
Safety System / Emergency Shutdown System (ESD)

The Need for Safety


Managing and equipping an industrial plant with the right components and sub-systems for optimal operational efficiency and safety is a complex task. Safety Systems Engineering (SSE) describes a disciplined, systematic approach that encompasses hazard identification, safety requirements specification, safety system design and build, and system operation and maintenance over the entire lifetime of the plant. These activities form what has become known as the Safety Life-cycle model, which is at the core of current and emerging safety-related system standards.

Risk and Risk Reduction

Safety methods employed to protect against or mitigate harm/damage to personnel, plant and the environment, and so reduce risk, include:
Changing the process or engineering design
Increasing the mechanical integrity of the system
Improving the Basic Process Control System (BPCS)
Developing detailed training and operational procedures
Increasing the frequency of testing of critical systems
Using a Safety Instrumented System (SIS)
Installing mitigating equipment

Other terms used for safety systems are:

Safety Instrumented System (SIS),
Emergency Shutdown System (ESD),
Safety Related System (SRS), or
E/E/PE Safety Related System (E/E/PE = electrical/electronic/programmable electronic)

Objectives of a shutdown control system

1. Protection of life
2. Protection of plant equipment
3. Avoidance of environmental pollution
4. Maximizing plant production, i.e. avoiding unnecessary shutdowns

Safety, Reliability, and Availability

a) Safety
Safety means sufficient protection from harm. Safety-related controls are needed e.g. for trains, lifts, escalators, burners, etc. Safe controls must be designed in such a way that no component fault or other conceivable influence can cause a dangerous state in the plant.

The safe state

The safe state is the state into which a system can be put from its current operational state and which has a system-specific lower hazard potential than the operational state. The absolutely safe state is usually the one with the lowest amount of energy involved. Quite often it is not possible to reach the safe state without any danger involved just by switching the device off (e.g. a plane). The plane in the air, taken as a system, has no safe state. Here the risk can only be reduced by redundant equipment (e.g. for propulsion and navigation systems).

b) Safety integrity
The safety integrity of a SIS is measured primarily by a parameter called the Average Probability of Failure on Demand (PFDavg). This indicates the chance that the SIS will not perform its pre-programmed action when demanded during a specified interval of time (usually the time between periodic inspections or proof tests).

c) Reliability
Reliability is the ability of a technical device to fulfil its function during its operating time. This is often no longer possible once a single component has failed, so the MTBF (Mean Time Between Failures) is often taken as the measure of reliability. It can be calculated either statistically from systems in operation or from the failure rates of the components used.
Reliability says nothing about the safety of a system! An unreliable system is still safe if each individual failure puts the plant into the safe state every time.

d) Availability
Availability is the probability of a system being in a functioning state. It is expressed in per cent and is defined in terms of the mean operating time between two failures (MTBF) and the mean down time (MDT).

The mean down time (MDT) consists of the fault detection time and, in modular systems, the time it takes to replace the defective modules. The availability of a system is greatly increased by a short fault detection time. Fast fault detection in modern electronic systems is obtained via automatic test routines and a detailed diagnostic display.

Availability can be increased through redundancy, e.g. central devices working in parallel, redundant I/O modules, or multiple sensors on the same measuring point. The redundant components are arranged so that the function of the system is not affected by the failure of one component. Here too a detailed diagnostic display is an important element of availability.
Measures designed to increase availability do not by themselves improve safety. The safety of redundant systems is only guaranteed if there are automatic test routines during operation, or if e.g. non-safety-related sensor circuits in a 2oo3 arrangement are regularly checked. If one component fails, it must be possible to switch off the defective part in a safe way.
A related measure is called Safety Availability. It is defined as the probability that a SIS will perform its pre-programmed action when the process is operating. It can be calculated as

Safety Availability = 1 - PFDavg

Another parameter is the Risk Reduction Factor (RRF). It is the ratio of the risk without a SIS to the risk with a SIS, and can be calculated as

RRF = 1 / PFDavg
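Worked example (added here; not from the original course material) putting the PFDavg, Safety Availability, RRF and availability definitions above into Python. The closed-form PFDavg expressions for the 1oo1, 1oo2, 2oo2 and 2oo3 voting architectures are the usual simplifications with common-cause and diagnostic terms dropped, the SIL bands are the IEC 61508 low-demand bands, and the availability fraction MTBF / (MTBF + MDT) is the standard form; all three are assumptions of the example, as are the failure rate, proof-test interval, MTBF and MDT used as input.

```python
"""Worked SIS figures from the definitions above: PFDavg, Safety Availability,
RRF, SIL band and plant availability.  Added example, not from the original
page.  The PFDavg closed forms are IEC 61508-6 style simplifications with
common-cause and diagnostic terms dropped; the SIL bands are the IEC 61508
low-demand bands.  Both are assumptions of this example."""

# Low-demand SIL bands (assumed, IEC 61508): lower bound inclusive, upper exclusive.
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def pfd_avg(architecture: str, lambda_du: float, proof_test_interval: float) -> float:
    """PFDavg of one safety function for a given voting architecture.

    lambda_du            dangerous undetected failure rate, per hour
    proof_test_interval  hours between proof tests: the interval over which
                         the probability of failure on demand is averaged
    Simplified forms, valid only for lambda_du * T << 1 and ignoring
    common-cause failure and diagnostics (assumptions of this example).
    """
    x = lambda_du * proof_test_interval
    if x >= 0.1:
        raise ValueError("simplified formulas need lambda_du * T << 1")
    formulas = {
        "1oo1": x / 2,      # single channel
        "1oo2": x * x / 3,  # either channel trips: low PFD, more spurious trips
        "2oo2": x,          # both must agree: fewer spurious trips, twice the 1oo1 PFD
        "2oo3": x * x,      # majority vote: low PFD, one faulty channel does not trip
    }
    if architecture not in formulas:
        raise ValueError(f"unknown architecture {architecture!r}")
    return formulas[architecture]


def safety_availability(pfd: float) -> float:
    """Safety Availability = 1 - PFDavg."""
    return 1.0 - pfd


def risk_reduction_factor(pfd: float) -> float:
    """RRF = 1 / PFDavg (risk without the SIS divided by risk with it)."""
    return 1.0 / pfd


def sil_from_pfd(pfd: float):
    """SIL band the PFDavg falls in, or None if outside SIL 1..4."""
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return None


def availability(mtbf: float, mdt: float) -> float:
    """Plant availability in per cent.  The page defines it in terms of MTBF
    and MDT; the fraction MTBF / (MTBF + MDT) is the standard form and an
    assumption here."""
    return 100.0 * mtbf / (mtbf + mdt)


def compare_architectures(lambda_du: float, proof_test_interval: float) -> dict:
    """PFDavg, SIL and RRF per architecture, showing that the choice made
    for availability (2oo2) is not the choice made for safety (1oo2)."""
    result = {}
    for arch in ("1oo1", "1oo2", "2oo2", "2oo3"):
        pfd = pfd_avg(arch, lambda_du, proof_test_interval)
        result[arch] = {"pfd": pfd, "sil": sil_from_pfd(pfd),
                        "rrf": risk_reduction_factor(pfd)}
    return result


if __name__ == "__main__":
    # Constructed input: a shutdown valve loop with a dangerous undetected
    # failure rate of 2e-6 per hour and an annual proof test (8760 h).
    for arch, r in compare_architectures(2e-6, 8760).items():
        print(f"{arch}: PFDavg={r['pfd']:.2e}  SIL {r['sil']}  RRF={r['rrf']:.0f}")
    # Constructed input: MTBF 10 000 h, mean down time 10 h.
    print(f"availability = {availability(10_000, 10):.3f} %")
```

With the constructed inputs the single channel lands at SIL 2, the 2oo2 arrangement (chosen for its low spurious-trip rate) doubles the PFDavg and drops to SIL 1, while 1oo2 and 2oo3 reach SIL 3. A real assessment adds the common-cause (beta) term, which dominates the redundant architectures and pulls their figures back up; the page's point that availability measures do not by themselves buy safety survives that correction.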

What is hazard and what is risk?

A hazard is an inherent physical or chemical characteristic that has the potential for causing harm to people, property, or the environment. In chemical processes it is the combination of a hazardous material, an operating environment, and certain unplanned events that could result in an accident.

Hazards Analysis
Generally, the first step in determining the protective layers required is a detailed hazard and risk analysis. In the process industries a Process Hazards Analysis (PHA) is generally undertaken, which may range from a screening analysis through to a full Hazard and Operability (HAZOP) study, depending on the complexity of operations and the severity of the risks involved. The latter involves a rigorous, detailed process examination by a multidisciplinary team comprising process, instrument, electrical and mechanical engineers, as well as safety specialists and management representatives.

Risk is usually defined as the combination of the severity and probability of an event. In other words, how often can it happen and how bad is it when it does happen? Risk can be evaluated qualitatively or quantitatively. Roughly, Risk = Consequence x Frequency.

Risk reduction
Risk reduction can be achieved by reducing the frequency of a hazardous event, reducing its consequences, or reducing both. Generally, the most desirable approach is to first reduce the frequency, since all events are likely to have cost implications even without dire consequences.
Safety systems are all about risk reduction. If we can't take away the hazard we shall have to reduce the risk. This means: reduce the frequency and/or reduce the consequence.
The basic definitions of the safety-related terminology will be studied in this course; there are three main examples of the required safety actions, as follows:

Emergency Shutdown (ESD)

Typical actions from ESD systems are:
Shutdown of part systems and equipment;
Isolate hydrocarbon inventories;
Isolate electrical equipment;
Prevent escalation of events;
Stop hydrocarbon flow;
Depressurize / Blow down;
Emergency ventilation control;
Close watertight doors and fire doors.

Process Shutdown (PSD)

A process shutdown is defined as the automatic isolation and de-activation of all or part of a process. During a PSD the process remains pressurized. Basically a PSD system consists of field-mounted sensors, valves and trip relays, a system logic unit for processing the incoming signals, and alarm and HMI units. The system is able to process all input signals and activate outputs in accordance with the applicable Cause and Effect charts.
Typical actions from PSD systems are:
Shutdown of the whole process;
Shutdown of parts of the process;
Depressurize / Blowdown parts of the process.

Fire and Gas Control (F&G)

This is denoted the Fire Detection and Protection (FDP) system in some other definitions. FDP provides early and reliable detection of fire or gas wherever such events are likely to occur, alerts personnel, and initiates protective actions automatically or manually upon operator activation. Basically the system consists of field-mounted detection equipment and manual alarm stations, a system logic unit for processing the incoming signals, and alarm and HMI units. The system shall be able to process all input signals in accordance with the applicable Fire Protection Data Sheets or Cause & Effect charts. FDP SIL requirements typically range from SIL 2 to SIL 1, or the system is defined as having no SIL requirement, depending on the risk analysis.

Typical actions from FDP systems are:

Alert personnel;
Release fire fighting systems;
Emergency ventilation control;
Stop flow of minor hydrocarbon sources such as
diesel distribution to consumers;
Isolate local electrical equipment (may be done
by ESD);
Initiating ESD and PSD actions;
Isolate electrical equipment;
Close watertight doors and fire doors.

Emergency Shutdown (ESD)

The Emergency Shutdown System (ESD) shall minimize the consequences of emergency situations, typically uncontrolled flooding, escape of hydrocarbons, or outbreak of fire in hydrocarbon-carrying areas or areas which may otherwise be hazardous. Traditionally, risk analyses have concluded that the ESD system needs a high Safety Integrity Level, typically SIL 2 or 3. Basically the system consists of field-mounted sensors, valves and trip relays, system logic for processing the incoming signals, and alarm and HMI units. The system is able to process input signals and activate outputs in accordance with the Cause & Effect charts defined for the installation.

Typical actions from ESD systems are:
Shutdown of part systems and equipment
Isolate hydrocarbon inventories
Isolate electrical equipment (*)
Prevent escalation of events
Stop hydrocarbon flow
Depressurize / Blowdown
Emergency ventilation control (*)
Close watertight doors and fire doors(*)

Process Shutdown (PSD)

The Process Shutdown system ensures rapid detection and safe handling of process upsets. Traditionally, risk analyses have concluded that the PSD system needs a low to medium Safety Integrity Level. The reason for the low to medium requirement is that PSD systems built in accordance with API RP 14C have requirements for both primary (the computerized system) and secondary (mechanical devices) protection. Basically the system consists of field-mounted sensors, valves and trip relays, a system logic unit for processing the incoming signals, and alarm and HMI units. The system is able to process all input signals and activate outputs in accordance with the applicable Cause & Effect charts.

Typical actions from PSD systems are:
Shutdown of the whole process
Shutdown of parts of the process
Depressurize / Blowdown parts of the process

Fire / Gas Detection and Protection (FDP)
Typical actions from FDP systems are:
Alert personnel
Release fire fighting systems
Emergency ventilation control (*)
Stop flow of minor hydrocarbon sources such as diesel
distribution to consumers. (*)
Isolate local electrical equipment (may be done by ESD)
Initiating ESD and PSD actions
Isolate electrical equipment (*)
Close watertight doors and fire doors(*)
(*) - May alternatively form a part of the Emergency
ShutDown system
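The logic units described for ESD, PSD and FDP all do the same job: evaluate the incoming signals against a Cause & Effect chart and drive the configured outputs, with F&G able to initiate ESD and PSD actions. The following Python is an added example of that evaluation, not code from the page or from any real installation. The detector tags, the voting rules (2oo3 on gas, 1oo2 on fire, 2oo2 on high-high pressure), the matrix rows and the fail-safe treatment of a lost signal as a trip vote are all constructed assumptions; the effects are taken from the typical action lists above.

```python
"""Cause & Effect evaluation for a shutdown / fire-and-gas logic unit.
Added example, not code from the page.  Tags, voting rules and matrix rows
are constructed; the effects come from the typical action lists in the text."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Cause:
    """One row of the C&E chart: the tags that vote for it and how many
    must be in their trip state (e.g. 2 of 3 gas detectors = 2oo3)."""
    name: str
    tags: tuple
    votes_needed: int


# Constructed C&E matrix: cause -> effects to drive when the cause is true.
CAUSE_EFFECT = {
    Cause("confirmed gas in process area", ("GD-101", "GD-102", "GD-103"), 2):
        ["Alert personnel", "Emergency ventilation control", "Initiate ESD"],
    Cause("confirmed fire in process area", ("FD-201", "FD-202"), 1):
        ["Alert personnel", "Release fire fighting systems", "Initiate ESD"],
    Cause("ESD pushbutton", ("HS-301",), 1):
        ["Initiate ESD"],
    Cause("high-high pressure, separator", ("PSHH-401", "PSHH-402"), 2):
        ["Initiate PSD"],
}

# Escalation: initiating ESD or PSD pulls in that system's own action set.
ESD_ACTIONS = [
    "Stop hydrocarbon flow",
    "Isolate hydrocarbon inventories",
    "Isolate electrical equipment",
    "Depressurize / Blowdown",
    "Close watertight doors and fire doors",
]
PSD_ACTIONS = ["Shutdown parts of the process"]  # process stays pressurized


def active_causes(inputs: dict) -> list:
    """Names of the causes whose vote is satisfied.

    inputs maps tag -> True when the detector/switch is in its trip state.
    A tag absent from inputs (lost signal) counts as a trip vote: the
    fail-safe convention assumed for this example, so that a component
    fault cannot leave the plant in a dangerous state.
    """
    fired = []
    for cause in CAUSE_EFFECT:
        votes = sum(1 for tag in cause.tags if inputs.get(tag, True))
        if votes >= cause.votes_needed:
            fired.append(cause.name)
    return fired


def evaluate(inputs: dict) -> list:
    """Ordered, de-duplicated list of outputs to drive for this input state."""
    fired = set(active_causes(inputs))
    actions = []

    def add(action):
        if action not in actions:
            actions.append(action)

    for cause, effects in CAUSE_EFFECT.items():
        if cause.name in fired:
            for effect in effects:
                add(effect)
    if "Initiate ESD" in actions:   # F&G or the pushbutton escalates to ESD
        for action in ESD_ACTIONS:
            add(action)
    if "Initiate PSD" in actions:
        for action in PSD_ACTIONS:
            add(action)
    return actions


if __name__ == "__main__":
    # Constructed scan: two of three gas detectors in alarm, everything else healthy.
    state = {tag: False for cause in CAUSE_EFFECT for tag in cause.tags}
    state.update({"GD-101": True, "GD-102": True})
    print(active_causes(state))
    for action in evaluate(state):
        print(" ->", action)
```

Two points the code makes that the prose only implies: a single gas detector in alarm produces no action because the 2oo3 vote is not met, and a high-high pressure trip drives only the PSD actions, leaving the process pressurized, whereas anything that initiates ESD brings in depressurization and isolation.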

Safety Process General

Safety by definition is the absence of risk. There is risk in everything we do, so the safety process model is designed to effectively identify and reduce risk. This includes:
Physical plant risk;
Human factor-related risk;
Attitudinal risk.

Sustained improvements in accident prevention can only come from changes to the overall mix of the above risks.
The model defines workplace risk by a formula such as
RISK = Employee Exposure x Probability of the Accident Sequence Taking Place x Potential Consequence of the Accident
Noting that Risk = Consequence x Frequency and
Frequency = Demand rate x Probability of failure of the safety function,
we can define a Five-Step Safety Process Model as follows:

Five-Step Safety Process Model

Step 1: Identification of risks that are producing accidents and injuries.
Step 2: Perform accident / incident problem-solving on each identified risk. The process includes:
1. Definition of the problem
2. Contributing factors
3. Root causes

Step 3: Develop a schedule for implementation of each preventive action. Every preventive action should have:
1. A responsible party
2. Resources to support the action
3. A timetable for completion

Step 4: Continuously measure to ensure preventive actions are working as expected. Measure against the timetable to ensure each action is completed on schedule.

Step 5: Employees involved in the work environment must be given feedback on a continuous basis (i.e. positive reinforcement).

The process for managing risk


Risk Evaluation
There is no such thing as zero risk. This is
because no physical item has a zero
failure rate, no human being makes zero
errors and no piece of software design can
foresee every possibility.

Key Questions to Ask

A process control engineer implementing a Safety Instrumented System must answer four key questions:
1. What level of risk is acceptable?
2. How many layers of protection are needed?
3. When is a Safety Instrumented System required?
4. Which architecture should be chosen?

Risk assessment
The measurement of risk

Qualitative scale (consequence):
Minor: injury to one person involving less than 3 days absence from work
Major: injury to one person involving more than 3 days absence from work
Fatal: fatal consequences for one person
Catastrophic: multiple fatalities and injuries

Quantitative scale (frequency):
One hazardous event occurring on average once every 10 years has an event frequency of 0.1 per year.
A rate of 10^-4 events per year means that an average interval of 10 000 years can be expected between events.

Another alternative is to use a semi-quantitative scale, i.e. bands of frequencies that match words to frequencies. For example:
Possible = less than once in 30 years
Occasionally = more than once in 30 years but less than once in 3 years
Frequently = more than once in 3 years
Regularly = several times per year
Once these scales are agreed, the assessment of risk requires that for each hazard we are able to estimate both the likelihood and the consequence. For example:
Risk item no. 1: Major injury, likely to occur
Risk item no. 2: Minor injury, likely to occur
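As an added example (not part of the original material), the following Python turns the consequence categories and semi-quantitative frequency bands above, together with the relations Frequency = Demand rate x Probability of failure of the safety function and RRF = risk without SIS / risk with SIS, into a screening calculation for a risk item. The "Regularly" threshold of at least 2 events per year, the tolerable-frequency target per consequence category, and the demand rates and PFD used as input are assumptions; the targets stand in for the site's own answer to "what level of risk is acceptable?".

```python
"""Semi-quantitative risk screening with the page's scales.  Added example,
not from the original page.  REGULARLY and TOLERABLE_FREQUENCY are assumed
values standing in for a site's own acceptable-risk decision."""

# 'Regularly = several times per year' is not a number on the page; assumed >= 2/yr.
REGULARLY = 2.0

# Assumed tolerable event frequency per consequence category, events per year.
TOLERABLE_FREQUENCY = {
    "Minor": 1.0 / 3.0,
    "Major": 1.0 / 30.0,
    "Fatal": 1e-3,
    "Catastrophic": 1e-5,
}


def frequency_from_interval(years_between_events: float) -> float:
    """Mean interval 10 years -> 0.1 per year; 10 000 years -> 1e-4 per year."""
    return 1.0 / years_between_events


def frequency_band(events_per_year: float) -> str:
    """The page's semi-quantitative bands (Possible / Occasionally /
    Frequently / Regularly) for a frequency in events per year."""
    if events_per_year >= REGULARLY:
        return "Regularly"
    if events_per_year > 1.0 / 3.0:
        return "Frequently"
    if events_per_year > 1.0 / 30.0:
        return "Occasionally"
    return "Possible"


def mitigated_frequency(demand_rate: float, pfd: float) -> float:
    """Frequency = demand rate x probability of failure of the safety function."""
    return demand_rate * pfd


def required_risk_reduction(consequence: str, demand_rate: float) -> dict:
    """RRF and PFD a safety function must achieve so that the mitigated
    frequency meets the tolerable target for this consequence category.
    With the consequence fixed, RRF = risk without SIS / risk with SIS
    reduces to the ratio of the two frequencies."""
    target = TOLERABLE_FREQUENCY[consequence]
    if demand_rate <= target:
        return {"rrf": 1.0, "pfd": 1.0, "sif_needed": False}
    rrf = demand_rate / target
    return {"rrf": rrf, "pfd": 1.0 / rrf, "sif_needed": True}


def assess(item: str, consequence: str, demand_rate: float, pfd: float) -> dict:
    """Bands before and after the safety function, the PFD it needs, and
    whether the installed PFD meets the target."""
    f_mitigated = mitigated_frequency(demand_rate, pfd)
    need = required_risk_reduction(consequence, demand_rate)
    return {
        "item": item,
        "consequence": consequence,
        "unmitigated": frequency_band(demand_rate),
        "mitigated": frequency_band(f_mitigated),
        "required_pfd": need["pfd"],
        "required_rrf": need["rrf"],
        "meets_target": f_mitigated <= TOLERABLE_FREQUENCY[consequence],
    }


if __name__ == "__main__":
    # Constructed inputs: the two risk items from the text, with assumed
    # demand rates and an assumed installed PFD (1.0 = no safety function).
    for report in (assess("Risk item no. 1", "Major", 0.5, 0.05),
                   assess("Risk item no. 2", "Minor", 0.1, 1.0)):
        print(report)
```

For the constructed Major-injury item a demand once every two years sits in the "Frequently" band; a safety function with PFD 0.05 (RRF 20) moves it to "Possible" and beats the assumed target, which only called for RRF 15. The Minor item never needed an instrumented function, which is the first question in the list above answered before any architecture is discussed.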

[Slide figures not reproduced in the text: Risk matrix example 1; Risk matrix example 2; Scales of consequence; Risk classification of accidents]