OMV Exploration & Production GmbH

Philosophy for Emergency and Process Shutdown Systems Onshore

Document Number: TO-HQ-02-024 Rev 00

Revision history

Issue/Rev | Issue or Revision Description | Origin By | Date    | Chkd By | Date    | Appd By | Date    | Appd By | Date
00        | Final Issue                   | PJ        | 31/5/05 | JEA     | 31/5/05 | PZ      | 03/6/05 | MF      | 03/6/05
A2        | Client Comments Incorporated  |           |         |         |         |         |         |         |
00        | Issued for Comment/Approval   | PJ        | 3/12/04 |         |         |         |         |         |


Contents

1.0 PREFACE
2.0 DEFINITIONS
3.0 ABBREVIATIONS
4.0 INTRODUCTION
5.0 APPLICABLE CODES, STANDARDS AND REGULATIONS
    5.1 Codes and Standards List
    5.2 References
6.0 SYSTEM GOAL
7.0 SYSTEM BOUNDARIES
8.0 DESIGN PHILOSOPHY
    8.1 Level 1 Shutdown - Emergency Shutdown and Depressurisation of the Overall Plant
    8.2 Level 2 Shutdown - Emergency Shutdown for a Process Unit within the Plant
    8.3 Level 3 Shutdown - Process Shutdown for a Process Unit within the Plant
    8.4 Level 4 Shutdown - Process Train Shutdown within a Unit
    8.5 Level 5 Shutdown - Shutdown of Individual Equipment and Utilities
    8.6 General
9.0 GENERAL REQUIREMENTS
    9.1 Initiating Devices
    9.2 Push-buttons and Indicators
    9.3 Logic Solver
    9.4 Capacity
    9.5 Power Supplies
    9.6 Panels
    9.7 Intertrips
    9.8 Relays
    9.9 Valves
10.0 DESIGN CONSIDERATIONS
    10.1 General
    10.2 Overrides
    10.3 Prealarms, Alarms and Monitoring
    10.4 Equipment Packages
    10.5 Safety System Distribution
    10.6 Safety System Breakdown
11.0 DESIGN CRITERIA
12.0 MAINTENANCE IN DESIGN
13.0 DOCUMENTATION REQUIREMENTS
14.0 CERTIFYING AUTHORITY REVIEW REQUIREMENTS


1.0 PREFACE

This Philosophy defines the OMV Exploration & Production GmbH corporate policy on the design of Emergency and Process Shutdown Systems for onshore hydrocarbon production and processing facilities. The document specifies basic requirements and criteria, defines the appropriate codes and standards, and assists in the standardisation of facilities design across all onshore operations.

The design process needs to consider project specific factors such as the location, production composition, production rates and pressures, the process selected and the size of the plant. This philosophy aims to address a wide range of the above variables; however, it is recognised that not all circumstances can be covered. In situations where project specific considerations may justify deviation from this philosophy, a document supporting the request for deviation shall be submitted to OMV E&P for approval.

Reference should be made to the parent of this philosophy, document number TO-HQ-02-001, for information on deviation procedures and Technical Authorities, general requirements, and definitions and abbreviations not specific to this document.

2.0 DEFINITIONS

There are no definitions with particular relevance to this document.

3.0 ABBREVIATIONS

The following abbreviation is relevant to this document:

TÜV   TÜV Rheinland Technical Inspection Organisation

4.0 INTRODUCTION

Most of the risks to safety in the oil and gas industry arise from the production process through the release of hydrocarbons. Hazards associated with the uncontrolled release of hydrocarbons are as follows:

- Over pressure
- Leak
- Liquid overflow
- Gas blowby
- Under pressure
- Over temperature
- Direct ignition source

Other hazards include equipment destruction due to high vibration, part failure, chemical reactions etc. This document describes the philosophy to be used for designing safety systems for onshore plants, to provide a means of protecting against these hazards and reducing the associated risk to ALARP.

5.0 APPLICABLE CODES, STANDARDS AND REGULATIONS

Codes, standards and regulations referred to in this philosophy shall be of the latest edition and shall be applied in the following order of precedence:

1. Local Regulations
2. The provisions of this document
3. International standards (e.g. ISO, IEC etc.)
4. National standards

Design of the emergency and process shutdown system shall comply with the standards listed within this philosophy; however, where local standards are more onerous, local standards shall apply.

5.1 Codes and Standards List

API RP 14C   Recommended Practice for Analysis, Design, Installation and Testing of Basic Surface Safety Systems for Offshore Production Platforms. (Note: although this has been written for offshore operations, it shall also be used for the purpose of onshore operations, with the exceptions noted within this document.)
IEC 60079    Electrical Apparatus for Explosive Atmospheres
IEC 60529    Ingress Protection Code
IEC 61508    Functional Safety of Electrical/Electronic/Programmable Electronic Safety Related Systems
IEC 61511    Functional Safety: Safety Instrumented Systems for the Process Industries
EN 50081/2   CENELEC Electromagnetic Compatibility: Generic Emission and Immunity Standards
IEC 61131-3  Programmable Controllers - Part 3: Programming Languages

5.2 References

TO-HQ-02-001  Develop Process Engineering Guidelines and Design Philosophies Overview
TO-HQ-02-021  Philosophy for Process Control Systems Onshore
TO-HQ-02-022  Philosophy for Wellhead Control Systems Onshore
TO-HQ-02-023  Philosophy for Safety Integrity Level Onshore
TO-HQ-02-025  Philosophy for Fire and Gas Systems Onshore
TO-HQ-02-034  Philosophy for Isolation of Process Systems Onshore
TO-HQ-02-035  Philosophy for Overpressure Protection and Safeguarding Onshore
TO-HQ-02-036  Philosophy for Flare, Relief and Blowdown Onshore
TO-HQ-02-039  Philosophy for Rotating and Reciprocating Equipment Onshore

6.0 SYSTEM GOAL

The goal of the safety system is firstly to protect personnel and secondly to protect plant and equipment, to help prevent pollution of the environment and to minimise process downtime. The safety system shall achieve its goal by:

- automatically sensing abnormal operation of equipment and process conditions outside the normal operating envelope,
- automatically shutting down plant and utilities to a safe state, in a controlled manner, on an abnormal condition,
- providing process isolation and venting under certain abnormal conditions,
- providing measures to prevent a consequential event from taking place,
- providing measures to limit the loss of containment,
- eliminating potential ignition sources,
- providing measures to limit the effects or escalation of a hazardous consequence,
- providing local and remote manual facilities for the shutdown and/or isolation and venting of various parts of the plant,
- providing audible and visual alarm information to alert the operator and to enable the operator to assess the situation,
- providing audible and visual alarm information to site personnel, where considered to be needed, for personnel to take any necessary action,
- providing economic and environmental protection.

7.0 SYSTEM BOUNDARIES

The boundary of the safety system is the:

- interface to the F&G system,
- interface to the HVAC system,
- interface to equipment control systems,
- interface to the PA system,
- interface to electrical systems.

The safety system shall include the interposing relay panels used for the above interfaces.

- Interface to the PCS and HMI
- Interface to high integrity pressure protection systems; refer to Document No TO-HQ-02-035 - Philosophy for Overpressure Protection and Safeguarding Onshore.

PSVs and bursting discs are excluded from this philosophy. Refer to Document No TO-HQ-02-036 - Philosophy for Flare, Relief and Blowdown Onshore.

8.0 DESIGN PHILOSOPHY

To minimise the interruption to production caused by a safety shutdown, the safety system should be divided into five hierarchical levels, with progressively wider impact on production. These levels of shutdown are as follows:

Level 1: Emergency shutdown and depressurisation of the overall plant
Level 2: Emergency shutdown for a process unit within the plant
Level 3: Process shutdown for a process unit within the plant
Level 4: Process train shutdown within a unit
Level 5: Shutdown of individual equipment and utilities

The safety system for some plants may not require all five levels of shutdown, because the plant is of a small physical size or is a single standalone process, making five levels of shutdown impractical. In this situation the lower hierarchical levels of shutdown may be omitted, with the devices associated with those levels reassigned to a higher level.

Each shutdown level shall be initiated either automatically, by an ESD/PSD field instrument or an intertrip from the F&G system, or manually, from a hard-wired push-button in the CCR or in the field. When a shutdown level is activated, all lower shutdown levels hierarchically connected to this level shall also be activated.

Each shutdown level shall have a manual shutdown push-button and a reset push-button. A level reset will only be enabled when all the trip initiators have returned to a safe condition. When a level is reset, all lower shutdown levels hierarchically connected to this level shall also be reset.

8.1 Level 1 Shutdown - Emergency Shutdown and Depressurisation of the Overall Plant

A Level 1 shutdown shall be initiated by detection of gas or fire by the F&G system in more than one unit area. A Level 1 shutdown shall shut down and depressurise the overall plant. This shall include:

- Isolation of all process units and blowdown of all hydrocarbon inventory
- Isolation of pipelines
- Tripping of all electrical equipment
- Initiation of audible and visual alarms at the CCR and throughout the plant

8.2 Level 2 Shutdown - Emergency Shutdown for a Process Unit within the Plant

A Level 2 shutdown shall be initiated by detection of gas or fire by the F&G system in the area local to the unit. The Level 2 shutdown will shut down the entire process unit by:

- Isolation of the process unit and blowdown of its hydrocarbon inventory
- Tripping of all electrical equipment within the unit
- Initiation of audible and visual alarms at the CCR and in the area local to the unit

8.3 Level 3 Shutdown - Process Shutdown for a Process Unit within the Plant

A Level 3 shutdown shall be initiated by a major process or utility failure that may affect all trains within a unit. A Level 3 shutdown will shut down the common equipment for the unit in which the abnormal condition occurs and initiate audible and visual alarms at the CCR.

8.4 Level 4 Shutdown - Process Train Shutdown within a Unit

A Level 4 shutdown will shut down the entire process train in which the abnormal condition is occurring and initiate audible and visual alarms at the CCR; it applies where there is no expected potential for the abnormal condition to propagate to a parallel train. Typical examples include high-high levels in vessels, where carryover of liquid can have adverse consequences on downstream equipment.

8.5 Level 5 Shutdown - Shutdown of Individual Equipment and Utilities

A Level 5 shutdown will shut down the piece of equipment required to bring an abnormal situation under control and initiate audible and visual alarms at the CCR; it applies where the situation has a low potential for escalation. A typical example is a low-low level in a process vessel, which closes an ESD valve in the vessel outlet line to prevent gas blowby to a lower rated vessel downstream.


8.6 General

Care should be taken to ensure equipment is shut down in an orderly manner, so that no consequential damage occurs as a result of the shutdown itself. An example is the tripping of a turbine: the lube oil system should be assigned to a higher level of shutdown than the turbine, so that a turbine trip does not also remove lubrication during run-down, minimising damage to the turbine.
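As an added example (not part of the OMV document), the following Python model implements the hierarchy rules of sections 8.0 to 8.6: a trip latches its own level and cascades to the lower connected levels; a reset is refused while any of the level's own initiators remains in the trip state and, when accepted, cascades downwards; and a Level 5 turbine trip leaves the lube oil pump, assigned to Level 4, running. The plant layout, the tag names and the rule that a level still held by a tripped higher level cannot be reset on its own are constructed assumptions.

```python
"""Model of the hierarchical shutdown levels described in section 8.

Added example, not part of the OMV document. Level numbering follows the
document: Level 1 is the widest shutdown, Level 5 the narrowest. A trip at
a level latches that level and every level hierarchically below it; a reset
is only accepted when all of the level's own initiators are back in the
safe state, and it cascades downwards in the same way.
"""
from dataclasses import dataclass, field


@dataclass
class ShutdownLevel:
    level: int                   # 1 (overall plant) .. 5 (single equipment item)
    name: str
    initiators: dict = field(default_factory=dict)   # initiator -> True while in trip state
    outputs: list = field(default_factory=list)      # devices de-energised by this level
    children: list = field(default_factory=list)     # lower levels connected to this one
    tripped: bool = False                            # latched trip state
    parent: "ShutdownLevel | None" = None

    def connect(self, child):
        child.parent = self
        self.children.append(child)
        return child

    def trip(self, initiator=None, log=None):
        """Latch this level and cascade the trip to all lower connected levels."""
        log = [] if log is None else log
        if initiator is not None:
            self.initiators[initiator] = True
        if not self.tripped:
            self.tripped = True
            log.append(f"L{self.level} {self.name} tripped: de-energise {self.outputs}")
        for child in self.children:
            child.trip(log=log)
        return log

    def clear(self, initiator):
        """The field condition behind an initiator has returned to the safe state."""
        self.initiators[initiator] = False

    def reset_permitted(self):
        # Assumption (not stated in the document): a level held tripped by a higher
        # level that is still tripped cannot be reset on its own.
        held_from_above = self.parent is not None and self.parent.tripped
        return not any(self.initiators.values()) and not held_from_above

    def reset(self, log=None):
        """Reset this level and cascade the reset to lower connected levels."""
        log = [] if log is None else log
        if not self.reset_permitted():
            log.append(f"L{self.level} {self.name} reset REFUSED (initiator active or held by higher level)")
            return log
        self.tripped = False
        log.append(f"L{self.level} {self.name} reset")
        for child in self.children:
            child.reset(log=log)
        return log


def build_plant():
    """Constructed plant: one unit with one train and two Level 5 items."""
    plant = ShutdownLevel(1, "plant ESD", outputs=["pipeline ESDVs", "all BDVs", "main switchboard"])
    unit_esd = plant.connect(ShutdownLevel(2, "unit A ESD", outputs=["unit A ESDVs", "unit A BDVs"]))
    unit_psd = unit_esd.connect(ShutdownLevel(3, "unit A PSD", outputs=["unit A common utilities"]))
    # Lube oil pump sits at Level 4 (section 8.6) so a turbine-only trip keeps it running.
    train = unit_psd.connect(ShutdownLevel(4, "train A1 PSD", outputs=["train inlet SDV", "lube oil pump"]))
    turbine = train.connect(ShutdownLevel(5, "turbine A1", outputs=["turbine fuel gas SDV"]))
    sep = train.connect(ShutdownLevel(5, "separator V-101 outlet", outputs=["V-101 outlet ESDV"]))
    return {"plant": plant, "unit_esd": unit_esd, "unit_psd": unit_psd,
            "train": train, "turbine": turbine, "separator": sep}


def tripped_names(nodes):
    return sorted(n.name for n in nodes.values() if n.tripped)


if __name__ == "__main__":
    p = build_plant()
    print("\n".join(p["turbine"].trip("turbine over-speed HH")))      # Level 5 only
    print(tripped_names(p))
    print("\n".join(p["unit_esd"].trip("F&G confirmed gas unit A")))  # cascades to L3, L4, L5
    print(tripped_names(p))
    print("\n".join(p["unit_esd"].reset()))                           # refused: initiator active
    p["unit_esd"].clear("F&G confirmed gas unit A")
    print("\n".join(p["unit_esd"].reset()))                           # unit resets; turbine stays
    print(tripped_names(p))
```

Running the module shows the turbine held tripped through the unit reset because its own over-speed initiator has not cleared, which is the behaviour section 8.0 asks for.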

9.0 GENERAL REQUIREMENTS

Design of the overall safety system shall comply with IEC 61511.

9.1 Initiating Devices

All field equipment should be of a proven type. All field instruments located in hazardous areas should be Ex d (flameproof), as no auxiliary equipment (such as intrinsic safety barriers) is needed, giving higher reliability. All field elements measuring the process conditions shall have a separate tie-in to the process via an isolation valve; refer to Document No TO-HQ-02-034 - Philosophy for Isolation of Process Systems Onshore.

Transmitters, rather than switches, are preferred for trip functions and shall be used wherever possible. Transmitters should be of a smart type and be HART compliant. Transmitters should be configured to fail in the trip condition, with the exception of transmitters configured as a 1oo2 input to the logic solver. Switches shall be configured so that the contacts are closed circuit in the normal condition and open circuit in the abnormal condition. Fieldbus equipment shall not be used in the safety system.

All analogue inputs to the safety system will be 4-20 mA signals, from which the trips are created in the logic solver. The safety system shall monitor each analogue signal for fault conditions and create a failure alarm to the PCS. The output circuit to a field device shall be via normally energised contacts that de-energise and open to trip. PCS transmitters and safety system transmitters that monitor the same part of the process shall be calibrated with the same range.
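The following Python example, added here and not taken from the document, shows how a logic solver derives a trip from a 4-20 mA input in the way section 9.1 requires: fail-to-trip on a signal fault, the exception for a channel that is one input of a 1oo2 group, normally closed switch contacts that read as a trip when open, and a normally energised output that de-energises to trip. The fault bands (below 3.6 mA, above 21.0 mA) follow the NAMUR NE 43 convention, which the document does not reference, and the tag names, ranges and setpoints are constructed.

```python
"""Trip derivation from a 4-20 mA analogue input, as required by section 9.1.

Added example, not from the OMV document. The trip is created inside the
logic solver from the live 4-20 mA value; the signal is monitored for fault
conditions and a fault alarm is raised to the PCS. The fault bands used here
(below 3.6 mA or above 21.0 mA) follow the NAMUR NE 43 convention, which the
document does not name; they are an assumption of this example.
"""
from dataclasses import dataclass

FAULT_LOW_MA = 3.6    # assumed NE 43 under-range / wire-break band
FAULT_HIGH_MA = 21.0  # assumed NE 43 over-range / short-circuit band


@dataclass(frozen=True)
class Channel:
    tag: str
    range_low: float      # engineering value at 4 mA
    range_high: float     # engineering value at 20 mA
    trip_setpoint: float  # engineering units
    trip_on_high: bool    # True: trip when value >= setpoint; False: trip when <= setpoint


def scale(ch, ma):
    """Convert a live current into engineering units over the 4-20 mA span."""
    return ch.range_low + (ma - 4.0) * (ch.range_high - ch.range_low) / 16.0


def evaluate(ch, ma, voting="1oo1"):
    """Return (trip_demand, fault_alarm, description) for one channel sample.

    A faulted signal on a single-channel (1oo1) input is driven to the trip
    state, as section 9.1 requires. For a channel that is one input of a
    1oo2 group the document exempts it from fail-to-trip: the fault is
    alarmed and the channel is excluded from voting instead.
    """
    if ma < FAULT_LOW_MA or ma > FAULT_HIGH_MA:
        fail_to_trip = voting != "1oo2"
        return fail_to_trip, True, f"{ch.tag}: signal fault {ma:.2f} mA"
    value = scale(ch, ma)
    tripped = value >= ch.trip_setpoint if ch.trip_on_high else value <= ch.trip_setpoint
    return tripped, False, f"{ch.tag}: {value:.1f} {'TRIP' if tripped else 'healthy'}"


def vote_1oo2(ch_a, ma_a, ch_b, ma_b):
    """Trip if either healthy channel demands it. A single faulted channel only
    alarms, so the group degrades to 1oo1 rather than tripping spuriously.
    Both channels faulted is treated as a trip (assumption of this example)."""
    trip_a, fault_a, _ = evaluate(ch_a, ma_a, voting="1oo2")
    trip_b, fault_b, _ = evaluate(ch_b, ma_b, voting="1oo2")
    if fault_a and fault_b:
        return True, True
    return trip_a or trip_b, fault_a or fault_b


def switch_input(contact_closed):
    """Section 9.1: contacts are closed in the normal condition and open on an
    abnormal condition, so an open circuit (or broken wire) is a trip demand."""
    return not contact_closed


def output_state(trip_demand):
    """Section 9.1: output circuits are normally energised and de-energise to
    trip. Returns True while the output coil is energised."""
    return not trip_demand


if __name__ == "__main__":
    # Constructed separator pressure channel: 0-100 barg, trip HH at 85 barg.
    pt_a = Channel("PZT-101A", 0.0, 100.0, 85.0, trip_on_high=True)
    pt_b = Channel("PZT-101B", 0.0, 100.0, 85.0, trip_on_high=True)
    for ma in (12.0, 18.0, 2.1, 22.5):
        print(evaluate(pt_a, ma))
    print("1oo2, channel A faulted:", vote_1oo2(pt_a, 2.1, pt_b, 12.0))
    demand = switch_input(contact_closed=False)
    print("switch open -> trip demand", demand, "| output energised:", output_state(demand))
```

The 1oo2 branch is where the section's exception matters: forcing a faulted channel to the trip state inside a 1oo2 group would turn every transmitter fault into a spurious shutdown, so the fault is alarmed and the remaining channel carries the function until the repair.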

9.2 Push-buttons and Indicators

The following colours and types of indicators and switches should be used:

- Manual shutdown push-buttons used on the safety system should be of the mushroom type, coloured red, and should latch in the depressed position with twist to reset. These push-buttons should also be provided with protection, such as covers or redundancy, to prevent accidental actuation.
- Lamp test switches shall be momentary spring-return, coloured white.
- Reset switches shall be momentary spring-return, coloured green.
- Process override switches (POS) should be momentary key switches.
- Maintenance override switches (MOS) should be key switches, with the key only removable in the non-override state.
- MOS and POS override indicators should be coloured amber.
- Tripped output status indicators should be coloured red.

All push-buttons causing executive action shall be double-pole switches to provide redundancy and increase their reliability.

9.3 Logic Solver

The logic solver may consist of:

- simple pneumatic or hydraulic logic,
- relay based system logic,
- solid state system logic,
- programmable system logic,
- or a combination of the above.

Selection of the system to use depends on the safety and plant availability requirements, reliability, complexity, overall costs, and the required operability of the system. The design and manufacture of the logic solver shall be fully compliant with IEC 61508. The preferred selection of logic solver is as follows:

Simple pneumatic or hydraulic logic
This should be used for small units or equipment that are independent and require only a simple safety system, such as a local shutdown that will have no effect on the safety or operability of other parts of the plant.

Relay based system logic
This should be used for small units or equipment that are independent and require only a simple safety system, such as a local shutdown that will have no effect on the safety or operability of other parts of the plant.

Solid state system logic
Solid state systems are preferred for loops assigned Safety Integrity Level (SIL) 3. The hardware for solid state systems shall be of a proven design with TÜV or equivalent certification for compliance with IEC 61508.

Programmable system logic
This is the preferred system for SIL 2 and below. Where programmable systems are used, the software for the algorithms used to build the logic shall be a tried and tested product with TÜV or equivalent third party approval for compliance with IEC 61508. The hardware for programmable systems shall be of a proven design with TÜV or equivalent certification for compliance with IEC 61508. The manufacturer or supplier of a programmable system shall have experience in the supply and design of safety systems compliant with IEC 61508 or equivalent. Application software shall be designed in accordance with IEC 61131-3 and IEC 61511-1 section 12.

In order to minimise revalidation and testing requirements, loops assigned SIL 3 shall be implemented in the safety system by a section of the logic solver segregated and independent from all other parts of the logic solver.

9.4 Capacity

The design of the safety system should allow a minimum of 20% spare capacity for future expansion.


9.5 Power Supplies

The safety system shall be powered from redundant UPSs via redundant power distribution boards. The incomers at the safety system, from each UPS supply, shall have an isolation switch. The UPSs shall be fed from the emergency switchboard and have a minimum self-sufficiency of 1 hour battery back-up. Power supply units within the safety system will be 100% redundant.

Field outputs to solenoid valves should all be 110 Vdc with a centre tap to earth (i.e. +55 Vdc to -55 Vdc supplies), or all +24 Vdc to 0 Vdc. The 110 Vdc supply for solenoids is the preferred choice for large sites because of cable sizing needs over long distances.

Power supplies should be distributed into separate protected feeds to the various parts of the logic solver and field I/O, to minimise the possibility of common mode failure. Design of the power distribution should ensure that interference caused by back EMF from relay and solenoid coils does not affect the reliability of the logic solver.

9.6 Panels

Panels used to house parts of the safety system should be mounted in a controlled environment and shall have a minimum ingress protection rating of IP42 (IEC 60529).

9.7 Intertrips

All safety system intertrips to other systems (e.g. electrical generation, distribution, motor control) and to remote parts of the safety system shall power the coil of a hermetically sealed interposing relay, a volt-free contact of which shall open to provide the subsequent trip. All intertrips to the safety system from other systems and from remote parts of the safety system shall be via a volt-free contact that opens upon a trip. This provides segregation between systems and removes potential earthing problems.

9.8 Relays

Relays used within the safety system shall be of a proven and hermetically sealed type. Relays shall be configured to de-energise to trip.


9.9 Valves

Solenoid valves shall de-energise to trip their associated valve. All solenoid valves controlling boundary isolation and blowdown valves shall have a manual reset. Valves used by the safety system shall be of a proven type and suitable for the process and environmental conditions. Refer to Document No TO-HQ-02-039 - Philosophy for Rotating and Reciprocating Equipment Onshore for valve selection. Valves used by the safety system shall have their open and closed position status input to the PCS.

10.0 DESIGN CONSIDERATIONS

10.1 General

The design of the safety system should take account of the following:

- Life cycle costs as well as the capital cost, for example testing costs, false trip costs, and commissioning and modification costs.
- Human factors.
- Preventing nuisance trips. Although 1ooN voting is good from a safety architecture position, it carries a higher probability of process interruptions. Repetitious nuisance trips may also create a situation where operators reset the trip without investigation, which may eventually lead to an incident.
- Selection and positioning of the correct field equipment suitable for the process and environmental conditions.

The safety system shall provide protection for normal operation and for the conditions that may arise from an abnormal condition.

10.2 Overrides

The safety system should have two types of override: a) maintenance override, and b) process start-up override.


10.2.1 Process start-up override

Process and utility systems should be designed to reduce the need for overriding inputs to the safety systems during start-up. Process override switches (POS) may be used to enable the start-up of plant or equipment that is in an abnormal state before start-up, for example low liquid levels. These should be key switches, or software switches on the PCS with an interface to the safety system.

POS shall be of the momentary type and override the logic function on plant or equipment that is, or may be, in an abnormal state during start-up. Operating the POS shall start a timer that removes the logic override at the end of a fixed time delay. This time delay shall be a safe period that allows the plant or equipment to reach a stable, healthy state. If the normal process condition is not established within this specified time, a trip will be initiated. Where the plant or equipment reaches the safe condition earlier, the logic override initiated by the POS will be removed automatically after a specified time delay (10-30 seconds) of continuous operation in the safe condition. The POS shall not override the alarm function to the PCS for the input being overridden; that alarm remains in the alarm state until the healthy position is reached.

10.2.2 Maintenance override and testing

Maintenance override switches (MOS) shall be provided to enable testing and maintenance to take place without disturbing the process. These may be key switches, or software switches on the PCS with an interface to the safety system. MOS shall not be provided for the following:

- manual push-button inputs to the safety system,
- intertrips from the F&G system,
- intertrips from equipment package control panels, for example a compressor control panel,
- inputs where the only action is via 2oo3 voting, as this would effectively change the voting to 2oo2,
- outputs from the safety system.

Outputs from the safety system that may be tested without disruption to the plant should have a manual test facility to trip the output and test the field device.

10.2.3 Software override switches

An alternative to hard-wired override switches is to use software overrides from switches in the PCS, with a serial communication link to the safety system. This may offer reduced wiring, reduced space requirements and reduced cost. The problem with software overrides is their effect on the SIL, or probability of failure on demand, of the function: connecting the PCS to the safety system increases the probability of failure, as the PCS normally has a lower reliability. To address this, the following precautions shall be taken:

- Only safety system inputs may have software overrides.
- Only one override per logic unit can be activated at any one time. A mechanism within the safety system shall enforce this.
- Alarms created from a safety system input to the PCS shall not be inhibited; only the trip action can be overridden.
- The operator needs to be aware of which overrides are activated. The safety system shall send an alarm to the PCS for each override that is activated, and the alarm shall stand until the override has been removed. Periodic re-alarming of the activated overrides is recommended at the start of every shift, so the operator is aware of what overrides are in place.
- Dedicated redundant communication should be used between the PCS and the safety system. Communication should be by type-approved Modbus or a package with cyclic redundancy check (CRC), address check and communication time-out check.
- Safety system overrides carried out by software at the PCS shall have a manual key switch, connected directly to the safety system logic, that makes all overrides from the PCS to the safety system ineffective.
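The Python model below is an added example, not part of the OMV document, that puts the rules of sections 10.2.1 to 10.2.3 into one override manager: a POS starts a fixed window and is removed early after the input has been continuously healthy for the 10-30 s hold-off, or trips the function if the window expires with the process still abnormal; an MOS is refused on push-buttons, F&G and package intertrips and 2oo3-only inputs; only one override per logic unit is accepted; the alarm to the PCS is never inhibited; and the hard-wired key switch makes every PCS software override ineffective. Tag names, the logic-unit grouping and the timing values are constructed, and in this model every MOS is a software override requested from the PCS.

```python
"""Override handling for section 10.2: timed process start-up overrides (POS),
the inputs on which a maintenance override (MOS) is not permitted, and the
precautions for software overrides requested from the PCS.

Added example, not part of the OMV document. Tag names, the logic-unit
grouping and the timing values are constructed. In this model every MOS is a
software override from the PCS, so the hard-wired key switch of section
10.2.3 renders all of them ineffective at once.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class SafetyInput:
    tag: str
    logic_unit: str
    source: str = "transmitter"   # or "push-button", "fg-intertrip", "package-intertrip"
    voting: str = "1oo1"          # "2oo3" for an input whose only action is 2oo3 voted
    in_trip_state: bool = False   # live field condition


@dataclass
class PosTimer:
    started_at: float
    max_duration: float           # fixed window within which the process must stabilise
    healthy_hold: float           # 10-30 s continuously healthy: override removed early
    healthy_since: float | None = None


class OverrideManager:
    def __init__(self, inputs):
        self.inputs = {i.tag: i for i in inputs}
        self.pos = {}                      # tag -> PosTimer
        self.mos = set()                   # tags with a software MOS from the PCS
        self.pcs_key_enabled = True        # hard-wired key switch, section 10.2.3

    def mos_permitted(self, tag):
        """Section 10.2.2 exclusions."""
        i = self.inputs[tag]
        if i.source in ("push-button", "fg-intertrip", "package-intertrip"):
            return False, f"{tag}: no MOS on {i.source} inputs"
        if i.voting == "2oo3":
            return False, f"{tag}: MOS would degrade 2oo3 to 2oo2"
        return True, ""

    def request_mos_from_pcs(self, tag):
        """Refused when the key switch disables PCS overrides or another override
        is already active in the same logic unit (one override per unit)."""
        if not self.pcs_key_enabled:
            return False, "PCS overrides disabled by key switch"
        ok, why = self.mos_permitted(tag)
        if not ok:
            return False, why
        unit = self.inputs[tag].logic_unit
        for other in self.mos | set(self.pos):
            if other != tag and self.inputs[other].logic_unit == unit:
                return False, f"override already active in logic unit {unit}: {other}"
        self.mos.add(tag)
        return True, f"{tag}: MOS active"

    def start_pos(self, tag, now, max_duration=120.0, healthy_hold=20.0):
        self.pos[tag] = PosTimer(now, max_duration, healthy_hold)

    def tick(self, now):
        """Advance the POS timers. Returns the tags whose window expired with the
        process still abnormal; the logic solver trips these."""
        expired = []
        for tag, t in list(self.pos.items()):
            healthy = not self.inputs[tag].in_trip_state
            if healthy:
                t.healthy_since = now if t.healthy_since is None else t.healthy_since
                if now - t.healthy_since >= t.healthy_hold:
                    del self.pos[tag]              # stable: override removed early
                    continue
            else:
                t.healthy_since = None
            if now - t.started_at >= t.max_duration:
                del self.pos[tag]
                if not healthy:
                    expired.append(tag)            # window used up: trip
        return expired

    def trip_demand(self, tag):
        overridden = (tag in self.mos and self.pcs_key_enabled) or tag in self.pos
        return self.inputs[tag].in_trip_state and not overridden

    def alarm(self, tag):
        """The alarm to the PCS is never inhibited by an override."""
        return self.inputs[tag].in_trip_state

    def override_alarms(self):
        """One standing alarm per active override, to be re-issued each shift."""
        return sorted(f"{t}: MOS active" for t in self.mos) + sorted(f"{t}: POS active" for t in self.pos)


def startup_scenario():
    """Constructed sequence: V-101 is empty before start-up, so its LL trip is
    overridden with a POS; level is established at t = 40 s and held."""
    mgr = OverrideManager([SafetyInput("LZT-101", "U1"), SafetyInput("TZT-103", "U1"),
                           SafetyInput("PZT-102", "U1", voting="2oo3"),
                           SafetyInput("HS-ESD-U1", "U1", source="push-button"),
                           SafetyInput("LZT-201", "U2")])
    mgr.inputs["LZT-101"].in_trip_state = True
    mgr.start_pos("LZT-101", now=0.0, max_duration=120.0, healthy_hold=20.0)
    trace = {"t0_trip": mgr.trip_demand("LZT-101"), "t0_alarm": mgr.alarm("LZT-101")}
    for t in range(10, 40, 10):
        mgr.tick(float(t))
    mgr.inputs["LZT-101"].in_trip_state = False        # level established at t = 40 s
    for t in range(40, 70, 10):
        trace[f"pos_active_t{t}"] = bool(mgr.tick(float(t)) == [] and "LZT-101" in mgr.pos)
    return mgr, trace
```

In the scenario the override drops out at t = 60 s, twenty seconds after the level is established, while the LL alarm was visible at the PCS the whole time the vessel was empty.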


10.3 Prealarms, Alarms and Monitoring

The safety system shall send the following signals to the PCS for monitoring and alarm purposes:

- individual input and output status: safe condition, tripped condition, fault condition etc.,
- individual MOS statuses,
- individual POS statuses,
- activation of reset push-buttons.

To warn the operator that an abnormal situation is approaching, and allow the operator to act to prevent a trip from occurring, an associated prealarm at the PCS shall be provided. The difference between the prealarm and trip settings should be of sufficient magnitude to give the operator time to act and prevent a trip. Where the transition to the abnormal state is instantaneous, or a sufficient margin between prealarm and trip cannot be achieved, there is no requirement for a prealarm at the PCS. Prealarms shall be provided at the PCS by a field input device independent of the field input device used by the safety system.

A first-up alarm facility should be provided to mark the input that caused the trip, so that the cause of a shutdown or partial shutdown can be determined immediately. Alarm, prealarm and other statuses should be time stamped at the PCS with date and time to the nearest 1 ms to enable analyses to be performed.

Transmitters that create prealarms at the PCS should also be used to create discrepancy fault alarms, on a deviation of 5% by comparison with the associated signal from the safety system's transmitter, to increase reliability. This shall also be the case where the safety system uses voted inputs from transmitters. Discrepancy fault alarms should also be created by the PCS upon malfunction of safety system valves, by comparing the output signal from the safety system with the PCS inputs from the valve's open and closed position switches.
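The following Python example, added here and not part of the OMV document, implements the three monitoring functions of section 10.3 as a PCS would: the 5% transmitter discrepancy check over the shared calibrated range (section 9.1), the valve discrepancy check comparing the safety system output with the open and closed limit switches, and a first-up register working on millisecond time stamps. The tag names, the sample values, the constructed event log and the valve travel time are assumptions of the example.

```python
"""Discrepancy alarms and first-up capture for section 10.3.

Added example, not part of the OMV document. The 5 % deviation threshold,
the millisecond time stamps and the command-versus-limit-switch valve
comparison are taken from the document; tag names, ranges, the event log
and the valve travel time used here are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field


def transmitter_discrepancy(pcs_value, sis_value, range_low, range_high, limit_pct=5.0):
    """PCS and safety system transmitters on the same process point are
    calibrated over the same range (section 9.1), so the deviation between
    them is expressed as a percentage of that range."""
    span = range_high - range_low
    deviation_pct = abs(pcs_value - sis_value) / span * 100.0
    return deviation_pct > limit_pct, round(deviation_pct, 2)


def valve_discrepancy(commanded_open, zso_open, zsc_closed, since_command_s, travel_time_s):
    """Compare the safety system output with the valve's limit switches.

    commanded_open is True while the solenoid is energised (valve open) and
    False when de-energised to trip (valve closed). Both switches active at
    once is a switch fault regardless of timing; a position that does not
    match the command is only alarmed once the travel time has elapsed."""
    if zso_open and zsc_closed:
        return "limit switch fault (both active)"
    if since_command_s < travel_time_s:
        return ""                                    # still travelling
    if commanded_open and not zso_open:
        return "discrepancy: commanded open, not confirmed open"
    if not commanded_open and not zsc_closed:
        return "discrepancy: commanded closed, not confirmed closed"
    return ""


@dataclass
class FirstUp:
    """Marks the input that initiated a shutdown. Inputs tripped later by the
    cascade are recorded in sequence but are not marked as first-up."""
    first: str | None = None
    first_ms: int | None = None
    sequence: list = field(default_factory=list)    # (t_ms, tag) in arrival order

    def trip(self, tag, t_ms):
        self.sequence.append((t_ms, tag))
        if self.first is None or t_ms < self.first_ms:  # tolerate out-of-order arrival
            self.first, self.first_ms = tag, t_ms

    def reset(self):
        self.first, self.first_ms, self.sequence = None, None, []


def replay_constructed_event():
    """Constructed event log: trip inputs as received by the PCS, time stamped
    in milliseconds. LZT-101 HH trips first; the others follow from the cascade."""
    events = [(1_717_000_001_230, "F&G unit A confirmed gas"),   # arrives first, happened last
              (1_717_000_000_412, "LZT-101 HH"),
              (1_717_000_000_587, "PZT-102 HH")]
    fu = FirstUp()
    for t_ms, tag in events:
        fu.trip(tag, t_ms)
    return fu


if __name__ == "__main__":
    print(transmitter_discrepancy(50.0, 56.0, 0.0, 100.0))              # (True, 6.0)
    print(valve_discrepancy(False, True, False, 10.0, 8.0))             # closed commanded, still open
    fu = replay_constructed_event()
    print("first-up:", fu.first, "at", fu.first_ms, "ms;", len(fu.sequence), "inputs")
```

The valve check deliberately waits out the stroke time before alarming; without that, every legitimate trip would raise a discrepancy alarm while the valve is still travelling.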

10.4 Equipment Packages

Packaged equipment shutdown logic should be carried out in the core safety system where possible. Where this is not feasible, hard-wired intertrips shall be provided between the packaged equipment shutdown logic and the core safety system.


10.5 Safety System Distribution

Where parts of the process are set apart and scattered over large areas, locating the safety system logic solver in one place may be impractical. In this situation local safety systems shall be provided, with hard-wired intertrip signals to the core of the safety system, which shall contain the highest level of the logic. Dedicated redundant communication systems may be used where the use of hard-wired signals is not practical. Communication should be by a package with cyclic redundancy check (CRC), address check, and check of communication time failure (time-out). If one line of communication fails then, after a time delay, the intertrips that it carries shall be activated to initiate the associated shutdown logic. If the second line of communication also fails, then after a shorter time delay the intertrips that it carries shall be activated to initiate the associated shutdown logic. These two time delays shall be quantified taking the mean time to repair (MTTR) into consideration along with the integrity requirement.
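As an added example (not part of the OMV document), the Python below models the link supervision section 10.5 describes between a local safety system and the core: each redundant line carries the intertrip states in frames protected by an address field and a CRC, a line is declared failed when no valid frame has arrived within the communication time-out, loss of one line starts the long delay T1 before its intertrips are forced active, and loss of both lines starts the shorter delay T2. The frame layout, the CRC-16 polynomial, the address value and the timing values are constructed; the document only requires that T1 and T2 be derived from the MTTR and the integrity requirement.

```python
"""Link supervision for a distributed safety system, section 10.5.

Added example, not part of the OMV document. Each redundant line carries the
intertrip states as frames protected by an address field and a CRC; a line is
declared failed when no valid frame has arrived within the time-out. Loss of
one line starts the long delay T1 before the carried intertrips are forced
active; loss of both lines starts the shorter delay T2. The frame layout,
CRC polynomial, address and timing values are constructed for this example.
"""
import struct

EXPECTED_ADDRESS = 0x21   # address of this core logic solver (constructed)


def crc16_ccitt(data: bytes, poly=0x1021, init=0xFFFF) -> int:
    crc = init
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def build_frame(dst_addr: int, seq: int, intertrips: int) -> bytes:
    """address(1) | sequence(1) | intertrip bitmap(2) | crc(2), big-endian."""
    body = struct.pack(">BBH", dst_addr, seq, intertrips)
    return body + struct.pack(">H", crc16_ccitt(body))


def parse_frame(frame: bytes):
    """Return (intertrip bitmap, sequence), or None if the length, CRC or
    address check fails; a failed frame counts as no frame received."""
    if len(frame) != 6:
        return None
    body, (crc,) = frame[:4], struct.unpack(">H", frame[4:])
    if crc16_ccitt(body) != crc:
        return None
    dst, seq, bits = struct.unpack(">BBH", body)
    if dst != EXPECTED_ADDRESS:
        return None
    return bits, seq


class LinkSupervisor:
    def __init__(self, timeout_s, t1_single_loss_s, t2_double_loss_s, start_time=0.0):
        self.timeout = timeout_s
        self.t1, self.t2 = t1_single_loss_s, t2_double_loss_s
        self.start_time = start_time
        self.last_good = {"A": None, "B": None}   # time of last valid frame per line
        self.intertrips = 0                       # last valid bitmap received

    def receive(self, line, frame, now):
        parsed = parse_frame(frame)
        if parsed is None:
            return False                          # corrupt or misaddressed: ignored
        self.last_good[line] = now
        self.intertrips = parsed[0]
        return True

    def failure_time(self, line):
        """Moment the line counts as failed: time-out after its last valid frame."""
        t = self.last_good[line]
        return self.start_time if t is None else t + self.timeout

    def evaluate(self, now):
        """Return (force_intertrips, reason). Forcing the intertrips drives the
        associated shutdown logic as if every carried intertrip had opened."""
        lost = {l: self.failure_time(l) for l in ("A", "B") if self.failure_time(l) <= now}
        if not lost:
            return False, "both lines healthy"
        names = ",".join(sorted(lost))
        if now - min(lost.values()) >= self.t1:
            return True, f"line {names} lost for >= T1 ({self.t1:g} s)"
        if len(lost) == 2 and now - max(lost.values()) >= self.t2:
            return True, f"both lines lost for >= T2 ({self.t2:g} s)"
        return False, f"line {names} lost, delay running"


if __name__ == "__main__":
    sup = LinkSupervisor(timeout_s=2.0, t1_single_loss_s=600.0, t2_double_loss_s=5.0)
    frame = build_frame(EXPECTED_ADDRESS, seq=1, intertrips=0b101)
    sup.receive("A", frame, 0.0)
    sup.receive("B", frame, 0.0)
    print(sup.evaluate(1.0))          # both healthy
    print(sup.evaluate(7.0))          # both silent: T2 elapsed, intertrips forced
```

A line that is only corrupted (wrong CRC or address) is indistinguishable from a silent one here, which is the intended fail-safe direction: bad frames must never refresh the time-out.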

10.6 Safety System Breakdown

The areas covered by the safety system can be grouped into six areas:

- Reservoir Isolation
- Pipeline Isolation (refer to Document No TO-HQ-02-034 - Philosophy for Isolation of Process Systems Onshore)
- Process Blowdown
- Manual trip initiation
- F&G system trips
- Other process and utilities

The safety system should be divided into rational units to reflect the various process and geographical boundaries within the plant. The safety system shall be designed to the appropriate parts of API RP 14C.

10.6.1 Reservoir Isolation


Production well-heads should have local independent well-head control panels. These provide hydraulic pressure to the well-head valves. Refer to Document No TO-HQ-02-022 - Philosophy for Wellhead Control Systems Onshore. The production well-head shall be tripped by a Level 5 shutdown, on which a signal will be sent to the PCS to ramp the well-head flow choke valve closed and leave the choke in manual mode. An interlock shall be provided to ensure the flow line choke valve is in the closed position before the well-head valves are enabled to open. A Level 5 shutdown of the well-head and flow line shall be caused by:

- detection of well-head fire
- detection of gas in the well-head area
- impending failure of the well-head control panel (WHCP), i.e. low-low hydraulic fluid pressure or battery low-low voltage
- local well-head push-button
- flow line high-high or low-low pressure
- a higher level of shutdown

10.6.2 Process Blowdown

A three second time delay on the initiation of the blowdown valves shall be provided to enable all shutdown and isolation valves to close fully before the blowdown valves are opened. Facilities shall be provided to enable the operator to initiate blowdown manually. Once blowdown has been initiated there shall be no means of interrupting it.

10.6.3 Manual Trip Initiation

The safety system shall be provided with manual push-buttons for each level of the safety system, located in the CCR. Local safety system push-buttons will be located around each process or utility unit to enable the unit to be shut down locally.

10.6.4 F&G System Trips

The following intertrips shall be supplied as a minimum from the F&G system:

- Confirmed fire per unit
- Confirmed gas per unit, low and high level
- Confirmed fire over multiple units
- Confirmed gas over multiple units, low and high level
- Confirmed gas in non-hazardous area, low and high level

10.6.5 Other Process and Utilities

All other parts of the process shall have safety shutdown facilities to provide the appropriate protection for the process or utility.

11.0 DESIGN CRITERIA

The safety system logic solver shall be designed to take account of the environmental conditions of the site in which it is to be located, to ensure reliability is preserved. Design of the safety system should take account of the requirements covering the full lifecycle of the plant.

The safety system shall be independent of the PCS and use diverse separation from it (refer to IEC61511-2 section 11.2.4), with the exception of compressor and turbine control, where this may not be practical. Other cases where segregation of the safety system and PCS is not practical shall require approval. The safety system shall not be affected by radio-frequency signals from handheld portable radio units and shall comply with EN50081/82.

All parts of the safety system should be designed as a fail-safe system, forcing all outputs to a de-energised/open circuit state on a failure. An exception is made for outputs where failure of the output would itself create a hazard; in these cases the output circuit should be line monitored and configured energised-to-trip. Logic parts of the safety system that cannot be designed as fail-safe, such as timers, shall be used in redundant arrangements. Any single failure within a redundant arrangement shall not prevent a demanded trip. All safety system signals shall be segregated from PCS signals. Digital and analogue signals shall be segregated from one another.
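The following is an added simulation that ties the blowdown sequence of 10.6.2 to the design criteria of 11.0; it is example code for this edit, not part of the OMV document. The outputs are modelled de-energise-to-trip (the isolation valve solenoid drops out at once and the blowdown valve solenoid drops out after the three second delay), the delay is produced by two timers in a 1oo2 arrangement so that one stuck timer cannot prevent the demanded blowdown, and the sequence latches on initiation, whether automatic or manual, so there is no way to interrupt it. The timer fault model, the solenoid naming and the simulated time base are constructed assumptions.

```python
"""Added example (not from the OMV document): blowdown sequencer with
fail-safe outputs and redundant (1oo2) delay timers.

Constructed assumptions: a timer fault is modelled as "never times out";
time is a simulated value in seconds passed in by the caller.
"""
from typing import Optional

BLOWDOWN_DELAY_S = 3.0   # three second delay stated in the philosophy


class Timer:
    """On-delay timer.  healthy=False models a timer that never times out,
    the failure mode the redundant arrangement has to tolerate."""

    def __init__(self, preset: float, healthy: bool = True):
        self.preset, self.healthy = preset, healthy
        self.started_at: Optional[float] = None

    def start(self, now: float) -> None:
        self.started_at = now

    def expired(self, now: float) -> bool:
        if not self.healthy or self.started_at is None:
            return False
        return now - self.started_at >= self.preset


class BlowdownSequencer:
    def __init__(self, timer_health=(True, True), delay=BLOWDOWN_DELAY_S):
        # two independent timers voted 1oo2: either one expiring opens the BDV,
        # so a single stuck timer cannot hold the blowdown off
        self.timers = [Timer(delay, h) for h in timer_health]
        self.initiated_at: Optional[float] = None
        self.source: Optional[str] = None

    def initiate(self, now: float, source: str = "automatic") -> None:
        """Start the sequence.  A second call (e.g. the operator's manual
        push-button after an automatic trip) is harmless: the sequence is
        already latched."""
        if self.initiated_at is None:
            self.initiated_at = now
            self.source = source
            for t in self.timers:
                t.start(now)

    def cancel(self) -> bool:
        """Deliberately no way to interrupt a blowdown once initiated."""
        return False

    def outputs(self, now: float) -> dict:
        """Solenoid states.  Energised = valve held in its running position;
        de-energised = trip position (ESDV closed, BDV open)."""
        tripped = self.initiated_at is not None
        delay_done = tripped and any(t.expired(now) for t in self.timers)
        return {
            "esdv_solenoid_energised": not tripped,
            "bdv_solenoid_energised": not delay_done,
        }


if __name__ == "__main__":
    seq = BlowdownSequencer(timer_health=(False, True))  # one timer stuck
    seq.initiate(0.0, source="manual")
    for t in (0.0, 1.0, 3.0):
        print(t, seq.outputs(t))
```

Running the stand-alone example with one timer marked faulty shows the blowdown valve solenoid still dropping out at 3.0 s, which is the "any single failure shall not prevent a demanded trip" requirement in action; marking both timers faulty shows why a single non-fail-safe timer would not be acceptable.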

12.0 MAINTENANCE IN DESIGN

The safety system shall be designed with maintainability in mind, simplifying maintenance and reducing maintenance costs where practical. This should include using a modular system for the logic solver. The safety system should have built-in test and diagnostic facilities with fault indication at each module, so that a faulty module can be identified and changed out while the system is live, without any upsets. The safety system should be designed with module redundancy. There should be sufficient maintenance overrides to enable parts of the safety system to be maintained and tested while minimising operational downtime. The safety system shall be designed so that parts of the system can be tested in order to keep the Probability of Failure on Demand within the integrity requirement. The safety system should be designed to allow modifications and developments to be implemented while minimising disruption to the process. A separate engineer's interface should be provided to the safety system.

13.0 DOCUMENTATION REQUIREMENTS

The following project documents should be produced as a minimum to cover the design of the safety system:

Front end engineering design (FEED)
- Plant operational philosophy
- Design specification for the safety system (hardware and software)
- Hierarchy drawing
- Safe charts as per API 14C
- Cause and effect drawings of safety system
- Functional design specification of safety system


Detailed design
- Documents listed under FEED above
- Matrix layout drawing
- General arrangement drawings
- Loop drawings
- Validation calculations to demonstrate compliance with integrity level requirements

14.0 CERTIFYING AUTHORITY REVIEW REQUIREMENTS

Some plants may require the design to be certified or validated by an independent certification authority due to local regulations or as instructed by OMV. Under these circumstances the certifying authority will require, as a minimum, the following documents for review:

- Basis of design document
- Functional design specification
- Cause and effect drawings
- Matrix layout drawing
- Integrity Assessment (refer to Document No TO-HQ-02-023 - Philosophy for Safety Integrity Level Onshore)
- Reliability assessment and calculations
- Copy of TUV (or equivalent) reliability certificates where available
- P&IDs

These should be issued to the CA in a timely manner to obtain approval before commencing construction.
