
Shutdown Level Hierarchy & Shutdown Philosophy

When a process condition on a process plant or oil production platform deviates from
normal, e.g. a SIL rated temperature transmitter detects high temperature in a vessel,
then corrective action needs to be taken. This is achieved by the process control
system, perhaps by modulating an actuated control valve to allow more cold feed fluid
to enter the vessel.

However, if the process control system fails to correct the deviation and it continues
until a potentially dangerous situation arises then the plant will "trip" the Emergency
Shutdown System (ESD). The ESD system is designed to shut down the plant and
prevent escalation of the situation thus protecting plant personnel, the plant itself (often
referred to as the asset), and the environment.

What is Shutdown Level Hierarchy?


How the ESD system achieves this will depend on many factors, and can be regarded
as a balance between minimising the loss of production and inventory, and the
requirements for achieving a safe state, e.g. an excessively high temperature in a
pump motor winding may not require the whole plant to be shut down and inventory
sent to flare. Therefore the concept of Shutdown Levels has been developed and the
relationship between the levels is called the Shutdown Level Hierarchy.

Who Decides the Shutdown Level Hierarchy?


The shutdown level hierarchy is defined in the Shutdown Philosophy document. This
document, usually written by the chief process engineer, with input from the instrument
group, is plant specific and though it may be similar to that for other plants it will be
different.

The actions to be taken for each level of shutdown will be explained in general terms,
and the interaction between levels will be defined. The basic system philosophy is that
a shutdown on a certain level shall never initiate shutdowns on higher levels, but shall
always include shutdowns on lower levels.

ESD System Interaction with Fire and Gas System


The shutdown philosophy will also define what action the ESD system will take if the
main fire and gas (F&G) system detects a fire, or a gas release. In this instance the
F&G system would "hand off" signals to the ESD system.

ESD System and Depressurisation (Blowdown)

When ESD valves are actuated, fluids will be trapped in the system. If these fluids
remain in the system they could, due to pressure or temperature build up, become a
potential danger. Therefore they must be released.

The type of fluid will determine how it is handled. Flammable gases will in general be
routed to a flare system where they will be combusted. This is commonly referred to
as "gas blowdown".

This loss of inventory is both uneconomic and an environmental issue, so not all levels
of shutdown will require a blowdown. Again, the Shutdown Philosophy document will
define which shutdown levels will initiate blowdown.

How many Shutdown Levels are there?


All plants are different, therefore the number of levels may differ. Obviously a plant with
a small physical size, and/or a single stand-alone process unit, will need fewer levels
than a large onshore process plant or oil production platform. The number, as defined
in the shutdown philosophy document, will be determined by considering all safety
factors to suit the needs and conditions of the plant under consideration. Although there
may be fewer shutdown levels, the actions required will still broadly be the same,
therefore these actions will be promoted to occur in a higher level.

Having said all this, it is usual to have between 3 and 5 levels of shutdown.

What are the Levels of Shutdown called?


The levels are usually numbered, though it is not unknown for colours to be used.
Generally a lower number equates to a more severe shutdown, i.e. a Level 0 shutdown
will shut down more items of plant than a Level 4 shutdown.

If colours are used it is usual for red to denote a more severe shutdown e.g. a red
shutdown will shut down more items of plant than a yellow shutdown.

What are the Levels of Shutdown?


As discussed above, all plants are different and therefore the shutdown initiators and
actions for each level of shutdown will differ from plant to plant. Therefore the following
should only be taken as a general guide:

Level 0 Shutdown - Abandon plant or platform


Level 1 Shutdown - Emergency shutdown and depressurisation of the overall plant
Level 2 Shutdown - Emergency shutdown for a process unit within the plant
Level 3 Shutdown - Total Process Shutdown
Level 4 Shutdown - Process Shutdown for a Process Unit within the Plant
Level 5 Shutdown - Process train shutdown within a unit
Level 6 Shutdown - Shutdown of Individual Equipment and Utilities
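
The hierarchy rule stated earlier (a shutdown never initiates higher levels but always includes lower ones) can be checked mechanically against a cause and effect matrix. The following is an added example, not part of the original page; it assumes the seven guide levels above form one strict ordering, and the sample matrix is constructed for illustration.

```python
# Added example: audit a cause-and-effect matrix against the hierarchy rule.
# Level numbers and names follow the general guide above (0 = most severe).
# Assumption: the levels form a single strict ordering; a real Shutdown
# Philosophy document may scope some levels to individual process units.
LEVELS = {
    0: "Abandon plant or platform",
    1: "Emergency shutdown and depressurisation of the overall plant",
    2: "Emergency shutdown for a process unit within the plant",
    3: "Total process shutdown",
    4: "Process shutdown for a process unit within the plant",
    5: "Process train shutdown within a unit",
    6: "Shutdown of individual equipment and utilities",
}


def required_cascade(initiated):
    """Levels that must trip when `initiated` trips: the level itself plus
    every lower level (higher number). Higher levels are never included."""
    if initiated not in LEVELS:
        raise ValueError(f"unknown shutdown level: {initiated}")
    return {lvl for lvl in LEVELS if lvl >= initiated}


def audit_matrix(matrix):
    """Check a mapping {initiating level: set of levels it trips}.

    Returns a sorted list of (initiating_level, problem, level) tuples where
    problem is "escalates" (a more severe level is initiated), "omits"
    (a lower level is not tripped) or "unknown" (level not defined).
    """
    findings = []
    for initiated, tripped in matrix.items():
        required = required_cascade(initiated)
        tripped = set(tripped)
        for lvl in sorted(tripped - required):
            problem = "escalates" if lvl in LEVELS else "unknown"
            findings.append((initiated, problem, lvl))
        for lvl in sorted(required - tripped):
            findings.append((initiated, "omits", lvl))
    return sorted(findings)


# Constructed sample matrix with two deliberate errors.
SAMPLE_MATRIX = {
    1: {1, 2, 3, 4, 5, 6},  # correct
    3: {3, 4, 5, 6},        # correct
    4: {2, 4, 5, 6},        # error: a Level 4 trip initiates Level 2
    5: {5},                 # error: a Level 5 trip does not include Level 6
}

if __name__ == "__main__":
    for initiated, problem, lvl in audit_matrix(SAMPLE_MATRIX):
        print(f"Level {initiated} {problem} Level {lvl} ({LEVELS.get(lvl, '?')})")
```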

The shutdown level hierarchy graphic below, for an oil platform, shows in a little more
detail what can be expected in the higher levels of an emergency shutdown.

Safety Integrity Levels
What are Safety Integrity Levels?
Safety Integrity Level, or as more usually referred to "SIL" or "SIL level", is a unit of
measurement for quantifying risk reduction.

There are four integrity levels, i.e.

SIL 1 - represents the integrity required to avoid relatively minor incidents and is likely
to be satisfied by a certain degree of fault tolerant design using guidelines that follow
good practice.
SIL 2 - represents the integrity to avoid more serious, but limited, incidents some of
which may result in serious injury or death to one or more persons.
SIL 3 - represents the integrity required to avoid serious incidents involving a number
of fatalities and/or serious injuries.
SIL 4 - represents the integrity level required to avoid disastrous accidents.

Each of the 4 levels of SIL represents an order of magnitude of risk reduction.

SIL Reviews
A SIL review, or SIL Study is a formal, documented method that enables a team of
suitably qualified and experienced engineers to determine a SIL level, based on
relevant criteria and analyses for any particular control or safety loop. The basis of a
SIL review involves establishing the risk reduction required for each identifiable part,
sometimes called sub-system, of a system e.g. loop. From this a safety system is
selected with the required technical specification and architecture to satisfy the
required reduction in risk for each of the subsystems. SIL reviews take place after the
HAZOP analyses are completed. Documents used in a SIL review include P&IDs
(Piping and Instrumentation Diagrams), and Cause & Effect Charts, and often a Failure
Modes and Effects Analysis (FMEA) report.

Determining SIL Level (SIL Rating)


The safety integrity levels risk graph (sometimes called a SIL Tree) method is a
common tool used in determining the safety integrity levels rating of a sub-system. A
SIL tree is shown below:

Definitions of terms used on the SIL Tree table:

Consequence Severity

- No safety consequence. Exactly as it says.


- Slight Injury. Injuries not requiring immediate/emergency medical evacuation.
- Serious Injury or 1 death. All injuries requiring emergency medical evacuation and up
to one fatality.
- Multiple deaths. All incidents resulting in more than one fatality and any number of
injuries.
- Catastrophic. All incidents involving many fatalities.

Personnel Exposure

- Frequent. Personnel will be close enough to be affected and failure of the system
precludes the possibility of mitigating action.
- Rare. Either personnel are not in the vicinity of the event, or if they are, fully
independent means exist to initiate possible mitigation actions e.g. evacuation.

Alternatives to Avoid Danger

- Possible. The rate of escalation is such that personnel in the area will have time to
get away from the immediate area or that there is sufficient warning from independent
means to allow evacuation.
- Not Likely. All cases other than those explained above under Possible.

Demand Rate

- Relatively High. Occurs between one and ten times a year.


- Low. Occurs between once per year and once in every 10 years.
- Very Low. Occurs less than once in every 10 years.

In general, the higher the specification of the safety system the higher will be its
associated SIL rating, and the lower its probability of failure on demand (PFD), as
described in the SIL Rating chart below:

What is Probability of Failure on Demand?


Probability of Failure on Demand (PFD) is a measure of the effectiveness of an
instrument or a safety function. It expresses the likelihood that the instrument or safety
function does not work when required to.

The PFD for a loop depends on the failure rates of all the components in the loop,
hence the need to know PFD data for all items in a loop when determining safety
integrity level of a loop. Just buying a SIL 2 or SIL 3 certified transmitter does not
ensure a SIL 2 or SIL 3 loop.
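
Why a certified transmitter alone does not set the loop's SIL, as an added example that is not part of the original page. It assumes a single-channel loop with independent component failures and uses the low demand PFD bands of IEC 61508 (one decade per SIL); the component PFD values are constructed for illustration.

```python
import math

# Low-demand-mode average PFD bands per IEC 61508: (SIL, lower, upper).
SIL_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]


def sil_for_pfd(pfd):
    """Return the SIL whose band contains `pfd`, or None if it lies
    outside the SIL 1 to SIL 4 bands."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return None


def loop_pfd(component_pfds):
    """PFD of a series loop: the loop fails on demand if any one component
    fails, so PFD = 1 - product(1 - PFD_i), assuming independent failures."""
    return 1.0 - math.prod(1.0 - p for p in component_pfds)


def assess_loop(components):
    """Assess a loop given {component name: PFD}.

    Returns the loop PFD, its risk reduction factor (1 / PFD), the SIL the
    loop achieves, each component's own SIL band, and the weakest component.
    """
    pfd = loop_pfd(components.values())
    return {
        "pfd": pfd,
        "rrf": 1.0 / pfd,
        "sil": sil_for_pfd(pfd),
        "component_sil": {n: sil_for_pfd(p) for n, p in components.items()},
        "weakest": max(components, key=components.get),
    }


# Constructed sample loop: sensor, logic solver and final element.
SAMPLE_LOOP = {
    "transmitter": 5e-3,     # in the SIL 2 band
    "logic solver": 5e-4,    # in the SIL 3 band
    "shutdown valve": 2e-2,  # in the SIL 1 band
}

if __name__ == "__main__":
    result = assess_loop(SAMPLE_LOOP)
    print(f"loop PFD = {result['pfd']:.5f}, RRF = {result['rrf']:.0f}, "
          f"SIL = {result['sil']}, weakest = {result['weakest']}")
```

The loop achieves only SIL 1 because the final element dominates the sum, even though the transmitter and logic solver sit in higher bands.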

What is SIL Rated Equipment?


SIL Rated equipment, to the appropriate SIL level, is required in SIL rated systems.
Therefore all instruments used in a SIL rated system, including each instrument’s
sub-components such as sensors, logic solvers and integral components, are required to
work safely and meet the Probability of Failure on Demand (PFD) requirements.

SIL standards allow for a manufacturer’s proven, in-use data as well as fully assessed,
third party analysis to demonstrate reliability. SIL certification is a tool to measure the
amount of risk reduction provided by a Safety Instrumented Function. It assesses the
tolerable/acceptable failure rate of an individual device.

Hazardous Area Classification


Definition of a Hazardous Area
Any area that could have a potentially explosive atmosphere in quantities such as to
require special precautions to protect the safety of workers is defined as a Hazardous
Area. And, a potentially explosive atmosphere is said to exist where there is a risk of
explosion due to mixtures of gas/air, vapour/air, dust/air or other flammable
combinations.

Why are Hazardous Areas Important?


Instrument engineers introduce a potential ignition source into a Hazardous Area when
they locate an electrical or electronic instrument, e.g. a guided wave radar level
transmitter, or an electrical or electronic final element, e.g. shut down valve actuators, in
that area. Understanding the degree of risk, and the design of the instrument, or final
element, allows the instrument engineer to minimise the likelihood of an explosion
occurring.

Hazardous Area Assessment for Gases
Process plants, refineries, oil and gas platforms etc are divided into Hazardous Area
Zones (European and IEC method) or Divisions (North American method) according
to the frequency and duration of a potentially explosive atmosphere being present, e.g.

Zone 0 Hazardous Area

An area in which an explosive mixture is continuously present, or present for long
periods, typically for more than 1,000 hours per year.

Zone 1 Hazardous Area

An area in which an explosive mixture is likely to occur in normal operation, typically
for more than 10, but less than 1,000 hours per year.

Zone 2 Hazardous Area

An area in which an explosive mixture is not likely to occur in normal operation and if
it occurs it will exist only for a short time, typically for less than 10 hours per year, but
still sufficiently likely as to require controls over ignition sources.

Hazardous Area Assessment for Dusts


Hazardous area classification for flammable dusts should be undertaken in the same
manner as that for flammable gases and vapours. The zone numbers used are 20, 21
and 22, corresponding to 0, 1 and 2 used for gases/vapours.

International Standards for Hazardous Area Classification

The following international standards are used to define hazardous area classification
zones, or their equivalent:
- EN 1127-1:1997; Explosive atmosphere - Explosion prevention and protection. Part
1: Basic concepts and methodology
- EN 60079-10:2003; Electrical apparatus for explosive gas atmospheres. Part 10:
Classification of potentially explosive atmospheres
- EN 50281-3:2002; Electrical apparatus for use in the presence of combustible dust.
Part 3: Classification of areas where dusts are or may be present
- NFPA 497; Recommended Practice for the Classification of Flammable Liquids,
Gases, or Vapors and of Hazardous (Classified) Locations for Electrical Installations
in Chemical Process Areas.
- NFPA 70; National Electrical Code Chapter 5 Article 500.

A comparison of Zones to Divisions is shown below:

It is worth noting that many - though by no means all - countries outside of Europe and
North America use the IEC Standards as a basis for their own national standards.

Hazardous Area Drawings


Hazardous area zones are usually marked on a drawing of the plant, the drawing being
referred to as the Hazardous Area Classification Drawing, or Hazardous Area Chart.
These drawings show areas where flammable liquids, gases or vapours are handled,
processed or stored. The hazardous area drawing also includes temperature
classification information and gas group information. By using these drawings the
engineer can specify instruments and equipment suitable for the area in which they are to
be located.

Valve Actuators - Types and Specification


What is a Valve Actuator?
A valve actuator is a mechanical or electrical device that is fitted to a valve that converts
motive power e.g. pneumatic power as used in compressed air actuators, into
movement of the valve stem. The movement of the valve stem opens, closes or
modulates the valve.

Types of Valve Actuator
Valve actuators are generally split into one of four types, dependent on the motive
force they receive. The four actuator types are:

Manual Actuators

Manual actuators rely on a person supplying the motive force, either through a hand
wheel, lever or chain block.

A manual valve actuator assembly does not lend itself to control or fast acting shutoff
applications and for this reason they are rarely, if ever, considered by the instrument
engineer.

The assembly of valve and actuator are most often specified by the piping engineer,
and the valves are referred to simply as "piping valves".

Pneumatic Valve Actuators

Pneumatic actuators are the most commonly used actuator for valves in the process
and oil industries. Compressed air is used to move either a diaphragm, or piston, which
in turn moves the valve stem.

Air operated valve actuators are usually equipped with a spring, and the air pressure
overcomes the spring to provide movement. This allows the pneumatic actuator to be
either configured as spring-close or spring-open. For spring-close valves, the valve will
"fail" to the closed position and air is required to open it. The opposite applies to spring-
open valves.

Some pneumatic valve actuators are "double acting" which means that they don't rely
on a spring for the return movement but instead compressed air is required to both
open and close it. This allows these valves to be "fail stay put" on loss of air supply.

Hydraulic Actuators

Hydraulic valve actuators rely on a virtually non-compressible fluid, e.g. hydraulic oil to
provide the motive force. Hydraulic actuators can provide greater force than pneumatic
actuators and this leads to them often being used in high pressure piping systems, or
for valves in large diameter pipes.

See our page on Hydraulic Oil Cleanliness for further details on hydraulic systems.

Electric Actuators

Electric valve actuators use an electric motor to provide torque to operate a valve.

Electric motor valve actuators are not equipped with springs, therefore on a loss of
power the valve will fail in its current position unless there is a back up power supply
to move it to the fully open or fully closed position.

Electric motor valve actuators are commonly used in remote locations where it would
be impractical to pipe hydraulics or compressed air.

Things to Consider when Specifying Valve Actuators


Valve and Actuator Compatibility

An oversized actuator, i.e. one that provides excessive power, can damage the valve
stem, therefore it is important that the strength of the valve stem is considered in relation
to the actuator selected. This is often called the valve safety factor, and can be
considered as the ratio of the "torque produced by an actuator" to the "torque
required to move the valve stem". Typical values of safety factor are between 1.5 and
2. Maximum torque to move the valve stem is dependent on the maximum differential
pressure across the valve, i.e. when the valve is fully closed and has full line pressure
upstream and low downstream pressure. The instrument engineer should select an
actuator that will supply the necessary torque to move the stem in this worst case
scenario (the so-called breakout torque) but still be within the valve safety factor.

Actuator Motive Power Available

- For pneumatic valve actuators what pressure of air supply is available? How much
air will be consumed by the air actuator, and does this have a detrimental effect on the
air supply system? Do you need a pressure regulator? Air Pressure Regulators
maintain constant output pressure despite variances in input pressure. These are
invariably used in conjunction with pneumatic actuators. It is common for them to be
fitted with a filter to ensure that no contaminants pass into the air actuator, and in
this case they are referred to as air filter regulators.
- For hydraulic valve actuators what pressure of hydraulic fluid is available? What
volume of fluid will be required to be added to the system for this actuator? Is the
hydraulic fluid clean? The small clearances within the ports of hydraulic actuators
require the hydraulic fluid to be clean and free of contaminants - see our page
on hydraulic oil cleanliness for more details.
- For electric valve actuators what voltage is available locally? If the valve is required
to operate in shutdown conditions will the electric power supply be fed from a
switchboard that will still be live in these conditions?

Hazardous Area

Will the actuator be located in a potentially hazardous area? If so, the actuator assembly
must not act as an ignition source, therefore hot surfaces on the actuator and ignition
sparks created by the actuator valve have to be avoided. This can be achieved through
design and certification of all internal electric and electronic assemblies. See our pages
on Hazardous Area Certification and surface temperature classification for more
information on hazardous areas and temperature classification.

Enclosure Ingress Protection

Location of the valve actuator assembly, e.g. in a splash zone, may require a higher
IP rating than normally specified for other actuators on the plant. See our page on IP
ratings for more information on Ingress Protection.

Ambient Conditions

As always, thought should be given to ambient temperature, humidity etc. Also will the
actuator be located in a saliniferous atmosphere? If so then consider what type of coating
it should have e.g. perhaps a two part epoxy resin.

Electric Connections

What size of electrical entry connections is required? Signal cables usually use
M20x1.5 ISO. See our page on cable glands for further discussion on cable entries.

Limit Switches

Limit switches are often fitted to valves and/or actuators to provide positive indication
to the control system that the valve is either fully open, partially open, or fully closed.

Solenoid Valve

Solenoid valves are required for on/off valves, and may also be required for pneumatic
control valves that are required to fully close or fully open in emergency situations.

Explosion Protection Concepts and Codes


The practice of dividing potentially explosive atmospheres into zones was established
to allow the degree of risk of an explosion occurring to be understood. This classification
of hazardous area zones takes the different dangers from explosive atmospheres into
account and allows explosion protection concepts for instrumentation, and other
equipment, located in the zones to be established.

These Explosion Protection Concepts were conceived to prevent equipment and
components from becoming ignition sources. There are three conditions which must
co-exist in order to create an explosion: fuel, air and an ignition source. This is often
referred to as the Ignition Triangle. The protection concepts are designed to break this
triangle by excluding one or more of its components, e.g. excluding an ignition source,
or segregating the fuel source from an oxygen supply.

Types of Protection Concepts


Intrinsically Safe - Ex ia, ib, ic

Intrinsically safe circuits are circuits that are designed such that a spark or thermal
effect occurring in the circuit will not be able to ignite the surrounding explosive
atmosphere. Voltage and current, including a safety margin, are kept permanently so
low that no unacceptable temperatures can occur, and, in the event of open circuit or
short-circuit, sparks and electric arcs possess so little energy that they are unable to
ignite an explosive atmosphere.

Intrinsically safe circuits are very commonly used in control and instrumentation
applications. You can expect to find them in measuring and monitoring instrumentation
applications, and remote I/O technology based on several fieldbus applications.

Increased Safety - Ex e

Often used for instrument junction boxes and enclosures where the construction
ensures reliable prevention of unacceptably high temperatures and sparks or electrical
arcs.

Pressurized Enclosures - Ex p

The ingress of the surrounding atmosphere into the enclosure of electrical equipment
is prevented by maintaining a protective gas (clean dry air, inert or a different suitable
gas) inside it at a pressure above atmospheric pressure. For strength, the
purged enclosure must withstand 1.5 times the overpressure experienced during
normal operation.

Common areas where you may find this protection concept include switch cabinets,
control cabinets and analyser cabinets housing analytical equipment.

Encapsulation - Ex ma, mb, mc

Parts that could ignite an explosive atmosphere by means of sparks or heat are potted
so as to prevent ignition of the explosive atmosphere. This is achieved by
encapsulating (molding) the components in a casting compound, resistant to physical
- especially electrical, thermal and mechanical - and chemical influences.

Encapsulation techniques are often used in solenoid valves, relays and other control
gear of limited power.

Liquid Immersion - Ex ob, oc

Parts which might ignite an explosive atmosphere are immersed in oil or other non-
flammable, insulating liquid so that gases and vapours above the oil level and outside
the enclosure cannot be ignited by electric arcs or sparks generated below the liquid
level, or by hot residual gases from the switching process or by hot surfaces.

This concept is not often used for instrumentation, however it is not unusual to find
electronic circuits completely immersed in liquid inside gearboxes.

Powder Filling - Ex q

By filling the enclosure with a finely grained powder made from, for example, quartz glass, an
arc within the enclosure is unable to ignite the explosive atmosphere outside. There
must be no risk of ignition by flames, nor by increased temperatures at the surface of
the enclosure.

Flameproof Enclosures - Ex d

A type of protection in which the parts which could ignite an explosive atmosphere are
located inside an enclosure which can withstand the pressure of an explosion of the
explosive mixture inside, and prevents the transmission of the explosion to the
explosive atmosphere surrounding the enclosure.
Technically unavoidable gaps are so long and narrow that hot gases jetting out will
have lost their power to cause ignition by the time they reach the outside of the
enclosure, or, alternatively, if the gaps are only required for the manufacturing process
they might be sealed with adhesive.

Flameproof certified instrumentation is very common.

Standards and codes for Explosion Protection


The following international standards and codes are used for explosion protection:
- EN 1127-1:1997; Explosive atmosphere - Explosion prevention and protection. Part
1: Basic concepts and methodology
- EN 60079-10:2003; Electrical apparatus for explosive gas atmospheres. Part 10:
Classification of potentially explosive atmospheres
- EN 50281-3:2002; Electrical apparatus for use in the presence of combustible dust.
Part 3: Classification of areas where dusts are or may be present
- NFPA 70; National Electrical Code Chapter 5 Article 500.

It is worth noting that many - though by no means all - countries outside of Europe and
North America use the IEC Standards as a basis for their own national standards.

Electric, Hydraulic & Electronic Control Systems


It is usual to have three installation wide control systems on a process plant, and a
host of local control systems.

Plant Wide Control Systems


The Process Control System (PCS)

The PCS takes care of running the process and utility systems within normal
parameters. Some operators call this system a SCADA system: Supervisory, Control
And Data Acquisition.

The Emergency Shut Down System (ESD)

The ESD supervises important/critical parameters in the process and utility systems
and will shut down the plant if predetermined values are exceeded, e.g. a hi hi
pressure level is reached. The ESD system normally has graduated shutdowns with
each shutdown level given a name e.g. ESD1, ESD2, ESD3 etc. The levels correspond
to severity with an ESD 1 shutting down the complete plant, an ESD 2 perhaps closing
down a complete system, etc. See our page on Levels of Shutdown for more details.
The lower levels of the ESD system are known as the Process Shut Down
(PSD) system.

The Fire and Gas System (F&G)

The F&G system, unlike a PCS or ESD system, is not process related but is instead
facility related. While the first two supervise and control the process, the F&G system
supervises and controls hazardous situations, i.e. a fire or a gas release is detected
on the facility.

Local Control Systems


Not every plant will have all the systems mentioned below, however some or all of
them will be present in most plants.

High Integrity Process Protection System (HIPPS)

A HIPPS system is typically a local and normally small control system. In principle this
is an ESD system but it is totally independent from the plant wide ESD to ensure a
sufficiently high Safety Integrity Level (SIL) according to IEC 61508: Functional safety
of electrical/electronic/programmable electronic safety-related systems and IEC
61511: Functional safety - Safety instrumented systems for the process industry
sector.

Local Control System (LCP)

Local control systems are usually housed in a panel close to the piece of machinery
that the LCP controls e.g. compressed air unit, water maker unit, HVAC unit. A Local
Control System has typically a limited interface to the PCS.

Unit Control System (UCP)

A UCP is very similar to a local control system though typically has a lot more two way
communication with the PSD and ESD. An example of a UCP would be the system
that controls a compressor package driven by a gas turbine.

Specialist Control Systems

It is not unusual to find "Specialist Control Systems" that feed into LCPs, UCPs or even
the PCS or ESD. For example, both an anti surge system on a compressor and a
vibration monitoring system on a piece of rotating equipment would be considered as
specialist control systems.

Process and Plant Safety


Major safety incidents in the process industries like the Piper Alpha disaster in the UK,
the Bhopal gas tragedy in India, and the Texas City refinery explosion in the USA, and
a host of more minor though just as tragic incidents have all highlighted the necessity
of having a disciplined framework for the design, operation and maintenance of
operating systems and processes that handle hazardous substances. This disciplined
framework is called "Process Safety".

It is worth noting the difference between process safety and personal safety. Process
safety addresses major hazards that are more likely to result in major incidents with
big consequences whereas personal safety addresses incidents at an individual level
with small consequences.

Process safety focuses on preventing fires, explosions and accidental release of
process fluids. Specialist process safety engineers and consultants lead this work,
however Instrument engineers and designers also play a major part in Process Safety.
They need to be aware of, and use the many practices employed in providing systems
that ensure the safety of an industrial process through the use of instrumentation.

Examples of these practices include a method of analysing and classifying the
environment where explosive gas atmospheres may occur, known as hazardous area
classification; the ignition and explosion prevention techniques as outlined in the ATEX
directive; the use of over pressure devices like pressure relief valves and rupture disks;
the intricacies of the Pressure Equipment Directive; and process safety risk
assessments.

Instrument Junction Boxes
Instrument Junction Boxes (commonly referred to as JBs) are an integral part of every
control and instrumentation installation. They protect electrical connections from the
weather, help prevent operators and technicians from suffering accidental electric
shocks, and offer a convenient entry into a circuit for maintenance and fault finding.

In this article we will look at the considerations and options available when specifying
a junction box, and also at some of the documentation used by instrument designers
and technicians relating to Junction Boxes.

What is a Junction Box?

An instrument junction box is an enclosure housing terminals that allows
interconnection between field devices (i.e. instruments, switches etc) in the
process/production areas, and control or monitoring equipment typically located in the
control room.

Typically, numerous field cables of a common system are joined, via the terminal
blocks within the JB, to a multicore cable. Examples could be analogue signals to the
DCS, switch signals to DCS, analogue signals from DCS, analogue signals to ESD etc.

Specifying a Junction Box


Like every part of an instrument loop, it is essential that the JB selected is suitable for
the required application. Consideration needs to be given to:
- Materials of construction,
- Suitability for use in hazardous areas,
- Degree of ingress protection,
- Type and quantity of terminals to be housed within the JB,
- Number of cable entries and their direction,
- Earthing,
- Requirement for breather or drain plug,
- Junction box size and mounting,
- Labeling,
- Doors.

Below, we will look at each of these considerations in turn.

Junction Box Materials of Construction

Junction boxes can be manufactured in a variety of materials including stainless steel,
mild steel, glass reinforced polyester, aluminum, polycarbonate and ABS (Acrylonitrile
butadiene styrene - a thermoplastic polymer). These are all suitable for a wide range
of industrial and OEM applications.

For outdoor areas that are exposed to changing environmental conditions like those
encountered in many process and petrochemical plants, and Oil & Gas installations,
the use of materials with good corrosion resistance, the ability to tolerate high ambient
temperatures and high creep strength, is important. That is why stainless steel is most
often selected, with GRP being a popular second choice.

The preferred grade of stainless steel is 316L, as this offers superior protection against
pitting-type corrosion than other grades like types 303 and 304.

Glass Reinforced Polyester (GRP) has a high resistance to contamination from oils,
has excellent mechanical properties (e.g. strength), and offers a long life expectancy.

Junction Boxes in Hazardous Areas

Junction boxes certified as suitable for use in potentially Hazardous Areas are available
from many manufacturers. Common certification standards include the ATEX
Standard, and the IEC 60079-series of explosion prevention standards. For JBs, the
most common types of protection used are Ex d "flameproof" and Ex e "increased
safety", though it is not uncommon to see Ex "N", or indeed Ex "P". Ex e is often used
for junction boxes in intrinsically safe circuits.

For Ex e certified JBs there are two main criteria to consider:

- Are the internal components (e.g. terminals) acceptable for use in the JB, i.e. are
they only terminals or other components which are specifically allowed for in the JB's
certificate of compliance, and
- Will any internal components, or wiring, be hotter than the temperature
classification of the JB allows.

In all Ex certified enclosures it is important that an earth facility is provided. For metallic
enclosures the earth facility must earth the enclosure body and can be provided by
earth terminals connected to the body through the terminal mounting rail and/or by
means of an internal/external earth stud.

Ingress Protection

A major secondary form of protection for the internals of a JB is its IP rating. Moisture
or dust, if allowed to come into contact with the JB internals, could lead to either
sparking or physical breakdown of the components and interfere with the explosion
protection method being used. It is for this reason that IP56 is usually considered the
minimum rating that should be used for junction boxes, especially if they are located
outside.

If the junction box could be subject to deluge conditions, as is common in many
offshore oil and gas platforms, then greater ingress protection will be required. For
deluge service consider specifying that the equipment should meet the requirements
of Shell DTS:01.

Terminals

As already mentioned above, only terminals which are specifically allowed for in the
JB's certificate of compliance should be used. Most reputable manufacturers offer
junction boxes that can accept terminals from a wide range of brands e.g.
Weidmüller, Phoenix Contact, ABB, Legrand, Rockwell Automation etc.

The terminal should be matched to the type and size of cable being used and attention
should be paid to the current and voltage ratings of both the terminal and cable.

A removable "gear plate" (or component mounting plate) is usually provided. DIN
standard terminal rails can be fixed to the gear plate before the plate is mounted in
the box. This makes for easier and quicker assembly of the box.

The number of terminals, and width of each one, will determine the size of box required.
It is good practice to consider future expansion by leaving two or more unused pairs in
the main multicore cable.

Cable Entries

Cable glands should be selected according to the cable type, screen or armour
earthing requirements and the IP rating required. For junction boxes used in hazardous
areas the glands must meet the same criteria as the enclosure to which they are
connected.

Ex e junction boxes are usually supplied with gland plates which are drilled to accept
cable glands which allow cable entry. The gland plate is bolted to the JB and supplied
with a gasket to maintain the IP rating. It is important to always allow enough clearance
around multiple gland entries to allow for fixing nuts etc. Note that the choice of gland, and
by implication its size, may limit the number of entries possible in any given gland plate.

Ex d junction boxes are not usually supplied with gland plates. Instead, the housing is
drilled and tapped to accept the required glands. Unused ways are fitted with certified
blanking plugs.

There is no hard and fast rule about where cables should enter a box. It is often the
case however that incoming cables enter the box from the side, and the multicore exits
from the bottom of the box. Different configurations of cable entry may impact on the
size of box required.

Earthing

As mentioned above, all Ex certified enclosures must be provided with an earth facility.
This is usually an M6 internal to M10 external SS316L earth stud. It is common for
earth studs to be welded to the enclosure wall to maintain the integrity of the IP rating.

Bonding wire (usually Green and Yellow) should be fitted inside the JB between the
door and body, and between the component mounting plate and the body.

Breather and Drain Plugs

The Breather part of a Breather Drain plug provides pressure compensation between
the inside of the junction box and the external atmosphere. This minimises moisture
build up caused by temperature fluctuations and humid environments.
The Drain part of the plug allows any condensed water present within the junction box
to be drained before it accumulates and causes problems.

If fitted, and it is good practice to fit these on JBs mounted externally, breather drains
must have the same Hazardous Area certification and IP rating as the junction box to
which they are fitted.

Breather Drains are sometimes referred to as Breather Vent Plugs or Conduit Drains.

Junction Box Size & Mounting

The size of a JB is dependent on the number and type of cables being terminated
within it. The more cables, the more cable entries, and cables with screens require more
terminals. The more cable entries and the more terminals, the bigger the JB required.
Further, ergonomics and ease of access for wiring mean that when considering JB size
a larger rather than smaller box should be selected. Generally, boxes in the range of
200 to 500mm wide by 200 to 500mm tall should be considered.

Junction boxes should be located in well lit, easily accessible areas. Boxes should be
specified with at least four external mounting lugs, two top and two bottom. Due to their
weight, especially Ex d boxes, 10 mm diameter or larger fixing holes should be drilled
in the mounting lugs.

Labeling

All JBs should be labelled externally with their unique JB number. And if the box
contains Intrinsically Safe signals, an additional external tag, coloured blue with white
lettering stating "Intrinsically Safe Circuits" should be fitted.

Label material choice will usually be either stainless steel, or traffolyte (also written as
traffolite). Traffolyte is a multi-layered phenolic plastic sheet in which each layer is a
different colour, so engraved letters are a different colour from the unengraved portions.
Labels should be fixed to the box ensuring that IP rating and hazardous area protection
are not compromised.

Junction Box Doors

Doors should be capable of full 180 degree opening. Increased ease of access can be
obtained by specifying removable doors.

Ensure doors are fitted with seals or gaskets that allow the IP rating of the box to be
maintained.

Prevention of unauthorised access to the box needs to be considered. Simple quarter
turn door latches may be adequate, though in some applications a padlockable door
may be preferred.

A pocket on the inside of the door is useful for storing JB wiring diagrams - see below
for further details.

Junction Box Documentation


Junction Box Diagram

A junction box diagram, sometimes called a JB drawing, will as a minimum show:
- the junction box number,
- field instruments and their cable number,
- the terminal numbers to which the instrument is terminated,
- the multicore number and its destination,
- which multicore pair each field instrument is connected to.

Additional information may also be included to help with maintenance and fault finding.

Junction Box Schedule

The junction box schedule is a document, likely to be derived from a database or in the
form of a spreadsheet, listing all the junction boxes that have been installed on a plant.
It is used extensively during plant design as an aid to procurement as it provides an
easy source for material take off. Most operators As-Build the schedule following
construction to allow for easily locating junction boxes, and to allow new boxes to follow
the established numbering system.

A typical JB Schedule will contain the following fields:


- JB Number,
- JB Type / Specification e.g. GRP, Ex e etc,
- JB Size,
- JB Location/Area,
- Signal type e.g. analogue, digital etc,
- Number and size of incoming pairs,
- Size of multicore leaving box e.g. number of pairs, outside diameter etc,

Emergency Shutdown System or ESD System
An emergency shutdown system or ESD system is a highly reliable control system for
providing a safety layer during emergency situations. It helps to prevent situations from having
catastrophic impacts economically, environmentally, or operationally. Emergency Shutdown
Systems in any plant minimize injury to working personnel and the environment, or damage to
equipment, by protecting against leaks, hydrocarbon escape, fire outbreaks, explosions, etc.
The application of emergency shutdown systems is well established in oilfields (oil
wellheads), nuclear plants, oil and gas processing plants, steam and gas turbine power plants,
chemical and petrochemical plants, boilers, geothermal industries, etc. During an emergency
situation, the process operations are stopped by the ESD system, thereby isolating the
hazard and preventing it from escalating.

Functions of an Emergency Shutdown System


An emergency shutdown system should always be working in the background throughout
plant operation, as it is one of the main security systems. The major functions of an
emergency shutdown system are:

- Shut down the system or equipment during a critical situation
- Isolate electrical equipment
- Properly control ventilation during an emergency
- Stop or isolate hydrocarbon sources from potential hazard situations
- Blowdown and depressurization
- Prevent escalation of a dangerous event, such as ignition and explosion
- Protect personnel, asset, and the environment

Note that critical situations may be triggered in any plant by various factors but
emergency shutdown systems should be able to handle those in an effective manner.

Emergency Shutdown system design considerations


The design of the Emergency Shutdown or ESD system shall take into account the
needs resulting from normal operation and shall also fulfill the requirements that may
arise during other possible (and likely to occur) abnormal or down-graded
configurations. Depending on the type of operating plant and functions, ESD system
design will vary.

However, the below-listed issues shall be adequately addressed when relevant:

- Tripping or stopping a unit or equipment does not necessarily eliminate all sources
of hazards.
- Due to the loss of essential utilities like air, essential power, hydraulics, etc., new
hazards can appear at any time. The emergency shutdown system should be designed
to identify and mitigate, or alarm on, the risk of such hazards.
- All operating configurations that the ESD system generates shall be stable, safe,
and reversible.
- The ESD system shall be compatible with the re-start philosophy. The inevitable
inhibitions of the control and safety systems during the re-start sequence shall be
identified and shall be limited in number, time, and duration.
- ESD system design shall provide specific attention to non-routine operating
conditions, simultaneous operations, and down-graded situations.
- Particular operating conditions may require a different shutdown logic than that, or
the combination of those, applicable under normal circumstances. For example, an
installation normally operates under different conditions, e.g. high, medium, or low
pressure. Each condition may require a different ESD logic, but the differences shall
be limited to process shutdowns. Emergency shutdowns shall result in the same
actions independent of the condition. Before switching over between different ESD
logics, the proper line-up of equipment and the status of valves need to be verified.
- The Emergency Shutdown system shall be used to continuously monitor the safety
parameters of the plant and shall take actions to maintain the safety of the plant
on demand.
- The ESD system diagnostics shall show, as a minimum, the following fault/healthy
statuses (the list is not exhaustive):
  - Circuit breakers tripped
  - Power feeders healthy
  - Fuse failure
  - Power supply removed
  - CPU fault
  - Battery failure
  - Power supply failure
  - Communication failure
  - Input/Output module failure
  - Input/Output module removed
  - Failure of each channel
  - Panel internal temperature high
  - Others as supplied by the manufacturer.

Working of Emergency Shutdown System
An emergency shutdown system works by monitoring the plant condition using
field-mounted sensors, valves, trip relays, and inputs to a control system as alarms. The
control system performs a cause-and-effect analysis of the above parameters to
determine plant health. In case of abnormal behavior, the system will minimize the
effects by reducing the number of plant items available or shutting down part of the
system. For example, in case of a fire hazard, a Fire Damper control system may
override the existing controls to open or close vents as needed, and close fire doors.

Normally, for plants, a shutdown matrix is defined. Three to four shutdown levels based
on decreasing criticality are decided and the complete plant is categorized. In the
process control system, various safety loops and devices are organized as
complementary barriers. For each installation, an ESD/SD logic shall be defined
covering all the installations and represented in an ESD/SD logic diagram.

Components of an Emergency Shutdown System


The following components shall be part of an emergency shutdown system:

- Dedicated Process Transmitters
- Shut Down Valves, Normally Fail to Close Type
- Logic Solver
- Blowdown valves
Fig. 1 below shows a Typical Emergency Shutdown System in its basic

Fig. 1: Typical Emergency Shutdown System

Cause and Effect Drawings

What is cause-and-effect drawing?

The cause-and-effect diagram offers information about
different causes and their trip effects on the field equipment.

This document is mostly used in emergency shutdown (ESD)
and fire and gas systems (FGS) to identify various causes and
their associated trips in a matrix style for better and simpler
interpretation.

Causes can include a change in the state of a digital input, a
High High/Low Low alarm from an analogue input, and
interlock logic, among other things. Effects can include tripping
a motor or pump, closing a valve, opening a pressure relief
valve, activating an emergency alarm or beacon/hooter, and so
on.

Detailed Explanation of Cause & Effect Drawings

Some projects include the Cause and Effect in the
process documentation, while other ventures treat the Cause
and Effect as part of the instrument deliverables.

A cause is something that makes something else happen, and
an effect is what happens because of the cause.

Cause-and-effect relationships can range from simple to
complex. The concept of cause and effect is depicted as a
matrix. The effects are mentioned in the top area, while the
causes are given in the left section. Both are characterized by a
tag number and their descriptions.

A mark at the intersection of a cause and an effect indicates a
cause-and-effect relationship. Marks could be in the form of the letters “X”
for effect activation, “T” for effect activation with a time delay,
and “P” for cause permitting effect activation.
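
The matrix convention described above can be checked mechanically before the logic is programmed into the ESD or FGS. The following Python sketch is an added example, not part of the original document: the tag numbers, the "T30" delay notation and the rule that every "P" cause must be active before a triggered effect fires are assumptions made for illustration.

```python
# Added example: lint and evaluate a cause-and-effect (C&E) matrix.
# Constructed sample data: all tag numbers are hypothetical.
# Cell marks: "X" activate, "T<seconds>" activate after a delay (notation
# assumed here), "P" permissive (assumed: must be active for the effect to fire).
MATRIX = {  # rows are causes, columns are effects
    "PAHH-101": {"SDV-101": "X", "P-101": "X"},
    "LALL-102": {"P-101": "X"},
    "FIRE-CONF-01": {"SDV-101": "X", "HOOTER-01": "X", "BDV-101": "T30"},
    "BD-PERMIT-01": {"BDV-101": "P"},
    "TAHH-103": {},                   # defect: cause trips nothing
    "MAINT-KEY-01": {"XV-900": "P"},  # defect: effect has no initiating cause
}


def parse_mark(mark):
    """Split a cell such as "X", "P" or "T30" into (kind, delay_seconds)."""
    kind, rest = mark[:1], mark[1:]
    if kind in ("X", "P") and not rest:
        return kind, 0
    if kind == "T" and rest.isdigit():
        return kind, int(rest)
    raise ValueError(f"unknown mark {mark!r}")


def lint(matrix):
    """Return review findings to clear before the logic is implemented."""
    findings, kinds = [], {}
    for cause, row in matrix.items():
        if not row:
            findings.append(f"{cause}: cause has no effect")
        for effect, mark in row.items():
            try:
                kinds.setdefault(effect, set()).add(parse_mark(mark)[0])
            except ValueError as err:
                findings.append(f"{cause}/{effect}: {err}")
    for effect in sorted(kinds):
        if kinds[effect] == {"P"}:
            findings.append(f"{effect}: only permissives, can never activate")
    return findings


def evaluate(matrix, active):
    """Return the effects that fire; `active` maps cause tag -> seconds active."""
    triggered, required = set(), {}
    for cause, row in matrix.items():
        for effect, mark in row.items():
            kind, delay = parse_mark(mark)
            if kind == "P":
                required.setdefault(effect, set()).add(cause)
            elif active.get(cause, -1) >= delay:
                triggered.add(effect)
    return {e for e in triggered if required.get(e, set()).issubset(active)}


if __name__ == "__main__":
    for finding in lint(MATRIX):
        print("REVIEW:", finding)
    print(sorted(evaluate(MATRIX, {"FIRE-CONF-01": 45, "BD-PERMIT-01": 45})))
```

Running `lint` first matters because `evaluate` raises on an unrecognised mark rather than silently ignoring a cell.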

There are two kinds of cause-and-effect charts:

- Fire and Gas C&E Diagram
- ESD C&E Diagram

What Documents are Required for Preparation of a Cause-and-Effect Drawing?

Reference documents required for preparation of the cause
and effect drawing:

- SAFE Chart: This chart shows which safety devices are
needed for each piece of process equipment. The SAFE Chart
will make sure that all safety requirements have been met
and will show what actions the safety devices take.
- Philosophy: It provides the narrative, while the engineer
translates it into cause-and-effect interaction so that the
plant operates in accordance with the intended
philosophy.
- ESD Logic Diagram: This diagram illustrates the plant
shutdown hierarchy and describes the inputs that initiate
the shutdown as well as the outputs that follow from the
shutdown.

What is the purpose of the cause and effect drawing?

The main purpose of the cause-and-effect document is to give
clear direction to the control system engineer to implement the
correct control logic in the ESD and FGS systems using the defined
programming language. This logic will always monitor the plant
while it is in operation and will activate if a
predetermined condition is met.
