
Engineering Encyclopedia

Saudi Aramco DeskTop Standards

ESD PROJECT
DOCUMENTATION REQUIREMENTS

Note: The source of the technical material in this volume is the Professional Engineering Development Program (PEDP) of Engineering Services.

Warning: The material contained in this document was developed for Saudi Aramco and is intended for the exclusive use of Saudi Aramco's employees. Any material contained in this document which is not already in the public domain may not be copied, reproduced, sold, given, or disclosed to third parties, or otherwise used in whole, or in part, without the written permission of the Vice President, Engineering Services, Saudi Aramco.

Chapter: Process Instrumentation
File Reference: PCI-106.02
For additional information on this subject, contact PEDD Coordinator on 874-6556
Engineering Encyclopedia ESD Systems

ESD Project Documentation Requirements

CONTENT PAGE

INTRODUCTION ... 3
ESD DESIGN DOCUMENTATION PROCESS ... 4
  P&ID ... 9
  HAZOP Study ... 10
  Cause-and-Effect Matrix ... 14
  Written Description ... 17
  Annotated Logic Diagram ... 18
    Binary Logic Diagrams ... 18
    Ladder Diagrams ... 24
DEVELOPING A CAUSE-AND-EFFECT MATRIX FOR AN ESD SYSTEM ... 27
  HAZOP Study Results Interpretation ... 27
  Cause Dimension (Inputs) Development ... 28
  Effects Dimension (Outputs) Development ... 29
  Causes, Effects, and Manual Input Relationships ... 29
DEVELOPING LOGIC SYSTEM DOCUMENTATION ... 30
  Written Description ... 30
  Logic Diagram ... 30
WORK AID 1: RECOMMENDED METHODOLOGY FOR DEVELOPING A CAUSE-AND-EFFECT MATRIX FOR AN ESD SYSTEM ... 38
WORK AID 2: PROCEDURES USED TO DEVELOP LOGIC DIAGRAMS FOR ESD SYSTEMS ... 46
  Work Aid 2A: Procedure for Developing Written Descriptions ... 46
  Work Aid 2B: Procedure for Developing Logic Diagrams ... 48
GLOSSARY ... 53

Saudi Aramco DeskTop Standards i



LIST OF FIGURES

Figure 1. ESD Design Documentation Process Flowchart ... 5
Figure 2. Vacuum Pump System Simplified P&ID ... 9
Figure 3. HAZOP Worksheet For Vacuum Pump System (Figure 2) ... 14
Figure 4. Cause-And-Effect Matrix For Vacuum Pump System (Figure 2) ... 15
Figure 5. Written Description For Vacuum Pump System (Figure 2) ... 17
Figure 6. Binary Logic Diagram For Vacuum Pump System (Figure 2) ... 19
Figure 7, Sheet 1. Binary Logic Functions ... 22
Figure 8. Ladder Diagram For Vacuum Pump System (Figure 2) ... 25
Figure 9. Cause-and-Effect Matrix and Written Description Linkage ... 31
Figure 10. Basic Elements In A Sequential Function Chart ... 33
Figure 11. Sequential Function Chart Showing Overall Sequence ... 36
Figure 12. Sequential Function Chart Showing Control Steps For Adding Ingredient A ... 37
Figure 20. Cause-And-Effect Matrix Form Example ... 39
Figure 21. HAZOP Summary Form Example ... 40
Figure 22. Binary Logic Diagram Template ... 49
Figure 23. Binary Logic Diagram Example ... 50
Figure 24. Using Sequential Function Chart Actions In Binary Logic Diagrams ... 52


INTRODUCTION

Personnel working with emergency shutdown (ESD) systems in Saudi Aramco must understand how an ESD system is intended to function. In this module, several types of project documentation are used to describe the functionality of an ESD system. This project documentation should be understandable by people without control systems backgrounds, such as the people involved in operating and maintaining process plants. If operating and maintenance personnel do not have a good understanding of the requirements of an ESD system, the complete functionality and performance of the system may be difficult to achieve.

This module provides the necessary background to understand the types of project documents that are used in an ESD system project in Saudi Aramco. The P&ID and the HAZOP study results are the two project documents that are used as the basis for the specific project documents for an ESD system. A P&ID illustrates the process and control equipment that already exists in a process plant. ESD instrumentation must be added to the P&ID. The HAZOP study results define the requirements for an ESD system. Specific project documentation for an ESD system includes a cause-and-effect matrix, a written description, and logic diagrams (binary logic, function block, and/or relay ladder logic).


ESD DESIGN DOCUMENTATION PROCESS

The purpose of documentation for an ESD system is to provide a structure to use for ESD system design purposes, to provide reference materials that can be used to understand the operation and maintenance of an ESD system, and to provide reference materials that can be used to continuously improve an ESD system. A flowchart of the documentation process for ESD system design is shown in Figure 1. The double horizontal lines in this figure show that the P&IDs are updated as the cause-and-effect matrix and the written description are being developed. The documents required for an ESD system are identified below. The reasons why each document is used and the time when, in the design process, each document is developed are also discussed.

P&ID (Piping and Instrument Diagram)

Up-to-date P&IDs are the documents that are needed as the starting point for the ESD system design process. These drawings show equipment (e.g., pumps, valves, piping, and tanks) and related instrumentation. P&IDs also show the connections between the process and the instrumentation. P&IDs are the basis for all subsequent design work, and P&IDs provide a single source from which the remaining documents in the ESD system design process are derived.

P&IDs are a necessary document for doing a HAZOP study, but the P&IDs must be up-to-date with the current state of the process plant for which an ESD system is being designed.

HAZOP (Hazards and Operability) study

Performing the HAZOP study is the next step in the ESD system design process. The HAZOP study is a structured method that is used to identify potential hazards in a process plant and to identify operability problems that, though not hazardous, could compromise the plant's ability to achieve design productivity. A HAZOP study may be applied to equipment, controls, and procedures. The HAZOP study is used to evaluate process system safety for new installations or for modifications to an existing process plant. In a HAZOP study, the likelihood that hazardous events will occur and the severity of the consequences of hazardous events are considered.

[Figure 1 flowchart not reproduced in this text. Steps in order: Obtain New and/or Updated P&IDs; Perform HAZOP Study; Create Cause-and-Effect Matrix; Write Written Description; Develop Annotated Logic Diagrams. The step "Add ESD System Components to P&IDs" runs alongside the cause-and-effect matrix and written description steps.]

Figure 1. ESD Design Documentation Process Flowchart


Because the HAZOP study must address all types of hazards and operability problems, this study is performed by a multi-disciplinary team of experts in various aspects of process design and operations. The advantage of the team approach is that it brings together people with varying knowledge, expertise, and experience. The team members should understand the dynamics of group brainstorming sessions.

A HAZOP study usually results in a number of recommendations for design, equipment, and/or operating procedure improvements. The HAZOP team considers the protection layers that exist for a process plant and that prevent and/or reduce the severity of each hazardous event. The HAZOP recommendations may also include the need for additional protection layers, such as an ESD system. The HAZOP team recommendations are important inputs for the development of a cause-and-effect matrix for an ESD system.

Cause-and-Effect Matrix

Once the HAZOP study has been completed, the cause-and-effect matrix can be developed. The cause-and-effect matrix correlates ESD system output actions (by device description and tag number) in response to process shutdown inputs (by instrument tag number and shutdown set point). The cause-and-effect matrix does not detail all of the logic decisions that take place and cannot, therefore, replace the annotated logic diagram. The cause-and-effect matrix is used (1) to show the relationships between process shutdown inputs and output actions, (2) to update the P&IDs with instruments that are used for the ESD system, and (3) as an input to the development of the written description for the ESD system. The P&ID is used in conjunction with the HAZOP study results to develop the cause-and-effect matrix because the P&ID allows the developer of the cause-and-effect matrix to relate the ESD system to the process and equipment that the ESD system is being designed to protect.


Written Description

Once the cause-and-effect matrix has been completed, the written description can be developed. The written description documents the translation of the cause-and-effect matrix to an ESD system annotated logic diagram. The written description is used to update the P&IDs with instruments that are used for the ESD system and as an input to the development of the annotated logic diagram. The P&ID is used in conjunction with the cause-and-effect matrix to develop the written description because the P&ID allows the developer of the written description to relate the ESD system to the process and equipment that the ESD system is being designed to protect.

As Figure 1 shows, the ESD system components are added to the P&IDs as the cause-and-effect matrix and the written description are being developed.

Annotated Logic Diagram

Using AND/OR, timer, or counter logic elements that are embedded in the diagram, an annotated logic diagram graphically shows ESD inputs, outputs, and internal logic. Inputs are identified by device tag numbers and shutdown set points. Outputs are identified by device tag numbers and by device description.

Two types of annotated logic diagrams are used in Saudi Aramco: binary logic diagrams and ladder diagrams. The binary logic diagram is a representative drawing in symbolic form of ESD system logic that is binary in nature. The symbols that are used in the binary logic diagram (e.g., AND, OR, and NOT) are abstract representations of the logic functions that are performed. Binary logic diagrams are mandatory for ESD systems in Saudi Aramco.


The ladder diagram uses relay contacts, relay coils, switches and other input devices, and output devices to show the logic involved in an ESD system. The ladder diagram is essentially an electrical "binary logic" diagram. Ladder diagrams were originally developed to show relay logic. Ladder diagrams, with some modifications, are also used for representing programmable controller logic. When ladder diagrams are used for relay logic, the ladder diagrams represent physical devices. When ladder diagrams are used to represent programmable controller logic, the ladder diagrams represent the functions that the programmable controller logic performs but they do not, in such cases, necessarily represent the devices themselves. Because ladder diagrams are binary in nature (i.e., possessing two states), ladder diagrams work well for depicting binary (on-off) logic.


P&ID

A P&ID is a detailed graphical description of a specific system within a process plant. A P&ID shows all the piping, the equipment, and much of the instrumentation associated with a given system. An example of a simplified P&ID for a vacuum pump system is shown in Figure 2.

[Figure 2 drawing not reproduced in this text. Recoverable content: equipment T-303 (vacuum pump knockout pot) and K-304 (vacuum pump); instrument tags PIC-307, PT-307, PCV-307 (FO), PZV-301, PI-308, PI-309, LI-304, LAH-305, LSH-305; an N2 connection; line labels "From Reactor", "To Vent System", and "To Drain"; legend entry for electrical or electronic signal.]

NOTE: Some piping details (e.g., line sizes) and instrumentation details (e.g., block valves on pressure gauges) are not shown to simplify the drawing.

Figure 2. Vacuum Pump System Simplified P&ID

A P&ID typically shows all the pieces of equipment in a plant system whether major or minor (including all motors and agitators). Each piece of equipment is identified by an equipment number, a short description, and perhaps a few details about capacity. The piping that connects the equipment together and the piping that connects the main utility headers to the equipment are also shown on a P&ID. Additional piping that is shown on a P&ID includes bypasses around control valves, tank drain lines, and tank overflows.


A P&ID also shows each control loop and each manual valve in
a plant system. Varying levels of detail may be used to show
control loops and other instrumentation on P&IDs. For example,
each loop may be shown in its entirety on a P&ID, including the
measurement element, the transmitter, the control function and
location of controller, and the control valve or other final control
element. This loop representation adds much detail to a P&ID
and requires the process to be shown on numerous drawings
for clarity of presentation. Alternatively, a simpler method of
indicating a control loop is sometimes chosen. In this simpler
method, the measurement element and transmitter are not
shown. The control element symbol that identifies the control
loop function is connected to the measured stream with a
connecting line.

P&IDs are used as the basis for the ESD design process
because P&IDs simplify the understanding of the process and
the relationship of the process to the associated piping,
equipment, and instrumentation.

HAZOP Study

A HAZOP study is a systematic, comprehensive method that is used to study major events (e.g., explosions, fires, and significant releases of toxic or corrosive chemicals) that pose an immediate danger to life and health. However, the HAZOP team must also give consideration to all hazards, including mechanical and electrical hazards, and to potential operability problems. Typical aspects considered in a HAZOP study are normal plant operation; foreseeable changes in normal operation; plant startup and shutdown; suitability of plant materials, equipment and instrumentation; provision for failure of plant services; provision for maintenance; and safety.

The HAZOP team systematically examines each part of the process to determine how deviations from the intention of the process design can occur. This examination is done by using a set of guide words that stimulate individual thought and induce group discussion. For example, the guide word NONE might be used to examine a particular part of the process to look for flow deviations. NONE, for example, means no forward flow or reverse flow when there should be forward flow. In response to this guide word, the HAZOP team would ask the following questions:

Could there be no flow?

If so, how could no flow happen?

What are the consequences of no flow?

Are the consequences hazardous OR do the consequences prevent efficient operation?

If the consequences are hazardous or if the consequences would prevent efficient operation, can no flow be prevented (or is there a way to protect against the consequences) by changing the design or operating method?

The same questions are applied to reverse flow, and the team moves on to the next guide word for this part of the process. This method is used to determine the deviations from normal design intent, the causes of these deviations, and the consequences if no action is taken.

The need for action, or changes, is determined based on the severity of the consequences and the likelihood of occurrence of the deviations. Potentially hazardous events should be evaluated as these potentially hazardous events are identified. A decision should be reached on whether these potentially hazardous events merit further consideration or action. If the consequence of any deviation is considered hazardous and likely to occur, the consequence is documented on the HAZOP worksheet along with any means to detect and/or prevent this deviation.

To establish the requirements for the design of the ESD system, the HAZOP team should develop a comprehensive list of deviations, and it should identify possible initiating causes for each deviation. These potentially hazardous deviations and possible initiating causes are systematically reviewed to identify the layers of protection that are provided in the process design, equipment, BPCS, and procedures. If the risk level is low and the hazard is adequately controlled, no further action is needed. If the risk level does not meet desired criteria, the HAZOP team explores possibilities for incorporating additional layers of protection within the process design/BPCS framework. When such practical possibilities are exhausted, the HAZOP team may require further risk control by addition of an emergency shutdown (ESD) system interlock.

As a result of this work, the HAZOP study team should generate the following results:

Specific deviations (if any) for each guide word for the part of the process being examined.

Possible initiating causes for each deviation.

Consequences if each deviation was allowed to occur.

Recommended action to reduce the consequences to an acceptable risk level.

If the recommended action is to use a shutdown interlock, the HAZOP study team should determine the required level of shutdown (see SAES-J-601) (i.e., Total Plant Shutdown (Level 1), Unit Isolation (Level 2), Equipment Isolation (Level 3), Equipment Protection (Level 4), or Regulatory Alarms & Permissives (Level 5)) and the recommended set point for the shutdown. Knowledge of the required level of shutdown makes it possible to determine if an ESD system is required.

Where possible, the HAZOP study team should provide recommendations for the integrity level required for a shutdown interlock. The HAZOP study team should be in a good position to provide integrity levels because the HAZOP study team has intimate knowledge of the process plant. For example, the HAZOP study team might recommend redundant or triplicated pressure devices for a high pressure shutdown interlock due to critical operational problems with a catalytic cracker or reformer.

Quite often, when a HAZOP team in Saudi Aramco has completed its review and findings, the integrity levels have not been specified, and the detail is not available that is needed to enable an instrumentation design team to determine the required integrity levels. In these cases, the lead instrument engineer may need either to contact the former HAZOP team leader and ask for definition or to assemble a different working group to further define ESD and integrity level requirements.


The HAZOP study team results are usually documented in a HAZOP worksheet. An example of a HAZOP worksheet is shown in Figure 3. This HAZOP worksheet was developed for the vacuum pump system that is shown in the simplified P&ID in Figure 2.

When the recommended shutdown interlocks and the required shutdown levels for these interlocks are provided, the ESD system can be designed to ensure that the required system integrity is met or exceeded in the design. Often, different shutdown level interlocks may be grouped together to avoid having two different levels of design and equipment. When integrity level recommendations are provided, the ESD system can be designed with the necessary levels of redundancy (including process sensors and final control devices) to meet the required risk levels.

Ideally, Saudi Aramco would always like to perform a HAZOP analysis prior to the detailed design of a process plant; however, in some cases (e.g., where facilities are being duplicated, such as a gas/oil separation facility design), a HAZOP analysis is not always performed. In these cases, the lead instrument engineer may have to initiate action to convene a meeting between operations, maintenance, engineering, and loss prevention personnel to review previous ESD designs/implementations for similar plant designs.


HAZOP worksheet columns: Ref. No., Guide Word, Deviation, Causes, Consequences, Actions.

Ref. No. 1
  Guide Word: MORE OF
  Deviation: Liquid buildup in T-303 knockout pot
  Causes: Excessive liquid carryover from reactor
  Consequences: Possible vacuum pump rupture if T-303 overflows
  Actions: HH level interlock (Level 4) to stop vacuum pump

Ref. No. 2
  Guide Word: MORE OF
  Deviation: Vacuum pump high discharge pressure
  Causes: Blockage in vent system
  Consequences: Possible vacuum pump damage
  Actions: HH discharge pressure [set point = 34.5 kPa (5 psig)] interlock (Level 4) to close vacuum pump discharge block valve and stop vacuum pump. Vacuum pump must be stopped any time discharge block valve is closed.

Figure 3. HAZOP Worksheet For Vacuum Pump System (Figure 2)

Cause-and-Effect Matrix

An example of the typical format of a cause-and-effect matrix is shown in Figure 4 for the vacuum pump system described in Figure 2 and Figure 3. The cause-and-effect matrix is used to establish a relationship between the inputs (causes) to the ESD system and the outputs (effects) from the ESD system. Possible relationships are shown in the legend at the bottom of the cause-and-effect matrix. One (or more) of these relationships is placed at the intersection of the cause and the effect in the cause-and-effect matrix.


EFFECT (THEN), Level 4, Equipment Protection. Effect columns: (1) Vac. pump start/run permissive; (2) K-304 discharge block valve.

CAUSE (IF):
  T-303 high level LSHH: (1) S
  High level reset pushbutton: (1) R
  K-304 high disch. press. PSHH [34.5 kPa (5 psig)]: (1) S; (2) C
  High disch. press. reset pushbutton: (1) R; (2) O
  K-304 disch. valve closed: (1) S

Legend: O = Open, C = Close, R = Run, S = Stop, TD = Time Delay, V = Vent, A = Auto, M = Manual, TS = Timed Step, Th = Throttling

Figure 4. Cause-And-Effect Matrix For Vacuum Pump System (Figure 2)


The relationships shown in the legend list are described below:

O (Open): Actuation of the input device opens the output device.

C (Close): Actuation of the input device closes the output device.

R (Run): Actuation of the input device starts the output device.

S (Stop): Actuation of the input device stops the output device.

TD (Time Delay): Actuation of the input device causes some action to be taken on the output device after a period of time that is specified by the amount of the time delay. This relationship is normally used in conjunction with one of the above relationships.

V (Vent): Actuation of the input device causes a piece of process equipment to be vented to the atmosphere, to a flare, or to some other process system.

A (Auto): Actuation of the input device puts the output device into the automatic control mode. This relationship may also be used to designate the way a sequencer advances to the next step.

M (Manual): Actuation of the input device puts the output device into the manual control mode. This relationship may also be used to designate the way a sequencer advances to the next step.

TS (Timed Step): This relationship is typically used to designate the way a sequencer advances to the next step.

Th (Throttling): Actuation of the input device causes the output device to be throttled under controller action.


Written Description

A cause-and-effect matrix cannot adequately describe all the logic functions needed in an ESD system. Therefore, a written description is used to describe the translation from a cause-and-effect matrix to an annotated logic diagram. The written description uses the same inputs (causes) and outputs (effects) that are used in the cause-and-effect matrix. The written description describes in text the relationship between these inputs and outputs. The written description shown in Figure 5 is based on the cause-and-effect matrix shown in Figure 4.

When the level in T-303 vacuum pump knockout pot reaches the set point of the high level shutdown switch, the high level shutdown switch will open. This switch action stops K-304 vacuum pump, and it actuates a visual and audible high level shutdown alarm. When the high level condition has been corrected, the operator can push the high level shutdown reset pushbutton. This reset action will clear the T-303 knockout pot high level shutdown alarm, and it provides a run permissive signal to K-304 vacuum pump.

If K-304 vacuum pump discharge pressure increases to 34.5 kPa (5 psig) or greater, the high discharge pressure shutdown switch will open. This switch action stops K-304 vacuum pump, closes K-304 vacuum pump discharge block valve, and actuates a visual and audible high discharge pressure shutdown alarm. When the high pressure condition has been corrected, the operator can push the high discharge pressure shutdown reset pushbutton. This reset action clears the high discharge pressure shutdown alarm, and it provides a run permissive signal to K-304 vacuum pump.

When K-304 vacuum pump discharge block valve closes, the closed limit switch will close, and K-304 vacuum pump will stop.

Figure 5. Written Description For Vacuum Pump System (Figure 2)


Annotated Logic Diagram

Binary Logic Diagrams

Binary logic diagrams are typically used for design and operational approval and as the basis for ladder diagrams. The binary logic diagram in Figure 6 represents the logic described in the written description of Figure 5.



[Figure 6 diagram not reproduced in this text. Recoverable content, by the diagram's INPUTS / LOGIC / OUTPUTS columns:
Inputs: PB-301 T-303 high level shutdown reset (Reset = 1); LSHH-306 T-303 high level shutdown (High Level = 0); PB-302 K-304 high discharge pressure shutdown reset (Reset = 1); PSHH-310 K-304 high discharge pressure shutdown (High Pressure = 0); ZSL-301 K-304 discharge block valve closed (Closed = 1).
Logic: OR and AND (A) functions.
Outputs: LAHH-306 T-303 high level shutdown alarm signal (alarm on when output = 0); ZV-301 K-304 discharge block valve (closes when output = 0); PAHH-310 K-304 high discharge pressure shutdown alarm signal (alarm on when output = 0); K-304 run permissive.
The diagram also carries an input symbol legend and an output symbol legend.]

Figure 6. Binary Logic Diagram For Vacuum Pump System (Figure 2)



Two states of input and output signals are defined in binary logic, the 0-state and the 1-state. Most faults in pneumatic signals, electrical signals, and power transmission lines result in a loss of energy. For this reason, the following assignments are used:

The 0-state shall define an absence of energy. The 0-state shall represent the open-circuit switch or open-circuit connection for input signals. For final output signals, the 0-state shall represent the direction or action desired for fail-safe operations. Contact opening shall create the 0-state signal. Alarms and interlocks are actuated by the 0-state signal.

The 1-state shall define a presence of energy. The 1-state shall represent the normal or desired condition for input signals. For final output signals, the 1-state shall represent whatever is opposite to the fail-safe action or direction. Contact closing shall create the 1-state signal.

Logic statements shall define the 1-state. Addition of information such as "momentary" or "continuous" or "for a specified time" shall be considered, if necessary, for safety or better understanding. All process inputs and outputs are labeled.

The following binary logic functions may be used in a binary logic diagram (see Figure 7, Sheets 1 to 3 for additional details):

AND Function: The output of the AND function assumes the 1-state if and only if all the inputs assume the 1-state.

OR Function: The output of the OR function assumes the 1-state if one or more inputs assume the 1-state.

NOTE: AND and OR functions are symbolic only and are not always the actual components. Therefore, an unlimited number of inputs and outputs per AND or OR function can be shown.

NOT Function: The NOT function has only one input and one output. The output assumes the 1-state if and only if the input assumes the 0-state. The output assumes the 0-state if and only if the input assumes the 1-state.


EXCLUSIVE OR Function: The output of the EXCLUSIVE OR function assumes the 1-state if one and only one input assumes the 1-state.

The EXCLUSIVE OR function shall not be given a separate symbol but shall be shown as an assembly of NOT, AND, and OR functions.

Memory Flip-Flop: The memory flip-flop has two inputs (A and B) and two outputs (C and D). Input A corresponds to set memory (S), and input B corresponds to reset memory (R).

Logic output C exists as soon as logic input A exists, regardless of the subsequent state of A, until the memory is reset by logic input B existing. Logic output C will not exist again until the presence of logic input A causes the memory to be set.

Logic output D, if used, exists when C does not exist, and D does not exist when C exists. Output D should not be shown if it is not used.

Time Delay Functions: The time delay functions exist in two basic forms. These forms are DELAY INITIATION (DELAY TO ON) and DELAY TERMINATION (DELAY TO OFF). All other time delay functions should be shown as an assembly of logic functions. This assembly of logic functions should consist of one of these basic time delay functions in combination with other logic functions.

DELAY INITIATION (DELAY TO ON): Whenever the input assumes the 0-state, the output immediately assumes the 0-state. Following any input transition from the 0-state to the 1-state, the output remains in the 0-state for the time delay period before going to the 1-state.

DELAY TERMINATION (DELAY TO OFF): Whenever the input assumes the 1-state, the output immediately assumes the 1-state. Following any input transition from the 1-state to the 0-state, the output remains in the 1-state for the time delay period before going to the 0-state.


Note: The logic functions described above, along with the symbols and additional detail that is shown in Figure 7, were taken from the following standard: ANSI/ISA-S5.2-1976 (R1992), Binary Logic Diagrams for Process Operations.
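The functions defined above (AND, OR, NOT, EXCLUSIVE OR, memory flip-flop, DELAY INITIATION and DELAY TERMINATION) are simple enough to model and exercise in a few lines, which is a useful way to check that an interlock's logic really does de-energize to trip before it is drawn or wired. The following Python module is an added illustration and is not code from this standard or from ISA S5.2. It assumes discrete time in whole scan ticks, and it uses the page's convention that the 1-state is energy present and the 0-state is the fail-safe state. Two helpers run the Figure 7 examples: the tank-venting memory (Sheet 2) and the 10-second catalyst block delay (Sheet 3).

```python
"""Discrete-time model of the binary logic functions defined above.

Added illustration; not code from the Saudi Aramco standard or from ISA.
Signals follow the page's convention: 1-state = energy present (normal),
0-state = energy absent (fail-safe action). Time is simulated in whole ticks
(assumption: one tick = one scan), so a delay t is a count of ticks.
"""
from __future__ import annotations

from dataclasses import dataclass


def and_(*inputs: bool) -> bool:
    """AND: output is 1 if and only if every input is 1 (any number of inputs)."""
    return all(inputs)


def or_(*inputs: bool) -> bool:
    """OR: output is 1 if one or more inputs are 1."""
    return any(inputs)


def not_(a: bool) -> bool:
    """NOT: one input, one output, inverted."""
    return not a


def xor(a: bool, b: bool) -> bool:
    """EXCLUSIVE OR, assembled from NOT, AND and OR as the page requires."""
    return or_(and_(a, not_(b)), and_(not_(a), b))


@dataclass
class MemoryFlipFlop:
    """Memory with set input A (S) and reset input B (R).

    override: input that wins when A and B exist together ("S" or "R"; the
    page encircles the winning letter). power_loss: "LS" = memory lost on
    loss of supply (preferred for ESD interlocks), "MS" = memory maintained.
    """
    override: str = "R"
    power_loss: str = "LS"
    c: bool = False

    def step(self, a: bool, b: bool) -> tuple[bool, bool]:
        """Apply one scan of inputs; return outputs (C, D), D = NOT C."""
        if a and b:
            self.c = self.override == "S"
        elif a:
            self.c = True
        elif b:
            self.c = False
        return self.c, not self.c

    def lose_power(self) -> None:
        """Supply interruption: an LS memory forgets, an MS memory keeps."""
        if self.power_loss == "LS":
            self.c = False


@dataclass
class DelayToOn:
    """DELAY INITIATION: output goes to 1 on the t-th consecutive tick of a 1
    input; a 0 input returns the output to 0 at once and restarts the timer."""
    t: int
    count: int = 0

    def step(self, a: bool) -> bool:
        if not a:
            self.count = 0
            return False
        self.count = min(self.count + 1, self.t)
        return self.count >= self.t


@dataclass
class DelayToOff:
    """DELAY TERMINATION: output goes to 1 at once with a 1 input and returns
    to 0 on the t-th consecutive tick of a 0 input."""
    t: int
    count: int = 0

    def step(self, a: bool) -> bool:
        if a:
            self.count = 0
            return True
        self.count = min(self.count + 1, self.t)
        return self.count < self.t


def vent_tank_example(pressure_high: list[bool], hs1: list[bool]) -> list[tuple[bool, bool]]:
    """Figure 7, Sheet 2 memory example: high pressure sets C ("Vent Tank");
    HS-1 resets only while pressure is not high; D is "Permit Compressor Start"."""
    mem = MemoryFlipFlop()
    return [mem.step(a=p, b=and_(h, not_(p))) for p, h in zip(pressure_high, hs1)]


def catalyst_block_example(temp_high: list[bool], t: int = 10) -> list[bool]:
    """Figure 7, Sheet 3 DI example: block catalyst flow only after the
    temperature has been continuously high for t ticks (assumed 1 s each)."""
    di = DelayToOn(t)
    return [di.step(x) for x in temp_high]
```

Because the reset input of the venting memory is AND(HS-1, NOT pressure high), set and reset can never exist together, so the override letter does not matter for that example; for the LS/MS variants the only difference is what `lose_power` does to output C.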

Figure 7, Sheet 1. Binary Logic Functions (table reconstructed from the extracted layout; columns are FUNCTION, SYMBOL, DEFINITION, EXAMPLE)

AND
Symbol: logic inputs A, B, and C into a box labeled AND; logic output D.
Definition: Logic output D exists if and only if all logic inputs A, B, and C exist. An AND function can have any number of inputs.
Example: Operate pump (output = 1) if suction tank level is high (input = 1) and discharge valve is open (input = 1). Diagram: "Tank Level High" and "Discharge Valve Open" are the inputs of an AND whose output is "Operate Pump".

OR
Symbol: logic inputs A, B, and C into a box labeled OR; logic output D.
Definition: Logic output D exists if and only if one or more of logic inputs A, B, and C exists. An OR function can have any number of inputs.
Example: Start storage tank pump (output = 1) if reactor A needs material (input = 1) or reactor B needs material (input = 1). Diagram: "Reactor A Needs Material" and "Reactor B Needs Material" are the inputs of an OR whose output is "Start Storage Tank Pump".

NOT
Symbol: logic input A into the NOT symbol; logic output B.
Definition: Logic output B exists if and only if logic input A does not exist. The NOT symbol may be drawn tangent to an adjacent logic symbol as shown in the example or directly in a line as shown in the symbol. A NOT function can have only one input and one output.
Example: Open vent valve (output = 0) if pressure high (input = 0) or temperature high (input = 0). Turn on pilot light (output = 1) when vent valve commanded to open (output = 0) or test pushbutton is pushed (input = 1). Diagram: "Pressure High" and "Temperature High" feed a gate drawn with NOT symbols tangent to it, giving "Open Vent Valve"; that output and "Test Pushbutton Pushed" feed an OR whose output is "Turn On Pilot Light".


Figure 7, Sheet 2. Binary Logic Functions (cont.) (table reconstructed from the extracted layout; columns are FUNCTION, SYMBOL, DEFINITION, EXAMPLE)

MEMORY Flip-Flop
Symbol: logic input A into S and logic input B into R; logic output C from the S side and logic output D from the R side.
Definition: S represents set memory, and R represents reset memory. Logic output C exists as soon as logic input A exists, regardless of the subsequent state of A, until the memory is reset by logic input B existing. Logic output C will not exist again until the presence of logic input A causes the memory to be set. Logic output D, if used, exists when C does not exist, and D does not exist when C exists. Output D should not be shown if it is not used. If inputs A and B exist simultaneously, and if it is desired to have A override B, then S should be encircled. If B is to override A, then R should be encircled. The unmodified letter S denotes that no consideration has been given to the action of the memory on loss of the power supply.
Example: If tank pressure becomes high, vent the tank and continue venting, regardless of pressure, until venting is stopped by manual actuation of hand switch HS-1, provided that the pressure is not high. If the venting is stopped, a compressor may be started. Diagram: "Tank Pressure High" sets the memory (S), and output C is "Vent Tank"; HS-1 resets the memory (R), and output D is "Permit Compressor Start".

MEMORY Flip-Flop, LS
Symbol: as above, with the memory labeled LS.
Definition: The LS denotes that memory is lost on loss of the power supply. This is the preferred version of the Memory element for most ESD interlocks. B should also override A (see example).
Example: If the tank level is high, its input turns off. The NOT gate inverts the signal and resets the memory (even if the high level signal is ON), and the feed valve closes (signal de-energized). When the level is OK, and the reset signal turns ON, the memory is set, and the valve opens. Diagram: "High Level Reset" sets the memory (S); "High Tank Level" passes through a NOT and resets the memory (R, overriding S); output C is "Close Feed Valve".

MEMORY Flip-Flop, MS
Symbol: as above, with the memory labeled MS.
Definition: The MS denotes that memory is maintained on loss of the power supply.
Example: If standby pump operation is initiated, the pump will operate, even on loss of the power supply, until the process sequence is terminated. The pump will operate if both inputs exist simultaneously. Diagram: "Standby Pump Operation Initiated" sets the memory (S); "Process Sequence Terminated" resets the memory (R); output C is "Operate Standby Pump".


Figure 7, Sheet 3. Binary Logic Functions (cont.) (table reconstructed from the extracted layout; columns are FUNCTION, SYMBOL, DEFINITION, EXAMPLE)

EXCLUSIVE OR
Symbol: no separate symbol; drawn as an assembly of NOT, AND, and OR functions with logic inputs A and B and logic output C.
Definition: Logic output C exists if A exists or B exists but not if both A and B exist.
Example: Reactor feed valve A opens (output = 1) if storage tank A feed pump is on (input = 1) or if storage tank B feed pump is on (input = 1) but not if both A and B storage feed pumps are on (both inputs = 1). Diagram: "Storage tank A feed pump" and "Storage tank B feed pump" enter the EXCLUSIVE OR assembly whose output is "Reactor feed valve A".

DELAY INITIATION (DELAY TO ON)
Symbol: box labeled DI with the delay time t; logic input A, logic output B.
Definition: The continuous existence of logic input A for time t causes logic output B to exist when t expires. B terminates when A terminates.
Example: If reactor temperature exceeds a high limit continuously (input = 1) for 10 seconds, block catalyst flow (output = 1). Resume flow (output = 0) when temperature does not exceed the limit (input = 0). Diagram: "Reactor temperature high" into DI 10s; output "Block catalyst flow".

DELAY TERMINATION (DELAY TO OFF)
Symbol: box labeled DT with the delay time t; logic input A, logic output B.
Definition: The existence of logic input A causes logic output B to exist immediately. B terminates when A has terminated and has not again existed for time t.
Example: If system pressure exceeds a high limit (input = 1), start the vacuum pump (output = 1) at once. Stop the vacuum pump (output = 0) when the system pressure is below the low limit (input = 0) continuously for 1 minute. Diagram: "System pressure" into DT 1m; output "Vacuum pump".

Ladder Diagrams

A ladder diagram shows, by means of graphic symbols, the electrical and/or instrument connections and functions of a specific circuit arrangement (see Figure 8). A ladder diagram facilitates tracing the circuit and the circuit functions without regard to the actual physical size, shape, or location of the component devices. Ladder diagrams should show the ESD interlocks and their relationship to the rest of the system.


Figure 8. Ladder Diagram For Vacuum Pump System (Figure 2) (reconstructed from the extracted layout: the left-hand rail is H and the right-hand rail is N, 24 VDC, Circuit #21, Panel 16; each line carries a line number at the left, wire numbers along the rung, and a relay contact reference under the descriptive statement)

Line 1: PB301 and LSHH-306 (contact opens on high level), wires 301 and 302, to coil CR301. Statement: T-303 High Level Shutdown (2, 6, 7).
Line 2: CR301 contact (no separate load; branch of Line 1).
Line 3: PB302 and PSHH-310 (contact opens on high discharge pressure), wires 303 and 304, to coil CR302. Statement: K-304 High Disch. Press. Shutdown (4, 5, 6, 8).
Line 4: CR302 contact (no separate load; branch of Line 3).
Line 5: CR302 contact, wire 305, to ZY-301. Statement: K-304 Disch. Block Valve (closes when de-energized).
Line 6: XSL-301 (contact closes when valve is closed), CR301 contact, and CR302 contact in series, wires 501 to 505, to coil K304. Statement: K-304 Run Permissive.
Line 7: CR301 contact, wires 701 to 703, to the alarm input. Statement: T-303 High Level Shutdown Alarm Signal (alarm on when alarm input = 0).
Line 8: CR302 contact, wires 704 to 706, to the alarm input. Statement: K-304 High Disch. Press. Shutdown Alarm Signal (alarm on when alarm input = 0).

Note: All symbols shown in the operating position.


A ladder diagram is intended to identify and to show the function (logic) of the component devices in an ESD system. A ladder diagram serves the two-fold purpose of showing complete circuit connections and of showing the manner in which the equipment will function. A ladder diagram can be considered as the "translation" of a written description or binary logic diagram into electrical symbols.

All the logic elements are shown between the two vertical lines. These vertical lines represent the source of electrical power. Input devices such as pushbuttons and relay contacts are shown starting at the left-hand vertical line, the hot line (H). Device tag numbers and descriptive labels are placed above the device. The descriptive labels should clarify, where necessary, the operation of the device (e.g., limit switch opens when valve is open). Relay coils, timer coils, solenoid valves, and other output devices are shown next to the right-hand vertical line, the neutral line (N). The power source is identified at the top of the drawing.

Each line of logic receives a sequential number. A descriptive statement for each line of logic is placed to the right of the right-hand vertical line. The line numbers are referenced under the descriptive statement for a line of logic that includes a relay, timer, or counter. For example, the three numbers under the descriptive statement for line 1 show that normally open contacts from relay CR301 are used in lines 2, 6, and 7. The numbers that reference normally closed contacts are underlined. Wires are consecutively numbered, starting with the upper left-hand corner. The wire number is changed at each device in the line that is capable of breaking the circuit (e.g., a pushbutton or a pressure switch).
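A ladder diagram of this kind can be checked rung by rung before it is built by scanning it the way a relay panel or PLC would. The module below is an added example, not part of this standard or of the Figure 8 drawing. It follows the figure's "operating position" note: LSHH-306 and PSHH-310 are closed in normal operation and open on the high condition, the CR301 and CR302 contacts close while their relay is energized, and the alarm is on when its input is 0. That the relay contacts on lines 2 and 4 form holding branches around the reset pushbuttons, and that line 6 is a three-contact series, are my reading of the extracted figure and are assumptions; XSL-301 is treated as a raw field input rather than being tied to the valve position.

```python
"""Scan model of the Figure 8 ladder diagram for the vacuum pump system.

Added example; not part of the standard. True = contact closed / coil
energized (the 1-state). Assumptions: the CR301 and CR302 contacts on
lines 2 and 4 are holding branches in parallel with PB301 and PB302, and
line 6 is XSL-301, CR301 and CR302 in series to the K-304 run permissive.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Field:
    """Field-side inputs as seen by the panel."""
    pb301: bool = False      # T-303 high level shutdown reset pushbutton (momentary)
    pb302: bool = False      # K-304 high discharge pressure shutdown reset pushbutton
    lshh_306: bool = True    # contact opens (False) on high level
    pshh_310: bool = True    # contact opens (False) on high discharge pressure
    xsl_301: bool = False    # contact closes (True) when ZY-301 is closed


@dataclass
class Panel:
    """Panel-side state: relay coils, output device and alarm signals."""
    cr301: bool = False                 # T-303 high level shutdown relay (lines 1-2)
    cr302: bool = False                 # K-304 high disch. press. shutdown relay (lines 3-4)
    zy_301: bool = False                # disch. block valve solenoid; valve closes when False
    k304_run_permissive: bool = False   # line 6
    alarm_t303: bool = True             # line 7: alarm on when alarm input = 0
    alarm_k304: bool = True             # line 8: alarm on when alarm input = 0


def scan(f: Field, p: Panel) -> Panel:
    """Evaluate every rung once, top to bottom, from the previous panel state."""
    # Lines 1-2: CR301 picks up through PB301 (or its own holding contact) and LSHH-306.
    cr301 = (f.pb301 or p.cr301) and f.lshh_306
    # Lines 3-4: CR302 likewise through PB302 (or its holding contact) and PSHH-310.
    cr302 = (f.pb302 or p.cr302) and f.pshh_310
    # Line 5: ZY-301 is fed through a CR302 contact; de-energized means valve closed.
    zy_301 = cr302
    # Line 6: the run permissive needs XSL-301, CR301 and CR302 contacts all closed.
    permissive = f.xsl_301 and cr301 and cr302
    # Lines 7-8: the alarm input is a relay contact, so the alarm is on when the relay has dropped.
    return Panel(cr301, cr302, zy_301, permissive, alarm_t303=not cr301, alarm_k304=not cr302)


def settle(f: Field, p: Panel, max_scans: int = 4) -> Panel:
    """Scan until the panel state stops changing (relay logic settles in a few scans)."""
    for _ in range(max_scans):
        nxt = scan(f, p)
        if nxt == p:
            return nxt
        p = nxt
    return p


def trip_and_reset_sequence() -> list[Panel]:
    """Walk the K-304 shutdown through reset, normal run, high-pressure trip,
    pressure back to normal without a reset, then a reset. Returns snapshots."""
    snapshots: list[Panel] = []
    p = Panel()
    for f in (
        Field(pb301=True, pb302=True, xsl_301=True),   # operator holds both resets
        Field(xsl_301=True),                           # resets released: holding contacts keep the relays up
        Field(xsl_301=True, pshh_310=False),           # high discharge pressure: PSHH-310 opens
        Field(xsl_301=True),                           # pressure normal again, no reset yet
        Field(xsl_301=True, pb302=True),               # operator pushes the K-304 reset
    ):
        p = settle(f, p)
        snapshots.append(p)
    return snapshots
```

The third and fourth snapshots show the property the seal-in branch gives the circuit: once PSHH-310 has opened, CR302 stays dropped (valve closed, alarm on, no run permissive) even after the pressure returns to normal, until the operator pushes PB302.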


DEVELOPING A CAUSE-AND-EFFECT MATRIX FOR AN ESD SYSTEM

This section describes the relationship between the HAZOP study team results and the various parts of the cause-and-effect matrix. The cause-and-effect matrix is the first step in using the HAZOP study team results by putting them into a document form that is useful as the basis for ESD system design. In order to create a cause-and-effect matrix, the input devices that are needed for the Cause dimension of the matrix are determined from the HAZOP study team results. The next step is to determine what output devices are needed for the Effect dimension of the matrix. Then, the relationship between these inputs and outputs is defined. Manual inputs are added as needed, and the relationships between the manual inputs and the outputs are defined.

HAZOP Study Results Interpretation

Typical HAZOP study team results are documented in a HAZOP Worksheet (see Figure 3). The Deviation, Consequences, and Actions columns in this figure contain the information needed to develop a cause-and-effect matrix. The Deviation and Consequences columns define the process and/or equipment condition that must be detected with an ESD system input device. The Actions column defines the action that should be taken to prevent that deviation from escalating to a hazardous event. The information from the Actions column is used in conjunction with the P&ID to determine what the ESD system output device should be.


If the shutdown levels for the ESD system interlocks have not
been defined, the other columns must be used as the basis for
determining the shutdown level classification for each interlock.
For example, assume that the process consists of a reactor that
is used to polymerize vinyl chloride monomer into polyvinyl
chloride. The consequence of a particular deviation is a potential
reactor rupture. The reaction material in this example is vinyl
chloride monomer, and it is flammable, has toxic combustion
products, and is a known carcinogen. A Level 4 shutdown
(Equipment Protection) classification for the ESD interlocks for
this deviation would not be sufficient because the potential
impact of a reactor rupture is greater than just the loss of the
reactor. The potential impact of a reactor rupture involves
significant environmental considerations. Therefore, a Level 3
(Equipment Isolation) classification is the minimum acceptable
classification.

A separate cause-and-effect matrix is created for each of the different shutdown levels needed for the application.

Cause Dimension (Inputs) Development

In order to determine what physical devices are needed to define the Cause dimension of the cause-and-effect matrix, the following information is needed:

The deviation and/or the consequence that the ESD system interlock is being designed to protect against.

The equipment configuration in which the input device will be installed.

Special requirements for the physical devices, such as the need for redundant sensors.


The Deviation and Consequences columns in the HAZOP worksheet define the process and/or equipment condition that must be sensed. Knowledge of a process and/or equipment condition that must be sensed defines the need for an input device for the Cause dimension of the cause-and-effect matrix. The P&ID defines the equipment configuration in which the physical input device must be installed, and the equipment configuration may have a significant effect on the type and size of physical input device that can be used. Special requirements (e.g., severe process conditions or difficult process measurements) may dictate the number and type of physical devices that are needed.

Effects Dimension (Outputs) Development

The Actions column in the HAZOP worksheet defines the action that must be taken to prevent a hazardous event from occurring as a result of a deviation. A physical output device is needed to cause the action to occur. The P&ID defines the equipment configuration in which the physical output device must be installed, and the equipment configuration may have a significant effect on the type and size of physical output device that can be used.

Causes, Effects, and Manual Input Relationships

Operator intervention is often needed as part of the operation of an ESD system. For example, once a shutdown has occurred and the process and/or equipment condition has been corrected, the operator is usually required to push a reset pushbutton in order to put the process and/or equipment back into normal operation. The operator may also be required to manually start and/or stop a particular piece of equipment. These manual input devices should be shown on the cause-and-effect matrix because manual input devices have a direct effect on the output devices.


DEVELOPING LOGIC SYSTEM DOCUMENTATION

This section describes the information needed for developing a written description of an ESD system. The linkage between the written description and the cause-effect relationship in the Cause-and-Effect Matrix is explained.

The information that is needed for developing logic diagrams for an ESD system is also discussed. The relationship between the logic diagram and the contents of a written description is explained.

Written Description

Information required for developing a written description of an ESD system includes the following:

Cause-and-effect matrix for the ESD system.

P&ID for the plant system that the ESD system is protecting.

HAZOP study team results.

The written description uses the same inputs (causes) and outputs (effects) that are used in the cause-and-effect matrix. The written description describes in text the cause-effect relationship that exists between the causes and effects of the cause-and-effect matrix. Figure 9 graphically shows the linkage between the written description and the cause-and-effect matrix.

A separate written description should be developed for each cause-and-effect matrix.

Logic Diagram

Information required for developing a logic diagram for an ESD system includes the following:

P&ID for the plant system that the ESD system is protecting.

Written descriptions for each cause-and-effect matrix.


Cause-and-Effect Matrix, Level 4 (Equipment Protection) (reconstructed from the extracted layout; the figure annotates one row as "Cause", one column as "Effect", and one cell as "Relationship")

EFFECT (THEN) columns: Vac. pump start/run permissive; K-304 discharge block valve

CAUSE (IF) rows:
K-304 high disch. press. PSHH [34.5 kPa (5 psig)]: S (vac. pump); C (discharge block valve)
High disch. press. reset pushbutton: R (vac. pump); O (discharge block valve)
K-304 disch. valve closed: S (vac. pump)

Legend: O = Open, C = Close, R = Run, S = Stop

Notes on the figure: "Add pressure switch to P&ID" (the PSHH cause) and "Add valve to P&ID" (the block valve effect).

P&ID: Vacuum Pump K-304 with discharge pressure switch PSHH-309, pressure indicator PI, pressure control valve PV-307 (FO), and block valve ZV (FC) on the line to the vent system.

Written Description

If K-304 vacuum pump discharge pressure increases to 34.5 kPa (5 psig) or greater, the high discharge pressure shutdown switch will open.

This switch action stops K-304 vacuum pump, closes K-304 vacuum pump discharge block valve, and actuates a visual and audible high discharge pressure shutdown alarm.

When the high pressure condition has been corrected, the operator can push the high discharge pressure shutdown reset pushbutton. This reset action clears the high discharge pressure shutdown alarm, and it provides a run permissive signal to K-304 vacuum pump.

Figure 9. Cause-and-Effect Matrix and Written Description Linkage
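The cause-and-effect matrix is a table, so it can be held as data and checked mechanically: every cause should drive at least one effect, every effect should have at least one cause, every cell should use a legend code, and simultaneous causes that command the same output should resolve in the protective direction. The module below is an added example serving both the section "Developing a Cause-and-Effect Matrix for an ESD System" and the relationship codes of the cause-and-effect matrix form in Work Aid 1; it is not code from this standard. It encodes the Level 4 matrix for K-304 as transcribed from Figure 9 and the full legend of the form (O, C, R, S, TD, V, A, M, TS, Th). The rule that Stop overrides Run, Close overrides Open and Manual overrides Auto when two actuated causes disagree is an assumption of this example, not a statement of the standard.

```python
"""Evaluator and consistency checker for a cause-and-effect matrix.

Added example; not code from the standard. The matrix below is the Level 4
(Equipment Protection) matrix for K-304 as transcribed from Figure 9, and
the cell codes are those listed on the cause-and-effect matrix form (O, C,
R, S, TD, V, A, M, TS, Th; TD accompanies another code, written e.g. "S+TD").
A cause is actuated when its process switch has tripped or, for a manual
input, when the pushbutton is pushed. When two actuated causes command the
same output, the protective action wins; that precedence is an assumption.
"""
from __future__ import annotations

from dataclasses import dataclass

LEGEND = {
    "O": "Open", "C": "Close", "R": "Run", "S": "Stop", "TD": "Time Delay",
    "V": "Vent", "A": "Auto", "M": "Manual", "TS": "Timed Step", "Th": "Throttling",
}
# Assumed fail-safe precedence: the key overrides the value on the same output.
OVERRIDES = {"S": "R", "C": "O", "M": "A"}


@dataclass(frozen=True)
class Cause:
    name: str
    manual: bool = False   # pushbuttons and hand switches


@dataclass
class CEMatrix:
    level: str
    effects: list[str]
    rows: dict[Cause, dict[str, str]]   # cause -> {effect: cell code}

    def validate(self) -> list[str]:
        """Return a list of problems; an empty list means the matrix is consistent."""
        problems: list[str] = []
        used: set[str] = set()
        for cause, cells in self.rows.items():
            if not cells:
                problems.append(f"cause '{cause.name}' has no effect")
            for effect, cell in cells.items():
                if effect not in self.effects:
                    problems.append(f"unknown effect '{effect}' for '{cause.name}'")
                used.add(effect)
                codes = cell.split("+")
                for code in codes:
                    if code not in LEGEND:
                        problems.append(f"code '{code}' for '{cause.name}' is not in the legend")
                if codes == ["TD"]:
                    problems.append(f"'{cause.name}': TD must accompany another relationship")
        for effect in self.effects:
            if effect not in used:
                problems.append(f"effect '{effect}' has no cause")
        return problems

    def evaluate(self, actuated: set[str]) -> dict[str, str | None]:
        """Resolve the action commanded on every effect by the actuated causes."""
        commands: dict[str, str | None] = {e: None for e in self.effects}
        for cause, cells in self.rows.items():
            if cause.name not in actuated:
                continue
            for effect, cell in cells.items():
                codes = [c for c in cell.split("+") if c != "TD"]
                if not codes:
                    continue
                current = commands[effect]
                # The first command stands unless a later one is its protective override.
                if current is None or OVERRIDES.get(codes[0]) == current:
                    commands[effect] = codes[0]
        return commands


PUMP = "Vac. pump start/run permissive"
VALVE = "K-304 discharge block valve"

# Transcribed from Figure 9 (Level 4, Equipment Protection).
K304_LEVEL4 = CEMatrix(
    level="Level 4 Equipment Protection",
    effects=[PUMP, VALVE],
    rows={
        Cause("K-304 high disch. press. PSHH [34.5 kPa (5 psig)]"): {PUMP: "S", VALVE: "C"},
        Cause("High disch. press. reset pushbutton", manual=True): {PUMP: "R", VALVE: "O"},
        Cause("K-304 disch. valve closed"): {PUMP: "S"},
    },
)
```

Evaluating the matrix with both the PSHH trip and the reset pushbutton actuated returns Stop and Close, which is the behaviour the written description expects: a reset pushed while the pressure is still high must not restart the pump or open the valve.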


The logic diagram uses the same inputs (causes) and outputs
(effects) that are used in the written description and the cause-
and-effect matrix. The logic diagram represents in graphical
form the cause-effect relationship that exists between the
causes and effects of the cause-and-effect matrix as described
by the written description. A separate logic diagram should be
developed for each written description.

Although the logic functions and symbols described in Figure 7 can be used to define the logic for sequences, the binary logic diagram can become very complicated and can be difficult to understand. When sequences are involved in the shutdown logic, use sequential function charts to describe the sequences. Sequential function charts provide a much more intuitive method of representing sequences.

Sequential function charts were specifically designed for describing sequential control systems, which are very common in batch processes. Because Saudi Aramco has a number of processes that utilize batch/sequential logic, sequential function charts are very relevant to Saudi Aramco operations. The following are some examples of where batch/sequential process control are used within Saudi Aramco:

CCR

Gasoline/Kero blending

Gas/Kero bulk plants

Distribution operations

Demineralizers

R. O. plants

Sulfur prilling operations

Pipelining different batches of oil or associated products, separated by a scraper


Three basic elements are used to develop a sequential function chart: steps, transitions, and directed links (including double links) (see Figure 10). Steps are represented by squares. The initial step in a sequence is represented by a square within a square. Steps are given either a sequential number or a description. Transitions are represented by horizontal lines between the steps. Directed links tie steps and transitions together to form complete sequential function charts. Double links are used when steps must operate concurrently.

GRAPHIC ELEMENT / NAME

INITIAL STEP (a square within a square)

STEP (a square)

TRANSITION (a horizontal line)

DIRECTED LINKS

DOUBLE LINK

Figure 10. Basic Elements In A Sequential Function Chart


Each step in the sequential function chart represents a


command or action that is either active or inactive. Control
passes from an active step to the next step based on the
condition of the transition (true or false) between these two
steps. If the transition condition is true, control passes to the
next step. When control passes to the next step, the next step
becomes active, and the previous step becomes inactive. An
example of a sequential function chart is shown in Figure 11.
This example shows an overall batch reactor sequence. There
are five steps in this sequence. When the pumpout step is
active, and the "pumpout step complete" transition goes true,
the sequence recycles back to the initialization step. Each step
in this overall sequence is given a descriptive name. Most
sequences start with an initialization step. As the name
"initialization" implies, initialization is the step where things get
initialized to their starting values. Some typical examples are
shown below:

Verify that all shutdown interlocks have been cleared

Verify that there is enough ingredient A and ingredient B in storage to complete the batch

Reset ingredient A flow totalizer accumulated value and ingredient B flow totalizer accumulated value to zero

Put ingredient A flow controller and ingredient B flow controller in the automatic mode with their set points set to zero

Figure 11 also shows an example of concurrent steps. In Figure 11, ingredient A and ingredient B are charged concurrently. Sequential function charts also provide for alternative paths (see Figure 11). When the hold step is active, the flow of the sequence is determined by the two transition conditions following the hold step. The transition condition that goes true first will determine which path the sequence will follow. If the sample that was sent to the laboratory is approved, the sequence will continue normally, and the pumpout step will become active. If the sample that was sent to the laboratory is rejected, the sequence will branch back to feeding ingredient A and ingredient B.


Two levels of sequential function charts are usually needed to describe a shutdown interlock sequence. Figure 11 shows the overall batch reactor sequence using a sequential function chart. Figure 12 shows a further breakdown of the "Add ingredient A" step using a sequential function chart. This sequential function chart is shown differently than the sequential function chart in Figure 11 (overall reactor sequence) because this sequential function chart interacts directly with the input devices, the output devices, and the binary logic in the binary logic diagram. In Figure 11, the steps were given descriptive names, but the steps were not given step numbers. Step numbers were not used in Figure 11 because the descriptive names have more meaning than step numbers do at this level of the sequence. In Figure 12, step numbers are used, but descriptive names are not used. Descriptive names generally do not have as much meaning when the sequential function chart interacts directly with equipment and the binary logic. For example, several actions may be taken when a particular step is active, as shown by step 6, and it may be difficult to find a suitable descriptive name for this step.


Initialize
1

Initialization Complete

Add ingredient A Add ingredient B

Ingredient A and Ingredient B feeds complete

Heat

Reactor at desired temperature

Hold
Sample rejected by lab

Sample approved by lab

Pumpout

Pumpout complete

Figure 11. Sequential Function Chart Showing Overall Sequence
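The step and transition rules described above (a step is active or inactive, control passes when the transition condition is true, double links start and join concurrent steps, and two transitions leaving one step form alternative paths) are small enough to execute directly, which is a practical way to confirm that a chart such as Figure 11 reaches and leaves the states the description claims. The following interpreter is an added example, not code from this standard; it runs the overall batch reactor sequence of Figure 11. One assumption goes beyond the page: when both transitions leaving the hold step are true on the same scan, the first listed wins, since the page only says that the condition that goes true first decides the path.

```python
"""Interpreter for sequential function charts built from steps, transitions
and directed/double links, running the Figure 11 batch reactor sequence.

Added example; not code from the standard. A transition fires when every
source step is active and its condition is true; it then deactivates the
source steps and activates the target steps. Several targets = double link
into concurrent steps; several sources = double link joining them. Two
transitions leaving the same step are alternative paths; if both are true on
one scan the first listed wins (assumption).
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Transition:
    sources: frozenset[str]
    condition: str
    targets: frozenset[str]


def link(sources: str | list[str], condition: str, targets: str | list[str]) -> Transition:
    """Build a transition from a step name or a list of step names on either side."""
    src = {sources} if isinstance(sources, str) else set(sources)
    tgt = {targets} if isinstance(targets, str) else set(targets)
    return Transition(frozenset(src), condition, frozenset(tgt))


class SFC:
    def __init__(self, initial: str, transitions: list[Transition]) -> None:
        self.transitions = transitions
        self.active: set[str] = {initial}   # the initial step is active at start

    def scan(self, true_conditions: set[str]) -> set[str]:
        """One scan: fire every enabled transition whose condition is true."""
        consumed: set[str] = set()      # source steps already taken by a fired transition
        to_activate: set[str] = set()
        for t in self.transitions:
            enabled = t.sources <= self.active and not (t.sources & consumed)
            if enabled and t.condition in true_conditions:
                consumed |= t.sources
                to_activate |= t.targets
        self.active = (self.active - consumed) | to_activate
        return set(self.active)

    def run(self, scans: list[set[str]]) -> list[set[str]]:
        """Apply one set of true conditions per scan; return the active steps after each."""
        return [self.scan(c) for c in scans]


ADD_A, ADD_B = "Add ingredient A", "Add ingredient B"


def figure_11_chart() -> SFC:
    """Overall batch reactor sequence of Figure 11."""
    return SFC("Initialize", [
        link("Initialize", "Initialization complete", [ADD_A, ADD_B]),     # double link out
        link([ADD_A, ADD_B], "Ingredient A and B feeds complete", "Heat"),  # double link join
        link("Heat", "Reactor at desired temperature", "Hold"),
        link("Hold", "Sample rejected by lab", [ADD_A, ADD_B]),             # alternative path
        link("Hold", "Sample approved by lab", "Pumpout"),
        link("Pumpout", "Pumpout complete", "Initialize"),                  # recycle
    ])
```

Driving the chart with one true condition per scan walks it through initialization, the concurrent feeds, heating, the hold with a rejected sample (back to the feeds), a second hold with an approved sample, and the pumpout that recycles to initialization.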


1 Reset ingredient A flow totalizer to zero

Ingredient A flow totalizer reset to zero

2 Open and hold ingredient A charge valve

Ingredient A charge valve open

3 Start ingredient A storage tank pump

Enough of ingredient A charged to cover agitator blades

4 Start agitator

95% of ingredient A charged

5 Close ingredient A valve to the dribble position

100% of ingredient A added

6 Close and hold ingredient A charge valve; Turn off ingredient A storage tank pump

Figure 12. Sequential Function Chart Showing Control Steps For Adding Ingredient A


WORK AID 1: RECOMMENDED METHODOLOGY FOR DEVELOPING A CAUSE-AND-EFFECT MATRIX FOR AN ESD SYSTEM.

Using HAZOP study results and a P&ID as inputs, Work Aid 1 provides a methodology for developing a cause-and-effect matrix for an ESD system. The inputs, outputs, and relationships between inputs and outputs that are developed are entered into the cause-and-effect matrix form that is provided. An example cause-and-effect matrix form is shown in Figure 20. A separate cause-and-effect matrix form is provided for each level of shutdown. The recommended methodology is shown below.

1. Review the Actions column of the HAZOP Worksheet and note each Level 1 shutdown (Total Plant Shutdown) that is recommended. For each Level 1 shutdown, document the following information in the Level 1 HAZOP Summary form that is provided. An example HAZOP Summary form is shown in Figure 21.

Enter the recommended Level 1 shutdowns in the Shutdowns column.

For each Level 1 shutdown, enter the deviation that the shutdown will detect or the consequence that the shutdown will protect against in the Deviation and/or Consequence column.

For each Level 1 shutdown, enter the recommended input signal in the Input column, and enter the recommended set point in the Set Point column. When the shutdown involves a sequence of steps, each step will be an input signal.

For each Level 1 shutdown, enter the action that is to be taken as a result of the shutdown in the Shutdown Action column.

For each Level 1 shutdown, enter any integrity level requirements in the Integrity Level Requirements column.

When more than one Level 1 shutdown has the same Recommended Shutdown and the same Shutdown Action, combine those Level 1 shutdowns into one entry in the HAZOP Summary form.


EFFECT (THEN)
CAUSE (IF)

Legend: O = Open, C = Close, R = Run, S = Stop, TD = Time Delay, V = Vent, A = Auto, M = Manual, TS = Timed Step, Th = Throttling

Figure 20. Cause-And-Effect Matrix Form Example


Figure 21. HAZOP Summary Form Example


2. Repeat the steps in Item 1 as they apply to the HAZOP Summary Forms for Level 2 shutdowns (Unit Isolation), Level 3 shutdowns (Equipment Isolation), Level 4 shutdowns (Equipment Protection), and Level 5 shutdowns (Regulatory Alarms & Permissives).

3. For each recommended shutdown on these HAZOP Summary forms, do the following:

Ensure that the input for each shutdown will be a good indicator to signal the presence of either the expected deviation or the expected consequence. For example, if the consequence is high pressure that could cause a reactor to rupture, reactor pressure would be a good indicator, but reactor level probably would not be a good indicator. If there are reasons why the recommended input would not be a good indicator of the deviation or the expected consequence, discuss these reasons with the HAZOP study team or the designated Operations or Loss Prevention Representative to resolve this issue and to ensure that the proper input is used. Update the HAZOP Worksheet and the HAZOP Summary forms as necessary.

Review the recommended set point for each input to ensure that this value is a reasonable actuation value for the shutdown. If there are reasons why the recommended set point would not be a reasonable actuation value for this input, discuss these reasons with the HAZOP study team to resolve this issue and to ensure that the proper set point is used. Update the HAZOP Worksheet and the HAZOP Summary forms as necessary.


Review the recommended action that is specified for each shutdown to ensure that this action will either mitigate the effects of the deviation and/or prevent the consequence from occurring. If there are reasons why the recommended shutdown action would not either mitigate the effects of the deviation and/or prevent the consequence from occurring, discuss these reasons with the HAZOP study team to resolve this issue and to ensure that the proper action will be taken when the shutdown is actuated. Update the HAZOP Worksheet and the HAZOP Summary forms as necessary.

Review the integrity level requirements for each shutdown to ensure that these requirements are reasonable. If there are reasons why the integrity level requirements are not reasonable, discuss these reasons with the HAZOP study team to resolve this issue and to ensure that the proper integrity level requirements will be met. Update the HAZOP Worksheet and the HAZOP Summary forms as necessary.

Review the comments associated with each shutdown to determine if these comments will affect the design of the ESD system. Resolve any questions with the HAZOP study team. Update the HAZOP Worksheet and the HAZOP Summary forms as necessary.

4. For each input that is to be entered in an input row, do the following:

Transfer the input and set point for each Level 1 shutdown to the input column of the cause-and-effect matrix that is provided for Level 1 shutdowns.

Repeat this action for the inputs and set points for Level 2, Level 3, and Level 4 shutdowns.


5. For each input device that is to be added to a P&ID, do the following:

Add an appropriate symbol for each input device at the expected location for this input device on the P&ID.

Give each input device a tag name (even if only preliminary).

Enter this tag name in the input column for that shutdown on the cause-and-effect matrix and in the symbol for that input device on the P&ID.

6. For each action to be taken in the Actions column in the HAZOP Summary forms, do the following:

Determine what type of output device will be needed to cause this action to be taken.

Enter this output on the appropriate cause-and-effect matrix (Level 1 through 4) for that particular shutdown.

When the shutdown involves a sequence of steps, one output should be "Advance to next step."

7. For each output device that is to be added to the P&ID, do the following:

Add an appropriate symbol for each output device at the expected location for this output device on the P&ID.

Give each output device a tag name (even if only preliminary).

Enter this tag name in the output column for that shutdown on the cause-and-effect matrix and on the symbol for that output device on the P&ID.


8. For relationships between input devices and output devices, do the following:

- Determine the relationship between the input devices and the output devices on the cause-and-effect matrix for each shutdown level (Levels 1 through 4).

- The following relationships may be used, as noted at the bottom of the cause-and-effect matrix form:

  - O (Open) Actuation of the input device opens the output device.

  - C (Close) Actuation of the input device closes the output device.

  - R (Run) Actuation of the input device starts the output device.

  - S (Stop) Actuation of the input device stops the output device.

  - TD (Time Delay) Actuation of the input device causes some action to be taken on the output device after a period of time that is specified by the amount of the time delay. This relationship is normally used in conjunction with one of the other relationships.

  - V (Vent) Actuation of the input device causes a piece of process equipment to be vented to the atmosphere, to a flare, or to some other process system.

  - A (Auto) Actuation of the input device puts the output device into the automatic control mode. This relationship may also be used to designate the way a sequencer advances to the next step.

  - M (Manual) Actuation of the input device puts the output device into the manual control mode. This relationship may also be used to designate the way a sequencer advances to the next step.


  - TS (Timed Step) This relationship is typically used to designate the way a sequencer advances to the next step.

  - Th (Throttling) Actuation of the input device causes the output device to be throttled under controller action.

- Enter that relationship at the intersection of the input device and the output device on the cause-and-effect matrix.

9. For each manual input that is to be entered in an input row, do the following:

- Determine what manual inputs are required, such as reset pushbuttons.

- Enter these inputs on the cause-and-effect matrix.

- Determine the relationship between the manual input devices and the output devices.

- Enter that relationship at the intersection of the manual input device and the output device on the cause-and-effect matrix.


WORK AID 2: PROCEDURES USED TO DEVELOP LOGIC DIAGRAMS FOR ESD SYSTEMS

Work Aid 2 describes procedures that are used to develop logic diagrams for ESD systems. Using a cause-and-effect matrix and a P&ID as inputs, Work Aid 2A describes the procedures for developing a written description for an ESD system. The written description describes the translation of the cause-and-effect matrix to an annotated logic diagram for the ESD system. Work Aid 2B describes the procedures that are needed to develop an annotated logic diagram for an ESD system using a written description and a P&ID as inputs.

A two-step procedure is needed to develop an annotated logic diagram from a cause-and-effect matrix. The first step of the procedure is described in Work Aid 2A. The second step of the procedure is described in Work Aid 2B. A P&ID is used as input to both steps of this procedure.

Work Aid 2A: Procedure for Developing Written Descriptions

1. Develop a separate written description for each cause-and-effect matrix.

2. Describe each relationship from the cause-and-effect matrix in text as follows:

- Using the input from the cause-and-effect matrix, including the tag name of the input device (if available) and the set point, describe the action that must occur with the input device in order to cause shutdown actuation.

- Relate the input device to the actual process equipment as defined on the P&ID. An example follows:

"Redundant pressure transmitters (PT-153A and PT-153B) are used to measure the pressure in the PVC reactor. When the output of either (or both) pressure transmitter exceeds the set point of 689 kPa (100 psig), a high pressure shutdown is actuated."


- Using the output(s) from the cause-and-effect matrix, including the tag name of the output device(s) (if available), describe the effect that the shutdown actuation has on the output device(s).

- Relate the output device to the actual process equipment as defined on the P&ID. An example follows:

"The high pressure shutdown in the PVC reactor stops the feeds of all materials into the reactor, opens the redundant emergency vent valves ZV-155A and ZV-155B, and actuates a visual and audible shutdown alarm."

- Describe the method that is used to reset the shutdown once process conditions return to normal. Normally, shutdown resets will involve the use of manual inputs from the cause-and-effect matrix. An example follows:

"When the outputs of both pressure transmitters on the PVC reactor drop below the set point of 689 kPa (100 psig), the high pressure shutdown alarm clears. The operator can now push the high pressure shutdown reset pushbutton to reset the shutdown. When the high pressure shutdown is reset, the redundant emergency vent valves close. Operator intervention in the basic process control system (BPCS) is needed to restart feeds to the reactor."

3. Mark up the P&IDs as necessary.


Work Aid 2B: Procedure for Developing Logic Diagrams

1. Develop a separate binary logic diagram for each written description. An example binary logic diagram template is shown in Figure 22.

2. For each input device in the written description, do the following:

- Show the input device from the written description in the input section of the binary logic diagram. An example of the format that is used for input devices is shown in Figure 23.

- Put a statement describing the input in front of the input symbol.

- Put the tag number of the input device (if known) inside the circle.

- Put manual inputs that are used to reset shutdowns in the field section near the input device that causes the shutdown to actuate.

- Place a statement on the input signal line that describes the state of the input device when the input device is in the shutdown condition (see Figure 23).


[Figure 22. Binary Logic Diagram Template (drawing not reproduced): a sheet divided into three columns headed INPUTS, LOGIC and OUTPUTS.]


[Figure 23. Binary Logic Diagram Example (drawing not reproduced). The sheet uses the INPUTS / LOGIC / OUTPUTS columns of Figure 22, with callouts marking the input symbol and the output symbol. Legible content of the drawing:

- Inputs: LSHH-306, T-303 high level shutdown, signal line "High Level = 0"; PB-301, T-303 high level shutdown reset, signal line "Reset = 1"; PSHH-310, K-304 high discharge pressure shutdown, signal line "High Pressure = 0"; PB-302, K-304 high discharge pressure shutdown reset, signal line "Reset = 1"; ZSL-301, K-304 discharge block valve closed, signal line "Valve Closed = 1".

- Logic: each reset pushbutton feeds an OR element, and each shutdown switch feeds an A (AND) element, giving one latched shutdown for T-303 high level and one for K-304 high discharge pressure; ZSL-301 feeds an A (AND) element for the K-304 run permissive.

- Outputs: LAHH-306, T-303 high level shutdown alarm signal (alarm on when output = 0); ZV-301, K-304 discharge block valve (closes when output = 0); PAHH-310, K-304 high discharge pressure shutdown alarm signal (alarm on when output = 0); K-304 run permissive.]

3. For each output device from the written description, do the following:

- Show the output devices from the written description in the output section of the binary logic diagram. An example of the format that is used for output devices is shown in Figure 23.

- Put a statement describing the output after the output symbol. This statement should describe the state of the output device when the output device is in the shutdown condition.

- Put the tag number of the output device (if known) inside the circle.

4. When the shutdown logic does not include sequencing, do the following:

- Show the logic devices that represent the logic described in the written description in the logic section of the binary logic diagram.

- Use horizontal lines to connect input devices and output devices with the logic. An example is shown in Figure 23.

5. When sequential function charts are used to describe sequences in the shutdown interlocks, do the following:

- Use binary logic diagrams to represent the remainder of the shutdown logic.

- Use the actions described in the sequential function charts as inputs to the binary logic diagrams.

- Use logic developed in the binary logic diagrams to activate the transitions in the sequential function chart.

The binary logic diagram in Figure 24 shows how the actions described in a sequential function chart interact with the binary logic diagram.

[Figure 24. Using Sequential Function Chart Actions In Binary Logic Diagrams (drawing not reproduced). Same INPUTS / LOGIC / OUTPUTS layout as Figure 23. Legible content of the drawing:

- T-501 reactor high level shutdown: LSHH-506, T-501 reactor high level shutdown, signal line "High Level = 0", and PB-501, T-501 reactor high level shutdown reset, signal line "Reset = 1", feed OR and A (AND) logic; output LAHH-506, T-501 reactor high level shutdown alarm signal (alarm on when output = 0).

- T-501 reactor high pressure shutdown: PSHH-510, T-501 reactor high pressure shutdown, signal line "High Pressure = 0", and PB-502, T-501 reactor high pressure shutdown reset, signal line "Reset = 1", feed OR and A (AND) logic; output PAHH-510, T-501 reactor high pressure shutdown alarm signal (alarm on when output = 0).

- Sequential function chart actions as inputs: "T-501 Reactor Batch Sequence In ADD INGREDIENT A, Step 2" and "... ADD INGREDIENT A, Step 6", each with signal line "Step Active = 1", feed an OR and then an A (AND) element; output ZV-501, T-501 reactor ingredient A block valve (closes when output = 0). The same arrangement for "ADD INGREDIENT B, Step 2" and "ADD INGREDIENT B, Step 6" drives ZV-502, T-501 reactor ingredient B block valve (closes when output = 0).]
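The diagrams in Figures 23 and 24 are meant to be read as de-energize-to-trip logic: the healthy state of every switch is the 1-state, the reset pushbutton is OR'ed with the latch's own output, and the output symbol notes say what happens when the output drops to 0. The following is an added example, not code from this standard or from any Saudi Aramco system: a scan-based solver for the K-304 high discharge pressure shutdown of Figure 23 that makes those conventions explicit, together with the two time delay functions defined in the glossary (DELAY TO ON and DELAY TO OFF). The tags are the figure's; the seal-in latch structure, the use of a DELAY TO ON timer to alarm a valve that does not reach its closed limit switch, the run permissive logic and the two scripted scan sequences are assumptions made for the example.

```python
"""Scan-based solver for the binary logic of Figure 23 (K-304 high discharge
pressure shutdown). Added example; it is not the standard's own code.

Signals follow the glossary's 0-state / 1-state convention (0 = energy absent,
1 = energy present). Every trip path is de-energize-to-trip: the switch is
healthy at 1, and loss of the signal, a broken wire or lost power all drive the
output to the 0-state, which is the fail-safe (valve closed, alarm on) state.
Tags are those in the figure; the seal-in latch, the scan-based timers, the
permissive logic and the scripted scenarios are assumptions.
"""


class DelayToOn:
    """DELAY INITIATION (DELAY TO ON): output goes to 1 only after the input
    has stayed at 1 for `delay` consecutive scans; it drops to 0 at once."""

    def __init__(self, delay: int) -> None:
        self.delay = delay
        self.count = 0

    def step(self, inp: int) -> int:
        self.count = self.count + 1 if inp else 0
        return 1 if inp and self.count >= self.delay else 0


class DelayToOff:
    """DELAY TERMINATION (DELAY TO OFF): output follows the input to 1 at once
    and stays at 1 for `delay` scans after the input returns to 0."""

    def __init__(self, delay: int) -> None:
        self.delay = delay
        self.remaining = 0

    def step(self, inp: int) -> int:
        if inp:
            self.remaining = self.delay
            return 1
        if self.remaining > 0:
            self.remaining -= 1
            return 1
        return 0


class ShutdownLatch:
    """Seal-in latch: out = switch_healthy AND (reset_pb OR previous out).
    A 0 from the switch de-energizes the output, and the output stays at 0
    until the switch is healthy again AND the operator presses reset."""

    def __init__(self) -> None:
        self.out = 0   # a freshly powered solver is tripped until reset

    def step(self, switch_healthy: int, reset_pb: int) -> int:
        self.out = 1 if switch_healthy and (reset_pb or self.out) else 0
        return self.out


class K304HighPressureShutdown:
    """Inputs: PSHH-310 (High Pressure = 0), PB-302 (Reset = 1), ZSL-301
    (Valve Closed = 1). Outputs: ZV-301 (closes when output = 0), PAHH-310
    (alarm on when output = 0), K-304 run permissive, and an assumed
    valve-travel alarm built from a DELAY TO ON timer."""

    def __init__(self, travel_scans: int = 3) -> None:
        self.latch = ShutdownLatch()
        self.travel = DelayToOn(travel_scans)

    def scan(self, pshh_310: int, pb_302: int, zsl_301: int) -> dict:
        out = self.latch.step(pshh_310, pb_302)
        # Shutdown commanded but the closed limit switch not yet made: the timer
        # runs, and after `travel_scans` scans the valve is reported as failed.
        valve_fail = self.travel.step(int(out == 0 and not zsl_301))
        # Assumed permissive from the figure: run only when not shut down and
        # the discharge block valve is proven closed.
        run_permissive = int(bool(out) and bool(zsl_301))
        return {"shutdown_out": out, "zv301_closed": int(out == 0),
                "pahh310_on": int(out == 0), "valve_fail_alarm": valve_fail,
                "run_permissive": run_permissive}


# Constructed scenarios, one tuple per scan: (PSHH-310, PB-302, ZSL-301)
NORMAL_SCENARIO = [
    (1, 1, 1),  # 0 healthy, operator presses reset, valve closed: system resets
    (1, 0, 0),  # 1 ZV-301 has opened; latch holds itself in without the pushbutton
    (1, 0, 0),  # 2
    (0, 0, 0),  # 3 PSHH-310 drops to 0: shutdown, ZV-301 commanded closed
    (0, 0, 0),  # 4 valve travelling
    (0, 0, 1),  # 5 ZSL-301 proves the valve closed
    (1, 0, 1),  # 6 pressure back below set point, but the latch stays tripped
    (1, 0, 1),  # 7
    (1, 1, 1),  # 8 operator presses reset: output re-energizes
    (1, 0, 1),  # 9 pushbutton released, latch holds
]
STUCK_VALVE_SCENARIO = [
    (1, 1, 1), (1, 0, 0),
    (0, 0, 0),  # 2 trip
    (0, 0, 0),  # 3
    (0, 0, 0),  # 4 third scan without ZSL-301: valve-travel alarm
    (0, 0, 0),  # 5
    (0, 0, 1),  # 6 valve finally proves closed, alarm clears
]


def run_scenario(scenario, travel_scans: int = 3) -> list:
    """Run one scripted scenario through a fresh solver and return the trace."""
    logic = K304HighPressureShutdown(travel_scans)
    return [logic.scan(*inputs) for inputs in scenario]


if __name__ == "__main__":
    for i, row in enumerate(run_scenario(NORMAL_SCENARIO)):
        print(i, row)
```

Two points the trace makes that the diagram alone does not: at scan 6 the pressure switch is healthy again but the latch stays at 0 until PB-302 is pressed at scan 8, which is the "reset" behaviour the written description in Work Aid 2A asks you to spell out; and the valve-travel alarm only fires when the closed limit switch is not made within the allowed travel time, which is the kind of diagnostic that belongs beside a final element rather than in the trip path itself. `DelayToOff` is included so both glossary timer forms are present and testable; it is not used in this particular shutdown.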

GLOSSARY

0-state: A state of input and output signals in binary logic that defines the absence of energy.

1-state: A state of input and output signals in binary logic that defines the presence of energy.

AND function: A logic function in which the output assumes the 1-state if and only if all inputs assume the 1-state.

annotated logic diagram: A graphical method for showing ESD inputs, outputs, and internal logic using AND/OR, timer, or counter logic elements with basic logic statements embedded in the diagram.

basic process control system (BPCS): A system that responds to input signals from the equipment under control and/or from an operator and generates output signals, causing the equipment under control to operate in the desired manner.

binary logic diagram: A method of representing the logic in binary interlock and sequencing systems using abstract logic functions such as AND, OR, and NOT.

cause dimension: The section of a cause-and-effect matrix in which the ESD system inputs are shown.

cause-and-effect matrix: A form of state table that is used for showing the relationship between a process input and an output device in binary interlock and sequencing systems.

cause: A reason why a deviation might occur.

consequence: The direct, undesirable result of a deviation that usually involves a fire, explosion, or release of toxic material.

DELAY INITIATION (DELAY TO ON) logic function: A time delay function in which the time delay occurs when the input changes from the 0-state to the 1-state.

DELAY TERMINATION (DELAY TO OFF) logic function: A time delay function in which the time delay occurs when the input changes from the 1-state to the 0-state.


deviation: A departure from the design intention that is discovered by systematically applying the guide words to process parameters during a HAZOP.

effects dimension: The section of a cause-and-effect matrix in which the ESD system outputs are shown.

emergency shutdown system (ESD): A system composed of sensors, logic solvers, and isolation devices that takes the process to a safe state when predetermined conditions are violated.

exclusive OR function: A logic function in which the output assumes the 1-state if one, and only one, input assumes the 1-state.

fail-safe: A concept that defines the failure direction of a component or system as a result of specific malfunctions. The failure direction is toward a safer or less hazardous condition.

functionality: The way that a system is designed to work.

guide word: Simple words that are used to qualify or quantify the design intention and to guide and stimulate the brainstorming process for identifying process hazards and/or operability problems during a HAZOP.

hazard and operability study (HAZOP): A systematic, detailed hazards analysis technique applied to processes to identify and qualify deviations from design or normal operations that have the potential to place the plant, environment, or personnel at risk.

hazardous event: An occurrence related to equipment performance or human action, or an occurrence external to the system that causes system upset, that has the potential for causing harm to people, property, or the environment.

HAZOP worksheet: A tabular method for documenting the results of a HAZOP.

integrity level: An indicator of ESD system performance.

ladder diagram: A diagram that uses symbols and a plan of connections to represent the logic in binary interlock and sequencing systems.

manual input: An input for the cause dimension of a cause-and-effect matrix that represents human action.


memory flip-flop: A logic function that provides memory capability.

NOT function: A single input, single output logic function in which the output state is the complement of the input state.

OR function: A logic function in which the output assumes the 1-state if one or more inputs assume the 1-state.

piping and instrument diagram (P&ID): A graphical method for representing the physical equipment, piping, and instrumentation in a process.

protection layer: A grouping of equipment and/or administrative controls that functions to avoid the occurrence of or reduce the effect of a specific hazardous event.

PVC: An abbreviation for polyvinyl chloride.

recommended action: Suggestions for design changes, procedural changes, or areas for further study that are a result of looking at deviations and potential consequences during a HAZOP.

sequential function chart: A graphical diagramming method that uses steps, transitions, and directed links in order to represent a logic sequence.

shutdown interlock: A device or group of devices that functions to avoid a hazardous event. A shutdown interlock operates by sensing a limit or off-limit condition or improper sequence of events, and then shutting down the offending or related piece of equipment or preventing progress in an improper sequence.

time delay function: A logic function in which the response of the output is delayed following a change in the input.

VCM: An abbreviation for vinyl chloride monomer.

written description: A method of using textual statements to describe the translation from a cause-and-effect matrix to an annotated logic diagram.
