Date : March.06,'05 QCS/SO/00/N/OP/NA/OO1 CONTROL AND SHUTDOWN PHILOSOPHY Rev: Et

1. INTRODUCTION FOR CONTROL SYSTEM

1.1 Scope

This philosophy outlines basic principles for an integrated process information and control system for the Qatargas 3&4 Onshore Project only. The control system requirements for the Offshore part of the Project (gas collection and transmission) will be developed by a separate project team. The interface requirements between the Offshore and Onshore are addressed in the “Offshore Interface Philosophy” document, which will be provided by others.

1.2 Objective

The basic control and monitoring objectives of the Onshore facilities shall be accomplished through a fully integrated information and control system that provides the means to provide all information, control, and safeguarding of the facilities.

2. DISTRIBUTED CONTROL SYSTEM

2.1 Scope of DCS

A Distributed Control System (DCS) performs the basic process control and monitoring of the facilities. It shall be capable of providing the necessary interfaces to other subsystems such as:

• Instrumented Protective Systems (IPS)
• Fire and Gas System (FGS)
• Gas Turbine/Compressor Control and Safeguarding Systems (GTCCS)
• Analyzer Data Acquisition System (ADAS)
• Machine Monitoring System (MMS)
• Package Equipment Control Systems
• Ship Loading and Navigational Systems provided by others
• Fiscal Metering Systems (FMS) for Custody Transfer and Allocation
• Pipeline Management System (PMS)
• Burner Management System (BMS), if applicable
• Electrical Integrated Power Generation and Distribution Control Systems (ELICS)
• Instrument Asset Management System (IAMS)
• Laboratory Information Management System (LIMS)
• Plant Operations Information System (POIS)

The DCS shall also support higher level connectivity to the plant information Ethernet LAN that allows plant personnel to view and monitor process information in an integrated fashion.

2.2 Facility Controls

The basic control philosophy for the Onshore plant is to implement centralized operational control. The focal point for the process, offsites and utility control systems shall be a continuously staffed Main Control Room (MCR). In addition to the facilities for basic process control, the MCR shall include provisions for safety system monitoring, facility start up and operational and emergency shutdown, plant communications, UPS and batteries as needed.

The MCR shall communicate with normally non-staffed Instrument Technical Rooms (ITR). The ITRs shall be environmentally conditioned (pressurization, temperature, air filtration) to house the field instrumentation I/O termination panels, DCS/IPS cabinets, UPS and batteries. Generally one ITR will be located within each operating area. The ITRs shall meet the electrical area classification requirements. The option to integrate the operator shelters with the ITRs will be explored during the design.

Control panels for utility packages and auxiliary controls for mechanical packages may be located in the ITR or (where appropriate) in the field and interfaced with the ITR equipment. The detailed requirements (e.g., location, blast resistance) for the ITRs shall be developed during the design. Alternatively, use of remote field-mounted I/O cabinets instead of ITRs will be explored during the design.

Power for all control system equipment will be designed to be reliable.

2.3 Communication Networks

2.3.1 DCS LAN

A secure and fully redundant communication network shall be used as the backbone of the DCS network for process control purposes. Redundant data highway cables shall be used for connection of all system components that are located within the same building. Communication between the buildings shall be accomplished by use of a redundant fiber optic network routed on separate paths.
The DCS network shall not extend beyond the Onshore facilities battery limits.

2.3.2 Plant Information LAN

An Ethernet LAN, based on a widely accepted operating system in the industry such as NT, shall be distributed to the MCR and ITRs for operations, maintenance and supervisory personnel. As a minimum, it shall:

• Provide read-only live and historized process data for maintenance and supervisory personnel.
• Connect to the business information network via a router for passing of live and historized process data.
• Connect to geographically distributed package equipment subsystems.
• Exchange data with office automation system.

2.4 General Requirements

Following are general requirements for the DCS:

1. DCS controllers shall be fully redundant. All I/O (Input/Output) modules that are used for analog control functions shall be redundant.

2. DCS controllers and I/O modules shall be partitioned by process unit and by logical systems within each unit to allow for maximum flexibility for the plant maintenance personnel.

3. DCS operating consoles shall be designed such that operator workstations are essentially redundant so that a single point of failure does not prevent operators from monitoring or controlling the Onshore facilities. DCS consoles shall also contain communication equipment (e.g. hotlines, radio communications with field operators) and selected IPS Emergency Shut Down (ESD) pushbuttons.

4. The DCS system shall be capable of providing a prioritized Alarm Message System and Sequence Of Events (SOE) functionality.

5. The operating system shall be compatible with the OPC (Object Link Embedded [OLE] for Process Control) or MODBUS RTU standards. OPC or MODBUS RTU shall provide the primary interface protocol for IPS, FGS, GTCCS, ADAS, MMS, TOMS, FMS, BMS, ELICS and other packaged control subsystems.
   The DCS shall provide a seamless highly secure connectivity of the control LAN to the Plant Information LAN (PIN).

6. The system spares requirements shall be established early in the design. These requirements shall consider the system growth during the design and post startup phases of the project in terms of control processors, I/O modules, termination panels, point types, and rack space.

7. The system design shall allow for future online modular and incremental expansion of the system without upsetting the process operations.

8. The routing of the system communication media (cables, fiber optics) and wiring shall be such that a single point of failure does not compromise the integrity of the entire system. Options to consider include separate routings of redundant links and use of underground routings.

9. The system shall allow for secure access from remote locations for diagnostics purposes.

10. All DCS and IPS control and communication equipment shall have redundant Uninterruptible Power Supplies (UPS). Dual redundant power supply units shall be fitted for power distribution within the systems.

2.5 Human Machine Interface (HMI)

Process control and monitoring via the DCS shall ensure a safe, continuous and stable operation of the entire QG 3&4 Onshore facility. Engineering and operator stations shall be arranged in multi station consoles and be equipped with redundant communication ports to both the DCS and the plant information Ethernet LANs. Based on operations philosophy, the number of CRT stations per console shall be determined during the design. Each station shall be capable of being independently powered, shutdown, and restarted.

Under proper access level authorization, each station shall be capable of providing process monitor, alarm management and control functions for the entire facility.
It shall also be possible to access QGII data from these stations if required through connection of the QGII and QG 3&4 communications networks. The stations shall provide the required “single window” access into the facility control and safeguarding systems.

An engineering console will be provided in an area of the MCR to allow control application development and configuration modifications. This will consist of multiple workstations capable of being switched between Engineer and Operator functionality. The engineering console shall be capable of being switched between any of the plant operating units with proper access authorization.

2.6 Multivariable Predictive Control (MPC)

Multivariable model-based Predictive Control shall be implemented as per QCS/S0/00/IN/TSINA/042 “Multivariable Model-Based Predictive Control”.

2.7 Instrumented Protective Systems (IPS)

The IPS shall function independently of the DCS, and shall have independent UPS power supplies and other power supply equipment. Secure flow of information from the IPS to the DCS shall be provided via a redundant serial link. There shall be no possibility of breaching the IPS integrity by inadvertent DCS control actions. Any Emergency Shut Down (ESD) information required by the IPS from the DCS Consoles shall be transmitted by hardwired connections. However, to the extent possible, the DCS and IPS shall be closely integrated. All IPS diagnostics information shall be displayed on the DCS operator consoles through the Alarm Management System and DCS graphical HMI of the IPS.

The Safety Integrity Level (SIL) is established for each IPS ESD loop for the entire life cycle of the facilities, beginning with the FEED and EPC design and ending with the decommissioning of the Onshore Plant.
Once the IPS is commissioned, maintenance personnel are required to proof test the IPS components (ESD loop Initiators and Actuators) at intervals sufficient to demonstrate the IPS will perform its protective functions upon demand. Consequently, during the FEED and EPC design phase maintenance and operating management shall endorse the minimum test intervals for IPS components since these test interval guidelines are used during the FEED and EPC design phase.

ANSI/ISA S84.01 1996, as updated in the 2003 edition, and IEC 61511 2003 edition are the primary industrial standards used as the guiding documents to establish other IPS design requirements including but not limited to redundancy and separation of basic process control and the safety functions, in conjunction with COMPANY risk matrix methodology for the SIL assignments and fault tree methodology for the SIL assessments.

In compliance with these industrial safety standards for the Safety Instrumented System (SIS, or IPS) design, the SIL for each Safety Instrumented Function (SIF, or individual ESD loop) is identified. SIL targets are identified by the COMPANY SIL Team, which uses a semi-quantitative risk matrix methodology, as described in COMPANY document “Project Safety Integrity Level Target Identification” Revision A, October 3, 2003.

SIL calculations are performed using Fault Tree Analysis (FTA) by an independent qualified third party contracted by Company. The calculations determine the level of redundancy for SIF Initiators and Actuators that meet the SIL target assignment. The SIS logic solver shall be of Triple Modular Redundant (TMR) or 2oo4 D design.
The EPC Contractor is responsible to provide the Safety Requirements Specification (SRS) referenced in the ANSI/ISA standard, along with all other IPS documentation during the QG 3 FEED and EPC Project phases. The EPC Contractor is also responsible to provide all related IPS documentation, including but not limited to SIL documentation on Cause and Effects diagrams and logic drawings, the P&IDs showing all IPS or ESD loops, IPS loop drawings with SIL assignments, and all other supporting documentation requested by COMPANY to perform the SIL assignments and assessments to demonstrate the SIF performance on demand.

The Company shall approve all changes to the IPS SIF and related drawings and documents through the Company SIL and/or HAZOP Team, throughout the FEED or EPC design phase. The FEED and EPC Contractor shall request COMPANY approval for all IPS document changes that affect either the SIL assignment or the SIL assessment of required instrumentation to meet the SIL assignments for each IPS ESD loop.

The “Safety Requirement Specification” QCS/SO/IN/DB/NAQ0S (presently numbered as QCS/S9/004N/DB/NA/006) document includes the details of the IPS.

2.8 Machinery Control and Monitoring Systems

In general, the Machinery Control and Monitoring Systems shall meet the Subsystem Interface requirements stated in section 2.9 of this document. Dedicated control panels, located in the ITRs, shall be provided for gas turbines, compressors, expanders, blowers, and other important rotating equipment. The dedicated control systems shall include the functionality for performance and alarm monitoring, transient data analyzer and recorders, equipment testing, start-up/shut-down, and remote operations. Machinery shut-down (ESD) loops shall be provided according to the safety guidelines described in section 2.7, and shall have an identified SIL assignment established by the COMPANY SIL Team.
The data transferred on either OPC links or serial links shall allow for remote process operation including control, emergency shut-down (as a back up) and monitoring. There shall be no remote start-up of fired equipment.

For supervisory and maintenance purposes, all machinery monitoring systems shall be securely connected, via a router, to the Plant Information Ethernet LAN or serial communication and the data shall be remotely accessible via HMIs connected on the LAN.

It shall be possible to monitor, operate and shutdown machinery from the MCR. There shall be no remote start up of fired equipment.

2.9 Subsystem Interface

Subsystems include stand-alone data monitoring and control systems that perform dedicated and/or specialized functions. Examples of such systems include analyzers, surge controllers, and custody transfer fiscal metering systems.

Integration of subsystems to the DCS shall be accomplished through industrial standard OPC or serial communication protocols. As part of the overall design philosophy, the use of “custom” driver software packages shall be avoided. These protocols shall be evaluated and defined during the design.

Train based analyzer systems shall consist of the analyzers, sample handling/pre-conditioning system and Analyzer Data Acquisition System (ADAS) interfaced to the DCS via an OPC or serial communication link. The link transmits analyzer data to the DCS for process monitoring and enables analyzer Statistical Quality Control (SQC) status monitoring from the DCS console. Similarly, a link is provided to maintenance personnel for maintenance monitoring, dispatch of maintenance technicians, and remote calibration and/or validation from the Headquarter building.

In general, analyzer signals shall not be configured directly in closed loop control or shutdown functions.
When an analyzer is used in closed loop process control, the sample conditioning system shall include a flow switch that detects if fresh sample is continuously flowing to the analyzer; loss of sample flow shall switch the control loop from automatic to manual. Gas (or Liquid) Chromatograph-based (GC) control shall also remain in automatic only when the GC SQC parameters, un-normalized denominator and retention times, are within tolerable limits and the analyzer status is healthy.

2.10 Packaged Equipment Controls

Package controls shall meet the project design requirements in terms of separation of control and shutdown functions, pre-alarms, shutdown bypass testing and annunciation, and either the OPC or serial interface. All safeguarding or IPS functions shall be designed in accordance with the requirements of section 2.7. Design shall be in accordance with QCS/SO/O0/IN/TS/NA/001 “Instrument Furnish with Package Equipment”.

As far as practical, controls supplied with the package units shall be of the same manufacturer and model as the rest of the QG 3&4 Onshore plant, to ensure commonality for ease of interface and maintenance. Economically justified deviations from this requirement shall be approved by the COMPANY.

Each main package unit may have its own control/logic system, to be installed in the relevant instrument enclosure. The package controls shall be interfaced with the DCS. It will be necessary to provide process control commands such as remote set-points via the DCS from the MCR. Critical controls and alarm functions shall be hardwired to the DCS. OPC or serial communication links (industrial standard of OPC or serial communication) shall be used for non-critical operations. Any interface to the IPS shall be via hard-wired connections.

Alternatively, local panels may be considered, but only when absolutely necessary for package operation. When provided, the local panel shall be suitable for the environment.
Local indicators and/or operator interface shall be provided as necessary for equipment and process monitoring.

Sequence-of-events monitoring or first-out alarm annunciation shall be provided within each applicable packaged equipment control system. As a minimum a common “unit tripped” signal shall be hardwired from each packaged equipment control system to the Control System (DCS) sequence of events recorder.

2.11 Tank Gauging

Refer to section 4.0 of QCS/50/00/IN/DP/NA/O01 - Instrumentation and Analytical System Philosophy.

2.12 Marine Terminal Control

Refer to section 4.0 of QCS/S0/00/IN/DP/NA/O01 - Instrumentation and Analytical System Philosophy.

2.13 Training/Hot Spare System

A separate system, offline configuration and training DCS/IPS system provided during QGII Project will be shared by QG 3&4. This system shall include one of each type of the components of control system used in the online system. QG 3&4 Onshore Project shall supplement parts which are not spared during QGII such as new and/or different models implemented in QG 3&4. This system shall be used for training, offline configuration, and a “hot” standby spare system.

3. INTRODUCTION FOR SHUTDOWN SYSTEMS

3.1 Scope

This paragraph describes the Emergency Shutdown (ESD) and Emergency Depressurizing (EDP) systems for the Onshore facilities. These two systems and the Process Shutdown System (PSS) are integral parts of the overall Instrumented Protective System (IPS) provided for the plant. IPS design is addressed in the QCS/S0/00/IN/DP/NA/002 - Safety Requirement Philosophy (presently numbered as QES/SG/AN/DP/NAL092) section 2.7. IPS does not include Fire & Gas (F&G), and Machinery Monitoring and Control (MMS) systems.

3.2 Objective

Early detection and isolation of hazardous releases and reduction of certain hazardous inventories can substantially limit the consequences resulting from an emergency situation such as a major release of flammable material / hydrocarbon or fire.

An Emergency Shutdown (ESD) and emergency vapor space depressurization (EDP) system shall be provided in situations where rapid isolation of uncontrolled releases is desirable, to shut off secondary fuel sources that could feed a fire or vapor cloud, and to minimize releases through the use of rapid depressurization. When used along with a fire and gas detection system, strategically located and properly designed ESD and EDP valves can significantly reduce exposure from fire and vapor clouds.

These systems do not replace any requirements for providing pressure safety relief valves as required by ASME, but are a supplement to the plant PSV protection. The ESD and EDP systems shall have a simple interface with plant operators to allow a safe shutdown.

3.3 Referenced Documents

National Fire Protection Association (NFPA)
NFPA-59A: “Standard for the Production, Storage, and Handling of Liquefied Natural Gas”

American Petroleum Institute (API)
API RP 520: Recommended Practices for Design & Installation of Pressure Relieving System in Refinery, Part I and II.
API RP 521: Guide to Pressure Relieving and De-pressuring System.
API RP 2001: Fire Protection in Refineries.

Instrument Society of America (ISA)
ISA S.84.01: Application of Safety Instrumented System for the Process Industries.

International Electrotechnical Commission (IEC)
IEC 61511: Functional Safety - Safety Instrumented Systems for the Process Industry Sector

4. GENERAL FOR SHUTDOWN SYSTEM

The ESD and EDP systems, and PSS shall be reliable and failsafe based on proven design concepts utilizing Instrumented Protective Systems (IPS).
The systems shall interface to the Distributed Control System (DCS), but shall function independent of the DCS. In general, a de-energize-to-trip approach will be adopted. For more details, refer to the QCS/S0/00/IN/DP/NA/002 - Safety Requirement Philosophy (presently numbered as QCS/SO/O0/N/DP/NAI002) section 2.7.

All IPS shall comply with Safety Integrity Level assessments that will be determined during the FEED and EPC phases of the Project.

In case of activation of ESD manual switch, the ESD and EDP systems shall perform as a minimum the following functions:

• Stop inlet/outlet hydrocarbon streams by closing dedicated Emergency Shutdown Valves (ESDVs).
• Stop flow of thermal energy or heat sources within ESD zone (such as steam to reboiler, if any).
• Stop selected drivers on pumps, compressors and air coolers. Some facilities such as lube oil and seal oil system for compressors, turbines and lighting system are not stopped or tripped.
• Stop outlet liquid hydrocarbon streams by closing Emergency Shutdown Valves (ESDVs) on vessels requiring inventory containment.
• Enable opening of dedicated Emergency Depressurizing Valves (EDPVs).

EMERGENCY SHUTDOWN SYSTEM

The ESD system is comprised of hierarchical levels (i.e. individual item, local geographical “zone”, and the entire facility). Factors that affect the zone and level definitions include, but are not limited to, operating philosophy, flare restrictions, and fire fighting facilities. For definition of ESD Zone and level, refer to QCS/S0/00/PRIDP/NA/OO3 “Emergency Shutdown and Isolation Philosophy”.

Each ESD loop or SIF Actuator shall be classified as Primary, Backup or Secondary Operating Aid output as defined by the SIL requirements in section 2.7. Primary and Backup outputs are those SIF Actuators essential to take the QG 3&4 facilities to a safe state; these outputs will be determined by COMPANY SIL Team during the SIL assignment.
Activation of ESD is manual at the discretion of operator and typically accomplished via hard-wired manual switches that are located in the Main Control Room (MCR) and Instrument Technical Room (ITR) for ESD-1 and ESD-2 level and at strategic locations in field for ESD-3 level.

Note that ESD valves may be shared with PSS. Automatic activation of a shared ESD valve by PSS is allowed; however, manual activation of the valve by the ESD system overrides automatic shutdown. Refer to the Safety Requirement Philosophy for details and the SIL requirements in section 2.7.

EMERGENCY SHUTDOWN VALVES

Refer to EMERGENCY SHUTDOWN AND ISOLATION PHILOSOPHY QCS/50/00/PRIDP/NA/003 for ESDV locations. All safeguarding, ESD or IPS functions shall be designed in accordance with the SIL requirements of section 2.7. The SIL requirements described in section 2.7 shall determine whether single or double block ESD valves are necessary in specific locations for proper isolation of the QG 3&4 facilities.

ESDVs dedicated to isolate different “zones” shall be located at the boundary of a “zone”. Upon activation, the ESDV shall stop the flow of all inlet and outlet process streams, and fuel supply to the affected “zone”.

Generally, an ESDV shall be a tight shut-off (either ANSI Class V or VI), “fail close” (on loss of signal or power source), air / pneumatic operated block valve using a dedicated solenoid. More than one solenoid may be utilized for each ESD valve; however, under no circumstances shall an individual solenoid be used to drive multiple ESD valves to their safe state.

An ESDV valve body will be of fire safe design and the actuator and its accessories will be of fire proof design as per QCS/SO/O0/MPITSINAJO71 (presently numbered as QCS/SO/O0/MPFFSINA/OZ4) “Technical Specification for Fire Proofing”.
Cables connected to ESDV shall have fire protection as stipulated in paragraph 6.2 of QCS/SO/OO/IN/TS/NA/O0S (presently numbered as QCSISO/Q0ANAESINA/006) “Instrumentation - Wiring For Instrument And Computers”.

LNG service ESDVs should be located in accordance with NFPA-59A. For applications not subject to NFPA-59A, ESDVs should not be located at long distances from the process unit just to avoid installation in the fire zone without considering the consequences of having a potentially larger hazardous material release. In general, ESDVs should be located outside of buildings housing hazardous processes or utility equipment.

Where necessary, a hydraulic actuating system in lieu of air may be used; however, each solenoid used in this service shall be dedicated to a single actuator or isolation ESD valve. If hydraulic valves are selected, these shall be equipped with a secured supply of actuating fluid with back-up system and be protected as necessary against potential hazards.

In general, spring return air operated valves shall be selected for the ESDVs for reliability and maintainability. However, for large size valves and others which require large torque, the application of double acting air cylinder or hydraulic types shall be investigated with consideration of constructability and maintainability. Where double acting air cylinders or hydraulic valves are used as ESDVs, an air bottle or hydraulic accumulator sized to provide an independent air or hydraulic supply to provide motive energy to move the valve to its fail safe position shall be provided for at least three-(3) two (2) strokes, i.e. close-open-close-open. Additionally, all valve and actuator components, including wiring and air supply, should be protected against potential hazardous exposure. In all such cases, the ESD valve and loop instrumentation shall be determined by the SIL requirements described in section 2.7.
ESD valves shall not be provided with hand-wheels.

ESD valves shall be equipped with smart digital positioners DVC6000ESD: open/close indication shall be displayed on the DCS in addition to providing a partial stroke testing capability. The scope and requirements to provide online partial-closure testing of the ESDVs shall be developed during design. All partial or full closure testing of ESD valves shall be determined by the SIL requirements outlined in section 2.7.

Control valves shall not be used as ESDVs as a rule unless accepted, for example, as backup double block valves to a Primary ESD Valve per the SIL requirements described in section 2.

The type of ESD valve (ball / butterfly valves) will be defined according to service requirements and the size of the valve.

EMERGENCY DEPRESSURIZING SYSTEM

Activation of EDP is typically accomplished via hard-wired manual switches that are located in the Main Control Room (MCR) and Instrument Technical Room (ITR). EDP for each zone is enabled only after activation of the ESD system, which usually implies an ESD permissive before EDP is activated. The scope and details of EDP shall be developed during design, and shall be designed in accordance with the SIL requirements described in section 2.7.

The EDP system shall have adequate venting capacity to achieve reduction of stress in any equipment affected by fire to a level at which stress rupture is not an immediate concern. In addition, it shall be designed to enable minimization of fuel inventory that might otherwise aggravate a fire and to minimize the uncontrolled release of flammable or toxic gases.

EDP system (once activated) shall be able to reduce the pressure of the system to less than 8.0 bar.a or 50% of the initial maximum operating pressure, whichever is lower. The maximum time allowed to depressurize a vessel or system shall be 2 minutes per 3 mm (1/8 inch) of vessel wall thickness less the operator response time to initiate the depressurization (normally 3 minutes), but shall not be less than 6 minutes. Refer to QCS/S0/00/PRIDP/NA/002 “Emergency Depressurizing Philosophy” (presently numbered as QCS/50/00/PR/DP/NA/002) for details.

EMERGENCY DEPRESSURIZING VALVES

Depressurizing valves (termed BDV: Blow Down Valve) shall, in general, be tight shut-off (to avoid loss of hydrocarbons during normal operation) air operated block valves. The BDVs will typically be designed to “fail open”. However, the failure position of each valve shall be reviewed during the design hazard review. In order to prevent simultaneous BDV opening due to Instrument Air failure, an air bottle shall be provided sized to provide an independent air supply to move the valve to its fail-safe position for at least two (2) strokes, i.e. close-open-close-open.

A BDV valve body will be of fire safe design and the actuator and its accessories will be of fire proof design as per QCS/B0/00/MP/TS/NA/O71 (presently numbered as) “Technical Specification for Fire Proofing”.

Cables connected to BDV shall have fire protection as stipulated in paragraph 6.2 of QCS/SO/00/IN/TSINA/OOS (presently numbered as QCS/50/09/INC'S/NA/008) “Instrumentation - Wiring For Instrument And Computers”.

BDVs shall be equipped with a smart digital positioner DVC6000ESD: open/close indication shall be displayed on the DCS in addition to providing an online testing capability. The scope and requirements to provide online testing of the BDVs shall be developed during design. All testing of BDVs shall be determined by the SIL requirements outlined in general in section 2.7.

The type of BDVs (ball / butterfly valves) will be defined according to service requirements and the size of the valve.

The use of BDV is not envisaged for operational reasons, such as preparation for shutdown, controlling pressure, reducing levels, etc. Process control valves and manual isolation valves are provided for this purpose.

REPRESSURIZING

Immediate re-pressurization after EDP activation is not necessary. Temperature monitoring shall be provided to permit re-start / re-pressurization after EDP activation.
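
Several interface rules stated above (hard-wired interfaces to the IPS, hard-wired critical functions to the DCS, one solenoid never driving more than one ESD valve, and a DCS network that stays inside the battery limits) can be checked mechanically against a design inventory. The following is an added example, not part of the original philosophy document; the record layout, tag names and sample inventory are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    src: str                 # sending system (constructed tag name)
    dst: str                 # receiving system, e.g. "IPS" or "DCS"
    medium: str              # "hardwired", "serial" or "opc"
    critical: bool = False   # carries a critical control or alarm function


def audit_links(links):
    """Return (finding, link) pairs for signal paths that break the rules."""
    findings = []
    for link in links:
        # "Any interface to the IPS shall be via hard-wired connections."
        # Modelled here as signals INTO the IPS; information flowing from the
        # IPS to the DCS is allowed on a serial link by the IPS section.
        if link.dst == "IPS" and link.medium != "hardwired":
            findings.append(("IPS_INPUT_NOT_HARDWIRED", link))
        # "Critical controls and alarm functions shall be hardwired to the DCS."
        if link.dst == "DCS" and link.critical and link.medium != "hardwired":
            findings.append(("CRITICAL_NOT_HARDWIRED", link))
    return findings


def audit_solenoids(pairs):
    """pairs: (solenoid, valve). Return solenoids driving more than one ESD valve.

    Several solenoids on one valve are permitted; the reverse is not.
    """
    driven = defaultdict(set)
    for solenoid, valve in pairs:
        driven[solenoid].add(valve)
    return {s: sorted(v) for s, v in driven.items() if len(v) > 1}


def audit_dcs_lan(nodes):
    """nodes: (name, inside_battery_limits). Return DCS LAN nodes outside the limits."""
    return [name for name, inside in nodes if not inside]


def run_audit(links, solenoid_pairs, dcs_lan_nodes):
    """Run all three checks and return the findings keyed by check."""
    return {
        "links": audit_links(links),
        "shared_solenoids": audit_solenoids(solenoid_pairs),
        "dcs_lan_outside_limits": audit_dcs_lan(dcs_lan_nodes),
    }


# Constructed sample inventory (not taken from any real design).
SAMPLE_LINKS = [
    Link("MCR-ESD-PUSHBUTTON", "IPS", "hardwired"),
    Link("IPS", "DCS", "serial"),                        # IPS -> DCS data: allowed
    Link("PKG-AIR-COMPRESSOR", "IPS", "serial"),         # violation
    Link("PKG-AIR-COMPRESSOR", "DCS", "opc"),            # non-critical: allowed
    Link("PKG-REFRIG", "DCS", "opc", critical=True),     # violation
    Link("PKG-REFRIG", "DCS", "hardwired", critical=True),
]
SAMPLE_SOLENOIDS = [
    ("SOV-101A", "ESDV-101"),
    ("SOV-101B", "ESDV-101"),   # two solenoids on one valve: permitted
    ("SOV-205", "ESDV-205"),
    ("SOV-205", "ESDV-206"),    # one solenoid on two valves: violation
]
SAMPLE_DCS_LAN = [
    ("MCR-CONSOLE-1", True),
    ("ITR-3-CABINET", True),
    ("HQ-OFFICE-PC", False),    # outside the battery limits: violation
]

if __name__ == "__main__":
    report = run_audit(SAMPLE_LINKS, SAMPLE_SOLENOIDS, SAMPLE_DCS_LAN)
    for finding, link in report["links"]:
        print(f"{finding}: {link.src} -> {link.dst} over {link.medium}")
    for solenoid, valves in report["shared_solenoids"].items():
        print(f"SHARED_SOLENOID: {solenoid} drives {', '.join(valves)}")
    for node in report["dcs_lan_outside_limits"]:
        print(f"DCS_LAN_BEYOND_BATTERY_LIMITS: {node}")
```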
