§ 33 Emergency shut-down system
Onshore facilities shall have an emergency shutdown system that can prevent the development of hazard and accident situations and limit the consequences of accidents, cf. Section 10. The system shall be able to perform the intended functions independently of other systems.
The emergency shutdown system shall be designed so that it enters or maintains a safe condition if a fault occurs that can prevent the system from functioning. The emergency shutdown system shall have a simple and clear command structure. The system shall be capable of being activated manually from release stations that are located in strategic locations at the onshore facility. It shall be possible to manually activate functions from the central control room that bring the onshore facility to a safe condition in the event of a fault in the parts of the system that can be programmed.
Emergency shutdown valves shall be installed that can stop streams of hydrocarbons and chemicals to and from the onshore facility, and which isolate the onshore facility's fire areas.
Section last changed: 01 January 2011
As regards the design of the emergency shutdown system, Chapters 7 and 8 of the NS-EN ISO 13702 standard, as well as Attachments B.2 and B.3 should be used.
The requirement for independence as mentioned in the first subsection, implies that the fire and gas detection system comes in addition to systems for management and control and other safety systems. The emergency shutdown system can interface vis-à-vis other systems if it cannot be adversely affected as a consequence of system failures, failures or individual incidents in these systems.
An unambiguous command structure as mentioned in the second subsection, means that the flow of signals and command hierarchy is clearly stated. The requirement to be able to activate functions manually in the event of failure in the programmable parts of the system, implies that the activation of the functions shall be functionally designed and physically different from the programmable parts of the system.
The requirement for shutdown and isolation as mentioned in the third subsection, entails that sectioning valves in the process facility and isolation valves towards pipeline systems shall normally be emergency shutdown valves.
The number and placing of sectioning valves in the processing plant should be determined on the basis of the fire and explosion strategy, cf. Section 6.
The emergency shutdown system should be verified in accordance with the safety integrity levels set based on the IEC 61508 and 61511 standards. As regards facilities that are not covered by this standard, the operability should be verified through a full-scale function test at least once each year. The test should cover all parts of the safety function, including closing of valves. The test should also include measurement of interior leakage through closed valves. Recording of the plant's or equipment's functionality in situations where the function is triggered or put to use, can replace testing of the installation or the equipment.