
KEYSTONE PIPELINE FACILITIES

PROCESS ESD PHILOSOPHY

Keystone Pipeline Facilities


Process ESD Philosophy

Revision Level: 0 – Issued for Use


Issue Date: 19-Jul-12

Rev 0 Page i 19-Jul-12


P:\405-FAC-AUTOMATION\6.0 Design Standards\1.0 I&C\2.0 ESD Philosophy\Keystone Process ESD Philosophy Rev 0.doc

Revision Index

REV DESCRIPTION PREPARED BY REVIEWED BY APPROVED BY

0 Issued for Use J. Patrick R. Knopp V. Cabrejo


19-Jul-12 M. Malinowski R. Stichbury
R. Stichbury

T. Pollock
D. Wascherol


TABLE OF CONTENTS
TABLE OF CONTENTS ........................................................................................................................................... 1

1. INTRODUCTION .............................................................................................................................................. 3
1.1 OVERVIEW..................................................................................................................................................... 3
1.2 DOCUMENT SCOPE AND PURPOSE.................................................................................................................. 3
1.3 ACRONYMS AND ABBREVIATIONS ................................................................................................................. 3
1.4 DEFINITIONS .................................................................................................................................................. 5

2. GUIDING PRINCIPLES ................................................................................................................................... 6


2.1 FACILITY ESD RATIONALE ........................................................................................................................... 6
2.2 LOSS OF CONTAINMENT RISK ........................................................................................................................ 7
2.2.1 Loss of Containment – Sump Tanks ...................................................................................................... 7
2.2.2 Loss of Containment – Product Tanks .................................................................................................. 8
2.2.3 Loss of Containment – Elevation Differences at Terminals.................................................................. 8
2.3 FACILITY ESD INITIATORS ............................................................................................................................ 9
2.3.1 Manual Facility ESD Pushbuttons...................................................................................................... 10
2.3.2 Confirmed Fire in a Facility Electric Equipment Shelter ................................................................... 10
2.3.3 Sump Tank Level High High ............................................................................................................... 10
2.3.4 Facility PLC Failure........................................................................................................................... 11
2.3.5 Control System Power Failure............................................................................................................ 11
2.4 FACILITY ESD PUSHBUTTON LOCATION CRITERIA ..................................................................................... 11
2.5 FACILITY ESD – HARDWIRED BACK-UP ...................................................................................................... 11
2.6 EQUIPMENT E-STOP RATIONALE ................................................................................................................. 12
2.7 EQUIPMENT E-STOP – HARDWIRED BACK-UP ............................................................................................. 13
2.8 VALVE ACTUATORS .................................................................................................................................... 13

3. FACILITY ESD ................................................................................................................................................ 13


3.1 PUMP STATIONS .......................................................................................................................................... 13
3.1.1 Pump Stations Without Pig Traps....................................................................................................... 13
3.1.2 Pump Stations With Pig Traps............................................................................................................ 14
3.1.3 Pump Station ESD .............................................................................................................................. 15
3.2 TERMINALS ................................................................................................................................................. 16
3.2.1 Overview ............................................................................................................................................. 16
3.2.2 Terminal ESD ..................................................................................................................................... 16
3.3 DELIVERY STATIONS ................................................................................................................................... 16
3.3.1 Overview ............................................................................................................................................. 16
3.3.2 Delivery Station ESD .......................................................................................................................... 17
3.4 INTERCONNECT FACILITIES ......................................................................................................................... 18
3.4.1 Overview ............................................................................................................................................. 18
3.4.2 Interconnect Facility ESD .................................................................................................................. 18


3.4.3 Third Party Connected Facilities........................................................................................................ 18


3.5 IMLV SITES ................................................................................................................................................ 18

4. EQUIPMENT E-STOP .................................................................................................................................... 19


4.1 PUMP STATIONS .......................................................................................................................................... 19
4.2 TERMINALS ................................................................................................................................................. 19
4.3 INTERCONNECT FACILITIES ......................................................................................................................... 19

5. BUILDING/SYSTEM ESD.............................................................................................................................. 19
5.1 QUALITY MEASUREMENT BUILDINGS ......................................................................................................... 19
5.1.1 Quality Measurement Overview ......................................................................................................... 19
5.1.2 Quality Measurement System ESD ..................................................................................................... 19
5.2 GAUGERS LABS ........................................................................................................................................... 20
5.3 FIELD SERVICE BUILDINGS .......................................................................................................................... 21

6. PRESSURE RELIEF SYSTEMS .................................................................................................................... 21


6.1 OVERVIEW................................................................................................................................................... 21
6.2 TERMINALS ................................................................................................................................................. 21
6.3 DELIVERY STATIONS ................................................................................................................................... 21


1. INTRODUCTION

1.1 Overview

The Keystone XL pipeline consists of a crude oil pipeline and related facilities located in both Canada and the
United States. There are a number of different types of facilities on the pipeline:

• Pump Stations

• Terminals

• Delivery Stations
• Interconnect Facilities

• Intermediate Block Valve (IMLV) sites

With the exception of IMLV sites, each facility has an Emergency Shutdown (ESD) system. The intent of
this document is to define the TCPL ESD Philosophy for each facility type on the Keystone Pipeline
system.

1.2 Document Scope and Purpose

The scope of this document is limited to facility ESD systems on the Keystone Pipeline system. The
Keystone Pipeline system includes Keystone Pipeline Phases 1 and 2, KXL Pipeline, Gulf Coast Pipeline
and future expansions to this system. This document may be applicable to other non-Keystone crude oil
pipeline systems; however, the suitability of using this document needs to be assessed by the designers of
those systems.

The document provides the ESD philosophy associated with Pump Stations, Terminals, Delivery Stations
and Interconnect Facilities, but does not cover philosophies associated with overall pipeline ESD (e.g.
line trip).

The primary purpose of this document is to provide the philosophical design basis for Keystone Pipeline
Facility ESD systems. These fundamental concepts are used in both the Front End Engineering Design
(FEED) and detailed engineering phases of the project development.

The secondary purpose of this document is to provide a reference for other interested or affected groups
within TCPL – Project Engineering, OCC Operations, Oil Pipeline Engineering (OPE), Field Operations,
Operations Engineering.

1.3 Acronyms and Abbreviations

• EES – Electrical Equipment Shelter

• ESD – Emergency Shut Down


• E-Stop – Equipment Shutdown

• FEED – Front End Engineering and Design

• FSB – Field Service Building

• IMLV – Intermediate Main Line (Block) Valve

• KS – Keystone (pipeline)

• KXL – Keystone XL (pipeline)

• LOV – Launcher Outlet Valve

• LKV – Launcher Kicker Valve

• LBV – Launcher Bypass Valve

• MCS – Metering Control System

• MOP – Maximum Operating Pressure


• MOV– Motor Operated Valve

• MPR – Motor Protection Relay

• OCC – Operations Control Center

• OPE – Oil Pipeline Engineering

• OPP – Over Pressure Protection

• PCV – Pressure Control Valve

• PLC – Programmable Logic Controller

• QMU – Quality Measurement Unit

• QMB – Quality Measurement Building

• RIV – Receiver Inlet Valve

• RKV – Receiver Kicker Valve

• RBV – Receiver Bypass Valve

• RTU – Remote Terminal Unit

• SSV – Station Suction Side Valve

• SDV – Station Discharge Side Valve

• SBV – Station Bypass Valve

• SCADA – Supervisory Control And Data Acquisition

• TCPL – TransCanada Pipeline


• UPS – Uninterruptible Power Supply


• WDT – Watchdog Timer

1.4 Definitions

Abnormal Operating Condition – a condition that may indicate a malfunction of a component or
deviation from normal operations that may indicate a condition exceeding design limits or result in a
hazard to persons, property, or the environment (ref: DOT CFR 195.503).

Facilities – Mechanical equipment, electrical/control systems and structures that are situated at various
locations along the main pipeline, including the following:

• Pump Stations
• Terminals

• Delivery Stations

• Interconnect Facilities

• Mainline Block Valve Sites (IMLVs)


Pump Station – a facility that transfers product along the pipeline (by increasing product pressure).
These facilities contain product pumping and pigging facilities (where applicable). Stations are located in
between terminal and delivery facilities.

Terminal – a facility that includes product tanks, valve manifolds, booster pumps, product quality
measurement and custody transfer metering.
Delivery Station – a facility where the product custody is transferred from the pipeline (Keystone) to a
third party.
Interconnect Facility – a facility upstream of a Terminal where product pressure is boosted so that it is
at a pressure acceptable to enter a Keystone Terminal or Pipeline. Custody transfer metering may or may
not be present. Interconnect facilities are owned and operated by TCPL.
Third Party Upstream Connected Facilities – facilities (owned and operated by others) upstream of a
Keystone Terminal. Third party upstream connected facilities generally consist of Piping, Tanks and/or
Booster Pumps.
Third Party Downstream Connected Facilities – facilities (owned and operated by others) downstream
of a Keystone Delivery Station. Third party downstream connected facilities generally consist of Piping
and Tanks.

Mainline Block Valve – a valve capable of segmenting the pipeline.


Intermediate Mainline Valve (IMLV) Site – a facility containing only a Mainline Block Valve.

Station Suction and Discharge Side Valves – Main facility inlet and outlet valves.

Station Bypass Valve – Mainline block valve located at a pump station.


Facility PLC – The control hardware and software system employed to monitor and control the facility
(i.e. Terminal, Pump Station, Delivery Station or Interconnect Facility). Facility PLC is a generic term.
More specifically this PLC is referred to as the Terminal PLC at a Terminal and the Station PLC at a
Pump Station, Delivery Station and Interconnect Facility. An IMLV site uses a RTU for this purpose.
Facility ESD – although “ESD” is a common term used throughout the process and pipeline industries, it
has a very specific definition within Keystone Facilities. Facility ESD is defined as follows:

• A manually or automatically initiated sequence of events to take the facility process conditions to
a pre-defined safe state via automated action upon the occurrence of a severe abnormal
operating condition. A “safe state” is one that is intended to prevent loss of control or loss of
containment due to the severe abnormal operating event.

• This document will discuss the Facility ESD system in detail.


Equipment Shutdown – the facility process piping and equipment are protected by various automated
control systems (Station Control, Unit Control, Metering Control, etc.). These control systems take action
as necessary to shut down equipment and operate valves. However, only the Facility ESD system
operates independently of these systems and acts specifically to maintain the integrity of the facility
process conditions under severe abnormal situations. Equipment shutdown is discussed at length in other
Keystone documents, i.e. KXL Control Narrative and KXL Control System Architecture Philosophy.
Electrical Protection Systems – the electrical protection system is not part of the Facility ESD System.
The electrical protection system is an independent system that acts to protect electrical equipment by de-
energizing it when necessary.

2. GUIDING PRINCIPLES

2.1 Facility ESD Rationale

The rationale for having a “Facility ESD” function is to provide a predefined automatic response which will
take the facility to a safe operational state upon detection of potentially severe abnormal conditions. In
general the safe operational state for crude oil facilities is simply the removal of hydraulic power from the
system.

Severe abnormal operating conditions that will trigger a crude oil facility ESD can be summarized into the
following:
• Predicted imminent loss of control system functionality. Non-functionality in this context means
that the control system loses its ability to monitor, control and protect the facility.

• Predicted imminent loss of containment of oil within Facility piping. Loss of containment is
interpreted to mean that an oil spill is a likely outcome.

Removing Hydraulic Power means that action is taken to remove all sources of energy that could cause
product to flow within the Facility piping or vessels. By stopping movement of oil within the Facility it has
been brought to a safe state. To achieve this end result the following actions are taken:


Terminals:

• Stop all pumps that move oil within the facility piping

• Stop upstream pumps at interconnected facilities that are moving oil into the facility

• If upstream pump shutdown cannot be positively established (such as for third party controlled
pumps), or if stopping the upstream pumps alone will not stop the movement of oil (such as due
to elevation differences), close the facility inlet valve.

• Close Inter-tank Booster Pump Isolation Valves if an Inter-tank transfer valve alignment mode is
active – thereby isolating the source tank from the destination tank
Pump Stations:

• Stop all pumps that move oil within the facility piping

• Bypass the facility (open the Station Bypass Valve) and then Isolate (close Station Suction and
Discharge valves)
Delivery Stations:

• Stop all upstream mainline pumps that move oil into the facility piping
• Isolate (close inlet valves) and, if back flow from downstream facilities cannot be prevented via
other means such as check valves, close outlet valves.
Upstream Interconnected Facilities (TCPL owned and operated):

• Stop all pumps that move oil within the facility piping

• Isolate (close inlet valves).
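The following is an added illustration, not part of the Keystone document or of any TCPL system code: a small Python simulation of the section 2.1 action lists for Pump Stations and Terminals. The Pump and Valve classes, the tags and the position feedback are constructed for the example, and the decision to withhold suction/discharge isolation when the Station Bypass Valve cannot be confirmed open is an assumption added here; the text only states that the bypass is opened before the station is isolated.

```python
"""Constructed model of the section 2.1 "remove hydraulic power" sequences.
Equipment names (SSV, SDV, SBV, inlet valve) follow the document; the classes,
tags and the stuck-actuator handling are assumptions made for this example."""

from dataclasses import dataclass
from typing import List


@dataclass
class Pump:
    tag: str
    running: bool = True

    def stop(self) -> None:
        self.running = False


@dataclass
class Valve:
    tag: str
    position: str = "open"      # "open" or "closed"; the value stands in for limit-switch feedback
    travel_ok: bool = True      # constructed: False models an actuator that cannot move

    def open(self) -> bool:
        if self.travel_ok:
            self.position = "open"
        return self.position == "open"

    def close(self) -> bool:
        if self.travel_ok:
            self.position = "closed"
        return self.position == "closed"


def pump_station_esd(pumps: List[Pump], sbv: Valve, ssv: Valve, sdv: Valve) -> List[str]:
    """Pump Stations: stop all pumps, open the Station Bypass Valve, and only
    then close the suction and discharge valves.  Ordering matters: isolating
    before the bypass is confirmed open would block the mainline, so this
    (assumed) sequencer refuses to isolate unless SBV feedback reads open."""
    log = []
    for p in pumps:
        p.stop()
        log.append(f"{p.tag} stopped")
    if not sbv.open():
        log.append(f"{sbv.tag} failed to open; isolation withheld, alarm")
        return log
    log.append(f"{sbv.tag} open confirmed")
    for v in (ssv, sdv):
        log.append(f"{v.tag} closed" if v.close() else f"{v.tag} failed to close, alarm")
    return log


def terminal_esd(pumps: List[Pump], upstream_stop_confirmed: bool,
                 elevation_driven_flow: bool, inlet: Valve) -> List[str]:
    """Terminals: stop facility pumps; close the inlet valve only when upstream
    pump shutdown cannot be positively established or when stopping upstream
    pumps alone would not stop the flow (elevation differences)."""
    log = []
    for p in pumps:
        p.stop()
        log.append(f"{p.tag} stopped")
    if not upstream_stop_confirmed or elevation_driven_flow:
        log.append(f"{inlet.tag} closed" if inlet.close() else f"{inlet.tag} failed to close, alarm")
    else:
        log.append(f"{inlet.tag} left open (upstream stop confirmed, no gravity-driven flow)")
    return log


if __name__ == "__main__":
    # Constructed station: two mainline pumps, bypass normally closed.
    station_log = pump_station_esd([Pump("P-101"), Pump("P-102")],
                                   Valve("SBV", "closed"), Valve("SSV"), Valve("SDV"))
    print("\n".join(station_log))
```

The second function makes the conditional inlet-valve closure explicit: at a Terminal the inlet valve is not closed unconditionally, but only when the upstream source of hydraulic power cannot be proven stopped.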

2.2 Loss of Containment Risk

Two types of vessels are the primary sources of potential loss of containment – Sump Tanks and Product
Tanks. Sump Tanks are installed at every facility while Product Tanks are only installed at Terminals. As
described below, the spill risk is different for the two types of tanks.

2.2.1 Loss of Containment – Sump Tanks

Sump Systems provide holding capacity for oil drained from thermal relief valves, manual drain valves
and Pump Mechanical Seal drains (at locations where Mainline or Booster Pumps are installed). Under
normal process operations, oil will not be flowing into the sump tank. An abnormal operating condition
including thermal relief, manual drain down or pump seal failure must occur for oil to flow to the sump.
The Sump Tank level is continuously monitored and high level conditions are alarmed to the OCC. Sump
Pumps operate on the basis of tank level to remove oil from the Sump Tank.

Loss of containment from a Sump Tank occurs when the tank is overfilled. However, in order for the
Sump Tank to overfill a number of unrelated failures must occur concurrently:


• An abnormal operating condition or failure exists causing oil to flow into the Sump Tank; AND

• Sump Pump control fails to respond properly to remove oil prior to the high level alarm condition;
AND

• Operations personnel were not able to respond to the high level alarm condition in a timely and
appropriate fashion; AND

• ESD system control was not able to respond to the high high level alarm and remove hydraulic
power from the Facility; AND

• The oil level actually increased to the point that there is an overflow from the Tank.

Considering the co-incident events that must take place for a spill to occur from a Sump Tank, there is a
low risk of loss of containment.

Periodically oil within a facility can be intentionally drained down to the Sump Tank. This type of operation
is strictly controlled and undertaken locally by trained personnel following approved procedures.

2.2.2 Loss of Containment – Product Tanks

Product Tanks are large vessels that provide storage capacity for oil to be shipped on the Keystone
Pipeline System. Since Product Tanks are, as part of normal process operations, open to product
streams from inlet piping there is a more significant risk of overfilling a Product Tank if Hydraulic Power is
not removed during an ESD event than there is for Sump Tanks. During an ESD event, a simple loss of
commercial power or control system failure, rendering the Inlet or Inter-tank Transfer valves unable to
operate could lead to an over-fill event.

In that regard, two additional protective measures are in place to prevent overfilling of Product Tanks:

• Facility inlet valves that must close to isolate a source of hydraulic power during an ESD event
are designed with back up power mechanisms such that even in the event of loss of primary
electrical power, the valves can be closed. This same additional level of protection is not applied
to Pump Stations, Delivery Stations or Interconnect Facilities given the considerably lower risk of
loss of sump tank containment at those facilities.
• Product Tank inlet valves will close when a tank high-high level is detected to stop the flow of oil
into a tank thereby preventing the tank from over-filling

2.2.3 Loss of Containment – Elevation Differences at Terminals

During Inter-tank transfer operations at Terminals, oil from one Product Tank is moved through a Booster
Pump, control valve, MOVs and piping to another Product Tank. During this operation there is an open
flow path between tanks. Overflow protection is provided at the destination tank if a high-high level
condition is detected by the following measures:
• Close destination Tank Inlet valves

• Shut down Inter-tank Booster Pump


• Isolate the flow path by closing Inter-tank Booster Pump inlet and outlet valves

However, special consideration is given to the circumstance where the two tanks in question are at
significantly different elevation.

• The elevation difference is significant when the maximum working level of the upper tank is
higher than the overflow level of the lower tank.

The protective measures described above will continue to be in place but the differences in elevation
pose an increased loss of containment risk if either of the following conditions exists:

• If a single PLC system controls both tank systems. A failure of this single PLC would result in the
inability to isolate the flow path between the two tanks; OR

• If a single Primary Power Supply system supplies both tank systems. A failure of this single
power system would result in the inability to isolate the flow path between the two tanks.
If either of these two conditions is present, a valve that isolates the flow path between the two tanks must
close when there is a Terminal ESD. This valve will be designed with back up power mechanisms such
that even in the event of loss of Primary Power Supply system, the valve can be closed.
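As an added illustration (not from the Keystone document), the reasoning of section 2.2 can be written as a small fault tree: the section 2.2.1 sump overflow is an AND of unrelated failures, and the section 2.2.3 elevation case is an open flow path AND the loss of the ability to isolate it, which is an OR of the shared-PLC and shared-power conditions. The evaluator below is generic; every probability in it is a constructed placeholder, not a Keystone figure, and the tree shapes are this example's reading of the text.

```python
"""Constructed fault-tree evaluator for the section 2.2 loss-of-containment
reasoning.  Gate structure follows the text; all probabilities are placeholders."""

from dataclasses import dataclass
from typing import List, Union


@dataclass
class Event:
    name: str
    p: float            # constructed probability of the basic event


@dataclass
class Gate:
    kind: str           # "AND": every input must occur; "OR": any input suffices
    inputs: List["Node"]


Node = Union[Event, Gate]


def probability(node: Node) -> float:
    """Evaluate the tree assuming independent inputs (the document's
    'unrelated failures').  AND multiplies; OR uses 1 - prod(1 - p_i).
    An OR gate with no inputs cannot occur and evaluates to 0."""
    if isinstance(node, Event):
        return node.p
    ps = [probability(i) for i in node.inputs]
    if node.kind == "AND":
        out = 1.0
        for p in ps:
            out *= p
        return out
    if node.kind == "OR":
        none_occur = 1.0
        for p in ps:
            none_occur *= 1.0 - p
        return 1.0 - none_occur
    raise ValueError(f"unknown gate kind {node.kind!r}")


def sump_overflow_tree() -> Gate:
    # Section 2.2.1: the five conditions that must ALL hold for a sump spill.
    return Gate("AND", [
        Event("oil flowing into sump (thermal relief / drain down / seal failure)", 0.05),
        Event("sump pump control fails to remove oil before high level", 0.01),
        Event("operations do not respond to the high level alarm in time", 0.1),
        Event("ESD fails to act on high high level", 0.01),
        Event("level actually rises to the overflow point", 0.5),
    ])


def elevation_common_cause_tree(shared_plc: bool, shared_power: bool) -> Gate:
    """Section 2.2.3: an elevation-driven overflow needs the open inter-tank
    flow path AND loss of the ability to isolate it.  Isolation is lost on a
    shared PLC failure or a shared primary power failure; only the conditions
    actually present at the site enter the OR gate."""
    isolation_loss: List[Node] = []
    if shared_plc:
        isolation_loss.append(Event("single PLC controlling both tanks fails", 1e-3))
    if shared_power:
        isolation_loss.append(Event("single primary power supply for both tanks fails", 1e-2))
    return Gate("AND", [
        Event("transfer path open with upper tank working level above lower tank overflow", 0.2),
        Gate("OR", isolation_loss),
    ])


def needs_backup_powered_isolation_valve(shared_plc: bool, shared_power: bool) -> bool:
    # Section 2.2.3 rule: either condition alone requires the ESD-closed isolation valve.
    return shared_plc or shared_power


if __name__ == "__main__":
    print(f"sump overflow (placeholder inputs): {probability(sump_overflow_tree()):.2e}")
    for plc, pwr in ((False, False), (True, False), (True, True)):
        t = elevation_common_cause_tree(plc, pwr)
        print(f"shared_plc={plc} shared_power={pwr}: p={probability(t):.2e}, "
              f"isolation valve required={needs_backup_powered_isolation_valve(plc, pwr)}")
```

The point the numbers make is structural rather than quantitative: with the sump the AND gate drives the result toward zero because the failures are independent, while with the elevation case a single shared PLC or power supply collapses an intended AND into a single point of failure, which is exactly why the document requires a separately powered isolation valve whenever either sharing condition exists.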

2.3 Facility ESD Initiators

The following Facility ESD initiators are common to all Facilities on the Keystone Pipeline:

• Manual Facility ESD pushbuttons:


o Physical buttons (hardwired) located locally at the Facility

o Buttons on a local HMI (at some Terminal facilities only)

o Buttons located remotely at the OCC (via the SCADA System).


• Confirmed fire in a Facility electrical building

• Sump Tank level high high

• Facility PLC failure


• Control system power failure

Each of these initiators is indicative of a severe abnormal operating condition as described in the
preceding section of this document.
High-high level in a product tank does not cause a Facility ESD because adequate independent
protective means are in place local to the tank. These measures are described in section 2.2.2 of this
document.


2.3.1 Manual Facility ESD Pushbuttons

Activation of an ESD Pushbutton is indication that either site personnel or OCC personnel have
recognized a severe abnormal operating condition that is not monitored by the facility control system, but
in the opinion of the site or OCC personnel requires the Facility ESD response.
Facility ESD Pushbuttons are strategically located at all Facilities. Contacts from the ESD Pushbuttons
are fed into both the Hardwired Back-up ESD System and the Facility PLC. Activating any of these
pushbuttons will cause a Facility ESD.
Site personnel at Terminals have the ability to activate a Facility ESD via the local HMI. Other Facilities
do not have ESD pushbuttons on the local HMI.

Operators at the OCC have the ability to activate a Facility ESD via an HMI display pushbutton on their
Operating consoles. This command is transmitted to the Facility PLC via the SCADA System.

The Facility PLC logic treats local and remote Facility ESD pushbuttons in the same way – the PLC
initiates a Facility ESD.

2.3.2 Confirmed Fire in a Facility Electric Equipment Shelter

Each Facility has one or more Electric Equipment Shelters (EES). These structures house medium and
low voltage electrical switchgear and control (PLCs) and communication equipment. A confirmed fire
within the EES is a serious event that jeopardizes the ability of the control system to bring the Facility to a
known safe state. Therefore the appropriate response to detecting a confirmed fire within the EES is to
initiate a Facility ESD.

Each EES is equipped with multiple smoke and heat detectors that are used for detecting a fire within the
structure. A confirmed fire is declared when any two or more detectors have detected a fire.

2.3.3 Sump Tank Level High High

Sump tanks are located at all Keystone Facilities. Sump tanks provide holding capacity for oil drained
from all thermal relief valves (PSVs), pump seals (where applicable) and drain valves. The facility sump
system consists of an underground fiberglass sump tank collecting oil from all underground drain lines. A
sump pump and sump injection pump are used to pump out product collected in this tank – either re-
injected back into mainline piping or to a tanker truck.

Sump tank product level is measured by redundant level devices. A Facility ESD is initiated when either
level device has detected a high high level. The rationale for initiating a Facility ESD is to prevent
overfilling (i.e. possible loss of containment) of the sump tank by “Removing Hydraulic Power” in the
Facility Piping.
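Added illustration, not the document's logic: the fire confirmation rule of section 2.3.2 (any two or more detectors) and the sump level rule of section 2.3.3 (either of two redundant devices) are both k-out-of-n votes, so one voter serves both. The tags are constructed, and the handling of a diagnosed-faulty input (counted as tripped for the 1oo2 level vote, excluded from the 2ooN fire vote) is an assumption made here; the document does not state a fault policy for either initiator.

```python
"""Constructed k-out-of-n voter covering the section 2.3.2 (2ooN fire) and
section 2.3.3 (1oo2 sump level) initiator rules, plus the section 2.3
initiator OR.  Tags and the fault policy are assumptions for this example."""

from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class Input:
    tag: str
    tripped: bool           # detector in alarm / level device above high high
    healthy: bool = True    # constructed: False models a diagnosed fault (open loop, out of range)


def vote(inputs: Iterable[Input], k: int, faulted_counts_as_trip: bool) -> bool:
    """True when at least k inputs are counted as tripped.  A faulted input is
    either treated as tripped (fail-safe, used for the 1oo2 level vote) or
    left out of the count (used for fire confirmation, so a single broken
    detector cannot supply half of a 'confirmed' fire by itself)."""
    count = 0
    for i in inputs:
        if i.healthy:
            count += int(i.tripped)
        elif faulted_counts_as_trip:
            count += 1
    return count >= k


def confirmed_fire(detectors: List[Input]) -> bool:
    # Section 2.3.2: a confirmed fire is any two or more detectors in alarm.
    return vote(detectors, 2, faulted_counts_as_trip=False)


def sump_level_high_high(transmitters: List[Input]) -> bool:
    # Section 2.3.3: redundant level devices; ESD when either detects high high (1oo2).
    return vote(transmitters, 1, faulted_counts_as_trip=True)


def facility_esd_demanded(detectors: List[Input], transmitters: List[Input],
                          manual_pushbutton: bool, plc_failed: bool,
                          control_power_failure: bool) -> bool:
    # Section 2.3: each initiator on its own is sufficient to demand a Facility ESD.
    return (manual_pushbutton
            or confirmed_fire(detectors)
            or sump_level_high_high(transmitters)
            or plc_failed
            or control_power_failure)


if __name__ == "__main__":
    # Constructed EES with three detectors, one in alarm: not yet confirmed.
    ees = [Input("SD-1", True), Input("SD-2", False), Input("HD-1", False)]
    sump = [Input("LT-1", False), Input("LT-2", False)]
    print("ESD demanded:", facility_esd_demanded(ees, sump, False, False, False))
    ees[2].tripped = True
    print("ESD demanded after second detector:", facility_esd_demanded(ees, sump, False, False, False))
```

The two votes pull in opposite directions on purpose: the level trip errs toward shutdown because the consequence of a missed high high is a spill, while the fire vote demands genuine agreement between detectors so that a single failed device does not by itself move the site halfway to an ESD.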


2.3.4 Facility PLC Failure

Facility PLC health is monitored by an external watchdog timer (WDT) circuit. The PLC cycles an output
to the WDT and if cycling ceases it indicates that the PLC has failed (i.e. stopped functioning normally). A
contact from the PLC Failure WDT is fed into the Hardwired Back-up ESD System. In this situation the
Hardwired Back-up ESD System ensures that appropriate action is taken.
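Added illustration, not from the document: a software model of the external WDT described in section 2.3.4. The PLC heartbeat output, the timeout value and the sample traces are constructed; the latching behaviour of the contact (a PLC that restarts and resumes toggling does not close the contact again without a deliberate reset) is an assumption made for this example.

```python
"""Constructed model of the section 2.3.4 external watchdog timer.  The PLC
is expected to keep toggling a heartbeat output; if no transition is seen
within the timeout, the WDT contact opens (the fail-safe state) and stays
open.  Timeout and heartbeat traces are assumptions for this example."""

from typing import Iterable, List, Optional, Tuple


class WatchdogTimer:
    def __init__(self, timeout_s: float):
        self.timeout_s = timeout_s
        self.last_level: Optional[int] = None
        self.last_transition_t: Optional[float] = None
        self.contact_closed = True      # healthy = closed; opens on failure

    def sample(self, t: float, level: int) -> bool:
        """Feed one heartbeat sample; returns the contact state (False = open,
        i.e. tripped).  A trip latches: resumed toggling does not clear it."""
        if self.last_level is None:
            self.last_level, self.last_transition_t = level, t
            return self.contact_closed
        if level != self.last_level:
            # A transition is the only evidence the PLC is still scanning;
            # a stuck-high or stuck-low output is treated the same as silence.
            self.last_level, self.last_transition_t = level, t
        elif t - self.last_transition_t > self.timeout_s:
            self.contact_closed = False
        return self.contact_closed

    def reset(self) -> None:
        """Deliberate reset of the latched trip (assumed to be a manual act)."""
        self.contact_closed = True
        self.last_level = None


def replay(samples: Iterable[Tuple[float, int]], timeout_s: float) -> Tuple[bool, List[float]]:
    """Run a heartbeat trace through a WDT; returns the final contact state and
    the sample times at which the contact was found open."""
    wdt = WatchdogTimer(timeout_s)
    opened_at = [t for t, level in samples if not wdt.sample(t, level)]
    return wdt.contact_closed, opened_at


# Constructed heartbeat traces: (time in seconds, output level).
HEALTHY = [(0.0, 0), (0.5, 1), (1.0, 0), (1.5, 1), (2.0, 0), (2.5, 1)]
STALLED = [(0.0, 0), (0.5, 1), (1.0, 0), (1.5, 0), (2.0, 0), (2.5, 0), (3.0, 0), (3.5, 1)]


if __name__ == "__main__":
    for name, trace in (("healthy", HEALTHY), ("stalled", STALLED)):
        closed, opened = replay(trace, timeout_s=1.0)
        print(f"{name}: contact closed={closed}, open at t={opened}")
```

The design point the model makes is that the watchdog watches for change, not for a level: a PLC frozen with its output held high looks identical to one that has lost power, and both must open the contact that feeds the Hardwired Back-up ESD System.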

2.3.5 Control System Power Failure

The Facility PLC is electrically supplied by redundant power supplies – both UPS and non-UPS power
systems. Control power to the Facility PLC is monitored and if an imminent failure is detected, a control
system power failure is declared. A control system power failure is a serious event that jeopardizes the
ability of the control system to bring the Facility to a known safe state. Therefore the appropriate
response to detecting an imminent control system power failure is to initiate a Facility ESD.

2.4 Facility ESD Pushbutton Location Criteria

Facility ESD Pushbuttons are strategically located at all Facilities. The criteria for determining the location
of ESD Pushbuttons are as follows:
• Main points of egress from the Facility.

• Main points of egress from commonly occupied buildings on site.

• Site specific considerations


ESD Pushbuttons are typically placed at the following locations:

• At the main gate(s)

• On the front of the Panel Door of the Facility Control Panel housing the Facility PLC Processor
• At Facilities with a single EES, on the exterior wall of the EES (adjacent to one entry/exit door)

• At Facilities with multiple EESs, on the exterior wall of all EESs that personnel would routinely
work within on site (for example control buildings, but not VFD buildings) (adjacent to one
entry/exit door). Site specific conditions are taken into consideration.

• At Field Services Buildings (typically only at Terminals), on the exterior wall of the main entrance
to the FSB.

2.5 Facility ESD – Hardwired Back-up

The Facility PLC ESD software logic is backed up by a hardwired relay based back-up ESD system. The
rationale for having this independent redundant ESD system is that a Facility ESD is considered so
critical that a second independent system is warranted. The trip string is intended to replicate certain ESD
responses of the PLC. That is, upon failure of the PLC, an unsafe process condition could result if certain
devices are not actuated or tripped. Therefore, those devices are actuated or tripped by the back-up ESD
trip string.

The back-up ESD circuit is designed to shut down all pumps (i.e. pressure producing equipment) and, at
terminals only, close selected Inlet and Inter-tank Transfer Valves independently of the PLC. The back-up
ESD circuit consists of a series of contacts controlling a Master Facility ESD Relay. Contacts from this
Master Facility ESD Relay are used in each pump motor circuit and at Terminals only, selected Inlet and
Inter-tank Transfer Valve control circuits.

The Master Facility ESD Relay circuit is designed as fail safe; i.e. failure of ESD initiator components will
open the initiator contacts in the ESD circuit thereby triggering an ESD.

The following initiators are wired into the Master ESD Relay circuit:

• Manual ESD Pushbuttons


• PLC Failure WDT

• ESD output from Facility PLC

The following Pump Motors are typically de-energized from the Master ESD Relay:
• Mainline Pumps (Pump Station)

• Booster Pumps (Terminals, Interconnect Facilities)

• Sump Pumps (All Facilities)

• Pumps in Quality Measurement Buildings (Terminals, Delivery Stations, Interconnect Facilities)

The following valves are actuated from the Master ESD Relay:

• Terminal Inlet Valves if upstream pump shut down cannot be positively established (such as third
party controlled pumps), or when stopping upstream pumps does not stop the movement of oil
(such as due to elevation differences)

• One Inter-tank Transfer Isolation Valve if the rationale described in section 2.2.3 is met.

Pump Station, Delivery Station and Interconnect Facility isolation valves are not actuated from the Master
ESD Relay due to the low risk of loss of containment during a PLC failure event (see section 2.2.1).
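Worked example (added for this edition; not Keystone or TransCanada design material): a small Python model of the series-contact trip string described in this section. It shows the de-energize-to-trip behaviour of the Master Facility ESD Relay, the loads dropped at each facility type, and that a Facility PLC failure trips the relay with no software involved. The initiator and load names are taken from this section; the failure model (an initiator whose state cannot be read is treated as an open contact) and the assumption that both Terminal valve entries are the "selected" valves are assumptions made for the illustration.

```python
"""Model of the hardwired back-up Facility ESD trip string of section 2.5.

Added illustration, not Keystone/TransCanada design material. The contact
and load names follow section 2.5; the failure model (an initiator whose
state cannot be read behaves as an open contact) and the choice of which
Terminal valves are "selected" are assumptions for this example.
"""
from typing import Dict, List, Optional

# Initiators wired in series into the Master Facility ESD Relay circuit.
INITIATORS = ("Manual ESD Pushbuttons", "PLC Failure WDT", "ESD output from Facility PLC")

FACILITY_TYPES = frozenset({"Pump Station", "Terminal", "Delivery Station", "Interconnect Facility"})

# Loads dropped by the Master Facility ESD Relay, by facility type (section 2.5).
# The two valve entries are assumed to be the "selected" valves of section 2.5.
LOADS: Dict[str, frozenset] = {
    "Mainline Pumps": frozenset({"Pump Station"}),
    "Booster Pumps": frozenset({"Terminal", "Interconnect Facility"}),
    "Sump Pumps": FACILITY_TYPES,
    "Quality Measurement Building Pumps": frozenset({"Terminal", "Delivery Station", "Interconnect Facility"}),
    "Selected Terminal Inlet Valves (close)": frozenset({"Terminal"}),
    "Inter-tank Transfer Isolation Valve (close)": frozenset({"Terminal"}),
}


class TripString:
    """Series contacts holding in the Master Facility ESD Relay.

    Contact states: True = closed (healthy), False = opened by an initiator,
    None = state unknown (broken wire, dead component, lost supply). Only a
    fully closed string keeps the relay energized, so an unknown contact
    de-energizes it exactly like an open one (de-energize-to-trip).
    """

    def __init__(self, facility_type: str) -> None:
        if facility_type not in FACILITY_TYPES:
            raise ValueError(f"unknown facility type: {facility_type}")
        self.facility_type = facility_type
        self.contacts: Dict[str, Optional[bool]] = {name: True for name in INITIATORS}

    def relay_energized(self) -> bool:
        return all(state is True for state in self.contacts.values())

    def open_contact(self, name: str) -> None:
        """An initiator deliberately opens its contact (e.g. pushbutton pressed)."""
        self._set(name, False)

    def fail_contact(self, name: str) -> None:
        """An initiator component fails; its state can no longer be read."""
        self._set(name, None)

    def restore_contact(self, name: str) -> None:
        self._set(name, True)

    def _set(self, name: str, state: Optional[bool]) -> None:
        if name not in self.contacts:
            raise KeyError(f"unknown initiator: {name}")
        self.contacts[name] = state

    def tripped_loads(self) -> List[str]:
        """Equipment dropped at this facility while the relay is de-energized."""
        if self.relay_energized():
            return []
        return [load for load, sites in LOADS.items() if self.facility_type in sites]


def plc_failure_scenario(facility_type: str) -> List[str]:
    """Facility PLC stops: the WDT contact drops out and the PLC's ESD output
    can no longer be trusted. The relay trips without any software involved."""
    ts = TripString(facility_type)
    ts.open_contact("PLC Failure WDT")
    ts.fail_contact("ESD output from Facility PLC")
    return ts.tripped_loads()


if __name__ == "__main__":
    for site in ("Pump Station", "Terminal"):
        print(site, "->", plc_failure_scenario(site))
```

Running the file prints the loads dropped at a Pump Station and at a Terminal when the Facility PLC fails. Nothing in TripString consults the PLC's view of the plant: the relay drops as soon as the string is broken, whichever initiator broke it, which is the independence this section is describing.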

2.6 Equipment E-Stop Rationale

The rationale for having an “E-Stop” function is that maintenance staff working in the immediate vicinity
of a large pump need a means of stopping it immediately.

Therefore an E-Stop Pushbutton is placed adjacent to each Keystone Mainline Pump (at a Pump Station)
and each Booster Pump (at a Keystone Terminal or Keystone Interconnect Facility).


2.7 Equipment E-Stop – Hardwired Back-up

The Equipment E-Stop PLC software logic is backed up by a hardwired relay based E-Stop system. The
E-Stop circuit is designed to individually shut down each large pump motor independently of the PLC.
The emergency shutdown circuit consists of a series of contacts controlling an Equipment E-Stop Relay.
A contact from the Equipment E-Stop Relay is used in the pump motor control circuit.

The Equipment E-Stop Relay circuit is designed as fail safe; i.e. failure of E-Stop initiator components will
trigger an E-Stop.

The following initiators are wired into the Equipment E-Stop Relay circuit:

• Manual E-Stop Pushbutton


• Unit PLC Failure WDT (where applicable)

• E-Stop output from the PLC

• Contact from the Facility ESD circuit

2.8 Valve Actuators

All valves on the Keystone Pipeline system are “Fail Last”. Fail Last means that the valves stay in their
current position on failure of motive force (i.e. electrical supply).

With few exceptions, all valves at facilities on the Keystone Pipeline system have electric actuators – i.e.
electric motor operated valves (MOV).

However, in certain circumstances the MOV actuator is replaced by a stored energy type actuator. A
stored energy actuator makes it possible to operate the valve in the absence of electrical power. A valve
will have a stored energy actuator if the following conditions are met:

• If failure of the valve to close on demand could result in an unacceptable loss of containment risk;

AND

• The site Main Power Supply is non-redundant

o Redundancy in this case means either dual Utility supplies or a Utility supply and a Back-
up Generator Power supply

3. FACILITY ESD

3.1 Pump Stations

3.1.1 Pump Stations Without Pig Traps

Pump Stations without a Pig Receiver and Pig Launcher Trap have three Station Valves:


• Station Suction Side Valve (SSV)

• Station Discharge Side Valve (SDV)

• Station Bypass Valve (SBV)

During normal operation the Station Valves are configured with the SSV and SDV open and the SBV
closed. The following sketch shows their position relative to the mainline piping:

[Sketch: SBV on the station bypass line; SSV and SDV on the mainline at the suction and discharge sides]

3.1.2 Pump Stations With Pig Traps

Pump Stations with a Pig Receiver and Pig Launcher Trap have trap valves in addition to the three
Station Valves:

• Station Suction Side Valve (SSV)

• Station Discharge Side Valve (SDV)

• Station Bypass Valve (SBV)

• Receiver Inlet Valve (RIV)


• Receiver Kicker Valve (RKV)

• Receiver Bypass Valve (RBV)

• Launcher Outlet Valve (LOV)


• Launcher Kicker Valve (LKV)

• Launcher Bypass Valve (LBV)

Normal operation is for flow to travel through both the Pig Receiver and Pig Launcher. The normal
operation valve position is summarized below:

• Open – SSV, SDV, RIV, RKV, LOV, LKV


• Closed – SBV, RBV, LBV

The following sketch shows the valve positions relative to the mainline piping:

[Sketch: RIV, RKV and RBV on the Pig Receiver piping; LOV, LKV and LBV on the Pig Launcher piping; SBV on the station bypass line; SSV and SDV on the mainline]

3.1.3 Pump Station ESD

At a Pump Station, an ESD signal will trip all pumps, open the bypass valve and then isolate the Pump
Station from the pipeline. Specifically the following actions are taken:
• All Mainline Pumps are shut down.

• All Mainline Pump Unit Suction and Discharge Isolation Valves are closed

• The SBV is opened.


• When the SBV is confirmed open, the SSV and SDV are closed.

• The Sump Pumps are shut down.

• Pumps in Quality Measurement Buildings (at Batch Detection sites only) are shut down.
• Quality Measurement Building Inlet and Outlet valves are closed.

At Pump Stations with Pig Traps, a Pump Station ESD will also isolate the trap in the following sequence:

• The Trap Bypass valve is opened


• When the Trap Bypass is fully open, the Trap isolation valves are closed

Note: in the event of a Station ESD caused by a Station PLC Failure or a Control System Power Failure,
it is unlikely that the SSV, SBV and SDV will be able to move and will therefore remain in their last
position. However the Pump Isolation Valves will close as they are controlled by a separate control
system – i.e. the Unit PLC.


The ESD condition must be cleared and reset locally to allow re-start of pumps and realignment of the
Station valves.
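Worked example (added here; not Keystone or TransCanada control logic): a Python simulation of the Pump Station ESD sequence of section 3.1.3, including the open-the-bypass-before-isolating ordering, the Unit PLC closing the pump isolation valves even when the Facility PLC has failed (the note above), and the local-only reset. The number of Mainline Pump units, the batch-detection flag, handling each trap's bypass separately and the "can_move" flag (a valve whose controller is down holds its last position) are assumptions made for the illustration.

```python
"""Simulation of the Pump Station ESD sequence of section 3.1.3.

Added illustration, not Keystone/TransCanada logic. Unit count, the
batch-detection flag, per-trap bypass handling and the can_move failure
model (a valve whose controller is down holds its last position) are
assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Valve:
    name: str
    position: str           # "open" or "closed"
    can_move: bool = True   # False: controller failed; valve is Fail Last (section 2.8)

    def command(self, target: str) -> bool:
        """Drive the valve and report whether the target limit switch is made."""
        if self.can_move:
            self.position = target
        return self.position == target


class PumpStation:
    def __init__(self, units: int = 2, pig_traps: bool = False,
                 batch_detection: bool = False, facility_plc_ok: bool = True) -> None:
        self.esd_latched = False
        self.log: List[str] = []
        self.batch_detection = batch_detection
        self.pumps = {"Mainline Pumps": True, "Sump Pumps": True}   # True = running
        if batch_detection:
            self.pumps["Quality Measurement Building Pumps"] = True
        # Station valves are driven by the Facility PLC: if it has failed they hold position.
        self.station = {n: Valve(n, p, facility_plc_ok) for n, p in
                        (("SSV", "open"), ("SDV", "open"), ("SBV", "closed"))}
        # Unit isolation valves are driven by the separate Unit PLC, so they still move.
        self.unit_valves = [Valve(f"Unit {u} {side} Isolation", "open")
                            for u in range(1, units + 1) for side in ("Suction", "Discharge")]
        self.trap: Dict[str, Valve] = {}
        if pig_traps:
            self.trap = {n: Valve(n, p, facility_plc_ok) for n, p in
                         (("RIV", "open"), ("RKV", "open"), ("RBV", "closed"),
                          ("LOV", "open"), ("LKV", "open"), ("LBV", "closed"))}

    def _bypass_then_isolate(self, bypass: Valve, isolation: List[Valve]) -> None:
        """Open the bypass first and isolate only once its open limit is confirmed,
        so the mainline is never blocked without a path around the station."""
        names = [v.name for v in isolation]
        if bypass.command("open"):
            for v in isolation:
                v.command("closed")
            self.log.append(f"{bypass.name} confirmed open; closed {names}")
        else:
            self.log.append(f"{bypass.name} not confirmed open; {names} left in last position")

    def esd(self) -> List[str]:
        """Run the section 3.1.3 sequence and latch the ESD."""
        self.esd_latched = True
        for pump in self.pumps:
            self.pumps[pump] = False
        self.log.append("all pumps shut down")
        for v in self.unit_valves:
            v.command("closed")
        self.log.append("Mainline Pump Unit isolation valves closed (Unit PLC)")
        s = self.station
        self._bypass_then_isolate(s["SBV"], [s["SSV"], s["SDV"]])
        if self.batch_detection:
            self.log.append("QMB inlet and outlet valves closed")
        if self.trap:
            t = self.trap
            self._bypass_then_isolate(t["RBV"], [t["RIV"], t["RKV"]])
            self._bypass_then_isolate(t["LBV"], [t["LOV"], t["LKV"]])
        return self.log

    def reset(self, local: bool) -> bool:
        """Only a local reset clears the latch so pumps can restart and valves realign."""
        if not local or not self.esd_latched:
            return False
        self.esd_latched = False
        return True

    def positions(self) -> Dict[str, str]:
        return {n: v.position for n, v in {**self.station, **self.trap}.items()}


if __name__ == "__main__":
    for ok in (True, False):
        ps = PumpStation(pig_traps=True, facility_plc_ok=ok)
        print("Facility PLC ok" if ok else "Facility PLC failed", ps.esd(), ps.positions())
```

The second run of the file reproduces the note above: with the Facility PLC down the SBV never confirms open, so the SSV and SDV are left where they were, while the Unit PLC still closes the pump isolation valves. The bypass confirmation is the safety-relevant ordering; a sequencer that closed SSV and SDV on a timer rather than on the SBV open limit would block the mainline on a stuck bypass.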

3.2 Terminals

3.2.1 Overview
Terminals are operated remotely from the OCC. Crude oil is both received into a Terminal and delivered
from a Terminal.

Oil enters a Terminal through an Inlet Valve Manifold. Oil is sampled at a QMU and then flows through
custody transfer metering. Booster Pumps can be placed either upstream or downstream of the custody
metering. Typically from there oil is routed by the distribution valve manifold to product tanks or Mainline
Pumps.

Terminals are typically complex facilities with many inlet paths to the Terminal and many outlet paths out
of the Terminal.

3.2.2 Terminal ESD

The following actions are taken in the event of a Terminal ESD:


• Terminal Booster Pumps are shut down

• Upstream Keystone Interconnect Facility Booster Pumps are shut down

• Upstream third party connected facilities’ Booster Pumps are requested to shut down
o If the Booster Pump shut down command is not failsafe, then the inlet valve to the
Terminal from the third party connected facility is closed

• In specific circumstances Inter-tank Transfer Valves are closed (refer to Section 2.2.3)
• Terminal Sump Pumps are shut down

• Pumps in Quality Measurement Buildings are shut down.

• Quality Measurement Building Inlet and Outlet valves are closed.


• Connected downstream Mainline Pumps are shut down.

The ESD condition must be cleared and reset locally to allow re-start of pumps and realignment of the
isolation valve(s).

3.3 Delivery Stations

3.3.1 Overview
Oil enters the Delivery Station through a Station Inlet Isolation Valve and an inlet PCV. Oil is sampled at a
QMU and then flows through one of the Meter Banks – all custody transfer metering takes place on the
Delivery Station site facility. At some Delivery Stations there is a PCV on the outlet from each of the
Meter Banks. From there product is routed to the connected Terminal.

3.3.2 Delivery Station ESD

The following actions are taken in the event of a Delivery Station ESD:

• The ESD condition is automatically communicated to the downstream facilities

o Communication of the ESD condition to the Third Party connected facility is on a best
efforts basis and no response by the third party is required or expected.

• The Station inlet isolation valve is closed.

• The Sump Pumps are shut down.

• Pumps in Quality Measurement Buildings are shut down

• Quality Measurement Building Inlet and Outlet valves are closed.

The ESD condition will be communicated to the SCADA system and the SCADA System will initiate an
automatic pipeline shutdown.

Note: in the event of a Delivery Station ESD caused by a Station PLC Failure or a Control System Power
Failure, it is unlikely that the inlet isolation valve will be able to move and will therefore remain in its last
position. However the ESD condition will still be communicated to the SCADA System and the SCADA
System will initiate an automatic pipeline shutdown.

The ESD condition must be cleared and reset locally to allow realignment of the inlet isolation valve.


3.4 Interconnect Facilities

3.4.1 Overview
Interconnect Facilities are located at the receipt into the Pipeline rather than at the supply from the
Pipeline (i.e. Delivery Stations). Oil enters the Interconnect Facility through the Inlet Valve Manifold and is
then increased in pressure by Booster Pumps. Interconnect Facilities are owned and operated by
TransCanada. Third party connected facilities (both upstream and downstream) are owned and operated
by others. The ESD interaction with these types of facilities is discussed later in this section of the
document.
If a Custody Measurement system is installed, the oil is firstly sampled at a QMU and then flows through
one of the Meter Banks. From there oil is routed to the connected Facility – usually a Keystone Terminal.

3.4.2 Interconnect Facility ESD

At an Interconnect Facility, a Facility ESD will result in the following actions:


• Interconnect Facility Inlet Isolation Valves are closed

• Interconnect Facility Booster Pumps are shut down

• Interconnect Facility Sump Pumps are shut down.


• Pumps in Quality Measurement Building (at custody transfer metering sites only) are shut down

• Quality Measurement Building (at custody metering sites only) Inlet and Outlet valves are closed.

The ESD condition must be cleared and reset locally to allow realignment of the inlet isolation valve(s).

3.4.3 Third Party Connected Facilities

Third Party Upstream Connected Facilities are located upstream of Keystone Terminals and generally
consist of Piping, Tanks and/or Booster Pumps. An ESD at a Keystone Terminal will result in a shutdown
command to the Third Party facility Booster Pumps. The command will be considered a “request” only if
the shut down command cannot be made failsafe.
Third Party Downstream Connected Facilities are located downstream of Keystone Delivery Stations and
generally consist of Piping and Tanks. An ESD at a Keystone Delivery Station will be communicated to
the Third Party connected facility on a best efforts basis and no third party response is required or
expected.

3.5 IMLV Sites

There is no ESD system at IMLV sites.


4. EQUIPMENT E-STOP

4.1 Pump Stations

All Mainline Pumps at Pump Stations have local E-Stop pushbuttons and a hardwired back-up E-Stop
Relay system.

4.2 Terminals

All Booster Pumps at Terminals have local E-Stop pushbuttons and a hardwired back-up E-Stop Relay
system.

4.3 Interconnect Facilities

All Booster Pumps at Keystone Interconnect Facilities have local E-Stop pushbuttons and a hardwired
back-up E-Stop Relay system.

5. BUILDING/SYSTEM ESD

5.1 Quality Measurement Buildings

5.1.1 Quality Measurement Overview

The Facility PLC is used to monitor, control and protect the equipment and devices in the QMB. Density
and Viscosity analyzers provide uncorrected values to the MCS. Continuous sampling (via a fast loop
sample pump) and measurement of product will occur.

Normal operation is for the QMB inlet and outlet isolation valves to be open and for the fast loop sample
pump to be running. Product is measured by the analyzers and the results provided to the MCS.
The Quality Measurement Building contains a QMB ESD Pushbutton, Flame Detector, H2S Detector,
Combustible Gas Detector and Smoke Detector. Beacons and horns annunciate a warning in the case of
any fire or an abnormal gas condition. The color of each beacon indicates the specific condition. A yellow
strobe warning beacon indicates the presence of H2S. A blue strobe warning beacon indicates the
presence of combustible gas. A red strobe warning beacon indicates the presence of fire.

The malfunction of any fire or gas detector causes the appropriate beacon to blink.

5.1.2 Quality Measurement System ESD

A Quality Measurement System ESD will stop the sample pumps and isolate the QMB process by closing
the inlet and outlet isolation valves.


The Quality Measurement System ESD Initiators are listed below:

• Local QMB ESD pushbutton

• OCC “QMB ESD” command via SCADA

• Local HMI “QMB ESD” command

• Contact from the Facility ESD circuit

• Combustible Gas High-High (LEL)

• H2S Gas High-High (ppm)

• Fire detected (Flame Detector or Smoke Detector)


• Loss of open limit on any QMB inlet or outlet valve

• QMB sump level High-High

NOTE: A Quality Measurement System ESD activation requires a trip to site to manually reset the initiating
condition, open the inlet/outlet valves and restart the pumps.

The Facility PLC Quality Measurement System ESD software logic is backed up by a QMU hardwired
relay based ESD system. The ESD trip circuit is designed to shut down the sample pumps independently of
the PLC. The ESD circuit consists of the Terminal ESD trip circuit contact and the QMU Building ESD
Pushbutton contact in series in the pump motor control circuit.

The ESD trip circuit is designed fail safe; i.e. failure of ESD initiator components will trigger an ESD.

5.2 Gaugers Labs

The Gaugers Lab is typically a standalone building used to manually analyze oil samples. A Gaugers Lab
is normally located at any facility that contains custody transfer metering – Terminals, Delivery Stations
and Interconnect Facilities.

The Gaugers Lab building contains Flame, H2S, Combustible Gas and Smoke detectors. These detectors
are wired to a hardwired relay system.
On detection of a fire, 40% LEL combustible gas or 10 ppm H2S, all electrical motors in the building will
be de-energized.

Beacons are located both inside and outside of the building. The color of each beacon indicates the
specific condition. A yellow strobe warning beacon indicates the presence of H2S. A blue strobe warning
beacon indicates the presence of combustible gas. A red strobe warning beacon indicates the presence of fire.

The malfunction of any fire or gas detector causes the appropriate beacon to blink.
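Worked example (added here; not Keystone or TransCanada logic) covering both the QMB ESD of section 5.1 and the Gaugers Lab fire and gas action of section 5.2: beacon annunciation by colour with blinking on detector malfunction, the section 5.1.2 initiator list as a latching ESD that only a reset at site clears, and the Gaugers Lab motor trip. The 40% LEL and 10 ppm H2S values are the section 5.2 figures; the QMB High-High setpoints are not stated on this page and are passed in as parameters; treating a detector with no valid signal as a malfunction that only annunciates (and does not trip) is an assumption made for the illustration.

```python
"""Fire and gas annunciation plus ESD initiator evaluation for the QMB
(section 5.1) and the Gaugers Lab (section 5.2).

Added illustration, not Keystone/TransCanada logic. The 40% LEL and 10 ppm
H2S trip points are the Gaugers Lab values from section 5.2; QMB High-High
setpoints are not given on the page and are parameters here. A detector
with no valid signal is assumed to annunciate (blink) without tripping.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OFF, SOLID, BLINK = "off", "solid", "blink"
GAUGERS_LAB_LEL_PCT = 40.0
GAUGERS_LAB_H2S_PPM = 10.0


@dataclass(frozen=True)
class FireGas:
    """One building's detector readings. None = detector malfunction (no valid signal)."""
    combustible_gas_pct_lel: Optional[float]
    h2s_ppm: Optional[float]
    flame: Optional[bool]
    smoke: Optional[bool]


def beacons(fg: FireGas, lel_hh: float, h2s_hh: float) -> Dict[str, str]:
    """Yellow = H2S, Blue = combustible gas, Red = fire. A detector in
    malfunction blinks its beacon; a confirmed condition lights it solid."""
    def analog(value: Optional[float], hh: float) -> str:
        if value is None:
            return BLINK
        return SOLID if value >= hh else OFF
    fire_inputs = (fg.flame, fg.smoke)
    if any(v is True for v in fire_inputs):
        red = SOLID
    elif any(v is None for v in fire_inputs):
        red = BLINK
    else:
        red = OFF
    return {"yellow": analog(fg.h2s_ppm, h2s_hh),
            "blue": analog(fg.combustible_gas_pct_lel, lel_hh),
            "red": red}


@dataclass(frozen=True)
class QmbInputs:
    fire_gas: FireGas
    local_pushbutton: bool = False
    occ_command: bool = False           # OCC "QMB ESD" command via SCADA
    hmi_command: bool = False           # local HMI "QMB ESD" command
    facility_esd_contact: bool = False  # contact from the Facility ESD circuit
    valve_open_limits: Tuple[bool, ...] = (True, True)  # QMB inlet and outlet valves
    sump_level_hh: bool = False


def qmb_esd_reasons(inp: QmbInputs, lel_hh: float, h2s_hh: float) -> List[str]:
    """Every active initiator from the section 5.1.2 list; non-empty means trip."""
    b = beacons(inp.fire_gas, lel_hh, h2s_hh)
    checks = [
        (inp.local_pushbutton, "Local QMB ESD pushbutton"),
        (inp.occ_command, "OCC QMB ESD command via SCADA"),
        (inp.hmi_command, "Local HMI QMB ESD command"),
        (inp.facility_esd_contact, "Facility ESD circuit contact"),
        (b["blue"] == SOLID, "Combustible Gas High-High"),
        (b["yellow"] == SOLID, "H2S Gas High-High"),
        (b["red"] == SOLID, "Fire detected"),
        (not all(inp.valve_open_limits), "Loss of open limit on a QMB inlet/outlet valve"),
        (inp.sump_level_hh, "QMB sump level High-High"),
    ]
    return [reason for active, reason in checks if active]


class QmbEsd:
    """Latching QMB ESD: a trip stops the sample pumps and closes the inlet and
    outlet isolation valves; only a reset at site clears it, and only once the
    initiating condition has gone."""

    def __init__(self, lel_hh: float, h2s_hh: float) -> None:
        self.lel_hh, self.h2s_hh = lel_hh, h2s_hh
        self.tripped = False
        self.sample_pumps_running = True
        self.isolation_valves_open = True

    def scan(self, inp: QmbInputs) -> List[str]:
        reasons = qmb_esd_reasons(inp, self.lel_hh, self.h2s_hh)
        if reasons:
            self.tripped = True
            self.sample_pumps_running = False
            self.isolation_valves_open = False
        return reasons

    def site_reset(self, inp: QmbInputs) -> bool:
        if qmb_esd_reasons(inp, self.lel_hh, self.h2s_hh):
            return False  # initiating condition still present; latch stays set
        self.tripped = False
        return True


def gaugers_lab_motors_deenergized(fg: FireGas) -> bool:
    """Gaugers Lab hardwired relays: fire, 40% LEL or 10 ppm H2S drops all motors."""
    b = beacons(fg, GAUGERS_LAB_LEL_PCT, GAUGERS_LAB_H2S_PPM)
    return SOLID in (b["red"], b["blue"], b["yellow"])
```

After a trip the NOTE in 5.1.2 applies: the initiating condition is cleared at site, the inlet/outlet valves re-opened and the pumps restarted by hand, and only then does site_reset clear the latch. It refuses while any initiator, including a lost open limit on a valve that has not yet been re-opened, is still active.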


5.3 Field Service Buildings

The FSB has its own commercial fire detection system. Fire detected by this system, or a malfunction of
this system, is communicated to the Terminal PLC system and subsequently alarmed at the OCC. No
automated action is taken other than to alarm these conditions.

6. PRESSURE RELIEF SYSTEMS

6.1 Overview

The piping system at some facilities is protected from over-pressuring by a full flow pressure relief
system. Relief flow is typically directed to a dedicated relief tank or a product tank where volume has
been dedicated for relief volumes.

If oil pressure exceeds the relief setpoint pressure, the nitrogen loaded pressure relief valve will open and
route the incoming fluid into a downstream reservoir. A pressure transmitter is used by the Facility PLC
to detect that a surge event has occurred. In-line flow switches provide indication of a leaking relief valve.

6.2 Terminals

A relief event at a Terminal will initiate the following:

• The relief event alarm is communicated to the SCADA System

• The Facility PLC will close the appropriate Terminal inlet isolation valve(s)

• The Facility PLC will send a command to shut down the appropriate upstream Booster Pumps
(they may already have shut down).

6.3 Delivery Stations

A relief event at a Delivery Station will initiate the following:


• The relief event alarm is communicated to the SCADA System

• The SCADA System initiates an automatic pipeline shutdown of all upstream Pump Stations

• The Facility PLC will close the Station inlet isolation valve(s)
