 50
6.1 ROLE ................................................................................................................................................. 50
6.2 FUNCTION ......................................................................................................................................... 50
6.3 RELATIONSHIP ................................................................................................................................... 50
6.3.1 Fire and Gas Detection (Section 4.0)........................................................................................ 50
6.4 DESIGN.............................................................................................................................................. 50
6.6.1 Drilling.................................................................................................................................... 51
6.6.2 Production ............................................................................................................................... 52
6.6.3 Marine..................................................................................................................................... 52
7.0 EMERGENCY POWER ..................................................................................................................... 53

7.1 ROLE ................................................................................................................................................. 53
7.2 FUNCTION ......................................................................................................................................... 53
7.3 RELATIONSHIP ................................................................................................................................... 53
7.4 DESIGN.............................................................................................................................................. 53
7.6.1 Drilling.................................................................................................................................... 54
7.6.2 Production ............................................................................................................................... 54
7.6.3 Marine..................................................................................................................................... 54
8.0 HYDROCARBON DISPOSAL ........................................................................................................... 59
8.1 ROLE ................................................................................................................................................. 59
8.2 FUNCTION ......................................................................................................................................... 59
8.3 RELATIONSHIP ................................................................................................................................... 59
8.4 DESIGN.............................................................................................................................................. 59
8.4.1 Blowdown Valves ..................................................................................................................... 60
8.4.2 Gas Flaring Stacks................................................................................................................... 60
8.4.3 Crude Oil Burners and Booms.................................................................................................. 60
8.6.1 Drilling.................................................................................................................................... 61
8.6.2 Production ............................................................................................................................... 61
8.6.3 Marine..................................................................................................................................... 61
APPENDIX A................................................................................................................................................ 62
GLOSSARY .............................................................................................................................................. 62
1.0 INTRODUCTION
1.1 PURPOSE AND SCOPE
The purpose of these guidelines is to provide the upstream petroleum industry with clear and
consistent guidance on assessing the needs for the design and operation of emergency support
systems for offshore facilities. They are intended to assist those persons having
responsibilities in the offshore industry for assessing emergency support system requirements
and their effectiveness for identified major accident events for an offshore facility.
1.2 RELATIONSHIP WITH REGULATIONS
This document is one of a series of guidelines for use by the upstream petroleum industry. Its
relationship with Acts and Regulations is depicted in Figures 1.1 and 1.2.
The principal components are:
1. The Petroleum (Submerged Lands) Act, which empowers the Minister to regulate.
2. Regulations, which set mandatory standards for industry to achieve.
3. Regulatory guidelines which set out the administrative procedures for the regime and
provide practical ways of meeting goals set by the regulations.
4. (a) Upstream industry guidelines, which provide consistency across the Australian
upstream petroleum industry and assist companies setting out their own
standards.
(b) General guidelines, Codes, and Standards such as Australian Standards, API
Standards, etc, which provides useful references for companies setting their
own standards.
(c) Industry approved competency standards.
5 Company standards, which should provide the demonstration of managing risks to
as low as is reasonably practicable (ALARP).
Page 1
Figure 1.1: Relationship Between the Contents of this Document and the Safety Case
Guidelines, Current Legislation and Operator Safety Documents
Guidelines for Emergency Support Systems
APPEA
DISR Guidelines for
Safety Case Emergency
Guidelines Support
Systems
Facility Description
Safety Management P(SL)A

System
Schedule of
Requirements
P(SL) (Management of Safety on Offshore Facilities) Regulations
Leadership and
Commitment
The P(SL)A contains
specific requirements for
petroleum operations
Safety Systems - General

Planning
Process Shut Down

Implementation Systems
Facility
Hazard Register
Fire and Gas Detection
Monitoring and Evaluation Systems
The hazards for each facility
are described in the Hazard
Register as determined from
use of hazard identification
Emergency Shut Down processes.
Audit and Review Systems
Formal Safety HVAC Systems Major Accident

Assessment Events
Hazard identification
Risk Assessment Studies Emergency Power With the Hazard Register,
Control measures Systems Major Accident Events for
each facility form the basis
of risk assessment. MAEs
are established from hazard
General Safety identification and QRA
Hydrocarbon Disposal processes.
Guidelines
Systems
Temporary Refuge
Fire Risk Analysis

Industry
Evacuation,
escape,rescue Incidents
Emergency safety training
Adequacy of escape
routes Results of investigations into
incidents can be used to
improve safety in this area.
ESD Systems
Fire protection systems
Work permit systems
Page 2
Figure 1.2: General Relationship Between this Document (Upstream Industry Guidelines) and
the Acts and Regulations in Australia
P(SL)A
P(SL)A
Management of
Safety Regulations
DISR Guidelines for Preparation

and Submission of Safety Cases
Upstream General Guidelines

Industry Codes of Practice
Guidelines and Standards
Company Standards
Page 3
2.0 SAFETY SYSTEMS GENERAL
The definition of safety systems for offshore facilities/activities has evolved through the
application of accepted international standards which represent best practice, to hazard
identification and analysis, and, most recently, to risk based methods.
Australian offshore operators are required to submit and maintain a Safety Case, which should
demonstrate that the risks to offshore operations are being managed to as low as reasonably
practicable (ALARP). This risk based approach provides a means to demonstrate that risks
are being managed to ALARP and is taken as one of the primary emphases for these
Guidelines.
These Guidelines are intended to provide information to the system level only. Therefore
established industry standards, which continue to represent a very useful resource for the
design, operation and maintenance of safety systems, may provide more specific guidance at
the sub-system or component level.
Specific recommendations for the frequency of maintenance, inspection and testing are
presented in the context of good industry practice. These recommendations may provide an
appropriate basis for initial system operation and maintenance, which may be adapted in
the light of operator/facility/system experience. Ultimately the responsibility for facility
management rests with the operator, including the definition of performance standards for
hardware and management systems.
2.1 SAFETY CASE
As mentioned in the preamble to these Guidelines, the statutory framework for the
representation of the management of risk, offshore Australia, is the Safety Case, comprising
the following components:
Facility Description;
Safety Management System;
Formal Safety Assessment.
2.1.1 Facility Description
The Facility Description includes a description of the safety features and systems associated
with an offshore facility/activity, as follows:
Layout;
Protective systems, including fire and gas leak detection;
Shutdown systems, including downhole, subsea and topsides;
Fire and Blast protection, passive systems;
Fire protection, active systems;
Relief and Blowdown;
Heating, Ventilation and Air Conditioning (HVAC);
Page 4
Emergency Power, Communications and Lighting;

Escape, Evacuation and Rescue;
Temporary Refuge (if designated).
2.1.2 Safety Management System
The Safety Management System (SMS) description includes details of specific provisions for
the management of safety of the facility/activity through the use of management systems (e.g.
policies, objectives, procedures, work instructions, etc.).
Of particular relevance in the definition, design, installation, operation and maintenance of

engineered or hardware safety systems, the subject of these Guidelines, are the following:
Risk Assessment and Management; (see Hazards Management Process, below)

Design, Construction and Commissioning;
Maintenance, Inspection, Testing, and Modification.
2.1.3 Formal Safety Assessment
The Formal Safety Assessment (FSA) describes the identification, analysis and assessment of
hazards to personnel. In particular, events that have the potential to cause multiple fatalities
are designated as Major Accident Events (MAEs) and are the primary focus of the FSA.
In the case of exploration and production activities, the release of hydrocarbon fluids under
pressure represents one category of accident event with the potential to result in a MAE.
Engineered safety systems for the prevention, detection and mitigation of uncontrolled
hydrocarbon releases are the subject of a mature body of experience and analysis method
which is reflected and referenced by these Guidelines.
The FSA includes an Emergency System Survivability Assessment (ESSA) which evaluates
the ability of these systems to function in an emergency event to control or mitigate the
consequences, in this case, of a hydrocarbon release.
The ESSA includes the assessment of the Functionality, Integrity (i.e. Reliability and
Maintainability) and Survivability of the safety systems, specifically in the context of
emergency/accident event risks to personnel and the facility. This approach to assessment
corresponds with the definition and structure of safety critical system performance
standards.
2.2 HAZARD MANAGEMENT PROCESS
The management of hazards which may result in an MAE is affected through the application
of a hierarchy of controls as follows:
Prevention;
Detection;
Page 5
Control/Mitigation;
Response;
Recovery.
In the context of engineered safety systems, it is the first three elements of this hierarchy that
are covered in these Guidelines.
2.2.1 Prevention
The first strategy for the prevention of MAEs is that of eliminating the hazard. In the case of
oil and gas exploration and production, one of the primary hazards is hydrocarbon fluids
under pressure.
Given that all hazards cannot be eliminated, the next strategy is to prevent an undesired
release from occurring. The Process Shutdown (PSD) system, discussed further in Section
3.0, is designed to prevent a loss of containment through shutdown of the hydrocarbon
processing system (e.g. isolation from input sources of energy, such as pressure, heat, flow,
etc.) on the basis of abnormal conditions (e.g. high/low pressure, high/low temperature, etc.)
detected within the system.
2.2.2 Detection
In the event that a hydrocarbon leak occurs, it is necessary to detect it such that control and/or
mitigation measures can be initiated.
The detection of a hydrocarbon leak is generally achieved through the use of Fire and Gas
Systems, which detect ignited and unignited hydrocarbon releases, respectively. These
systems are discussed further in Section 4.0.
2.2.3 Control/Mitigation
The control of a hydrocarbon release may prevent it resulting in a MAE. For example, if a
gas release is not ignited a fire or explosion will not occur. Safety systems which may be
used to control hydrocarbon releases, include:
Emergency Shutdown (ESD) Systems, discussed further in Section 5.0;

HVAC Systems, discussed further in Section 6.0;
Hydrocarbon Disposal Systems, discussed further in Section 8.0.
The relationship of the safety systems, in the context of the hierarchy of controls, is
summarised below.
It is common practice that, as a minimum, a facility safety system comprises an Emergency

Shut Down (ESD) system and a Fire and Gas (F&G) detection system. The ESD system
should be designed, as far as reasonably practicable, to:
Page 6
prevent an uncontrolled or hazardous situation occurring;

reduce the consequences of a hazardous event when activated during an
emergency situation;
survive severe accident conditions.
Safety systems should be maintained and tested at frequencies specified in the safety case and
test results recorded and retained for a suitable period of time.
Prevention Detection Control/Mitigation
Section 3.0: Process Shut Down

(PSD) the detection of abnormal
conditions is used as a basis for
preventing a system failure and
hydrocarbon release. If PSD does not
effect a recovery an Emergency Shut
Down (ESD) may be initiated.
Section 4.0: Fire & Gas Detection
the detection of a release of
hydrocarbons, ignited or not, is
used as a basis for initiating Control
actions.
Section 5.0: Emergency Shut
Down (ESD) in the event of a
confirmed hydrocarbon release
or an escalating process
situation, a more stringent
shutdown of facility systems is
initiated.
Section 6.0: HVAC in the
event of a gas release, may act to
prevent the accumulation of a
significant flammable cloud. It
may also act to exclude gas or
smoke from safe areas.
Section 7.0: Emergency Power
provides for the operation of
the safety systems throughout an
emergency and for the operation
of other vital systems.
Section 8.0: Hydrocarbon
Disposal Systems may act to
remove hydrocarbons
contributing to a gas cloud or
available for a fire.
2.3 SAFETY SYSTEM METHODOLOGIES
Guidance on the design, operation and maintenance of safety systems has evolved through
several distinct stages through the last 30 years, including:
a pragmatic and practical approach of what works (i.e. experience),

supplemented by a minimum standard defined as best practice and regulatory
requirements (e.g. UK HSE - SI 1974/289);
Page 7
the development of methods to identify ways that undesirable events could

happen (e.g. HAZOP, API 14C, etc.); and most recently
the use of a risk based life cycle needs analysis (e.g. IEC 61508/61511 and
UKOOA IPF).
These Guidelines seeks to reflect the best aspects of this evolutionary development as a
framework for the analysis, design, operation and maintenance of safety systems by the
Australian offshore oil and gas industry.
The evolutionary stages are compared and contrasted below.
Experience Hazard/ Deviation Risk/Lifecycle

Comments/Discussion
Based Based Based
(SI 1974/289) (API) (IEC
61508/511,
UKOOA IPF)
Experience Design oriented, Life cycle The explicit reference to a facility life cycle approach is
based. with operations and based. an attempt to ensure that all phases of activity are
maintenance appropriately considered. The lifecycle approach to risk
considerations management provides a vehicle for high level strategic/
included. project risk management. While comprehensive analysis
(e.g. API 14C) is carried out at the detail design stage.
Limited, no Comprehensive Selective The use of a risk based approach provides the basis for
analysis of analysis, hazard/ analysis, risk justification of appropriate controls whilst allowing
needs. deviation based. (i.e. demonstration that risk are managed ALARP. The
consequence/ Hazard/Deviation approach helps ensure a
frequency) comprehensive review of the system under study for
based. causes of failures/undesired events.
- Component to System to These approaches to facility design are complementary
System oriented Component ensuring a comprehensive analysis at the detail design
(i.e. bottom-up). oriented (i.e. stage whilst providing selective use/ justification of
top-down). appropriate technology consistent with managing the risk
exposure. The use of a System-Component orientation
also prompts due consideration of system interaction
issues associated with, for example, their location on the
facility.
- Criticality, Criticality, Criticality allows justification of appropriate controls
consequence frequency and whilst more readily allowing ALARP demonstration.
oriented. consequence
oriented.
Standards Implicit Explicit Formal definition of Functionality, Integrity and
according to performance performance Survivability requirements for a component/system
Regulatory standards. standards provide a basis for measuring performance and hence
requirements (Functionality/ demonstrating same to the Operator and other parties
and Integrity/ with a vested interest. These standards also provide the
Classification Survivability). basis for component/system specification and define
Society Rules. operation/maintenance/testing requirements, all of which
are required for effective ongoing operation of the facility
(i.e. purchasing, installation, modification, replacement,
testing, PM, etc.).
- Primary and Preference for Risk based approach provides for justification of less
secondary control two measures, stringent controls whilst managing risk to ALARP.
measures based selection based
upon highest order upon risk in
of protection specific
available. situation.
Page 8
In summary, the following are regarded as key aspects of the evolution of safety system
specification and should be considered/applied by industry to operations and facilities.
2.3.1 Lifecycle
The application of a life cycle approach provides a vehicle for strategic, project and
operational risk management of the design, operation, maintenance and disposal of an
offshore facility. The consideration of risk through the lifecycle of a facility allows for
appropriate economic management as well as the safety aspects of an operation, which may
affect the economic performance/viability of a project. It also provides a means to ensure that
the risk management process is an integral and coherent part of a facilitys lifecycle
development phases, through the involvement of different parties (e.g. Engineering Design,
Procurement, Fabrication Yard, Installation/Commissioning and Operations/Maintenance).
In the context of a lifecycle approach, these Guidelines have been written for a number of
safety system types, based upon the Design-Installation-Operation-Maintenance lifecycle of
these systems.
Page 9
Concept
Overall Plant
Definition
Minimise Risks
Hazard & Risk

Analysis
Allocation of Safety Operations &

Requirements to Maintenance
Safety Measures Strategy
Safety Systems - Safety Systems - Other Risk

Instrument- Other Reduction
Based Technologies Measures
Optimise and
Check Risk
Reduction
Achieved Establish
Performance
Standards
Design, Implement, Develop Operations & Test

Test, Install Procedures
Operation & To Appropriate Stage in

Maintenance Modification Lifecycle
Decommission
2.3.2 Risk Based
The use of a risk based approach from the concept stage onwards provides a means to focus
on safety/business needs of the project. Further, use of this approach allows for justification
(e.g. demonstration of ALARP) of control options based upon benefits in terms of risks to
personnel and the business, more generally.
One method of using a risk based approach to the needs for safety system integrity is based
upon the following risk graph (IEC 61508 Part 5, Annex D).
Page 10
Consequence Severity Personnel Exposure Alternatives to avoid

Danger Demand Rate
Relatively
Very Low
High
Low
Slight Injury
- - -
Possible
Rare 1 - -
Not Likely
Serious Injury/ 1 1 -
Single fatality Possible
Frequent 2 1 1
Not Likely
3 2 1
Rare
Multiple Fatalities 3 3 2
Frequent
NR 3 3
Catastrophic
NR NR NR
Safety Integrity
Level (SIL)
- No special safety features required
NR Not recommended. Consider alternatives
In determining the desired integrity level for a system/component the following parameters
are considered:
The severity of the safety consequences if the instrument protective function

does not operate on demand;
The likelihood of personnel being exposed to the hazard;
Are there alternative factors which will reduce the safety impact of the
consequences of the hazard? These may include, for example, the rate of
escalation of the incident is such that personnel in the area will have time to get
away from the immediate area, or, that there will be sufficient warning from
independent means of the impending hazard for personnel to evacuate the area;
How frequently is the instrument protective function likely to be asked to
perform its duty. Relatively high demand may be interpreted as between one
and ten times per year, low as between once per year and once per ten years,
and very low as less than once in ten years.
The Safety Integrity Level (SIL) reflects the risk inherent in a safety system application, from
High Risk (SIL 3) to lower risk levels (SIL 2/1). Since this is only one means of defining the
required integrity of a safety system/component these Guidelines will use a descriptive label
(i.e. High Risk) to correspond to/with a high level integrity requirement.
Page 11
2.3.3 Comprehensive Analysis
A comprehensive hazard/risk analysis at the detail design stage complements higher level
strategic/project risk analyses whilst ensuring that risks at the sub-system/component level are
identified and managed. One means of carrying out a comprehensive hazard based analysis is
that described in API 14C. As discussed above this analysis method may be supplemented
through the use of application risk levels (e.g. Safety Integrity Levels) to provide a basis for
justification/selection of ALARP control solutions.
2.3.4 Performance Standards
Performance Standards provide a formal vehicle for performance assurance throughout the
life cycle of a project/facility. They also complement performance standards defined to
assure performance of the facility Safety Management System.
A performance standard for safety systems covered by these Guidelines would include:
The role of the system, or system component;

What the system or component is required to do under stated circumstances
(functional specification);
With what integrity (reliability and availability) it is required to perform in
those circumstances (integrity specification); and
Any requirements for survivability after a major incident (survivability
specification).
Performance standards for safety systems can apply at a variety of levels. For example, the
overpressure protection function for a hydrocarbon vessel may have a performance standard.
The pressure sensor device and the inlet shutoff valve, both of which are components of the
overpressure protection system can also have their individual performance standards. An
ESD logic system can have a performance standard.
An example Performance Standard for High Pressure Protection on a separator is as follows:
Role Statement To prevent overpressurisation of the HP separator.

Functional Detect pressure of * Mpag, annunciate in the Control Room within *
Specification seconds, and initiate inlet valve closure and selected well shutdown within
* seconds. See Cause and Effect Chart.
Inlet valve to be failsafe close.
To close in less than * seconds from receipt of signal from ESD system.
Maximum leakage rate * kg/s at * bar differential pressure.
Wellhead valves specification see separate specification.
Integrity SIL *.
Specification
Survivability Inlet valve to be firesafe. Valve and actuator to survive overpressure of *
Specification MPa.
Wellhead valves see separate specification.
Remarks Closure of these valves initiated by ESD and F&G systems.
Page 12
2.4 RELATIONSHIPS
The functional relationship of these safety systems is presented below.
Section 4.0: Fire & Gas Section 5.0: Emergency

Detection the detection of a Shut Down (ESD) in the
release of hydrocarbons, event of a confirmed
ignited or not, is used as a hydrocarbon release or an
basis for initiating Control escalating process
actions. situation a more stringent
shutdown of facility
systems is initiated.
Manual input
Shutdown signals to process

Section 3.0: Process Shut components and ESD field
Down (PSD) the
devices
detection of abnormal
conditions is used as a
Manual input basis for preventing a Section 8.0: Hydrocarbon
system failure and Disposal Systems may act
hydrocarbon release. If to remove hydrocarbons
PSD does not effect a contributing to a gas cloud
recovery an Emergency or available for a fire.
Shut Down (ESD) may be
initiated. Section 6.0: HVAC in the
event of a gas release may
act to prevent the
accumulation of a
significant flammable
cloud. It may also act to
exclude gas or smoke from
safe areas.
2.5 ACTIVITY/FACILITY TYPE
These Guidelines cover emergency support systems for offshore facilities. This includes
exploration and production drilling, hydrocarbon processing and export. In addition these
activities may be carried on/from two types of facility, either fixed (i.e. permanent jacket) or
floating (e.g. FPSO, Semi-Submersible MODU, Drill Ship, etc.). The following phases of
activity and/or facility types are the subject of these Guidelines:
Drilling (i.e. drilling activities from any fixed installation);

Production (i.e. processing and export of hydrocarbons from a fixed
installation);
Marine (i.e. drilling and/or production of hydrocarbons from an installation not
fixed to the sea bed on a permanent basis).
Page 13
2.6 DESIGN
Safety systems may include:
Fire and Gas detectors;

Leak detectors;
Emergency Shutdown and Blowdown valves;
Fire rated cables and components;
Programmable logic.
In the execution of projects, the detailed design may not have been completed at the stage
when instrument-based protective systems need to be purchased. Orders are placed using the
best information available at the time. On completion of the detailed design, the instrument-
based protective systems should then be evaluated against their required performance
standards and any necessary modification carried out.
2.6.1 Complexity
Systems should be selected and designed to minimise complexity while still meeting the
required performance standards. Increased complexity may lead to a reduced level of
understanding by operators and higher inspection, test and maintenance requirements.
Each element of the system should be specified to performance standards consistent with the
overall required functional, safety integrity, and survivability performance standards, and not
simply to the highest level achievable.
By their nature, logic systems contribute less to the total system unreliability than the field
sensor and actuators.
2.6.2 Failure to Safety Concept
The failure to safety concept for plant and equipment is the automatic reversion to the least
hazardous condition upon failure of protective system logic, sensors, actuators or power
sources. This requirement is normally realised by employing a de-energise to trip design.
During normal operation, with the plant in a healthy condition, inputs from plant sensors, the
logic system, and outputs to the final protective devices will be energised. The systems will
interpret the de-energising of an input as a trip demand and will de-energise the appropriate
outputs to initiate a shutdown. This design would also ensure a shutdown on the loss of
electrical power to the system inputs, outputs or logic.
The failure to safety principle is preferred for all equipment on the installation. In order to
achieve such a concept, consideration should be given to each item of plant and equipment to
ensure predictability of failure modes. However, for certain applications, (e.g. Fire & Gas
equipment) an energised to trip (non failsafe) design concept is justified. Under these
circumstances, additional measures must be taken to ensure the safety integrity of these
devices, e.g. line monitoring, built in fault detection, and/or dual redundancy.
Page 14
2.6.3 Reset Philosophy
The method and location of reset facilities for protective systems should be appropriate to the
importance of each individual function, and thus may vary across the plant.
2.6.4 System Integrity
System vendors generally express reliability in terms of Mean Time Between Failures
(MTBF) or its reciprocal, failures per unit time. These expressions are useful in selecting and
specifying a system but to determine its availability the following should also be considered:
Fail to danger and fail to safety failure rates;

Failure to act on demand;
Realistic mean time to repair (MTTR).
For each High Risk (SIL3) system a reliability and availability analysis should be carried out
and formally documented to ensure that the required safety integrity can be met. This will
require data on sub-system or component reliability or failure rates, demand rate on the
system, proof test interval and mean time to repair. An iterative process will be required in
the design of the system to arrive at the optimum solution which meets the specified safety
integrity. Care must be taken to allow for the effects of common cause failures when
calculating overall system integrity.
Realistic proof test intervals and repair times should be used in reliability and availability
analyses. Manual proof test intervals of less than three months are likely to impose undue
burdens on operations and maintenance requirements.
The reliability/availability analysis can draw on either analysis of failure rates from
comparable situations or calculations using appropriate predictive methods such as fault trees
or FMEA and applying relevant reliability data. AS 3930-1992 provides guidance on
carrying out reliability and maintainability analysis.
Unrevealed (covert) failures in the system will impair its safety effectiveness. Steps should
therefore be taken to eliminate by design these failure modes. Where this is not practical, a
suitable test method and frequency should be specified that allows such failures to be
revealed.
For High Risk (SIL3) applications, it should be a design objective that no single failure can
cause the system to fail to perform its intended safety function.
The demand rate on a High Risk (SIL3) system may be determined in part by the quality of
any associated lower risk (SIL1/2) protective systems. Common cause failure mechanisms
between separate instrument-based, protective systems performing the same or related
protective functions should be minimised.
The scope and frequency of testing of High Risk (SIL3) systems to ensure the required safety
integrity and the assumptions with regard to the demand rate must be fed forward to the
operations phase and be reflected in the protective system maintenance plan and procedures.
Page 15
IEC 61508 part 2 Annex A suggests architectures of sensors, logic and final elements
appropriate to all risk levels (SIL1-3). However, these and the associated figures of mean
times between spurious trips should be viewed as generic only and not necessarily appropriate
for every application. The underlying assumptions must be understood before applying these
architectures.
Logic systems should be specified for the integrity of the highest integrity function, which is
implemented within it.
2.6.5 Environmental Considerations
Systems should be designed so that equipment has an adequate immunity to electromagnetic

disturbance at frequencies and field strengths likely to be experienced in the intended
operating environment. The measures taken to verify this requirement should be selected
according to consequences resulting from malfunction or degradation in the performance of
the equipment. Also, the equipment should not be the source of electromagnetic disturbance
at levels which may disrupt the operation of other equipment.
Protective functions should be maintained under all reasonably foreseeable climatic

conditions likely to exist at the intended operating location.
Fire, blast and dropped object protection for protective systems should be considered in
relation to the required performance standards. These should take into account the required
survival and operating modes of systems following a major incident.
2.6.6 Operator Interfaces
The operator interface should be designed using human factor principles (ISO 11064:
Ergonomic Design of Control Centres). The presentation of information to the operator
should be clear and unambiguous. The volume of alarms and messages which will be
presented to the operator in a plant upset situation should be assessed and managed.
The reliance on the operator interface should be determined and the performance
requirements should be specified. Where reliance is placed on an operator to respond, then
these cases should be analysed to ensure that the claimed performance can be achieved.
Suppression of consequential alarms resulting from a process upset or trip may be considered,
provided they occur within predetermined times. However, this should be assessed against
the additional complexity introduced.
The operator should readily be able to determine the cause of any disturbance or unusual
event.
The number of control room operators should be determined based on the ability to handle
both normal and upset situations.
Consideration should be given to use of hard wired matrix and mimic panels for information
regarding High Risk (SIL3) systems.
Page 16
Controls should be in place to ensure that only appropriate authorised personnel have access
to change data or programs. If access control is by password, these should be changed at
appropriate intervals under the control of the designated responsible person.
For audible and visual alarms, reference should be made to the APPEA Guidelines for
Offshore Emergency Management.
2.6.7 Maintenance and Test Facilities
Facilities to enable complete online testing of all system components including power
supplies and field equipment should be provided unless adequate safety integrity can be
achieved by testing during planned shutdowns. The objective is to detect and rectify covert
failures.
The maintenance and testing philosophy, including frequencies, should be developed as part
of the design process and be fed forward to, and be incorporated in, maintenance and
operating procedures.
Maintenance and test routines should be the product of cooperation between the design team
and the future operating personnel, to ensure their smooth assimilation into the operational
phase.
The status of any maintenance override should be drawn to the attention of the operator, be
documented and continuously annunciated at a suitable operator interface.
All components should be designed to achieve ease of fault finding, replacement and
maintenance.
2.6.8 Software
Appendix A of the UKOOA Guideline for Instrumented-Based Protective Systems, 1995,

provides detailed guidance on the design process to achieve a satisfactory software design for
lower risk (SIL1/2) applications.
Software based systems should incorporate an internal log to demonstrate the software
version or revision giving date and time of the last change.
2.6.9 Data Communication
Hardwired communications links are preferred, where practicable, to radio links.
Where Programmable Electronic System (PES) data is transmitted over communication links,
it should be recognised that the communication link introduces several potential sources of
common cause failure.
Page 17
The safety integrity of High Risk (SIL3) systems should not be reliant on data solely reliant
on data communications links unless adequate measures have been implemented to ensure the
availability of the link.
Physical damage to communication links may be addressed by redundant links with diverse
routing. Redundant links should be exercised regularly.
Loss of a data communication link should be identified at the transmitting and receiving ends.
Total loss of a relevant link should shut down remote controlled installations after a suitable
time delay.
Noise corrupted messages may be identified if the messages are protected by a cyclic
redundancy check of suitable length. This method, however, does not provide full protection.
Data communication systems should be specified to ensure satisfactory operation under worst
case loading conditions. Satisfactory operation may involve degradation in a predefined
manner.
It should be recognised that exception reporting communication techniques are particularly

vulnerable to saturation problems. Quoted communication data rates (bits per second) do not
by themselves provide any conclusive information regarding delay per bit.
High Risk (SIL3) systems may be interfaced with other systems via communication links.
Malfunctions of the communication links or other systems should not affect the safety
integrity of the High Risk (SIL3) system.
The quality of the total communications path should be assured. The total path includes
interfaces between processors and communications links.
2.6.10 Power Requirements
When evaluating the availability of protective systems, consideration should be given to the
security of electrical supplies under plant upset conditions and partial and complete failure of
the main electrical systems.
Diversity of supply may be required to ensure continuity of system operation. Failure of one
of these supply routes should not adversely affect the system performance.
The sizing and rating of electrical supplies should take into account the worst case load with
all elements energised. Surge currents at switch on should also be considered.
The requirements for power heat dissipation, e.g. forced cooling and HVAC, should be
considered together with the security of the heat dissipation method during power upsets.
The required duration and availability of electrical supplies following loss of main generation
should be established and documented.
Page 18
Any uninterruptible power supply systems should be properly matched to the protective
system loads particularly in terms of voltage variations, harmonic distortion, and supply
changeover times. Specific attention is drawn to this need for matching when switched mode
power supplies are used within the protective systems.
For battery back up systems careful consideration should be given to battery float charge,
boost charge, and battery depletion voltage levels over the specified duration of the supply
requirements.
After installation of the protective systems, their correct performance should be checked when
the main AC electrical supplies are interrupted and heavy loads are switched on and off the
electrical distribution system.
2.6.11 Design Change Control
The need for changes to the functionality during the system life should be assessed and
allowed for in the design.
Protective systems should be under the control of a designated responsible person or position.
Management systems and procedures, commensurate with the criticality of the system, should
be in place during both the project and operational phases to effectively control and monitor
changes.
Proposed changes should be assessed by all relevant parties before implementation.
Changes to protective systems should be fully verified, including testing, before they are
brought into service.
2.6.12 Design Method for High Risk (SIL3) Applications
For High Risk (SIL3) applications the following design activities are considered essential
requirements for an acceptable final product and should be incorporated at the correct stages
of design development:
Establish functional requirements (e.g. safety analysis tables or cause and

effect charts);
Produce functional, safety integrity, survivability and hardware specifications;
Design system to the above specifications;
Analyse safety integrity of the design, to ensure that the required performance
standard for each function has been met;
Build and test system;
Produce maintenance schedules and detailed proof test routines for each
system element during the project detailed phase;
Review operational and maintenance experience to ensure that the specified
performance standards are maintained.
Page 19
All of the above activities including maintenance, test routines and periodic reviews should be
carried out in accordance with the QA principles established in ISO 9001, and preferably by
organisations accredited to that standard.
The safety integrity analysis should be carried out by an independent authority, either from a
separately managed area of the organisation, or from outside the company entirely
2.6.13 System Testing
Testing of the logic system for all instrument-based protective systems should be carried out
in accordance with the previously agreed test programme prior to installation. Simulated
inputs and outputs may be used in testing at the vendors works. It should include a complete
verification of the operating manuals, cause and effects, logic diagrams and related
documentation. Full system testing, including all field elements, should be carried out during
commissioning.
2.6.14 Assessment and Certification
Independent assessment and/or certification of systems may be used to provide increased

confidence in vendors claims for systems performance. This can apply to vendor-standard
systems and to design specific configurations.
Independent assessment should be performed for all High Risk (SIL3) systems.
Considerations should include:
Hardware details;
Expected demand rate;
Specification proof testing and maintenance programme for the equipment;
Causes of systematic failure;
Equipment quality;
Design processes;
Maintenance facilities;
Operational and security arrangements.
It is essential that all analysis should consider the complete system, from input transducer to
the actuation of the final control element. The major contributor to system unreliability is
usually field devices with failure analysis being sensitive to variations in device design.
2.6.15 Field Equipment
The design, selection and location of sensors and actuators contribute significantly to the
overall performance of an instrument-based protective system. This section addresses those
points relevant to ensuring design and selection.
Plant located components of instrument-based protective systems should be uniquely

identified in accordance with drawings and documentation.
Page 20
Identification should be by permanent labels at equipment locations.
Diversity
Many common cause failures of redundant field devices can be avoided by properly applied
diversity of devices. Where possible, diversity should be obtained by measuring a variable
via separate tappings.
Analogue input devices are preferable to switched input devices. The ability to continuously
compare signals reduces the mean time to detection of failure and hence increases integrity.
Such methods can utilise discrepancy tracking for the early detection of equipment failure or
malfunction and may utilise the process control analogue instrumentation in such a tracking
scheme.
In the interest of standardisation, consideration should be given to reducing the variety of field
devices. While this may seem to contradict diversity, it is meant to avoid a proliferation of
equipment manufacturers and models. Excessive variety can reduce the level of
understanding of the details of maintenance, calibration and trouble shooting involved with
each device.
Initiating Devices
All system initiators should be separate and independent monitoring and control system
instrumentation.
The method of sensing an abnormal operating condition should normally be by dedicated

transmitters except in the case of vessel level trips where switches or other techniques may be
more effective. Any trip amplifier devices used to interface transmitters to non programmable
logic systems should be testable in service.
Smart (HART) transmitters can be considered suitable for High Risk (SIL3) applications if
the advice in EEMUA publication 160 section 12 is followed. In addition, the software issue
should have been proven in a sufficiently large installed base over a sufficiently long period
of time. (See Appendix B of the UKOOA Guideline for Instrumented-Based Protective
Systems, 1995) Generally this allows the use of smart transmitters in analogue mode only.
It is recommended for the foreseeable future that field instruments should not be integrated
digitally with logic systems for High Risk (SIL3) applications.
In all cases the input devices should be specified and selected for reliable operation and
should fail to a safe known condition on fault, or on interruption of power or other operating
medium. Components should be selected with built in features that drive the device output to
a prescribed status for specified failure modes.
Fire and gas detectors should be selected and located to meet the performance standards for
the detection of specific hazards in the area. This will include fire sizes, gas cloud sizes, and
response times.
Page 21
Output Devices
Output devices should be specified and selected for reliable operation and to ensure that
interruption of the operating medium (electric, pneumatic or hydraulic supply) causes failure
to a known condition.
Shutdown and depressurising valves should normally be operated via solenoid valves.
Electrical surge suppression should normally be provided when driving inductive loads such
as solenoid valves.
Duplicate solenoid valves and/or shutdown or blowdown valves may be necessary to meet the
required integrity (probability of failure on demand).
Shutdown and Blowdown Valves
All shutdown and blowdown valves should preferably be inherently failsafe e.g. spring return.
Isolation valves should fail closed and blowdown valves should fail open on loss of power
medium to the actuator or loss of control signal. However, there may be specific applications
where the flare header is not rated for simultaneous blowdown of all areas of the plant. In this
case the failure action of the blowdown should be selected to minimise risk for all the relevant
operating regimes.
Where non inherently failsafe actuators, e.g. double acting, are justified, then adequate
integrity for the application should be demonstrated. Each actuator should have a local
dedicated power source provided with appropriate protection. This should be capable of
meeting the regulatory requirements with regard to number of operations. Where these are
not stated, then three valve strokes should be possible (where stroke is defined as a
unidirectional movement).
The power medium should preferably be air. However, hydraulic or electric failsafe actuators
may be justified for some applications despite their greater system complexity. In all cases,
adequate safety integrity and survivability of the valve and associated controls should be
ensured.
Consideration should be given to the required performance of valves, actuators and ancillary
devices following long periods of inactivity in the same state.
The valves should be capable of being operated under maximum line differential pressure.
In cases where bypass repressurising around shutdown valves is justified they should also be
automatically operated by the protective system, be specified as shutdown valves, and be
inherently failsafe.
The speed of response (stroking time) of the shutdown valve should be appropriate to the
hazard being protected against. Surge effects and the potential to lock in pressure need to be
considered when selecting or specifying closure times.
Control valves should not be used as primary isolation devices, but may have a predefined trip
position on shutdown.
Page 22
They may be utilised as secondary isolation devices where SIL level requires robustness. In
these cases they should be operated by the shutdown system.
Where it is necessary to use control valves in a safety related application, e.g. for controlled
blowdown of plant to flare, the control valves and their associated systems and ancillary
devices should be suitable for the required integrity of the application.
Blowdown/Shutdown Valve (Spring to Open/Close Valve) Torque

Valve Actuator
Start to open/close torque Spring start torque (SST).
(Break-open/close torque) A safety factor of 100% (i.e. 2 times) should be applied on top of the valve start
to open/close torque. This is at the 'compressed spring state'.
Reseat torque Spring end torque (SET).
(Opening/closing torque) A safety factor of 25% (i.e. 1.25 times) should be applied on top of the valve
opening/closing torque (i.e. the spring should provide a torque of 1.25 times the
valve opening/closing torque at its relaxed state).
Running torque Spring running torque (SRT) and air running torque (ART) - minimum torque
(Resistance torque) produced by the actuator.
A safety factor of 50% (i.e. 1.5 times) should be applied and maintained on top
of the required valve running torque during closing and opening.
Start of close/open torque Air start torque (AST).
(Break-close/open torque) Pneumatic operator beginning torque should be 2 times the valve
closing/opening breakout torque.
Reseat torque Air end torque (AET).
(Closing/opening torque) Pneumatic operator end of stroke torque should be 1.25 times the valve
closing/opening torque (i.e. at the end of the closing/opening stroke).
Impulse Lines
Consideration should be given to the means of achieving process connections to reduce the
risk of blockage in isolation valves, impulse lines and instrument chambers. This applies
specifically when it is known that particulate or waxy deposits are, or can be, present in the
process medium or where scaling may occur.
Process and environmental conditions should be considered in the specification and selection
of impulse lines. This includes protection from impact damage.
The risk of stress corrosion cracking should be minimised in the selection and design of
impulse lines. Care should be taken to avoid under lagging corrosion especially where trace
heating is used.
It is recommended that double block and bleed 50 mm monoflanges are used on all impulse
line connections.
Control Lines & Cables
Consideration should be given to the protection and segregation of cables and control lines
associated with the protective system. The routing of cables should avoid running through
high risk or vulnerable areas where practicable. Diversity of routing should be considered for
energise to execute circuits as a means of reducing common mode failures in event of a
major incident. Any 'critical signals' should be hard wired.
Page 23
Consideration should be given to the segregation and shielding of cables to protect against
electromagnetic disturbance.
Cables should be fire rated to IEC 331, IEC 92-375 or AS 4193.
Fire, Blast and Dropped Object Protection
Fire, blast and dropped object protection for instrumentation, actuators, cables and other
associated devices, which are part of protective systems, should meet the required
survivability specification of the performance standards.
Maintainability and Testing
Due regard should be given in the design to the needs of maintenance and testing activities.
Specifically the method and frequency of testing to ensure adequate facilities are provided.
Facilities for physical testing of initiating devices should be provided where practicable,
unless all testing is to be carried out on shut down plant. Manual override switches should be
installed to isolate the devices prior to testing.
Environmental Considerations
In the selection of devices consideration should be given to the environmental requirements

including heat and moisture ingress protection including seawater deluge, CO2 and other
extinguishant media.
Electrical devices should be specified in accordance with the hazardous area classification and
also be consistent with the installations safety philosophy. See also the requirements of
AS 2430.
2.7 OPERATION & MAINTENANCE
The purpose of systems maintenance and testing is to ensure that the performance standards
from the original design are maintained throughout the lifecycle of the protective systems.
2.7.1 Responsible Person
Each protective system should be under the control of an identified responsible person or job
position.
The responsible person or job position is accountable for ensuring that the systems continue to
perform to the required performance standards. Specific responsibilities include:
Assurance of the competency of the operators and maintenance technicians

who work with or on the system;
Control of access to the system including use of keys and passwords;
Control of overrides;
Page 24
Coordinate testing of the system;

Control changes to the system;
Ensure appropriate records are maintained;
Assess the results of testing, maintenance activities, systems failures, and
demand rate on the system to ensure system integrity is maintained.
2.7.2 Maintenance and Testing
Design assumptions, particularly on the scope and frequency of testing, should be clearly
documented and translated into operational information and procedures.
The maintenance and testing scope, frequency and responsibilities should be clearly
documented. The maintenance and testing regime should recognise the scope and limitations
of any system self-testing.
The maintenance philosophy document should also describe how demands on the systems
will be recorded and how the systems will be assessed periodically to ensure that their safety
integrity meets or exceeds the performance standards as per the design. The implications of
any failures should be assessed, and where required, modifications to equipment or
procedures should be carried out to minimise the likelihood of repeat occurrences.
The use of maintenance overrides should be formally authorised and recorded. Their use
should be subject to instructions and procedures described in the operations procedures for the
plant. The status of overrides should be regularly assessed.
For large complex systems, consideration should be given to placing a vendor support
contract for corrective and preventative maintenance, spares management, and support for
system changes.
The necessary tools and diagnostic facilities should be available to permit technicians to
perform first line maintenance and restore system availability within a reasonable period of
time.
2.7.3 Documentation and Records
Current system documentation should be available to maintain the system throughout its life
cycle. This will include overall system description, performance specifications, key drawings,
and operation and maintenance instructions.
Records of the following should be maintained throughout the life cycle of the system or for
predefined periods as appropriate:
Inspection records;
Testing records;
Maintenance repairs;
System failures;
System demands and outcomes;
Page 25
System integrity assessments and any subsequent changes to the scope or

frequency of testing.
It is recommended that check sheets, detailed in IEC 61508, be utilised.
2.7.4 Control of Changes
Management systems and procedures, commensurate with the criticality of the system, should
be in place to effectively control and monitor proposed and actual changes to hardware,
software and operational procedures.
All changes should be shown to meet the systems safety performance standard and be fully
assessed by all relevant parties before implementation.
Any change to a protective system should be fully documented, follow a quality plan and be
reviewed by two competent personnel.
Changes to software based protective systems should be fully tested prior to implementation
on an operational host system. It should be capable of immediate return to a known working
version in the event of a fault.
The system environment should be maintained in line with the original design parameters
including temperature, humidity, vibration, and electromagnetic disturbances. The impact on
system integrity by changes to the environment should be assessed.
2.7.5 Assessment of Protective System Integrity
The results of periodic system testing should be assessed and appropriate measures taken to
maintain the required system integrity.
The use of field data to reassess the testing regime should only be used where a significant
sample of data is available. In this case the change to the testing regimes should be fully
justified, documented, and formally controlled.
For High Risk (SIL3) systems, periodic reviews are necessary to ensure that the safety
integrity is maintained during the life of the plant. These reviews should re-examine the
quantified analyses originally carried out during the design phase taking into account actual
demands on the systems, outcomes of those demands, system failure rates, any revised testing
regimes and any changed operational circumstances.
2.8 FACILITY/ACTIVITY
2.8.1 Drilling
Well Control Equipment
Page 26
Wellhead equipment may vary from well to well to suit anticipated or known pressure
conditions, and in exploration drilling it should always be of a suitable pressure rating to cope
with high, or abnormal sub-surface pressures.
Wellhead control equipment should be installed under the direct supervision of competent
personnel.
The drilling rig should be equipped with independent hydraulically operated blowout
preventer operating equipment with an automatic repressuring system (see API RP53).
A control panel for the blowout prevention equipment should be located on the rig floor at the
Drillers station, with a second panel located away from the operations areas. A position
display panel should be fitted in a third office location for supervisory personnel. The control
panels should clearly show the open or closed state of the blowout prevention equipment and
the areas around the blowout preventer control points should be kept clear and readily
accessible at all times.
Upper and lower kelly cocks of equivalent pressure rating to the wellhead control equipment
should be installed in the drill string to protect the swivel and rotary hose from high well
pressures.
When drilling into known high pressure zones, or potential high pressure zones in production
fields, the use of drill pipe safety valves is recommended.
On all drilling and well servicing operations, an inside blowout preventer and full opening
safety valve should be kept on the rig floor ready for immediate use in the drilling string or
tubing, if required. The valve should be fitted with handles for easy handling and change subs
to suit connections in use.
The valves and controls associated with the blowout preventer equipment should be clearly
labeled to indicate their specific function.
Pressure Testing
At the time of installation, well control equipment including all inside blowout preventers
(BOPs), kelly cocks and pumpdown subs should be hydraulically tested with water to the full
rated working pressure or maximum anticipated surface pressure, plus safety factor, and the
results logged. Test areas and equipment should be clearly indicated by warning notices or
public address (PA) announcements.
Inspection and routine testing of such equipment, after installation, should be carried out at
regular intervals and logged. When drilling, blowout preventer rams should be operated at
regular intervals and results logged. The complete system should be tested regularly and
always prior to drilling into an unknown reservoir section. Properly drafted BOP test sheets
should be available for guidance. (Refer API RP-53)
If unusual pressure variation or other abnormalities are observed in the system, appropriate
action should be taken and the details logged.
Page 27
Control Valves
Any valves for the shutting down and control of equipment in emergencies, such as choke
manifolds and standpipe manifolds, should be regularly tested and kept in good working
condition.
Such valves should plainly indicate whether they are open or closed and the positioning of
them should be either in line of sight to the Drillers position or a method of communication
should be established between the man stationed at the control valves and the Driller.
Well Control Practice Drills
A blowout practice drill should be carried out on each rig tour, until every member of each
drilling crew is familiar with his respective duties. In addition, each crew should have a least
one well control practice drill during each offshore duty cycle to maintain alertness.
Additional practice drills should also be considered prior to drilling into new horizon sections
of a well. Particular attention should also be given to training any new member of a crew on
his specific duties.
2.9 PRODUCTION
No specific guidance provided.
2.10 MARINE
The MODU Code defines specific requirements for safety systems.
A safety system should be provided to ensure that any serious malfunction in machinery or
boiler operations which is of immediate danger should initiate automatic shutdown and alarm.
Shutdown of the propulsion machinery should not be automatically activated except in cases
which could lead to serious damage, complete breakdown or explosion. Where an override of
the main propulsion automatic shutdown is provided, systems should be in place to prevent an
inadvertent operation. Visual means should indicate when the override has been activated.
2.10.1 Alarm System
An alarm system should be provided at the main machinery control station giving audible and
visual indication of any fault requiring attention. It should also:
activate audible and visual alarms at another normally manned control station;
activate the Engineers alarm if the original alarm has not received attention
locally within a limited time;
as far as practicable be of failsafe design;
when in marine mode, activate an audible and visual alarm at the navigating
bridge.
Page 28
The alarm system should be continuously powered with automatic change over in case of loss
of normal power supply. Such a failure should be alarmed.
The alarm system should be capable of indicating more than one fault at a time and the
acceptance of an alarm should not inhibit another alarm.
Alarms should be maintained until they are accepted and the visual indicators should remain
until the fault has been corrected, when the alarm should be automatically reset to the normal
operating condition.
Page 29
3.0 PROCESS SHUTDOWN
3.1 ROLE
The role of the Process Shut Down (PSD) system is the detection of abnormal process
conditions which may result in a release of hydrocarbons and cause the shut down of the
system to prevent such a release.
3.2 FUNCTION
In the case of hydrocarbon drilling and production systems an abnormal condition may
include, but not be limited to, the following:
High or Low Pressure;

High or Low Temperature;
High or Low Level.
An abnormal condition is characterised by the movement of system parameters (e.g. pressure,

temperature, etc.) towards or outside the operating envelope.
In some cases the abnormal condition may be the release of gas (e.g. in the case of drilling
where gas detected in the mud returns may indicate a potential problem in the well).
A PSD will result in a shut down of energy sources which are contributing to the abnormal
condition. For example, in the case of high temperature, heat inputs will be shut down or
isolated, or in the case of high pressure the pressure source will be isolated.
3.3 RELATIONSHIP
The Process Shut Down (PSD) system acts to prevent an undesired release of hydrocarbons
upon detection of variations in system parameters which are known to be indicative of a loss
of control. PSD is related to various other safety systems as follows:
3.3.1 Emergency Shut Down (Section 5.0)
The PSD if effective should return the system to a stable state with no or little threat of an
undesired hydrocarbon release. In cases where the PSD does not produce a stable state in the
hydrocarbon system an Emergency Shut Down (ESD) may be required. The ESD system
may be considered an extension of the PSD system, for cases where the limited actions taken
in a PSD are ineffective and the situation is escalating towards an emergency or Major
Accident Event (MAE).
Page 30
3.3.2 Emergency Power (Section 7.0)
In some cases, PSD will cause the shut down of electrical supplies. In this event it is
important that power is available to effect the PSD and to provide for the continued operation
of parts of the facility not affected by the PSD. Emergency Power systems may be activated
at this time although it would be more typical that emergency power supplies would be
initiated in the event of an ESD.
3.3.3 Hydrocarbon Disposal (Section 8.0)
Depending upon the part of the hydrocarbon process affected by the PSD it may be required
to remove hydrocarbons from the system, either to prevent knock-on effects to other systems
or as a precaution in case the situation escalates further towards an emergency or MAE.
Venting of hydrocarbon gases may be released through a blow down executive action. Liquid
hydrocarbons may be drained to a safe location.
3.4 DESIGN
Prevention is the preferred strategy for the management of risk due to undesired hydrocarbon
releases and fires/explosions.
The PSD system should be designed to provide a reliable means of detecting excursions of
process conditions towards or beyond operating/design limits and, providing alarms and/or
signals for executive action of other process/safety systems.
As discussed in Section 2.0, API 14C is a widely accepted method for the analysis and design
of Process Safety Systems. It requires that these systems have:
independence from other systems or reliability equivalent to an independent

system; and
two levels of protection, primary and secondary, which should be independent
and achieved through equipment which is functionally independent.
In this context, API 14C provides guidance on the selection of safety devices and protective
shut in actions for isolating a process component, in the event of an abnormal operating
condition (e.g. overpressure, leak, excessive temperature, etc.). In the case where a detected
abnormal operating condition is a release of hydrocarbons other safety systems may be caused
to operate/take effect. That is, in the event of a gas leak, the ESD and blow down systems
may act to reduce the amount/pressure of hydrocarbons for release thereby reducing the
duration/consequences of such a release. These events are considered further in Section 5.0
on Emergency Shutdown and subsequent sections of these Guidelines.
For example, in the case of overpressure, the primary means of protection is defined as a
pressure sensor to either shut off or divert inflow to the component, including fuel/heat
sources if appropriate. In this case a single device (i.e. the pressure sensor) must be
supplemented by another device (i.e. to cause shut off/divertion of flow) to affect complete
primary protection.
Page 31
The secondary means of protection should be a pressure relief or safety valve.
In the case where a shut off mechanism is employed, it should be at the primary source of the
energy, rather than at the input to the specific component effected, since this would act to
propagate the effect upstream until the primary source is caused to be shut off.
3.6 ACTIVITY/FACILITY
3.6.1 Drilling
3.6.2 Production
3.6.3 Marine
Page 32
4.0 FIRE & GAS DETECTION
4.1 ROLE
To detect the presence of hydrocarbon gas or ignited hydrocarbons and provide signals for the
initiation of Emergency Shut Down (ESD) and Fire Protection systems.
4.2 FUNCTION
The detection of hydrocarbon gas in areas of the facility is a clear indication of a potential for
a fire or explosion Major Accident Event (MAE). At this stage it may be possible to prevent
ignition of the hydrocarbons thereby preventing a fire or explosion.
The detection of ignited hydrocarbons depends upon the nature of the fire. Detection of light,
heat and/or smoke may be used to indicate an ignited hydrocarbon leak.
In either case the detection of a hydrocarbon release acts to initiate other safety systems to
control the consequences of the event.
4.3 RELATIONSHIP
The Fire and Gas (F&G) detection system acts to detect an undesired release of hydrocarbons,
which may be ignited. F&G is related to various other safety systems as follows:
4.3.1 Emergency Shut Down (Section 5.0)
F&G detection indicates that the sequence of events which may result in an MAE are well
advanced and provides the basis for executive action by the ESD system.
4.3.2 HVAC (Section 6.0)
Through the ESD system, detection of gas at the ventilation inlets of safe spaces, such as
control rooms or accommodation modules, may cause shutdown of HVAC fans and/or
dampers in HVAC trunking.
Continued operation of F&G detection in an emergency is important so that a developing

event can be monitored. (Hydrocarbon gas migration or gas ignition) Continued operation
requires provision of electrical energy through the Emergency Power system.
Page 33
4.3.4 Fire Protection (Not part of these Guidelines)
In the event of a hydrocarbon release or ignition, F&G detection may cause an active fire
protection system to come into effect in the area of the release and/or adjacent areas. Active
fire protection systems include water deluge, CO2 dumping and Dry Chemical.
4.4 DESIGN
releases and fires/explosions. As discussed in Section 3.0 Process Shut Down systems, a
hydrocarbon leak may be detected as a result of abnormal operating conditions (e.g. low
pressure, back flow and low level). However, that system is not a completely effective means
of identifying the precursors to all hydrocarbon releases, and for this reason leak and fire
detection systems are deployed.
A leak may be detected as an abnormal process operating condition or directly as hydrocarbon

in the atmosphere external to the process system. A release of hydrocarbon liquid may be
detected as an abnormal process operating condition. The exceptions to this are in cases
where the liquid releases a large amount of hydrocarbon vapour when reduced to atmospheric
pressure or where the liquid is released as a spray, creating a hydrocarbon vapour mist in the
air. The detection of liquid releases, as hydrocarbon vapours in the atmosphere, is discussed
in Section 4.4.7.
Hydrocarbon fires may be detected through heat produced or electromagnetic radiation

emitted by the fire, or by the products of combustion (e.g. smoke).
The F&G system should be designed to provide a reliable means of detecting hydrocarbon
vapour/gas in the atmosphere and fire, and provide alarms and/or signals for executive action
by other safety systems.
The definition of requirements for a F&G system should include consideration of the types of
leaks, their location and air movement patterns.
Fire and Gas systems should be specified to detect given ratings of fires and
sizes/concentrations of gas clouds. The practical difficulties of designing systems from
hazard detection through to final activation in high integrity should not be underestimated.
4.4.1 Failsafe
Fire and Gas systems are traditionally not designed to have failsafe control actions because of
the undesired consequences of spurious or inaccurate detection. This requires consideration
of automatic testing, built in fault detection, line monitoring, and voting techniques to ensure
that the system performs its intended function.
Page 34
4.4.2 Detection Types

Classified areas and locations where personnel sleep on offshore facilities should have the
following types of detector:
Fire - pneumatic fusible loops; electronic detectors (flame, heat, smoke);

Gas - ventilation and detectors; visual and audible alarms for low level of
flammable gas; shutdown upon LFL/approach to LFL.
4.4.3 Detection - Personnel Observation
Detection by personnel observation is more effective in the cases where a space/area on the
facility is manned on a regular basis. The detection of a liquid hydrocarbon leak is more
readily achieved through observation/inspection by personnel. In the case of detection by
personnel observation it is important that suitable alarm call points (break glass or push button
type) are provided for notification of a leak/fire.
This means of detection may also be a requirement in the case where a fire protection system
is used which may threaten the observers life. An example of this would be the use of CO2
to inhibit combustion, which produces a threat to personnel.
4.4.4 Detection - Automatic
Detection by an automatic system may be used where a space is not normally manned and the
hydrocarbon release or effects of combustion are readily detected. These systems normally
provide rapid response in the event of a leak/fire and may be designed to readily show the
location of an event. Such systems include:
pneumatic loops with fusible elements;

electronic systems flame, heat and product of combustion detectors.
Flame detectors can provide a speed response in the detection of fires. Flame detector
installations should consider the likely source of flame, detector cone of vision, and physical
obstructions. Flame detectors used in open areas should not be susceptible to false alarms due
to sunlight. Single spectrum detectors are susceptible to spurious alarms; therefore, it may be
desirable to arrange them in groups using appropriate voting systems or to use devices that
incorporate dual sensors of different types (e.g., UV/IR) to minimize unwarranted alarms.
Heat detectors normally require less maintenance than other types of detectors because of
their basic nature of operation and simpler construction. These factors may result in fewer
unwarranted alarms; however, since heat detectors are inherently slower in operation than
other types of electrical detectors, they should be considered for installation in areas where
high speed detection is not required.
Smoke detectors are recommended where personnel regularly or occasionally sleep and in
rooms containing heat sources such as space heaters, ovens, and clothes dryers or areas
subject to electrical fires. Quarters should contain smoke detectors within each bedroom,
corridor, hallway and office.
Page 35
4.4.5 Detector Certification
Detectors should be compatible and approved through laboratory testing/certification.
4.4.6 Detector Selection
The following considerations should be made in selecting a detector/detection system.
Effect to be Detected
See Section 4.4.4, above.
Electrical Area Classification
In the case of leak detectors it is critical that these devices provide indication of a release
without causing ignition. The classification of electrical equipment for use on facilities (i.e.
AS 2380) defines standards for the intrinsic and explosion proofing of electrical equipment in
such spaces. These classifications should be applied to detectors.
Required Speed of Response
In the case of fire detection it is generally critical to have rapid detection such that fire
protection systems can be initiated prior to significant heat build up due to the fire in the
facilities steelwork and other equipment.
IR and UV electronic detectors provide rapid response to the presence of a flame but are
relatively expensive. These detectors are used where a readily distinguishable flame is
produced by burning hydrocarbons and is not obscured by products of combustion or be
masked by background electromagnetic radiation.
Pneumatic fusible loops respond to the heat of a fire and are most effective in detecting liquid
fires. These systems are relatively inexpensive and are effective in cases where an obscured
flame is present.
Coverage for Effective Detection
Detectors must be positioned so they are exposed to the effect to be detected. This requires
consideration of the effect to be detected and the location(s) of releases.
Hydrocarbon gas and vapour/mists are most readily detected by automatic systems.
In the case of vapours/mists, these are generally the result of discharge of liquid hydrocarbons
from high pressure through a small hole. Oil mist detection systems are available which use
sampling and analysis of an atmosphere, and IR sensing. The effectiveness of these systems
for localised releases is critically dependent upon location of leaks and sampling points. It is
considered that other methods of control be applied to the prevention and detection of such
leaks.
Page 36
One mode of prevention is through the use of reduced pressures. Control occurs through the
use of shielding of flanges and separation from hot surfaces.
In the case of gaseous hydrocarbons, it is the relative density of the gas compared to that of air
which will primarily define the location of detectors. Buoyant gases (i.e. those lighter than
air) will tend to rise and detectors should be placed high in spaces where such releases may
occur. In the case of dense gases, accumulation will occur near the deck of the space and
detectors should be placed low down.
The location of detectors may also be influenced by the type of space and ventilation patterns.
Enclosed spaces will generally have some form of mechanical ventilation which acts to
prevent the build up of flammable concentrations of gaseous hydrocarbons. The location of
detectors should include consideration of ventilation air flows. Consideration may be given to
siting detectors in the exhausts from such spaces. The use of open space design may act to
disperse gaseous hydrocarbon releases through natural air movements. In either case where
significant ventilation rates are available gas detection may be impractical or require siting of
detectors close to nominated leak sources.
The number of detectors used may be determined by the required safety integrity level of
detection and/or by operational considerations. Use of a single detector may be acceptable
where the location of gas is readily known (e.g. HVAC inlets/exhausts) which would leave
only the detector as the determining factor on detection reliability. More generally, if
detection systems are used they are in the form of multiple detectors which vote to provide a
more certain indication of an undesired condition. This may include, for example, three
detectors in series (i.e. on a single loop) which requires two of the three to indicate the effect
for confirmed detection. In some cases multiple loops of detectors may be deployed to
improve detection effectiveness.
The deployment of complex detection systems should be carefully considered since these will
be expensive to purchase and maintain, and may provide a false sense of security in
operations.
Sensitivity
Use of detector voting and self testing systems may reduce the effect of spurious detectors
action (e.g. due to detector failure or environmental factors such as lighting).
Vulnerability to Damage
Detectors should be specified, positioned and protected for the environment they will work in.
Some considerations include:
corrosive environments/discharges;
the effects of cleaning chemicals;
potential for impacts during operational and/or maintenance activities.
Page 37
4.4.7 Gas Detection
Any area in which operations could lead to the emission or accumulation of flammable or
toxic gases should be provided with suitable means of ventilation.
A drilling, workover or production installation on a platform should have flammable gas

detection devices installed in any enclosed area containing petroleum handling equipment,
mud tanks, mud pumps, shale shakers or other open parts of the mud system. An operation
where an emission of flammable gases can result in hydrogen sulphide gas concentrations of
greater than 20 ppm, without the flammable gases emission being detected, should not be
carried out unless hydrogen sulphide gas detection devices have been installed and are
functioning.
A gas detection system should be capable of continuously monitoring for the presence of gas
in the area in which the detection devices are located.
The monitoring devices and the control mechanisms should be so arranged that functional
tests of the separate components and of the whole system can be carried out efficiently.
The central control for the gas detection system should:
be capable of giving an alarm at a point 10-25% of the lower explosive limit;

automatically activate shut-in sequences at a point 20-60% of the lower
explosive limit; and
in the case of hydrogen sulphide detection be capable of giving an alarm before
the concentration exceeds 20 ppm.
Internal combustion engines on a platform, other than engines operating fire pumps and
pumps required for well control or which are situated in the open and are constantly attended
when operating, should be provided with emergency shutdown devices. These should be
automatically activated when flammable gas is detected in the air intake or, where these
engines are installed in pressurised housings, in the air intake of these housings and which are,
where necessary equipped with remote control equipment that is:
accessible to the driller on a drilling and workover rig; and

at some readily accessible point on a production platform.
Further guidance on the design and installation of detectors and detection systems may be
found in NFPA 72/72E and API RP 14C/14F.

Functional tests should be carried out by a competent person:
at defined intervals; and

immediately after any event indicating that the system or any part of the
system is not operating correctly.
The results of any such test should be recorded in an approved manner.
Page 38
4.5.1 Testing
F&G Panel(s) should be tested quarterly, including shutdown tests using different initiators.
Test failures should be documented and utilised for determination of proof test periods.
Fire detectors should be tested quarterly for operation and recallibrated. Fusible loops should
be inspected as per API 14C.
4.6.1 Drilling
A drilling or workover installation should have approved degassing equipment installed in the
mud system.
4.6.2 Production
4.6.3 Marine
1974 SOLAS Convention (Regulation 13)
The operation of marine facilities is covered by a prescriptive regime. Regulation II-2/13 of

the 1974 SOLAS Convention defines minimum requirements for Fixed Fire Detection and
Alarm Systems. This Regulation is oriented towards the protection of manned spaces/quarters
from fire, not specifically hydrocarbon fires. The Regulation provides useful dos and donts
for fire detection systems design and installation.
1989 MODU Code (8.3.4, 9.7, 9.8)
In the case of MODUs, the 1989 MODU Code calls for a self-monitoring fire detection
system in periodically unattended machinery spaces. The system should allow for the rapid
detection of fire, visual and audible alarm annunciation, and should have an independent
feeder from a source of emergency power.
At the discretion of the Administration, fire detection systems should be provided in boiler air
supply casings and exhausts, and scavenging air belts of propulsion machinery.
Internal combustion engines above 2,250kW, or with a cylinder bore greater than 300mm,
should have crankcase oil mist detectors, engine bearing temperature monitors or equivalent
devices.
At the discretion of the Administration, a gas detection and alarm system should be provided
in all enclosed spaces where an accumulation of gas may be expected.
Page 39
This system should continuously monitor such spaces and provide visual and audible alarm
annunciation of the presence and location of gas at the main control point.
The fire detection system required by the 1989 MODU Code for periodically unattended
machinery spaces should be tested under varying conditions of engine operation and
ventilation.
The facility should have at least two portable gas monitoring devices.
The quarters should have a central fire detection system, zoned to allow rapid identification of
fire.
Page 40
5.0 EMERGENCY SHUTDOWN
5.1 ROLE
The role of the Emergency Shut Down (ESD) system is to isolate equipment and systems to
prevent/minimise loss of life on and property damage to the facility.
5.2 FUNCTION
The ESD system provides for the isolation of equipment systems where an emergency
situation has arisen or is imminent. This may be through escalation or worsening of abnormal
process conditions which the PSD system has not acted to control, or may be as a result of the
detection of a hydrocarbon release or fire.
In general terms the ESD system will cause segregation of the hydrocarbon process to prevent
inflow to a leaking section and thereby limit the quantity of hydrocarbons available for
release. Hydrocarbon disposal systems (Section 8.0) may be used to further reduce the
quantity of hydrocarbons available for release through blow down of gas and drainage of
liquid hydrocarbons.
5.3 RELATIONSHIP
The Emergency Shut Down (ESD) system acts to prevent or control an undesired release of
hydrocarbons through escalation of shut down level from PSD or upon operation of F&G
detection. ESD is related to various other safety systems as follows:
5.3.1 Process Shut Down (Section 3.0)
The PSD should return the system to a stable state with little or no threat of an undesired
hydrocarbon release. In cases where the PSD does not produce a stable state in the
hydrocarbon system, an ESD may be required. It many cases, ESD is considered an extension
of PSD where the more limited actions taken in a PSD are ineffective and the situation is
escalating towards an emergency or Major Accident Event (MAE).
5.3.2 Fire and Gas Detection (Section 4.0)
The primary cause of ESD is detection of a hydrocarbon leak through the Fire and Gas (F&G)
detection system. F&G detection may result in the shut down of other safety systems through
the ESD system.
Page 41
5.3.3 HVAC (Section 6.0)

The ESD system may cause the shut down of the HVAC system, including fans and/or fire
dampers, for example, detection of gas at the ventilation inlets of safe spaces, such as
control rooms or accommodation spaces.
The F&G detection system should be provided with Emergency Power to allow for ongoing
monitoring of an event after the initial event has resulted in an ESD.
5.3.5 Hydrocarbon Disposal (Section 8.0)
Through an executive action from the ESD system, segregated sections of the hydrocarbon
process/system in the vicinity of a release/fire may be blown down (i.e. hydrocarbon gas
vented to a safe location) and/or drained (i.e. liquid hydrocarbon removed/dumped to a safe
location). Both of these actions will reduce the amount of fuel available to feed a fire or
reduce the effect of any escalation of the original event to another part of the hydrocarbon
system.
5.4 DESIGN
Safety systems should be defined on the basis of the inherent risk associated with the
process/activity. Shut down systems should take due consideration of risks and in particular
event sequence in the context of the overall facility.
releases and fires/explosions. The PSD system may provide for the shut down of a system
component prior to a release or it may detect process conditions which are symptomatic of a
release. In addition the F&G system may provide indication of a release. In either case, it is
the ESD system which will cause executive action to control/mitigate the effects of the
release.
As discussed in Section 2.0, API 14C is a widely accepted method for the analysis and design
of Process Safety Systems. It requires that these systems have:
independence from other systems or reliability equivalent to an independent

system; and
two levels of protection, primary and secondary, which should be independent
and achieved through equipment which is functionally independent.
In this context, API 14C provides guidance on the selection of safety devices and protective
shut in actions for isolating a process component, in the event of an abnormal operating
condition (e.g. overpressure, leak, excessive temperature, etc.). In the case where a detected
abnormal operating condition is a release of hydrocarbons, it is the function of the ESD
system to define executive actions for the control/mitigation of the undesirable event.
Page 42
For example, in the event of a gas leak the ESD and blow down systems may act to reduce the
amount/pressure of hydrocarbons for release thereby reducing the duration/consequences of
such a release.
As far as practicable the ESD system should be designed to be failsafe. Exceptions should
be made on the basis that the overall integrity of the ESD system is not impaired. Cascade
effects should be avoided in the design of ESD systems.
The ESD system should be independent of other monitoring, control and alarm systems. The
system itself should be designed with sufficient segregation such that failure of one part of the
system would not render other parts of the system inoperative. Similarly faults in interfaced
systems should not render the ESD system inoperative.
ESD systems should be protected against sources of electromagnetic interference.
ESD activation should be enunciated at the main control station by visual and audible means
which should readily identify the location and source of the equipment initiating ESD. For
the final stage of ESD, the alarm should be part of the facilitys general alarm system.
Manual reset capability should be provided local to the equipment that has been shut down.
Appropriate hardware and/or management system controls should be implemented to ensure
that ESD system is not cancelled erroneously.
Online testing and maintenance should be allowed for whilst the system may be readily
returned to operational readiness as soon as possible. In the case that system overrides are
provided, these should not be capable of being inadvertently operated. Such overrides should
be made known to personnel at the main control station and should be limited in their scope of
affect through suitable segregation of overrides. Visual indicators of override should be
provided at control stations and locally.
Power supplies should be provided and arranged such that automatic change over is provided
for in the event of power loss. These supplies should be provided with alarms to enunciate
their failure.
Hydraulic and pneumatic systems should have sufficient capacity to perform one complete
shutdown followed by reset. Standby should preferably be from local sources. In the case of
non-failsafe actuators, capacity should be provided for three valve strokes.
Power and control lines to ESD field components should be routed to minimise the risk from
causes of damage including segregation from other control systems to prevent failure of these
systems affecting the ESD system. Where mechanical damage is possible, consideration
should be given to lines running through protective enclosures. Lines that are required to
maintain integrity during a fire should have appropriate fire resistance.
ESD system terminations should be segregated from other equipment/systems. In the case of
interface terminations, the ESD system terminations should be clearly identified.
Manual initiation points should be clearly identified.
Page 43
The final stage of ESD should include shutdown of all utilities (excluding emergency
services), production/test facilities, closure of wellhead valves, opening of all BDVs and
closure of DHSVs.
If employed, redundancy should include consideration of:
majority voting;
common mode failure mechanisms;
alarm of channel failure;
online testing of channels, a complete function test where practicable.
The use of PES should be compatible with other ESD system technologies used and should be
designed for normal and emergency environmental conditions. Essential functions should be
provided with self checking and fault diagnostic capabilities. Testing should allow for
immediate reversion to system operation in the event of an actual ESD signal. PES system
failure should be annunciated through visual and audible alarms, with consideration given to
discrimination of hardware and software malfunction. Failure of peripheral devices should
not cause the system to become ineffective. Software quality should be adequately checked
and modifications only made in accordance with the software quality assurance plan for the
system. All parts of the PES should have a no break power supply which has low levels of
superimposed electrical interference. Software should be secured from interference by
unauthorised personnel.
5.4.1 Documentation
The ESD system design should be documented to include:
philosophy details and logic diagrams;

cause and effect matrices;
loop diagrams;
alarm system schedules, diagrams and description of operation;
power supply system diagrams.
In the case of PES systems documentation should include:
functional specification and diagrams;

hardware and software particulars, usually in the form of block and flow
diagrams;
scope and function of novel features interlocks, self checking systems, auto
abort testing mechanisms, etc;
interface arrangements with field equipment and peripheral devices;
PES equipment siting;
software quality assurance plan;
I/O schedule;
Message lists.
Maintenance manuals should be produced and retained on the facility.
Page 44
Records of ESD system testing and commissioning should be retained.
5.4.2 Process and Emergency Shutdown Systems
Shutdown functionality may be implemented in programmable or non programmable systems.

Care should be taken to ensure that the system supplier is both competent and experienced in
the chosen technology.
Rigorous quantified assessment of reliability and system integrity is only usually required in
the case of High Risk (SIL3) shutdown systems. Other risk levels should be the subject of a
qualitative assessment/review.
In cases where parts of the process system are to be bypassed (e.g. start up, changeover,
maintenance, etc.), the ESD system should be designed to facilitate such activities.
Disconnection of parts of the process system and associated parts of the ESD system is
controlled through the facility Permit To Work (PTW) system.
Override of the ESD systems failure to safety function may be acceptable during manned
operations such as loading, drilling or workover, provided suitable risk analysis demonstrates
that risks are ALARP.
No process ESD should confer a hazard on drilling operations.
A recognised national or international standard for pressure testing should be applied to all
parts of the ESD pneumatic and hydraulic systems.
Commissioning should include testing of each part of the ESD system culminating with
testing of the whole system. Testing should include activation via all manual initiation
devices and/or sensors through to the final shutdown conditions. Commissioning records
should confirm satisfactory operation and response times where appropriate.
5.5.1 Documentation
For the purposes of effective operation of the ESD system the following documentation
should be provided:
Outline of testing/maintenance methods and frequency (Operations Manual);

Detailed testing/maintenance procedures (Maintenance Manual).
5.5.2 Sequence of Event Recording
An event recorder is recommended and should include initiating and ESD action signals. This
may be used to demonstrate system functionality and operation.
Page 45
5.6.1 Drilling
It is usual for ESD systems in drilling operations to be the subject of manual executive action.
Blow-out preventers and related well control equipment should be installed, operated,
maintained and tested in accordance with the manufacturers recommendations or with API RP
53, Blow-out Prevention Equipment Systems for Drilling Wells, and should be rated with a
working pressure of the casing.
Prior to drilling below the conductor casing string in exploration wells, or in development
wells in those areas having known gas accumulations, a pipe of adequate diameter with
control valves or diverter system should be installed. This should safely divert hydrocarbons
and other fluids in the event of pressures occurring below the shoe of conductor string which
may fracture the formation.
Prior to drilling below the surface casing string, the blow-out prevention equipment should
include a minimum of:
three remotely controlled, hydraulically operated blow-out preventers with a

working pressure that exceeds the maximum anticipated surface pressure,
including one equipped with pipe rams, one with blind rams and one of the
annular type;
a drilling spool with side outlets for the attachment of choke and kill lines, if
side outlets are not provided in the blow-out preventer body. These side
outlets, at least two in number, should be connected to pipelines of sufficient
strength to withstand a pressure equal to the pressure rating of the blow-out
preventer assembly to which they are connected. One of the said pipelines
should be available for the purpose of bleeding well fluid to the choke
manifold and should have a minimum internal diameter of 75 mm;
a choke manifold containing not less than two adjustable chokes connected to
one of these pipelines;
a kill pump facility connected to the kill line; and
a fill-up line.
Prior to drilling below an intermediate casing string, the blow-out prevention equipment
should include a minimum of:
four remotely controlled, hydraulically operated blow-out preventers with a

rated working pressure which exceeds the maximum anticipated surface
pressure, including at least one equipped with pipe rams, one with blind rams
and one of the annular type;
a drilling spool with side outlets for the attachment of choke and kill lines, if
side outlets are not provided in the blow-out preventer body. These side
outlets, at least two in number, should be connected to pipelines of sufficient
strength to withstand a pressure equal to the pressure rating of the blow-out
preventer assembly to which they are connected.
Page 46
One of the said pipelines should be available for the purpose of bleeding well
fluid to the choke manifold and should have a minimum internal diameter of
75 mm;
a choke manifold containing not less than two adjustable chokes connected to
one of these pipelines;
a kill pump facility connected to the kill line; and
a fill-up line.
When drilling operations are being carried out from a mobile drilling unit (other than a jack-
up platform), after drilling out of the conductor string, provision should be made so that:
equipment being run in the well may be secured in such a manner that it may
remain stationary and independent of the motion of the drilling unit; and
every blow-out preventer assembly in use should have included in it at least
one set of pipe and shear-blind rams.
It should be ensured that:
an inside blow-out preventer assembly (back pressure valve) and a full opening
drill string safety valve in the open position are kept on the rig floor at all times
whilst operations are in progress, with suitable crossover substitutes to enable
installation on all drill pipe, drill collars and tubing in use; and
a kelly cock is installed immediately below the swivel and another at the
bottom of the kelly, of such design that it can be run through the blow-out
preventers.
It should be ensured that the blow-out prevention equipment is not removed until the well has
been adequately sealed.
During operations there should be a control panel, located on the drill floor, for operating
blow-out preventers, and another located at such a distance from the drill floor as to ensure
safe and ready access in times of emergency.
Each choke manifold should have the following equipment clearly visible to the choke
operator when standing in his normal operating position for either the remote or hand
adjustable chokes:
a pressure gauge which indicates the drill pipe pressure at the drill floor; and
a pressure gauge which indicates the casing string/drill string annulus pressure
at a known point upstream of the choke.
Blow-out preventers which are installed on the ocean floor should be provided with duplicate
sets of control lines from the master control panel on the drill floor to the various components
of the blow-out preventer stack. Each control line should contain a connector-control pod
located at the top of the blow-out preventer stack to enable disconnection from the blow-out
preventer stack for essential maintenance or in times of emergency.
The following mud system monitoring equipment, with drill floor indicators, should be
installed and used during all drilling operations after setting and cementing the conductor
casing string:
Page 47
a recording mud pit level indicator to determine mud pit volume gains and
losses. This indicator should include a visual and audible warning device;
a mud volume measuring device for accurately determining the mud volumes
required to fill the hole on trips;
a mud return of full hole indicator to determine when returns have been
obtained, when they occur unintentionally, and when returns essentially equal
the pump discharge rate; and
a mud gas monitoring device to determine the concentrations of gas in the
drilling mud.
Drilling operations should not be commenced or continued unless the drilling rig is equipped
with a penetration rate recorder that will give a clear indication of a change in formation that
can be used as a guide to warn against approaching areas of abnormal pressure. This should
be maintained in good working order and be in continuous operation while drilling.
5.6.2 Production
Pipelines
A pipeline ESD valve (ESDV) capable of blocking flow should be installed and maintained.
The ESDV should be:
held open by electrical , hydraulic or other signal, failure of which will cause
auto closure;
capable of closure by a person adjacent to it and automatically as part of ESD
function;
capable of allowing passage of equipment if the pipeline is so designed (e.g.
pigs);
fire/explosion/impact protected.
Upon closure of a pipeline ESD valve:
The Person in Charge (PIC) ensures that all connected facility PICs are
informed;
valve only to be re-opened upon authorisation of facility PIC following
consultation with PICs of connected facilities;
ESDV should be used for blocking only and not for flow control.
Further, the ESDV:
should be located such that it can be safely/fully inspected, maintained and

tested;
should not be submerged or submergible if a fixed platform;
should, if non-fixed, be as near as practicable to a flexible line where part of
the riser is tensioned; otherwise above highest wave crest and quick disconnect
fittings;
Page 48
should be located such that base of riser is as short a distance as practicable

away.
Pipeline ESDVs are:
inspected for external leak/damage/external corrosion every 3 months;

motion tested from a local closure station every 6 months;
fully function tested through action of the platform ESD system every 12
months.
Test records should include:
ESDV identity;
pipeline title holder; facility owner and Person In Charge;
date of test;
name, qualifications and employer of test personnel;
test procedures and equipment particulars;
damage/defect and action taken/proposed for remedy.
Wells
A failsafe surface controlled sub-surface safety valve (SCSSV) should be installed in the
tubing string at least 30 metres below the mudline or below the depth of the deepest
installation pipe penetration, and it should be controlled through the installation emergency
shutdown system.
A well that is capable of naturally flowing hydrocarbons should have an approved subsurface
safety device. This device should close if the wellhead or production equipment is damaged
resulting in a surface leak. The device should be function tested on a regular basis and where
testing indicates it may not work, be repaired or replaced immediately.
5.6.3 Marine
The MODU Code requires that, for machinery and working spaces, the following systems
should be capable of being shut down/closed from outside the space in an emergency
situation:
ventilation fans serving an area;

doorways;
ventilators;
annular spaces around funnels and entries to such spaces;
forced/induced fan drives;
electric motor pressurisation fans;
oil fuel transfer and unit pumps; and
valves/cocks on suction lines from storage, settling tank or daily service tank,
above the double bottom.
Page 49
6.0 HEATING, VENTILATION AND AIR CONDITIONING
6.1 ROLE
Prevention of the accumulation of hydrocarbon gas to flammable concentrations.
6.2 FUNCTION
The HVAC system may act to prevent accumulations of hydrocarbon gas to flammable
concentrations through provision of a copious air flow through an area or prevent ingress by
maintaining a space at a higher pressure to an adjacent one.
In the case that a flammable concentration of gas is detected, the HVAC system in hazardous
areas may be shut down or allowed to continue operation, depending upon the overall safety
system philosophy for the facility. Normally the supply of air to non hazardous areas would
be sustained upon gas detection in a hazardous area to prevent ingress of a flammable
concentration.
In the case that hydrocarbon gas is detected at the inlets to non hazardous spaces, the HVAC
system would normally be shutdown to prevent ingress of the gas.
6.3 RELATIONSHIP
6.3.1 Fire and Gas Detection (Section 4.0)
F&G detection of gas at the ventilation inlets of safe spaces, such as control rooms or
accommodation modules, may cause shutdown of HVAC fans and/or dampers in HVAC
trunking.
6.4 DESIGN
releases and fires/explosions. In the case of hydrocarbon gas/vapour releases, it is possible to
prevent the accumulation of hydrocarbon to a flammable level through the application of
natural or forced ventilation.
Where facilities are open or partially open to the elements, careful consideration of prevailing
wind directions and the siting of vents can act to provide a significant flow of air which
prevents the build up of flammable concentrations of hydrocarbons in the event of a leak.
In the case of facilities that have enclosed spaces, a mechanical means is used to provide
ventilation for comfort and as a safety measure. In the context of the HVAC system as a
safety measure, a number of strategies may be employed, such as:
Page 50
Control rooms, spaces normally occupied by personnel, and spaces which

contain hydrocarbon processing equipment may be maintained at a positive
pressure (i.e. a pressure above atmospheric). This pressurisation acts to
exclude hydrocarbons from the safe area thereby preventing a fire in these
spaces.
The use of positive pressure to protect a space as detailed above requires that
the ventilation system inlet is not effected by a hydrocarbon release. Gas
detection and fire dampers are used to prevent the ingress of gas or smoke in
cases where HVAC inlets are inundated with gas or smoke respectively. The
selection of ventilation inlet locations should be made to ensure, as far as
practicable, that they can provide clean air at all times.
Enclosed spaces which contain hydrocarbon processing equipment are
designated hazardous areas. These spaces may be provided with forced
ventilation to dilute and carry away any gas/vapour hydrocarbon releases. The
decision to provide such ventilation will include consideration of whether the
space will be visited by personnel and may determine, or be determined by, the
ignition rating of equipment in the space. Where personnel may visit the
space, an accumulation of gas/vapour may have the potential to cause a death
by poisoning or asphyxiation through its accumulation in dead areas in the
module, particularly in the case where the hydrocarbon is heavier than air.
Protection of Non Hazardous Areas
The use of enclosed modules and positive pressurisation for the protection of non hazardous
areas from hazardous area atmospheres should be specified and applied wherever possible in
the design and construction of offshore installations.
Such modules should have airlock protection at access points and the pressurised area should
be monitored and equipped with pressure drop alarm and shutdown systems.
Separation of areas by fire and/or blast walls, appropriate to the risk from process areas, is
recommended.
Accommodation and control centres should be protected by fire and/or blast walls or located
remotely.
6.6.1 Drilling
Page 51
6.6.2 Production
6.6.3 Marine
The MODU Code defines the following requirements for the HVAC system:
enclosed hazardous areas are ventilated;

for mechanical ventilation, hazardous areas should be maintained at a pressure
below non hazardous areas;
air inlets for hazardous areas are to be taken from non hazardous areas. Where
a duct passes through a more hazardous area enroute, the pressure in the duct
should be above the pressure of the more hazardous area;
exhaust should be to an outdoor area of the same or lesser hazard than the
ventilated space.
Page 52
7.0 EMERGENCY POWER
7.1 ROLE
Provide electrical supply to enable ongoing emergency and evacuation system operation in
the event of an emergency situation.
7.2 FUNCTION
In the context of safety systems, emergency power may be required to allow ongoing
monitoring of an event through the F&G system or for its control through the ESD system.
7.3 RELATIONSHIP
In the event of an emergency situation, many power sources are shut down. Several systems
require electrical power to operate and emergency power is provided to critical systems,
such as ESD (Section 5.0) and F&G (Section 4.0), thereby allowing the effective management
of an emergency situation. The Emergency Power system enables other safety systems in the
control of MAEs.
7.4 DESIGN
Emergency Power systems may be specified to support the safety systems for a period of 24
hours. Such a supply may be dedicated for each safety system or may be a single general
system.
Emergency power sources may comprise uninterruptible power supplies (UPS) and/or a
compression ignition or gas turbine, with a fuel of flash point greater than 43 degree Celsius.
The source of emergency power should be located outside any hazardous areas and should be
independent and remote from the main electrical power source(s) for the facility.
Suggested UPS Autonomy Times

System Autonomy Time (hrs:mins)
Fire and Gas detection, and alarm. 03:00
Emergency Shutdown and depressurising. 00:30
Process monitoring and control. 00:45
PA, facility audible alarms and status lights. 03:00
SOLAS communications equipment. 24:00
Emergency and escape lighting. 01:30
Navigational aids and helideck lighting. 96:00
Note: These autonomy times should not be reduced, even in cases where an emergency diesel generator is
installed to provide back up supply to UPS units.
Page 53
The emergency power source should come into operation upon loss of main power. In the
event of a generator being the source of emergency power, it should be possible to start it
independent of the automatic start mechanism.
Emergency generator automatic starting mechanisms should not be inhibited in the event that
hydrocarbon gas is present at the generator.
7.6.1 Drilling
7.6.2 Production
7.6.3 Marine
SOLAS defines the following requirements for emergency power systems.
Starting Arrangements for Emergency Generating Sets
Emergency generating sets should be capable of being readily started in their cold condition at
a temperature of 0oC. If this is impracticable, or if lower temperatures are likely to be
encountered, provision acceptable to the Administration should be made for the maintenance
of heating arrangements, to ensure ready starting of the generating sets.
Each emergency generating set arranged to be automatically started should be equipped with
starting devices approved by the Administration, with a stored energy capability of at least
three consecutive starts. A second source of energy should be provided for an additional three
starts within 30 minutes unless manual starting can be demonstrated to be effective.
Ships constructed on or after 1 October 1994, in lieu of the provision of the second sentence
in the above paragraph, should comply with the following requirements:
The source of stored energy should be protected to preclude critical depletion

by the automatic starting system, unless a second independent means of
starting is provided. In addition, a second source of energy should be provided
for an additional three starts within 30 minutes unless manual starting can be
demonstrated to be effective.
Page 54
The stored energy should be maintained at all times, as follows:
electrical and hydraulic starting systems should be maintained from the

emergency switchboard;
compressed air starting systems may be maintained by the main or auxiliary
compressed air receivers through a suitable non return valve or by an
emergency air compressor which, if electrically driven, is supplied from the
emergency switchboard;
all of these starting, charging and energy storing devices should be located in
the emergency generator space. These devices are not to be used for any
purpose other than the operation of the emergency generating set. This does
not preclude the supply to the air receiver of the emergency generating set
from the main or auxiliary compressed air system through the non return valve
fitted in the emergency generator space.
Where automatic starting is not required, manual starting is permissible, such as manual
cranking, inertia starters, manually charged hydraulic accumulators, or powder charge
cartridges, where they can be demonstrated as being effective.
When manual starting is not practicable, the requirements of the above should be complied
with, except that starting may be manually initiated.
The MODU Code defines the following requirements for systems which are the subject of
these Guidelines.
Emergency Source of Electrical Power
Every unit should be provided with a self contained emergency source of electrical power.
The emergency source of power, the transitional source of emergency power and the
emergency switchboard should be located above the worst damage waterline and be readily
accessible. They should not be forward of the collision bulkhead, if any.
The location of the emergency source of power, the transitional source of emergency power
and emergency switchboard in relation to the main source of electrical power should be such
as to ensure to the satisfaction of the Administration that a fire or other casualty in the space
containing the main source of electrical power or in any machinery space of Category A will
not interfere with the supply or distribution of emergency power.
As far as practical, the space containing the emergency source of power, the transitional
source of emergency power and the emergency switchboard should not be contiguous to
boundaries of machinery spaces of Category A or of those spaces containing the main source
of electrical power.
Where the emergency source of power, the transitional source of emergency power, and the
emergency switchboard are contiguous to the boundaries of machinery spaces of Category A,
or to those spaces containing the main source of electrical power, or to spaces of Zone 1 or
Zone 2, the contiguous boundaries should be in compliance with 9.1 of the MODU Code.
Page 55
Provided that suitable measures are taken for safeguarding independent emergency operation
under all circumstances, the emergency switchboard may be used to supply non emergency
circuits, and the emergency generator may be used exceptionally and for short periods to
supply non emergency circuits.
For units where the main source of electrical power is located in two or more spaces which
have their own systems, including power distribution and control systems completely
independent of the systems in the other spaces and such that a fire or other casualty in any one
of the spaces will not affect the power distribution from the requirements, may be considered
satisfied without an additional emergency source of electrical power, provided that the
Administration is satisfied (see MODU Code for considerations).
The power available should be sufficient to supply all those services that are essential for
safety in an emergency, due regard being paid to such services as may have to be operated
simultaneously. The emergency source of power should be capable, having regard to starting
currents and the transitory nature of certain loads, of supplying simultaneously at least the
following services for the periods specified hereinafter, if they depend upon an electrical
source for their operation.
For a period of 18 hours:
fire and gas detection and their alarm systems;

intermittent operation of the manual fire alarms and all internal signals that are
required in an emergency; and
the capability of closing the blow-out preventer and of disconnecting the unit
from the well head arrangement, if electrically controlled;
unless they have an independent supply from an accumulator battery suitably located for use
in an emergency and sufficient for the period of 18 hours.
The emergency source of power may be either a generator or an accumulator battery.
Where the emergency source of power is a generator it should be:
driven by a suitable prime mover with an independent supply of fuel having a

flashpoint of not less than 43C;
started automatically upon failure of the normal electrical supply unless a
transitional source of emergency power is provided; where the emergency
generator is automatically started, it should be automatically connected to the
emergency switchboard; fire and gas, emergency shutdown and BOP services
should then be connected automatically to the emergency generator; and unless
a second independent means of starting the emergency generator is provided,
the single source of stored energy should be protected to preclude its complete
depletion by the automatic starting system; and
provided with a transitional source of emergency power, unless the emergency
generator is capable of supplying the emergency services and of being
automatically started and supplying the required load as quickly as is safe and
practicable but in not more than 45 seconds.
Where the emergency source of power is an accumulator battery it should be capable of:
Page 56
carrying the emergency load without recharging while maintaining the voltage
of the battery throughout the discharge period within plus or minus 12% of its
nominal voltage;
automatically connecting to the emergency switchboard in the event of failure
of the main power supply; and
immediately supplying fire and gas, emergency shutdown and BOP services.
The transitional source or sources of emergency power, where required, should consist of an
accumulator battery suitably located for use in an emergency. This should operate without
recharging whilst maintaining the voltage of the battery throughout the discharge period
within plus or minus 12% of it nominal voltage. It should be of sufficient capacity, and so
arranged, as to supply automatically in the event of failure of either the main or the
emergency source of power, critical systems (including fire and gas, emergency shutdown
and BOP services) for a minimum of thirty minutes if they depend upon an electrical source
for their operation.
The emergency switchboard should be installed as near as is practicable to the emergency

source of power and, where the emergency source of power is a generator, the emergency
switchboard should preferably be located in the same space.
No accumulator battery fitted in accordance with this requirement for emergency or

transitional power supply should be installed in the same space as the emergency switchboard,
unless appropriate measures to the satisfaction of the Administration are taken to extract the
gases discharged from the said batteries. An indicator should be mounted in a suitable place
on the main switchboard, or in the machinery control room, to indicate when the batteries
constituting either the emergency source of power or the transitional source of power are
being discharged.
The emergency switchboard should be supplied in normal operation from the main
switchboard by an interconnector feeder which should be adequately protected at the main
switchboard against overload and short circuit. The arrangement at the emergency
switchboard should be such that the interconnector feeder is disconnected automatically at the
emergency switchboard upon failure of the main power supply. Where the system is arranged
for feedback operation, the interconnector feeder should also be protected at the emergency
switchboard at least against short circuit.
In order to ensure ready availability of emergency supplies, arrangements should be made

where necessary to disconnect non emergency circuits automatically from the emergency
switchboard to ensure that power is available automatically to the emergency circuits.
The emergency generator and its prime mover and any emergency accumulator battery should
be designed to function at full rated power when upright, and when inclined up to a maximum
angle of heel in the intact and damaged condition (see MODU Code Chapter 3). In no case
need the equipment be designed to operate when inclined more than:
25 in any direction on a column-stabilized unit;

15 in any direction on a self elevating unit; and
22.5 about the longitudinal axis and/or when inclined 10 about the transverse
axis on a surface unit.
Page 57
Provision should be made for the periodic testing of the complete emergency system. This
should include the testing of automatic starting arrangements.
Alarm system
An alarm system should be provided in the main machinery control station giving audible and
visual indication of any fault requiring attention. It should also:
activate an audible and visual alarm at another normally manned control

station;
activate the engineers alarm or an equivalent alarm acceptable to the
Administration, if an alarm function has not received attention locally within a
limited time;
as far as is practicable, be designed on the fail-to-safety principle; and
when in the marine mode, activate an audible and visual alarm on the
navigating bridge for any situation which requires action by the officer on
watch or which should be brought to his attention.
The alarm system should be continuously powered with automatic changeover to a stand by
power supply in case of loss of normal power supply.
Failure of the normal power supply of the alarm system should be alarmed.
The alarm system should be able to indicate at the same time more than one fault and the
acceptance of any alarm should not inhibit another alarm.
Alarms should be maintained until they are accepted and the visual indications should remain
until the fault has been corrected, when the alarm systems should automatically reset to the
normal operating condition.
Special Requirements for Machinery, Boiler and Electrical Installations
Special requirements should be to the satisfaction of the Administration. In any case

generating capacity should be maintained for safe navigation and safety on the unit.
Where stand by machines are required for other auxiliary machinery essential to propulsion,
automatic change over devices should be provided. An alarm should be given on automatic
change over.
Automatic control systems should be designed such that they ensure services for operation of
the main propulsion machinery and its auxiliaries are maintained.
In the case of internal combustion engines, means should be provided to keep starting air
pressure at the required level.
Alarm systems, compliant with 8.7 (of the MODU Code), should be provided for all
important pressure, temperature and fluid levels and other essential parameters.
Page 58
8.0 HYDROCARBON DISPOSAL
8.1 ROLE
To divert or remove hydrocarbons from one location to another, thereby reducing the effect of
an emergency event.
8.2 FUNCTION
In the case of drilling systems in the early stages of an exploration/development well, a

diverter is deployed to deflect uncontrolled well flow, should it occur, away from the drill
floor and other manned locations.
In the case of process systems, hydrocarbon disposal is most generally the depressurisation or
blow down of process vessels. Through reduction in pressure of vessels, large quantities of
hydrocarbon gas/vapour are removed to a safe location. The depressurisation reduces the
likelihood and consequences of an existing fire escalating to other process sections. The
effective operation of the blow down system generally is dependent upon the successful
operation of the ESD system in segregating the process system into isolated sections.
8.3 RELATIONSHIP
Hydrocarbon disposal systems are used to reduce the amount of hydrocarbons available to
feed a fire or to remove hydrocarbons which an existing fire may escalate to, thereby
worsening the original event. These systems are generally initiated by the ESD system
(Section 5.0) after the hydrocarbon process has been isolated (i.e. once flow into and out of
system segments has been shut down).
8.4 DESIGN
The safe removal of hydrocarbons from process equipment in the event of a leak may reduce
the duration and size of a fire. It may also prevent the escalation of a fire from one part of the
hydrocarbon processing system to another. Both of these effects act to reduce the impact of a
hydrocarbon release, especially when the release has been ignited.
Various forms of relief devices may be used to prevent an undesired release of hydrocarbons.
Pressure relief valves and bursting discs, for example, may relieve a build up of pressure in a
process component, thereby preventing its failure. These devices are complemented by drain
(i.e. over pressure due to liquid) and vent (i.e. over pressure due to gas) systems which
remove any hydrocarbon to a safe place. Action of these devices is symptomatic of a process
system problem which must be addressed to allow production to continue. They provide for a
controlled failure of the system as a planned event rather than a undesired equipment failure.
The activation of these systems is due to an intrinsic property of the processing system (e.g.
the effect of high pressure).
Page 59
Successful activation of the ESD system to shut process components down may be followed
by the removal of hydrocarbons by executive action. The most common means of doing this
is through the activation of blow down valves (BDVs) on the gas side of process components.
Hydrocarbon gas is blown down to a safe area for venting to atmosphere through suitably
designed piping. A knock out drum may be used to remove hydrocarbon liquids prior to
venting. The design of blow down systems for pressurised hydrocarbon process equipment is
the subject of API RP 521.
The removal of hydrocarbon liquid in offshore facilities has generally received less attention
than that paid to the removal of gas. This is because the pressure driving a liquid release
rapidly drops to the hydrostatic head of liquid. In contrast the pressure driving the release of a
gas or flashing liquid is sustained by the compressible nature of the hydrocarbon being
released.
8.4.1 Blowdown Valves
See Section 2.6.15.4.
8.4.2 Gas Flaring Stacks
Gas flaring stacks and installations should incorporate a flame arrestor and/or continuous
purge. Additionally, the following precautions should be taken:
Flare stacks should be located so that any fluid carry over will not be deposited
on process or other operating areas by prevailing winds;
Reliable and safe means of remote ignition and re-ignition should be provided;
Fire control equipment should be installed in areas adjacent to the flare stack
for use in an emergency.
8.4.3 Crude Oil Burners and Booms
Crude oil burners and booms for use in oil disposal during well testing should be located as
far as possible from wellhead and separating equipment and with due regard for prevailing
wind effects. The following precautions should be taken:
the fitting of two separate burners, located to give flexibility in dealing with
wind direction effects, should be considered;
effective heat shielding of the installation structure should be provided by a
water spray curtain or similar arrangement to control heat build up when
flaring during extended tests or large production rates;
reliable and safe means of remote ignition and re-ignition should be provided;
access to flaring areas should be restricted to personnel actually involved with
the operation and the control of other operations which may be ongoing during
flaring should be considered.
Page 60
8.6.1 Drilling
8.6.2 Production
8.6.3 Marine
Page 61
APPENDIX A
GLOSSARY
Page 62
ABBREVIATIONS
The following abbreviations are used throughout these Guidelines.
AC Alternating Current
ALARP As Low As Reasonably Practicable
API American Petroleum Institute
APPEA Australian Petroleum, Production & Exploration Association Pty Ltd
AS Australian Standard
BDV Blow Down Valve
BOP Blow Out Preventer
DHSV Down Hole Safety Valve
DISR Department of Industry, Science and Resources
ESD Emergency Shut Down
ESDV Emergency Shut Down Valve
ESSA Emergency Systems Survivability Analysis
FD Facility Description
F&G Fire and Gas
FMEA Failure Modes and Effects Analysis
FPSO Floating Production, Storage and Offloading
FSA Formal Safety Assessment
HAZOP Hazard and Operability Study
HSE Health, Safety and Environment
HVAC Heating, Ventilation and Air Conditioning
IR Ionised Radiation
ISO International Standards Organisation
kW Kilowatt
LFL Lower Flammable Limit
MAE Major Accident Event
MODU Mobile Offshore Drilling Unit
MTBF Mean Time Between Failures
MTTR Mean Time to Repair
NFPA National Fire Protection Association
OIM Offshore Installation Manager
PA Public Address
PES Programmable Electronic System
PIC Person in Charge
PSD Process Shut Down
PTW Permit to Work
P(SL)A Petroleum (Submerged Lands) Act
QA Quality Assurance
SC Safety Case
SCSSV Sub-Surface Safety Valve
SIL Safety Integrity Level
SOLAS Safety of Life at Sea
SMS Safety Management System
UKOOA United Kingdom Offshore Operators Association
UPS Uninterruptible Power Supply
UV Ultra Violet
Page 63
REFERENCE DOCUMENTS
DISR
Guidelines for Preparation and Submission of Safety Cases: Section 5, General Safety
Guidelines, 1995.
UK HSE/HSC
Guidance on Design, Construction and Certification of Offshore Installations UK HSE
1990.
Prevention of Fire and Explosion, and Emergency Response on Offshore Installations
Guidance by UK HSC, 1995.
NORWEGIAN PETROLEUM DIRECTORATE (NPD)
Guidelines to regulations relating to safety and communication systems. Issued by the
Norwegian Petroleum Directorate February 1992.
AMERICAN PETROLEUM INSTITUTE
RP14C: Recommended Practice for Analysis, Design, Installation and Testing of Basic
Surface Safety Systems on Offshore Production Platforms, Sixth Edition, March 1998.
RP14G: Recommended Practice for Fire Prevention and Control on Open Type Offshore
Production Platforms, Third Edition, December 1993.
INSTITUTE OF PETROLEUM
Model Code of Safe Practice for the Petroleum Industry, Part 8: Drilling and Production
Safety Code for Operations Offshore, Third Edition, 1991.
UKOOA
Instrument Based Protective Systems, 1995.
Management of Safety-Critical Elements, 1996.
IMO
SOLAS Consolidated Edition, 1974-1998.
MODU Code, 1989.
IEC/AS
IEC/AS61508, Parts 1-7: Functional Safety of Electrical/Electronic/Programmable
Electronic Safety Related Systems.
IEC61511, Parts 1-3: Functional Safety Instrumented Systems for the Process Industry
Sector.
Page 64

APPEA Emergency Support Systems Guide

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

APPEA Emergency Support Systems Guide

Uploaded by

Copyright:

Available Formats

GUIDELINES FOR

Australian Petroleum Production & Exploration Association Limited

ACN 000 292 713 ISBN 0 908277 25 3

The Commonwealth Government Department of Industry, Science and Resources (DISR)

The three main sections are:

Facility Description (FD);

Safety Management System (SMS); and

Formal Safety Assessment (FSA).

1.0 INTRODUCTION ................................................................................................................................. 1

3.5 OPERATION & MAINTENANCE ............................................................................................................ 32

7.0 EMERGENCY POWER ..................................................................................................................... 53

1.1 PURPOSE AND SCOPE

1.2 RELATIONSHIP WITH REGULATIONS

The principal components are:

Guidelines for Emergency Support Systems

Safety Management P(SL)A

Safety Systems - General

Process Shut Down

Formal Safety HVAC Systems Major Accident

Fire Risk Analysis

Fire protection systems

Work permit systems

DISR Guidelines for Preparation

Upstream General Guidelines

2.0 SAFETY SYSTEMS GENERAL

2.1 SAFETY CASE

2.1.1 Facility Description

Emergency Power, Communications and Lighting;

2.1.2 Safety Management System

Of particular relevance in the definition, design, installation, operation and maintenance of

Risk Assessment and Management; (see Hazards Management Process, below)

2.1.3 Formal Safety Assessment

2.2 HAZARD MANAGEMENT PROCESS

Emergency Shutdown (ESD) Systems, discussed further in Section 5.0;

It is common practice that, as a minimum, a facility safety system comprises an Emergency

prevent an uncontrolled or hazardous situation occurring;

Prevention Detection Control/Mitigation

Section 3.0: Process Shut Down

2.3 SAFETY SYSTEM METHODOLOGIES

a pragmatic and practical approach of what works (i.e. experience),

the development of methods to identify ways that undesirable events could

The evolutionary stages are compared and contrasted below.

Experience Hazard/ Deviation Risk/Lifecycle

Hazard & Risk

Allocation of Safety Operations &

Safety Systems - Safety Systems - Other Risk

Design, Implement, Develop Operations & Test

Operation & To Appropriate Stage in

2.3.2 Risk Based

Consequence Severity Personnel Exposure Alternatives to avoid

The severity of the safety consequences if the instrument protective function

2.3.3 Comprehensive Analysis

2.3.4 Performance Standards

The role of the system, or system component;

An example Performance Standard for High Pressure Protection on a separator is as follows:

Role Statement To prevent overpressurisation of the HP separator.

The functional relationship of these safety systems is presented below.

Section 4.0: Fire & Gas Section 5.0: Emergency

Shutdown signals to process

2.5 ACTIVITY/FACILITY TYPE

Drilling (i.e. drilling activities from any fixed installation);

Safety systems may include:

Fire and Gas detectors;

2.6.2 Failure to Safety Concept