The electronic pdf versions of the documents found through http://www.dnv.com/ are the officially binding versions. Copyright Det Norske Veritas.
DNV-OS-A101 Safety Principles and Arrangements
SECTION 5
Emergency Shutdown (ESD) Principles
A. General Requirements
A 100 Objectives
101 The provisions of this section aim to ensure that shutdown systems are provided as suitable and effective to safeguard personnel and plant against hazardous events on the unit or installation.
A 200 Application
201 These requirements shall be applied to all offshore units
or installations having direct operational contact with hydrocarbons.
202 The requirements of DNV-OS-D202 apply to the emergency shutdown system.
A 300 Definition
301 An emergency shutdown system comprises:
— manual input devices (push buttons)
— interfaces towards other safety systems, e.g.:
  — fire detection system
  — gas detection system
  — alarm and communication systems
  — process shutdown system
  — drilling and well control system
  — fire fighting systems
  — ventilation systems
— a central control unit receiving and evaluating signals from the manual input devices and the interfaced systems, and creating output signals to devices that shall be shut down or activated. The ESD central shall include a device providing visual indication of initiated inputs and activated outputs and a local audible alarm
— output actuators, e.g. relays, valves and dampers, including status indicators
— signal transfer lines between the ESD central and all input devices, interfaced systems and output actuators
— power supply.
A 400 Basic provisions
401 The ESD system shall be designed so that the risk of unintentional
shutdown caused by malfunction or inadvertent operation is minimised.
402 The ESD system shall be designed to allow testing without
interrupting other systems onboard.
403 The ESD system shall have continuous availability R0 as defined
in DNV-OS-D202, Ch.2 Sec.1 B200.
404 The ESD Operator Station shall be located in a non-hazardous
and continuously manned area.
405 The ESD central control unit shall be powered from the main power system and from a monitored Uninterruptible Power Supply (UPS) capable of at least 30 minutes continuous operation on loss of main power. The UPS shall be powered from both the main and the emergency power system.
B. Safety and Shutdown Philosophy
B 100 General
101 The philosophy shall comprise functional requirements for
the safety systems upon detection of an abnormal condition. The
fail-safe functionality for the safety systems shall be included.
102 The philosophy document shall indicate actions to:
— limit the duration and severity of the incident
— protect personnel exposed to the incident
— limit environmental impact
— facilitate escape, muster and evacuation, as necessary.
103 Inter-relationships and requirements for the following systems shall be addressed:
— emergency shutdown system
— fire and gas detection system
— process shutdown system
— drilling and well control systems
— alarm and communication systems
— active fire fighting systems
— ventilation systems
— energy sources and associated utilities required to drive essential and emergency functions.
C. Fail-Safe Functionality
C 100 General
101 Upon failure of the shutdown system, all connected systems
shall default to the safest condition for the unit or installation.
102 The safest conditions for the systems onboard shall be defined. The safest conditions defined in Table C1 shall normally apply. Deviation from the requirements of Table C1 shall be justified.
Guidance note:
This is primarily intended for systems shutdown/operation and not individual components within the system. The table is not intended to be comprehensive, so other safety-related systems should also be considered in a similar way.
---e-n-d---o-f---G-u-i-d-a-n-c-e---n-o-t-e---
Table C1 Safest conditions and corresponding output circuit configuration

| System | Safest condition in case of failure to the shutdown system | Output circuit configuration |
|---|---|---|
| Process plant including associated utilities | Shut down | NE |
| Drilling system | Operational 1) | NDE |
| Fire pump drivers (start function) | Operational | NE |
| Electrical power generation, including required auxiliary systems, for units not dependent upon active position keeping | Shut down 2) | NE |
| Electrical power generation, including required auxiliary systems, for units dependent upon active position keeping | Operational 2) | NDE |
| Uninterruptible power supplies for power generation, control and safety systems | Operational 2) | NDE |
| Propulsion and steering for units not dependent upon active position keeping | Shut down 2) | NE |
| Propulsion and steering for units dependent upon active position keeping | Operational | NDE |
| Turret locking and turning systems 3) | | |
| Utility systems which do not affect essential functions | Shut down | NE |

1) See DNV-OS-E101 for further details.
2) Some installations may have multiple operational modes, e.g. storage units intended to transport crude oil to port. In such cases, the safest conditions for each operational mode shall be identified and implemented (e.g. through facilities for by-pass of high level ESD trips during transit).
3) A detailed study of the different failure modes shall be required for installations that depend on the ability to release or rotate the turret. Effects of torque from mooring lines, friction, design limitations on fluid transfer systems and fairleads etc. will need to be addressed.

NDE = normally de-energised; NE = normally energised
103 In the context of this section, 'circuit' is
defined as any signal transfer facility, e.g. electrical, pneumatic, hydraulic,
optical or acoustic.
104 Failures to be considered for the shutdown system shall include broken connections and short circuits on input and output circuits, loss of power supply and, if relevant, loss of communication with other systems.
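As an added illustration of C 102 to C 104 (example code, not part of the standard or any certified ESD product), the following model checks whether each Table C1 output circuit configuration actually delivers the stated safest condition under the failures listed in C 104. The modelling assumptions (each failure leaves the circuit de-energised; NE executes the function's fail action when de-energised, NDE does nothing when de-energised) and the "start"/"stop" function attribute are this example's, not the standard's.

```python
from dataclasses import dataclass

# Failures the shutdown system must be assessed against (C 104).
FAILURES = ("broken connection", "short circuit",
            "loss of power supply", "loss of communication")

@dataclass(frozen=True)
class Output:
    system: str             # row of Table C1
    safest: str             # "Shut down" or "Operational", from Table C1
    config: str             # "NE" or "NDE", from Table C1
    function: str = "stop"  # "start" only for the fire pump driver row

def state_after_failure(out: Output, failure: str) -> str:
    """State the system lands in when the named failure hits its output circuit.
    Modelling assumption: every C 104 failure leaves the circuit de-energised.
    NE holds the function in its normal state, so de-energising executes the
    fail action (stop -> shut down, start -> running); NDE acts only when
    energised, so a de-energised circuit leaves the system operational."""
    if failure not in FAILURES:
        raise ValueError(f"failure mode not assessed: {failure}")
    if out.config == "NDE":
        return "Operational"
    return "Operational" if out.function == "start" else "Shut down"

def check_fail_safe(outputs):
    """Return {system: state reached} for every output whose post-failure state
    differs from the Table C1 safest condition; an empty dict means compliant."""
    problems = {}
    for out in outputs:
        states = {state_after_failure(out, f) for f in FAILURES}
        if states != {out.safest}:
            problems[out.system] = ", ".join(sorted(states))
    return problems

TABLE_C1 = [  # a subset of the rows of Table C1
    Output("Process plant including associated utilities", "Shut down", "NE"),
    Output("Drilling system", "Operational", "NDE"),
    Output("Fire pump drivers (start function)", "Operational", "NE", "start"),
    Output("Power generation, units dependent upon active position keeping", "Operational", "NDE"),
    Output("Propulsion and steering, units not dependent upon active position keeping", "Shut down", "NE"),
    Output("Utility systems which do not affect essential functions", "Shut down", "NE"),
]

# Constructed miswiring for contrast: a drilling trip on a normally energised
# circuit would shut down drilling whenever the ESD system itself fails.
MISWIRED = [Output("Drilling system", "Operational", "NE")]
```

Running `check_fail_safe(TABLE_C1)` returns an empty dict, while the constructed `MISWIRED` row is reported as reaching "Shut down" instead of "Operational".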
D. Protection Systems and Shutdown Logic
D 100 General
101 Shutdown shall be executed in a pre-determined, logical manner
to meet the objectives defined in Sec.5 B. Definition of the logic
and required response time shall include consideration of interactions
between systems and dynamic effects, e.g. for process plant.
102 A shutdown logic shall
be implemented to determine the response to different degrees of
emergency or upset condition. The shutdown logic should be as simple
as possible. The shutdown logic given in Fig.1 shall be applied
as a basis with additional due recognition of installation specific
requirements.
103 Mobile drilling units: see Sec.8 for simplified alternatives applicable to mobile drilling units.
Fig. 1 Outline of emergency shutdown logic
104 Shutdown shall not result in adverse cascade effects, which
depend on activation of other protection devices to maintain a plant
in a safe condition. The shutdown system shall be designed to ensure
that any ongoing operations can be terminated safely when a shutdown
is activated.
105 Shutdown shall not require unrealistically quick, undependable
or complex intervention by the operator.
106 Shutdown on a hierarchical level shall automatically include
shutdowns on lower levels.
107 The process protection system and shutdown logic shall be
based on guidance given in API RP 14C or ISO 10418.
108 Shutdown shall initiate an alarm at the control station. The initiating device and the operating status of devices affected by the shutdown action shall be indicated at the control station (e.g. valve position, unit tripped, etc.).
109 Gas detection shall initiate alarm in the crane cabin. Non-operational
cranes shall be automatically de-energised if hydrocarbon gas is
detected in the vicinity of the crane. Operational cranes shall
be subject to manual isolation of uncertified electrical equipment
and other ignition sources.
110 Personnel lifts, work platforms and other man-riding equipment
shall be designed to enable safe escape after an emergency shutdown,
e.g. by controlled descent to an access point on a lower level.
111 Systems which are not permanently attended during operation,
and which could endanger safety if they fail, shall be provided
with automatic safety control, alert and alarm systems.
112 Plants that are protected by automatic safety systems shall
have pre-alarms to alert when operating parameters are exceeding
normal levels.
113 The shutdown command shall not be automatically reset. Significant
shutdown devices, (e.g. wellhead valves, riser ESD valves) shall
be reset locally following recognition and reset at the main control
room.
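The hierarchy and latching rules of D 106, D 108 and D 113 can be exercised with a small model of the ESD central (added example, not code from the standard or from any ESD vendor). It assumes the three shutdown levels of Table E1 (APS above ESD above PSD), a constructed device list, and the reading that "significant" devices are released only by a local reset that follows reset at the main control room.

```python
LEVELS = ("APS", "ESD", "PSD")  # Table E1 levels, highest first

class ESDCentral:
    """Latching, hierarchical shutdown logic (model, not a certified ESD product)."""

    def __init__(self, devices, significant):
        self.devices = dict(devices)         # device -> shutdown level that trips it
        self.significant = set(significant)  # devices needing local reset (D 113)
        self.tripped = set()                 # devices currently held in shutdown
        self.ack = set()                     # levels reset at the main control room
        self.log = []                        # (level, initiating device), for D 108

    def trip(self, level, initiating_device):
        """Latch a shutdown at `level`; per D 106 all lower levels are included."""
        rank = LEVELS.index(level)
        for dev, lvl in self.devices.items():
            if LEVELS.index(lvl) >= rank:
                self.tripped.add(dev)
                self.ack.discard(lvl)        # a fresh trip voids any earlier reset
        self.log.append((level, initiating_device))
        return sorted(self.tripped)

    def active_levels(self):
        return [lvl for lvl in LEVELS
                if any(self.devices[d] == lvl for d in self.tripped)]

    def reset_at_control_room(self, level):
        """D 113: no automatic reset; the operator resets a level at the main
        control room. Devices not classed as significant are released here."""
        self.ack.add(level)
        for dev in list(self.tripped):
            if self.devices[dev] == level and dev not in self.significant:
                self.tripped.discard(dev)

    def reset_local(self, device):
        """D 113: a significant device is reset locally only after the main
        control room has reset its level. Returns whether the reset was accepted."""
        if self.devices[device] not in self.ack or device not in self.tripped:
            return False
        self.tripped.discard(device)
        return True

# Constructed plant: two significant ESD valves and one process shutdown valve.
central = ESDCentral(
    {"riser ESD valve": "ESD", "wellhead valve": "ESD", "separator inlet valve": "PSD"},
    significant=["riser ESD valve", "wellhead valve"],
)
```

An ESD trip from the driller's cabin push button therefore closes all three valves; a control-room reset of PSD releases the separator valve, but the two ESD valves stay closed until the ESD level is reset in the control room and each valve is then reset locally.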
E. Automatic and Manual Shutdown
E 100 General
101 Shutdowns shall normally be automatically initiated; however, solely manually initiated actions may be provided where automatic action could be detrimental to safety, e.g. during drilling and dynamic positioning.
102 Alarm for manual initiation shall be clear, and shall be readily
identifiable at a permanently manned control station. The operator
must have sufficient time to acknowledge and execute shutdown before
an incident escalates. Manual activation shall be simple and quick
to operate.
103 In all shutdown systems, it shall be possible to manually
activate all levels of shutdown at the main control station.
104 Other manual shutdown buttons shall be located at strategic locations on the unit or installation. Locations indicated in Table E1 shall be applied as a basis with additional consideration given to installation-specific requirements.
Table E1 Location of push buttons for manual shutdown

| Shutdown level | Location of push-button |
|---|---|
| Abandon platform (APS) | main and emergency control rooms; muster stations, lifeboat stations and helicopter deck; bridge connections between platforms |
| Emergency shutdown (ESD) | As for APS, plus: process control room; driller's control cabin; exits from process, drilling, wellhead, riser areas etc.; along main escape routes |
| Process shutdown (PSD) | main control room; process control room; exits from process, drilling, wellhead, riser areas etc.; along main escape routes |
| Manually activated call point (MAC) | Readily available for use in all normally manned areas |

It may be appropriate to limit the number of field installed pushbuttons for lower level trips (e.g. for PSD) in order to avoid confusion about their use.
105 For mobile offshore drilling units the arrangement shall as a minimum comply with IMO MODU Code Sec. 6.5.
F. Certification of Electrical Equipment for Use in an Emergency
F 100 General
101 The following systems shall be operable after "Abandon Platform" (APS) shutdown:
— emergency lighting, for half an hour, at:
  — every embarkation station on deck and over sides
  — in all service and accommodation alleyways, stairways and exits, personnel lift cars, and personnel lift trunks
  — in the machinery spaces and main generating stations including their control positions
  — in all control stations and machinery control rooms
— blowout preventer control
— general alarm
— public address
— battery supplied radio-communication.
102 Electrical equipment left operational after APS shutdown shall
be certified for operation in zone 2 areas with the exceptions given
in 104.
103 Electrical equipment located in non-hazardous areas which
is affected by a gas release, and left operational after gas detection
shall be certified for zone 2, with the exceptions given in 104.
104 Safety critical, uncertified electrical equipment may be left operational after ESD or gas detection affecting its area of location, provided that the ventilation to the room where the equipment is located is efficiently isolated. Typical living quarter design will meet this requirement; other enclosed spaces will be specially considered.