Add to collection(s) Add to saved
  1. No category
Uploaded by Henrique Campaneli

API-14C-2017-Analysis-Design-Installation-And-Testing-Of-Safety-Systems-For-Offshore-Production-Facilities-Apiasme-Practice-Test

advertisement 
Analysis, Design, Installation,
and Testing of Safety Systems
for Offshore Production Facilities
API RECOMMENDED PRACTICE 14C
EIGHTH EDITION, FEBRUARY 2017
Special Notes
API publications necessarily address problems of a general nature. With respect to particular circumstances, local,
state, and federal laws and regulations should be reviewed.
Neither API nor any of API's employees, subcontractors, consultants, committees, or other assignees make any
warranty or representation, either express or implied, with respect to the accuracy, completeness, or usefulness of the
information contained herein, or assume any liability or responsibility for any use, or the results of such use, of any
information or process disclosed in this publication. Neither API nor any of API's employees, subcontractors,
consultants, or other assignees represent that use of this publication would not infringe upon privately owned rights.
API is not undertaking to meet the duties of employers, manufacturers, or suppliers to warn and properly train and
equip their employees, and others exposed, concerning health and safety risks and precautions, nor undertaking their
obligations to comply with authorities having jurisdiction.
Information concerning safety and health risks and proper precautions with respect to particular materials and
conditions should be obtained from the employer, the manufacturer or supplier of that aterial, or the material safety
datasheet.
Work sites and equipment operations may differ. Users are solely responsible for assessing their specific equipment
and premises in determining the appropriateness of applying the provisions of this recommended practice. At all
times users should employ sound business, scientific, engineering, and judgment safety when using this
recommended practice.
Classified areas may vary depending on the location, conditions, equipment, and substances involved in any given
situation. Users of this recommended practice should consult with the appropriate authorities having jurisdiction.
API publications may be used by anyone desiring to do so. Every effort has been made by the Institute to ensure the
accuracy and reliability of the data contained in them; however, the Institute makes no representation, warranty, or
guarantee in connection with this publication and hereby expressly disclaims any liability or responsibility for loss or
damage resulting from its use or for the violation of any authorities having jurisdiction with which this publication may
conflict.
API publications are published to facilitate the broad availability of proven, sound engineering and operating
practices. These publications are not intended to obviate the need for applying sound engineering judgment
regarding when and where these publications should be utilized. The formulation and publication of API publications
is not intended in any way to inhibit anyone from using any other practices.
Any manufacturer marking equipment or materials in conformance with the marking requirements of an API standard
is solely responsible for complying with all the applicable requirements of that standard. API does not represent,
warrant, or guarantee that such products do in fact conform to the applicable API standard.
All rights reserved. No part of this work may be reproduced, translated, stored in a retrieval system, or transmitted by any means,
electronic, mechanical, photocopying, recording, or otherwise, without prior written permission from the publisher. Contact the
Publisher, API Publishing Services, 1220 L Street, NW, Washington, DC 20005.
Copyright © 2017 American Petroleum Institute
Foreword
Other API documents for safety and antipollution systems used in offshore oil and gas production include the
following:
— API Recommended Practice 14E, Recommended Practice for Design and Installation of Offshore Production
Platform Piping Systems;
— API Recommended Practice 14F, Design, Installation, and Maintenance of Electrical Systems for Fixed and
Floating Offshore Petroleum Facilities for Unclassified and Class 1, Division 1 and Division 2 Locations;
— API Recommended Practice 14G, Recommended Practice for Fire Prevention and Control on Fixed Open-type
Offshore Production Platforms;
— API Recommended Practice 14J, Recommended Practice for Design and Hazards Analysis for Offshore
Production Facilities;
— API Recommended Practice 17V, Recommended Practice for Analysis, Design, Installation, and Testing of
Safety Systems for Subsea Applications;
—
API Recommended Practice 75, Recommended Practice for Development of a Safety and Environmental
Management Program for Offshore Operations and Facilities.
The verbal forms used to express the provisions in this document are as follows:
Shall: As used in a standard, “shall” denotes a minimum requirement in order to conform to the standard.
Should: As used in a standard, “should” denotes a recommendation or that which is advised but not required in order
to conform to the standard.
May: As used in a standard, “may” denotes a course of action permissible within the limits of a standard.
Can: As used in a standard, “can” denotes a statement of possibility or capability.
Nothing contained in any API publication is to be construed as granting any right, by implication or otherwise, for the
manufacture, sale, or use of any method, apparatus, or product covered by letters patent. Neither should anything
contained in the publication be construed as insuring anyone against liability for infringement of letters patent.
This document was produced under API standardization procedures that ensure appropriate notification and
participation in the developmental process and is designated as an API standard. Questions concerning the
interpretation of the content of this publication or comments and questions concerning the procedures under which
this publication was developed should be directed in writing to the Director of Standards, American Petroleum
Institute, 1220 L Street, NW, Washington, DC 20005. Requests for permission to reproduce or translate all or any part
of the material published herein should also be addressed to the director.
Generally, API standards are reviewed and revised, reaffirmed, or withdrawn at least every five years. A one-time
extension of up to two years may be added to this review cycle. Status of the publication can be ascertained from the
API Standards Department, telephone (202) 682-8000. A catalog of API publications and materials is published
annually by API, 1220 L Street, NW, Washington, DC 20005.
Suggested revisions are invited and should be submitted to the Standards Department, API, 1220 L Street, NW,
Washington, DC 20005, standards@api.org.
iii
Contents
Page
1
Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
2
Normative References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
3
3.1
3.2
Terms, Definitions, Acronyms, and Abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Terms and Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Acronyms and Abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
4
4.1
4.2
4.3
4.4
4.5
Safety Device Symbols and Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Functional Device Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Symbols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Component Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Example Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
11
11
11
11
11
11
5
5.1
5.2
5.3
5.4
Safety Analysis and System Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Purpose and Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Safety Flow Chart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Safety System Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Premises for Basic Analysis and Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
16
16
16
18
18
6
6.1
6.2
6.3
6.4
Protection Concepts and Safety Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Protection Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Safety Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Analysis and Design Procedure Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
19
19
19
31
32
Annex A (normative) Process Component Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Annex B (informative) Examples of Safety Analysis Flow Diagram and SAFE Chart . . . . . . . . . . . . . . . . . . . . 81
Annex C (informative) Remote Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Annex D (normative) Safety System Bypassing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Annex E (normative) High-Integrity Pressure Protection Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Annex F (informative) Logic Solver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Annex G (normative) Emergency Support Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Annex H (informative) Toxic Gases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Annex I (normative) Testing and Reporting Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Figures
1
Scope of API 14C vs API 17V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
2
Examples of Safety Device Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
3
Offshore Production Facility Safety Flow Chart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
A.1 Safety Devices: Dry Tree Wellhead Flowlines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
A.2 Safety Devices: Underwater Wellhead Flowlines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
A.3 Satellite Well. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
A.4 Safety Devices: Dry Tree Wellhead Injection Lines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
A.5 Safety Devices: Headers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
A.6 Safety Devices: Pressure Vessels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
A.7 Safety Devices: Atmospheric Vessels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
A.8 Safety Devices: Typical Fired Vessel (Natural Draft) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
A.9 Safety Devices: Typical Fired Vessel (Forced Draft) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
A.10 Safety Devices: Exhaust-heated Component . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
v
Contents
Page
A.11
A.12
A.13
A.14
A.15
A.16
A.17
A.18
B.1
B.2
B.3
B.4
Safety Devices: Pipeline Pump . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Safety Devices: Glycol-powered Glycol Pump . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Safety Devices: Other Pump . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Safety Devices: Simple Overhung Centrifugal Pump Seal System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Safety Devices between the Bearings Type Centrifugal Pump Seal System . . . . . . . . . . . . . . . . . . . . . . . 64
Safety Devices: Compressor Unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Safety Devices: Pipelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Safety Devices: Heat Exchangers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Example Safety Analysis Flow Diagram of Platform Production Process . . . . . . . . . . . . . . . . . . . . . . . . . 83
Example SAFE Chart. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Example Process Component Diagram for a Natural Draft Burner on a Pressure Vessel . . . . . . . . . . . . 90
Resulting Process Component Diagram for a Natural Draft Burner on a Pressure Vessel
after Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
B.5 Example Heater Treater SAFE Chart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
B.6 Blank SAFE Chart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
G.1 Gas Detector Spacing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Tables
1
Sensing and Self-acting Safety Device Symbols. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2
Actuated Valve Safety Device Symbols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
3
Component Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
A.1 Flowline Segment Safety Analysis Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
A.2 Flowline Segment Safety Analysis Checklist. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
A.3 Safety Analysis Table: Dry Tree Wellhead Injection Lines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
A.4 Safety Analysis Checklist: Dry Tree Wellhead Injection Lines. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
A.5 Safety Analysis Table: Headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
A.6 Safety Analysis Checklist: Headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
A.7 Safety Analysis Table: Pressure Vessels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
A.8 Safety Analysis Checklist: Pressure Vessels. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
A.9 Safety Analysis Table: Atmospheric Vessels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
A.10 Safety Analysis Checklist: Atmospheric Vessels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
A.11 Safety Analysis Table: Fired Components, Natural Draft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
A.12 Safety Analysis Table: Fired Components, Forced Draft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
A.13 Safety Analysis Table: Exhaust-heated Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
A.14 Safety Analysis Checklist: Fired and Exhaust-heated Components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
A.15 Safety Analysis Table: Pumps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
A.16 Safety Analysis Checklist: Pumps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
A.17 Safety Analysis Table: Compressors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
A.18 Safety Analysis Checklist: Compressors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
A.19 Safety Analysis Table: Pipelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
A.20 Safety Analysis Checklist: Pipelines. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
A.21 Safety Analysis Table: Heat Exchangers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
A.22 Safety Analysis Checklist: Heat Exchangers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
G.1 Guidelines for Fusible Plug Installations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
G.2 Guidelines for Combustible Gas Detectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
I.1 Safety Device Test Procedure Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
I.2 Safety Device Test Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
vi
Introduction
This document presents a systematization of proven practices for providing a safety system for offshore production
facilities. Proper application of these practices, along with good design, hazard analysis, maintenance, and operation
of the entire production facility, should provide an operationally safe facility.
The title of this document has been amended to include both fixed and floating facilities.
The Eighth Edition of this document is updated to include the changes in safety systems technology and provides
additional guidance for facility safety systems as they have become larger, more complex, and moved into deeper
water. Added requirements include extensive emphasis on the performing of hazards analysis due to increased flow
rates, pressures, temperatures, and water depth.
This document has been developed in coordination with the first edition of API 17V, Recommended Practice for
Analysis, Design, Installation, and Testing of Safety Systems for Subsea Applications.
Key changes to the main document include better alignment with API Standard 521, Pressure-relieving and
Depressuring Systems, additional requirements for pumps and compressors greater than 1000 hp, and additional
requirements to protect against backflow and settle-out pressures. Low-temperature hazards have been addressed
for the first time, and the definitions section has been expanded.
All annexes have been defined as normative or informative and the analysis tables from the seventh edition have
been removed. New annexes cover high-integrity pressure protection systems (HIPPS), logic solvers, bypassing, and
remote operations. While HIPPS has been presented as an option for overpressure protection of multiple
components, an HIPPS is used after thorough consideration of other alternatives. Caution should be applied when
using HIPPS given the rigorous design, testing, and maintenance requirements for the system.
vii
Analysis, Design, Installation, and Testing of Safety
Systems for Offshore Production Facilities
1
Scope
This document presents provisions for designing, installing, and testing both process safety and non-marine
emergency support systems (ESSs) on an offshore production facility. The basic concepts of a facility safety
system are discussed, and protection methods and requirements of the system are outlined.
API 14C
For the purposes of this document, all process components from the surface wellhead and/or topside
boarding valve are considered. For subsea equipment, Figure 1 provides a description between the scope of
API 17V and this document.
PSS
ESS
PSHL
CIU
BSDV
SDV
DCS Node or MCS
EPU
HPU
TUTA
Water Line
Umbilical
API 17V
Production Flowline
Flying Leads
UTH
Production Tree
Production
Manifold,
Boosting,
Separation,
Compression,
HIPPS,
SSIV
Jumper
Flying Leads
Flying Leads
Injection Tree
Flying Leads
SCSSV
Injection Flowline
Jumper
Injection Manifold
SCSSV
Reservoir
Figure 1—Scope of API 14C vs API 17V
API 17V is a companion document, which provides guidance for subsea safety systems. This document
illustrates how system analysis methods can be used to determine safety requirements to protect common
process components. Actual analyses of the principal components are developed in such a manner that the
requirements are typically applicable whenever the component is used in the process. However, it is
incumbent on the user to apply appropriate additional hazardous analysis methodologies to ensure that
hazards are identified and mitigated.
This document also includes:
a)
a method to document and verify process safety system functions [i.e. safety analysis function
evaluation (SAFE chart)];
1
2
API RECOMMENDED PRACTICE 14C
b)
design guidance for ancillary systems such as pneumatic supply systems and liquid containment
systems;
c)
a uniform method of identifying and symbolizing safety devices;
d)
procedures for testing common safety devices with recommendations for test data and acceptable test
tolerances.
Detailed process safety system design is not discussed and should be left to the discretion of the designer as
long as the recommended safety functions are properly implemented. Rotating machinery is considered in
this document as a unitized process component as it interfaces with the platform safety system. When
rotating machinery (such as a pump or compressor) installed as a unit consists of several process
components, each component can be analyzed as prescribed in this document.
Annex A contains a safety analysis for each process component commonly used in a production process,
including a checklist of additional criteria for consideration when the component is used in a specific process
configuration.
2
Normative References
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document applies (including any addenda/errata).
API Specification 6A, Specification for Wellhead and Christmas Tree Equipment
API Specification 6AV1, Specification for Validation of Wellhead Surface Safety Valves and Underwater
Safety Valves for Offshore Service
API Specification 6FA, Specification for Fire Test for Valves
API Recommended Practice 75, Recommended Practice for Development of a Safety and Environmental
Management Program for Offshore Operations and Facilities
API Standard 521, Pressure-relieving and Depressuring Systems
API Standard 607, Fire Test for Quarter-turn Valves and Valves Equipped with Nonmetallic Seats
1
IEC 61508-2 , Functional safety of electrical/electronic/programmable electronic safety-related systems—
Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
IEC 61508-3, Functional safety of electrical/electronic/programmable electronic safety-related systems—Part
3: Software requirements
3
Terms, Definitions, Acronyms, and Abbreviations
3.1
Terms and Definitions
For the purposes of this document, the following terms and definitions apply.
3.1.1
abnormal operating condition
Condition that occurs in a process component when an operating variable ranges outside of its normal
operating limits.
1
International Electrotechnical Commission, 3, rue de Varembé, P.O. Box 131, CH-1211, Geneva 20, Switzerland,
www.iec.ch.
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
3
3.1.2
atmospheric service
Operation at gauge pressures between 0.5 ounce psi (0.2 kPa) vacuum and 5 psi (35 kPa) pressure.
3.1.3
backflow
Fluid flow in a process component opposite to the normal flow direction.
3.1.4
blowdown valve
An automatically operated valve used to vent the pressure from a process station.
3.1.5
boarding shutdown valve
BSDV
A shutdown valve (SDV) (3.1.68) installed on a production facility that isolates the subsea wellhead
flowlines from the production facility.
NOTE
See Figure 1.
3.1.6
classified area
Any area electrically classified in accordance with API 500 or API 505.
3.1.7
containment
Any method used on an offshore facility to collect and direct escaped liquid hydrocarbons to a safe location.
3.1.8
control circuit
Electrical, pneumatic hydraulic transmission system (e.g. wiring, tubing, relays) and logic solver (hardware
and software) used to connect associated sensors and final elements.
3.1.9
detectable abnormal condition
An abnormal operating condition that can be automatically detected.
3.1.10
direct ignition source
An exposed surface, flame, or spark at sufficient temperature and heat capacity to ignite combustibles.
3.1.11
emergency evacuation/muster station
A location where personnel gather in the case of an emergency and develop plans to either contend with the
emergency or evacuate.
NOTE
The location is typically inside or adjacent to the quarters and near the means of evacuation such as lifeboats.
3.1.12
emergency shutdown system
ESD system
System of manual stations that initiates facility shutdown when activated.
NOTE Activation of the ESD system can also be initiated automatically by fire detection devices and other safety
devices.
4
API RECOMMENDED PRACTICE 14C
3.1.13
emergency support system
ESS
A portion of the overall facility safety system consisting of the ESD, fire detection, gas detection, ventilation,
containment systems, sumps, blowdown system, and subsurface safety valves (SSSVs).
3.1.14
excess temperature
Temperature in a process component in excess of the minimum/maximum allowable working temperature.
3.1.15
facility
A vessel, a structure, or an artificial island used for production operation.
3.1.16
facility safety system
An arrangement of safety devices and ESSs to affect platform shutdown.
NOTE The system can consist of a number of individual process shutdowns and can be actuated by either manual
devices or automatic devices sensing detectable abnormal conditions.
3.1.17
facility shutdown
The shutting in of all process stations of a facility production process and all support equipment for the process.
3.1.18
fail closed valve
A valve that shifts to the closed position upon loss of the power medium.
3.1.19
fail open valve
A valve that shifts to the open position upon loss of the power medium.
3.1.20
failsafe
A mechanism capable of returning to a safe state in case there is a failure.
3.1.21
failure
Improper performance or operation of a device or equipment item that prevents completion of its design
function or intent.
3.1.22
final element
Part of a safety instrumented system that implements the physical action necessary to achieve a safe state.
EXAMPLE Examples are valves, switch gear, and motors, including their auxiliary elements, e.g. a solenoid valve and
actuator if involved in the safety instrumented function.
3.1.23
fire detection system
A system utilizing pneumatic fusible elements [temperature safety element (TSE)] or various electrical fire
detection devices, including flame (USH), thermal (TSH), or smoke (YSH) detection devices, installed to
detect fires.
3.1.24
fired vessel
A vessel in which the temperature of a fluid is increased by the addition of heat supplied by a flame within the
vessel.
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
5
3.1.25
flame failure
A flame that is inadequate to instantaneously ignite combustible vapors entering the firing chamber.
3.1.26
flowline
Piping that directs the well stream from the wellhead to the first downstream process component.
3.1.27
flowline segment
Any portion of a flowline that has an operating pressure different from another portion of the same flowline.
3.1.28
functional independence
Designed to be separate to the extent that a failure in one system cannot compromise the functional integrity
(safety) of the other system.
3.1.29
gas blow-by
The discharge of gas from a process component through a liquid outlet.
3.1.30
gas detection system
A system that monitors the concentration of combustible or toxic gases and initiates alarm and shutdown
functions at predetermined concentrations.
3.1.31
high liquid level
Liquid level in a process component above the highest operating level.
3.1.32
high pressure
Pressure in a process component in excess of the maximum operating pressure but less than the maximum
allowable working pressure (MAWP) [for pipelines, maximum allowable operating pressure (MAOP)].
3.1.33
high temperature
Temperature in a process component in excess of the design operating temperature.
3.1.34
indirect heated component
Vessel or heat exchanger used to increase the temperature of a fluid by the transfer of heat from another
fluid, such as steam, hot water, hot oil, or other heated medium.
3.1.35
Joule-Thomson effect
JT effect
Cooling effect resulting from the expansion of gases.
3.1.36
leak
An unplanned or uncontrolled release from a process component of liquid and/or gaseous hydrocarbons to
atmosphere.
3.1.37
liquid overflow
The discharge of liquids from a process component through a gas (vapor) outlet.
6
API RECOMMENDED PRACTICE 14C
3.1.38
logic function
A function that performs the transformations between input information (provided by one or more input
functions) and output information (used by one or more output functions).
3.1.39
logic solver
That portion of a safety system that performs one or more logic function(s).
NOTE These logic solvers can be pneumatic, electro-mechanical, programmable electronic (PLC), or hydraulic
technology.
3.1.40
low flow
Flow in a process component less than the minimum operating flow rate.
3.1.41
low liquid level
Liquid level in a process component below the lowest operating level.
3.1.42
low pressure
Pressure in a process component less than the minimum operating pressure.
3.1.43
low temperature
Temperature in a process component less than the minimum operating temperature.
3.1.44
lower explosive limit
LEL
The lowest concentration by volume of combustible gases in mixture with air that can be ignited at ambient
conditions, also known as lower flammability limit (LFL).
3.1.45
low-volume pump
1
A sump pump, chemical injection pump, or transfer pump that has a discharge rating of less than /2 gallon
per minute (gpm).
3.1.46
malfunction
Any condition of a device or an equipment item that causes it to operate improperly, but does not prevent the
performance of its design function.
3.1.47
maximum allowable operating pressure
MAOP
The highest operating pressure allowable at any point in a pipeline system during normal flow or static
conditions.
3.1.48
maximum allowable working pressure
MAWP
The highest operating pressure allowable at any point in any component other than a pipeline during normal
operation or static conditions.
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
7
3.1.49
nuisance trips
Activation of the safety system due to an internal systems failure or human error.
NOTE
Commonly known as a false or spurious systems failure.
3.1.50
occupied building
A structure (e.g. control room, storage building, quarters, maintenance building) in which at least one person
is present.
3.1.51
occupied facility
A facility on which at least one person occupies an accommodation space (living quarters).
3.1.52
overpressure
Pressure in a process component in excess of the MAWP (for pipelines, MAOPs).
3.1.53
pipeline
Piping that directs fluids between facilities or between a facility and a shore facility.
3.1.54
pneumatic power system
A system that supplies pressure to operate pneumatic actuators, sensors, and control devices.
3.1.55
pressure safety element
PSE
safety head
buckling pin device
A nonreclosing pressure-relief device (PRD) actuated by static differential pressure between the inlet and
outlet of the device and designed to function by the bursting of a rupture disk or buckling of a buckling pin.
NOTE
A pressure safety element includes a rupture disk and a rupture disk holder.
3.1.56
pressure safety valve
PSV
pressure-relief valve
A valve designed to open, relieve excess pressure, and then reclose to prevent further flow of fluid after
normal conditions have been restored.
3.1.57
pressure-relief device
PRD
A device actuated by inlet static pressure and designed to open during emergency or abnormal conditions to
prevent a rise of internal fluid pressure in excess of a specified design value.
NOTE The device also can be designed to prevent excessive internal vacuum. The device can be a pressure-relief
valve, a nonreclosing PRD such as a rupture disk or a buckling pin, a vacuum-relief valve, or a pressure-vacuum relief
valve (PVRV).
3.1.58
pressure-vacuum relief valve
PVRV
A valve that designed to open and relieve excess pressure or vacuum and then reclose to prevent further
flow of fluid in or out after normal conditions have been restored.
8
API RECOMMENDED PRACTICE 14C
3.1.59
process
Any system used to receive, treat, store well fluids, or transmit hydrocarbons produced from a well.
NOTE A process can also include the produced water systems, water injection systems, and injection systems
containing flammable, toxic, or hazardous chemicals.
3.1.60
process component
A single functional piece of production equipment and associated piping used in a process station, such as a
separator, heater, pump, or tank.
3.1.61
process safety system
Devices used on a facility to prevent or mitigate the potentially undesirable events that could occur within the
process.
3.1.62
process shutdown
The isolation of a given process station from the process by closing appropriate SDVs to shut in flow to the
process station or divert flow to another process station.
3.1.63
process station
One or more process components performing a specific process function, such as separating, heating,
pumping, etc.
3.1.64
qualified person
An individual with characteristics or abilities gained through training or experience or both, as measured
against established requirements.
EXAMPLE Standards or tests that enable the individual to perform a required function.
3.1.65
safety device
An instrument or control used within the safety system.
3.1.66
safety function
A function, consisting of one or more sensors, a logic solver, and one or more final elements, implemented
by the safety system and intended to achieve or maintain a safe state for the process with respect to a
specific hazardous event.
3.1.67
sensor
A device that detects an abnormal operating condition and transmits a signal to perform a specific shutdown
function.
3.1.68
shutdown valve
SDV
An automatically operated, fail closed valve used for isolating a process station.
3.1.69
subsurface safety valve
SSSV
A device installed in a well below the wellhead with the design function to prevent uncontrolled well flow
when actuated.
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
9
3.1.70
subsurface-controlled subsurface safety valve
SSCSV
A subsurface safety valve actuated by the pressure characteristics of the well.
NOTE
Also known as a storm choke.
3.1.71
surface safety valve
SSV
An automatic wellhead valve assembly that closes upon loss of power supply.
3.1.72
surface-controlled subsurface safety valve
SCSSV
An SSSV controlled from the surface by hydraulic, electric, mechanical, or other means.
3.1.73
temporary equipment/component
Process equipment and/or safety systems that are temporarily connected and placed in service to existing
permanent process equipment or safety systems.
EXAMPLE
Well cleanup/flowback equipment can be considered temporary equipment.
3.1.74
underpressure
Pressure in a process component less than the design collapse pressure.
3.1.75
undesirable event
An adverse occurrence or situation in a process component or process station that poses a threat to safety,
such as overpressure, underpressure, liquid overflow, etc.
3.1.76
vacuum
Pressure in a process component less than atmospheric pressure.
3.1.77
vent
A pipe or fitting on a vessel that opens to the atmosphere.
NOTE
A vent can be equipped with a PRD and/or vacuum-relief device.
3.1.78
volatile
A flammable liquid whose temperature is above its flash point, or a Class II combustible liquid having a vapor
pressure not exceeding 276 kPa (40 psia) at 37.8 °C (100 °F) whose temperature is above its flash point.
3.2
Acronyms and Abbreviations
CIU
chemical injection utilities
DCS
distributed control system
EPU
electrical power unit
ESD
emergency shutdown
ESS
emergency support system
10
API RECOMMENDED PRACTICE 14C
HIPPS
high-integrity pressure protection system
HMI
human-machine interface
HPU
hydraulic power unit
I/O
input and output
IPM
ignition preventing measure
JT
Joule-Thomson
LEL
lower explosive limit
LFL
lower flammability limit
MAOP
maximum allowable operating pressure
MAWP
maximum allowable working pressure
MCS
master control station
MOC
management of change
NRTL
nationally recognized testing laboratory
PFD
process flow diagram
P&ID
piping and instrument diagram
PRD
pressure-relief device
PSS
PVRV
pressure-vacuum relief valve
SAC
safety analysis checklist
SAFE
safety analysis function evaluation
SAT
safety analysis table
SCSSV
surface-controlled subsurface safety valve
SIS
safety instrumented system
SITP
shut-in tubing pressure
SSCSV
subsurface-controlled subsurface safety valve
SSIV
subsea isolation valve
SSSV
subsurface safety valve
SSV
surface safety valve
TUTA
topside umbilical termination assembly
UPS
uninterruptible power supply
USV
underwater safety valve
UTH
VSH
high-vibration sensor
WDT
watchdog timer
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
4
4.1
11
Safety Device Symbols and Identification
Introduction
A standard method for identifying, abbreviating, and symbolizing individual safety devices is needed to
promote uniformity when describing or referring to safety systems. This method can be used to illustrate
safety devices on piping and instrument diagrams (P&IDs) and other drawings and to identify an individual
safety device for any purpose.
Abbreviations and symbols are derived, insofar as possible, from ISA-5.1. Additional applications that adhere to
this standard may be derived as required. However, certain abbreviations have such wide oil field acceptance
that their continued use is justified even though they do not strictly conform to ISA-5.1. The abbreviations SSV
for surface safety valve, SDV for shutdown valve, and ESD for emergency shutdown are examples.
4.2
Functional Device Identification
Each safety device should be identified by a system of letters used to classify it functionally. The functional
identification includes one first letter covering the measured or initiating variable and one or more succeeding
letters covering the function of the device. The term “safety” (S) applies to safety devices and is used as the
second letter of sensing and self-acting devices.
If two or more devices of the same type are installed on a single component, each device should be
numbered or lettered consecutively and the number or letter shown following the functional identification. If
only one device is installed, the device number or letter may be omitted.
4.3
Symbols
The circular balloon is used to tag distinctive symbols, such as a pressure-relief valve. In such instances, the
line connecting the balloon to the instrument symbol is drawn close to, but not touching, the symbol. In other
instances, the balloon serves to represent the device proper. Table 1 and Table 2 illustrate example symbols
for various safety devices.
4.4
Component Identification
The complete identification of a safety device includes reference to the component that it protects. This is
accomplished by following the device functional identification or device number, if applicable, with a
component identification. Components should be identified in accordance with Table 3.
The first letter is the component type and shall be one of the letters in the code column under component
type. The letter “Z” is used to cover a component not listed.
The second and third letters may be used to further define or otherwise modify the first character.
The last four characters identify the specific component. These characters are user assigned and shall be
unique to the component at the particular location.
4.5
Example Identification
Example applications of the identification method are illustrated in Figure 2.
12
API RECOMMENDED PRACTICE 14C
Table 1—Sensing and Self-acting Safety Device Symbols
Safety Device Designation
Symbol
Variable
Common
ISA
Backflow
Check valve
Flow safety
valve
Burner flame
Burner flame detector
Burner safety
valve
High-flow sensor
Flow safety high
Low-flow sensor
Flow safety low
High-level sensor
Level safety high
Low-level sensor
Level safety low
High-pressure sensor
Pressure
safety high
Low-pressure sensor
Pressure
safety low
Pressure-relief or safety valve
Pressure
safety valve
Rupture disc or buckling pin
Pressure
safety element
Pressure-vacuum relief valve
Pressure
safety valve
Pressure-vacuum relief manhole
cover
Pressure
safety valve
Vent
None
Flow
Level
Pressure
Pressure or
vacuum
Single Device
Combination
Device
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
Table 1—Sensing and Self-acting Safety Device Symbols (Continued)
Safety Device Designation
Symbol
Variable
Common
ISA
Vacuum-relief valve
Pressure
safety valve
Vacuum
Rupture disc or buckling pin
High-temperature sensor
Temperature
safety high
Low-temperature sensor
Temperature safety
low
Flame arrestor
None
Stack arrestor
None
Temperature
Flame
Flame detector
(ultraviolet/infrared)
Heat detector (thermal)
Temperature
safety high
Fire
Smoke detector (ionization)
Fusible material
Temperature
safety high
Combustible gas
concentration
Combustible gas detector
Analyzer
safety high
Toxic gas concentration
Toxic gas detector
Vibration
Vibration safety sensor
Vibration
safety high
Single Device
Combination
Device
13
14
API RECOMMENDED PRACTICE 14C
Table 2—Actuated Valve Safety Device Symbols
Service
Common Symbols
Wellhead surface safety valve or
underwater safety valve (USV)
N/A
N/A
Blowdown valve
All other shutdown valves
Boarding shutdown valves
N/A
Figure 2—Examples of Safety Device Identification
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
15
Table 3—Component Identification
First Letter
Code
Component Type
Second Letter
Common Modifiers
Code
Component
Modifier
A
Atmospheric vessel
(ambient temperature)
BH,BJ,BM
AA
Bidirectional
B
Atmospheric vessel
(heated)
AP,BC,BK,BM
AB
Blowcase
C
Compressor
NONE
AC
Boiler
D
Enclosure
AE,AN,AU,BB
AD
Coalescer
E
Fired or exhaust-heated
component
AL,AW,BN
AE
Compressor
F
Flowline
A1–A9
AF
Contactor
G
Header
AR,AS,AT,AY,AZ
AG
Control unit
H
Heat exchanger
BG, AP
AH
Departing
J
Injection line
AR,AS,AT
AJ
Filter
K
Pipeline
AA,AH,AQ
AK
Filter-separator
L
Platform
AG
AL
Forced draft
M
Pressure vessel
(ambient temperature)
AB,AD,AF,AJ,AK,AM,
AV,BD,BF,BH,BJ,BL,BM
AM
Freewater knockout
N
Pressure vessel
(heated)
AC,AF,AM,AP,BC,BD, BG,BJ,BK
AN
Generator
P
Pump
AX,BA,BE
AP
Heater
Q
Wellhead
AR,AT,AY,AZ
AQ
Incoming
Z
Other
AR
Injection, gas
AS
Injection, gas lift
AT
Injection, water
AU
Meter
AV
Metering vessel
AW
Natural draft
AX
Pipeline
AY
Production,
hydrocarbon
AZ
Production, water
A1-A9
Flowline segment
BA
Process, other
BB
Pump
BC
Reboiler
BD
Separator
BE
Service
BF
Scrubber
BG
Shell and tube,
cooler
BH
Sump
BJ
Tank
BK
Treater
BL
Volume bottle
BM
Water treating
BN
Exhaust heated
ZZ
Other
Succeeding Characters
User assigned identification
unique to equipment at
location
16
5
API RECOMMENDED PRACTICE 14C
Safety Analysis and System Design
5.1
Purpose and Objectives
5.1.1 The purpose of a production facility safety system is to protect personnel, the environment, and the
facility from threats to safety caused by the production process. The purpose of a safety analysis is to identify
undesirable events that can pose a threat to safety or the environment, and define reliable protective
measures that prevent such events or minimize their effects if they occur. Potential threats to safety and/or
the environment are identified through proven systems analysis techniques that have been adapted to the
production process. Recommended protective measures are common industry practices proven through long
experience. The systems analysis and protective measures have been combined into a safety analysis for
offshore production facilities.
5.1.2 The content of this document establishes a firm basis for designing and documenting a production
facility safety system for a process composed of components and systems normally used offshore. It also
establishes guidelines for analyzing components or systems that are new or significantly different from those
covered in this document. However, it is incumbent on the user to apply appropriate additional hazardous
analysis methodologies to ensure that hazards are identified and mitigated.
5.1.3 Before a production facility safety system is placed in operation, procedures should be established to
ensure continued system integrity. Annex B may be used for this purpose.
5.2
Safety Flow Chart
5.2.1 Figure 3 is a safety flow chart depicting the manner in which undesirable events could result in
personnel injury, environmental impact, or facility damage. It also shows where safety devices or procedures
should be used to prevent the propagation of undesirable events. As shown on the chart, the release of
hydrocarbons is a factor in virtually all threats to safety. Thus, the major objective of the safety system should
be to prevent the release of hydrocarbons from the process and to minimize the adverse effects of such
releases if they occur.
5.2.2
Referring to Figure 3, the overall objectives may be enumerated as follows:
a)
prevent undesirable events that could lead to a release of hydrocarbons;
b)
shut in the process or affected part of the process to stop the flow of hydrocarbons to a leak or overflow
if it occurs;
c)
accumulate and recover hydrocarbon liquids and safely disperse gases that escape from the process;
d)
prevent ignition of released hydrocarbons;
e)
shut in the process in the event of a fire;
f)
prevent undesirable events that could cause the release of hydrocarbons from equipment other than that
in which the event occurs.
5.2.3 Accidents occurring external to the process on a production facility are not self-propagating unless they
affect the process. If an external accident can affect the process, the safety system should shut down the
process or affected part of the process. The firefighting and emergency response systems shall be maintained
in operation. Such accidents may be caused by natural phenomenon, ship or helicopter collision, failure of tools
and machinery, or mistakes by personnel. These types of accidents can be prevented or minimized through
safe design of tools and machinery, safe operating procedures for personnel and equipment, and personnel
training. Figure 3 indicates the manner in which external accidents may affect the process.
(a) Applicable only to fired components
(b) Air intake flame arrestor
(c) Stack spark arrestor
(d) Motor starter interlock
(e) For pressure components
(f) For atmospheric components
NOTE
TSE designations are symbolic and are not intended to reflect actual location or quantity.
Figure 3—Offshore Production Facility Safety Flow Chart
18
5.3
API RECOMMENDED PRACTICE 14C
Safety System Operation
The safety system provides protection in all of the following ways:
a)
automatic monitoring and automatic protective action if an abnormal condition indicating an undesirable
event can be detected by a sensor,
b)
protective action manually actuated by personnel who observe or are alerted to an unsafe condition by
an alarm,
c)
continuous protection by support systems that minimize the effects of escaping hydrocarbons.
The emergency shutdown (ESD) system is required for all offshore facilities. These ESD systems are
required for those facilities that are not continuously occupied, because many accidents and failures are
caused by human error and can occur on normally unoccupied facilities during those times when personnel
are aboard and conducting maintenance or other activities. Thus, personnel may be available to actuate the
ESD system.
A system to remotely control the facility safety system and process control system may be installed to
monitor, control, open, close, and restart specific wells, pipelines, and process components remotely. See
Annex C for further details on remote operations.
5.4
Premises for Basic Analysis and Design
5.4.1 The analysis and design procedures for a platform safety system are based on the premises
described in 5.4.2 through 5.4.10.
5.4.2 The process facility shall be designed for safe operation in accordance with good engineering
practices.
5.4.3 The safety system provides two levels of protection to prevent or minimize the effects of an
equipment failure within the process. In general, the two levels should be provided by functionally different
types of safety devices for a wider spectrum of coverage. Two identical devices would have the same
characteristics and might have the same inherent weaknesses.
5.4.4 The two levels of protection should be the highest order (primary) and next highest order (secondary)
available. Judgment is required to determine these two highest orders for a given situation. Preference shall
be given to prevention as opposed to mitigation measures. As an example, two levels of protection from a
rupture due to overpressure would be provided by a PSH and a PRD. The PSH prevents the rupture by
shutting in affected equipment before pressure becomes excessive, and a PRD is selected because it
prevents the rupture by relieving excess volumes to a safe location. In this case the PSH would be the
primary device because it prevents the overpressure at a level below the set point of the PRD. In some
cases a PRD’s fast response can prevent a rupture in situations where the PSH might not effect corrective
action fast enough.
5.4.5 The safety devices shall be independent of and in addition to the control devices used in normal
process operation. Process connections between control and safety devices should be independent to
eliminate common cause failures. For example, the LSH and the level control device would have separate
process connections for high level in a vessel.
5.4.6 The use of proven systems analysis techniques, such as those provided in 6.4, will determine the
minimum safety requirements for a process component. If such an analysis is applied to the component as
an independent unit, assuming worst-case conditions of input and output, the analysis is valid for that
component in any process configuration.
5.4.7 All temporary and permanent process components, associated with a production facility, comprise
the entire process from the wellhead to the most downstream discharge point; thus, all process equipment
and functions are incorporated into the safety system.
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
19
5.4.8 When fully protected process components are combined into a facility, no additional threats to safety
are expected. Therefore, if all process component safety devices are logically integrated into a safety
system, the entire facility should be protected. However, it is incumbent on the user to apply appropriate
additional hazardous analysis methodologies to ensure that hazards are identified and mitigated.
5.4.9 The analysis procedure should provide a standard method to develop a safety system and provide
supporting documentation.
5.4.10 The safety system should be designed to limit the amount of time and frequency that safety functions
are bypassed and to automate start-up bypasses where practical to minimize human error. Bypasses shall
be classified and applied in accordance with Annex C.
6
Protection Concepts and Safety Analysis
6.1
Introduction
Section 5.1 emphasizes that most threats to safety from the production process involve the release of
hydrocarbons. Thus, the analysis and design of a production facility safety system should focus on
preventing such releases, stopping the flow of hydrocarbons to a leak if it occurs, and minimizing the effects
of hydrocarbons that are released. A hazard analysis should be utilized to identify the causes.
Section 6.2 explains the basic concepts of protection used in the analysis. These concepts are repeated in
Annex A, as applicable to individual component analysis.
Section 6.3 discusses methods of analyzing the process and establishing design criteria for an integrated
safety system covering the entire production process. These methods are exemplified in the example
analysis illustrated in Annex B.
Section 6.4 is a step-by-step summary for performing a safety analysis in accordance with this document. It
is pointed out that this method initially considers each component independently from the rest of the process
and can recommend safety devices that are not required after larger segments of the process are
considered. For example, many safety devices initially considered on headers are not normally required
because their safety function is performed by devices on other components.
6.2
Protection Concepts
6.2.1
General
The basic protection concepts used in the safety system analysis are discussed in this paragraph. Section
6.2.2 describes each undesirable event that could affect a process component and considers its cause,
effect, and protective measures. Section 6.2.3 discusses safety device selection criteria. Section 6.2.4
discusses protective shut-in action for isolating a process component. Section 6.2.5 discusses ignition
preventing measures (IPMs) that can be used to minimize the possibility of combustible concentrations of
hydrocarbons contacting an ignition source. Section 6.2.6 discusses protective measures to prevent
accidental contact of hot surfaces by personnel. Section 6.2.7 discusses the function of the ESS. Section
6.2.8 discusses the function of other support systems.
6.2.2
6.2.2.1
Undesirable Events
General
An undesirable event is an adverse occurrence in a process component that can pose a threat to personnel,
the environment, and the facility. The undesirable events discussed in this paragraph are those that might
develop in a process component under worst-case conditions of input and output. An undesirable event may
be indicated by one or more process variables ranging out of operating limits. These abnormal operating
conditions can be detected by sensors that initiate shutdown action to protect the process component. Each
undesirable event that can affect a process component is discussed according to the following format:
20
API RECOMMENDED PRACTICE 14C
a)
cause,
b)
effect and detectable abnormal condition,
c)
primary and secondary protection that should prevent or react to its occurrence,
d)
location of safety device.
6.2.2.2
6.2.2.2.1
Overpressure
General
Overpressure is pressure in a process component in excess of the MAWP.
6.2.2.2.2
Cause
Overpressure can be caused by various scenarios that develop a pressure that is in excess of the MAWP of
the component. Typical causes of overpressure include, but are not limited to, the following.
a)
An input source that develops pressure in excess of a process component’s MAWP if inflow exceeds
outflow. Inflow can exceed outflow if an upstream flow rate control device fails, if there are restrictions or
blockage in the component’s outlets, or if overflow or gas blow-by from an upstream component occurs.
b)
Backflow occurs from a downstream source with a higher operating pressure than the MAWP of the
component. Backflow can occur when forward flow is stopped, allowing reverse flow to the upstream
components. Typical examples include centrifugal pumps and compressors where the suction side has
an MAWP lower than the downstream operating pressure. Check valves should not be assumed to
prevent such backflow as they are subject to leaking and failing open on demand. Careful consideration
should also be given to side streams feeding into the system.
c)
Settle-out pressure after compressor shutdown results in a pressure exceeding the MAWP of any
component in the system. This scenario can occur when the MAWP of the suction side of a compressor
is lower than the resulting settle-out pressure.
d)
In the event of tube leakage or rupture in a heat exchanger where the higher pressure side operates at a
pressure in excess of the MAWP of the lower pressure side.
e)
Thermal expansion of fluids within a component if heat is added while the inlets and outlets are closed.
The heat source can be from other process streams, ambient conditions, or solar radiation.
f)
Heating of component contents by an external fire.
g)
Misdirected flow resulting from a high-pressure source being inadvertently routed to a component having
a lower MAWP.
Causes of overpressure can vary between sites and depends on the facility design and operating conditions.
API 521 provides information on additional causes that should be considered and additional guidance on
evaluating the scenarios listed above.
6.2.2.2.3
Effect and Detectable Abnormal Condition
The effect of overpressure can be a sudden rupture and leak of hydrocarbons. High pressure is the
detectable abnormal condition that indicates that overpressure may occur.
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
6.2.2.2.4
21
Primary Protection
Primary protection from overpressure in a pressure component should be provided by a PSH sensor to shut
off inflow. If a vessel is heated, the PSH sensor should also shut off the fuel or source of heat. Primary
protection for atmospheric components should be provided by an adequate vent system.
6.2.2.2.5
Secondary Protection
6.2.2.2.5.1
Secondary protection from overpressure in a pressure component should be provided by a
PRD. Secondary protection for atmospheric components should be provided by a second vent. The second
vent may be identical to the primary vent, a gauge hatch with a self-contained PRD, or an independent PRD.
6.2.2.2.5.2
Establishment of required PRD or vent capacities should include consideration of operating
conditions and failure modes during all modes of operation capable of creating overpressure, including startup, shutdown, trip, and maintenance, and should consider common modes of failure, such as electrical,
instrument control system, mechanical, human, and procedural. Guidance regarding potential causes of
overpressure to be considered in sizing of PRDs is provided in API 521.
6.2.2.2.5.3
While the preferred second layer of protection against overpressure is a mechanical PRD such
as a pressure-relief valve, provision of a PRD and the associated vent/flare system in accordance with the
requirements contained within API 521 may not be technically or economically practical. In such cases, use
of an alternative high-integrity instrumented system [high-integrity pressure protection system (HIPPS)] for
overpressure protection may be applied. Where implemented, the high-integrity instrumented system shall
conform to the requirements set forth in Annex E. Such a system is typically referred to as an HIPPS. While
HIPPS has been presented as an option for overpressure protection of multiple components, HIPPS shall
only be used after consideration of other alternatives. Caution should be applied when using HIPPS given
the rigorous design, testing, and maintenance requirements for the system.
6.2.2.2.5.4
For applications involving a well flowing in a flowline to a manifold, a similar level of protection
can be achieved by adding a second SDV to the well (in addition to the well SSV) and a second independent
PSH sensor connected to a separate logic solver (see Annex F) and sensing point. Use of this alternative
approach should be used with caution after consideration of the potential risks and other alternative means
of overpressure protection. Design of this alternative system should ensure that the volume upstream of any
block valves, chokes, or control valves located downstream of the pressure specification break is adequate
to allow sufficient time for the SDVs to close before exceeding the MAWP of the protected system. This
response time and leakage rates shall be established as performance criteria for the protection layer and
shall be periodically verified through testing. Consideration should also be given to installing a small PSV in
addition to the protective layer to protect against overpressure from leakage through the SSVs. Operations
personnel shall be trained regarding the operation, testing, and maintenance of the protective layer.
6.2.2.2.6
Location of Safety Devices
In a process component with a liquid and a gas section, the PSH sensor, PRD, or vent should be installed to
sense or relieve pressure from the gas or vapor section. The sensing connections for the safety devices
should be located at the highest practical location on the component to minimize the chance of fouling by
flow stream contaminants. The installation of PRDs and vents on atmospheric tanks should be in accordance
with API 2000 or other applicable standards.
6.2.2.3
6.2.2.3.1
Leak
General
A leak is the accidental escape of fluids from a process component to atmosphere. In this document, “leak”
implies that the escaping fluids are hydrocarbons, flammable, toxic, or hazardous chemicals.
22
6.2.2.3.2
API RECOMMENDED PRACTICE 14C
Cause
A leak can be caused by deterioration from corrosion, erosion, mechanical failure, vibration, or excess
temperature; by rupture from overpressure; or by accidental damage from external forces.
6.2.2.3.3
Effect and Detectable Abnormal Conditions
The effect of a leak is the release of hydrocarbons to the atmosphere. Low pressure and low level are the
abnormal conditions that, when detected, can indicate that a leak has occurred.
6.2.2.3.4
Primary Protection
Primary protection from leaks of sufficient rate to create an abnormal operating condition within a pressure
component should be provided by a PSL sensor to shut off flow and a flow safety valve (FSV) to minimize
backflow. Primary protection from leaks from the liquid section may also be provided by an LSL sensor to
shut off flow. On an atmospheric component, primary protection from liquid leaks should be provided by an
LSL sensor to shut off flow. A containment system should provide primary protection from small liquid leaks
that cannot be detected by the safety devices on a process component. Primary protection from small gas
leaks that occur in an inadequately ventilated area and cannot be detected by component sensing devices
should be provided by a combustible gas detection system.
6.2.2.3.5
Secondary Protection
Secondary protection from all detectable leaks and small gas leaks in an inadequately ventilated area shall
be provided by the ESSs. Secondary protection from small liquid leaks should be provided by an LSH sensor
installed on the sump tank to shut in all components that can leak into the sump.
6.2.2.3.6
Location of Safety Devices
In a process component with both a liquid and a gas section, the PSL sensor should be connected to sense
pressure from the gas or vapor section. The PSL sensor should be installed at the highest practical location
on the component to minimize the chances of fouling by flow stream contaminants. FSVs should be installed
in each component operating outlet line subject to significant backflow. The LSL sensor should be located a
sufficient distance below the lowest operating liquid level to avoid nuisance shutdowns, but with adequate
volume between the LSL sensor and liquid outlet to prevent gas blow-by before shutdown is accomplished.
6.2.2.4
6.2.2.4.1
Liquid Overflow
General
Liquid overflow is the discharge of liquids from a process component through a gas or vapor outlet or the
relief system.
6.2.2.4.2
Cause
Liquid overflow can be caused by liquid input in excess of liquid outlet capacity. This may be the result of
failure of an upstream flow rate control device, failure of the liquid level control system, or blockage of a liquid
outlet.
6.2.2.4.3
Effect and Detectable Abnormal Condition
The effects of liquid overflow can be overpressure or excess liquids in a downstream component, or release
of hydrocarbons to the atmosphere. High level is the detectable abnormal condition that indicates that
overflow may occur.
6.2.2.4.4
Primary Protection
Primary protection from liquid overflow should be provided by an LSH sensor to shut off inflow into the
component.
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
6.2.2.4.5
23
Secondary Protection
Secondary protection from liquid overflow to the atmosphere should be provided by the containment system
as defined by the ESSs in 6.2.7 b). Secondary protection from liquid overflow to a downstream component
should be provided by safety devices on the downstream component.
6.2.2.4.6
Location of Safety Devices
The LSH sensor should be located a sufficient distance above the highest operating liquid level of a
component to prevent nuisance shutdowns, but with adequate volume above the LSH sensor to prevent
liquid overflow before shutdown is accomplished.
6.2.2.5
6.2.2.5.1
Gas Blow-by
General
Gas blow-by is the discharge of gas from a process component through a liquid outlet.
6.2.2.5.2
Cause
Gas blow-by can be caused by failure of a liquid level control system or inadvertent opening of a bypass
valve around a level control valve.
6.2.2.5.3
Effect and Detectable Abnormal Condition
The effect of gas blow-by can be overpressure in a downstream component. Low level is the detectable
abnormal condition that indicates gas blow-by may occur.
6.2.2.5.4
Primary Protection
Primary protection from gas blow-by should be provided by an LSL sensor to shut off the liquid outlet or shut
off inflow when closure of the inflow valve does not exceed the downstream vessel MAWP caused by gas
blow-by.
6.2.2.5.5
Secondary Protection
Secondary protection from gas blow-by to a downstream component should be provided by over pressure
protection on the downstream component.
6.2.2.5.6
Location of Safety Devices
The LSL sensor should be located a sufficient distance below the lowest operating liquid level to avoid
nuisance shutdowns, but with an adequate volume between the LSL sensor and liquid outlet to prevent gas
blow-by before shutdown is accomplished.
6.2.2.6
6.2.2.6.1
Underpressure
General
Underpressure is pressure in a process component less than the design collapse pressure.
6.2.2.6.2
Cause
Underpressure can be caused by fluid withdrawal in excess of inflow that may be the result of failure of an
inlet or outlet control valve, blockage of an inlet line during withdrawal, or thermal contraction of fluids when
the inlets and outlets are closed.
6.2.2.6.3
Effect and Detectable Abnormal Condition
The effect of underpressure can be collapse of the component and a leak. Low pressure is the detectable
abnormal condition that indicates underpressure may occur.
24
6.2.2.6.4
API RECOMMENDED PRACTICE 14C
Primary Protection
Primary protection from underpressure in an atmospheric component should be provided by an adequate
vent system. Primary protection for a pressure component subject to underpressure should be provided by a
gas makeup system.
6.2.2.6.5
Secondary Protection
Secondary protection for an atmospheric component should be provided by a second vent or by a PVRV.
Secondary protection for a pressure component subject to underpressure should be provided by a PSL
sensor to shut off inflow and outflow.
6.2.2.6.6
Location of Safety Devices
The PSL sensor should be installed at the highest practical location on the component to minimize the
chances of fouling by flow stream contaminants. Vents and PVRVs should be installed in accordance with
API 2000 or other applicable standards.
6.2.2.7
6.2.2.7.1
Excess High Temperature (Fired and Exhaust-heated Components)
General
Excess temperature is temperature above that in which a process component is designed to operate. This
undesirable event in fired and exhaust-heated components is categorized as excess medium or process fluid
temperature and excess stack temperature. Excess temperature in unfired components is discussed in
individual component analyses in Annex A.
6.2.2.7.2
Cause
Excess medium or process fluid temperature can be caused by excess fuel or heat input due to failure or
inadvertent bypassing of the fuel or exhaust gas control equipment, extraneous fuel entering the firing
chamber through the air intake, or a leak of combustible fluids into the fired or exhaust-heated chamber;
insufficient volume of heat transfer fluid due to low flow in a closed heat transfer system (where the heated
medium is circulated through tubes located in the firing or exhaust-heated chamber); or low liquid level in a
fired component with an immersed fire or exhaust gas tube. Excess stack temperature in a fired component
can be caused by any of the above or by insufficient transfer of heat because of accumulation of foreign
material (sand, scale, etc.) in the heat transfer section. Excess stack temperature in an exhaust-heated
component can result from ignition of a combustible medium leak into the exhaust-heated chamber.
6.2.2.7.3
Effect and Detectable Abnormal Condition
The effects of high medium or process fluid temperature can be a reduction of the working pressure and
subsequent leak or rupture of the affected component and/or overpressure of the circulating tubes in a
closed heat transfer system, if the medium is isolated in the tubes. The effect of high stack temperature can
be a direct ignition source for combustibles coming in contact with the stack surface. High temperature, low
flow, and low level are the detectable abnormal conditions that indicate that excess temperature may occur.
6.2.2.7.4
Primary Protection
Primary protection from excess medium or process fluid temperature resulting from excess or extraneous
fuel, heat, or medium leaks into the fired or heated chamber should be provided by a TSH sensor. If caused
by low liquid level, protection should be provided by an LSL sensor. The TSH and LSL sensors on fired
components should shut off fuel supply and inflow of combustible fluids. The TSH and LSL sensors on
exhaust-heated components should divert or shut off the fuel or heat source. If excess medium temperature
is due to low flow in a closed heat transfer system containing combustible fluid, primary protection should be
provided by an FSL sensor to shut off fuel supply to a fired component or to divert the exhaust flow from an
exhaust-heated component. Primary protection from excess stack temperature should be provided by a TSH
(stack) sensor to shut off the fuel or exhaust gas source and inflow of combustible fluids.
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
6.2.2.7.5
25
Secondary Protection
Secondary protection from excess medium or process fluid temperature in a fired component, if caused by
excess or extraneous fuel, should be provided by a TSH (stack) sensor and, if caused by low flow, by a TSH
(medium) sensor and TSH (stack) sensor. If caused by low level, secondary protection should be provided
by a TSH (medium or process fluid) sensor and TSH (stack) sensor. Secondary protection from excess
medium or process fluid temperature in an exhaust-heated component, if caused by low level or low flow,
should be provided by a TSH (medium) sensor. These TSH sensors should perform the same function as the
primary protection. Secondary protection for excess stack temperature should be provided by the ESSs and
an FSV, where applicable.
6.2.2.7.6
Location of Safety Devices
Temperature sensors, other than fusible or skin contact types, should be placed in a thermowell for ease of
removing and testing. In a two-phase (gas/liquid) system, the TSH sensor should be located in the liquid
section. In a tube-type heater, where the heated medium flows through tubes located in the firing or heating
chamber, the TSH sensor should be located in the tube outlet as close as is practical to the heater. An FSL
sensor should be located in the medium circulating tube piping. An FSV installed on medium tube outlet
piping is used to prevent backflow from downstream components in the event of tube rupture. See A.6.3.2 for
additional guidance.
6.2.2.8
6.2.2.8.1
Excess Low Temperature (Pipe Embrittlement)
General
Excess low temperature is temperature below the minimum allowable working temperature of a process
component. This type of low temperature results in loss of ductility, or embrittlement, of the process
component material. Embrittled materials can mechanically fail even at pressures far below the process
component’s MAWP. Piping is more commonly associated with the effects of this type of low temperature
since the process cause of the low temperature often occurs in the piping between process components.
Pipe can experience failure first because of its smaller relative mass to the downstream process component.
6.2.2.8.2
Causes
Excessive pressure drop of gases can produce a Joule-Thomson (JT) effect. This effect can create
extremely low temperatures in the downstream piping after the pressure drop and can cause the low
temperature limit of the piping to be exceeded. Flashing liquids may also cause low temperatures.
6.2.2.8.3
Conditions
Extremely low temperature in the downstream piping can result in brittle fracture and failure of the piping.
“Low temperature” in the downstream section is the detectable condition.
6.2.2.8.4
Primary Protection
Primary protection from low-temperature embrittlement should be through system design such that the
process component materials are suitable for all credible low temperatures considering both abnormal and
normal operations. A TSL located downstream of the pressure drop should be installed as primary protection
from low-temperature embrittlement when system design is impracticable. The use of a TSL as a layer of
protection should not apply to blowdown piping and relief systems because stopping relief flow to prevent a
low temperature could cause a more dangerous event.
If low temperatures only result from a high pressure drop, then a high differential pressure monitor can give a
quicker response time and may be considered as an alternative. The monitoring devices should shut off the
process flow.
26
6.2.2.8.5
API RECOMMENDED PRACTICE 14C
Secondary Protection
Secondary protection shall be required when the system cannot be designed to avoid low-temperature
embrittlement during normal operating conditions even if temperature-based operating constraints are
implemented, e.g. the system shall be allowed to warm up following a low-temperature event before
repressurization can occur. A second TSL located downstream of the pressure drop should be installed and
not associated with the primary protection monitoring device to take appropriate action.
6.2.2.8.6
Location of Safety Devices
TSL sensors installed as insertion elements should be protected by thermowells in the downstream piping no
more than five diameters from the source of pressure drop. TSL sensors installed as skin-type elements
should be insulated to protect against ambient temperature effects.
6.2.2.9
6.2.2.9.1
Direct Ignition Source (Fired Components)
General
A direct ignition source is an exposed surface, flame, or spark at sufficient temperature and heat capacity to
ignite combustibles. Direct ignition sources discussed in this paragraph are limited to fired components.
Electrical systems and other ignition sources are discussed in 6.2.5.
6.2.2.9.2
Cause
Direct ignition sources can be caused by flame emission from the air intake due to the use of improper fuel
(e.g. liquid carry-over in a gas burner), reverse draft from a natural draft burner, or extraneous fuel entering
the air intake, spark emission from the exhaust stack, or hot surfaces resulting from excess temperature.
6.2.2.9.3
Effect and Detectable Abnormal Condition
The effect of a direct ignition source can be a fire or explosion if contacted by a combustible material. High
temperature and low airflow (forced draft burners only) are the detectable abnormal conditions that indicate a
direct ignition source can occur.
6.2.2.9.4
Primary Protection
Primary protection from flame emission through the air intake of a natural draft burner should be provided by
a flame arrestor to contain the flame in the firing chamber. Primary protection from flame emission through
the air intake of a forced draft burner should be provided by a PSL (air intake) sensor to detect low airflow
and shut off the fuel and air supply. A stack arrestor should provide primary protection from exhaust stack
spark emission. Primary protection from hot surfaces due to excess temperature should be provided by a
TSH (medium or process fluid) sensor and TSH (stack) sensor. The TSH sensor should shut off fuel supply
and inflow of combustible fluids.
6.2.2.9.5
Secondary Protection
Secondary protection from flame emission through the air intake of a natural draft burner should be provided
by the ESS. Secondary protection from flame emission through the air intake of a forced draft burner should
be provided by a blower motor interlock to detect blower motor failure and to initiate a signal to shut off the
fuel and air supply. Secondary protection from exhaust stack spark emission and hot surfaces should be
provided by the ESSs and an FSV where applicable.
6.2.2.9.6
Location of Safety Devices
The location of air intake flame arrestors and exhaust stack spark arrestors is fixed. These items should be
installed to facilitate inspecting and cleaning. TSH (stack, media, process fluids) sensors should be installed
as discussed in 6.2.2.7. A PSL (air intake) sensor should be installed downstream of the blower fan inside
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
27
the air intake on a forced draft burner. Forced draft burners should have starter interlocks installed on the
blower motor starter. An FSV should also be installed in medium tube outlet piping.
6.2.2.10
Excess Combustible Vapors in the Firing Chamber (Fired Component)
6.2.2.10.1 General
Excess combustible vapors in the firing chamber are combustible vapors in addition to those required for
normal ignition of either the pilot or main burner.
6.2.2.10.2 Cause
Accumulation of excess combustible vapors in the firing chamber can be caused by a failure of the fuel or air
supply control equipment or improper operating procedures.
6.2.2.10.3 Effect and Detectable Abnormal Condition
The effect of excess combustible vapors in the firing chamber, on ignition, can be an explosion and possible
rupture of the component. Flame failure and high or low fuel supply pressure are detectable abnormal
conditions that can indicate excess combustible vapors in the firing chamber. Low air supply pressure and
blower failure can also indicate this condition in forced draft burners.
6.2.2.10.4 Primary Protection
Primary protection from excess combustible vapors in the firing chamber caused by a mechanical failure of
the fuel control equipment should be provided by a flame failure sensor (BSL). The sensor should detect a
flame insufficient to ignite the entering vapors and shut off the fuel.
6.2.2.10.5 Secondary Protection
Secondary protection from excess combustible vapors in the firing chamber due to fuel control failure should
be provided by a PSH and PSL (fuel) sensor to shut off the fuel. On a forced draft burner, a PSL (air) sensor
and motor starter interlock should be installed to detect an inadequate air supply and initiate a signal to shut
off the fuel and air. An FSL sensor may be installed in place of a PSL sensor in the air intake to sense low
airflow. In addition to the above safety devices, safe operating procedures should also be followed to prevent
firebox explosions during ignition of the pilot or main burner. Recommended safe operating procedures are
shown in A.6.4. Additionally, automated burner start-up procedures should be considered.
6.2.2.10.6 Location of Safety Devices
A BSL sensor should be installed in the firing chamber to monitor the pilot and/or main burner flame. PSH
and PSL sensors in the fuel supply should be installed downstream of all fuel pressure regulators. A PSL (air
intake) sensor should be installed in the air intake downstream of the forced draft blower.
6.2.3
Safety Device Selection
6.2.3.1 The required safety device protection is categorized into primary and secondary protective
devices. The primary device will react sooner, safer, or more reliably than the secondary device. The primary
device will provide the highest order of protection, and the secondary device should provide the next highest
order of protection.
6.2.3.2 A single safety device may not provide complete primary or secondary protection because the
results of a failure can vary by degree or sequence. Thus, several devices or systems may be shown, the
combination of which will provide the necessary level of protection. For example, a PSL sensor and an FSV
can be required to stop flow to a leak. These two devices can provide the primary level of protection.
28
API RECOMMENDED PRACTICE 14C
6.2.3.3 The protection devices determined in the SAT, in conjunction with necessary SDVs or other final
control devices, protect the process component in any process configuration. It is important that the user
understand the SAT logic and how the SATs are developed.
6.2.3.4 The location of SDVs and other final control devices shall be determined from a study of the
detailed flow schematic(s) [e.g. safety analysis flow diagram, process flow diagram (PFD), and P&ID] and
from a knowledge of operating parameters. When an undesirable event is detected in a process component,
the component can be isolated from all input process fluids, heat, and fuel, by either shutting in the primary
sources of input or diverting the inputs to other components where they can be safely handled.
6.2.3.5 All safety devices shown in the figures in Annex A for each component should be considered and
should be installed unless conditions exist whereby the function normally performed by a safety device is not
required or is performed adequately by another safety device(s). The safety analysis checklists (SACs) in
Annex A list equivalent protection methods, thereby allowing the exclusion of some devices.
6.2.3.6 If a process component is used that is not covered in Annex A, an SAT for that component should
be developed as discussed in 6.2.3.2 and 6.2.3.3.
6.2.4
Protective Shut-in Action
6.2.4.1 When an abnormal condition is detected in a process component by a safety device or by
personnel, all input sources of process fluids, heat, and fuel should be shut off or diverted to other
components where they can be safely handled. If shutoff is selected, process inputs should be shut off at the
primary source of energy (wells, pump, compressor, etc.). It is not advisable to only close the process inlet to
a component if this can create an abnormal condition in the upstream component, causing its safety devices
to shut it in. This would be repeated for each component back through the process until the primary source is
shut in. Each component would therefore be subjected to abnormal conditions and shall be protected by its
safety devices every time a downstream component shuts in. This cascading effect depends on the
operation of several additional safety devices and can place undue stress on the equipment.
There can be special cases where shut-in by cascading is acceptable; the following are examples.
a)
The source of input to a separator is frequently changed as wells are periodically switched into the
separator. If the well(s) producing to the separator is to be directly shut in when an abnormal condition is
detected, the safety system logic shall be changed each time different wells are switched into the unit.
This creates the possibility of oversight in changing the logic. In this case, it may be preferable to close
the separator inlet and let the resulting high flowline pressure cause the well(s) to shut in by action of the
flowline PSH sensor. The header and the flowline should be rated for the maximum pressure that can be
caused by this action.
b)
A platform receives production through a flowline from a satellite well. Although the source of energy to
the system is the satellite well, detection of an abnormal condition on the platform should cause
activation of an SDV on the incoming flowline. If it is desired to shut in the satellite well following closure
of the flowline SDV at the platform, this may be accomplished by use of a flowline PSH sensor installed
at the satellite location.
c)
A compressor installation is equipped with an automatic divert valve that permits production to be
maintained from wells capable of producing against pipeline pressure when a compressor shutdown
occurs. In this case, wells incapable of producing against pipeline pressure may be shut in by action of
the individual flowline PSH sensors to minimize potential safety system logic problems as discussed in
Item a) above
6.2.4.2 Where subsea trees are the source of pressure, a boarding shutdown valve (BSDV) shall be
installed and assumes the role of the surface safety valve (SSV) required for a traditional dry tree. This
protects the production facility from the subsea flowline inventory.
6.2.4.3
The BSDV shall be designed to meet the following requirements.
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
29
a)
The BSDVs shall be rated to at least the riser MAOP.
b)
BSDV shall meet the requirements of API 6A and API 6AV1 and be fire rated for a minimum of 30
minutes.
c)
BSDVs shall be located as close to the water line as practical while providing adequate access for
operation, maintenance, and testing. The piping outboard of the BSDV shall be protected from all
credible hazards.
d)
A temperature safety element (TSE) or other fire detection device shall be installed to allow detection of
fire at each BSDV.
6.2.4.4
Where pipelines are a potential source of pressure or backflow (e.g. gas pipelines or where
pipelines have multiple downstream input sources), the pipeline-tested SDV/FSV should have a leakage rate
as specified per I.4.10 to ensure that leakage through a closed valve will not lead to significant escalation
from an ignited release. This ensures the maximum level of safety for the production facility and the people
aboard the facility.
6.2.4.5
A TSE or other fire detection device shall be installed to allow detection of fire on pipeline-tested
SDV/FSV.
6.2.4.6
It may be desirable or necessary to shut in the inlet to a process component for additional
protection or to prevent upstream components from equalizing pressure or liquid levels after the primary
source is shut in. If this option is selected, the primary source of energy should be shut in simultaneously
with or prior to closing of the component inlet valve.
6.2.5
6.2.5.1
Ignition Preventing Measures
General
The safety flow chart shown in Figure 3 illustrates that the principal threat to platform safety is the release of
hydrocarbons. However, if ignition of released hydrocarbons can be prevented, the consequences of the
hydrocarbon release can be reduced. Thus, prevention of ignition is another protection method that shall be
considered along with safety devices and ESSs. Ignition of hydrocarbons can be caused by electric arcs,
flame, sparks, and hot surfaces. Protection from these sources is provided by design considerations that
decrease the possibility of hydrocarbons contacting an ignition source or preventing gaseous hydrocarbons
from reaching a combustible concentration. Collectively, these methods are referred to in this document as
IPMs and include
— ventilation,
— application of electrical codes and standards,
— location of potential ignition sources,
— protection of hot surfaces.
6.2.5.2
Ventilation
Ignition of a combustible gas requires that the concentration of the gas mixed with air (oxygen) reaches the
lower explosive limit (LEL). The safety system is designed to minimize the amount of hydrocarbon released
by shutting off the hydrocarbon source on detecting an abnormal condition. Another method for preventing a
combustible mixture is to provide a volume of air sufficient to maintain the hydrocarbon concentration below
the LEL. To prevent the accumulation of combustible mixtures, process areas should be as open as
practicable to allow the free movement of air. Enclosed areas containing hydrocarbon handling or fueled
equipment should have adequate ventilation so that the gases or vapors will dissipate before reaching the
LEL. Refer to G.2.3 for requirements related to combustible gas detector installation.
30
API RECOMMENDED PRACTICE 14C
6.2.5.3
Electrical Codes and Standards
6.2.5.3.1
Protection from ignition by electrical sources should be provided by designing, installing, and
maintaining electrical equipment in accordance with API 14F or API 14FZ or other applicable standards and
by classification of platform areas according to API 500 or API 505.
6.2.5.3.2
API 14F and API 14FZ define criteria for electrical equipment and wiring methods that can be
used safely in classified and unclassified areas on offshore production facilities.
6.2.5.3.3
API 500 and API 505 presents methods for classifying areas surrounding drilling rigs and
production facilities on land and on marine fixed and mobile platforms for safe installation of electrical
equipment.
6.2.5.4
Location
Potential ignition sources, such as fired process components and certain rotating machinery, are normally
equipped to minimize the possibility of igniting released hydrocarbons. Additional protection can be provided by
locating equipment in areas where exposure to inadvertently released hydrocarbons is minimized. API 14J
provides guidance for locating equipment. Some other potential ignition sources are those related to
housekeeping such as boilers, water heaters, stoves, clothes dryers, etc. These should be located in electrically
unclassified locations. If such equipment is gas fueled and installed in an inadequately ventilated building, a
combustible gas detector (ASH) should be installed to close the fuel SDV(s) located outside the building.
6.2.5.5
Hot Surface Protection
Any surface including portable equipment with a temperature in excess of 400 °F (204 °C) should be protected
from exposure to hydrocarbon liquids due to spillage or leakage. Surfaces including portable equipment with a
temperature in excess of 725 °F (385 °C) should be protected from exposure to accumulations of combustible
gases and vapors. Methods of protection can be insulation, barriers, water cooling, etc. Some mechanical
components such as turbochargers, exhaust manifolds and the like (including associated piping) that cannot be
insulated without causing mechanical failure should be protected by other means.
6.2.6
Hot Equipment Shielding
Any surface with a temperature in excess of 160 °F (71 °C) should have protection when accidental contact
of the hot surface could be made by personnel within normal work or walk areas. Protection may be in the
form of guards, barriers, or insulation. Some mechanical components such as turbochargers, exhaust
manifolds, compressor heads, expansion bottles, and the like (including associated piping) are exceptions; in
these cases, warning signs are acceptable.
6.2.7
Emergency Support Systems
To minimize the effects of escaped hydrocarbons on offshore production facilities, the ESSs shall be
designed in accordance with Annex G. The ESS includes:
a)
the combustible gas detection system to sense the presence of escaped hydrocarbons and initiate
alarms and facility shutdown before gas concentrations reach the LEL;
b)
the containment system to collect escaped liquid hydrocarbons and initiate facility shutdown on high
level in the collective containment system;
c)
the fire detection system to sense a fire and initiate facility shutdown;
d)
the ESD system to provide a method to manually initiate facility shutdown by personnel observing
abnormal conditions or undesirable events;
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
31
e)
the SSSVs that may be self-actuated [subsurface-controlled subsurface safety valves (SSCSVs)] or
activated by an ESD system and/or fire detection system [surface-controlled subsurface safety valves
(SCSSVs)];
f)
systems for discharging gas to the atmosphere are installed to provide a means for conducting
discharged gas from process components to safe locations for final release to the atmosphere.
6.2.8
Other Support Systems
The integrity of a facility surface safety system depends on proper operation of several other support
systems. These ancillary support systems carry the same degree of importance as other portions of the
facility safety system and should be equally as well maintained. Those discussed in Annex G are the
pneumatic supply system and the hydraulic supply system.
The pneumatic and hydraulic supply systems are installed to provide power for actuators. The pneumatic
system also provides supply for instruments.
6.3
6.3.1
Safety Analysis
Safety Analysis Table
6.3.1.1 Safety analysis tables (SATs) for the basic process components of a production facility are
presented in Annex A. The SATs are applicable to a component regardless of its position in the process flow.
The boundaries of each process component include the inlet piping, control devices, and the outlet piping to
another component. Every outlet pipe and pipe branch should be included up to the point where safety
devices on the next component provide protection.
6.3.1.2 The safety analysis of each process component highlights undesirable events (effects of
equipment failures, process upsets, accidents, etc.) from which protection should be provided, along with
detectable abnormal conditions that can be monitored for safety surveillance. These detectable conditions
are used to initiate action through automatic controls to prevent or minimize the effect of undesirable events.
The tables present the logical sequence of safety system development, including undesirable events that
could be created in downstream process components because of failures in the equipment or safety devices
of the component under consideration.
6.3.1.3 The generic causes of each undesirable event are listed. The primary causes are equipment
failures, process upsets, and accidental, but all primary causes in a category will create the same
undesirable event. Thus, a blocked line could be due to plugging, freezing, or other failure of a control valve
or the inadvertent closing of a manual valve. The undesirable events should be determined from a detailed
investigation of the failure modes of the component and its ancillary equipment. These failure modes are
grouped under causes, according to the manner in which they can generate the undesirable event.
6.3.1.4 The protective safety devices and ESSs that prevent or react to minimize the effects of undesirable
events shall be designed in accordance with 6.2.
6.3.2
Safety Analysis Checklist
Individual SACs are shown in Annex A as an aid for discussing the application of the safety analysis to each
individual component. The SAC lists the safety devices that would be required to protect each process
component if it were viewed as an individual unit with the worst probable input and output conditions. Listed
under each device are certain conditions that eliminate the need for that particular device when the
component is viewed in relation to other process components. This action is justified because safety devices
on other components can provide the same protection, or because in a specific configuration, the abnormal
condition that the device detects cannot lead to a threat to safety.
32
API RECOMMENDED PRACTICE 14C
6.3.3
SAFE Chart
The SAFE chart, shown in Figure B.2, is used to relate all sensing devices, SDVs, shutdown devices, and
ESSs to their functions. The SAFE chart should list all process components and ESSs with their required
safety devices and should list the functions to be performed by each device. If the device is not needed, the
reason shall be listed on SAFE by referring to the appropriate SAC item number. The SAC references are
defined by the item and procedure numbers from the appropriate SAC table for the equipment referenced. If
the reason for eliminating a device is that a device on another component provides equivalent protection, this
alternate device should also be shown on SAFE. The relation of each safety device with its required function
can be documented by checking the appropriate box in the chart matrix. Completion of the SAFE chart
provides a means of verifying the design logic of the safety system.
6.4
Analysis and Design Procedure Summary
The analysis and design of a facility surface safety system should include the following steps.
1.
A description of the process in a detailed flow schematic(s) (e.g. safety analysis flow diagram, PFDs,
and P&IDs) that establishes the operating parameters. The flow schematic(s) and operating parameters
should be developed based on equipment design and process requirements.
2.
Verification from the SATs of the need for basic safety devices to protect each process component
viewed as an individual unit. The SAC for individual components is then used to justify the elimination of
any safety device when each process component is analyzed in relation to other process components.
The SAC lists specific conditions under which some safety devices may be eliminated when larger
segments of the process are considered.
3.
Develop an SAT and an SAC table for process components that differ from those covered in this
document.
4.
Logically integrate all safety devices and self-protected equipment into a complete facility safety system
using the SAFE chart. List on the SAFE chart all process components and their required safety devices.
Enter the functions the devices perform and relate each device to its function by checking the
appropriate box in the chart matrix.
5.
If designing a new facility, show all devices to be installed on the P&IDs.
6.
If analyzing an existing facility, compare SAFE chart with the detailed flow schematic(s) and add the
devices required but not shown.
The analyses should define the monitoring devices (sensors) and self-actuating safety devices needed for a
process facility. They also establish the safety function required (shutdown, diverting the input, pressurerelief, etc.).
Annex A
(normative)
Process Component Analysis
A.1 General
This annex presents a complete safety analysis of each basic process component normally used in a facility
production process system. The component analysis includes the following.
a)
A description of each process component.
b)
A typical drawing of each process component showing safety devices that should be considered based
on individual component analysis. A discussion of each process component is included outlining
recommended safety device locations.
c)
An SAT for each process component analyzing the undesirable events that could affect the component.
d)
An SAC for each process component listing safety devices and showing conditions under which
particular safety devices may be excluded. A discussion of the rationale for including or excluding each
safety device is presented.
A.2 Wellheads and Flowlines
A.2.1 Description
Wellheads provide surface control (manual and automatic) and containment of well fluids and provide
downhole access for well servicing. Flowlines transport well fluids from the wellhead to the first downstream
process component.
For analysis purposes and assignment of safety devices, flowlines are divided into flowline segments. A
flowline segment is any portion of a flowline that has an assigned operating pressure different from other
portions of the same flowline. These flowline segments can be classified as either initial (beginning at
wellhead), intermediate, or final (terminating at another process component) segments. Thus, a flowline that
experiences a reduction in operating pressure due to some inline pressure-reducing device, such as a
choke, and has two different assigned operating pressures will have an initial and final segment. A flowline
that experiences no reduction in operating pressure due to a pressure-reducing device will have only one
segment. In this case, the initial and final flowline segment will be the same. Each flowline segment shall be
analyzed to determine appropriate safety devices. Recommended safety devices for typical wellheads and
flowlines are shown in Figures A.1, A.2, and A.3.
A.2.2 Safety Analysis
A.2.2.1
Safety Analysis Table
The SAT for a flowline segment is presented in Table A.1. The undesirable events that can affect a flowline
segment are overpressure and leak.
A.2.2.2
A.2.2.2.1
Safety Analysis Checklist
General
The SAC for a flowline segment is presented in Table A.2.
33
34
API RECOMMENDED PRACTICE 14C
NOTE
a
The TSE designations are symbolic and are not intended to reflect actual location or quantity.
The PSV location can be upstream or downstream of the FSV.
Figure A.1—Safety Devices: Dry Tree Wellhead Flowlines
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
Key
SITP
MAWP
shut-in tubing pressure
maximum allowable working pressure (rated)
Figure A.2—Safety Devices: Underwater Wellhead Flowlines
35
36
API RECOMMENDED PRACTICE 14C
NOTE 1
TSE designations are symbolic and are not intended to reflect actual location or quantity.
NOTE 2 Numbers used on safety devices are provided as reference for this drawing and are not required to be used
as actual tagging requirements.
a
PSV location can be upstream or downstream of the FSV.
Figure A.3—Satellite Well
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
37
Table A.1—Flowline Segment Safety Analysis Table
Undesirable Event
Overpressure
Cause
Blocked or restricted line
Detectable Abnormal
Condition at Component
High pressure
Downstream choke plugged
Hydrate plug
Upstream flow control failure
Changing well conditions
Closed outlet valve
Leak
Deterioration
Low pressure
Erosion
Corrosion
Impact damage
Vibration
Table A.2—Flowline Segment Safety Analysis Checklist
Item
A.1a.
Description
High-pressure sensor (PSH).
1) PSH installed.
2)
A.1b.
Low-pressure sensor (PSL).
1) PSL installed.
2)
A.1c.
Flowline segment has a maximum allowable working pressure (MAWP) greater than maximum shut-in
pressure and is protected by a PSH on a downstream flowline segment.
Flowline segment is between the well and the first choking device and is less than 10 ft (3 m) in length.
Pressure safety valve (PSV).
1) PSV installed.
2)
3)
Flowline segment has an MAWP greater than the maximum shut-in tubing pressure.
Two shutdown valves (SDVs) [one of which being the original surface safety valve (SSV)] with
independent PSHs, logic solvers, and sensing points are installed where there is adequate flowline volume
upstream of any block valves to allow sufficient time for the SDVs to close before exceeding the MAWP.
4)
Flowline segment is protected by a pressure-relief device (PRD) on upstream segment.
5)
Flowline segment is protected by a PRD on downstream component that cannot be isolated from the
flowline segment and there are no chokes or other restrictions between the flowline segment and the PRD.
6)
Flowline segment is protected by a high-integrity pressure protection system (HIPPS) meeting the
requirements in Annex E.
NOTE See additional design requirements in 6.2.2.2.5.
A.1d.
Flow safety valve (FSV).
1) FSV installed.
2)
Flowline segment is protected by FSV in final flowline segment.
38
API RECOMMENDED PRACTICE 14C
A.2.2.2.2
Pressure Safety Devices (PSH, PSL, and PSV)
Because wells are the primary source of pressure, a PSH sensor to shut in the well shall be provided on
each flowline to detect abnormally high pressure. A PSH sensor to shut in the well should be installed on the
final flowline segment and on any other segment that has an MAWP less than the maximum SITP of the well.
A PSL sensor to shut in the well should be provided on each flowline segment, except the initial segment if
the first choking device is less than 10 ft (3 m) from the wellhead.
A PSV is not required on a flowline under the following conditions:
a)
the MAWP of a flowline segment is greater than the maximum SITP of the well;
b)
the flowline is protected by a PRD located on an upstream flowline segment;
c)
an SDV (in addition to the SSV) with an independent PSH sensor connected to a separate logic solver
and sensing point is an acceptable alternate to a PSV, providing the flowline volume upstream of block
valve is adequate to allow sufficient time for the SDVs to close before exceeding the MAWP;
d)
the flowline is protected by an HIPPS meeting the requirements Annex E.
The use of an SDV and SSV or HIPPS in lieu of a PSV should be approached with caution after
consideration of other alternatives. In some cases, installation of a PSV in addition to an SDV and SSV or
HIPPS might be desirable even at locations having no containment system.
A.2.2.2.3
Flow Safety Device (FSV)
A check valve (FSV) is only necessary in the final flowline segment to minimize backflow to the flowline.
A.2.3 Safety Device Location
A.2.3.1
Pressure Safety Devices (PSH, PSL, and PSV)
The PSH and PSL sensors should be located for protection from damage due to vibration, shock, and
accidents. The sensing point should be located on top of a horizontal run or in a vertical run. Independent
sensing points should be provided for all required PSHs used with an SDV or HIPPS as alternate protection
for a PSV. The PSV should be located upstream of the first blocking device in the flowline segment and
should not be set higher than the rated working pressure of the segment.
A.2.3.2
Flow Safety Device (FSV)
The check valve (FSV) should be located in the final flowline segment so that the entire flowline is protected
from backflow.
A.2.3.3
Shutdown Devices (SSV or USV)
The SSV should be located on the wellhead as the first automatically actuated valve in the flow stream from
the wellbore. The SSV should be actuated by the flowline pressure sensors, ESD system, fire detection
system, and sensors on downstream process components. An SDV (in addition to the SSV) may be installed
on the wellhead. If an SDV is installed, it may be actuated, in lieu of the SSV, by the flowline pressure
sensors and sensors on downstream process components. The USV should be actuated by the flowline
pressure sensors located upstream of the BSDV, by the ESD system, and by the fire detection system.
A.3 Wellhead Injection Lines
A.3.1 Description
Injection lines transfer fluids to the wellbore for artificial lift or reservoir injection. Recommended safety
devices for wellhead injection lines are shown in Figure A.4.
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
NOTE 1
39
TSE designations are symbolic and are not intended to reflect actual location or quantity.
NOTE 2 Numbers used on safety devices are provided as reference for this drawing and are not required to be used
as actual tagging requirements.
a
In the event of hydrocarbon injection, the SDV shall be an SSV.
b
Producing formation not capable of backflow.
Figure A.4—Safety Devices: Dry Tree Wellhead Injection Lines
A.3.2 Safety Analysis
A.3.2.1
Safety Analysis Table
The SAT for wellhead injection lines is presented in Table A.3. The undesirable events that can affect an
injection line are overpressure and leak.
A.3.2.2
A.3.2.2.1
Safety Analysis Checklist
General
The SAC for wellhead injection lines is presented in Table A.4.
40
API RECOMMENDED PRACTICE 14C
Table A.3—Safety Analysis Table: Dry Tree Wellhead Injection Lines
Undesirable Event
Overpressure
Cause
Blocked or restricted outlet
Hydrate plug
Detectable Abnormal
Condition at Component
High pressure
Upstream flow control failure
Plugged formation
Backflow from formation
Leak
Deterioration
Erosion
Low pressure
Corrosion
Impact damage
Vibration
Table A.4—Safety Analysis Checklist: Dry Tree Wellhead Injection Lines
Item
A.2a.
Description
High-pressure sensor (PSH).
1) PSH installed.
2)
A.2b.
Low-pressure sensor (PSL).
1) PSL installed.
2)
A.2c.
3)
4)
PSV installed.
Line and equipment have a maximum allowable working pressure (MAWP) greater than the
maximum pressure that can be imposed by the injection source.
Line and equipment are protected by an upstream pressure-relief device (PRD).
Line and equipment are protected by a high-integrity pressure protection system (HIPPS) meeting
the requirements in Annex E.
Check valves (FSV).
1)
A.3.2.2.2
Line and equipment are protected by an upstream PSL.
Pressure safety valve (PSV).
1)
2)
A.2d.
Line and equipment are protected by an upstream PSH.
FSV(s) installed.
Pressure Safety Devices (PSH, PSL, and PSV)
Pressure protection is usually provided by a PSH and a PSL sensor on the injection source, such as a
compressor or pump, to shut off inflow. If the PSH and PSL sensors also protect the injection line, wellhead,
and other equipment, these devices are not required on the injection line. A PSV is not necessary if the
injection line is designed to withstand the maximum pressure that can be imposed by the injection source.
Usually, a PRD is provided on the injection source that will also protect the injection line, wellhead, and other
equipment.
A.3.2.2.3
Flow Safety Device (FSV)
A check valve (FSV) should be provided on each injection line to minimize backflow.
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
41
A.3.3 Safety Device Location
A.3.3.1
Pressure Safety Devices (PSH, PSL, and PSV)
The PSH and PSL sensors should be located upstream of the FSV, and the sensing point should be on top
of a horizontal run or in a vertical run. The PSV should be located so that it cannot be isolated from any
portion of the injection line.
A.3.3.2
Flow Safety Device (FSV)
The check valve (FSV) should be located on each injection line as near the wellhead as is practical so that
the entire line is protected from backflow.
A.3.3.3
Shutdown Devices (SDV)
Injection line SDVs to prevent backflow should be located as near the wellhead as is practical to minimize the
amount of line exposed to piping failure. SDVs are not required on gas lift lines if they are protected at an
upstream component and if they are not subject to backflow from the producing formation. SDVs are not required
if the injection line is for the purpose of injecting water and the subsurface formation is incapable of backflowing
hydrocarbons. If closing an SDV could cause rapid pressure buildup in the injection line, consideration should be
given to shutdown of the injection source and/or use of a second FSV in lieu of an SDV.
A.4 Headers
A.4.1 Description
Headers receive production from two or more flow streams and distribute production to the required process
systems, such as the low-, intermediate-, or high-pressure production and test separation facilities.
Recommended safety devices for typical headers are shown in Figure A.5.
A.4.2 Safety Analysis
A.4.2.1
Safety Analysis Table
The SAT for headers is presented in Table A.5. The undesirable events that can affect a header are
overpressure and leaks.
A.4.2.2
A.4.2.2.1
Safety Analysis Checklist
General
The SAC for headers is presented in Table A.6.
A.4.2.2.2
Pressure Safety Devices (PSH, PSL, and PSV)
PSH and PSL sensors are not required on headers if each input source is equipped with a PSH and a PSL
sensor and the PSH sensor is set less than the rated working pressure of the header. Also, a PSH sensor is
not required if the header is protected by a PSH sensor on a downstream process component and the
header cannot be isolated, from either pluggage or by a manual isolation valve, from the downstream
component. A PSL is not required if the header is for flare, relief, vent, or atmospheric service. If the header
requires a PSH and a PSL sensor, the signal from each should shut off all input sources to the header.
A PSV is not required on a header under the following conditions.
a)
The MAWP is greater than the maximum shut-in pressure of any connected input source.
b)
Pressure-relief protection is provided on all connected input sources that have a maximum shut-in
pressure greater than the MAWP of the header.
42
API RECOMMENDED PRACTICE 14C
c)
The header is protected by a PRD on a downstream process component that cannot be isolated from
the header.
d)
The header is for flare, relief, vent, or atmospheric service and has no valving in the outlet piping.
e)
Input sources include well(s) having a pressure greater than the MAWP of the header and that well is
equipped with two SDVs (one of which may be the original SSV) controlled by independent PSHs
connected to separate logic solvers and sensing points. This design shall provide adequate flowline
volume to allow sufficient time for the SSVs to close before exceeding the MAWP. See additional design
requirements in 6.2.2.2.5. Other input sources having a pressure greater than the MAWP of the header
are protected by PSVs.
f)
Input source is a well(s) having a pressure greater than the MAWP of the header and is protected by an
HIPPS meeting the requirements in Annex E.
The use of two SSVs or HIPPS in lieu of a PSV should be approached with caution after consideration
of other alternatives. In some cases, installation of a PSV in addition to two SSVs or HIPPS might be
desirable even at locations having no containment system.
NOTE
TSE designations are symbolic are not intended to reflect actual location or quantity.
Figure A.5—Safety Devices: Headers
A.4.3 Safety Device Location
Pressure safety devices, PSH and PSL sensors or a PSV, if required, should be located to sense pressure
throughout the header. If different pressure conditions exist in separate sections of the header, each section
should have the required protection.
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
43
Table A.5—Safety Analysis Table: Headers
Undesirable Event
Overpressure
Cause
Blocked or restricted outlet
Hydrate plug
Detectable Abnormal
Condition at Component
High pressure
Upstream flow control failure
Excess inflow
Leak
Deterioration
Low pressure
Erosion
Corrosion
Impact damage
Vibration
Table A.6—Safety Analysis Checklist: Headers
Item
A.3a.
A.3b.
A.3c.
Description
High-pressure sensor (PSH).
1)
PSH installed.
2)
Each input source is equipped with a PSH set less than the maximum allowable working pressure
(MAWP) of the header.
3)
Header is protected by downstream PSH that cannot be isolated from the header.
4)
Header is for flare, relief, vent, or atmospheric service and has no valving in the outlet piping.
Low-pressure sensor (PSL).
1)
PSL installed.
2)
Each input source is protected by a PSL and there are no pressure control devices or restrictions
between the PSL and the header.
3)
Header is for flare, relief, vent, or atmospheric service.
Pressure safety valve (PSV).
1)
PSV installed.
2)
Header has an MAWP greater than the maximum shut-in pressure of any connected well.
3)
Pressure-relief protection is provided on each input source having a maximum shut-in pressure greater
than the MAWP of the header.
4)
Header is protected by downstream pressure-relief device (PRD) that cannot be isolated from the header.
5)
Header is for flare, relief, vent, or atmospheric service and has no valving in the outlet piping.
6)
Input sources is a well(s) having a pressure greater than the MAWP of the header and that well is
equipped with two shutdown valves (SDVs) [one of which may be the original surface safety valve (SSV)]
controlled by independent PSHs connected to separate logic solver and sensing points and there is
adequate volume upstream of any block valves to allow sufficient time for the SSVs to close before
exceeding the MAWP. Other input sources having a pressure greater than the MAWP of the header are
protected by PSVs.
NOTE
7)
See additional design requirements in 6.2.2.2.5.
Input source is a well(s) having a pressure greater than the MAWP of the header and is protected by a
high-integrity pressure protection system (HIPPS) meeting the requirements Annex E.
44
API RECOMMENDED PRACTICE 14C
A.5 Pressure Vessels
A.5.1 Description
Pressure vessels handle hydrocarbons under pressure such as for separation, dehydration, storage, and
surge. Some pressure vessel applications require heat input. This discussion covers only the effects of
temperature to the process section of vessel. Electric heaters installed within process vessels are covered by
this section. Heat exchangers transferring heat between fluids are covered in A.6 and A.10. Pressure vessels
associated with compressors, other than compressor cylinders, should be protected in accordance with this
section. Compressor cylinders and cases are covered in A.8. Recommended safety devices for typical
pressure vessels are shown in Figure A.6.
A.5.2 Safety Analysis
A.5.2.1
Safety Analysis Table
The SAT for pressure vessels is presented in Table A.7. The undesirable events that can affect a pressure
vessel are overpressure, underpressure, overflow, gas blow-by, leak, and excess temperature.
Table A.7—Safety Analysis Table: Pressure Vessels
Undesirable Event
Cause
Detectable Abnormal
Condition at Component
Overpressure
Blocked or restricted outlet
Inflow exceeds outflow
Gas blow-by (upstream component)
Pressure control system failure
Thermal expansion
Excess heat input
Fire
High pressure
Underpressure (vacuum)
Withdrawals exceed inflow
Thermal contraction
Open outlet
Pressure control system failure
Low pressure
Liquid overflow
Inflow exceeds outflow
Liquid slug flow
Blocked or restricted liquid outlet
Level control system failure
High liquid level
Gas blow-by
Liquid withdrawals exceed inflow
Open liquid outlet
Level control system failure
Low liquid level
Leak
Deterioration
Erosion
Corrosion
Impact damage
Vibration
Low pressure, low liquid level
Excess temperature (high)
Temperature control system failure
High inlet temperature
High temperature
Excess temperature (low)
Temperature control system failure
Low inlet temperature
Low ambient temperature
Blowdown or rapid depressurization
Low temperature
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
NOTE 1
TSE designations are symbolic and are not intended to reflect actual location or quantity.
NOTE 2
If pressure vessel is subject to high temperature, TSH should be installed.
NOTE 3
If the vessel is subject to temperature lower than design a TSL must be installed. See A.4.2.2.4.
45
NOTE 4 Numbers used on safety devices are provided as reference for this drawing and are not required to be used
as actual tagging requirements.
Figure A.6—Safety Devices: Pressure Vessels
A.5.2.2
A.5.2.2.1
Safety Analysis Checklist
General
The SAC for pressure vessels is presented in Table A.8.
A.5.2.2.2
Pressure Safety Devices (PSH, PSL, and PSV)
A.4.2.2.2.1 A pressure vessel that receives fluids from a well or from other sources that can cause
overpressure should be protected by a PSH sensor to shut off inflow to the vessel. The PSH sensor need not
be provided on the vessel if a PSH sensor on other process components will sense vessel pressure and shut
off inflow to the vessel, and the PSH sensor cannot be isolated from the vessel; or if the vessel is the final
scrubber in a flare, relief, or vent system and is designed to withstand maximum built-up back pressure; or if
the vessel operates in atmospheric service and has an adequate vent system. A vessel receiving fluids from
a well shall be protected by a PSH sensor because the pressure potential of a well may increase due to
changes in reservoir conditions, artificial lift, workover activities, etc.
46
API RECOMMENDED PRACTICE 14C
Table A.8—Safety Analysis Checklist: Pressure Vessels
Item
A.4a.
Description
High-pressure sensor (PSH).
1)
2)
3)
4)
5)
6)
A.4b.
Low-pressure sensor (PSL).
1)
2)
PSL installed.
Minimum operating pressure is atmospheric pressure when in service.
3)
Each input source is protected by a PSL and there are no pressure control devices or restrictions between
the PSL(s) and the vessel.
4)
Vessel is scrubber or small trap, is not a process component, and adequate protection is provided by
downstream PSL or design function (e.g. vessel is gas scrubber for pneumatic safety system or final
scrubber for flare, relief, or vent system).
Adequately sized piping without block or regulating valves connects gas outlet to downstream equipment
protected by a PSL that also protects the upstream vessel.
5)
A.4c.
Pressure safety valve (PSV).
1) PSV installed.
2)
Each input source is protected by a pressure-relief device (PRD) set no higher than the MAWP of the
vessel and a PSV is installed on the vessel for fire exposure and thermal expansion.
3)
Each input source is protected by a PRD set no higher than the vessel’s MAWP and at least one of these
PRDs cannot be isolated from the vessel and the PRD is adequately sized for thermal expansion and fire
exposure for the vessels being protected.
PRDs on downstream equipment can satisfy relief requirement of the vessel and cannot be isolated from
the vessel.
Vessel is the final scrubber in a flare, relief, or vent system, is designed to withstand maximum built-up
back pressure, and has no internal or external obstructions, such as mist extractors, back pressure valves,
or flame arrestors.
4)
5)
6)
7)
A.4d.
PSH installed.
Input is from a pump or compressor that cannot develop pressure greater than the maximum allowable
working pressure (MAWP) of the vessel.
Input source is not a wellhead flowline(s), production header, or pipeline and each input source is protected
by a PSH that protects the vessel.
Adequately sized piping without block or regulating valves connects gas outlet to downstream equipment
protected by a PSH that also protects the upstream vessel.
Vessel is the final scrubber in a flare, relief, or vent system and is designed to withstand maximum built-up
back pressure.
Vessel operates in atmospheric service and has an adequate vent system.
Vessel is the final scrubber in a flare, relief, or vent system, is designed to withstand maximum built-up
back pressure, and is equipped with a PRD to bypass any internal or external obstructions, such as mist
extractors, back pressure valves, or flame arrestors.
Vessel is protected by a high-integrity pressure protection system (HIPPS) installed at the component or on
all input sources that may exceed the MAWP of the vessel, meeting the requirements in Annex E, and is
protected by a PSV for any other credible overpressure source the HIPPS is not designed to protect
against, to include those listed in 6.2.2.2.2 and HIPPS leakage.
High-level sensor (LSH).
1)
2)
3)
LSH installed.
Equipment downstream of gas outlet is not a flare or vent system and can safely handle maximum liquid
carry-over.
Vessel function does not require handling separated fluid phases.
4)
Vessel is a small trap from which liquids are manually drained.
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
47
Table A.8—Safety Analysis Checklist: Pressure Vessels (Continued)
A.4e.
A.4f.
A.4g.
Low-level sensor (LSL).
1)
LSL installed to protect each liquid outlet.
2)
Liquid level is not automatically maintained in the vessel, and the vessel does not have an immersed
heating element subject to excess temperature or the heating element is located in the gas phase.
3)
For vessels controlling a gas-liquid interface, equipment downstream of liquid outlet(s) can safely handle
maximum gas rates that can be discharged through the liquid outlet(s), and vessel does not have an
immersed heating element subject to excess temperature. Restrictions in the discharge line(s) may be
used to limit the gas flow rate.
4)
For vessels controlling a hydrocarbon/water interface, equipment downstream of liquid outlet(s) can safely
handle maximum hydrocarbon gas or liquid rates that can be discharged through the liquid outlet(s) and
vessel does not have an immersed heating element subject to excess temperature.
Check valve (FSV).
1)
FSV installed on each outlet.
2)
The maximum volume of hydrocarbons that could backflow from downstream equipment is insignificant.
3)
A control device in the line will effectively minimize backflow.
High-temperature sensor (TSH).
NOTE TSHs are applicable only to vessels having a heat source.
A.4h.
1)
TSH installed.
2)
(Deleted in Second Edition.)
3)
Heat source is incapable of causing excess temperature.
Low-temperature sensor (TSL).
NOTE Low-temperature sensors are applicable only to vessels subject to cooling.
1)
TSL installed.
2)
Materials suitable for all credible low temperatures considering both abnormal and normal operations.
A.4.2.2.2.2 A pressure vessel should be provided with a PSL sensor to shut off inflow to the vessel when
leaks large enough to reduce pressure occur, unless PSL sensors on other components will provide
necessary protection and the PSL sensor cannot be isolated from the vessel when in service. A PSL sensor
should not be installed if the vessel normally operates at atmospheric pressure or frequently varies to
atmospheric while in service.
A.4.2.2.2.3 A pressure vessel shall be protected by one or more PSVs with sufficient capacity to discharge
maximum vessel input rates. At least one PSV should be set no higher than the MAWP of the vessel.
API 521 may be used as a guide in determining set pressures of multiple relief valve installations. A PSV
need not be provided on a vessel if the vessel is the final scrubber in a flare, relief, or vent system; is
designed so that back pressure, including inertial forces, developed at maximum instantaneous flow
conditions will not exceed the working pressure of the lowest pressure rated element; and has no internal or
external obstructions, such as mist extractors, back pressure valves, or flame arrestors. If obstructions exist,
a PSV, or other PRD, should be installed to bypass the restriction. A PSV need not be provided on a vessel if
PRDs on other process components provide adequate relief capacity, relieve at or below vessel MAWP, and
cannot be isolated from the vessel when in service. If such PRDs are located on downstream components,
they shall not be isolated from the vessel at any time. Moreover, if upstream PRDs provide necessary
protection when the vessel is in service, but can be isolated when the vessel is shut in, a PSV should be
installed on the vessel for pressure relief due to thermal expansion or fire exposure.
48
API RECOMMENDED PRACTICE 14C
For vessels with an overpressure scenario that cannot be practicably protected by a PRD, an HIPPS may be
used. HIPPS installation shall be in accordance with Annex E. Where an HIPPS is installed, a PSV can be
required to protect against other credible overpressure scenarios, including those listed in 6.2.2.2.2 and
HIPPS leakage.
A.4.2.2.2.4 If a pressure vessel is subject to underpressure that can cause it to collapse, the vessel should
be provided with a gas makeup system that will maintain adequate pressure in the vessel.
A.5.2.2.3
Level Safety Devices (LSH and LSL)
A pressure vessel that discharges to flare should be protected from liquid overflow by an LSH sensor to shut
off inflow to the vessel. Vessels that do not discharge to flare should also be protected by an LSH sensor
unless downstream process components can safely handle maximum liquids that could overflow. Normal
response to an LSH is to shut off inflow to the vessel. Downstream components (e.g. compressors) may
require shutdown to prevent equipment failure. A pressure vessel should be protected from gas blow-by by
an LSL sensor to shut off the liquid outlet or shut off inflow when closure of the inflow valve alone prevents
the downstream vessel from exceeding the MAWP caused by gas blow-by. The LSL sensor is not required if
a liquid level is not maintained in the vessel during normal operation or downstream equipment can safely
handle any gas that could blow-by without venting flammable vapors to an unsafe area. An LSL sensor to
shut off the heating source should be provided in a heated vessel if the heating element is immersed. Level
devices are not required on pressure vessels that are not designed for liquid-gas separation or on small traps
from which liquids are manually drained. This includes such vessels as pressure-surge bottles, de-sanders,
gas volume bottles, gas meter drip traps, fuel gas filters, etc.
A.5.2.2.4
Temperature Safety Devices (TSH and TSL)
If a pressure vessel is heated, a TSH sensor should be provided to shut off the source of heat when process
fluid temperature becomes excessive.
If process vessel, pipe or equipment is exposed to JT effect cooling, a TSL sensor should be provided to
shut off JT effect cooling flow. If the JT effect cooling is the result of a shutdown-blowdown operation, the
TSL should activate a permissive that does not allow the equipment to be pressurized until the actual
temperature exceeds the minimum design temperature. The TSL is not required if the equipment is designed
for the minimum credible JT effect temperature. This requirement excludes blowdown piping and relief
headers.
A.5.2.2.5
Flow Safety Devices (FSV)
An FSV should be installed in each gas and liquid discharge line if significant fluid volumes could backflow
from downstream components in the event of a leak. An FSV is not required if a control or safety device in
the line will effectively minimize backflow. Whether backflow is significant is a judgment decision. If a line
discharges to a pressure vessel at a point above the liquid level range, the backflow of liquids should be
insignificant. Whether or not the gas volume is insignificant should depend on the size and pressure of the
gas section and the conditions where a leak might occur.
A.5.3 Safety Device Location
A.5.3.1
Pressure Safety Devices (PSH, PSL, and PSV)
The PSH and PSL sensors and the PSV should be located to sense or relieve pressure from the gas or
vapor section of the vessel. This is usually on or near the top. However, such devices may be located on the
gas outlet piping if the pressure drop from the vessel to the sensing point is negligible and if the devices
cannot be isolated from the vessel. Such isolation could be caused externally (e.g. by blocked valves on gas
outlet) or internally (e.g. by plugged mist extractors).
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
A.5.3.2
49
Level Safety Devices (LSH and LSL)
The LSH sensor should be located a sufficient distance above the highest operating liquid level to prevent
nuisance shutdowns but with adequate vessel volume above the LSH sensor to prevent overflow before
shutdown can be affected. The LSL sensor should be located a sufficient distance below the lowest
operating liquid level to prevent nuisance shutdowns but with adequate liquid volume between the LSL
sensor and liquid outlet to prevent gas blow-by before shutdown can be affected. In heated components, the
LSL should be located above the heating elements. The LSH and LSL sensors should preferably be installed
in external columns that can be isolated from the vessel. The column will be fitted with vents and drains to
permit testing the devices without interrupting the process. However, if solid deposits or foam cause fouling
or false indication of devices in external columns, the level sensors may be installed directly in the vessel. In
this case, a pump may be required to manipulate vessel liquid level for testing.
A.5.3.3
Flow Safety Device (FSV)
FSVs should be located in outlet piping.
A.5.3.4
Temperature Safety Devices (TSH and TSL)
The temperature sensors, other than fusible or skin contact types, should be installed in thermowells for ease
of removing and testing. The thermowell should be located where it will be accessible and continuously
immersed in the fluids subject to temperatures outside of safe operating limits.
A.5.3.5
Shutdown Devices (SDV)
An SDV is required on liquid outlets if closing the vessel inlets on LSL does not prevent exceeding the
downstream vessel MAWP caused by gas blow-by.
A.6 Atmospheric Vessels
A.6.1 Description
Atmospheric vessels are used for processing and temporary storage of liquid hydrocarbons including
flammable chemicals. Some applications require heat input to the vessel. This discussion covers only the
effects of heat input to the process section of an atmospheric vessel. Heating equipment is covered in A.6
and A.10. Recommended safety devices for typical atmospheric vessels used in a production process
system are shown in Figure A.7. Vessels such as those used for diesel fuel and nonflammable chemical
storage that are ancillary to the production process system are not covered by this document. However,
some of the recommendations contained in Annex G can be applicable when installing such equipment.
NOTE
This document does not cover integral hull storage or tanks that are subject to other marine design standards.
A.6.2 Safety Analysis
A.6.2.1
Safety Analysis Table
The SAT for atmospheric vessels is presented in Table A.9. The undesirable events that can affect an
atmospheric vessel are overpressure, underpressure, overflow, leak, and excess temperature if the vessel is
heated.
A.6.2.2
A.6.2.2.1
Safety Analysis Checklist
General
The SAC for atmospheric vessels is presented in Table A.10.
50
API RECOMMENDED PRACTICE 14C
NOTE 1
TSE designations are symbolic and are not intended to reflect actual location or quantity.
NOTE 2
If atmospheric vessel is heated, TSH should be installed.
NOTE 3
A vent line might contain pressure- and/or vacuum-relief device.
NOTE 4
A second vent may be installed in lieu of the PVRV.
Figure A.7—Safety Devices: Atmospheric Vessels
Table A.9—Safety Analysis Table: Atmospheric Vessels
Undesirable Event
Cause
Detectable Abnormal
Condition at Component
Over pressure
Blocked or restricted outlet
Inflow exceeds outflow
Gas blow-by (upstream component)
Pressure control system failure
Thermal expansion
Excess heat input
Fire
High pressure
Underpressure
(vacuum)
Withdrawals exceed inflow
Thermal contraction
Pressure control system failure
Low pressure
Liquid overflow
Inflow exceeds outflow
Blocked or restricted outlet
Level control system failure
High liquid level
Leak
Deterioration
Erosion
Corrosion
Impact damage
Vibration
Vacuum collapse
Low liquid level
Excess temperature
Temperature control system failure
High inlet temperature
High temperature
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
51
Table A.10—Safety Analysis Checklist: Atmospheric Vessels
Item
A.5a.
A.5b.
A.5c.
A.5d.
Description
Vent
1)
Vent installed.
2)
Vessel is protected by a high-integrity pressure protection system (HIPPS) meeting the
requirements in Annex E and is protected by a vent for any other credible overpressure
and underpressure source the HIPPS is not designed to protect against, to include
b
those listed in 6.2.2.2.2 and HIPPS leakage.
Pressure-vacuum relief valve (PVRV).
1)
2)
PVRV installed.
Vessel has second vent capable of handling maximum gas volume.
3)
Component is a pressure vessel, not subject to collapse, that operates in atmospheric
service and is equipped with an adequately sized vent.
4)
Vessel has no pressure sources (except blanket gas and/or manual drains) and is
equipped with an adequately sized vent.
5)
Vessel is protected by an HIPPS meeting the requirements in Annex E and is protected
by a PVRV for any other credible overpressure and underpressure source the HIPPS is
not designed to protect against, to include those listed in 6.2.2.2.2 and HIPPS leakage.
High-level sensor (LSH).
1)
2)
LSH installed.
Fill operations are continuously attended.
3)
Overflow is diverted or contained by other process components.
Low-level sensor (LSL).
1) LSL installed.
2)
3)
4)
A.5e.
a
Adequate containment system is provided.
Liquid level is not automatically maintained in the vessel, and vessel does not have an
immersed heating element subject to excess temperature.
Component is final vessel in a containment system designed to collect and direct
hydrocarbon liquids to a safe location.
High-temperature sensor (TSH).
NOTE TSHs are applicable only to vessels having a heat source.
1)
TSH installed.
2)
3)
(Deleted in Second Edition.)
Heat source is incapable of causing excess temperature.
a
A vent is a pipe or fitting on a vessel that opens to atmosphere. This vent line may contain a pressureand/or vacuum-relief device but shall not contain pressure controlling device.
b
An HIPPS may be used for overpressure protection of a single scenario. Where an HIPPS is used, it
provides both primary and secondary protection for that single scenario and safety analysis checklist references
A.5a.2) and A.5b.3) both apply to that scenario.
A.6.2.2.2
Pressure Safety Devices (Vent and PVRV)
An atmospheric vessel should be protected from overpressure and underpressure by two adequately sized
vent systems (primary and secondary levels of protection). API 2000 may be used as a guide for sizing vent
systems. A flame arrestor should be included in the vent system to prevent flame migration back to the vessel.
Alternative types of arrestors (e.g. detonation arrestors) should be considered when the installation location
would render a flame arrestor ineffective in preventing flame migration back to the atmospheric vessel.
For those vessels with an overpressure scenario that cannot be practicably protected by a vent system, an
HIPPS, meeting the requirements in Annex E, may be used. Two vent systems shall be installed for any
other credible overpressure or underpressure scenarios the HIPPS is not designed to protect against,
including those listed in 6.2.2.2.2 and HIPPS leakage.
52
API RECOMMENDED PRACTICE 14C
For the second level of protection, a PVRV or a second vent should be installed to protect the vessel in case
the primary vent control device(s) fouls or otherwise obstructs flow. The PVRV or second vent is not required
when:
a)
a pressure vessel not subject to collapse is used in atmospheric service, or
b)
an atmospheric vessel has no pressure sources (except blanket gas) piped to it. A blanket gas system
may be desirable to exclude air from an atmospheric vessel where a flammable mixture can exist.
A.6.2.2.3
Level Safety Devices (LSH and LSL)
Protection from liquid overflow from an atmospheric vessel should be provided by an LSH sensor to shut off
inflow unless fill operations are continuously attended or overflow is diverted to other process components.
An LSL sensor should be provided to shut off the heat source if the vessel has an immersed heating element
subject to excess temperature. When the liquid level is automatically maintained in the vessel, an LSL
sensor should be provided to protect against leaks by shutting of inflow. A containment system to collect
leakage is preferable to a low-level sensor when normal inflow of liquids would preclude the sensor’s
detection of a leak.
A.6.2.2.4
Temperature Safety Devices (TSH)
If an atmospheric vessel is heated, a TSH sensor should be provided to shut off the source of heat when
process fluid temperature becomes excessive.
A.6.3 Safety Device Location
A.6.3.1
Pressure Safety Devices (Vent and PVRV)
The vent and PVRV should be located on the top (highest practical elevation in the vapor section) of
atmospheric vessels. Flame arrestors should be located near the discharge point in the vent pipe. If this
makes access to the flame arrestor difficult, then consideration should be given for an alternate arrestor type
(e.g. detonation arrestors) to allow for installation further back from the vent discharge point in a location that
is accessible.
A.6.3.2
Level Safety Devices (LSH and LSL)
The LSH sensor should be located at a sufficient distance above the highest operating liquid level to prevent
nuisance shutdowns but with adequate vessel volume above the LSH sensor to contain liquid inflow during
shut-in. The LSL should be located at a sufficient distance below the lowest operating liquid level to avoid
nuisance shutdowns. In heated element components, the LSL should be located above the heating
elements. The LSH and LSL sensors should preferably be located in external columns for ease of testing
without interrupting the process. However, internally mounted sensors are also acceptable as discussed in
A.4.3.2.
A.6.3.3
Temperature Safety Devices (TSH)
The TSH sensors, other than fusible or skin contact types, should be installed in thermowells for ease of
removal and testing. The thermowell should be located for accessibility and should be continuously
immersed in the process fluid.
A.7 Fired and Exhaust-heated Components
A.7.1 Description
Fired and exhaust-heated components are used for processing and heating hydrocarbons. Included are both
direct and indirect fired atmospheric and pressure vessels and tube-type heaters equipped with either
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
53
automatically controlled natural or forced draft burners. Also included are exhaust-heated components that
use exhaust gases from other equipment such as turbines and engines as a heat source and that may or
may not be supplementary fired. This section discusses the required protection for firing equipment of a fired
component and for the heating section of exhaust-heated components. Protection for the process portion of
a fired or exhaust-heated component is discussed under the appropriate component. Safety devices for a
typical fired vessel equipped with a natural draft burner or a forced draft burner are shown in Figures A.8 and
A.9, respectively. Safety devices for a typical exhaust-heated component are shown in Figure A.10. API 556
should be used to ensure a complete set of protective system requirements.
A.7.2 Safety Analysis
A.7.2.1
Safety Analysis Table
The SAT is presented for fired components with natural draft burners in Table A.11, for those with forced
draft burners in Table A.12, and for exhaust-heated components in Table A.13. The undesirable events that
can affect a fired component or supplementary-fired exhaust-heated component are excess temperature,
direct ignition source, excess fuel in the firing chambers, and overpressure. The undesirable events that can
affect an exhaust-heated component are excess temperature and overpressure.
NOTE 1
TSE designations are symbolic and are not intended to reflect actual location or quantity.
NOTE 2
The vessel portion should be analyzed according to A.4 or A.5.
NOTE 3 Numbers used on safety devices are provided as reference for this drawing and are not required to be used
as actual tagging requirements.
Figure A.8—Safety Devices: Typical Fired Vessel (Natural Draft)
54
API RECOMMENDED PRACTICE 14C
NOTE 1
TSE designations are symbolic and are not intended to reflect actual location or quantity.
NOTE 2
The vessel portion should be analyzed according to A.4 or A.5.
NOTE 3
Stack arrestor may be eliminated (see A.6.2.2.5.2).
NOTE 4 Numbers used on safety devices are provided as reference for this drawing and are not required to be used
as actual tagging requirements.
Figure A.9—Safety Devices: Typical Fired Vessel (Forced Draft)
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
NOTE
55
TSE designations are symbolic and are not intended to reflect actual location or quantity.
Figure A.10—Safety Devices: Exhaust-heated Component
Table A.11—Safety Analysis Table: Fired Components, Natural Draft
Undesirable Event
Excess temperature
Direct ignition source
Cause
Detectable Abnormal
Condition at Component
Temperature control system failure
High temperature (process)
Inadequate flow
Limited heat transfer
High temperature (stack)
Low process flow rate
Ignition of medium leak into fired chamber
Exposed heat transfer surface
Low liquid level
Flame emission from air intake
Spark emission from exhaust stack
External fire
High-temperature stack
Excess stack temperature
Exposed hot surface
Excess combustible vapors in firing chamber
Fuel control system failure
Flame failure
High fuel pressure
Low fuel pressure
56
API RECOMMENDED PRACTICE 14C
Table A.12—Safety Analysis Table: Fired Components, Forced Draft
Undesirable Event
Excess temperature
Detectable Abnormal
Condition at Component
Cause
Temperature control system failure
Inadequate flow
High temperature (process)
High temperature (stack)
Limited heat transfer
Ignition of medium leak into fire chamber
Low flow rate
Low liquid level
Exposed heat transfer surface
Direct ignition source
Flame emission from air intake
Spark emission from exhaust stack
External fire
High temperature (stack)
Excess stack temperature
Exposed hot surface
Excess combustible vapors in firing chamber
Fuel control system failure
Air supply control system failure
Low air pressure
Flame failure
Blocked air inlet
Blower failure
High fuel pressure
Low fuel pressure
Low air velocity
Table A.13—Safety Analysis Table: Exhaust-heated Components
Undesirable Event
Excess temperature
Direct ignition source
Detectable Abnormal
Cause
Condition at Component
Temperature control system failure
High temperature (medium)
Inadequate flow
Limited heat transfer
High temperature (stack)
Low flow rate
Ignition of medium leak into
Exposed heated chamber heat transfer surface
Low liquid level
Spark emission from exhaust stack
High temperature (stack)
Excess stack temperature
Exposed hot surface
Fire
When supplemental firing is used, components should also be analyzed in accordance with Table A.11 or Table A.12, as applicable.
A.7.2.2
A.7.2.2.1
Safety Analysis Checklist
General
The SAC for fired and exhaust-heated components is presented in Table A.14.
A.7.2.2.2
Temperature Safety Devices (TSH)
A.6.2.2.2.1 The medium or process fluid temperature in a fired component should be monitored by a TSH
sensor to shut off the fuel supply and the inflow of combustible fluids. If a component is exhaust heated, the
exhaust should be diverted or the source of exhaust shutdown. A TSH to sense medium or process fluid
temperature is generally not necessary for an indirect water bath heater in atmospheric service since the
maximum temperature is limited by the boiling point of the water bath.
A.6.2.2.2.2 The flow of combustible medium in a closed heat transfer system, where the medium is
circulated through tubes located in the firing or exhaust-heated chamber, should not be shut off until the
chamber has cooled. Activation of either the ESD system or fire detection system should immediately shut
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
57
off medium flow if an uncontrolled fire has occurred in the area or the medium is escaping from a closed
system.
A.6.2.2.2.3 Temperature in the burner exhaust stack should be monitored by a TSH sensor to shut off the
fuel supply and the inflow of combustible fluids. Temperature in the exhaust-heated component stack should
be monitored by a TSH sensor to shut off the inflow of combustible medium and to shut down the exhaust
source. A TSH sensor is not required on a fired component located in an isolated area not handling
combustibles other than fuel.
Table A.14—Safety Analysis Checklist: Fired and Exhaust-heated Components
Item
A.6a.
A.6b.
Description
High-temperature sensor (medium or process fluid) (TSH).
1)
2)
TSH installed.
Component is a steam generator protected by a PSH or, if fired, by a low-level sensor (LSL).
3)
Component is an indirect water bath heater in atmospheric service and is protected by an LSL.
TSH (stack).
1)
2)
TSH installed.
Component is isolated and does not handle combustible medium or process fluids other than fuel.
3)
Component is exhaust heated without supplemental firing and medium is not combustible.
A.6c.
(Deleted in Second Edition.)
A.6d.
Low-pressure sensor (air supply) (PSL).
A.6e.
1)
2)
PSL installed.
Component is equipped with a natural draft burner.
3)
4)
Forced draft burner is equipped with another type of low air supply sensor.
Component is exhaust heated without supplemental firing.
High-pressure sensor (fuel supply) (PSH).
1)
2)
A.6f.
PSL (fuel supply).
1) PSL installed.
2)
3)
A.6g.
BSL installed.
Component is exhaust heated without supplemental firing.
Low-flow sensor (heated medium) (FSL).
1) FSL installed.
2)
A.6i.
Component is equipped with a natural draft burner.
Component is exhaust heated without supplemental firing.
Flame failure sensor (BSL)
1)
2)
A.6h.
PSH installed.
Component is exhaust heated without supplemental firing.
Component is not a closed heat transfer type in which a combustible medium flows through tubes located in
the firing or exhaust-heated chamber.
Motor interlock (forced draft fan motor).
1)
2)
Motor interlock installed.
Component is equipped with a natural draft burner.
3)
Component is exhaust heated without supplemental firing.
58
API RECOMMENDED PRACTICE 14C
Table A.14—Safety Analysis Checklist: Fired and Exhaust-heated Components (Continued)
A.6j.
A.6k.
A.6l.
A.6m.
Flame arrestor (air intake).
1)
2)
Flame arrestor installed.
Component is equipped with a forced draft burner.
3)
Component is located in an isolated area and not handling combustible medium or process fluids other than
fuel.
4)
Component is exhaust heated without supplemental firing.
Stack arrestor.
1) Stack arrestor installed.
2)
Component is equipped with a forced draft burner and (i) the fluid being heated is nonflammable or (ii) the
burner draft pressure at the exit of the transfer section is higher than the fluid pressure (head).
3)
4)
Component is isolated so process fluids will not contact stack emissions.
Component is exhaust heated without supplemental firing or supplemental fired and the fluid being heated
is nonflammable.
Pressure safety valve (medium circulating tube) (PSV).
1)
2)
PSV installed.
Component is not a tube-type heater.
3)
Pressure-relief device (PRD) installed on another component will provide necessary protection and the PRD
cannot be isolated from the tube section.
Check valve (medium circulating tube) (FSV).
1)
2)
3)
A.7.2.2.3
FSV installed on each outlet.
The maximum volume of combustible medium that could backflow from downstream equipment is
insignificant or medium is not combustible.
Component is not a tube-type heater.
Flow Safety Devices (FSL and FSV)
When a combustible medium is circulated through tubes located in the firing or exhaust-heated chamber, the
medium flow rate should be monitored by an FSL sensor to shut off the fuel supply to a fired component or to
divert the exhaust flow from an exhaust-heated component. In this type of component, high temperature in
the medium could occur before being detected by a TSH (medium) sensor located outside the heater. An
FSL sensor is not required in other types of heaters because the TSH (medium) sensor is located in the
medium section and should immediately detect the high temperature condition. An FSV should be located in
tube outlet piping to prevent backflow into the fired or heated chamber in the event of tube rupture.
A.7.2.2.4
Pressure Safety Devices (PSH, PSL, and PSV)
The pressure in the fuel supply line should be monitored by PSH and PSL sensors to shut off the fuel supply
to the burner. In some cases, implementation of a PSL may not be practical due to near atmospheric
operation of the fuel gas. The air intake pressure of a forced draft burner should be monitored by a PSL
sensor to shut off the fuel and air supply. An air velocity device may be used to monitor air supply in lieu of a
PSL sensor. The PSL sensor on the air intake is not required on a natural draft burner because of the low air
intake pressure. Flow tubes located in the firing or exhaust-heated chamber of a tube-type heater should be
protected by a PSV from overpressure caused by expansion of the medium or process fluid.
A.7.2.2.5
Ignition Safety Devices
A.6.2.2.5.1 The air intake of a natural draft burner should be equipped with a flame arrestor to prevent
flame migration back through the air intake. A flame arrestor is not required on a forced draft burner because
the air velocity through the air intake prevents flame migration or the PSL sensor in the air intake and fan
motor starter interlock shut off the air intake.
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
59
A.6.2.2.5.2 The stack on a natural draft burner should be equipped with a stack arrestor to prevent spark
emission. When the fired component is not handling combustibles other than fuel and is located in an
isolated area, the arrestor is not necessary. A stack arrestor may not be necessary on a forced draft burner
due to the higher combustion efficiency that prevents carbon buildup. A stack arrestor is required if the fluid
being heated is flammable or the burner draft pressure at the exit of the transfer section is lower than the
fluid pressure (head).
A.6.2.2.5.3 The motor on a forced draft fan should be equipped with a motor starter interlock to sense
motor failure and shut off the fuel and air supply.
A.6.2.2.5.4 The flame in the firing chamber should be monitored by a BSL sensor that will detect a flame
insufficient to immediately ignite combustibles entering the firing chamber and will shut off fuel supply.
A.7.3 Safety Device Location
A.7.3.1
Temperature Safety Devices (TSH)
Temperature sensors, other than fusible or skin contact types, should be installed in a thermowell for ease of
removal and testing. When the fire tube is immersed, the TSH sensor should be located in the heated liquid
medium or process fluid. When the liquid medium or process fluid flows through tubes within the firing or
exhaust-heated chambers, the TSH sensor should be located in the discharge line as close as is practical to
the heater and upstream of all isolating devices. A TSH sensor in the stack should be located near the base
of the exhaust stack.
A.7.3.2
Flow Safety Devices (FSL and FSV)
In a closed heat transfer system with a combustible medium, an FSL sensor should be located in the
medium circulating tube piping. The sensor should be located in the medium outlet line as close to the heater
as is practical and should monitor total flow through the heater provided there are no single pass isolation or
control valves installed. If passes can be individually isolated, an FSL should be installed on each pass. An
FSV should be installed in the tube outlet piping.
A.7.3.3
Pressure Safety Devices (PSH, PSL, and PSV)
A PSL sensor in the air intake of a forced draft burner should be located downstream of the blower. The PSH
and PSL sensor in the fuel supply line should be located downstream of the last pressure regulator and the
fuel control valve to detect either regulator or control failures. A PSV on the tubes of a tube-type heater
should be located where it cannot be isolated from the heated section of the tubes.
A.7.3.4
Ignition Safety Devices
The flame and stack arrestors on fired components should be located to prevent flame emission from the air
intake and spark emission from the exhaust stack. The BSL sensor should be located in the firing chamber.
A.7.4 Safe Operating Procedures and/or Automated Start-up Sequences
In addition to the safety devices indicated in Tables A.8, A.10, and A.14, the following sequence shall be
followed to safely operate a fired or exhaust-heated component. See API 556 for additional information on
process heaters.
a)
Ensure complete fuel shutoff.
b)
Void firing chamber of excess combustibles prior to pilot ignition.
c)
Limit time on trial for ignition of pilot and main burner to prevent excess fuel accumulation in fire
chamber. After the time limit is exceeded, the fuel should be shut off and a manual reset start-up
required.
60
API RECOMMENDED PRACTICE 14C
d)
Prove pilot and ensure fuel-air proportioning dampers and burner controls are in low fire position prior to
opening fuel supply to main burner.
e)
Manually reset start-up controls following a flame failure of either the pilot or main burner.
f)
Ensure fuel is clean from all residue and foreign materials by providing adequate fuel cleaning
equipment.
g)
Ensure that exhaust is diverted around exhaust-heated component prior to starting up heat source, if
applicable.
A.8 Pumps
A.8.1 Description
Pumps transfer liquids within the production process and into pipelines leaving the platform. Pipeline pumps
transfer produced hydrocarbons from the process system to a pipeline. Pumps that occasionally transfer
small volumes of hydrocarbons from ancillary equipment (swab tanks, sumps, etc.) to a pipeline that receives
the bulk of its volume from another source are not considered pipeline pumps. Glycol-powered glycol pumps
circulate glycol within a closed system. Other pumps transfer produced liquids, heat transfer liquids, or
chemicals within the production process system or from the containment system to the process system
(booster/charge pumps, sump pumps chemical injection pumps, heating medium circulating pumps, glycol
pumps, etc.). Safety devices for typical pump installations are shown in Figures A.11 through A.15.
NOTE 1
Numbers used on safety devices are provided as reference for this drawing and are not required to be used
as actual tagging requirements.
NOTE 2
TSE designations are symbolic and are not intended to reflect actual location or quantity.
Figure A.11—Safety Devices: Pipeline Pump
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
NOTE
TSE designations are symbolic and are not intended to reflect actual location or quantity.
Figure A.12—Safety Devices: Glycol-powered Glycol Pump
61
62
NOTE 1
API RECOMMENDED PRACTICE 14C
TSE designations are symbolic and are not intended to reflect actual location or quantity.
NOTE 2 Numbers used on safety devices are provided as reference for this drawing and are not required to be used
as actual tagging requirements.
a
MAWP extends back to first isolation component or check valve.
Figure A.13—Safety Devices: Other Pump
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
NOTE 1
63
LSL detects failure of secondary outboard seal.
NOTE 2 PSH on the seal pot shows failing of primary seal, but containment is not lost; therefore, the pump can be
shut down in a controlled stop.
NOTE 3
An FSL or recycle can be used to protect pumps against problems with minimum flow.
NOTE 4
For suction and discharge piping protection; see Figures A.11 to A.13.
Figure A.14—Safety Devices: Simple Overhung Centrifugal Pump Seal System
64
API RECOMMENDED PRACTICE 14C
NOTE 1
LSL detects failure of secondary outboard seal.
NOTE 2 PSH on the seal pot shows failing of primary seal, but containment is not lost; therefore, the pump can be
shutdown in a controlled stop.
NOTE 3
An FSL or recycle system can be used to protect pumps against problems with minimum flow.
NOTE 4
For suction and discharge piping protection; see Figures A.11 to A.13.
NOTE 5 Numbers used on safety devices are provided as reference for this drawing and are not required to be used
as actual tagging requirements.
Figure A.15—Safety Devices between the Bearings Type Centrifugal Pump Seal System
A.8.2 Safety Analysis
A.8.2.1
Safety Analysis Table
The SAT for pumps is presented in Table A.15. The undesirable events that can affect a pump are
overpressure and leak.
A.8.2.2
A.8.2.2.1
Safety Analysis Checklist
General
The SAC for pumps is presented in Table A.16.
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
65
Table A.15—Safety Analysis Table: Pumps
Undesirable Event
Overpressure
Detectable Abnormal
Condition at Component
Cause
Blocked or restricted discharge line
Excess back pressure
High pressure
Low flow
High inlet pressure (centrifugal)
Overspeed
Fluid density increase
Reverse flow
Leak
Deterioration
Low pressure
Erosion
Corrosion
Vibration
Low flow
Impact damage
Table A.16—Safety Analysis Checklist: Pumps
Item
Description
A.7a.
High-pressure sensor (PSH)—pipeline pumps, discharge.
1) PSH installed.
A.7b.
PSH—other pumps, discharge.
1)
2)
A.7c.
3)
PSH installed.
Maximum pump discharge pressure does not exceed 70 % of the maximum allowable working pressure
(MAWP) of the discharge piping.
Pump is manually operated and continuously attended.
4)
5)
Low-volume pumps.
Pump discharges to an atmospheric vessel.
6)
Pump is a glycol-powered glycol pump.
Low-pressure sensor (PSL)—pipeline pumps.
1)
2)
A.7d.
A.7e.
PSL—other pumps.
1)
2)
PSL installed.
Pump is manually operated and continuously attended.
3)
4)
Adequate containment is provided.
Low-volume pumps.
5)
Pump discharges to an atmospheric vessel.
Pressure safety valves (PSVs)—discharge of pipeline pumps.
1)
2)
A.7f.
PSL installed.
Pump does not handle hydrocarbons.
PSV installed.
Pump is centrifugal type and incapable of generating a head greater than the MAWP of the discharge
piping.
PSVs—discharge of other pumps.
1) PSV installed.
2)
3)
Maximum pump discharge pressure is less than the MAWP of discharge piping.
Deleted in Eighth Edition.
4)
Pump is a glycol-powered glycol pump, and the wet glycol low-pressure discharge piping is rated higher
than the maximum discharge pressure.
5)
Pump is a glycol-powered glycol pump, and the wet glycol low-pressure discharge piping is protected by
a PRD on a downstream component that cannot be isolated from the pump.
66
API RECOMMENDED PRACTICE 14C
Table A.16—Safety Analysis Checklist: Pumps (Continued)
A.7g.
Check valve (FSV)—all pumps.
1)
A.7h.
PSVs—suction, all pumps.
1) PSV installed.
2)
3)
A.7i.
A.7j.
4)
Suction piping has an MAWP greater than the discharge PSV set point.
Discharge piping is not rated higher than the suction piping and no other sources can exceed the MAWP
of the suction piping.
Suction piping is protected by a PSV on an upstream component that cannot be isolated from the pump.
5)
Pump is a glycol-powered glycol pump.
Low-flow sensor (FSL)—all pumps.
1)
2)
FSL installed.
The pump is a positive displacement type.
3)
4)
Pump is manually operated and continuously attended.
Low-volume pumps.
5)
6)
No low continuous flow (restricted or blocked flow) scenario.
A properly designed recycle system is installed.
7)
PSH and/or PSL have trip set points selected to detect loss of flow.
High-vibration sensor(s) (VSH).
1) VSH installed.
2)
3)
A.7k.
A.7l
A.8.2.2.2
FSV installed.
Pump with driver less than 1000 hp.
Pump is manually operated and continuously attended.
Low-level sensor (LSL)—centrifugal seal buffer pot.
1) LSL installed.
2)
3)
Pump with driver less than 1000 hp and in nonvolatile service.
Pump is manually operated and continuously attended.
4)
5)
Pump has a secondary gas seal with failure detection pump shutdown.
Seal buffer pots not installed.
PSH—centrifugal seal buffer pot.
1)
2)
PSH installed.
Pump with driver less than 1000 hp and in nonvolatile service.
3)
4)
Pump is manually operated and continuously attended.
Pump has a secondary seal with failure detection pump shutdown.
5)
Seal buffer pots not installed.
Pressure Safety Devices (PSH, PSL, and PSV)
PSH and PSL sensors should be provided on all hydrocarbon pipeline pump discharge lines to shut off inflow
and shut down the pump.
A PSH sensor to shut down the pump should be provided on the discharge line of other pumps, unless the
maximum pump discharge pressure does not exceed 70 % of the MAWP of the discharge line or the pump is
manually operated and continuously attended. A PSH sensor is not required on glycol-powered glycol
pumps. Other hydrocarbon pumps should also be provided with a PSL sensor to shut down the pump, unless
the pump is manually operated and continuously attended or adequate containment is provided. PSL
sensors should be provided on glycol-powered glycol pumps to shut off wet glycol flow to the pump.
PSH and PSL sensor may also be used to detect loss of flow through an operating pump. These may only be
selected for this service if the pump flow curve is suitable for detection of loss of flow by these devices for
each credible cause and process fluid.
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
67
PSH and PSL sensor on small, low-volume pumps are not required. Low-volume pumps are defined as
1
sump pump, chemical injection pumps, or transfer pumps that have a discharge rating of less than /2 gpm.
A suction PSV should be provided on all pumps where backflow is possible, either through the pump or the
recycle line, for overpressure protection due to backflow unless the suction piping and components have an
MAWP greater than or equal to the pump discharge PSV set point, or the discharge piping is not rated higher
than the suction piping, or the suction piping is protected by a PRD on an upstream component that cannot
be isolated from the pump. A suction PSV is not required on glycol-powered glycol pumps.
A PSV should be provided on all pipeline pump discharge lines, unless the pump is a centrifugal type and is
incapable of generating a head greater than the MAWP of the discharge piping.
A PSV should be provided in the discharge line of all other pumps unless the maximum pump discharge
pressure is less than the MAWP of the line. A PSV should be provided in the wet glycol low-pressure discharge
line of glycol-powered glycol pumps unless the line is rated higher than the maximum pump discharge pressure
or is protected by a PRD on a downstream component that cannot be isolated from the pump.
A.8.2.2.3
Flow Safety Devices (FSV and FSL)
An FSV should be provided in the pump discharge line to minimize backflow.
A flow safety low (FSL) should be provided in the pump discharge line to shut down the pump and protect
the pump from continuing operation at less than the manufacturer’s recommended minimum flow. Operating
at below minimum flow can result in seal failure. An FSL is not required if one of the following conditions
exists.
a)
The pump is a positive displacement type.
b)
The pump is manually operated and continuously attended.
c)
The pump is low volume.
d)
There is no minimum continuous flow (restricted or blocked flow) scenario and an LSL is installed on
upstream feed vessel. A blocked flow scenario should be considered if the installation includes a strainer
or valve(s) that are not locked open.
e)
A recycle system is installed.
f)
PSH and/or PSL have trip set points selected to detect loss of flow.
A.8.2.2.4
Vibration Safety Devices
A vibration safety high device (VSH) should be provided on pump casings to shut down the pump in the
event of a failure that may result in a loss of containment. A VSH is not required if
— the pump with driver less than 1000 hp (high-energy pumps are at greater risk of loss of containment
caused by mechanical failure), or
— the pump is manually operated and continuously attended.
A.8.2.2.5
Seal Buffer Pot Level Safety Low
When dual mechanical seals are installed, a level safety low device (LSL) should be provided on centrifugal
pump seal buffer pot to shut down the pump and prevent a significant leak. An LSL should also be provided
on upstream pump feed vessels that shut down the pump on low feed level (see A.4.1). An LSL on the pump
seal buffer pot is not required if
— the pump is less than 1000 hp and in nonvolatile service, or
68
API RECOMMENDED PRACTICE 14C
— the pump is manually operated and continuously attended, or
— the pump has a secondary gas seal with failure detection pump shutdown.
A.8.2.2.6
Seal Buffer Pot Pressure Safety High
When dual mechanical seals are installed, a pressure safety high device (PSH) should be provided on
centrifugal pump seal buffer pot to shut down the pump and prevent a significant leak. A PSH on the pump
seal buffer pot is not required if
— the pump with driver less than 1000 hp and in nonvolatile service,
— the pump is manually operated and continuously attended,
— the pump has a secondary gas seal with failure detection pump shutdown.
A.8.3 Safety Device Location
A.8.3.1
Pressure Safety Devices (PSH, PSL, and PSV)
The PSH and PSL sensors should be located on the pump discharge line upstream of the FSV or any block
valve. In a glycol-powered glycol pump, the PSL on the wet glycol high-pressure line should be located
between the pump and the SDV. The PSV should be located where it cannot be isolated from components
requiring protection from backflow scenarios. Where required on pipeline pumps and other pumps, the
suction PSV should be located as close as is practical to the pump downstream of any block valve while the
discharge PSV should be located on the discharge line upstream of any block valve.
A.8.3.2
Flow Safety Devices (FSV and FSL)
The check valve (FSV) should be located on the pump discharge line to minimize backflow. For glycol
systems, an FSV should be located as close to the contactor as practical.
The FSL should be installed on the pump discharge line to detect low flow.
A.8.3.3
Shutdown Devices (SDV)
An SDV should be located near the outlet of a storage component (tank, separator, etc.) that delivers
production to a pipeline pump to prevent the flow of hydrocarbons through the pipeline pump and into the
pipeline in the event of a pipeline leak.
When glycol-powered pumps are used, an SDV should be located near the high-pressure wet glycol outlet of
the glycol contactor to shut off flow from the contactor and to shut down the pumps.
A.8.3.4
Vibration Safety Devices (VSH)
A VSH should be installed on the pump casing if it is an overhung pump type, or on the bearing housings if
the pump is a between the bearings type. Alternatively, instrumentation may be provided in accordance with
API 670.
A.8.3.5
Seal Buffer Pot Level Safety Devices (LSL)
An LSL should be installed on the seal buffer pot to detect failure of the secondary seal resulting in a drained
buffer pot.
A.8.3.6
Seal Buffer Pot Pressure Safety Devices (PSH)
A PSH should be installed on the seal buffer pot to detect failure of the primary seal.
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
69
A.9 Compressor Units
A.9.1 Description
Compressor units transfer hydrocarbon gases within the production process and into pipelines leaving the
facility. Safety devices for a typical compressor unit are shown in Figure A.16.
A.9.2 Safety Analysis
A.9.2.1
Safety Analysis Table
The SAT for compressor units is presented in Table A.17. The SAT analyzes the compressor cylinder or
case and the suction, discharge, and fuel gas piping of a compressor unit. Hydrocarbon handling equipment
associated with compressors, other than compressor cylinders or cases, should be protected in accordance
with appropriate sections of this document. The compressor and prime mover are normally furnished with
devices to prevent mechanical damage. The undesirable events that can affect a compressor unit are
overpressure, leak, and excess temperature.
A.9.2.2
A.9.2.2.1
Safety Analysis Checklist
General
The SAC for compressor units is presented in Table A.18.
A.9.2.2.2
Pressure Safety Devices (PSH, PSL, and PSV)
PSH and PSL sensors should be provided on each suction line of a compressor unit unless each input
source is protected by PSH and PSL sensors that will also protect the compressor. Also, PSH and PSL
sensors should be provided on each compressor discharge line. The PSH and PSL sensors should shut off
all process inflow and shutdown the compressor and compressor driver. A PSV should be provided on each
compressor suction line, unless each input source is protected by a PRD that will protect the compressor and
suction piping when considering the possible causes of suction overpressure, including reverse flow and
settle-out pressure. A PSV should be provided on each compressor discharge line. A PSV is not necessary
on the discharge of a centrifugal compressor if the compressor or other inlet sources including backflow are
incapable of developing a pressure greater than the MAWP of the compressor or discharge piping.
A.9.2.2.3
Flow Safety Devices (FSV)
An FSV should be provided in each final discharge line to minimize backflow.
A.9.2.2.4
Gas Detecting Devices (ASH)
If a compressor unit is installed in an inadequately ventilated building or enclosure, as defined in G.2.4, gas
detectors (ASHs) should be provided to shut off all process inflow to the compressor and shutdown
compressor and compressor driver and blowdown (if installed) the compressor. If toxic gases are handled,
the toxic gas detectors (OSHs) shall also be installed and take the same action as combustible gas
detectors.
A.9.2.2.5
Temperature Safety Devices (TSH)
A TSH sensor should be provided to protect each compressor cylinder or case such as high temperature
resulting from high inlet gas temperature, cooling failures, lube oil failures, and mechanical failures. The TSH
sensor should shut off all process inflow to the compressor and shutdown the compressor and compressor
driver.
70
API RECOMMENDED PRACTICE 14C
NOTE 1
TSE designations are symbolic and are not intended to reflect actual location or quantity.
NOTE 2
ASH 1, 2, and 3 and OSH 1 and 2 are not required if compressor is not installed in an enclosed building.
NOTE 3 ASH 3 and OSH 2 is not required if compressor does not have piping or other potential source of gas leak
below a solid subfloor.
NOTE 4
Suction scrubbers are not shown; they should be analyzed according to A.4.
NOTE 5
OSH should be considered based on the conditions stated in Annex H.
NOTE 6
Discharge coolers are not shown; they should be analyzed according to A.10.
NOTE 7 Numbers used on safety devices are provided as reference for this drawing and are not required to be used
as actual tagging requirements.
a
Refer to A.8.3.6 for vibration sensor placement.
b
For centrifugal or screw compressors, the FSH detects seal failures.
c
Not always required.
Figure A.16—Safety Devices: Compressor Unit
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
71
Table A.17—Safety Analysis Table: Compressors
Undesirable Event
Cause
Detectable Abnormal
Condition at Component
Overpressure (suction)
Excess inflow
Failure of suction pressure control system
Compressor or driver failure
Reverse flow
Pressure equalization (settle-out)
High pressure
Overpressure (discharge)
Blocked or restricted discharge line
Excess back pressure
High inlet pressure
Over speed
High pressure
Leak
Deterioration
Erosion
Corrosion
Impact damage
Vibration
Damage due to liquid ingestion
Packing/seal failure
Low pressure
High gas concentration (building)
Vibration
High flow (seal gas)
Excess temperature
Compressor valve failure
Cooler failure
Excess compression ratio
Insufficient flow
High temperature
Table A.18—Safety Analysis Checklist: Compressors
Item
A.8a.
Description
High-pressure sensor (PSH)—suction.
1) PSH installed.
2)
A.8b.
PSH—discharge.
1) PSH installed.
2)
A.8c.
Each input source is protected by a PSL that will also protect the compressor.
PSL—discharge.
1) PSL installed.
2)
A.8e.
Compressor is protected by a downstream PSH, located upstream of any cooler, that cannot be isolated
from the compressor.
Low-pressure sensor (PSL)—suction.
1) PSL installed.
2)
A.8d.
Each input source is protected by a PSH that will also protect the compressor.
Compressor is protected by a downstream PSL that cannot be isolated from the compressor.
Pressure safety valve (PSV)—suction.
1)
2)
3)
PSV installed.
Each input source is protected by a pressure-relief device (PRD) that will also protect the compressor and
the compressor suction is protected against all credible cases of backflow and settle-out.
Compressor suction is protected by a high-integrity pressure protection system (HIPPS) meeting the
requirements in Annex E and is protected by a PSV for any other credible overpressure source the HIPPS
is not designed to protect against, to include those listed in 6.2.2.2.2 and HIPPS leakage.
72
API RECOMMENDED PRACTICE 14C
Table A.18—Safety Analysis Checklist: Compressors (Continued)
A.8f.
Pressure safety valve (PSV)—discharge.
1)
2)
3)
A.8g.
Check valve (FSV)—discharge.
1) FSV installed at discharge of each compressor unit.
2)
A.8h.
TSH installed.
High-vibration sensor(s) (VSH).
1) VSH installed.
2)
A.8j.
FSV installed at final stage discharge and compressor is positive displacement type.
High-temperature sensor (TSH).
1)
A.8i.
PSV installed.
Compressor is protected by a downstream PRD, located upstream of any cooler, that cannot be isolated
from the compressor.
Compressor is kinetic energy type and incapable of generating a pressure greater than the maximum
allowable working pressure (MAWP) of the compressor or discharge piping.
Compressor is manually operated and continuously attended.
Secondary seal with FSH on primary seal vent—centrifugal and screw compressors.
1)
2)
Compressor less than 1000 hp and nonvapor recovery service.
Compressor is manually operated and continuously attended.
3)
4)
Secondary seal with failure detection and shutdown.
Compressor does not have dry gas seals.
A.9.2.2.6
Vibration Safety Devices (VSH)
A VSH should be provided to detect mechanical failures that could cause loss of containment.
A.9.2.2.7
Flow Safety Devices (FSH)
A FSH should be provided for centrifugal and screw compressors with drivers greater than 1000 hp. The
FSH is provided to detect failure of the primary seal.
A.9.3 Safety Device Location
A.9.3.1
Pressure Safety Devices (PSH, PSL, and PSV)
The PSH and PSL sensors should be located on each suction line as close to the compressor as is practical
and on each discharge line upstream of the FSV and any block valve. The PSVs should be located on each
suction line as close to the compressor as is practical and on each discharge line so that the PSV cannot be
isolated from the compressor.
A.9.3.2
Flow Safety Devices (FSV, FSH)
An FSV should be located on each compressor unit’s final discharge line to minimize backflow. If the
compressor unit is inside a building, the FSV should be located outside the building. The seal failure FSH
should be located on the primary seal vent line.
A.9.3.3
Gas Detecting Devices (ASH)
Should the compressor unit be installed in an inadequately ventilated building or enclosure, gas detectors
(ASHs) should be located in areas where combustible gases can accumulate.
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
A.9.3.4
73
Temperature Safety Devices (TSH)
A TSH sensor should be located in the discharge piping of each compressor cylinder or case as close as
practical to the cylinder or case.
A.9.3.5
Shutdown Devices (SDV)
An SDV should be located on each process inlet line and fuel gas line so that the compressor can be
isolated from all input sources. SDVs should be located at the discharge of each stage of a multistage
system where settle-out or backflow pressures can exceed design pressure. Each section isolated by an
SDV should have a blowdown valve installed. If the compressor unit is installed in a building, all SDVs should
be located outside the building. All SDVs shall be actuated by a signal from the ESS and by any abnormal
pressure condition sensed in the suction and discharge lines. A blowdown valve should be located on the
compressor unit final discharge line(s) for compressors greater than 1000 hp. The blowdown valve(s) may be
actuated by a signal from the compressor’s fire detection system, gas detectors, facility ESD, or compressor
ESD.
A.9.3.6
Vibration Safety Device (VSH)
A VSH should be provided on the compressor bearing housings if it is a centrifugal or screw compressor or
on compressor frame if it is a reciprocating compressor. Alternatively, instrumentation may be provided in
accordance with API 670.
A.10 Pipelines
A.10.1 Description
Offshore pipelines direct liquids and gases between facilities or between a facility and an onshore facility.
Pipelines are classified as incoming, departing, or bidirectional, depending on the direction of flow at the
facility. An incoming pipeline directs fluids onto the facility and a departing pipeline transports fluids from the
facility. A bidirectional pipeline can transport fluids in either direction. Pipelines can be further classified
according to the delivery or receiving point as follows.
a)
Incoming pipelines:
— deliver to facilities;
— deliver to departing pipeline.
b)
Departing pipelines:
— receive from facilities;
— receive from incoming pipeline(s);
— receive from both facilities and incoming pipeline(s).
c)
Bidirectional pipelines:
— deliver to and receive from facilities;
— deliver to and receive from another bidirectional pipeline;
— deliver to and receive from other bidirectional pipelines and receives from facilities.
Recommended safety devices for offshore pipelines are shown in Figure A.17.
74
API RECOMMENDED PRACTICE 14C
a
For departing pipelines, where significant backflow hazards exist from gas pipelines or where pipelines have multiple
downstream input sources, backflow safety devices shall be a tested FSV or SDV.
Figure A.17—Safety Devices: Pipelines
A.10.2 Safety Analysis
A.10.2.1 Safety Analysis Table
The SAT for pipelines is presented in Table A.19. The undesirable events that can affect a pipeline are
overpressure and leak.
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
75
Table A.19—Safety Analysis Table: Pipelines
Undesirable Event
A.10.2.2
Cause
Detectable Abnormal
Condition at Component
Overpressure
Blocked or restricted line
Thermal expansion
Inflow exceeds outflow
High pressure
Leak
Deterioration
Erosion
Corrosion
Impact damage
Vibration
Low pressure
Safety Analysis Checklist
A.10.2.2.1 General
The SAC for pipelines is presented in Table A.20.
A.10.2.2.2 Pressure Safety Devices (PSH, PSL, and PSV)
PSH and PSL sensors are required on departing pipelines to shut off all input sources. PSH and PSL
sensors are not provided on an incoming pipeline that is protected by sensors provided at the upstream
facility. Bidirectional pipelines should be provided with PSH and PSL sensors. Protection may be provided by
PSH and PSL sensors located at each input source or on a parallel component (looped pipeline) if the
sensors cannot be isolated from the pipeline.
Each pipeline input source is normally protected by a PSV set to protect the pipeline. A PSV is not required if
one or more of the following conditions exist.
a)
The pipeline has a MAOP greater than the maximum pressure of any input source.
b)
Each input source having a pressure greater than the pipeline’s MAOP is protected by a PRD set no
higher than the pipeline’s MAOP.
c)
Input source is a well(s) having a pressure greater than the pipeline’s MAOP and is equipped with two
SDVs (one of which may be the SSV) controlled by independent PSHs connected to separate logic
solver and sensing points. See additional design requirements in 6.2.2.2.5.
d)
The pipeline is protected by an HIPPS meeting the requirements in Annex E and is protected by a PSV
for any other credible overpressure source the HIPPS is not designed to protect against, to include
those listed in 6.2.2.2.2 and HIPPS leakage.
A.10.2.2.3 Flow Safety Devices (FSV)
An FSV is provided on an incoming pipeline to minimize backflow to a leak or rupture in the pipeline and on a
departing pipeline to minimize backflow to a leak or rupture in a component on the facility. For departing
pipelines, where significant backflow hazards exist from gas pipelines or where pipelines have multiple
downstream input sources, backflow safety devices shall be a tested FSV or tested SDV.
76
API RECOMMENDED PRACTICE 14C
Table A.20—Safety Analysis Checklist: Pipelines
Item
A.9a.
A.9b.
A.9c.
Description
High-pressure sensor (PSH).
1)
2)
PSH installed.
Delivering pipeline protected by PSH located on upstream component.
3)
4)
Each input source is protected by a PSH that also protects a departing or bidirectional pipeline.
The pipeline is protected by a PSH located on a parallel component.
Low-pressure sensor (PSL).
1)
2)
PSL installed.
Delivering pipeline protected by PSL located on upstream component.
3)
4)
Each input source is protected by a PSL that also protects a departing or bidirectional pipeline.
The pipeline is protected by a PSL located on a parallel component.
Pressure safety valve (PSV).
1) PSV installed.
2)
Pipeline has a maximum allowable operating pressure (MAOP) greater than the maximum pressure of
any input source.
3)
Each input source having a pressure greater than the MAOP of the pipeline is protected by a pressurerelief device (PRD) set no higher than the MAOP of the pipeline.
4)
5)
The pipeline does not receive input from the facility process.
Input source is a well(s) having a pressure greater than the MAOP of the pipeline and the well is
equipped with two shutdown valves (SDVs) [one of which may be the original surface safety valve
(SSV)] controlled by independent PSHs connected to separate relays and sensing points. Other input
sources having a pressure greater than the MAOP of the pipeline are protected by PSVs.
6)
The pipeline is protected by a high-integrity pressure protection system (HIPPS) meeting the
requirements in Annex E and is protected by a PSV for any other credible overpressure source the
HIPPS is not designed to protect against, to include those listed in 6.2.2.2.2 and HIPPS leakage.
NOTE
A.9d.
Additional design requirements are defined in 6.2.2.2.5.
Check valve (FSV).
1) FSV installed.
2)
3)
4)
Departing pipeline is equipped with an SDV controlled by a PSL.
Each input source is protected by an FSV located so that no significant length of pipeline is unprotected
from backflow.
Pipeline is used for bidirectional flow.
When an incoming pipeline connects only to a departing pipeline (crossing pipeline), the FSV on the
departing pipeline also protects the incoming pipeline.
An FSV may be eliminated on a departing pipeline if all input sources are equipped with FSVs located so that
no significant length of piping is unprotected from backflow from the pipeline.
An FSV cannot be installed on a bidirectional pipeline.
A.10.3 Safety Device Location
A.10.3.1 Pressure Safety Devices (PSH, PSL, and PSV)
The PSH and PSL sensors should be located downstream of any facility input source and upstream of a
departing pipeline FSV. If a PSV is required, it should be located downstream of all input sources and
installed so that it cannot be isolated from inlet sources.
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
77
A.10.3.2 Flow Safety Devices (FSVs)
Incoming pipelines delivering to a facility process station should have an FSV located immediately upstream
from the process station. The FSV on a departing pipeline should be located as far downstream as is
practical, but upstream of a block valve.
A.10.3.3 Shutdown Devices (SDV)
Pipeline SDVs should be located to minimize the portion of pipeline exposed on the facility. All SDVs should
be actuated by the facility ESD system, fire detection system, and sensors on any downstream component
through which the pipeline fluids flow. The SDV on a pipeline delivering to a departing pipeline should be
actuated by the departing pipeline’s PSH and PSL sensors, the ESD system, and the fire detection system.
Bidirectional pipelines should be equipped with SDVs on each facility terminus.
A.11 Heat Exchangers
A.11.1 Description
Heat exchangers transfer thermal energy from one flow stream to another while maintaining isolation of the
two flow streams. Recommended safety devices for a typical heat exchanger are shown in Figure A.18. This
section does not apply to exchangers used with primary heat sources such as turbine exhaust exchangers
that should be analyzed in accordance with A.6. This section may be used to analyze heating or cooling coils
inserted into vessels, but the vessels themselves should be analyzed in accordance with A.4 or A.5, as
appropriate. This section may also be used to analyze heat exchangers using air to cool or heat
hydrocarbons, in which case only the hydrocarbon section need be considered. Electric heaters installed
within process vessels should be analyzed in accordance with A.4.
NOTE 1
TSE designations are symbolic and are not intended to reflect actual location or quantity.
NOTE 2 Numbers used on safety devices are provided as reference for this drawing and are not required to be used
as actual tagging requirements.
a
Alternative configurations can require analysis and changes in TSH and TSL locations.
Figure A.18—Safety Devices: Heat Exchangers
78
API RECOMMENDED PRACTICE 14C
A.11.2 Safety Analysis
A.11.2.1
Safety Analysis Table
The SAT for heat exchangers is presented in Table A.21. The undesirable events that can affect a heat
exchanger are overpressure and leak.
A.11.2.2
Safety Analysis Checklist
A.11.2.2.1 General
The SAC for exchangers is presented in Table A.22.
A.11.2.2.2 Pressure Safety Devices (PSH, PSL, and PRD)
A.10.2.2.2.1 In analyzing heat exchangers for pressure safety devices, both sections (the heat receiving
section and the heat input section) should be analyzed separately since each section can have different
design and operating pressure requirements. A section of a heat exchanger that receives fluids from a
source that can cause overpressure should be protected by a PSH sensor to shut off inflow of the source to
that section of the heat exchanger. Also, a section of the heat exchanger that could be overpressured
because of a rupture or leak of another section of the heat exchanger should be protected by a PSH sensor
to shut off inflow of the source of overpressure to that section. The PSH sensor need not be provided for a
section of a heat exchanger if an upstream PSH sensor on other process components will sense the
pressure in the heat exchanger section and shut off inflow to the heat exchanger, or if a downstream PSH
sensor will sense pressure in the heat exchanger section and cannot be isolated. Also, the PSH sensor need
not be provided on a section of a heat exchanger if the MAWP of that section is greater than the potential
pressure of any input source to that section.
Table A.21—Safety Analysis Table: Heat Exchangers
Undesirable Event
Overpressure
Cause
Blockage or restriction
Inflow exceeds outflow
Detectable Abnormal
Condition at Component
High pressure
Thermal expansion
Tube leak or rupture
Vaporization
Leak
Deterioration
Erosion
Low pressure
Corrosion
Impact damage
Vibration
Over temperature
Control failure
High temperature
Blocked process outlet
High inlet temperature
Under temperature
Control failure
JT effect or liquid flashing
Low inlet temperature
Low temperature
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
79
Table A.22—Safety Analysis Checklist: Heat Exchangers
Item
A.10a.
Description
High-pressure sensor (PSH).
1)
2)
3)
4)
A.10b.
2)
Each input source is protected by a PRD or high-integrity pressure protection system (HIPPS) that is
set no higher than the MAWP of the heat exchanger section, and a PRD is installed on the heat
exchanger section for fire exposure and thermal relief and the heat exchanger section cannot be
overpressured due to pressure in the other heat exchanger section.
3)
Each input source is protected by a PRD or HIPPS that is set no higher than the MAWP of the heat
exchanger section, can satisfy relief requirement of the heat exchanger section, and cannot be
isolated from the heat exchanger section.
PRDs on downstream equipment can satisfy relief requirement of the heat exchanger section and
cannot be isolated from the heat exchanger section.
Deleted in Fourth Edition.
5)
6)
Input sources to the heat exchanger section cannot develop pressure greater than the MAWP of the
heat exchanger section, a PRD is installed on the heat exchanger section for fire exposure and
thermal relief, and the heat exchanger section cannot be overpressured due to pressure in the other
heat exchanger section.
7)
Each input source is protected by a PRD or HIPPS set no higher than the MAWP of the heat
exchanger section, and the heat exchanger section cannot be overpressured due to temperature or
pressure in the other section.
Temperature safety high (TSH).
1)
2)
A.10e.
Minimum operating pressure is atmospheric pressure when in service.
PSL installed on another component will provide necessary protection, and the PSL cannot be
isolated from the heat exchanger section when the heat exchanger is in service.
Pressure-relief device (PRD) [pressure safety valve (PSV) or pressure safety element (PSE)].
1) PRD installed.
4)
A.10d.
A PSH is installed on a downstream component and cannot be isolated from the heat exchanger
section by block or regulating valves.
Low-pressure sensor (PSL).
1) PSL installed.
2)
3)
A.10c.
PSH installed.
Input source to heat exchanger section cannot develop pressure greater than the maximum
allowable working pressure (MAWP) of the heat exchanger section.
Each input source is protected by a PSH that also protects the heat exchanger section.
TSH installed.
Input source to heat exchanger section cannot develop temperature greater than the maximum
allowable working temperature of the heat exchanger section.
Temperature safety low (TSL)
1) TSL installed.
2)
Input source to heat exchanger section cannot develop temperature lower than the minimum
allowable working temperature of the heat exchanger section.
A.10.2.2.2.2 A heat exchanger section containing hydrocarbons should be provided with a PSL sensor to
shut off inflow to the heat exchanger when leaks large enough to reduce pressure occur, unless PSL sensors
on other components will provide necessary protection and the PSL sensor cannot be isolated from the heat
exchanger section when in service.
A PSL sensor should not be installed if the heat exchanger section normally operates at atmospheric
pressure or frequently varies to atmospheric while in service. In this case, the complexity of lockout devices
to keep the heat exchanger from shutting in during these operating modes could more than offset the
protection afforded by the PSL sensor.
80
API RECOMMENDED PRACTICE 14C
A.10.2.2.2.3 Each heat exchanger section should be provided with a PRD with sufficient capacity to
discharge maximum input rates. A PRD need not be provided on a heat exchanger section if PRDs on other
process components provide adequate relief capacity, relieve at or below heat exchanger section working
pressure, and cannot be isolated from the section when in service. If such PRDs are located on downstream
components, they shall not be isolated from the heat exchanger section at any time. Also, the PRD need not
be provided on a section of a heat exchanger if the MAWP of that section is greater than the potential
pressure of any input source to that section. Moreover, if PRDs on other components provide necessary
protection when the heat exchanger section is in service, but can be isolated when the heat exchanger
section is shut in, a PRD should be installed on the heat exchanger section for pressure relief due to thermal
expansion or fire exposure. The selection of the pressure-relief device (PSV or PSE) shall take the transient
overpressure conditions into account. See API 521 for selection of PRDs on heat exchangers.
A.11.2.2.3 Temperature Safety Devices (TSH and TSL)
A TSH is required to shut off the source of heat. If the maximum allowable working temperature of that
section is greater than the potential temperature of any input source to that section, a TSH is not required. A
TSH is not required if a TSH on an upstream component protects the heat exchanger section from high
temperature. A TSL is required to shut off the sources if the potential temperature of any input source of that
section is lower than the minimum allowable working temperature to that section.
A.11.3 Safety Device Location
A.11.3.1 Pressure Safety Devices (PSH, PSL, and PSV or PSE)
The PSH and PSL sensors and the PSV or PSE should be located to sense pressure in or relieve it from
each section of the heat exchanger. Such devices may be located in the inlet or outlet piping if the pressure
drop from the heat exchanger section to the sensing point is negligible and if the devices cannot be isolated
from the heat exchanger section. The location of the pressure-relief device (PSV or PSE) shall take the
transient overpressure conditions into account. See API 521 for location of PRDs on heat exchangers. The
pressure-relief device (PSV or PSE) should be located at the heat exchanger where tube rupture protection
is required. This shall be considered in SAC references in relieving devices.
A.11.3.2 Temperature Safety Devices (TSH and TSL)
The TSH sensor should be located on the heating medium inlet or process outlet as required. The TSL
sensor should be located on the process outlet.
NOTE
Alternative configurations can require analysis and changes in TSH and TSL locations.
Annex B
(informative)
Examples of Safety Analysis Flow Diagram and SAFE Chart
B.1 General
Figures B.1 and B.2 present a completed safety analysis flow diagram and a SAFE chart for an example
platform production process. Each process component is listed on the SAFE chart with its recommended
safety devices determined from the individual components analysis (see Annex A). Each shutdown and
safety function is also listed. For each safety device, a specific shutdown and/or safety function(s) or an SAC
reference should be documented on the SAFE chart. Provisions are also made for documenting alternate or
substitute safety devices used in lieu of recommended safety devices.
The flow diagram in Figure B.1 is not intended as a recommended method for handling produced fluids, but
is included for illustrative purposes only.
Section B.2 provides an example method for analysis of a natural draft burner on a pressure vessel. Figure
B.3 shows the process component with all possible safety devices prior to analysis. Figure B.4 shows the
resulting component after analysis with installed safety devices designated by solid circles and safety
devices that have been eliminated with appropriate SAC references indicated by dashed circles. Figure B.5
is the corresponding SAFE chart for the analysis.
NOTE The following examples in this annex are merely examples for illustration purposes only. They are not to be
considered exclusive or exhaustive in nature. API makes no warranties, express or implied, for reliance on or any
omissions from the information contained in this document.
B.2 Natural Draft Burner on a Heater Treater Pressure Vessel
B.2.1 General
To analyze the combination of a natural draft burner on a pressure vessel, see A.4 for the pressure vessel
and A.6 for the fired component.
Draw a simplified diagram with all required safety devices in accordance with A.4 and A.6 (refer to
Figure B.3).
It is suggested that the component identification (refer to Table A.7) for both the vessel and the fired
component have the same component identifier (e.g. XXX-2000, YYY-2000).
Using A.4 and A.6 as guidelines, analyze Figure B.3.
B.2.2 Explanation
The LSL cannot be eliminated because of fire tube exposure.
Due to the internal design of the vessel, an additional LSL (LSL 2) is required. The blow-by of the level
control valve was calculated and it exceeded the process capacity of the downstream component. LSL 2 and
an SDV were added to protect the downstream component from blow-by.
FSV 3 is not required because the regulator effectively minimizes backflow.
It is not necessary to install two media TSHs in the vessel—one for the vessel and the other for the fired
component. One TSH provides adequate protection, and it is mounted in the liquid portion of the vessel.
81
82
API RECOMMENDED PRACTICE 14C
Figure B.4 represents the heater after analysis. Figure B.5 is the corresponding SAFE chart for B.2.2.
B.3 Blank Safe Chart
A blank SAFE chart has been provided for example in Figure B.6.
Figure B.1—Example Safety Analysis Flow Diagram of Platform Production Process
84
API RECOMMENDED PRACTICE 14C
Figure B.2—Example SAFE Chart
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
Figure B.2—Example SAFE Chart (Continued)
85
86
API RECOMMENDED PRACTICE 14C
Figure B.2—Example SAFE Chart (Continued)
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
Figure B.2—Example SAFE Chart (Continued)
87
88
API RECOMMENDED PRACTICE 14C
Figure B.2—Example SAFE Chart (Continued)
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
Figure B.2—Example SAFE Chart (Continued)
89
90
API RECOMMENDED PRACTICE 14C
Figure B.3—Example Process Component Diagram for a Natural Draft Burner on a Pressure Vessel
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
Figure B.4—Resulting Process Component Diagram for a Natural Draft Burner
on a Pressure Vessel after Analysis
91
92
API RECOMMENDED PRACTICE 14C
Figure B.5—Example Heater Treater SAFE Chart
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
Figure B.6—Blank SAFE Chart
93
Annex C
(informative)
Remote Operations
C.1 Definitions Specific to Remote Operation
C.1.1
downstream components
Components located between the hydrocarbon source and the sensing point.
EXAMPLES
Flowlines, pipelines, and separators
C.1.2
dry gas facility
A facility producing from a reservoir that has a gas/oil ratio (GOR) greater than 100,000 SCF/bbl, a
concentration of C1 and C2 greater than 96 %, and a concentration of C7+ less than 1 %.
C.1.3
essential operating conditions
All process information required to ensure safe operation of the facility.
EXAMPLES
These include pressure, status of the safety devices, appropriate liquid levels, temperature, and flow
rates and/or pressures on specific downstream components.
C.1.4
local storm timers
Time delay circuitry that is an integral part of the SCADA logic located in the program logic controller (PLC)
at the remote facility.
NOTE
This logic is initiated on the remote facility.
C.1.5
static pressure
The pressure at which the specific system should become stabilized if the pressure source is rendered
inoperative (shut-in) during normal operations.
C.2 General
C.2.1
This annex covers facilities that are controlled using remote operations.
C.2.2 A system to remotely control the facility safety system and process control system may be installed
to monitor, control, open, close, and restart specific wells, pipelines, and process components remotely.
These systems are sometimes referred to as Supervisory Control and Data Acquisition (SCADA) systems or
distributed control system (DCS). This type of system can be used to remotely monitor and control a facility
provided that the following conditions are met.
a)
The system is capable of monitoring all essential operating conditions that affect the subject wells,
pipelines (i.e. export pipeline operations shall be coordinated with the pipeline operator), and process
components.
b)
An investigation shall be performed prior to restart of the facility. An onsite investigation is required if you
cannot ascertain the primary cause of a shut-in by diagnosing the data available from the monitored
operating conditions.
94
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
95
c)
Ensure that all detected abnormal operating conditions that indicate a shut-in of a component or process
have returned to a “normal” status (clear) before you remotely reactivate the process or return the
source to an operational status.
d)
Safety sensors and their associated shut-in devices on process components may be temporarily
bypassed during remote start-up operations provided there is continuous monitoring of all essential
operating conditions, including those on downstream components, and the bypasses are automated and
meet the requirements of Annex D.
e)
Safety devices and their associated electronic, electrical, pneumatic, or hydraulic circuitry shall be
designed, installed and operated in a failsafe mode.
f)
The safety system shall function in a manual reset mode.
g)
Remote restart capability is not allowed for the following function shut-ins detected by the following:
— level safety low (LSL);
— ESD;
— fusible elements (TSE) or other fire detection devices;
— combustible and toxic gas detection;
— temperature safety high (TSH);
— level safety high (LSH) on sump tanks/piles, water skimmers, flare scrubbers, and stock tanks.
h)
Special considerations shall be addressed before implementing remote restart on complex components
such as fired heaters and compressors.
i)
Before commencing restart operations after a low-pressure condition shut-in [i.e. the pressure safety low
(PSL) sensor is the first out], static pressure shall be achieved to ensure a leak is not present.
C.3 Remote Operations during Storm Conditions
The system to provide remote operations during storm conditions should provide the following capabilities.
a)
Remote monitoring and remote shut-in capabilities of the facility.
b)
The subsurface safety device shall be in service.
c)
Loss of remote monitoring and shut-in capabilities for not greater than four hours shall require activation
of time delay circuitry (local storm timers) in the local system logic to shut-in the facility.
d)
During the storm, if sustained wind speeds exceed 74 mph (119 km/h) at the facility, the following should
apply.
— Shut in a liquid hydrocarbon facility immediately. Remote restart is not allowed.
— Shut in a H2S-bearing facility, as defined in Annex H, immediately. Remote restart is not allowed.
— May continue to produce a dry gas facility. If an upset condition occurs, shut in the facility
immediately (including an ESD). Remote restarting is allowed as defined above.
e)
After the storm passes, the facility may be restarted provided the sustained wind speeds have not
exceeded 74 mph (119 km/h) at the facility location.
96
API RECOMMENDED PRACTICE 14C
Annex D
(normative)
Safety System Bypassing
D.1 General
Bypassing safety functions falls into two general categories: automatic and manual. Bypass functions have
three separate purposes as follows:
a)
allow online sensor testing without process upset;
b)
allow facility, unit, or equipment start-up where start-up process variables are within trip ranges;
c)
allow repair of failed or failing safety function devices without process upset (maintenance activities).
A safety device is only effective when it is in service. Safety systems should be designed to limit the amount
of time and frequency that safety functions are bypassed and to automate start-up bypasses where practical
to minimize human error. It is particularly important to effectively manage and automate bypasses where the
large number of potential bypasses needed during complex operations could overwhelm operators.
D.2 Manual Bypass
Manual bypasses are used for maintenance and testing of the safety devices. Manual bypasses should be
used for start-up only when an automated bypass cannot be implemented. Only the minimum number of
safety devices shall be bypassed in order to accomplish maintenance and testing.
Manual bypasses should inhibit trip functions, but shall not inhibit the associated trip alarms. Any time any
safety device is placed in manual bypass, there shall be clear visible indication in a continuously occupied
control room or locally at the device as required. Facility personnel shall monitor the process equipment and
manually perform the device safety function while the manual bypass is in effect, unless the equipment has
been completely taken out of service (temporarily or permanently) and is isolated from the process.
The primary and secondary protection devices for a particular function should not be bypassed concurrently
for in-service equipment.
D.3 Automatic Bypass
D.3.1 General
Class A—A device where no automatic bypass is fitted.
Class B, Class C, and Class B/C logic can be applied to all sensors installed on process equipment.
Automatic bypasses should not be fitted to any of the following ESS components:
a)
containment systems;
b)
fire and gas system;
c)
SSSV;
d)
ESD.
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
97
D.3.2 Class B Device
Class B device is automatically bypassed when the associated equipment is off (pump/compressor is
stopped, well is closed, etc.) and for a fixed time period, typically 15 to 45 seconds (but may be longer for
high capacity processes if clearly documented justification is provided for longer time) after the equipment
starts/opens/is in service. Class B devices are mostly used in conjunction with low-pressure shutdowns for
pumps and compressors.
D.3.3 Class C Device
Class C device is bypassed until it has come into service. For example, the LSL for an empty vessel would
be bypassed until the level rises above the LSL set point (a minimal time delay or dead band maybe be used
to prevent re-trip), at which time the bypass would be removed and the LSL would be in service; if the level
dropped below the set point, the LSL would activate.
D.3.4 Class B/C Device
Class B/C device is automatically bypassed by a combination of Class B and Class C bypass logic. For
example, Class B/C bypass circuitry activates when a pump is shut down during normal operations. The
safety device remains bypassed until the pump’s start logic is activated; the bypass is removed when either
(a) the Class B timer expires or (b) the pump builds up pressure above the PSL set point and the safety
device becomes active. If the safety sensor should trip while the pump is running, the pump will shut down
and the Class B/C bypass circuit will remain inactive until the safety system devices are cleared and reset.
D.3.5 Class (Cp or Bp) Partial Automatic Bypass
Partial automatic bypasses bypass only some of the safety function’s final elements, e.g. low level in a
separation vessel isolates both the inlet and the liquid piping to prevent blow-by of gas into the liquid
processes. For example, a partial Type Cp bypass allows the inlet valves to open, but not the liquid outlet
valves until a level is established.
D.4 Final Element
D.4.1 General
Final elements shall not be bypassed unless required for specific test scenarios.
D.4.2 Operating Mode Automatic Bypass
Differing modes of operation such as a test separator in operating mode or a pipe in pigging mode may
require bypassing of specific safety functions. Mode-based automatic bypassing shall require sensor or valve
position confirmation of the operating mode. The bypass shall automatically disable if the valve position(s) or
process conditions are not correct for the operating mode requiring the bypass.
Annex E
(normative)
High-Integrity Pressure Protection Systems
E.1 General
E.1.1 API 14C requires two layers of protection for all risks including the risk of vessel or piping
overpressure. The preferred layers of protection consist of a single PSH and a second layer of pressure relief
provided by a mechanical device such as a pressure-relief valve. Where pressure relief in accordance with
the requirements contained within API 521 is not technically or economically practical, a high-integrity
instrumented approach to overpressure protection may be applied.
E.1.2 A HIPPS is an instrumented protective system typically made up of an arrangement of sensors (e.g.
pressure transmitters), final control elements (e.g. valves, switches, motor starters, etc.), and a high-integrity
logic solver configured in a manner designed to protect against overpressure. These systems have specific
design, installation, operation, and maintenance requirements to ensure their effectiveness. The use of
HIPPS should be applied only when a traditional method for relief system design, in accordance with API
521, is not practical. Justifications for the HIPPS shall be documented and approved by the owner/operator.
Approvals should be at an owner/operator organizational level that is appropriate for the level of risk
managed by the HIPPS.
E.1.3 The application of HIPPS requires the application of rigorous analysis, planning, and QA/QC
procedures during the definition and design phases to ensure a safe HIPPS design. Rigorous analysis and
planning includes applying API 14J along with generally accepted risk analysis methods and standards.
Documented analysis and planning solutions shall be applied to the following.
a)
Process and HIPPS response times to ensure the HIPPS reaches a safe state before design pressures
are exceeded.
b)
Competency of the individuals designing, operating, and maintaining the HIPPS.
c)
Systematic and random common cause failures including software, instrument air/hydraulic systems
calibration, plugging and fouling, cabling, dropped objects, fire, flooding, and any other causes particular
to the specific facility.
d)
Management of change plan (MOC) including a plan for changes that can affect the analysis results.
E.1.4 Effective and detailed maintenance, testing, and inspection procedures shall be applied to the
operational lifecycle phase. All HIPPS lifecycle phases shall be audited in accordance with API 75 by the
owner/operator or representative to ensure effectiveness and compliance. For these reasons, the decision to
implement an HIPPS on a given project should be made with a great deal of caution and careful
consideration.
E.1.5 HIPPS may be considered for specific overpressure scenarios where installation of a pressure-relief
valve may not be practical or where a relief device is ineffective or creates additional unacceptable hazards.
However, a practically sized relief system may be required to cover all other design contingencies.
Typical examples of the application are as follows:
a)
where relief system sizing would be too large and heavy to practically install;
b)
environmental release is unacceptable, such as in H2S service;
c)
where flare heat radiation would create an unacceptable hazard;
98
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
d)
99
where adding new high-production, high-pressure wells precludes the use of existing relief systems as
adequate protection.
E.2 HIPPS Implementation Methods
E.2.1 One of the following two methods shall be used for the design, installation, maintenance, and testing
of an HIPPS:
— a prescriptive approach as outlined in this appendix;
— a performance-based approach as defined in API 521.
E.2.2 Applications using the performance-based approach defined in API 521 shall meet a minimum safety
integrity level (SIL) of 2. In many cases for HIPPS, the result of the hazard analysis is a SIL 3 system.
E.2.3
The requirements within E.3 shall apply regardless of the HIPPS implementation method chosen.
E.3 General Requirements
E.3.1 HIPPS sensors, logic solvers, and valves shall be functionally independent from other protection
layers and control and safety systems. Functional independence ensures that failures within another system
cannot prevent operation of the HIPPS.
E.3.2 The HIPPS shall be designed as an independent system in addition to the PSH (or other protective
functions) and associated SDV required by Annex A.
E.3.3
All lifecycle management requirements defined in API 75 shall be applied to HIPPS.
E.3.4 Electronic microprocessor based components (sensors, logic solvers, etc.) shall be certified and
implemented in accordance with IEC 61508-2 and IEC 61508-3 for use in a safety instrumented system
(SIS).
E.3.5 System shall act fast enough to prevent exceeding the equipment design pressure (i.e. MAWP for
vessels, design pressure for facility piping, and MAOP for pipelines.). This shall be confirmed by modeling of
the system response to credible overpressure events. This simulation shall include analysis of overpressure
resulting from transient pressure waves produced by valve closure.
E.3.6
System shall be designed as failsafe.
E.3.7
Manual activation of HIPPS shall be provided.
E.3.8 A pressure-relief valve shall be installed downstream of the HIPPS valves to accommodate possible
HIPPS valve leakage. The user shall specify and document the anticipated leakage rate and ensure the PSV
is sized in accordance.
E.4 Input Sensors
E.4.1
Analog transmitters (smart where possible) shall be used as input sensors for all HIPPS applications.
E.4.2
Input sensors shall be provided in a 2oo3 voting configuration, including the following.
— The process connections of the pressure sensors shall be such that concurrent isolation of sensors is
prevented at all times by separation or a suitable mechanical or key interlocking system.
— Installation shall allow for the online performance testing of sensors.
E.4.3
Sensors shall have their trip set point and the design basis for that trip set point defined.
100
API RECOMMENDED PRACTICE 14C
E.4.4
All HIPPS sensors shall have the same range and calibration.
E.4.5 Input sensors shall be connected directly to the HIPPS logic solver. Input sensors connected to other
logic solvers shall not be used for the HIPPS either by sharing (wired to both logic solvers) or transmitted via
a network or peer-to-peer.
E.4.6 Input sensors shall be designed and installed to minimize common mode failure between all three
input sensors and the PSH, required by Annex A, including freezing or plugging scenarios. This includes
separation of heat tracing circuits where freezing is a concern.
E.4.7 Sensors shall be mounted on separate process nozzles to avoid a single blockage from isolating
multiple sensors.
E.4.8 HIPPS sensors shall not be equipped with programmable bypasses. Testing can be performed on
one transmitter at a time without causing a trip using 2oo3 voting configuration.
E.4.9
HIPPS sensors shall have the following diagnostic capability.
a)
Sensors shall be programmed to detect faults and failures and transmit a defined low milliamp output
value for logic solver for voting response. A sensor that has failed or has a fault shall vote to trip.
b)
Sensor deviation diagnostics shall be established to detect and alarm a deviation between the HIPPS
sensors as follows.
— A deviation alarm shall be set to detect a 5 % to 7 % deviation between the sensors’ calibrated
ranges. Deviations should be repaired within 72 hours of alarm.
— Visual indication of the analog signal and the amount of deviation shall be provided on the humanmachine interface (HMI). A dead-band (typically 1 % or 2 %) should be provided to avoid nuisance
alarms.
E.5 Input Sensor Maintenance and Testing
E.5.1 Sensors shall be tested with the system in service. To prevent common cause calibration failure of
transmitters, they shall be calibrated with the platform in operation and users should consider not calibrating
individual transmitters on the same shift. This statement is applicable after commissioning of the HIPPS.
E.5.2
Test frequencies shall be in accordance with Annex I.
E.5.3
Written test procedures shall be developed for all HIPPS sensors.
E.6 Logic Solver
E.6.1 An HIPPS logic solver shall be dedicated to the HIPPS application and shall be functionally
independent of the process control system, the process safety system, and the ESS.
E.6.2 All logic solvers utilized as part of an HIPPS shall be certified to meet the requirements of IEC
61508-2 and IEC 61508-3 for use in SIL 3 or higher applications.
E.6.3 Logic solver processors, power supplies, and input and output (I/O) modules should be fault tolerant
so that no single failure can cause a spurious trip of the system. Spurious trips should be avoided to prevent
cascading events and limit risk associated with restarts.
E.6.4
All field I/O devices (sensors and final elements) shall have a dedicated logic solver I/O channel.
E.6.5 All logic solver faults and failures shall be alarmed. Logic solver faults may be provided as a
summary alarm point.
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
101
E.7 HIPPS Logic Solver Modifications
E.7.1
Modification of the logic solver shall be made by trained, competent personnel.
E.7.2 Any change to the logic shall be controlled with the site’s formal MOC procedure. Following any logic
change, the HIPPS shall be functionally tested before it can be placed back in operating service. Functional
testing includes validation of end to end functionality.
E.8 Relays
E.8.1 Relays utilized as part of an HIPPS interface shall be safety-certified in accordance with IEC 61508-2
and IEC 61508-3 for use in SIL 3 or higher applications.
E.8.2
Relays shall be designed to be normally energized to operate and de-energized to trip.
E.8.3
Bypassing of individual relays within the system shall not be allowed.
E.9 Final Field Elements
E.9.1
Two or more dedicated and independent final elements shall be used for HIPPS designs.
E.9.2 Where the source of over pressure is a pump or compressor, it is acceptable to stop the
pump/compressor to meet the process safety time and prevent the facility pressure from rising above the
MAWP. For this application, redundant final elements can be achieved by tripping the primary breaker and
the upstream feed or the primary breaker and the pump/compressor drive. As noted in E.3.1 and E.3.2, this
system shall be independent of the primary layer of protection.
E.10 Design of HIPPS Valves
E.10.1
Actuator
E.10.1.1 HIPPS valves shall be provided with actuators that are spring loaded and failsafe on loss of
power to the solenoid or partial stroke testing device or on loss of instrument air or hydraulic pressure to the
actuator. Where solenoids are used, they shall be single coil design.
E.10.1.2 Failsafe actuators shall be used and sized for maximum differential process pressure across the
valve with a minimum safety factor of 1.5 times the required force to close the valve.
E.10.2
Fire Safety
All valves and actuators shall be designed to meet the fire safe requirements in API 607 or API 6FA based
on valve type.
E.10.3
Stroke Time
E.10.3.1 Required speed of closure from normal to failsafe positions shall be clearly defined based on the
requirement in E.3.5 and shall be documented in the design calculations and test procedures.
E.10.3.2 Stroke time shall be fast enough to ensure that the pressure does not exceed the protected
equipment’s design pressure (i.e. MAWP for vessels, design pressure for facility piping, MAOP for pipelines).
E.10.3.3 Travel speed shall be slow enough to prevent damaging the piping systems or SDV components
from dynamic pressures caused by hydraulic shock.
102
API RECOMMENDED PRACTICE 14C
E.10.4
Valve Position
E.10.4.1 HIPPS valves shall be provided with mechanisms to provide position feedback. The feedback
signals shall be connected to the HIPPS. The following shall apply to HIPPS valves.
a)
Where the valve actuating device is a digital valve positioner, an analog position transmitter shall be
provided and shall be integral to the digital SIS valve positioner device where possible.
b)
Where the valve actuating device is a solenoid, an analog position transmitter is preferred, although
proximity sensors/switches are also acceptable.
E.10.4.2
HIPPS valves shall be provided with local position indication.
E.10.4.3
The following HIPPS valve position faults shall be detected and alarmed:
a)
valve malfunction—valve-open and valve-closed indications active at the same time;
b)
failure to open—an open command was issued but valve-open position was not detected;
c)
failure to close—a close command was issued but valve-closed position was not detected.
E.10.4.4 Written test procedures shall be developed for implementation of both online and offline testing
for all HIPPS final elements and ancillary components. Test procedures shall confirm acceptable closure
time and leakage rate.
E.11 Reset of System
E.11.1
The system shall be allowed to be reset only when the cause of overpressure has been remedied
and the high pressure upstream of the closed HIPPS valves has been safely reduced. Additional piping or
equipment can be required to enable safe depressurization for system reset.
E.11.2
The HIPPS trip state shall be manually reset.
E.11.3
Where multiple HIPPS exist (e.g. individual HIPPS on more than one riser), each individual HIPPS
shall have a dedicated reset.
E.12 Installation and Commissioning
E.12.1
General
E.12.1.1
Installation is defined as the period after manufacture and factory acceptance testing (FAT)
where the HIPPS is moved to its operating location, fixed in place, mechanically completed, and hooked up
to the system to be protected.
E.12.1.2
Commissioning begins following installation and includes all activities from testing through
introduction of hydrocarbons.
E.12.1.3
MOC should be maintained throughout the installation and commissioning process to ensure
that any changes found necessary during these phases of the work do not compromise the specified system
design and are reflected in updates to the design and engineering documentation.
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
E.12.2
103
Testing and System Validation
E.12.2.1 General
E.12.2.1.1 Testing and commissioning should:
a)
demonstrate that the HIPPS meets requirements of the design documentation and works as planned
after commissioning,
b)
be used to validate and correct operating procedures for all parts of the HIPPS, and
c)
be used to validate and correct test procedures for all parts of the HIPPS.
E.12.2.1.2 Subsequent to installation, tests should be conducted to verify that the entire system operation
is validated. Validation should confirm that
a)
response time is as rapid as required by design,
b)
system functions (e.g. closure) take place at the designated set point,
c)
valve leakage rate is within specification, and
d)
other performance factors are within specified design limits.
E.12.2.2 Testing and Commissioning Activities
E.12.2.2.1 HIPPS safety validation is defined as all activities necessary to validate prior to start-up that the
HIPPS and its associated instrumented functions meet the requirements as stated in the design
documentation. Activities should confirm that the HIPPS, including sensors, logic solver, and final elements,
performs as identified in the design documentation, including but not limited to the following:
a)
adverse interaction with the basic process control system and other connected systems do not affect the
proper operation of the HIPPS;
b)
the HIPPS properly communicates (where required) with the basic process control system or any other
system or network;
c)
the HIPPS performs as specified on bad (e.g. out of range) process variables;
d)
the system provides the proper annunciation and proper operation display;
e)
the reset functions perform as defined in the design documentation;
f)
manual activation of the HIPPS operates correctly;
g)
diagnostic alarm functions perform as required;
h)
the system performs as required on loss of power or a failure of a power supply and when power is
restored, the system returns to the desired state.
E.12.2.2.2 Prior to using the HIPPS for its intended purpose and after the testing and commissioning
activities are complete, the following activities shall be performed:
a)
all process isolation valves shall be set according to the process start-up requirements and procedures;
b)
all test materials (e.g. fluids) shall be removed;
c)
a final shutdown test shall be performed.
104
API RECOMMENDED PRACTICE 14C
E.12.2.3 Testing and Commissioning Documentation
Documentation should include the following:
a)
the HIPPS validation plan being used;
b)
tools and equipment used, along with calibration data;
c)
the results of each test;
d)
the test specification used;
e)
the criteria for acceptance of the tests;
f)
any discrepancy between expected and actual results and actions taken;
g)
documentation reflects the installed system;
h)
that the proof test intervals are documented in the maintenance procedures;
i)
operating procedures.
Annex F
(informative)
Logic Solver
F.1.1 The logic solver technology may be electrical (e.g. trip amplifiers or relays), pneumatic, hydraulic, or
programmable electronic (e.g. PLCs).
F.1.2
Unsafe failure modes for the logic solver shall be understood and addressed by one of the following:
a)
certification in accordance with IEC 61508-2 and IEC 61508-3;
b)
frequent testing of inputs and outputs (at least annually) with a management system in place for
documenting test results and ensuring failures are corrected (see Annex I);
c)
external systems such as watch dog timers (WDTs).
F.1.3
The main failure modes which should be considered for programmable systems are
— I/O points being stuck on or stuck off, and
— the logic solver CPU or application program stalling.
F.1.4 Detection of I/O failures requires cycling of the I/O point and confirmation of correct action and
detection where failures exist, either by automatic diagnostics or by manual testing of input and output
devices.
F.1.5 Detection of process program stalling requires an external WDT or equivalent internal monitoring
system as part of an independently certified logic solver. In many cases, a WDT consists of a time delay
relay, which is installed external to the logic solver. The logic solver sends a reset to this WDT frequently
enough to prevent the timer from timing out. The watchdog timing out is an indication that the logic solver
has failed and the state of the process being monitored by the PLC is unknown.
F.1.6 Users shall analyze and specify the actions required when a logic solver failure is detected. The
following actions should be considered if a PLC failure is indicated by the I/O failure detection or WDT.
a)
Send an alarm to monitoring locations (local and/or remote). This alarm should be generated by the
WDT and not the PLC it monitors.
b)
Activate protective function. Where possible, individual logic solver modules shall be programmed to
detect and respond to loss of communication to other modules.
F.1.7 The installed programmable logic solver’s safety function programming shall be restricted to the use
of predefined library functions, such as ladder diagram, function block diagram, and sequential function
charts.
F.1.8
The logic solver shall be protected against unauthorized or unintended modifications.
F.1.9 Any changes to the logic solver hardware or firmware shall be implemented in accordance with the
instructions of the manufacturer and shall be subject to MOC procedures.
F.1.10 Programmable function blocks and other functional solutions shall be tested before use. The entire
system’s functionality shall be tested for compliance to the design documents (including SAFE charts) before
being placed into service.
105
106
API RECOMMENDED PRACTICE 14C
F.1.11 Any changes during operation shall be tested to ensure the change functions as expected and that
the change does not affect other functions.
F.1.12 Test results shall be documented.
Annex G
(normative)
Emergency Support Systems
G.1 General
ESSs and other support systems provide a method of performing specific safety functions common to the
entire facility. The ESS includes ESD, fire detection, gas detection, ventilation, containment systems and
sumps, and SSSV systems. These are essential systems that provide a level of protection to the facility by
initiating shut-in functions or reacting to minimize the consequences of released hydrocarbons.
Requirements from this section are applicable to both temporary and permanent quarters and buildings.
The other support systems include the pneumatic/hydraulic supply systems, systems for discharging gas to
the atmosphere, systems for containing leaks or spills, and any other service system that might enhance
platform safety such as essential electrical power and HVAC systems. The pneumatic/hydraulic supply
system provides a control medium for the safety system, and the systems for discharging gas to the
atmosphere provide a means of discharging gases to the atmosphere under safe, controlled conditions.
G.2 ESSs
G.2.1 ESD System
G.2.1.1
Purpose
An ESD is a system of manual control stations strategically located throughout the facility that, when
activated, shall shut in all hydrocarbon sources. This includes shut-in of all wells (SSVs, USVs, BSDVs, and
SSSVs), closing of all incoming and departing SDVs, and shutdown of topsides process components,
applicable subsea components, and nonessential utility systems. The ESD system should be designed to
permit continued operation of electric generating stations, firefighting systems, and other support systems
when needed in an emergency.
Activation of the ESD system may also be initiated automatically by fire detection devices and other safety
devices.
The ESD system and the component process shutdown systems may be part of a single integrated system.
Additional guidance on ESD is defined in API 14G and API 17V.
G.2.1.2
Shutdown Stations
Stations for activation of the ESD system for complete facility shutdown should be located as follows:
a)
helicopter decks;
b)
exit stairway landings at each deck level;
c)
boat landings;
d)
at the center or each end of a bridge connecting two facilities;
e)
emergency evacuation/muster stations;
f)
near the driller’s console during drilling and workover operations;
107
108
API RECOMMENDED PRACTICE 14C
g)
near the main exits of living quarters;
h)
control rooms and central monitoring stations;
i)
within the process area, the maximum travel distance from any normal access deck location on the
facility to ESD stations should not exceed 100 ft (30.5 m) as measured along main egress routes;
j)
other locations as needed to provide stations accessible to all platform areas.
ESD stations should be conveniently located but should be protected against accidental activation. ESD
stations should be identified by shutdown function, and the shutdown position should be clearly indicated.
For pneumatic systems, the manually operated ESD valve should be quick-opening and nonrestricted to
enable rapid actuation of the shutdown system. Electric ESD stations should be wired as de-energize to trip
or as supervised circuits. Because of the key role of the ESD system in the facility safety system, all ESD
components should be of high quality and corrosion resistant. ESD stations at boat landings may utilize a
loop of synthetic tubing in lieu of a valve or electric switch.
G.2.2 Fire Detection System
G.2.2.1
Purpose
A method of automatically detecting fires on an offshore facility should be provided to allow for early
response. A fire detection system utilizing pneumatic fusible elements (TSE) or various electrical fire
detection devices, including flame (USH), thermal (TSH), or smoke (YSH) detection devices, should be
installed to detect fires in all areas classified by API 500 (Division 1 or 2) or API 505 (Zone 0, 1, or 2) and in
all buildings where personnel regularly or occasionally sleep.
G.2.2.2
Pneumatic Fusible Element Systems
One method of detecting fires is a pneumatic line containing strategically located fusible elements. Fusible
elements normally are metallic plugs that melt at a designed temperature or a section of fusible synthetic
tubing. The systems are utilized to provide a signal to shut down production activities except for equipment
required to control the fire. Fusible elements of the fire loop may be integrated with the ESD system.
G.2.2.3
Electrical Fire Detection Systems
Electrical fire detection devices (flame, thermal, and smoke) may be used in lieu of or in conjunction with
pneumatic fusible element systems. These devices are utilized to activate alarms, initiate shut-in actions, or
activate fire suppression systems (e.g. gaseous agents or water).
G.2.2.4
Installation and Operation
All electrical fire detection devices should be approved by a nationally recognized testing laboratory (NRTL)
for fire detection functionality and installed in accordance with manufacturer’s recommendations. Electrical
fire detection devices and associated alarm systems in the process area should be capable of operating a
minimum of 4 hours without primary facility electrical power. For the hull and the living quarters, other
standards can apply.
The installation and operation of a fire detection system should be suitable for the area it is designed to
protect. Fire detection systems should be installed for process equipment, enclosed classified areas, and
enclosed unclassified areas as follows.
a)
Process Equipment. Table G.1 presents guidelines for the installation of fusible plugs. When fusible
tubing or other devices (e.g. ultraviolet flame detectors, infrared sensors, etc.) are used in lieu of fusible
plugs, they should perform the same protective actions as fusible plugs and provide at least the same
coverage as outlined in Table G.1. Fusible elements may be installed in the various pneumatic lines of
the safety system if the signal generated initiates the proper shut-in functions. Fusible elements should
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
109
not use combustible gas unless a means is implemented to ensure bleeding does not continue after
shutdown.
b)
Enclosed Classified Areas. Enclosed areas that are classified by API 500 (Division 1 or 2) or API 505
(Zone 0, 1, or 2) should be equipped with fire (flame, thermal, or smoke) detection devices that
automatically shut in the hydrocarbon sources causing the enclosed areas to be classified. Hydrocarbon
sources can be internal or external to the enclosed classified area. A fusible plug system using either
combustible (if a means to ensure bleeding does not continue is implemented) or noncombustible gas is
acceptable in these areas.
c)
Enclosed Unclassified Areas. All rooms in which personnel regularly or occasionally sleep should be
equipped with smoke detectors that activate an audible alarm. Living quarter rooms containing heat
sources (e.g. water heaters, clothes dryers, kitchen ranges, ovens, space heaters, etc.) should be
equipped with smoke and/or thermal rate of rise detectors that activate an audible alarm. Fusible plug
systems utilizing a combustible gas should not be used for fire detection in buildings where personnel
regularly or occasionally sleep (even if the building is classified because of its proximity to a
hydrocarbon source).
G.2.3 Combustible Gas Detection System
G.2.3.1
Purpose
The accumulation of combustible gases in the atmosphere approaching the LEL on offshore facilities could
create a threat to safety. The gas detector (ASH) system should alert personnel by audible and/or visual
alarm to the presence of low-level concentrations of flammable gas or vapor. Also, it should shut off the gas
source and may remove all sources of ignition if the concentration approaches the LEL of the gas present.
G.2.3.2
Installation
Combustible gas detecting sensors should be located in all enclosed areas that are classified by API 500
(Division 1 or 2) or API 505 (Zone 0, 1, or 2), such as the following:
— enclosed areas containing flammable gas compressors or natural gas fueled prime movers;
— in buildings where personnel regularly or occasionally sleep and that contain a flammable gas source.
In enclosed areas containing flammable gas compressors, the minimum number of sensors is one per
compressor unit, plus an additional sensor per three units or fractional part thereof (minimum of two sensors
in all enclosed compressor buildings).
In enclosed areas containing other natural gas-fueled prime movers (e.g. engines driving generators or
pumps), the minimum number of sensors is one per prime mover.
Gas detection instruments should be approved by an NRTL and should meet requirements of ISATR12.13.01 and ISA-TR12.13.04. Process shutdown devices controlled by gas detector systems should be
“normally energized” (commonly referred to as “failsafe”). Automatic corrective actions, such as
disconnecting electrical power, should be evaluated to determine if “normally energized” creates additional
hazards. Gas detection systems should be installed, operated, and maintained in accordance with ISATR12.13.02. Providing adequate ventilation (refer to G.2.4) is an acceptable alternative to installing gas
detection systems except in buildings where personnel regularly or occasionally sleep or in enclosed areas
that contain components handling flammable gas.
Pressure-sensing devices, in some cases, are only capable of detecting large leaks. The use of gas
detectors in open process areas should be considered so that the ESS is capable of detecting gas releases
such that the likelihood of escalation is minimized. Like a PSL, an automatic corrective action on confirmed
gas by the detection system shall be targeted for the hazard that is being protected against in each area.
Table G.2 describes the capabilities of the types of gas detectors used in industry.
110
API RECOMMENDED PRACTICE 14C
Table G.1—Guidelines for Fusible Plug Installations
Component
Wellheads
Minimum Number
of Plugs
Fusible Plug Arrangement
One for each wellhead
ad
—
a
Headers
One for each 10 ft (3 m) of header length
Boarding shutdown valves
(BSDVs) and pipeline
shutdown valves (SDVs)
One for each valve within 5 ft (1.5 m) of the valve
2
—
Pressure vessels
Vertical vessel
One for each 12 in. (0.3 m) of OD to a maximum of 5 at the
c
top of the vessel
1
Horizontal vessel
Less than 48 in. (1.2 m) OD—one for each 5 ft (1.5 m) of
length
2
Greater than 48 in. (1.2 m) OD—two for each 5 ft (1.5 m) of
length in two parallel rows
4
Atmospheric vessels
One for each 5 ft of perimeter to a maximum of 10 at the top
c
of the vessel
1
Fired vessels and exhaustheated components
Same as pressure vessels. Additionally, one outside the flame
arrestor on fired components
—
Heat exchangers
One at each hydrocarbon process connection of the heat
exchanger
2
Pumps
Adjacent to pump seals/packing
—
Compressors
b
Reciprocating
One for each cylinder
Centrifugal
One over compressor case
—
—
Engines
b
Spark ignition
One over each carburetor or fuel injection valve
Diesel
One for pump supplying injectors
Combustion turbines
One for each fuel solenoid, governor valve, and power takeoff (PTO) pump
b
—
—
—
a
Not applicable to underwater wellheads or headers.
b
Or equivalent coverage.
c
Where the vessel passes through one or more decks, an additional level of fusible plugs shall be installed under each deck.
d
Consider using electronic fire detection devices on floating facilities with dry trees. This helps compensate for movement between
the facility and the tree.
NOTE When fusible tubing or other devices (such as ultraviolet flame detectors, etc.) are used instead of fusible plugs, they should
provide at least the same coverage as outlined above.
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
111
Table G.2—Guidelines for Combustible Gas Detectors
Combustible Gas
Detector Type
Capabilities
Recommended Set Points
Point
Detect combustible gas specifically at the
sensor head.
An audible alarm should be activated
at gas concentration no greater than
25 % LEL. Under confirmed gas
detection, automatic corrective action
should be initiated at no greater than
60 % LEL.
Open path/line of sight
Detect combustible gas along a continuous
path between an infrared energy transmitter
and an infrared receiver. Can provide
greater coverage than a single point
combustible gas detector.
An audible alarm should be activated
at gas concentration no greater than
1.25 LEL-m. Under confirmed gas
detection, automatic corrective action
should be initiated at no greater than
3.00 LEL-m. Note that these set
points are equivalent to the point gas
detector set points based on a 5 m
gas cloud.
Ultrasonic/acoustic
Detects pressurized gas leaks by measuring
the ultrasonic energy generated by the leak.
This technology offers a complementary
method to point and open path combustible
gas detectors.
An audible alarm should be activated
at a level greater than 6 dB above
the background ultrasonic noise
level.
NOTE Ultrasonic gas detectors can pick up
leaks of nonhazardous gases (e.g. air leak). As
such, consider voting ultrasonic detectors with
point or open path detectors when initiating
automatic corrective action.
Automatic corrective action should include shutting off affected components and gas sources and may
disconnect electrical power to affected areas. In lieu of total process shut-in, it is acceptable to isolate
affected areas (e.g. closing a fuel valve to a generator building). Careful consideration should be given to the
form of automatic corrective action taken to ensure that the situation is not made more hazardous. Gas
detection systems monitoring more than one area should identify the location where flammable gas or vapor
is detected.
Combustible gas detectors in applications with high airflow rates, such as gas turbine combustion air intake,
gas turbine enclosure ventilation inlet and outlets, and HVAC inlets may require alarms and automatic
corrective actions at lower levels. In addition, combustible gas detectors used in high airflow applications
shall be designed for this purpose.
Lower LEL set points may be required when using the provisions in API 500 and API 505 to reduce the area
classification.
Confirmed gas detection shall be defined for the specific application and shall be targeted for the defined
hazard and the automatic corrective action. This may be accomplished by a single detector or by voting of
multiple detectors. Voting of multiple combustible gas detectors provides redundancy and ensures gas
detector configurations are robust against nuisance trips. When voting is used, detectors shall be installed
such that a hazardous event is detected by multiple detectors, taking into account likely migration of gas
clouds. Detector voting may not be necessary where detectors themselves are reliable or when the
consequences of nuisance trips are not significant.
In the event gas detectors are installed in open process areas, the basis for determining the location,
number, and types of detectors should be established by first identifying and assessing the possible
combustible gas detection hazardous events in each area and, second, evaluating requirements to
effectively detect these events. Selection of combustible gas detection devices should take into account their
response characteristics and the conditions that may be experienced when detection is required.
112
API RECOMMENDED PRACTICE 14C
In lieu of dispersion and consequence analysis, a default 5 m (16.4 ft) gas cloud size [46] can be used to
determine detector spacing.
Figure G.1 shows four point detectors and two open path detectors capable of detecting a leak from a single
component. One gas detector can be capable of detecting a gas leak from an adjacent component;
therefore, a detector mapping methodology can improve sensor coverage significantly.
Gas detector mapping allows for the analysis of irregularly shaped “covered” areas as well as a range of
different detection equipment. For additional guidance, see ISA-TR84.00.07.
G.2.4 Adequate Ventilation
Adequate ventilation is ventilation (natural or artificial) that is sufficient to prevent the accumulation of
significant quantities of vapor-air mixtures in concentrations above 25 % of their LEL. Refer to API 500 or API
505 for additional details, including recommended methods of achievement.
G.2.5 Containment System
A containment system is installed to collect and direct escaped liquid hydrocarbons to a safe location. All
equipment subject to leaks or overflow should be protected by curbs, gutters, or drip pans that drain to a
sump. Containment systems are optional on structures that do not have process vessels or other equipment
subject to leak or overflow (e.g. structures with only wells, headers, pipelines, cranes, and/or instrument gas
scrubbers).
All gravity drain piping networks should be designed to prevent escape of gas from sumps through the
drains. This is typically accomplished by water seals located at each drain, or each drain pipe header, or with
a total network water seal located in the sump inlet piping. Check valves are not considered appropriate for
this service and should not be used as alternative protection for water seals. Pressure drains should not be
combined with gravity drains prior to sump entry.
G.2.6 Sumps
G.2.6.1
General
A sump may be a tank, a closed-end pile, or an open-end pile. All sumps should be equipped with an
automatic discharge to handle maximum inflow. Vents are installed on atmospheric sumps for the purpose of
safely dissipating hydrocarbon vapors. Depending upon design and location, a sump pile vent may fulfill this
purpose without a flame arrestor being installed. Due to possible plugging from corrosion, the low flow/low
pressure (no static electricity), and distance from potential ignition/flash back sources, a flame arrestor could
be eliminated in a sump pile located close to the water level.
G.2.6.2
Open-end Sump Piles
Properly designed open-end sump piles are occasionally used to collect deck drainage or drips and to
dispose of treated produced water. Except during emergency upset condition, vessels should not discharge
liquid hydrocarbons directly into an open-end sump pile. Open-end sump piles should be protected against
hydrocarbon discharge (overflow and/or underflow). The type of protection should be determined on a caseby-case basis. Some factors that should be considered include pile length, liquid properties, maximum inflow
rate, wave action, and tidal fluctuation.
G.2.7 SSSVS
Subsurface safety valves (SSSVs) are installed below the wellhead to prevent uncontrolled well flow in the
event of an emergency situation. Subsurface-controlled subsurface safety valves (SSCSVs) should shut in if
well rate exceeds a predetermined rate that might indicate a large leak. Surface-controlled subsurface safety
valves (SCSSVs) should shut in when activated by an ESD system and/or a fire detection system. Guidance
for the design and installation of SSSVs is covered in API 14B.
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
NOTE
113
See API 17V for additional information on SCSSVs associated with wet trees.
Figure G.1—Gas Detector Spacing
G.3 Other Support Systems
G.3.1 Pneumatic Supply System
G.3.1.1
Purpose
The pneumatic supply system provides the control medium for the surface safety system. The facility safety
and shutdown systems generally require a power supply at a pressure adequate to operate valve actuators
and an instrument supply at a lower pressure.
114
API RECOMMENDED PRACTICE 14C
G.3.1.2
Pneumatic Supply Properties
Proper functioning of the safety system is dependent on the pneumatic supply; therefore, a reliable source of
high-quality gas is essential. The following are properties of a good pneumatic supply:
a)
free of liquid hydrocarbons;
b)
free of water and water vapor;
c)
free of solids;
d)
noncorrosive.
G.3.1.3
Pneumatic Supply Sources
Usually, air, natural gas, or nitrogen is the pneumatic control medium. When air is used as a pneumatic
supply source, the system should be designed to prevent the mixing of air and hydrocarbon gases from the
process or utility systems under both normal and abnormal conditions. If an alternate pneumatic supply
source is provided, the alternate medium shall be of a composition that will not create a combustible mixture
when combined with the primary source.
G.3.1.4
Supply and Response
The pneumatic supply distribution systems should be sized to ensure adequate volume and pressure to all
safety devices. Pneumatic supply usage should be calculated for the maximum condition that could be
experienced at any one time. The time it takes for any safety device (e.g. PSH, BSL, ESD station, etc.) to
effect component or facility shutdown should not exceed 45 seconds. To achieve this response,
consideration should be given to pneumatic line sizes, safety device bleed port size, and the use of auxiliary
quick bleed devices. Pneumatic lines that supply and bleed should be sized for optimum bleed conditions.
Because of volume and flow characteristics, a line that is either too large or too small will require excessive
time to bleed.
G.3.2 Hydraulic Supply System
G.3.2.1
Purpose
The hydraulic supply system provides the control medium for the surface safety system. The platform safety
and shutdown systems generally require a power supply at a pressure adequate to operate valve actuators.
G.3.2.2
Hydraulic Supply Properties
Proper functioning of the safety system is dependent on the hydraulic supply; therefore, a reliable and highquality hydraulic supply is essential. Maintaining the cleanliness of the hydraulic supply is fundamental to
ensuring the reliability of the system.
G.3.2.3
Hydraulic Supply Design Considerations
Hydraulic control mediums may be water or mineral oil based. The design should address the reliability of
the hydraulic power pack to ensure the availability of hydraulic power during emergency events. Filtration
equipment provided should maintain the cleanliness of hydraulic fluid within operating limits specified by the
manufacturers of all hydraulic components.
G.3.2.4
Supply and Response
The hydraulic supply distribution systems should be sized to ensure adequate volume and pressure to all
safety devices. For valve actuation, capacity should be such that the operating volume between maximum
and minimum levels shall hold the complete control system capacity plus 20 %. Hydraulic supply usage
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
115
should be calculated for the maximum condition that could be experienced at any one time. The time it takes
for any safety device (e.g. PSH, BSL, ESD station, etc.) to effect component or facility shutdown should not
exceed 45 seconds. To achieve this response, consideration should be given to hydraulic feed line sizes,
safety device bleed port size, the use of auxiliary quick bleed devices, and hydraulic return line sizes.
G.3.3 Electrical Power System
G.3.3.1
Purpose
The electrical power system provides power to any electrically powered ESSs. The essential electrical power
system provides a continuous electrical power source so that the ESS and other support systems will
function during any loss of the platforms normal electrical power system. Refer to API 14F for the design,
installation, and maintenance of these systems. Systems requiring standby electrical power may include the
following:
1) ESD system;
2) fire and gas system;
3) public address and general alarm system;
4) telecommunications;
5) ventilation systems;
6) equipment for Safety of Life at Sea (SOLAS) requirements.
G.3.3.2
Design Considerations
Essential electrical power system should be capable of supplying the ESS for a period determined necessary
to manage an emergency event, which does not require evacuation of the facility. Systems requiring power
for periods when emergency generation is unavailable will require uninterruptible power supply (UPS) or
battery systems. Transfer on failure of emergency generator to UPS or battery back systems should not
affect ESS system operation. UPS and battery systems should be sized to ensure the availability of the ESS
for a period commensurate with the completion of emergency response activities.
G.3.4 Systems for Discharging Gas to Atmosphere
G.3.4.1
Purpose
Systems for discharging gas to the atmosphere provide a means for conducting discharged gas from
process components under normal conditions (flare, vent) and abnormal conditions (relief) to safe locations
for final release to the atmosphere. These should be locations where the gas will be diluted with air to below
the LEL so it will not be a threat to the facility or where it can safely be burned.
G.3.4.2
Description
These systems originate at the normal gas exit or PRD of a process component and terminate at the
designated safe locations. They can vary from an exit nipple on an individual PRD or control valve to a piping
network connected to the outlet of several valves. If gas is discharged from a pressure vessel during normal
operation (i.e. to flare or vent), a scrubbing vessel should be provided to remove liquid hydrocarbons.
G.3.4.3
Discharge Point
The final discharge point for atmospheric gas may be through a vertical, cantilevered, or underwater pipe. In
some cases the discharge point may be remote from the platform. The following should be considered in
selecting a safe discharge point:
116
API RECOMMENDED PRACTICE 14C
a)
personnel safety;
b)
the discharge volume;
c)
the location in relation to other equipment, particularly fired vessels or other ignition sources, personnel
quarters, fresh air intake systems, and helicopter and boat approaches;
d)
prevailing wind direction and, in the case of underwater discharges, the prevailing current;
e)
if a PSV is located inside a building, its discharge outlet should be piped to a safe location outside the
building such as a flare or vent system.
G.3.4.4
Design Considerations
Atmospheric gas discharge systems should be designed in accordance with API 520 and API 521, API 2000,
and ASME BPVC Section VIII or equivalent. Systems should be designed so that back pressure, including
inertial forces developed at maximum instantaneous flow conditions, will not exceed the working pressure of
the lowest pressure rated item. Flame arrestors can be used in vent systems to reduce the danger of
combustion within the component from an external source. Flame arrestors should be located near the
discharge point in the vent pipe. If this makes access to the flame arrestor difficult, then consideration should
be given for an alternate arrestor type (e.g. detonation arrestors) to allow for installation further back from the
vent discharge point in a location that is accessible. A flare scrubber should be a pressure vessel designed
to handle maximum anticipated flow.
G.3.5 Essential HVAC System
G.3.5.1
Purpose
Where HVAC systems are deemed essential by providing pressurization, ventilation, or cooling to areas
occupied during emergency events, and to areas containing powered ESS equipment, the following design
considerations are applicable. Coverage for the essential HVAC system may include enclosed muster areas,
areas occupied during emergency event management, and rooms housing electrically powered ESS
equipment.
G.3.5.2
Design Considerations
The essential HVAC should be powered from the standby electrical power system. Replenishment air should
be drawn from a deemed safe area. If gas is detected at air intakes or doorways, the system should, as a
minimum, be capable of shutting off the external air supply to mitigate the likelihood of gas ingress.
Annex H
(informative)
Toxic Gases
H.1 General
H.1.1 This annex provides guidelines and methods of handling sour production (e.g. production containing
hydrogen sulfide) on offshore facilities. This section includes discussion of general criteria, toxic gas
detectors, and atmospheric discharging systems. These are essential systems and procedures that provide a
minimum acceptable level of protection to the facility and personnel by initiating shut-in functions or reacting
to minimize the consequences of released toxic gases. In addition to the following recommendations, API 55
should be consulted.
H.1.2 Production of liquid and gaseous hydrocarbons containing hydrogen sulfide (H2S) in significant
amounts can be hazardous to personnel and can cause failure of equipment. The presence of H2S also
presents the possibility of exposure to sulfur dioxide (SO2) that is produced from the combustion of hydrogen
sulfide. H2S gas detectors or alternate detection systems should be installed on offshore production facilities
a)
where the concentrations of H2S gas may reach an atmospheric concentration of 50 ppm or greater at a
distance determined by dispersion calculations (refer to API 55) to which personnel could be exposed
during normal or abnormal operations, or
b)
where dispersion calculations are not performed, a process component or piping on the platform
contains gas with a H2S concentration of 100 ppm or greater. Sulfur dioxide monitoring equipment
should be utilized when flaring operations could result in personnel exposure to atmospheric
concentrations of SO2 of 2 ppm or greater. Sulfur dioxide monitoring equipment should indicate when
concentrations reach a level of 2 ppm.
H.1.3 Accumulations of toxic gases or vapors are more likely to occur in poorly ventilated areas containing
a source of H2S, particularly in enclosed areas. Methods for increasing safety include improving ventilation
and installing toxic gas detector (OSH) systems. Toxic gas detector (OSH) systems should alert personnel
by unique audible or visual alarms, as appropriate for the area or zone where low-level concentrations of
toxic gases have been detected. Also, these systems should increase ventilation and shut off the gas source
if possible. Since many toxic gases are flammable, combustible gas detectors (ASHs) should be installed to
prevent concentrations from reaching the LEL of the gas present and eliminate ignition sources. Electrical
installations should be made in accordance with API 14F. Strict controls should be used when exposing
materials to an environment containing hydrogen sulfide. Many materials may suddenly fail by a form of
embrittlement known as sulfide stress cracking (SSC). Guidelines for equipment and materials selection on
the basis of resistance to sulfide stress cracking and corrosion is provided by NACE MR0175/ISO 23251.
H.1.4
Gas containing H2S shall not be used as supply for instrument gas systems.
H.2 Installation, Operation, and Testing of Fixed Detection Systems
H.2.1 Placement of H2S detectors involves consideration of many variables including concentration of toxic
gas in process streams, specific gravity of the gas mixture, process pressure, process temperature,
atmospheric conditions, ventilation, equipment location, type of decking (solid or grated), and direction of
prevailing winds. A detailed design analysis that might include dispersion modeling should be performed to
determine the need for and placement of detector systems.
H.2.2 When reviewing a platform to determine where H2S gas detector sensors should be installed, the
first step is to prepare drawings that identify all process components or piping handling 100 ppm or greater
concentrations of hydrogen sulfide. All fittings, flanges, and valves comprising the piping system and the
location of devices subject to leaks to the atmosphere during normal or abnormal conditions should be
considered in determining the placement of sensors.
117
118
API RECOMMENDED PRACTICE 14C
H.2.3 Because H2S gas is heavier than air, sensors normally should be installed no more than 36 in.
(0.9 m) above the floor (deck). To allow for proper maintenance and to reduce the probability of wetting
during area wash-down, sensors should be installed no less than 12 in. (0.3 m) above the floor (deck).
Installation of protective caps designed for the detector’s head should be considered to prevent wetting. H2S
mixed with natural gas may form a lighter-than-air mixture. When such mixtures are anticipated, sensor
installations at elevations greater than 36 in. (0.9 m) may be appropriate.
H.2.4
H2S gas detecting sensors should be installed at the following locations.
a)
In enclosed areas (see definition in API 500 or API 505) where personnel enter frequently on a regular
basis and are inadequately ventilated (see API 55) and that contain sources of H2S that can cause
concentrations of 10 ppm or more in the atmosphere.
b)
In occupied buildings or spaces (e.g. at air intakes) located on facilities where toxic gas detectors are
installed.
c)
In certain enclosed and nonenclosed areas that contain sources of H2S that can cause concentrations of
50 ppm or more in the atmosphere where personnel could be exposed
1)
as determined by the detailed design analysis (e.g. dispersion modeling), or
2)
in a grid pattern with a minimum of one detector for each 400 ft2 (37 m2) of floor area or fractional
part thereof, or
3)
within 10 ft (3 m) of the following (refer to H.1):
— all applicable vessels;
— all applicable compressors—compressors exceeding 50 hp (38 kw) should be provided with at
least two (2) sensors;
— all applicable pumps;
— all applicable headers;
— all applicable wellheads. Wells shut in at the master valve and sealed closed are exempt.
H.2.5 When utilizing the 10 ft (3 m) criteria for sensor location, one sensor may be utilized to detect H2S
gas around multiple pieces of equipment, provided the sensor is no greater than 10 ft (3 m) from all
applicable equipment. When utilizing the grid configuration, maximum sensor spacing should be 20 ft (6 m).
H.2.6 H2S detection instruments should be approved by an NRTL and meet ISA-92.00.01 and ISA92.00.04 Part I. Furthermore, H2S detection systems should be installed, operated, and maintained in
accordance with ISA-92.00.02.
H.2.7 Detection of no more than 10 ppm of H2S gas in the atmosphere should initiate an audible or visual
alarm, as most appropriate for the area where the gas has been detected. A visual warning system should
be provided at locations such that personnel in approaching helicopters or boats can be effectively warned of
the release of toxic gas when concentrations in the atmosphere around the landing area exceed 10 ppm.
H2S warning alarms should be distinguishable from other alarms at the location.
H.2.8 Detection of no more than 50 ppm of hydrogen sulfide gas in the atmosphere should initiate an
audible general platform alarm and a visual alarm, as most appropriate for the area where the gas has been
detected. Automatic corrective actions to control the source of hydrogen sulfide should be initiated upon
confirmed detection of the gas. Visual indication should be displayed if the concentration of gas exceeds 50
ppm around the landing areas for boats and helicopters or if personnel arriving by boat or helicopter would
not have access to safe briefing areas. Depending on the source of the leak, the corrective action may
include the following:
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
a)
a shut-in of the sour production handling equipment, applicable wells, and pipelines/flowlines;
b)
blowdown of certain process equipment;
c)
providing (or increasing) ventilation;
d)
closing air intakes and/or shutdown of HVAC systems.
119
H.2.9 In lieu of total process shut-in, alarmed areas may be isolated; an example is closing an inlet valve to
a compressor building. It may be desirable in certain instances for H2S detectors not to initiate shutin/isolation action, but to alarm only.
H.2.10 Careful consideration should be given to the form of automatic corrective action taken to ensure that
the situation is not made more hazardous.
H.2.11 Shutdown devices controlled by H2S gas detection systems should be installed “normally energized”
(commonly referred to as “failsafe”). Refer to API 14F.
H.2.12 In addition to being toxic, H2S gas is combustible. The range of combustibility is approximately 4.3 %
to 45.5 % by volume. Areas subject to combustible levels of H2S should be classified as Group C and
electrical equipment should be suitable for Groups C and D atmospheres. For mixtures of H2S and natural
gas, the mixture should be considered Group D if the H2S constitutes less than 25 % of the mixture (by
volume) and Groups C and D if greater than 25 %. If machinery or equipment shutdown could create an
ignition source, consideration should be given to actuation of a fire inerting system prior to shutdown.
H.2.13 If sour gas is sweetened to reduce personnel exposure hazard or for equipment protection, the
sweetened gas shall be continuously monitored for H2S prior to the gas leaving the facility and preferably
before being utilized for fuel or control gas at the facility. Devices specifically designed for analyzing an
in-stream sample for H2S content on a continuous basis should be utilized.
H.2.14 To better ensure proper application of H2S detection instruments, an environment and application
checklist (similar to the example shown in ISA-92.00.02) should be provided to prospective suppliers by the
user.
H.3 Systems for Discharging Hydrogen Sulfide and Sulfur Dioxide to Atmosphere
Discharge of pressure-relief and normally venting devices should be located away from work areas and
designed to provide adequate dispersion and to limit personnel exposure to H2S and sulfur dioxide
concentrations not exceeding those discussed in H.1. If dispersion modeling determines that ignition of
vented gas is required, the flare outlets should be equipped with an automatic ignition system and contain a
pilot(s) or other means to ensure combustion. On platforms where flaring is required, failure of the automatic
ignition system and loss of flare should shut in the input source.
Annex I
(normative)
Testing and Reporting Procedures
I.1 General
Performance testing provides a practical method of confirming the system’s ability to perform the design
safety functions. On initial installation, tests shall be conducted to verify that the entire facility safety system,
including the final SDVs or other final elements, is designed and installed to provide proper response to
abnormal conditions. Thereafter, periodic operational tests should be performed, at least annually, to
substantiate the integrity of the entire system, including process station or facility shutdown if necessary.
Typical test procedures for individual types of safety devices are presented in Table I.1. Alternative
procedures may be used as recommended by manufacturers or as determined through other assessments.
A reporting method shall provide for orderly accumulation of test data that can be used for operational
analyses, reliability studies, asset integrity studies, and reports that can be required by regulatory agencies.
I.2 Design and Installation Verification
I.2.1
Purpose
Before a production system is placed in initial operation, the safety system should be thoroughly inspected
and tested to verify that each device is installed, operable, performs its design function, and, if applicable, is
calibrated for the specific operating conditions.
When re-commissioning a facility after being shut in for 30 days or more, the production safety system
sensors and final elements shall be physically verified for proper operation. This verification is to ensure that
all sensors remain connected to the process and are functioning and all final elements are properly
connected and functional.
Where an addition or modification is made to the facility safety system, that portion of the system that has
been added or modified and any portion of the system associated with that change shall be completely
inspected and tested to ensure functionality from sensor through logic and to confirm that the final elements
function as required.
I.2.2
SAFE Chart
The SAFE chart shown in Figure B.6 and discussed in 6.3.3 provides a checklist for the initial design and
installation verification. Each sensing device is listed in the column headed “DEVICE I.D.,” and its respective
control function is indicated under the column headed “FUNCTION PERFORMED.” It shall be determined
that a safety device is operable, properly calibrated, and accomplishes the design control function within the
prescribed time period. This fact can be noted on the SAFE chart. When all initiating devices have been
tested and their “function performed” confirmed, the design and installation is verified.
I.3 Safety System Testing
I.3.1
Purpose
Safety systems shall be tested to verify that each sensing device operates within the test tolerances defined
in I.4 and the control circuit performs its shutdown function as specified. Testing is required to maintain the
reliability of the safety system. Testing intervals should be adjusted based on analysis of the required testing
records. Test intervals may need to be shortened to maintain the reliability of the system in systems
subjected to higher stresses (corrosion, heat, etc.), and the intervals may be extended where analysis
indicates that extension of the interval will not degrade the system reliability.
120
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
Table I.1—Safety Device Test Procedure Examples
Item
A
Safety Device
Burner flame detector
(BSL)
Procedure
1)
a)
b)
2)
B
Combustible point gas
detector (ASH)
Emergency shutdown
system (ESD)
light pilot,
block fuel supply to main burner,
c) shut off fuel supply to pilot and check BSL for detection.
To check burner flame-out control:
d)
e)
light main burner,
block fuel supply to pilot,
f)
shut off fuel supply to main burner and check BSL for detection.
1)
Adjust the zero control, if necessary, so that meter reads 0 % LEL with all
gas positively eliminated from sensor.
2)
Place sensing adapter of portable purge calibrator over probe head and
open shut-off valve on sample container.
3)
When meter reaches maximum level and stabilizes, record meter
reading, calibration gas concentration, low alarm, and high shutdown set
points (% LEL).
If necessary, adjust meter to read % LEL of calibration gas.
4)
C
To check pilot flame-out control:
5)
6)
Close shut-off valve on sample container and remove sensing adapter.
Actuate test control or zero control, as appropriate, and observe low and
high trip points. Check shutdown relay for actuation.
1)
Pneumatic Station—Check each ESD station by moving to the shutdown
position. Observe for free valve movement and unobstructed gas bleed.
Verify loss of pressure at activating element if it is bypassed.
2)
Electric Station—Activate each station and verify receipt of signal at logic
solver. They may be bypassed to prevent platform shutdown.
The overall ESD system shall be tested at regular intervals by activation of an
ESD station and verification that all outputs operate properly. This may be
done individually or as a group depending on platform design in order to avoid
an actual facility shutdown. Record the time (seconds) after operating the
manual remote station for the flowline surface valve or BSDV to close.
Unplanned shutdowns may be used to provide evidence of satisfactory
operation, providing adequate information is available to record the
performance of individual components.
D
Flowline and departing
pipeline check valve (FSV)
1)
Close upstream valve and associated header valves.
2)
Open bleeder valve and bleed pressure from flowline between closed
valves.
3)
4)
Close bleeder valve.
Open appropriate header valve.
5)
6)
Open bleeder valve.
Check bleed valve for backflow. If there is a continuous backflow from
bleeder valve, measure the flow rate. If sustained liquid flow exceeds
400 cc/min or gas flow exceeds 15 ft3/min (0.4 m3/min) during the
pressure holding test, the FSV should be repaired or replaced.
NOTE See I.4.6 for additional leakage guidance.
7)
Close bleeder valve and open upstream valve.
121
122
API RECOMMENDED PRACTICE 14C
Table I.1—Safety Device Test Procedure Examples (Continued)
E
High- and low-level sensors
(LSHs) and (LSLs)—
installed internally
1)
Manually control vessel dump valve to raise liquid level to high-level trip
point while observing level liquid in gauge glass.
2) Manually control vessel dump valve to lower liquid level to low level trip
point while observing liquid level in gauge glass.
Alternate procedure 1:
1)
2)
Open fill line valve and fill vessel to high level trip point.
Close fill line valve.
3) Drain vessel to low level trip point.
Alternate procedure 2 (for pressure differential transmitter used for level
sensors):
NOTE Source pressures utilized for testing transmitters shall be external sources
separate from the process, utilizing test gauges, test meter or calibrator to observe trip
points and/or verify the zero and span of the transmitters.
1)
2)
Close valve connecting high side of transmitter to vessel.
Close valve connecting low side of transmitter to vessel.
3)
Connect external test pressure source to high side of transmitter.
External pressure source shall have means to measure pressure
(or equivalent level) utilizing an external test gauge.
Vent to atmosphere low side of transmitter.
4)
5)
Introduce pressure at high side of transmitter equal to high liquid
level and verify LSH actuates within test tolerance.
6)
Introduce pressure at high side of transmitter equal to low liquid
level and verify LSL actuates within test tolerance.
7)
8)
Disconnect test pressure source.
Close vent valve of low side of transmitter.
9)
Open valves to vessel and return transmitter to service.
NOTE For transmitters without low side connections to vessel, steps 2, 4, and 8 can
be omitted.
F
LSHs and LSLs—installed
in outside cages
1)
2)
Close isolating valve on float cage(s).
Fill cage(s) with liquid to high level trip point.
3)
4)
Drain cage(s) to low level trip point.
Open cage(s) isolating valves.
Alternate procedure:
1) Close isolating valve on float cage(s).
2)
3)
Drain cage to low level trip point.
Open lower cage isolating valve.
4)
Slowly bleed pressure from the top of the cage, allowing vessel
pressure to push fluid from inside the vessel to the high level trip
point.
Open upper cage isolating valve.
5)
G
High- and low-pressure
sensors (PSHs) and
(PSLs)—external pressures
test
1)
2)
3)
4)
5)
Close isolating valve on pressure-sensing connection.
Bleed pressure from sensors and record low sensor trip pressure
observed from an external test gauge.
Apply pressure to sensor(s) with a hydraulic pump, high-pressure gas, or
nitrogen, and record sensor trip pressure observed from an external test
gauge.
Adjust sensor, if required, to provide proper set pressure.
Open sensor-isolating valve, verifying that high pressure bleeds into
process system, confirming that sensing port is not blocked.
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
Table I.1—Safety Device Test Procedure Examples (Continued)
H
I
PSHs and PSLs—bench
test
Safety relief valve (PSV)—
external pressure test.
1)
Mount sensors on a test stand and connect pneumatic supply.
2)
3)
Apply pressure as indicated.
a) PSH. Apply pressure to sensor with hydraulic pump, high-pressure
gas, or nitrogen bottle, and record high sensor trip pressure.
b) PSL. Apply pressure above set pressure and bleed pressure, and
record pressure at which low sensor trips.
Tag sensor with set pressure and date.
1)
Remove lock or seal and close inlet isolating block valve.
2)
Apply pressure through test connection with nitrogen, high-pressure gas,
or hydraulic pump, and record pressure at which the relief valve or pilot
starts to relieve.
The safety valve or pilot should continue relieving down to reseat
pressure. Hold test connection intact until the pressure stops dropping to
ensure that valve has reseated.
NOTE API 576 provides
detailed isolation procedures
3)
J
K
PSV—bench test
Pipeline and process
shutdown valve (SDV)
4)
Open inlet isolating block valve and lock or seal.
1)
Mount on a test stand.
2)
3)
Apply pressure through test connection with nitrogen, high-pressure gas,
or a hydraulic pump, and record pressure at which the relief valve starts
to relieve test pressure.
Record results.
4)
Tag PSV with the set pressure and the date of test.
1) Partial stroke test.
Vent pressure off the actuator and allow valve to reach approximately 20 %
closed/80 % open position.
Return pressure to actuator to return valve to fully open.
2) Full valve closure test.
Initiate signal to close SDV from either remote or local switch.
Close SDV.
Verify SDV closure.
Open SDV.
L
M
Surface safety valve (SSV)
operation test
SSV pressure holding test
1)
Shut in well.
2)
3)
Close SSV.
Open SSV.
4)
Return well to production.
1)
2)
4)
Shut in well and SSV as for operations test.
Position wing and flowline valves to permit pressure to be bled off
downstream of SSV.
With pressure on upstream side of SSV, open bleed valve downstream of
SSV and check for continuous flow. If sustained liquid flow exceeds 400
cc/min or gas flow exceeds 15 ft3/min (0.4 m3/min) during the pressure
holding test, the SSV should be repaired or replaced.
Close bleeder valve.
5)
Return well to production.
3)
123
124
API RECOMMENDED PRACTICE 14C
Table I.1—Safety Device Test Procedure Examples (Continued)
N
Boarding shutdown valve—
(BSDV)
O
High and low temperature
(TSHL)—temperature bath
test
1)
Shut BSDV as for operations test.
2)
With pressure on upstream side of BSDV, open bleed valve downstream
of BSDV and check for continuous flow. If sustained liquid flow exceeds
400 cc/min or gas flow exceeds 15 ft3/min (0.4 m3/min) during the
pressure holding test, the BSDV should be repaired or replaced.
3)
1)
Close bleeder valve.
Return well to production.
1)
Remove temperature sensing probe.
2)
3)
Place a thermometer in a hot liquid bath.
Insert temperature sensing probe in the liquid bath and set manual dial
on temperature controller at the same temperature indicated on the
thermometer. Record high temperature set point. If the controller does
not trip at the temperature of the liquid bath, adjust the controller to trip at
that temperature.
4)
Remove temperature sensing probe from liquid bath, allow it to cool, and
record low temperature set point.
5)
Remove sensing probe to original location and adjust controller to
desired temperature.
Q
Toxic gas detector (OSH)
Toxic gas detectors should be tested in accordance with the manufacturer’s
specifications.
R
Pipeline-tested SDV—
leakage test
1)
Stop inlet source to pipeline.
2)
3)
Close SDV as for operations test.
Bleed off upstream section.
4)
Check for leakage upstream of valve. If sustained liquid flow exceeds
400 cc/min or gas flow exceeds 15 ft3/min (0.4 m3/min) during the
pressure holding test, the SDV should be repaired or replaced.
NOTE See I.4.10 for additional leakage guidance.
I.3.2
5)
Return SDV to service.
6)
Return inlet source to pipeline.
Frequency
Safety devices and systems should be tested at the intervals recommended below. Alternative intervals may
be established based on field experience, where supported by historical testing records. The recommended
test frequencies do not supersede the testing requirements called for in I.2.1 when the safety system is
initially installed or modified.
a)
Monthly (once each calendar month, not to exceed 6 weeks):
— PSH and PSL (pneumatic/electronic switch);
— LSH and LSL (pneumatic/electronic switch/electric analog with mechanical linkage);
— SDV (partial stroke testing);
— SSV and BSDV (full stroke and leakage test);
— flowline FSVs.
b)
Quarterly (every third calendar month, not to exceed 120 days):
— PSH and PSL (electronic analog transmitters connected to programmable electronic systems);
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
125
— LSH and LSL (electronic analog transmitters connected to programmable electronic systems);
— fire and gas sensors (excluding sacrificial components).
c)
Bi-annually (every 6 calendar months)
— TSH and TSL (excluding sacrificial components);
— FSH and FSL (pneumatic/electronic switch);
— VSH (vibration switches);
— SCSSV;
— ESD hand stations (with individual station in bypass).
d)
Yearly
— FSL and FSH (electronic analog transmitters connected to programmable electronic systems);
— PSV;
— BSL;
— departing pipeline-tested FSVs;
— SDV (full stroke testing),
— pipeline-tested SDV.
I.3.3
Sensor Testing
Safety device tests shall confirm that sensors properly detect the abnormal conditions and transmit a signal
to the logic solver to perform specific shutdown functions. Sensors are usually tested by simulating an
abnormal condition that the device senses to initiate shutdown functions and verifying that it is accurately
received by the logic solver. In addition to confirming the sensor’s accuracy and ability to transmit the signal,
the testing procedure in Table I.1 also verifies that process connections and impulse lines, where they exist,
are free of blockage and process condition is accurately presented to the sensor. Testing of sensors should
include the primary sensing element as defined in Table I.1. Manufacturer’s testing procedure may
supersede the testing defined in Table I.1.
To facilitate testing of a sensor, the trip function may be bypassed to prevent actual shutdown of the process
system or the facility. See Annex C for more information on bypassing safety systems.
I.3.4
SDV and Other Final Element Testing
SDVs and other final elements should be tested to ensure they receive the signal transmitted by the logic
solver and perform their design function. The shutdown output or circuit, including the final SDV or other final
element, should be tested at least annually.
I.3.5
Logic Solvers
Application code or configuration for the logic solver shall be strictly controlled under an MOC program.
126
API RECOMMENDED PRACTICE 14C
I.3.6
Auxiliary Devices
All auxiliary devices in the safety system between the sensing device and the SDV or other final element
shall be tested at least annually to verify the integrity of the entire shutdown system. These devices,
including master or intermediate panels, should be tested in addition to the sensing devices. Annual testing
requirement can be fulfilled utilizing trip events that exercise the entire shutdown system.
I.3.7
Installation for Testing
Devices should be installed with online functional testing in mind. Test bypasses should be installed so that
individual devices can be tested without actual shutdowns. Safety devices should be located to allow for
easy and safe access. Consideration shall be given to facility safety and operation while safety devices are
bypassed. Refer to Annex C for additional bypassing guidance.
I.3.8
Test Procedures
Testing of common safety devices shall be performed. Example test procedures are shown in Table I.1.
Individual operators shall be responsible for providing procedures for each system.
a)
The many types and models of safety devices preclude detailed procedures for each; however, general
test procedures for the principal types will cover most safety devices. If a device in use is not covered or
does not fit the general procedures, specific test procedures should be developed by the operator.
b)
Because of the many possible equipment arrangements, detailed test procedure steps to deactivate a
shutdown or control device or to take a component out of service during testing are not given; however,
guidance on bypassing and out of service is provided in Annex C. Devices or equipment taken out of
service for testing should be clearly identified and/or tagged to minimize the possibility of their being left
in an inactive condition.
I.3.9
Personnel Qualification
Testing of surface safety systems should be performed only by a competent person. Individual operators
shall establish requirements for competency.
I.3.10 Deficient Devices
A safety device that fails or is otherwise found inoperable during the test procedure should be promptly
replaced, repaired, adjusted, or calibrated, as appropriate, and the failure documented in the test records.
Until such action can be completed, the device should be clearly tagged as inoperable and equivalent
surveillance shall be provided, the process component taken out of service, or the facility shut-in.
I.4 Test Tolerances
I.4.1
PSV
PSV set pressure tolerances are ±2 psi (14 kPa) for pressure up to and including 70 psi (480 kPa), and ±3 %
for pressure above 70 psi (480 kPa).
I.4.2
High- and Low-pressure Sensor (PSHL)
PSHL set pressure tolerance for set pressures greater than 5 psi (35 kPa) is ±5 % or 5 psi (35 kPa),
whichever is greater; however, the trip pressure should not exceed the pressure rating of the equipment
protected. A PSHL with a set pressure of 5 psi (35 kPa) or less shall function properly within the service
range for which it is installed.
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
I.4.3
127
High-level Sensor (LSH)
An LSH shall operate with sufficient remaining volume in vessel to prevent carry-over before shut-in. Test
tolerance for analog level transmitters is ±3 in. (7.5 cm) of the LSH set point.
I.4.4
Low-level Sensor (LSL)
An LSL shall operate with sufficient liquid volume above the highest liquid discharge to prevent gas
discharge into liquid outlet before shut-in. Test tolerance for analog level transmitters is ±3 in. (7.5 cm) of the
LSL set point.
I.4.5
Combustible Gas Detector (ASH)
ASH set point tolerance is ±5 % of full scale reading; however, the trip point shall not exceed 60 % of LEL for
point gas detection and 3 LFL-m for line-of-sight detection, at the high level setting or 25 % of LEL for point
gas detection and 1 LFL-m for line-of-sight detection at the low level setting.
I.4.6
Check Valve (FSV)
Flowline FSVs and departing pipeline-tested FSVs, where required in accordance with in A.9.2.2.2, should
be tested for leakage. If sustained liquid flow exceeds 400 cc/min or gas flow exceeds 15 ft3/min
(0.4 m3/min), the valve should be repaired or replaced. The leakage criteria for the pipeline-tested FSVs can
be made less stringent where the operator has demonstrated with appropriate analysis that a higher leakage
rate is tolerable.
I.4.7
High- and Low-temperature Sensor (TSHL)
If temperature devices are used to initiate shutdown in the event of fire or surface temperatures approaching
ignition temperature, the danger point is usually much higher than normal operating temperature. Thus, the
instrument may be checked at one point on the scale, as described in Table I.1, and the set point adjusted
sufficiently below the danger point to ensure that any working instrument will operate before reaching the
danger point. If the set temperature is near the operating temperature range, specific test tolerances should
be established. Calibration and testing procedures discussed in this section are not applicable to eutectic
devices.
I.4.8
Toxic Gas Detector (OSH)
OSH set point tolerance shall not vary from the test gas concentration (known to a tolerance of 5 % or
1 ppm, whichever is greater) by more than 2 ppm or 10 %.
I.4.9
Electrical Flame Detectors (USH)
USH tolerance is based on manufacturer’s testing guidelines.
I.4.10 Surface Safety Valves, Boarding Shutdown Valves, and Pipeline Tested Shutdown
Valves
SSVs, BSDVs, and pipeline-tested SDVs, where required for departing pipelines in accordance with
A.9.2.2.2, should be tested for leakage. If sustained liquid flow exceeds 400 cc/min or gas flow exceeds 15
ft3/min (0.4 m3/min), the valve should be repaired or replaced. The leakage criteria for the pipeline SDVs can
be made less stringent where the operator has demonstrated with appropriate analysis that a higher leakage
rate is tolerable.
Testing requirements for SSSVs are covered in API 14B.
128
API RECOMMENDED PRACTICE 14C
I.5 Reporting Methods
I.5.1
Purpose
Safety device test result records should be maintained in a manner that will enable the performance of
operational analyses and equipment reliability studies and the providing of reports that are required by
regulatory agencies. These records should document that standards and regulatory requirements are met.
I.5.2
Test Information
The minimum test information for different safety devices is shown in Table I.2. Test results and operating
conditions shall be recorded to adequately assess the performance of safety devices.
I.5.3
Deficient Devices
Records of deficient devices are essential for reliability analyses. As a minimum, the record should include
the cause of the deficiency in addition to the data required in Table I.2.
Table I.2—Safety Device Test Data
Data
Device identification
ASH
ESD
FSV
LSH
LSL
PSH/PSL
VSH
PSV
SDV
TSH
TSL
BSL
BDV
BSDV
OSH
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
Maximum working
pressure
X
Operating range
X
Response time
X
X
X
X
X
Required setting
X
X
X
X
X
X
X
X
X
Observed setting
X
X
X
X
X
X
X
X
X
Adjusted setting
X
X
X
X
X
X
X
X
X
Proper operation
X
X
X
X
X
Leakage
X
X
X
X
Corrective action, if
required
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
NOTE 1
Required, observed, and adjusted settings apply to transmitters and may not be required for point type devices.
NOTE 2
BSDV requirements includes pipeline-tested SDV and SSVs.
X
X
Bibliography
[1]
API Specification 6D, Specification for Pipeline and Piping Valve
[2]
API Specification 14A, Specification for Subsurface Safety Valve Equipment
[3]
API Recommended Practice 14B, Design, Installation and Operation of Subsurface Safety Valve
Systems
[4]
API Recommended Practice 14E, Recommended Practice for Design and Installation of Offshore
Production Platform Piping Systems
[5]
API Recommended Practice 14F, Design, Installation, and Maintenance of Electrical Systems for
Fixed and Floating Offshore Petroleum Facilities for Unclassified and Class 1, Division 1 and Division
2 Locations, Fifth Edition
[6]
API Recommended Practice 14FZ, Design and Installation of Electrical Systems for Fixed and
Floating Offshore Petroleum Facilities for Unclassified and Class I, Zone 0, Zone 1, and Zone 2
Locations
[7]
API Recommended Practice 14G, Recommended Practice for Fire Prevention and Control on Fixed
Open-type Offshore Production Platforms
[8]
API Recommended Practice 14H, Recommended Practice for Installation, Maintenance and Repair
Surface Safety Valves and Underwater Safety Valves Offshore
[9]
API Recommended Practice 14J, Recommended Practice for Design and Hazards Analysis for
Offshore Production Facilities
[10]
API Recommended Practice 17V, Recommended Practice for Analysis, Design, Installation, and
Testing of Safety Systems for Subsea Applications
[11]
API Recommended Practice 55, Conducting Oil and Gas Producing and Gas Processing Plant
Operations Involving Hydrogen Sulfide
[12]
API Recommended Practice 500, Recommended Practice for Classification of Locations for Electrical
Installations at Petroleum Facilities Classified as Class I, Division 1 and Division 2
[13]
API Recommended Practice 505, Recommended Practice for Classification of Locations for Electrical
Installations at Petroleum Facilities Classified as Class I, Zone 0, Zone 1 and Zone 2
[14]
API 510, Pressure Vessel Inspection Code: In-service Inspection, Rating, Repair, and Alteration
[15]
API Recommended Practice 520 (all parts), Sizing, Selection, and Installation of Pressure-relieving
Devices
[16]
API Recommended Practice 551, Process Measurement
[17]
API Recommended Practice 556, Instrumentation, Control, and Protective Systems for Gas Fired
Heaters
[18]
API Recommended Practice 576, Inspection of Pressure-relieving Devices
[19]
API Standard 670, Machinery Protection Systems
[20]
API Standard 2000, Venting Atmospheric and Low-pressure Storage Tanks
129
130
API RECOMMENDED PRACTICE 14C
[21]
API Specification Q1, Specification for Quality Management System Requirements for Manufacturing
Organizations for the Petroleum and Natural Gas Industry
[22]
ASME Boiler and Pressure Vessel Code (BPVC) , Section VIII: Rules for Construction of Pressure
Vessels; Divisions 1 and 2
[23]
ASME B31.3, Process Piping
[24]
ASME B31.4, Pipeline Transportation Systems for Liquids and Slurries
[25]
ASME B31.8, Gas Transmission and Distribution Piping Systems
[26]
ISA-5.1 , Instrumentation Symbols and Identification
[27]
ISA-7.0.01, Quality Standard for Instrument Air
[28]
ISA-S12.13, Part II, Installation, Operation, and Maintenance of Combustible Gas Detection
Instruments
[29]
ISA-TR12.13.01, Flammability Characteristics of Combustible Gases and Vapors
[30]
ISA-TR12.13.02, Investigation of Fire and Explosion Accidents in the Fuel-Related Industries—A
Manual by Kuchta
[31]
ISA-TR12.13.04, Performance Requirements for Open Path Combustible Gas Detectors
[32]
ISA-20, Specification Forms for Process Measurement and Control Instruments, Primary Elements
and Control Valves
[33]
ISA-RP42.00.01, Nomenclature for Instrument Tube Fittings
[34]
ISA-RP60.9, Piping Guide for Control Centers
[35]
ISA-TR84.00.07, Guidance on the Evaluation of Fire, Combustible Gas and Toxic Gas System
Effectiveness
[36]
ISA-92.00.01, Performance Requirements for Toxic Gas Detectors
[37]
ISA-92.00.02, Installation, Operation, and Maintenance of Toxic Gas-Detection Instruments
[38]
ISA-92.00.04, Performance Requirements for Open Path Toxic Gas Detectors
[39]
ISEA-102 4, American National Standard for Gas Detector Tube Units—Short Term Type for Toxic
Gases and Vapors in Working Environments
[40]
NACE MR0175/ISO 15156 , Petroleum, petrochemical and natural gas industries—Materials for use
in H2S-containing environments in oil and gas production
2
3
4
5
2
3
5
ASME International, 2 Park Avenue, New York, New York 10016-5990, www.asme.org.
The International Society of Automation, 67 T.W. Alexander Drive, Research Triangle Park, North Carolina, 22709,
www.isa.org.
International Safety Equipment Association, 1901 North Moore Street Suite #808, Arlington, Virginia 22209-1762,
www.safetyequipment.org.
NACE International, 15835 Park Ten Place, Houston, Texas 77084, www.nace.org.
ANALYSIS, DESIGN, INSTALLATION, AND TESTING OF SAFETY SYSTEMS FOR OFFSHORE PRODUCTION FACILITIES
131
[41]
30 Code of Federal Regulations Part 250 6, Oil and Gas Sulphur Operations in the Outer Continental
Shelf
[42]
33 Code of Federal Regulations Chapter I, Subchapter N, Artificial Islands and Fixed Structures on
the Outer Continental Shelf
[43]
40 Code of Federal Regulations Part 112, Chapter I, Subchapter D, Oil Pollution Prevention
[44]
49 Code of Federal Regulations Part 192, Transportation of Natural and Other Gas by Pipeline:
Minimum Federal Safety Standards
[45]
49 Code of Federal Regulations Part 195, Transportation of Hazardous Liquids by Pipeline
[46]
Offshore Technology Report OTO 93 02, Offshore Gas Detector Siting Criterion Investigation of
Detector Spacing; by Lloyd’s Register for the UK Health and Safety Executive, April 1993
6
The Code of Federal Regulations is available from the U.S. Government Printing Office, Washington, DC 20402,
www.gpo.gov.
Product No. G14C08
Related documents
Fangzheng Valve Group Co., Ltd
Fangzheng Valve Group Co., Ltd
experiment explanation
experiment explanation
Greek Vessels Typology_3 objects sketch
Greek Vessels Typology_3 objects sketch
Control Valve Introduction
Control Valve Introduction
List of Donor parts for EFI Conversion
List of Donor parts for EFI Conversion
Sensor Position
Sensor Position
Intelligent Distributed Sensor Networks
Intelligent Distributed Sensor Networks
Download
advertisement