
Engineering Encyclopedia

Saudi Aramco DeskTop Standards

DEVELOPMENT AND ANALYSIS OF EMERGENCY SHUTDOWN SYSTEMS

Note: The source of the technical material in this volume is the Professional
Engineering Development Program (PEDP) of Engineering Services.
Warning: The material contained in this document was developed for Saudi
Aramco and is intended for the exclusive use of Saudi Aramco’s employees.
Any material contained in this document which is not already in the public
domain may not be copied, reproduced, sold, given, or disclosed to third
parties, or otherwise used in whole, or in part, without the written permission
of the Vice President, Engineering Services, Saudi Aramco.

Chapter: Process Instrumentation
File Reference: PCI-106.04

For additional information on this subject, contact the PEDD Coordinator on 874-6556.
Engineering Encyclopedia ESD Systems
Development and Analysis of
Emergency Shutdown Systems

CONTENT PAGE

INTRODUCTION ........ 4

SELECTING INPUT AND FINAL DEVICES FOR A GIVEN APPLICATION ........ 5

Input Device/Sensor Selection ........ 5
General Criteria for Recommended Shutdown Points ........ 5
General Criteria for Types of Process Instrumentation ........ 9
Specific Criteria for Determination of Shutdown Points and Types of Process Instrumentation ........ 13
Selection Criteria for Flow Shutdown Devices ........ 13
Selection Criteria for Level Shutdown Devices ........ 16
Selection Criteria for Pressure Shutdown Devices ........ 17
Selection Criteria for Temperature Shutdown Devices ........ 18
Selection Criteria for Vibration Shutdown Devices ........ 19

Final Device Selection ........ 20
Types of Final Devices ........ 22

Application Criteria for Final Devices ........ 26

REVISING AN EXISTING APPLICATION PROGRAM AND ASSOCIATED DOCUMENTATION FOR A CHANGE TO AN ESD SYSTEM ........ 27

Modification and Evaluation of Application Programs ........ 27

System Modifications ........ 28
Authorization Procedures ........ 29
Typical Applications ........ 31
Documentation ........ 32

Evaluation ........ 33

Comparison of Binary Logic and Resulting PLC Ladder Logic ........ 35

Requirements for "Management of Change" to ESD Systems ........ 41

REFERENCES ........ 54

WORK AID 1: GUIDELINES AND TECHNICAL REFERENCES FOR REVISING A CAUSE-AND-EFFECT MATRIX, SELECTING AN INPUT DEVICE/SENSOR, AND SELECTING THE APPROPRIATE FINAL DEVICE FOR A GIVEN PROCESS APPLICATION ........ 55

Work Aid 1A: Guidelines for Revising a Cause-and-Effect Matrix ........ 55
Work Aid 1B: Guidelines and Technical References for Selecting An Input Device/Sensor ........ 60
Work Aid 1C: Guidelines and Technical References for Selecting The Appropriate Final Device ........ 61

WORK AID 2: GUIDELINES AND TECHNICAL REFERENCES FOR REVISING AN EXISTING APPLICATION PROGRAM AND ASSOCIATED DOCUMENTATION FOR A CHANGE TO AN ESD SYSTEM ........ 64

GLOSSARY ........ 72

LIST OF FIGURES

Figure 1. An Example HAZOP Worksheet ........ 7
Figure 2. Safety Integrity Level Performance Requirements ........ 9
Figure 3. An Example Cause-And-Effect Matrix ........ 10
Figure 4. Vacuum Pump System Simplified P&ID ........ 11
Figure 5. Acceptable Installation Of A Primary Element That Is Shared Between A BPCS And An ESD System ........ 15
Figure 6. Typical Level Shutdown Device Installation ........ 17
Figure 7. Vacuum Pump P&ID ........ 21
Figure 8. Final Device Information In A HAZOP Worksheet ........ 25
Figure 9. Modification Authorization Procedure ........ 31
Figure 10. Binary Logic Diagram For Vacuum Pump System ........ 35
Figure 11. Relay Logic For Vacuum Pump System ........ 37
Figure 12. Ladder Logic Format ........ 38
Figure 13. Logic Function Comparison ........ 39
Figure 14. PLC Ladder Logic For Vacuum Pump System ........ 40
Figure 15. HAZOP Worksheet For Vacuum Pump System Proposed Change ........ 45
Figure 16. Vacuum Pump System HAZOP Summary Form ........ 46
Figure 17. Vacuum Pump ESD System Cause-and-Effect Matrix ........ 47
Figure 18. Vacuum Pump System P&ID ........ 48
Figure 19. Vacuum Pump ESD System Logic Written Description ........ 49
Figure 20. Vacuum Pump ESD System Binary Logic Diagram ........ 50
Figure 21. Vacuum Pump ESD System PLC Ladder Logic ........ 51
Figure 22. Timer Logic Function Comparison ........ 52
Figure 23. Approved Change Request Form ........ 53
Figure 38, Sheet 1. Binary Logic Functions ........ 67
Figure 38, Sheet 2. Binary Logic Functions ........ 68
Figure 38, Sheet 3. Binary Logic Functions ........ 69
Figure 39. Logic Function Comparison ........ 70
Figure 40. Timer Function Comparison ........ 71


INTRODUCTION

This module is a natural progression from the previous modules.

Module 1 discussed emergency shutdown (ESD) systems and their role in an operating plant, some Saudi Aramco mandatory requirements that govern the design and use of ESD systems, the basic structure of an ESD system, and typical technologies that are used in ESD systems.

Module 2 discussed documentation requirements for an ESD system. Module 3 discussed design requirements and application criteria for an ESD system that can be used to determine if an ESD system meets Saudi Aramco requirements.

Changes are often required for an ESD system that is installed and operating. This module provides the necessary background to allow these changes to be made safely. Changes to the following three areas of an ESD system are discussed in this module:

• Input devices

• Logic solver and associated application program

• Output devices


SELECTING INPUT AND FINAL DEVICES FOR A GIVEN APPLICATION

Modifications to existing ESD systems are evaluated by revising the cause-and-effect matrix. The revised cause-and-effect matrix indicates the requirements for input and final devices. The basis for selection of these devices is discussed in this section.

Input Device/Sensor Selection

Whenever extreme process conditions (e.g., excessive temperature) have the potential to harm personnel, process equipment, and/or the environment, shutdown (input) devices must be provided.

General Criteria for Recommended Shutdown Points

Shutdown points are usually determined by one of the three following methods:

• Based on experience with other similar installations.

• By comparison with existing codes and standards using checklists.

• Based on specific recommendations by a HAZOP study team.

If an existing installation has gone through an evaluation by a HAZOP team, and this installation has been designed and installed based on the recommendations of the HAZOP team, this installation can often be used as the basis for the design of future similar installations.


Checklists provide a way to verify that a design conforms to existing codes and standards of good practice. The design must be reviewed for conformance to codes and standards because they provide a good basis for ensuring minimum safety standards in a design. Checklists are very often a summary of the applicable codes and standards that have been supplemented by the more important "What If" type questions that typically come up at design reviews. Checklists are particularly useful when designing facilities that are proven and well understood.

The results from a HAZOP study of a proposed design are a good choice for recommended shutdown points. These results are usually expressed in the form of a HAZOP worksheet (see Figure 1). The following is some of the valuable information for the ESD system designer that is contained in the HAZOP worksheet:

• Specific deviations (if any) for each guide word for the part of the process being examined.

• Possible initiating causes for each deviation.

• Consequences if each deviation were allowed to occur.

• Recommended action to reduce the consequences to an acceptable risk level.


Columns: Ref. No. | Guide Word | Deviation | Causes | Consequences | Actions

Ref. No.: 1
Guide Word: MORE OF
Deviation: Liquid buildup in T-303 knockout pot
Causes: Excessive liquid carryover from reactor
Consequences: Possible vacuum pump rupture if T-303 overflows
Actions: HH level interlock (Level 4) to stop vacuum pump

Ref. No.: 2
Guide Word: MORE OF
Deviation: Vacuum pump high discharge pressure
Causes: Blockage in vent system
Consequences: Possible vacuum pump damage
Actions: HH discharge pressure [set point = 34.5 kPa (5 psig)] interlock (Level 4) to close vacuum pump discharge block valve and stop vacuum pump. Vacuum pump must be stopped any time discharge block valve is closed.

Figure 1. An Example HAZOP Worksheet

If the recommended action is to use a shutdown interlock, the HAZOP study team should determine the required level of shutdown (see SAES-J-601), such as Total Plant Shutdown (Level 1), Unit Isolation (Level 2), Equipment Isolation (Level 3), Equipment Protection (Level 4), and Regulatory Alarms & Permissives (Level 5), and the recommended set point for the shutdown. Knowledge of the required level of shutdown makes it possible to determine if an ESD system is required.

Where possible, the HAZOP study team should provide recommendations for the integrity level required for a shutdown interlock. The HAZOP study team should be in a good position to provide integrity levels because the HAZOP study team has intimate knowledge of the process plant. For example, the HAZOP study team might recommend redundant or triplicated pressure devices for a high pressure shutdown interlock due to critical operational problems with a catalytic cracker or reformer.


Different criteria exist for assigning integrity levels to shutdown interlocks. The Saudi Aramco approach is based on shutdown levels, as discussed in Module 1. Another approach, based on safety integrity levels (SILs), is now being used by many companies (Refs. 1 and 2).

A safety integrity level defines the level of performance needed to achieve the user's process safety objectives. The higher the SIL, the more available the safety function of the ESD system becomes. The following are some ways that performance can be improved:

• The addition of redundancy

• More frequent testing

• The use of diagnostic fault detection

• The use of diverse sensors and final control elements

Performance is also improved through better control of design, operation, and maintenance procedures.

References 1 and 2 define three levels of safety integrity (see Figure 2).

More valuable information is contained in a cause-and-effect matrix (see Figure 3) that establishes a relationship between the inputs (causes) to the ESD system and the outputs (effects) from the ESD system. Possible relationships are shown in the legend at the bottom of the cause-and-effect matrix. One (or more) of these relationships is placed at the intersection of the cause and the effect in the cause-and-effect matrix.


Safety Integrity Level (SIL)    Probability of Failure on Demand, Average Range (PFDavg)
1                               10^-1 to 10^-2
2                               10^-2 to 10^-3
3                               10^-3 to 10^-4

Figure 2. Safety Integrity Level Performance Requirements

Recommended set points for shutdown devices should be provided by the HAZOP team. These set points should be shown in the HAZOP worksheet, and these set points should be carried over to the cause-and-effect matrix.

General Criteria for Types of Process Instrumentation

The following are some of the general criteria that are used for determining the type of shutdown devices:

• Analog input devices are preferred because better diagnostics can be performed on analog signals than on the discrete input signals that are generated from input devices such as flow switches and pressure switches.

• Common cause failures are minimized when ESD input devices have their own separate connections to the process equipment.

• Redundancy may be needed to achieve reliable operation of process measuring devices in some applications. The following are some reasons that redundant or triplicated input devices may be needed:

- Higher availability is needed than can be achieved with a single input device.


- The process service conditions are severe, and poor reliability of the input device is expected. Diversity of the input devices may be needed to ensure reliable service.

Level 4, Equipment Protection

EFFECT (THEN) columns: (a) Vac. pump start/run permissive; (b) K-304 discharge block valve

CAUSE (IF)                                            (a)   (b)
T-303 high level LSHH                                 S     -
High level reset pushbutton                           R     -
K-304 high disch. press. PSHH [34.5 kPa (5 psig)]     S     C
High disch. press. reset pushbutton                   R     O
K-304 disch. valve closed                             S     -

Legend: O = Open, C = Close, R = Run, S = Stop, TD = Time Delay, V = Vent, A = Auto, M = Manual, TS = Timed Step, Th = Throttling

Figure 3. An Example Cause-And-Effect Matrix

• Input devices that contact process fluids must be capable of withstanding the temperatures, pressures, and other fluid properties of the process material.

• Input devices that are installed in the process area may need special housings and special materials for exposed parts so that these devices can withstand the environmental conditions.


• Sensing devices should be selected to be as fail-safe as possible. When de-energized-to-trip ESD systems are used, the sensing device switch contacts should be closed under normal operating conditions. These contacts will open to initiate an ESD system shutdown.

Figure 4 shows a simplified P&ID for a vacuum pump system. This P&ID can be used to illustrate the principles that are involved in analyzing and evaluating failure modes of a piece of equipment. An example is high-level switch LSH-305. Although this switch is used only for alarm purposes, the same principles apply as for shutdown switches.

[Figure 4 is a P&ID drawing. Tags shown: knockout pot T-303 (fed from the reactor, with an outlet to drain), vacuum pump K-304 (discharging to vent), level indicator LI-304, high-level switch LSH-305 with alarm LAH-305, pressure transmitter PT-307, pressure controller PIC-307, pressure control valve PCV-307 (FO) on the N2 supply, pressure indicators PI-308 and PI-309, and PZV-301. A legend entry identifies electrical or electronic signal lines.]

NOTE: Some piping details (e.g., line sizes) and instrumentation details (e.g., block valves on pressure gauges) are not shown to simplify the drawing.

Figure 4. Vacuum Pump System Simplified P&ID


Switch contacts on input devices that are closed during normal process operation and open when the shutdown or alarm condition is reached are consistent with de-energized-to-trip ESD systems. A mechanically operated low flow switch, for example, should have NO (normally open) contacts that close when the flow is above the set point (normal operation) and open when the flow drops below the set point (alarm condition). A mechanically operated high level switch (as in this example) should have NC (normally closed) contacts. The contacts will be closed under normal operation, and they will open when the level exceeds the set point.

All failure possibilities must be considered if fail-safe operation of an input device is to be achieved. The following are some of the things that must be considered in order to achieve fail-safe operation:

• What happens if a wire breaks? In this example, if a wire breaks between the high-level switch and the logic solver, the logic solver will see an absence of a signal from the high-level switch. This loss of signal will actuate an alarm or initiate a shutdown, and this action leads to a safe condition.

• What happens if power is lost to the input device? In this case, the effect is the same as for a broken wire, and this loss of power results in a safe condition.

• What process conditions could affect the operation of the input device? In this example, if there were solids present in the knockout pot, a switch would be selected that would not be affected by a solids buildup on the level switch.
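The de-energized-to-trip contact convention and the Figure 3 cause-and-effect matrix can be exercised together in a small logic-solver model, which also shows why a broken wire or a dead switch lands on the safe side. The following Python is an added illustration and is not code from this module or from any Saudi Aramco standard; the tag names are the page's, while the latching of the two trips, the use of a valve-closed limit switch as the "K-304 disch. valve closed" cause, and the scan structure are assumptions made for the example.

```python
"""Logic-solver model of the Figure 3 cause-and-effect matrix for the vacuum
pump system, written de-energized-to-trip: a field contact that is closed
(True) means "healthy", an open contact (False) means trip. A broken wire or
loss of power at the switch also reads as an open contact, so it trips too.

Added example; tag names come from the module, the latching and reset
behaviour are assumptions made for illustration."""
from dataclasses import dataclass


@dataclass
class Inputs:
    lshh_303_closed: bool = True    # T-303 high-level switch LSHH contact (closed = level normal)
    pshh_304_closed: bool = True    # K-304 high discharge pressure PSHH contact (closed = normal)
    valve_304_closed: bool = False  # limit switch: discharge block valve is in the closed position
    high_level_reset: bool = False  # momentary reset pushbutton
    high_press_reset: bool = False  # momentary reset pushbutton


@dataclass(frozen=True)
class Outputs:
    pump_run_permissive: bool   # True = R (run permitted), False = S (stop)
    valve_open_command: bool    # True = O (open), False = C (close)


class VacuumPumpEsd:
    """One logic-solver scan per call; trips are latched until manual reset."""

    def __init__(self) -> None:
        self.high_level_trip = False
        self.high_press_trip = False

    def scan(self, i: Inputs) -> Outputs:
        # Row "T-303 high level LSHH": S on the pump. An open contact sets the
        # latch; the "High level reset pushbutton" row (R) clears it, but only
        # while the contact is healthy again.
        if not i.lshh_303_closed:
            self.high_level_trip = True
        elif i.high_level_reset:
            self.high_level_trip = False

        # Row "K-304 high disch. press. PSHH": S on the pump and C on the
        # discharge block valve; its reset row gives R and O.
        if not i.pshh_304_closed:
            self.high_press_trip = True
        elif i.high_press_reset:
            self.high_press_trip = False

        valve_open = not self.high_press_trip
        # Row "K-304 disch. valve closed": S on the pump. This enforces the
        # Figure 1 action "vacuum pump must be stopped any time discharge
        # block valve is closed", using the valve's own closed limit switch
        # rather than the command, so the pump stays stopped until the valve
        # has actually travelled open after a reset.
        pump_run = (not self.high_level_trip
                    and not self.high_press_trip
                    and not i.valve_304_closed)
        return Outputs(pump_run, valve_open)


def run_sequence(steps: list) -> list:
    """Scan a constructed sequence of input snapshots and return each scan's outputs."""
    esd = VacuumPumpEsd()
    return [esd.scan(s) for s in steps]


def wire_break_sequence() -> list:
    """Constructed scenario: the LSHH field wire breaks, then is repaired and reset."""
    return run_sequence([
        Inputs(),                                   # normal running
        Inputs(lshh_303_closed=False),              # wire break reads as an open contact: trip
        Inputs(),                                   # wire repaired, no reset yet: still latched
        Inputs(high_level_reset=True),              # operator resets: pump may run
    ])


def high_pressure_sequence() -> list:
    """Constructed scenario: PSHH trips, valve closes, reset while the valve is still closed."""
    return run_sequence([
        Inputs(),
        Inputs(pshh_304_closed=False, valve_304_closed=True),  # trip: valve commanded closed, limit made
        Inputs(valve_304_closed=True, high_press_reset=True),  # reset: valve commanded open, still closed
        Inputs(),                                              # limit switch cleared: pump may run
    ])


if __name__ == "__main__":
    for name, seq in (("wire break", wire_break_sequence()),
                      ("high pressure", high_pressure_sequence())):
        print(name)
        for o in seq:
            print(f"  pump {'R' if o.pump_run_permissive else 'S'}  "
                  f"valve {'O' if o.valve_open_command else 'C'}")
```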

Specific information that is needed to select an input device can come from many sources. The following are examples of some of these sources:

• Recommendations from a HAZOP worksheet

• Previous experience in a similar installation

• Corrosion information for the particular fluid that the input device will be contacting


• Environmental conditions in the area where the input device will be installed

• Plant standards for the selection of input devices

Specific Criteria for Determination of Shutdown Points and Types of Process Instrumentation

Specific criteria that are used for determining the need for a
shutdown point and the type of process instrumentation that
should be used are described below for the following process
variables:

• Flow

• Level

• Pressure

• Temperature

• Vibration

Selection Criteria for Flow Shutdown Devices

Low-low flow shutdown input devices are recommended for:

• Centrifugal and positive displacement pumps. These input devices prevent overheating and subsequent pump failure from operating at flow rates less than the required minimum flow.

• Inputs to reactors or converters where damage to the catalyst will result from failure of feed gas flow.

• In piping or heater tubes where damage will occur because of reduced flow velocities.


An orifice meter assembly is the preferred measuring device. The differential pressure that is generated by the orifice meter assembly should be measured by a field-mounted analog differential-pressure transmitter that is connected via a manifold and impulse tubing to the orifice meter assembly. This analog transmitter will supply a 4-20 mA DC input signal to the logic solver in the ESD system. A digital transmitter may be used if it has a minimum scan rate of 10 times/second.

Direct process-actuated differential-pressure switches (indicating type) may be used where analog differential-pressure transmitters are not practical.

The following are two ways that a single orifice flange or flow element may be used for both a basic process control system (BPCS) and an ESD system (see Figure 5):

• By using ESD impulse tubing and isolation valves that are separated from regulatory control loop impulse tubing by separate taps (see Figure 5a).

• By a parallel impulse tubing arrangement utilizing common flow element block valves but separate impulse leg isolation valves (see Figure 5b).


[Figure 5 is a drawing with two panels. Panel a) Separate Flow Element Taps: one flow element FE with two separate sets of taps, each feeding its own flow transmitter FT; one FT supplies the input signal to the BPCS and the other supplies the input signal to the ESD system. Panel b) Common Flow Element Taps: one flow element FE with one set of taps and common block valves, then parallel impulse legs with separate isolation valves feeding two flow transmitters FT, one supplying the input signal to the BPCS and one supplying the input signal to the ESD system.]

Figure 5. Acceptable Installation Of A Primary Element That Is Shared Between A BPCS And An ESD System

The example that is shown in Figure 5a has fewer common cause failure points than the example that is shown in Figure 5b because the common block valves in Figure 5b are a potential common cause failure point.


Selection Criteria for Level Shutdown Devices

Low-low level shutdown input devices are recommended for any vessel where loss of level would result in damage to process equipment or release of hydrocarbons, toxic, or dangerous materials to atmosphere, e.g., sour water systems.

High-high level shutdown input devices are recommended for fuel gas scrubbers, compressor suction separators or knock-out drums, or for vessels containing both liquid and vapor, where vapor is released to a fuel gas system or to atmosphere.

The preferred input device is a field-mounted analog differential-pressure transmitter that is connected directly to the process equipment (see LT-107 in Figure 6 for a typical installation of a level transmitter). This analog transmitter will supply a 4-20 mA DC input signal to the logic solver in the ESD system. A digital transmitter may be used if it has a minimum scan rate of 10 times/second.

Float or displacer and cage type level switches are also recommended for ESD level inputs (see LSLL-108 in Figure 6 for a typical installation of a level switch).

Level switches or transmitters must have block valves that allow them to be isolated from process taps, and they must incorporate a separate drain valve and vent valve for testing and calibration of the level device (see LT-107 and LSLL-108 in Figure 6).


[Figure 6 is a drawing of a vessel fitted with two level devices, level transmitter LT-107 and low-low level switch LSLL-108, each wired to the ESD system. Each device is connected to the process taps through block valves and has its own vent valve and drain valve; the actuation point of LSLL-108 is marked. The vessel outlet goes to the downstream system.]

Figure 6. Typical Level Shutdown Device Installation

Selection Criteria for Pressure Shutdown Devices

Low-low pressure shutdown input devices are recommended for process equipment that is susceptible to damage in the event of low-low inlet or outlet pressure.

High-high pressure shutdown input devices and alarms are recommended for:

• All process systems that contain flammable or toxic fluids and that are protected against process upsets by relief valves.

Note: The ESD input device set point must be below the relief valve set point.


• Seal leakage detection systems (pumps).

The preferred input device is a field-mounted analog pressure or differential-pressure transmitter that is connected directly to the process equipment. Differential-pressure transmitters are used for pressure measurement when the measured pressure is below that achievable with a pressure transmitter. A typical example would be measuring the draft pressure in a combustion chamber where the measured pressure is just a few inches of water. This analog transmitter will supply a 4-20 mA DC input signal to the logic solver in the ESD system. A digital transmitter may be used if it has a minimum scan rate of 10 times/second.

Direct process-actuated pressure or differential pressure switches (with associated indicating gauge) may be used where analog pressure or differential-pressure transmitters are not practical.

Selection Criteria for Temperature Shutdown Devices

Low-low temperature shutdown input devices are recommended when process upsets may cause operating temperatures to drop below design limitations of process equipment or cause undesirable phase changes of process fluids.

High-high temperature shutdown input devices and alarms are recommended for:

• Compressor lube-oil temperature and compressor discharge temperature

• Rotating equipment bearing temperatures

• Process vessels, reactors, or converters where high temperature excursions or process upsets may cause equipment malfunction, internal damage, or unsafe operating conditions.


The preferred temperature measuring devices are the following:

• 100-ohm platinum resistance temperature detectors (RTDs) or Type E or Type K thermocouples that are wired directly into a triple modular redundant (TMR) ESD system.

• A field-mounted analog temperature transmitter that uses 100-ohm platinum resistance temperature detectors (RTDs) or Type E or Type K thermocouples as the measuring device. This analog transmitter must be compensated for ambient temperature changes, and it will supply a 4-20 mA DC input signal to the logic solver in the ESD system. A digital transmitter may be used if it has a minimum scan rate of 10 times/second.

Capillary-tube type or bimetallic type direct process-actuated temperature switches (with associated indicating gauge) must be avoided unless thermocouple or RTD measurements are not practical or feasible.

Selection Criteria for Vibration Shutdown Devices

X,Y probes, seismic sensors, proximitors, and transducers are recommended for rotating equipment protection systems (pumps, compressors, turbines, and gear boxes) in accordance with SAES-J-604.

Acceptable vibration detector types are:

• Contact (piezo-electric or moving coil) type, consisting of a separate detector and interface unit.

• Noncontact (proximity) type, consisting of a separate probe and interface unit (oscillator-demodulator).

Each detector output must be connected to the interface unit using a special cable that is selected and supplied by the vibration detector vendor. The cable that links the output of the interface unit to the panel-mounted vibration monitor must be in accordance with the vendor's recommendation.


The monitor must have adjustable shutdown set points, and one
or more of these shutdown points must be used to activate the
ESD system. Unless specified otherwise, a three-second time
delay must be provided to prevent spurious shutdowns.

Rack-mounted monitors or monitors that are mounted at the back of the control panel must have an indicator and a point selector switch installed on the front of the control panel. When a failure of the main power supply occurs, automatic switch over to an uninterruptible power supply (UPS) system must ensure continuous power supply to the monitor. To provide for a failure of the UPS system, the switch action of the vibration monitor output relays must be as follows to ensure fail-safe operation:

• The pre-alarm (alert) switch must de-energize to alarm, and it must be nonlatching.

• The shutdown (danger) switch must de-energize to shut down, and it must be latching with manual reset.

• The pre-alarm and shutdown indication switch (if included in the vendor's standard package) must de-energize to alarm, and it must be latching with manual reset.
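The relay rules above, together with the three-second time delay against spurious shutdowns, can be modelled so that the difference between a short spike and a sustained excursion is visible. The following Python is an added illustration and is not code from this module or from any vibration monitor vendor; the set points, the sample trace, and the comparison choices (at or above the set point, delay measured from the first such sample) are assumptions made for the example.

```python
"""Vibration monitor output-relay behaviour as the module specifies it:
the alert relay de-energizes to alarm and is nonlatching; the danger relay
de-energizes to shut down, is latched until manual reset, and only trips
after vibration has stayed at or above the danger set point for the
three-second time delay. Relay state True = energized (healthy), so a loss
of power to the monitor reads the same as a trip.

Added example; set points, sample values and the >= comparisons are
assumptions made for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RelayStates:
    alert_energized: bool    # False = pre-alarm
    danger_energized: bool   # False = shutdown demand to the ESD system


class VibrationMonitor:
    def __init__(self, alert_sp: float, danger_sp: float, delay_s: float = 3.0) -> None:
        self.alert_sp = alert_sp
        self.danger_sp = danger_sp
        self.delay_s = delay_s
        self._danger_since: Optional[float] = None  # time the excursion above danger_sp began
        self._danger_latched = False

    def sample(self, t: float, amplitude: float, reset: bool = False) -> RelayStates:
        # Alert: nonlatching, follows the measurement directly.
        alert_ok = amplitude < self.alert_sp

        # Danger: time-delayed to ride through short spikes, then latched.
        if amplitude >= self.danger_sp:
            if self._danger_since is None:
                self._danger_since = t
            if t - self._danger_since >= self.delay_s:
                self._danger_latched = True
        else:
            self._danger_since = None     # excursion ended before the delay expired

        # Manual reset clears the latch only once vibration is back below the set point.
        if reset and amplitude < self.danger_sp:
            self._danger_latched = False

        return RelayStates(alert_ok, not self._danger_latched)


def run_trace(monitor: VibrationMonitor,
              samples: List[Tuple[float, float, bool]]) -> List[RelayStates]:
    """Feed (time, amplitude, reset_pressed) samples through the monitor in order."""
    return [monitor.sample(t, v, reset) for t, v, reset in samples]


# Constructed one-second samples of a bearing vibration reading (arbitrary units).
SAMPLES = [
    (0, 2.0, False),
    (1, 9.0, False), (2, 9.0, False),      # 2 s above danger: spurious, no trip
    (3, 3.0, False),
    (4, 9.0, False), (5, 9.0, False), (6, 9.0, False), (7, 9.0, False),  # 3 s sustained
    (8, 2.0, False),                       # back to normal: alert clears, danger stays latched
    (9, 2.0, True),                        # manual reset
]


def demo() -> List[RelayStates]:
    return run_trace(VibrationMonitor(alert_sp=5.0, danger_sp=8.0), SAMPLES)


if __name__ == "__main__":
    for (t, v, _), s in zip(SAMPLES, demo()):
        print(f"t={t}s v={v:4.1f} alert={'ok' if s.alert_energized else 'ALARM'} "
              f"danger={'ok' if s.danger_energized else 'TRIP'}")
```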

Final Device Selection

Final devices are used to take the process to a safe state when
a shutdown occurs or if power is lost to the ESD system logic.
Vacuum pump K-304 and emergency isolation valve ZV-301 in
Figure 7 are examples of final devices in this vacuum pump
system.

[Figure 7 is the vacuum pump P&ID of Figure 4 with the ESD system added. Tags shown: knockout pot T-303 (fed from the reactor, with an outlet to drain), vacuum pump K-304 (discharging to the vent system), LI-304, LAH-305/LSH-305, high-high level switch LSHH-306 wired to the ESD system, PT-307/PIC-307/PCV-307 (FO) on the N2 supply, PI-308, PI-309, PZV-301, emergency isolation valve ZV-301 (FC) driven by the ESD system, and high-high pressure switch PSHH-310 wired to the ESD system. A legend entry identifies electrical or electronic signal lines.]

NOTE: Some piping details (e.g., line sizes) and instrumentation details (e.g., block valves on pressure gauges) are not shown to simplify the drawing.

Figure 7. Vacuum Pump P&ID

Types of Final Devices

The following are some of the requirements for selecting final devices:

• Must be fail-safe.

When valves are used as the final shutdown device, they are usually set up to fail either open or closed. Although each application must be checked to see which way the final device should fail, valves that supply energy to the system normally fail closed (e.g., steam valves), while valves that remove energy from the system normally fail open (e.g., cooling water valves).

All components of the final device must be fail-safe, including the actuator and solenoid valves on actuated block valves.

Final devices that are actuated with solenoid valves are more fail-safe if the solenoid valve is energized during normal plant operation. The solenoid valve will cause the final shutdown device to go to its fail-safe position when the solenoid is de-energized. This practice is consistent with the implementation of de-energized-to-trip ESD systems.

The actuator that provides the most reliable, fail-safe operation is a spring-return pneumatic actuator. Air pressure is used to compress this spring and to move the final shutdown device to its normal operating position. The spring will return the final shutdown device to its fail-safe position when the solenoid valve is de-energized or the instrument air supply pressure is lost.

• Must be available for operation in a critical situation.

Redundancy is used to achieve this reliability. This redundancy is achieved by providing the capability for manually operating the valve if the actuator is not able to provide the necessary actuation.


• Must provide bubbletight shutoff.

Isolation valves need bubbletight shutoff, which means that leakage through the valve is expressed in bubbles of air or gas per minute.

All automatic block valves have the potential for leaking. If a slight leakage can cause an explosive or hazardous condition, a double-block-and-bleed valve should be used.

• Must meet process and environmental constraints.

Those materials that are used in final devices and that contact the process material must be able to handle the temperature and pressure requirements of the process materials. Consideration should also be given to the environmental requirements, such as the ones relating to heat, electrical noise, frost and moisture ingress protection (including sea water deluge) when final devices are selected.

If the design principle for the ESD system is known (e.g., de-
energized-to-trip), the HAZOP worksheet, HAZOP summary
form, or cause-and-effect matrix can provide valuable
information for selecting a final device. For example, the
HAZOP worksheet in Figure 8 provides some requirements for
the vacuum pump discharge final device. The action that the
HAZOP worksheet specifies for this valve is to close the block
valve on either high discharge pressure or low differential
pressure. This action specifies the fail-safe position of this final
device when the ESD system trips or power to the final device is
lost. If this fail-safe position is not ensured, the valve may not
close when a critical situation arises.

The selection criteria discussed above can have a significant impact on the type of final device that is used in a given application. If bubbletight shutoff is required, the type of final device will be limited to valve body styles (e.g., ball valves) that are capable of providing this type of shutoff. If fail-safe criteria are important, spring-return pneumatic actuators are a logical choice. If no air is available for actuating the final device, pneumatic actuators cannot be used, and hydraulic or electric actuators might be a good choice. If the final device must have high availability, then final devices that can be made redundant may be selected.

Figure 7 shows a P&ID for the vacuum pump system example. Emergency isolation valve ZV-301 is provided on the discharge of the vacuum pump. This valve has the following two purposes:

• To minimize pressure buildup on the discharge of the vacuum pump because of a buildup of pressure in the vent system or because of a restriction in the vent piping.

• To prevent backflow of oxygen-containing gases from the vent system into the vacuum pump system.

The failure mode of this emergency isolation valve must be analyzed, and an evaluation must be made of the various components that make up this final device. For example, backflow into the vacuum pump system could occur because of a failure of the vacuum pump. One cause of this failure might be loss of electrical power. If that power failure could also affect the ESD system, then this emergency isolation valve must be capable of failing to the closed position on loss of electrical power. As stated earlier, a spring-return pneumatic actuator is the best selection for this type of application.

Much of this type of information should be available from the HAZOP study team. Existing installations of a similar type are also a good source for recommendations on final devices.


Ref. No. 1
  Guide Word: MORE OF
  Deviation: Liquid buildup in T-303 knockout pot
  Causes: Excessive liquid carryover from reactor
  Consequences: Possible vacuum pump rupture if T-303 overflows
  Actions: High level interlock (Level 4) to stop vacuum pump

Ref. No. 2
  Guide Word: MORE OF
  Deviation: Vacuum pump high discharge pressure
  Causes: Blockage in vent system
  Consequences: Possible vacuum pump damage
  Actions: High discharge pressure [set point = 34.5 kPa (5 psig)] interlock (Level 4) to close vacuum pump discharge block valve and stop vacuum pump. Vacuum pump must be stopped any time discharge block valve is closed.

Figure 8. Final Device Information In A HAZOP Worksheet


Application Criteria for Final Devices

The application criteria for final devices that were discussed in Module 3 can be very helpful for determining when final devices are needed. The following are examples where these application criteria apply:

• A method for isolating leaks in process plants before the material ignites or before serious damage or injury results should be provided. Remotely-operated emergency isolation valves can prevent serious leaks of flammable gases or liquids in processing plants. Emergency isolation valves can also be used to either stop or minimize the release of toxic or corrosive gases and liquids.

Saudi Aramco Standard SAES-B-058 is very specific on where emergency isolation valves are needed.

• Double-block-and-bleed valves are commonly used on the natural gas supply to boilers, furnaces, and process heaters.

This requirement indicates where a shutoff valve is needed, and it also helps determine the type of shutoff valve that should be used.

• Special consideration should be given to the use of block and/or bypass valves around final shutdown devices and emergency isolation valves. Block and/or bypass valves should only be used when a clear need exists.

Specific recommendations are given that identify where block and/or bypass valves should be used.


REVISING AN EXISTING APPLICATION PROGRAM AND ASSOCIATED DOCUMENTATION FOR A CHANGE TO AN ESD SYSTEM

Modifications can have a significant impact on operating plant safety. Processes frequently undergo changes to improve efficiency and productivity, conserve energy, and reduce waste materials. These changes may be in the process, in the BPCS, and/or in the ESD system. These changes may create problems unless an adequate safety review of the proposed changes is performed.

These problems are especially likely for changes to PLC-based ESD systems. PLC-based ESD systems allow changes to be implemented relatively quickly and usually without hardware additions. Because a PLC-based system is easy to change, ideas can be tried out before final decisions are made. Because of this ease of implementation, key safety issues that could lead to potentially hazardous situations could be overlooked.

This concern also applies when software upgrades are made by equipment vendors. A revision to system software may impact an ESD system in an unexpected manner. Therefore, software revisions and updates must be controlled.

Modification and Evaluation of Application Programs

Modifications to the application program in an ESD system require formal review and approval of the proposed changes. A formal procedure should be in place to ensure that the safety function provided by the ESD system is not compromised. This procedure should include a process to evaluate the correct implementation of the changes as the modifications are being made.

The review process should include formal, written approval before implementation. Testing of the changes is recommended prior to placing the modified system in operation. The testing required may include a full functional test of the ESD system.


Documentation of the changes, approval, and testing are all very important for ESD systems. A modified system should never be placed in operation unless acceptable documentation has been completed. Appropriate personnel must have received instructions and training on the operation of the revised ESD system.

System Modifications

Recommendations for conducting process safety reviews related to process or plant equipment changes currently exist. These recommendations address the overall process safety philosophy and cover such things as the following:

• When a formal review should take place.

• What the review should cover.

• Who should perform the review.

The ESD system is an integral part of those reviews, but instances may arise that require a separate and independent review of the ESD system. The makeup of the group performing such a review should include those individuals familiar with the detailed workings of the ESD system as well as those personnel who are normally involved in process safety reviews. The manufacturer of the equipment, or their representative, may also need to participate in the review process to ensure that all considerations relating to the operation of the system are covered.

The reasons and considerations used to arrive at ESD system-related decisions must be documented to ensure the correct design. The reviews should be made by qualified process control, process, and hardware- and software-knowledgeable individuals with input from operations, maintenance, and safety personnel where appropriate.


Authorization Procedures

The use of PLC-based ESD systems introduces security concerns. Although ESD system application program changes may be clear to some personnel, a potentially hazardous condition could result if these changes are not communicated to all operating personnel. Therefore, security methods and procedures are recommended to maintain the integrity of the ESD system application program. These procedures should address the following:

• Who is authorized to perform these activities.

• What method will be used to prevent unauthorized access to the ESD system.

• How authorized or approved activities will be implemented.

Although changes that are made to a BPCS may have no adverse impact on process safety, changes to the ESD system need an additional level of authorization over that required for BPCSs.

Figure 9 shows a procedure that can be followed for ensuring that all modifications to an application program are authorized. The following elements are included in this procedure:

• Initiating a change request

A change is usually initiated through the use of a change request form. The initiator completes one section of the form with the name, date, proposed change, and why the change is being proposed. The remainder of the form has a section for identifying who and what area the change impacts and allows for signatures of individuals who review and approve the change.

• Performing an impact analysis study

An impact analysis must be carried out that includes the impact of the proposed application program modification on the functional safety of the ESD system.


A HAZOP of the proposed modification may be needed because the complexity of some ESD systems makes them difficult to analyze in a simple manner. This difficulty may not be evident in the safety review technique being used for the process. Review teams often look only at the endpoints of the controls (i.e., the variable being measured and the variable being controlled), and they evaluate the effects of changes or modifications to these variables on process safety. This type of review may miss some obscure side effects that can occur or intermediate conditions that could result because of the application program being used. For example, an application program change related to a single interlock in a complex ESD system may impact other interlocks. A simple thing like an address change of a variable could have a serious impact on process safety if not handled properly. Adequate review procedures should be established to prevent such potential occurrences during application program changes.

• Documenting the results of the impact analysis

The decisions taken during the impact analysis must be documented in the software modification log where details of all software modifications are recorded.

• Authorizing the modification

Authorization to carry out the required modification depends on the results of the impact analysis. This authorization must also be included in the software modification log.


[Figure 9. Modification Authorization Procedure. Modification request initiators: modifications to the safety specification, performance below level of safety, operation/production requests, systematic faults, new/amended legislation, incident/accident experience, and modifications to the process plant. Flow: Modification Request, then Impact Analysis (with HAZOP Study) and Software Modification Log update, then Impact Analysis Report update, then Modification Design Authorization.]

Typical Applications

The following are some of the initiators that may result in changes to an application program (see Figure 9):

• Performance below level of safety (e.g., an occurrence of undetected fail-to-danger faults)

• Systematic faults (e.g., an error in the application program)

• Incident/accident experience (e.g., a failure rate that is higher than desired)

• Modifications to the ESD system specifications (e.g., an increased demand rate on the ESD system)

• Operation/production requests (e.g., changes in shutdown device set points, changes to the application program, or sequencing modifications)

• New/amended legislation

• Modifications to the process plant (e.g., a change to the process or a change to an operating procedure)

Documentation

The following existing design documentation is needed as part of the modification procedure:

• P&IDs

• ESD system specification

• HAZOP worksheets

• HAZOP summary forms

• Cause-and-effect diagrams

• Written description

• Logic diagram

The following is the design documentation that may require updating as a result of a modification to the application program:

• P&IDs

• ESD system specification

• HAZOP worksheet

• HAZOP summary form

• Cause-and-effect diagram

• Written description


• Logic diagrams

• Ladder logic

• Specification sheets

Evaluation

Evaluation must be part of every stage of the design process when modifications to the application program are implemented. The application program for the ESD system was designed for reliable operation throughout its life. The following are some of the considerations for the original design of an application program:

• The application program performed in accordance with the ESD system specification.

• The application program was written in a logical, modular, and structured manner to allow it to be readily modified to accommodate changing user requirements.

• The application program was designed to be robust (e.g., tolerant of user data-entry errors) and secure (immune to sabotage by computer viruses and inadvertent changes).

• Sufficient documentation was included to allow it to be used and maintained properly.

The integrity of the application program must not be compromised by any modifications to the program. Therefore, quality control procedures that are to be used for evaluation during the design process must be established before the start of the modifications. These quality control procedures may include:

• Design reviews during each stage in development.

• Checking and approval procedures at the end of each stage in the design process and the acceptance criteria to be satisfied before proceeding to the next stage.

• Test procedures and acceptance criteria.

• Test procedures and acceptance criteria.


Each stage in the design process must be documented sufficiently to allow:

• Adequate communication between all participants in the modification.

• Review of the application program as the modification proceeds.

• Each stage in the design to be checked and approved on completion.

• The operation of the software to be fully understood in the future.

• Changes to be incorporated in a controlled manner.

• The full implications of changes to be evaluated.

All changes must be implemented in a controlled fashion to ensure that:

• All possible implications of a change are considered and that the proposed change is authorized before implementation.

• The changes are communicated to all those personnel who are involved in the design.

• The documentation relating to each phase of development is kept up to date.

Verification is done at various stages of the design process. Verification can be either qualitative (e.g., peer reviews and comparisons against checklists) or quantitative (e.g., fault tree analysis or application program simulations).


Comparison of Binary Logic and Resulting PLC Ladder Logic

The binary logic diagram for the vacuum pump example that
was described in Module 2 is shown in Figure 10. This binary
logic diagram was converted to relay logic in Module 2 (see
Figure 11).

[Figure 10. Binary Logic Diagram For Vacuum Pump System. Inputs: 301 PB T-303 High Level Shutdown Reset (Reset = 1), LSHH-306 T-303 High Level Shutdown (High Level = 0), 302 PB K-304 High Disch. Press. Shutdown Reset (Reset = 1), PSHH-310 K-304 High Disch. Press. Shutdown (High Pressure = 0), XLS-301 K-304 Disch. Block Valve Closed (Closed = 1). Logic: each reset feeds an OR gate whose output is ANDed (A) with the shutdown switch input and fed back to the OR gate (memory); the two shutdown outputs and the valve-closed input are ANDed for the run permissive. Outputs: LAHH-306 T-303 High Level Shutdown Alarm Signal (alarm on when output = 0), ZV-301 K-304 Disch. Block Valve (closes when output = 0), PAHH-310 K-304 High Disch. Press. Shutdown Alarm Signal (alarm on when output = 0), K-304 Run Permissive.]


The ladder logic used in today's PLCs follows the same basic
rules as the schematic diagram used in relay logic systems.
PLC ladder logic is designed to emphasize logic flow. Ladder
diagrams show a "hot" line down the left side of the drawing and
a "neutral" line down the right hand side of the drawing. The
rung of logic is shown on a line running from left to right
between the hot and neutral lines. Switch contacts are usually
shown on the left side of this line, and coils or other outputs are
shown on the right side (See Figure 12). When continuity exists
through all the contacts, the coil or output in that line is
energized, causing an action to occur in a machine or a control
process.


[Figure 11. Relay Logic For Vacuum Pump System. A 24 VDC ladder (Circuit #21, Panel 16) drawn between the H and N lines, with line numbers, wire numbers and relay contact references. Line 1: 301PB, in parallel with a 301CR contact (line 2), in series with LSHH-306 (contact opens on high level), energizing 301CR, T-303 High Level Shutdown (contacts on lines 2, 6, 7). Line 3: 302PB, in parallel with a 302CR contact (line 4), in series with PSHH-310, energizing 302CR, K-304 High Disch. Press. Shutdown (contacts on lines 4, 5, 6, 8). Line 5: 302CR contact energizing ZY-301, K-304 Disch. Block Valve (closes when de-energized). Line 6: 301CR, 302CR and ZSL-301 (contact closes when valve is closed) in series, giving the K-304 Run Permissive. Line 7: 301CR contact giving the T-303 High Level Shutdown Alarm Signal (alarm on when alarm input = 0). Line 8: 302CR contact giving the K-304 High Disch. Press. Shutdown Alarm Signal (alarm on when alarm input = 0). Note: All symbols shown in the operating position.]


[Figure 12. Ladder Logic Format. Conditions (contacts, drawn ] [ for normally open and ]/[ for normally closed) are placed on the left of the rung and the output instruction (coil, drawn ( )) on the right; a continuous path through the conditions is needed for logic continuity.]

The coils shown in the above figures function just like the coil in
a conventional relay. When power is applied to the coil, all its
normally open contacts are made and all its normally closed
contacts are broken. When no power is applied to the coil,
normally open contacts are open and normally closed contacts
are closed.

In this example, the conversion from binary logic to PLC ladder logic is very simple. Figure 13 shows the equivalent PLC ladder logic for the AND gate, the OR gate, and the memory function that are used in binary logic diagrams.

The PLC ladder logic that corresponds to the binary logic diagram shown in Figure 11 is shown in Figure 14. The configuration of PLC ladder logic in many systems requires that an I/O (input/output) address be placed at each contact and at each coil, in addition to the textual description. In this case, this particular PLC-based ESD system doesn't require the I/O addresses. An I/O map is prepared that relates the textual description to the particular input or output address.


[Figure 13. Logic Function Comparison (Binary Logic versus PLC Ladder Logic). a) AND Logic Function: the binary A gate corresponds to contacts in series on one rung. b) OR Logic Function: the binary OR gate corresponds to contacts on parallel branches of a rung. c) Memory Logic Function: the binary S/R memory corresponds to a coil whose own contact is placed in parallel with the set (S) contact as a seal-in, with the reset (R) contact in series ahead of the coil.]


[Figure 14. PLC Ladder Logic For Vacuum Pump System. Rung 1: 301-PB Reset contact, in parallel with an LAHH-306 seal-in contact, in series with the LSHH-306 High Level Shutdown Switch contact, driving the LAHH-306 T-303 High Level Shutdown Alarm coil. Rung 2: 302-PB Reset contact, in parallel with a PAHH-310 seal-in contact, in series with the PSHH-310 High Pressure Shutdown Switch contact, driving the PAHH-310 K-304 High Pressure Shutdown Alarm coil. Rung 3: PAHH-310 contact driving the ZV-301 K-304 Discharge Block Valve coil. Rung 4: LAHH-306, PAHH-310 and XLS-301 (K-304 Disch. Block Valve Closed) contacts in series driving the K-304 Run Permissive coil.]


In Figure 14, the following devices are mapped to input addresses:

• 301-PB reset pushbutton

• 302-PB reset pushbutton

• LSHH-306 high level shutdown switch

• PSHH-310 high pressure shutdown switch

• XLS-301 K-304 discharge valve closed

The following devices in Figure 14 are mapped to output addresses:

• LAHH-306 T-303 high level shutdown alarm

• PAHH-310 K-304 high pressure shutdown alarm

• ZV-301 K-304 discharge block valve

• K-304 run permissive

Requirements for "Management of Change" to ESD Systems

A written procedure must be in place to initiate, document, review, and approve changes to the ESD system other than "replacement in kind." Replacement in kind is defined as a replacement that meets the design specification.

The following are elements involved in management of change:

• Initiation of a change (see Figure 9)

An important aspect of this topic is recognizing what actually constitutes a change. Replacement in kind, as discussed above, is not considered as a change. The following are examples of what might be considered as a change:

- A change in valve trim or orifice diameter


- A change to a setting on a pressure or vacuum relief system

- Any bypass of equipment or interlocks

- A change to an alarm or interlock setting

- Introduction of new process chemicals, lubricants, cleaning fluids, or treatment chemicals as they impact components of the ESD system

- A change in the type, pressure, or flow rate of utilities

- A change in electrical area classification

- A change to an operating procedure

- Operation outside critical operating limits

- A change in the ESD system application program

• Review and approval of the change (see Figure 9).

The management of change (MOC) procedure must ensure that the following considerations are addressed prior to any change to an ESD system:

- The technical basis for the proposed change

- Impact of change on safety and health

- Modifications for operating procedures

- Necessary time period for the change

- Authorization requirements for the proposed change

- Availability of memory space

- Effect on response time

- On-line versus off-line change and the risks involved


The review of the change must ensure:

- that the required safety integrity of the ESD system has been maintained (meeting this requirement may require a HAZOP review of the proposed change)

- that personnel from appropriate disciplines have been included in the review process.

• Updating of ESD system documentation

- Piping and instrument diagrams (P&IDs)

- HAZOP review documents (e.g., HAZOP worksheets and HAZOP summary forms)

- Cause-and-effect matrices

- Written descriptions of ESD system logic

- Binary logic diagrams

- Relay ladder logic

- PLC ladder logic

• Interface with training:

Personnel affected by the change must be informed of the change and trained prior to implementation of the change or startup of the process, as appropriate.

As an example of how a modification is documented, the following describes a case where a suggestion was made to add backflow prevention to the vacuum pump system. This modification was considered significant enough to fall under management of change procedures, and a HAZOP review was conducted. The HAZOP worksheet for this system was modified as shown in Figure 15. Changes to the existing HAZOP worksheet as a result of this change are shown in bold lettering.

The proposed change was approved. The following ESD system documentation has been updated.

• HAZOP summary form (see Figure 16, change is circled)


• Cause-and-effect matrix (see Figure 17, change is circled)

• P&ID (see Figure 18, change is circled)

• Written description (see Figure 19, change is in bold lettering)

• Binary logic diagram (see Figure 20, change is circled)

• PLC ladder logic (see Figure 21, change is circled)

The conversion from the binary logic diagram was made using
the equivalent logic functions shown in Figure 13 and the timer
logic function comparison shown in Figure 22.

Necessary training of operating and maintenance personnel was conducted. The approved change request form is shown in Figure 23. Note that this form is a very simple example of a change request form. More complex forms are often used that incorporate additional requirements such as multiple discipline review and approval, and the use of checklists.


Ref. No. 1
  Guide Word: MORE OF
  Deviation: Liquid buildup in T-303 knockout pot
  Causes: Excessive liquid carryover from reactor
  Consequences: Possible vacuum pump rupture if T-303 overflows
  Actions: High level interlock (Level 4) to stop vacuum pump

Ref. No. 2
  Guide Word: MORE OF
  Deviation: Vacuum pump high discharge pressure
  Causes: Blockage in vent system
  Consequences: Possible vacuum pump damage
  Actions: High discharge pressure [set point = 34.5 kPa (5 psig)] interlock (Level 4) to close vacuum pump discharge block valve and stop vacuum pump. Vacuum pump must be stopped any time discharge block valve is closed.

Ref. No. 3 (row added by the proposed change)
  Guide Word: MORE OF
  Deviation: Oxygen in the system
  Causes: Backflow from vent system because of vacuum pump failure or pressure buildup in the vent system
  Consequences: Possible damage to vacuum pump and upstream system
  Actions: Low differential pressure [set point = 2 kPa (8" water column) differential] interlock (Level 4) to close vacuum pump discharge block valve and stop vacuum pump. Vacuum pump must be stopped any time the discharge block valve is closed.

Figure 15. HAZOP Worksheet For Vacuum Pump System Proposed Change


Level 4 Shutdowns

Ref. No. 1
  Recommended Shutdown: High level, T-303 knockout pot
  Deviation and/or Consequence: Liquid buildup in T-303 knockout pot
  Input Signal: T-303 level
  Set Point: 90% of straight side of knockout pot
  Shutdown Action: Stop vacuum pump
  Integrity Level Requirements / Comments: (none entered)

Ref. No. 2
  Recommended Shutdown: High pressure, K-304 discharge
  Deviation and/or Consequence: K-304 high discharge pressure
  Input Signal: K-304 discharge pressure
  Set Point: 34.5 kPa (5 psig)
  Shutdown Action: Close ZV-301 block valve, stop vacuum pump
  Integrity Level Requirements / Comments: (none entered)

Ref. No. 3
  Recommended Shutdown: Low differential pressure across K-304
  Deviation and/or Consequence: Oxygen in vacuum pump system
  Input Signal: K-304 differential pressure
  Set Point: 2 kPa (8" water column)
  Shutdown Action: Close ZV-301 block valve, stop vacuum pump
  Integrity Level Requirements / Comments: (none entered)

Figure 16. Vacuum Pump System HAZOP Summary Form


Level 4 Equipment Protection

CAUSE (IF)                                          EFFECT (THEN)
                                                    Vac. pump start/run permissive    K-304 discharge block valve
T-303 high level LSHH                               S
High level reset pushbutton                         R
K-304 high disch. press. PSHH [34.5 kPa (5 psig)]   S                                 C
High disch. press. reset pushbutton                 R                                 O
K-304 disch. valve closed                           S
K-304 low diff. press. PDSLL [2 kPa (8" W.C.)]      S                                 C

Note: PDSLL is bypassed for 5 seconds on start-up of K-304

Legend: O = Open, C = Close, R = Run, S = Stop, TD = Time Delay, V = Vent, A = Auto, M = Manual, TS = Timed Step, Th = Throttling

Figure 17. Vacuum Pump ESD System Cause-and-Effect Matrix

[Figure 18. Vacuum Pump System P&ID. As Figure 7 (knockout pot T-303 with LI-304, LAH-305, LSH-305, LSHH-306 and a line to drain; vacuum pump K-304 with PT-307, PIC-307, PCV-307 (N2, FO), PI-308, PI-309 and PSHH-310; ZV-301 (FC) and PZV-301 on the discharge to the vent system), with the added PDSLL-311 low differential pressure switch across K-304 signalling the ESD system. Electrical or electronic signal lines are distinguished in the drawing.]

NOTE: Some piping details (e.g., line sizes) and instrumentation details (e.g., block valves on pressure gauges) are not shown to simplify the drawing.

When the level in T-303 vacuum pump knockout pot reaches the set point
of the high level shutdown switch, the high level shutdown switch will
open. This switch action stops K-304 vacuum pump, and it actuates a
visual and audible high level shutdown alarm. When the high level
condition has been corrected, the operator can push the high level
shutdown reset pushbutton. This reset action will clear the T-303 knockout
pot high level shutdown alarm, and it provides a run permissive signal to
K-304 vacuum pump.

If K-304 vacuum pump discharge pressure increases to 34.5 kPa (5 psig) or greater, the high discharge pressure shutdown switch will open. This switch action stops K-304 vacuum pump, closes K-304 vacuum pump discharge block valve, and actuates a visual and audible high discharge pressure shutdown alarm. When the high pressure condition has been corrected, the operator can push the high discharge pressure shutdown reset pushbutton. This reset action clears the high discharge pressure shutdown alarm, and it provides a run permissive signal to K-304 vacuum pump.

If K-304 vacuum pump differential pressure decreases to 2 kPa (8" W.C.) or smaller, the low differential pressure shutdown switch will open. This switch action stops K-304 vacuum pump, closes K-304 vacuum pump discharge block valve, and actuates a visual and audible low differential pressure shutdown alarm. When the operator pushes K-304 START pushbutton, the low differential pressure shutdown switch is bypassed for 5 seconds. If the low differential pressure shutdown switch is not satisfied at the end of 5 seconds, shutdown occurs, and the alarm sounds.

When K-304 vacuum pump discharge block valve closes, the closed limit
switch will close, and K-304 vacuum pump will stop.

Figure 19. Vacuum Pump ESD System Logic Written Description


[Figure 20 diagram, not reproduced: binary logic diagram with INPUTS, LOGIC and OUTPUTS sections.

Inputs (input symbol; state shown on the signal line is the shutdown condition):
  301-PB     T-303 high level shutdown reset pushbutton (Reset = 1)
  LSHH-306   T-303 high level shutdown (High Level = 0)
  302-PB     K-304 high disch. press. shutdown reset pushbutton (Reset = 1)
  PSHH-310   K-304 high disch. press. shutdown (High Pressure = 0)
  XLS-301    K-304 disch. block valve closed (Valve Closed = 1)
  PDSLL-311  K-304 low diff. press. shutdown (Low Diff. Press. = 0)
  XS-302     K-304 motor auxiliary contact (Motor ON = 1), through a DI element of 5 sec

Logic section: OR and A (AND) elements; each reset pushbutton is ORed into the AND that holds its shutdown, and the timed XS-302 signal is ORed with PDSLL-311.

Outputs (output symbol):
  LAHH-306   T-303 high level shutdown alarm signal (alarm on when output = 0)
  ZV-301     K-304 disch. block valve (closes when output = 0)
  PAHH-310   K-304 high disch. press. shutdown alarm signal (alarm on when output = 0)
  K-304      K-304 run permissive
  PDAHH-311  K-304 low diff. press. shutdown alarm signal (alarm on when output = 0)]

Figure 20. Vacuum Pump ESD System Binary Logic Diagram


[Figure 21 diagram, not reproduced: PLC ladder logic in five rungs; "] [" is a normally open contact, "]/[" a normally closed contact, "( )" an output coil.

Rung 1: 301-PB (Reset) ] [ -- LSHH-306 (T-303 high level shutdown switch) ] [ -- ( ) LAHH-306 (T-303 high level shutdown alarm), with a LAHH-306 ] [ contact on a parallel branch as seal-in.
Rung 2: 302-PB (Reset) ] [ -- PSHH-310 (K-304 high pressure shutdown switch) ] [ -- ( ) PAHH-310 (K-304 high pressure shutdown alarm), with a PAHH-310 ] [ contact on a parallel branch as seal-in.
Rung 3: PAHH-310 (K-304 high pressure shutdown alarm) ] [ -- ( ) ZV-301 (K-304 discharge block valve).
Rung 4: LAHH-306 ] [ -- PAHH-310 ] [ -- XLS-301 (K-304 disch. block valve closed) ]/[ -- PDALL-311 (K-304 low diff. press. shutdown alarm) ] [ -- ( ) K-304 run permissive.
Rung 5: PDSLL-311 (K-304 low diff. press. shutdown switch) ] [ -- ( ) PDALL-311 (K-304 low diff. press. shutdown alarm); on a parallel branch, XS-302 (K-304 motor auxiliary contact) ] [ -- TMR_ACCUM on-delay timer, preset 5 seconds, time base 1 sec.]

Figure 21. Vacuum Pump ESD System PLC Ladder Logic


[Figure 22 diagram, not reproduced. Binary Logic: DI (Delay Initiation Timer) element, 5 sec. PLC Ladder Logic: TMR_ACCUM On-Delay Timer block with Timer Preset (5 seconds), Time Base (1 Sec) and Timer Accumulated Value.]

The On-Delay Timer performs timing functions within the ladder logic function block. It times logic events and performs actions based on the power flow to the timer input legs and the timer value. Timers time logic events in time bases ranging from 0.01 seconds to hours.

Each Timer has two input legs on the left and two output legs on the right. The upper input leg is the time leg; the lower input leg is the enable leg. The upper output leg is the timed-out leg; the lower output leg is the not-timed-out leg.

When power flows to the enable leg, the Timer is enabled. While the Timer is enabled, if power flows to the time leg, the Timer accumulates time; the accumulated value is retained as long as the Timer remains enabled. When the Timer is not enabled, or when the accumulated value has not reached the preset, the timed-out leg is off and the not-timed-out leg is on. When the accumulated value reaches the specified preset value, the timed-out leg turns on and the not-timed-out leg turns off. The output legs remain in this state until the Timer is reset by removing power from the enable leg.

Figure 22. Timer Logic Function Comparison
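The logic of Figures 19 through 22 written out as a scan-cycle simulation, so that the latching, the run permissive and the 5-second PDSLL bypass can be exercised against the written description. This is an added example, not code from the page or from any Saudi Aramco system; the tag names are the page's, the class and function names are this example's own, and it assumes (as the rung layout of Figure 21 suggests) that the XS-302 branch uses the timer's not-timed-out leg, so that PDSLL-311 is bypassed while the motor is off or has run for less than 5 seconds. Signals follow the de-energize-to-trip convention of the diagrams: True is the healthy state, False is the shutdown state.

```python
"""Scan-cycle model of the K-304 vacuum pump ESD logic (Figures 19-22).
Added example; tag names are the page's, class/function names are its own.
De-energize-to-trip convention: True = healthy, False = shutdown state."""
from dataclasses import dataclass, field


@dataclass
class OnDelayTimer:
    """On-delay timer of Figure 22: accumulates while the enable and time legs
    have power, keeps the value while enabled, resets when enable power drops."""
    preset: float            # seconds
    accumulated: float = 0.0

    def scan(self, enable: bool, time_leg: bool, dt: float) -> None:
        if not enable:
            self.accumulated = 0.0
        elif time_leg:
            self.accumulated = min(self.preset, self.accumulated + dt)

    @property
    def timed_out(self) -> bool:
        return self.accumulated >= self.preset


@dataclass
class Inputs:
    """Field inputs of Figure 20 (shutdown-condition state in the comments)."""
    pb_301_reset: bool = False   # T-303 high level shutdown reset (Reset = 1)
    lshh_306: bool = True        # T-303 high level switch (High Level = 0)
    pb_302_reset: bool = False   # K-304 high disch. press. reset (Reset = 1)
    pshh_310: bool = True        # K-304 high disch. press. switch (High Pressure = 0)
    xls_301: bool = False        # ZV-301 closed limit switch (Valve Closed = 1)
    pdsll_311: bool = False      # K-304 low diff. press. switch (Low Diff. Press. = 0)
    xs_302: bool = False         # K-304 motor auxiliary contact (Motor ON = 1)


@dataclass
class EsdLogic:
    """Rung-by-rung equivalent of Figure 21; coil states persist between scans."""
    lahh_306: bool = False        # rung 1 coil: high level shutdown (alarm when False)
    pahh_310: bool = False        # rung 2 coil: high disch. press. shutdown (alarm when False)
    zv_301_open: bool = False     # rung 3 coil: discharge block valve
    pdall_311: bool = True        # rung 5 coil: low diff. press. shutdown (alarm when False)
    run_permissive: bool = False  # rung 4 coil
    bypass: OnDelayTimer = field(default_factory=lambda: OnDelayTimer(5.0))

    def scan(self, i: Inputs, dt: float = 1.0) -> bool:
        # Rung 1: (reset pushbutton OR seal-in) AND level switch healthy
        self.lahh_306 = (i.pb_301_reset or self.lahh_306) and i.lshh_306
        # Rung 2: same pattern for high discharge pressure
        self.pahh_310 = (i.pb_302_reset or self.pahh_310) and i.pshh_310
        # Rung 3: ZV-301 closes when the pressure shutdown output is 0
        self.zv_301_open = self.pahh_310
        # Rung 5 (evaluated first so rung 4 sees this scan's value): PDSLL-311 is
        # bypassed until the motor has run for 5 s (assumed: not-timed-out leg)
        self.bypass.scan(enable=i.xs_302, time_leg=i.xs_302, dt=dt)
        self.pdall_311 = i.pdsll_311 or not self.bypass.timed_out
        # Rung 4: run permissive; XLS-301 is a normally closed contact
        self.run_permissive = (self.lahh_306 and self.pahh_310
                               and not i.xls_301 and self.pdall_311)
        return self.run_permissive


def startup_scenario(dp_ok_after: int, scans: int = 9) -> list:
    """Reset both latched shutdowns, press START at t = 0 and let differential
    pressure become healthy after dp_ok_after seconds (constructed process
    behaviour). Returns (t, motor_running, run_permissive, low_dp_alarm) per 1 s scan."""
    logic, i = EsdLogic(), Inputs(pb_301_reset=True, pb_302_reset=True)
    logic.scan(i)                                   # resets clear both latches
    i.pb_301_reset = i.pb_302_reset = False
    trace, motor = [], False
    for t in range(scans):
        # motor starter (outside the ESD): START at t = 0, runs while permissive holds
        motor = (t == 0 or motor) and logic.run_permissive
        i.xs_302 = motor
        i.pdsll_311 = motor and t >= dp_ok_after
        logic.scan(i)
        trace.append((t, motor, logic.run_permissive, not logic.pdall_311))
    return trace


def high_level_trip_and_reset() -> tuple:
    """LSHH-306 trip latches until 301-PB is pressed with the level corrected."""
    logic, i = EsdLogic(), Inputs(pb_301_reset=True, pb_302_reset=True)
    logic.scan(i)
    i.pb_301_reset = i.pb_302_reset = False
    i.lshh_306 = False                    # level reaches the LSHH set point
    tripped = not logic.scan(i)
    i.lshh_306 = True                     # level corrected, reset not yet pressed
    still_tripped = not logic.scan(i)
    i.pb_301_reset = True
    restored = logic.scan(i)
    return tripped, still_tripped, restored
```

startup_scenario(100) reproduces the case in the written description where differential pressure never builds: the permissive holds for the first five scans, drops on the fifth, and the low differential pressure alarm comes on. Because rung 5 has no seal-in, that alarm clears again once XS-302 drops and the timer resets, whereas the high level and high discharge pressure shutdowns stay latched until their reset pushbuttons are pressed.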


Date: May 30, 1998

Change description:

Add backflow prevention to K-304 vacuum pump system.

Change rationale:

Backflow of air from the vent system can create a hazardous situation
(and possible explosion) in the vacuum pump system and upstream
process equipment. This backflow can be caused by a vacuum pump
failure or by a buildup of pressure in the vent system.

If the change is temporary, list the pertinent dates.


Dates valid:

James Smith
Originator

This change has met the appropriate review requirements, and it has been approved. Safety, health, and environmental concerns have been addressed, procedures have been revised, the appropriate training and/or communication activities have occurred, and all affected process safety information is being updated.

Steve Wilson
Request For Change Authorizer

Figure 23. Approved Change Request Form


REFERENCES

1. ISA-S84.01-1996, Application of Safety Instrumented Systems for the Process Industries.

2. "Guidelines for Safe Automation of Chemical Processes," Center for Chemical Process Safety, American Institute of Chemical Engineers, New York, 1993.


WORK AID 1: GUIDELINES AND TECHNICAL REFERENCES FOR REVISING A CAUSE-AND-EFFECT MATRIX, SELECTING AN INPUT DEVICE/SENSOR, AND SELECTING THE APPROPRIATE FINAL DEVICE FOR A GIVEN PROCESS APPLICATION

Work Aid 1 describes guidelines that are used to select input devices/sensors and final devices for a change to an ESD system for a given process application. Work Aid 1A describes guidelines for revising a cause-and-effect matrix for an ESD system using a Change Request Form, HAZOP study results, and a P&ID as inputs. The inputs, outputs, and relationships between inputs and outputs that are developed are entered into the existing (prior to the change) cause-and-effect matrix form that is provided. A separate cause-and-effect matrix form is provided for each level of shutdown. Work Aid 1B describes guidelines that are used to select an input device/sensor for a change using the information developed in Work Aid 1A. Work Aid 1C describes guidelines that are used to select the appropriate final device for a change using the information developed in Work Aid 1A.

Work Aid 1A: Guidelines for Revising a Cause-and-Effect Matrix

1. Review the Change Request Form to get familiar with the type of change that is being requested and the impact that this change would have on the ESD system.

2. Review the Actions column of the HAZOP Worksheet that is provided for the requested change and note each Level 1 shutdown (Total Plant Shutdown) that is recommended. For each Level 1 shutdown, document the following information in the existing Level 1 HAZOP Summary form that is provided.

• Enter the recommended Level 1 shutdowns in the Shutdowns column.

• For each Level 1 shutdown, enter the deviation that the shutdown will detect or the consequence that the shutdown will protect against in the Deviation and/or Consequence column.


• For each Level 1 shutdown, enter the recommended input signal in the Input column, and enter the recommended set point in the Set Point column. When the shutdown involves a sequence of steps, each step will be an input signal.

• For each Level 1 shutdown, enter the action that is to be taken as a result of the shutdown in the Shutdown Action column.

• For each Level 1 shutdown, enter any integrity level requirements in the Integrity Level Requirements column.

• For each Level 1 shutdown, enter any comments in the Comments column. When an input signal is a step in a sequence, enter the conditions required to advance to the next step in the Comments column.

• When more than one Level 1 shutdown has the same Recommended Shutdown and the same Shutdown Action, combine those Level 1 shutdowns into one entry in the HAZOP Summary form.

3. Repeat the steps in Item 2 as they apply to the HAZOP Summary Forms for Level 2 shutdowns (Unit Isolation), Level 3 shutdowns (Equipment Isolation), and Level 4 shutdowns (Equipment Protection).


4. For each recommended shutdown on these HAZOP Summary forms, do the following:

• Ensure that the input for each shutdown will be a good indicator to signal the presence of either the expected deviation or the expected consequence. For example, if the consequence is high pressure that could cause a reactor to rupture, reactor pressure would be a good indicator, but reactor level probably would not be a good indicator. If there are reasons why the recommended input would not be a good indicator of the deviation or the expected consequence, discuss these reasons with the HAZOP study team or the designated Operations or Loss Prevention Representative to resolve this issue and to ensure that the proper input is used. Update the HAZOP Worksheet and the HAZOP Summary forms as necessary.

• Review the recommended set point for each input to ensure that this value is a reasonable actuation value for the shutdown. If there are reasons why the recommended set point would not be a reasonable actuation value for this input, discuss these reasons with the HAZOP study team to resolve this issue and to ensure that the proper set point is used. Update the HAZOP Worksheet and the HAZOP Summary forms as necessary.

• Review the recommended action that is specified for each shutdown to ensure that this action will either mitigate the effects of the deviation and/or prevent the consequence from occurring. If there are reasons why the recommended shutdown action would not either mitigate the effects of the deviation and/or prevent the consequence from occurring, discuss these reasons with the HAZOP study team to resolve this issue and to ensure that the proper action will be taken when the shutdown is actuated. Update the HAZOP Worksheet and the HAZOP Summary forms as necessary.


• Review the integrity level requirements for each shutdown to ensure that these requirements are reasonable. If there are reasons why the integrity level requirements are not reasonable, discuss these reasons with the HAZOP study team to resolve this issue and to ensure that the proper integrity level requirements will be met. Update the HAZOP Worksheet and the HAZOP Summary forms as necessary.

• Review the comments associated with each shutdown to determine if these comments will affect the design of the ESD system. Resolve any questions with the HAZOP study team. Update the HAZOP Worksheet and the HAZOP Summary forms as necessary.

5. Transfer the input and set point for each Level 1 shutdown to the input column of the cause-and-effect matrix that is provided for Level 1 shutdowns. Repeat this action for the inputs and set points for Level 2, Level 3, and Level 4 shutdowns.

6. Add an appropriate symbol for each input device at the expected location for this input device on the P&ID. Give each input device a tag name (even if only preliminary), and enter this tag name in the input column for that shutdown on the cause-and-effect matrix and in the symbol for that input device on the P&ID.

7. For each action to be taken in the Shutdown Action column in the HAZOP Summary forms, determine what type of output device will be needed to cause this action to be taken. Enter this output on the appropriate cause-and-effect matrix (Level 1 through 5) for that particular shutdown. When the shutdown involves a sequence of steps, one output should be "Advance to next step."

8. Add an appropriate symbol for each output device at the expected location for this output device on the P&ID. Give each output device a tag name (even if only preliminary), and enter this tag name in the output column for that shutdown on the cause-and-effect matrix and on the symbol for that output device on the P&ID.


9. Determine the relationship between the input devices and the output devices on the cause-and-effect matrix for each shutdown level (Levels 1 through 5). The following relationships may be used as noted at the bottom of the cause-and-effect matrix form:

• O (Open) — Actuation of the input device opens the output device.

• C (Close) — Actuation of the input device closes the output device.

• R (Run) — Actuation of the input device starts the output device.

• S (Stop) — Actuation of the input device stops the output device.

• TD (Time Delay) — Actuation of the input device causes some action to be taken on the output device after a period of time that is specified by the amount of the time delay. This relationship is normally used in conjunction with one of the other relationships.

• V (Vent) — Actuation of the input device causes a piece of process equipment to be vented to the atmosphere, to a flare, or to some other process system.

• A (Auto) — Actuation of the input device puts the output device into the automatic control mode. This relationship may also be used to designate the way a sequencer advances to the next step.

• M (Manual) — Actuation of the input device puts the output device into the manual control mode. This relationship may also be used to designate the way a sequencer advances to the next step.

• TS (Timed Step) — This relationship is typically used to designate the way a sequencer advances to the next step.


• Th (Throttling) — Actuation of the input device causes the output device to be throttled under controller action.

Enter that relationship at the intersection of the input device and the output device on the cause-and-effect matrix.

10. Determine what manual inputs are required, such as reset pushbuttons, and enter these inputs on the cause-and-effect matrix. Determine the relationship between the manual input devices and the output devices. Enter that relationship at the intersection of the manual input device and the output device on the cause-and-effect matrix.
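The cause-and-effect matrix of Work Aid 1A kept as data, with the legend checks of steps 9 and 10 and a first draft of the written description that Work Aid 2 asks for. This is an added example, not part of the page or of any Saudi Aramco form or tool; it loads the Level 4 matrix of Figure 17 (tag names from Figures 20 and 21), and its class and function names are its own. The checks in validate (codes must be in the legend, every input must have an effect and every output a cause, TD should not stand alone) are this example's reading of the guidelines, not requirements the page states.

```python
"""Cause-and-effect matrix as data, following Work Aid 1A steps 5 to 10.
Added example, not from the page; content is Figure 17's Level 4 matrix,
class and function names are this example's own."""
from dataclasses import dataclass, field

# Relationship codes from the legend of the cause-and-effect matrix form,
# with the verb used when the matrix is turned into a written description.
LEGEND = {"O": "opens", "C": "closes", "R": "starts", "S": "stops",
          "TD": "time-delays", "V": "vents", "A": "puts in auto",
          "M": "puts in manual", "TS": "timed-steps", "Th": "throttles"}


@dataclass
class Cause:
    name: str                 # input description as written on the form
    tag: str = ""             # preliminary tag name (step 6), may be empty
    set_point: str = ""       # e.g. "34.5 kPa (5 psig)"
    manual: bool = False      # reset pushbuttons and other manual inputs (step 10)


@dataclass
class CauseEffectMatrix:
    level: int
    purpose: str
    effects: list = field(default_factory=list)     # output devices (step 7)
    causes: list = field(default_factory=list)
    cells: dict = field(default_factory=dict)       # (cause name, effect) -> [codes]
    notes: list = field(default_factory=list)

    def relate(self, cause: str, effect: str, *codes: str) -> None:
        """Steps 9 and 10: enter relationship codes at the input/output intersection."""
        self.cells[(cause, effect)] = list(codes)

    def validate(self) -> list:
        """Checks a reviewer would make before the matrix goes on to Work Aid 2."""
        problems = []
        cause_names = {c.name for c in self.causes}
        for (cause, effect), codes in self.cells.items():
            if cause not in cause_names or effect not in self.effects:
                problems.append(f"cell ({cause}, {effect}) is not on the form")
            for code in codes:
                if code not in LEGEND:
                    problems.append(f"{cause} -> {effect}: code {code!r} is not in the legend")
            if codes == ["TD"]:
                problems.append(f"{cause} -> {effect}: TD is normally combined with another relationship")
        for c in self.causes:
            if not any(k[0] == c.name for k in self.cells):
                problems.append(f"input {c.name!r} has no effect")
        for e in self.effects:
            if not any(k[1] == e for k in self.cells):
                problems.append(f"output {e!r} has no cause")
        return problems

    def describe(self) -> list:
        """Work Aid 2, step 1: one sentence per input, drafted from the matrix."""
        lines = []
        for c in self.causes:
            actions = [f"{LEGEND[code]} {effect}"
                       for (cause, effect), codes in self.cells.items()
                       if cause == c.name for code in codes]
            tag = f" ({c.tag})" if c.tag else ""
            sp = f" at {c.set_point}" if c.set_point else ""
            lines.append(f"Actuation of {c.name}{tag}{sp} " + " and ".join(actions) + ".")
        return lines

    def render(self) -> str:
        """Plain-text form: one row per input, one column per output."""
        w = max(len(c.name) for c in self.causes) + 2
        rows = [f"Level {self.level} - {self.purpose}",
                "CAUSE (IF)".ljust(w) + "".join(e.ljust(32) for e in self.effects)]
        for c in self.causes:
            row = c.name.ljust(w)
            for e in self.effects:
                row += ",".join(self.cells.get((c.name, e), [])).ljust(32)
            rows.append(row.rstrip())
        rows += [f"Note: {n}" for n in self.notes]
        return "\n".join(rows)


def figure17_matrix() -> CauseEffectMatrix:
    """The Level 4 (Equipment Protection) matrix of Figure 17 entered as data."""
    perm, zv = "Vac. pump start/run permissive", "K-304 discharge block valve"
    m = CauseEffectMatrix(4, "Equipment Protection", effects=[perm, zv])
    m.causes = [
        Cause("T-303 high level LSHH", "LSHH-306"),
        Cause("High level reset pushbutton", "301-PB", manual=True),
        Cause("K-304 high disch. press. PSHH", "PSHH-310", "34.5 kPa (5 psig)"),
        Cause("High disch. press. reset pushbutton", "302-PB", manual=True),
        Cause("K-304 disch. valve closed", "XLS-301"),
        Cause("K-304 low diff. press. PDSLL", "PDSLL-311", '2 kPa (8" W.C.)'),
    ]
    m.relate("T-303 high level LSHH", perm, "S")
    m.relate("High level reset pushbutton", perm, "R")
    m.relate("K-304 high disch. press. PSHH", perm, "S")
    m.relate("K-304 high disch. press. PSHH", zv, "C")
    m.relate("High disch. press. reset pushbutton", perm, "R")
    m.relate("High disch. press. reset pushbutton", zv, "O")
    m.relate("K-304 disch. valve closed", perm, "S")
    m.relate("K-304 low diff. press. PDSLL", perm, "S")
    m.relate("K-304 low diff. press. PDSLL", zv, "C")
    m.notes.append("PDSLL is bypassed for 5 seconds on start-up of K-304.")
    return m
```

The describe output is only a draft: it gives the reviewer one sentence per input in the "input, set point, action" shape Work Aid 2 step 1 asks for, which is then reworded against the P&ID. Keeping the matrix as data also makes a change request diffable: the revised matrix can be validated and compared with the existing (prior to the change) one.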

Work Aid 1B: Guidelines and Technical References for Selecting An Input Device/Sensor

Determine if actuating devices are in accordance with SAES-J-601, paragraph 6.4. Pay particular attention to the following:

• Common cause failure points, such as shared process connections

• Potential for using analog input devices instead of discrete input devices

• Ability to test input devices and output devices

• Capability of input devices to withstand the process and environmental conditions

• Protection of sensing device contacts from the environment

• Proper use of redundant process measuring elements

• Fail-safe characteristics of input devices and output devices, with particular attention given to thermocouple and RTD devices

• Logging and display of changes of state of input devices and output devices


Work Aid 1C: Guidelines and Technical References for Selecting The Appropriate Final Device

1. Determine if the final shutdown devices are in accordance with SAES-J-601, paragraph 6.7. Pay particular attention to the following:

• The type and construction of actuator that is being used and its failure modes

• Selection and operation of solenoid valves that are used in conjunction with pneumatic actuators

• Capability for manual operation

• Shutoff characteristics

• Fire-safe operation

2. Verify that the final devices can meet the process and environmental constraints of the application in accordance with paragraph 8.1 of SAES-J-601. The following should be considered:

• Are the wetted materials (i.e., the materials that contact the process fluid) compatible with the flowing fluids?

• Can the output devices withstand the environmental conditions present?

Particular attention must be given to exposed linkages, the types of enclosures being used, and ambient conditions.

3. Verify that the final devices have the necessary diagnostics in accordance with paragraph 8.1 of SAES-J-601. The following should be considered:

• Have FTD faults been identified, and have diagnostics or tests been designed to identify these faults?

• Are active diagnostics being used where possible?


4. Determine if the final devices have been selected and installed to allow on-line testing in accordance with paragraph 8.1 of SAES-J-601.

5. Determine if final shutdown elements meet the requirements of Section 10 of SAES-J-601. The following should be considered in this evaluation:

• The type and the reliability of the power source

• The type and the reliability of the actuator

• The speed of operation of the valve and actuator combination

• The design of the emergency air storage drum when a double-acting pneumatic actuator is being used

6. Determine if emergency isolation valves meet the requirements of Section 11 of SAES-J-601. The following should be considered in this evaluation:

• Have the guidelines in SAES-B-058 been followed?

• Are power-operated valves being used where possible?

• Has the proper fail-safe position been specified?

• The speed of operation of the valve and actuator combination

• Does the operator have clear indication of the open and closed position of emergency isolation valves, both at the valve and in the control room?


7. Verify the block and bypass valves are being used in accordance with Section 12 of SAES-J-601. Pay particular attention to the following:

• Is a bypass valve needed in this particular application?

• Does the bypass valve have the same capacity as the shutdown valve?

• Does the bypass valve meet the requirements of SAES-B-058?

• Is a bypass valve being used around a normally open emergency isolation valve?

• Are bypass valves provided with remote indication of the open and closed positions?


WORK AID 2: GUIDELINES AND TECHNICAL REFERENCES FOR REVISING AN EXISTING APPLICATION PROGRAM AND ASSOCIATED DOCUMENTATION FOR A CHANGE TO AN ESD SYSTEM

Work Aid 2 describes procedures that are used to develop logic diagrams for ESD systems. Steps 1 and 2 describe the procedures for updating the written description for the changes made to an ESD system using a cause-and-effect matrix and a P&ID as inputs. The written description describes the translation of the cause-and-effect matrix to an annotated logic diagram for the ESD system. Steps 3 through 5 describe the procedures that are needed to update the annotated logic diagram and PLC ladder logic diagram for an ESD system using a written description and a P&ID as inputs. Step 6 completes the process with the submittal of a Change Request Form.

1. Update the written description for each revised cause-and-effect matrix. Describe each relationship from the cause-and-effect matrix in text as follows:

• Using the input from the cause-and-effect matrix, including the tag name of the input device (if available) and the set point, describe the action that must occur with the input device to cause shutdown actuation. Relate the input device to the actual process equipment as defined on the P&ID. An example follows:

"Redundant pressure transmitters (PT-153A and PT-153B) are used to measure the pressure in the PVC reactor. When the output of either (or both) pressure transmitter exceeds the set point of 689 kPa (100 psig), a high pressure shutdown is actuated."


• Using the output(s) from the cause-and-effect matrix, including the tag name of the output device(s) (if available), describe the effect that the shutdown actuation has on the output device(s). Relate the output device to the actual process equipment as defined on the P&ID. An example follows:

"The high pressure shutdown in the PVC reactor stops the feeds of all materials into the reactor, opens the redundant emergency vent valves ZV-155A and ZV-155B, and actuates a visual and audible shutdown alarm."

• Describe the method that is used to reset the shutdown once process conditions return to normal. Normally, shutdown resets will involve the use of manual inputs from the cause-and-effect matrix. An example follows:

"When the outputs of both pressure transmitters on the PVC reactor drop below the set point of 689 kPa (100 psig), the high pressure shutdown alarm clears. The operator can now push the high pressure shutdown reset pushbutton to reset the shutdown. When the high pressure shutdown is reset, the redundant emergency vent valves close. Operator intervention is needed into the basic process control system (BPCS) to restart feeds to the reactor."

2. Mark up the P&IDs as necessary.

3. Update the binary logic diagram for each revised written description using the logic symbols shown in Figure 38, Sheets 1 - 3. Show the input devices from the written description in the input section of the binary logic diagram. Put a statement describing the input in front of the input symbol. Put the tag number of the input device (if known) inside the circle. Put manual inputs that are used to reset shutdowns in the field section near the input device that causes the shutdown to actuate. Place a statement on the input signal line that describes the state of the input device when the input device is in the shutdown condition.


4. Show the output devices from the written description in the output section of the binary logic diagram. Put a statement describing the output after the output symbol. This statement should describe the state of the output device when the output device is in the shutdown condition. Put the tag number of the output device (if known) inside the circle.

5. Update the PLC ladder logic for each revised binary logic diagram. Use the logic function equivalents in Figures 39 and 40 to make the conversion. For the sake of simplicity, assume that analog input signals are compared to a set point in the input module, and that the output signal from the input module is a discrete signal that functions as the input signal is defined in the binary logic diagram.

6. Complete the Change Request Form. Assume that training was accomplished successfully. The Instructor will sign the Change Request Form when the team convinces him that they have followed the appropriate procedures and that they have met the requirements for Management of Change.


FUNCTION / SYMBOL / DEFINITION / EXAMPLE

FUNCTION: AND
SYMBOL: inputs A, B and C into a box labeled A; output D.
DEFINITION: Logic output D exists if and only if all logic inputs A, B, and C exist. An AND function can have any number of inputs.
EXAMPLE: Operate pump (output = 1) if suction tank level is high (input = 1) and discharge valve is open (input = 1). [Diagram: Tank Level High and Discharge Valve Open into an A element; output Operate Pump.]

FUNCTION: OR
SYMBOL: inputs A, B and C into a box labeled OR; output D.
DEFINITION: Logic output D exists if and only if one or more of logic inputs A, B, and C exists. An OR function can have any number of inputs.
EXAMPLE: Start storage tank pump (output = 1) if reactor A needs material (input = 1) or reactor B needs material (input = 1). [Diagram: Reactor A Needs Material and Reactor B Needs Material into an OR element; output Start Storage Tank Pump.]

FUNCTION: NOT
SYMBOL: input A through a NOT symbol (a small circle) on a line; output B.
DEFINITION: Logic output B exists if and only if logic input A does not exist. The NOT symbol may be drawn tangent to an adjacent logic symbol as shown in the example or directly in a line as shown in the symbol. A NOT function can have only one input and one output.
EXAMPLE: Open vent valve (output = 0) if pressure high (input = 0) or temperature high (input = 0). Turn on pilot light (output = 1) when vent valve commanded to open (output = 0) or test pushbutton is pushed (input = 1). [Diagram: Pressure High and Temperature High into an A element; output Open Vent Valve. Open Vent Valve through a NOT, and Test Pushbutton Pushed, into an OR element; output Turn On Pilot Light.]

Figure 38, Sheet 1. Binary Logic Functions


FUNCTION: MEMORY (Flip-Flop)
SYMBOL: box with input A at S (set) and input B at R (reset); output C from the S side and, if used, output D from the R side.
DEFINITION: S represents set memory, and R represents reset memory. Logic output C exists as soon as logic input A exists, regardless of the subsequent state of A, until the memory is reset by logic input B existing. Logic output C will not exist again until the presence of logic input A causes the memory to be set. Logic output D, if used, exists when C does not exist, and D does not exist when C exists. Output D should not be shown if it is not used. If inputs A and B exist simultaneously, and if it is desired to have A override B, then S should be encircled. If B is to override A, then R should be encircled. The unmodified letter S denotes that no consideration has been given to the action of the memory on loss of the power supply.
EXAMPLE: If tank pressure becomes high, vent the tank and continue venting, regardless of pressure, until venting is stopped by manual actuation of hand switch HS-1, provided that the pressure is not high. If the venting is stopped, a compressor may be started. [Diagram: Tank Pressure High to S, output Vent Tank; HS-1 to R, output D Permit Compressor Start.]

FUNCTION: MEMORY, LS
SYMBOL: as above, with LS in place of S.
DEFINITION: The LS denotes that memory is lost on loss of the power supply. This is the preferred version of the Memory element for most ESD interlocks. B should also override A (see example).
EXAMPLE: If the tank level is high, its input turns off. The NOT gate inverts the signal and resets the memory (even if the high level signal is ON), and the feed valve closes (signal de-energized). When the level is OK, and the reset signal turns ON, the memory is set, and the valve opens. [Diagram: High Level Reset to LS, output Close Feed Valve; High Tank Level through a NOT to R.]

FUNCTION: MEMORY, MS
SYMBOL: as above, with MS in place of S.
DEFINITION: The MS denotes that memory is maintained on loss of the power supply.
EXAMPLE: If standby pump operation is initiated, the pump will operate, even on loss of the power supply, until the process sequence is terminated. The pump will operate if both inputs exist simultaneously. [Diagram: Standby Pump Operation Initiated to MS, output Operate Standby Pump; Process Sequence Terminated to R.]

Figure 38, Sheet 2. Binary Logic Functions


FUNCTION / SYMBOL / DEFINITION / EXAMPLE

FUNCTION: EXCLUSIVE OR
SYMBOL: inputs A and B; output C (drawn with OR elements in the symbol column).
DEFINITION: Logic output C exists if A exists or B exists but not if both A and B exist.
EXAMPLE: Reactor feed valve A opens (output = 1) if storage tank A feed pump is on (input = 1) or if storage tank B feed pump is on (input = 1) but not if both A and B storage feed pumps are on (both inputs = 1). [Diagram: Storage tank A feed pump and Storage tank B feed pump as inputs; output Reactor feed valve A.]

FUNCTION: DELAY INITIATION (DELAY TO ON)
SYMBOL: box labeled DI with time t; input A, output B.
DEFINITION: The continuous existence of logic input A for time t causes logic output B to exist when t expires. B terminates when A terminates.
EXAMPLE: If reactor temperature exceeds a high limit continuously (input = 1) for 10 seconds, block catalyst flow (output = 1). Resume flow (output = 0) when temperature does not exceed the limit (input = 0). [Diagram: Reactor temperature high to DI 10s; output Block catalyst flow.]

FUNCTION: DELAY TERMINATION (DELAY TO OFF)
SYMBOL: box labeled DT with time t; input A, output B.
DEFINITION: The existence of logic input A causes logic output B to exist immediately. B terminates when A has terminated and has not again existed for time t.
EXAMPLE: If system pressure exceeds a high limit (input = 1), start the vacuum pump (output = 1) at once. Stop the vacuum pump (output = 0) when the system pressure is below the low limit (input = 0) continuously for 1 minute. [Diagram: System pressure to DT 1m; output Vacuum pump.]

Figure 38, Sheet 3. Binary Logic Functions
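The memory and delay-to-off elements of Figure 38, Sheets 2 and 3, as scan-cycle Python. This is an added example, not code from the page; the class and function names are its own, and each function walks through one of the figure's own examples (tank venting with HS-1, the LS feed valve interlock, the MS standby pump, and the DT-controlled vacuum pump) so that the override and loss-of-power behaviour of each element can be checked. The override direction for the tank venting example (A overrides B, since HS-1 only stops venting "provided that the pressure is not high") is this example's reading of the text. The DELAY INITIATION element is not repeated here; it is the on-delay timer of Figure 40.

```python
"""Memory (flip-flop) and DELAY TERMINATION functions of Figure 38, Sheets 2
and 3, as scan-cycle Python. Added example, not from the page; class and
function names are its own, the scenarios are the figure's own examples."""
from dataclasses import dataclass


@dataclass
class Memory:
    """S/R memory. override='S' means A (set) overrides B when both exist
    (encircled S); override='R' means B (reset) overrides A (encircled R).
    retain_on_power_loss=False is the LS element, True the MS element."""
    override: str = "R"
    retain_on_power_loss: bool = False
    c: bool = False                  # logic output C

    def scan(self, a: bool, b: bool) -> bool:
        if a and b:
            self.c = self.override == "S"
        elif a:
            self.c = True
        elif b:
            self.c = False
        return self.c

    @property
    def d(self) -> bool:
        """Optional output D: exists exactly when C does not."""
        return not self.c

    def power_loss(self) -> None:
        """LS loses its memory on loss of the power supply; MS keeps it."""
        if not self.retain_on_power_loss:
            self.c = False


@dataclass
class DelayTermination:
    """DT (delay to off): B exists as soon as A exists and terminates once A
    has been absent continuously for time t."""
    t: float
    absent_for: float = 0.0
    b: bool = False

    def scan(self, a: bool, dt: float) -> bool:
        if a:
            self.absent_for, self.b = 0.0, True
        else:
            self.absent_for += dt
            if self.absent_for >= self.t:
                self.b = False
        return self.b


def vent_tank_example() -> tuple:
    """Sheet 2 MEMORY: high tank pressure sets 'vent tank'; HS-1 resets it only
    if pressure is not high, so A overrides B; D permits the compressor start."""
    mem = Memory(override="S")
    venting = mem.scan(a=True, b=False)          # pressure high
    keeps_venting = mem.scan(a=False, b=False)   # pressure back to normal
    hs1_while_high = mem.scan(a=True, b=True)    # HS-1 pressed while pressure high
    mem.scan(a=False, b=True)                    # HS-1 pressed, pressure normal
    return venting, keeps_venting, hs1_while_high, mem.d


def feed_valve_example() -> tuple:
    """Sheet 2 LS: reset sets the feed valve output; high tank level (input 0,
    passed through NOT) resets it and overrides the reset; memory is lost on
    loss of the power supply."""
    mem = Memory(override="R", retain_on_power_loss=False)
    level_high = False
    opened = mem.scan(a=True, b=level_high)      # reset pressed, level OK
    held = mem.scan(a=False, b=level_high)       # reset released
    level_high = True                            # high level input off -> NOT -> R
    closed = mem.scan(a=True, b=level_high)      # reset held, but B wins
    level_high = False
    reopened = mem.scan(a=True, b=level_high)
    mem.power_loss()
    return opened, held, closed, reopened, mem.c


def standby_pump_example() -> tuple:
    """Sheet 2 MS: standby pump keeps running through a power loss until the
    process sequence is terminated; runs if both inputs exist simultaneously."""
    mem = Memory(override="S", retain_on_power_loss=True)
    running = mem.scan(a=True, b=False)
    mem.power_loss()
    running_after_power_loss = mem.c
    stopped = mem.scan(a=False, b=True)
    both_inputs = mem.scan(a=True, b=True)
    return running, running_after_power_loss, stopped, both_inputs


def vacuum_pump_example() -> list:
    """Sheet 3 DT: start the vacuum pump at once on high pressure; stop it after
    the pressure has been below the low limit continuously for 1 minute.
    Constructed input: pressure high for the first 20 s, then low; 10 s scans."""
    dt_fn = DelayTermination(t=60.0)
    return [dt_fn.scan(a=t < 20, dt=10.0) for t in range(0, 100, 10)]
```

The feed valve example is the one to study for ESD interlocks: with override="R" the high level input wins even while the reset is held, and power_loss() drops the output, which is why the figure calls LS the preferred memory element for most ESD interlocks. The MS element is the exception for cases such as the standby pump, where losing the memory would itself be unsafe.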


[Figure 39 diagram, not reproduced. Binary Logic next to PLC Ladder Logic:
a) AND Logic Function: an A element with three inputs; in ladder logic, three ] [ contacts in series.
b) OR Logic Function: an OR element with three inputs; in ladder logic, three ] [ contacts on parallel branches.
c) Memory Logic Function: an LS memory element with S and R inputs; in ladder logic, S ] [ in series with R ] [ driving ( ) Coil, with a Coil ] [ contact in parallel with the S contact as seal-in.]
Figure 39. Logic Function Comparison


[Figure 40 diagram, not reproduced. Binary Logic: DI (Delay Initiation Timer) element, 5 sec. PLC Ladder Logic: TMR_ACCUM On-Delay Timer block with Timer Preset (5 seconds), Time Base (1 Sec) and Timer Accumulated Value.]

The On-Delay Timer performs timing functions within the ladder logic function block. It times logic events and performs actions based on the power flow to the timer input legs and the timer value. Timers time logic events in time bases ranging from 0.01 seconds to hours.

Each Timer has two input legs on the left and two output legs on the right. The upper input leg is the time leg; the lower input leg is the enable leg. The upper output leg is the timed-out leg; the lower output leg is the not-timed-out leg.

When power flows to the enable leg, the Timer is enabled. While the Timer is enabled, if power flows to the time leg, the Timer accumulates time; the accumulated value is retained as long as the Timer remains enabled. When the Timer is not enabled, or when the accumulated value has not reached the preset, the timed-out leg is off and the not-timed-out leg is on. When the accumulated value reaches the specified preset value, the timed-out leg turns on and the not-timed-out leg turns off. The output legs remain in this state until the Timer is reset by removing power from the enable leg.

Figure 40. Timer Function Comparison


GLOSSARY

actuating device
    An input device or an output device in an ESD system.

alarm
    A deviation from normal operation that requires operator attention.

AND function
    A logic function in which the output assumes the 1-state if and only if all inputs assume the 1-state.

annotated logic diagram
    A graphical method for showing ESD inputs, outputs, and internal logic using AND/OR, timer, or counter logic elements with basic logic statements embedded in the diagram.

application program
    Software that is specific to the user application in that it contains the logic program written to meet the overall requirements for the ESD system.

availability
    The probability that a system will be able to perform its designated function when required for use. As used in this course, this term is an indication of an ESD system's ability to react when a demand is placed on the ESD system.

basic process control system
    The control equipment and system that is installed to regulate normal production functions.

binary logic diagram
    A method of representing the logic in binary interlock and sequencing systems using abstract logic functions such as AND, OR, and NOT.

BPCS
    An abbreviation for basic process control system.

cause dimension
    The section of a cause-and-effect matrix in which the ESD system inputs are shown.

cause-and-effect matrix
    A form of state table that is used for showing the relationship between a process input and an output device in binary interlock and sequencing systems.

cause
    A reason why a deviation might occur.

change request form
    A form that is used to document management of change procedures.

consequence   The direct, undesirable result of a deviation that usually involves a fire, explosion, or release of toxic material.

de-energize-to-trip   A mode of operation for an ESD system in which inputs, logic solver, and outputs are energized under normal operation and de-energized under shutdown conditions.

DELAY INITIATION (DELAY TO ON) function   A time delay function in which the time delay occurs when the logic input changes from the 0-state to the 1-state.

DELAY TERMINATION (DELAY TO OFF) function   A time delay function in which the time delay occurs when the logic input changes from the 1-state to the 0-state.

demand   A condition or event that requires the ESD system to take appropriate action to prevent a hazardous event from occurring or to minimize the consequence of a hazardous event.

deviation   A departure from the design intention that is discovered by systematically applying the guide words to process parameters during a HAZOP.

double-block-and-bleed valve   An arrangement of three valves that is used to achieve better isolation of a fluid from a downstream system by using a valve to vent (or drain) the space between two block valves that are installed in series.

effects dimension   The section of a cause-and-effect matrix in which the ESD system outputs are shown.

emergency isolation valve   A valve that is installed to stop the release of fuel or potentially toxic material in the event of fire, rupture, or loss of containment.

emergency shutdown system   A system composed of sensors, logic solvers, and isolation devices that takes the process to a safe state when predetermined conditions are violated.

ESD   An abbreviation for emergency shutdown system.

fail-safe   A concept that defines the failure direction of a component or system as a result of specific malfunctions. The failure direction is toward a safer or less hazardous condition.

fail to danger fault   A hardware or software failure that inhibits or delays actions to achieve a safe operational state should a demand occur. This type of fault is also called an "unrevealed" fault or a "covert" fault because it can remain undetected until revealed by testing.

functionality   The way that a system is designed to work.

guide word   A simple word that is used to qualify or quantify the design intention and to guide and stimulate the brainstorming process for identifying process hazards and/or operability problems during a HAZOP.

hazard and operability study   A systematic, detailed hazards analysis technique applied to processes to identify and qualify deviations from design or normal operations that have the potential to place the plant, environment, or personnel at risk.

hazardous event   An occurrence related to equipment performance or human action, or an occurrence external to the system that causes system upset, that has the potential for causing harm to people, property, or the environment.

HAZOP   An abbreviation for hazard and operability study.

HAZOP worksheet   A tabular method for documenting the results of a HAZOP.

HH   An abbreviation for high-high.

integrity level   An indicator of ESD system performance.

I/O   An abbreviation for input/output.

ladder diagram   A diagram that uses symbols and a plan of connections to represent the logic in binary interlock and sequencing systems.

LL   An abbreviation for low-low.

management of change   A technique using written procedures to safely manage changes to process chemicals, technology, and equipment and changes to facilities that affect a particular process.

manual input   An input for the cause dimension of a cause-and-effect matrix that represents human action.

manual reset button   A pushbutton that is used to reset an ESD system interlock once the condition that caused the shutdown has been corrected.

MOC   An abbreviation for management of change.

normally closed (NC)   A contact in an electrical device that is closed when the device is in its non-activated state.

normally open (NO)   A contact in an electrical device that is open when the device is in its non-activated state.

NOT function   A single input, single output logic function in which the output state is the complement of the input state.

OR function   A logic function in which the output assumes the 1-state if one or more inputs assume the 1-state.

output device   Automatic block valves, motors, pilot lights, and similar devices that accept output signals from the logic solver in an ESD system.

P&ID   An abbreviation for piping and instrument diagram.

piping and instrument diagram   A graphical method for representing the physical equipment, piping, and instrumentation in a process.

PFD   An abbreviation for probability of failure on demand.

probability of failure on demand   A value that indicates the probability of a system failing to respond to a demand. The average probability of a system failing to respond to a demand in a specified time interval is referred to as PFDavg.

programmable controller (PLC)   A digitally operating electronic system, designed for use in an industrial environment, that uses a programmable memory for the internal storage of user-oriented instructions for implementing specific functions such as logic, sequencing, timing, counting, and arithmetic, to control, through digital or analog inputs and outputs, various types of machines or processes.

PVC   An abbreviation for polyvinyl chloride.

recommended action   Suggestions for design changes, procedural changes, or areas for further study that are a result of looking at deviations and potential consequences during a HAZOP.

reliability   The probability that a component or system will function correctly under stated conditions for a stated period of time. As used in this course, this term is an indication of an ESD system's ability to minimize nuisance shutdowns.

safety integrity level   One of three possible discrete integrity levels (SIL 1, SIL 2, and SIL 3) of ESD systems. SILs are defined in terms of probability of failure on demand (PFD).

sequential function chart   A graphical diagramming method that uses steps, transitions, and directed links in order to represent a logic sequence.

shutdown interlock   A device or group of devices arranged to sense a limit or off-limit condition or improper sequence of events and to shut down the offending or related piece of equipment, or to prevent proceeding in an improper sequence in order to avoid a hazardous event.

SIL   An abbreviation for safety integrity level.

systematic fault   A fault due to errors or omissions that causes an ESD system to fail under some particular combination of inputs or under some particular environmental conditions.

time delay function   A logic function in which the response of the output is delayed following a change in the input.

VCM   An abbreviation for vinyl chloride monomer.

written description   A method of describing the translation from a cause-and-effect matrix to an annotated logic diagram using textual statements.
