HSE-CP20 HSE CRITICAL EQUIPMENT & SYSTEMS
HSE Control Procedure
Version No. 1 rev. 00
Date: May 2005
We Refine Right

HSE CRITICAL EQUIPMENT & SYSTEMS (HSE-CP20)

AUTHORISED FOR ISSUE BY HSE MANAGER

DOCUMENT AUTHORISATION

Document Owner: HSE Manager, TAKREER Abu Dhabi (Signature)
Document Review: AGM (Technical), TAKREER Abu Dhabi (Signature)
Document Approval: General Manager, TAKREER Abu Dhabi (Signature)

The following is a summary of the most recent revisions to this HSE Management System (HSE MS) Control Procedure. The Document Owner holds details of all revisions prior to this version.

Version No. | Issue Date | Effective Date | Scope/Remarks
Version 1 | May 2005 | To be announced* | Original.

User Notes

This document is available for use and is accessible to all TAKREER employees and contractors. The requirements of this document are mandatory. Non-compliance shall only be authorised by AGM(T) through a STEP-OUT approval (see HSE MS Manual). A controlled copy of the current version of this document is available from the TAKREER Intranet. Before making reference to this document, it is the user’s responsibility to ensure that the hard copy, or electronic copy, is current. For assistance contact the Document Owner.

* This version of the HSE MS Control Procedure is issued for the purpose of training and familiarisation. An effective date for this HSE MS Control Procedure will be announced.

1. PURPOSE

This Procedure provides users with general requirements for managing HSE Critical Equipment and Systems (HSECES) associated with TAKREER refinery operations.
This document incorporates best international practices, COP V5.1 (Risk Assessment and Control of Major Accident Hazards) and COP V6.1 (Identification and integrity assurance of HSE critical equipment and systems).

This Procedure aims to:
• provide a consistent, transparent and auditable approach to managing HSECES for TAKREER refineries and offices, which can be readily adapted when a new plant is designed, an existing plant is modified, or when conditions such as production levels or equipment risk change; and,
• establish general (a) control measures for the management of critical safety devices and environmental control equipment.

(a) This Procedure is based on using risk based principles to assess and manage HSE critical equipment and systems.

The objective in managing HSECES is to ensure that:
• HSECES are suitable for their intended function; and
• HSECES remain in a condition whereby they can continue to perform their intended function.

2. SCOPE

This Procedure shall be applicable to all TAKREER employees, contractors, facilities, activities, services and products without exception.

3. DEFINITIONS

As Low As Reasonably Practicable (ALARP)
The condition reached when all conceivable risk reducing measures have been assessed and all those which are not shown to be grossly disproportionate have been implemented.

Availability
The likelihood that a HSECES will perform its function on demand or when called upon to do so.

Functionality
What an HSECES does – its intended purpose, e.g. a functional specification for a control or mitigation measure will describe how the system will fulfil its role in limiting the event or protecting people.

Health, Safety and Environment – Critical Equipment and Systems (HSECES)
Parts of an installation and such of its structures, plant equipment and systems (including computer programmes) or any part thereof, the failure of which could cause or contribute substantially to; or a purpose of which is to prevent or limit the effect of a major accident or any accident with severe or catastrophic consequences (as defined in ADNOC Group Guideline on HSE Risk Management).

HSEIA
Health, Safety and Environmental Impact Assessment. Systematic process of identifying HSE impacts of existing, new or substantially altered projects, and establishing mitigation requirements.

Independent competent person
Person employed by an organisation independent of the equipment operator who can demonstrate the necessary training and experience to carry out defined activities associated with HSECES. The independent competent person may be an individual or a team of several individuals where this is required to ensure an appropriate level of competency or to complete verification tasks in a reasonable period of time.

Performance Standard
A statement which can be expressed in qualitative or quantitative terms, of the performance required of a system, item of equipment or computer programme and which is used as the basis for verification throughout the life cycle of the installation.

Risk
Combination of the frequency (likelihood) of an event and the severity of the consequences (effects) of that event.

Verification
The process by which an independent competent person confirms that all necessary activities to assure the integrity of HSECES have been undertaken.

4. BACKGROUND

This Procedure covers the requirements for HSE critical equipment and systems in TAKREER’s facilities. The Procedure covers existing facilities, modifications to existing plant, including temporary modifications, and new designs (see also HSE-CP29 Managing Change in HSE). Due consideration to cost effectiveness shall be taken into account when applying these standards to existing facilities, particularly over the remaining plant life in accordance with the ALARP principle. The approach is in line with ADNOC COP V5-01 (Risk Assessment and Control of Major Accident Hazards) and COP V6-01 (Verification of technical integrity).

HSE critical equipment and systems are defined in Section 3. These elements can be hardware devices, systems or procedures. Examples of systems and equipment that can be critical to health and safety include:
• Critical structures whose failure could lead to a multiple fatality accident.
• Equipment where loss of integrity could result in an escape of fluid under pressure or hazardous material with the potential to cause harm to people.
• Structures supporting equipment where loss of integrity could result in an escape of hazardous material with the potential to cause fatality and/or damage to the environment.
• Structures designed to protect other structures or equipment from the full force of an impact which otherwise has the potential to cause major accidents.
• Integrity protection systems such as relief valves, instrumented protective systems and restriction orifices that protect the plant from loss of containment by exceeding design conditions.
• Detection systems designed to alert the plant operators of an escape of hazardous material and to initiate various control actions.
• Release control systems such as emergency shutdown systems and blowdown systems, which are designed to limit the quantity of hazardous material involved in an incident.
• Secondary containment systems designed to restrict hazardous materials spreading from a spillage location into other plant areas.
• Fire and explosion suppression systems where people could otherwise be at risk.
• Fire fighting systems.
• Incident control equipment such as water sprays, foam systems and search and rescue equipment.
• Personnel protective equipment for general use in an emergency such as life jackets, breathing apparatus, fireman’s gear, etc.
• Systems designed to mitigate the consequences of fire and explosion such as fire walls, blast walls and passive fire protection.
• Lifting equipment and systems, jacking systems whose failure could lead to or contribute to a major accident.
• Hazardous material transporting systems such as road tankers and ship tankers that could lead to, contribute to, or escalate a major accident within a facility.
• Emergency power systems (emergency generators, UPS, etc.).
• Communications systems that alert people that an incident has occurred and which can be used to provide instruction as to further action.
• Systems that allow communication between emergency response teams and the emergency control centre.
• Systems that allow communication with external agencies that can provide assistance in dealing with the incident.
• Systems that expedite the removal of people to a place of safety such as emergency lighting, escape routes.

Examples of systems and equipment which can be critical to environmental protection include:
• Air pollution control equipment (fitted to process heaters, boilers, flares, incinerator, etc.)
• Dust collection (precipitators, filters, absorbers, scrubbers, chemical dust suppressants, etc.)
• Volatile organic compound emission control (fitted to process heaters, tank floating roofs, pump seals, etc.)
• Wastewater treatment facilities (neutralisation pits, API/CPI separators)
• Equipment using pesticides, herbicides, agricultural chemicals, etc.
• Leak detection systems
• Spill control equipment
• Odour/discolouration control equipment
• Process, wastewater tanks, associated piping, pumps and instrumentation
• Sludge/residue/debris handling equipment, associated piping, pumps and instrumentation
• Waste storage equipment/drums/constructed pads, containment (integrity testing, leak detection, secondary containment, cathodic protection, etc.)
• Laboratory QA/QC equipment
• Process pipelines inspection for leaks
• Indoor air quality control (drain and sump seals, crack and joint seals, surface seals, air circulation and cleaning equipment, respirators, etc.)
• Fuel burning equipment
• Smoke, fire, hazardous chemical detectors and alarms
• Radioactive material management equipment
• Municipal waste handling equipment

HSECES not only includes the specified equipment, but also any other equipment required for the equipment to perform its specified safety function, including electric or hydraulic power supplies and connections.

More information regarding specific HSECES is given in Appendix A.

5. RESPONSIBILITIES

5.1 Division Managers

Division Managers are responsible for ensuring that critical safety devices and environmental control equipment in their area of responsibility (including contractor activities) are managed in accordance with the requirements of this Procedure.

Division Managers shall ensure that all safety and environmentally critical devices relating to existing facilities are identified and recorded in a register.

Division Managers shall ensure that competent personnel are employed to manage critical safety devices and environmental control equipment at the refinery.
Sufficient budgets shall be available to manage critical safety devices and environmental control equipment to an acceptable or ALARP level.

In the event that circumstances prevent compliance with this Procedure, Division Managers shall ensure that the appropriate ‘Step-out Approval’ procedure is complied with.

5.2 Technical Services Manager

The Inspection Group reporting to the Technical Services Manager is responsible for ensuring that the HSE critical equipment and systems within its control are maintained (including inspection, calibration and testing) in accordance with the requirements in this Procedure. They shall make sure that the equipment is maintained (inspected, calibrated and tested) in accordance with company procedures (incorporating vendor instructions) and that the equipment’s performance is monitored and recorded.

5.2.1 Verification

The Technical Services Manager shall set up and maintain a verification scheme, where an independent competent person is assigned the responsibility to review the verification, implement the verification scheme, and monitor and report technical integrity of HSECES.

5.3 Maintenance Manager

The Maintenance Manager is responsible for ensuring that the HSE critical equipment and systems within his control are maintained (including inspection, calibration and testing) in accordance with the requirements in this Procedure. They shall make sure that the equipment is maintained (inspected, calibrated and tested) in accordance with company procedures (incorporating vendor instructions) and that the equipment’s performance is monitored and recorded.

5.4 Safety, Environmental and Fire Manager

The SEF Manager is responsible for ensuring that the HSE critical equipment and systems within his control are maintained (including inspection, calibration and testing) in accordance with the requirements in this Procedure.
They shall make sure that the equipment is maintained (inspected, calibrated and tested) in accordance with company procedures (incorporating vendor instructions) and that the equipment’s performance is monitored and recorded.

5.5 Corporate HSE Manager

The corporate HSE Department shall provide suitably qualified safety and environmental engineers in order to provide guidance and assistance to the refineries on an as needs basis and shall provide the latest updated standards and procedures relevant to HSE management.

The corporate HSE Department shall ensure that the refineries develop a modern risk based approach to HSE critical equipment & systems in accordance with international best practice and ADNOC HSE MS Guidelines.

The corporate HSE Department is responsible for ensuring that the requirements of this Procedure are reflected in the documents for which they are responsible, such as risk assessments, risk registers and HSEIA/COMAH reports.

5.6 Projects

Project work which introduces new, or significantly alters existing, critical safety devices shall as part of the scope of work develop a register of such devices including performance standards and recommended maintenance, inspection and testing intervals and procedures. Project handover to operations should not be accepted without these elements.

6. METHOD

6.1 Risk assessment

If TAKREER refining operations are not effectively managed, they have the potential to cause harm to people, assets, environment and reputation. Potential major accident hazards related to the TAKREER refinery operations include:
• Loss of containment of flammable and/or toxic fluids leading to fire, explosion and/or toxic injury
• Events resulting in structural failure which could lead to further progressive collapse
• Other external hazards affecting the sites e.g. extreme weather, road/marine product tankers

TAKREER shall carry out risk assessments addressing all major accident hazards for their refineries in accordance with ADNOC COP V5.1 (Risk Assessment and Control of Major Accident Hazards). HSE-CP24 Hazard Identification and HSE-CP25 HSE Risk Assessment provide the risk assessment requirements that shall be used by TAKREER as the basis for the management of critical safety devices and environmental control equipment.

6.2 Risk management

TAKREER shall utilise the findings of the risk assessments to:
• Identify HSECES: that is, the parts of the facility which:
  o could cause or contribute substantially to major accident; and/or
  o have the purpose to limit the effect of a major accident.
• Set HSECES performance standards: Qualitative or quantitative statements of performance required (used as a basis for verification throughout the HSECES lifecycle). These performance standards commonly describe:
  o The functionality of the HSECES: What the HSECES is designed to do. How they prevent, detect, control or mitigate the risks from a major accident.
  o The reliability of the HSECES: What confidence is needed that the HSECES will operate as required, when required.
• Monitor performance of HSECES against performance standards and maintain HSECES to ensure performance standards are met.

6.3 Temporary changes to plant design or operation

TAKREER shall ensure that temporary changes to the design or operation of a system do not give rise to danger or otherwise impair the operation of any protective device or inspection facility. TAKREER must ensure that temporary changes are only authorised and implemented by those competent to do so. Reference should also be made to HSE-CP29 Managing HSE in Changes. Appendix C provides a procedure for managing the temporary defeat of HSECES.

6.4 Reports and records

The risk assessment and risk management process shall be reported as part of the HSEIA and COMAH Reporting process (HSE-CP26 HSEIA). The HSEIA and COMAH reports shall demonstrate that adequate safeguards are in place to manage the hazards at TAKREER refineries.

TAKREER shall keep records regarding HSECES. The records must include, but not be limited to, a register of all HSECES, performance standards, and records of test and examination.

7. PERFORMANCE MEASURES

Performance standards must be prepared for all HSECES. The performance standards are the parameters which must be measured or assessed so that the suitability and effectiveness of each HSECES can be verified. They will be the essential requirements which the HSECES must maintain throughout its life in order to fulfil its role. However, the standards may be amended during the lifecycle if the circumstances change.

7.1 Performance standards

The objectives for the Performance standard are to:
• Ensure compliance with authority requirements
• Ensure compliance with ADNOC and TAKREER requirements
• Provide qualitative and quantitative performance requirements to the item, equipment or computer programme.
• Provide basis for verification of performance throughout the installation's lifecycle.

7.2 Quantitative performance measures

For HSECES with quantitative requirements for the availability and where functional testing is required to test the safety function (e.g. pressure relief valves), the performance standard should indicate an initial time between tests (test interval). The test interval should be based on the requirement of the availability and generic failure rates. It shall be used as the test interval unless or until the installation has specific failure data. This test interval shall be updated to take account of changes in the generic data or the availability of specific data, where available. A methodology for calculating test intervals is shown in Appendix B.

8. CROSS REFERENCES

ADNOC HSE MS Requirements
ADNOC HSE MS Guidelines
ADNOC HSE Risk Management Guidelines
Element 4: HSE Risk Evaluation and Management

ADNOC Codes of Practice
ADNOC-COP V5-01 Risk Assessment and Control of Major Accident Hazards
ADNOC-COP V6-01 Identification and integrity assurance of HSE critical equipment and systems

TAKREER Policies
TAKREER HSE Policy

TAKREER HSE Procedures
HSE-CP24 Hazard Identification
HSE-CP25 HSE Risk Assessment
HSE-CP26 Health, Safety and Environmental Impact Assessment (HSEIA)
HSE-CP27 Incident Handling and Investigation
HSE-CP29 Managing HSE in Changes

Other Requirements
IEC 61511 Functional safety – Safety Instrumented Systems for the Process Industry Sector

Appendix A – Details of Typical HSE Critical Equipment and Systems

A.1 HYDROCARBON CONTAINMENT

The primary way of managing the risk from hydrocarbons on operating sites is to ensure that, as far as possible, the hydrocarbons remain contained within the process equipment. Hydrocarbon containment can be ensured by good design and by ongoing maintenance of the equipment.

Good design will minimise the opportunities for leaks to take place by reducing the amount of equipment overall and by controlling the number of specific leak sources such as flanged joints, valves and nozzles. In addition, the appropriate specification of materials, design temperatures and pressures and corrosion/erosion allowances must be made to ensure that the equipment can operate across the range of expected conditions over the predicted lifetime of the facility.
Ongoing maintenance and inspection should minimise the risk of loss of containment by identifying and controlling internal and external corrosion, erosion and mechanical loadings such as fatigue.

Functional Requirements: Ref. Performance Standards but generally maintaining containment
Safety Critical Equipment: pipework, vessels and fittings
Equipment failure: loss of containment
Test content: testing is not applicable but inspection and maintenance should be carried out to ensure integrity.

A.2 DETECTION DEVICES

The risk of fire, explosion or equipment damage can be reduced by the installation of appropriately located detection devices. These are used to detect hydrocarbon leakage, smoke, heat, flame, furnace flame-outs, high or low pressure, high or low flow, high or low temperature or machinery vibration. They may provide alarm and/or trip signals. To avoid unnecessary shutdowns caused by false alarms, it is common practice to use multiple detection circuits and a voting system (e.g. 2 out of 3 voting).

A.2.1 FIRE AND GAS DETECTION

The gas detection system at TAKREER shall monitor continuously for the presence of flammable or toxic gases, to alert personnel and allow control actions to be initiated manually or automatically to minimise the probability of personnel exposure, explosion and fire. Detectors may be point catalytic, point infra red or beam type.

The fire detection system shall monitor continuously for the presence of a fire to alert personnel and allow control actions to be initiated manually or automatically to minimise the probability of fire escalation and personnel exposure. Fire detection may take the form of flame, heat or smoke sensitive devices.

The fire detection system shall, relevant to specific equipment and areas, monitor continuously for the presence of an incipient fire condition to alert personnel and allow control actions to be initiated manually to minimise the probability of fire condition to develop.
All fire detectors shall be designed to initiate an alarm, and may bring a local fire protection system, such as water sprinkler, Inergen or CO2, into operation when activated.

The logic controller receiving the signals from the detectors and generating the output signals to alarm or executive actions shall also be considered to be part of the system. These may be hard-wired relay panels or safety PLC devices.

Functional requirements: Ref. Performance Standards
Safety critical equipment: Fire and gas detectors, logic devices.
Equipment failure: The fire and gas logic does not receive a signal corresponding to the upper alarm limit when detector is tested. The fire and gas logic does not generate the correct output when supplied with a test input.
Test content: Testing and inspection of fire and gas detectors shall be carried out in accordance with work descriptions and procedures including vendor recommendations. The testing shall cover all types of fire and gas detectors, and manual call points, including the signal transmission from the detector/call point to the output from the fire and gas logic.

A.2.2 OTHER DETECTION DEVICES

TAKREER uses a number of other detection devices to manage HSE risks. These detection devices are considered together with the safety system of which they are an integral part, e.g. the pressure transmitters and push buttons that are part of the emergency shutdown system (ESD) are considered together with the ESD system.

It should be noted that detection devices which form part of the ESD system should be separate (and ideally of a different design) from those devices which perform similar roles for the process control system, i.e. a high level alarm on a tank may use a set point on a level gauge as an initiating device, but a high high level shutdown should use a completely separate level switch rather than simply having another set point.

A.3 EMERGENCY SHUTDOWN SYSTEMS (ESD)

The Basic Process Control System (BPCS) constantly monitors the process systems for potential process upset conditions (low/high pressures, low/high liquid levels etc.) and acts to keep the process within its limits. In the event that the BPCS is unable to maintain the process within its acceptable limits, associated independent pre-alarms give warning of the upset condition. Should the condition advance to trip level, the ESD system initiates a controlled shutdown to avoid a major hazard developing.

The shutdown actions include trip functions, the operation of shutdown valves and blow down/depressurising valves. The extent of any shutdown will be sufficient to maintain the plant in a safe condition and avoid any knock-on effects.

ESD valves may be required to open or to close under ESD conditions, depending on the system design. The ESD valve should be designed such that it will go to its ESD condition position if the driving force for the valve (pneumatic, hydraulic or electrical) is lost – this is denoted as fail safe.

Objective: The purpose of the emergency shutdown system (ESD) is to prevent escalation of abnormal conditions into a major hazardous event and to limit the extent and duration of any such events that do occur.
Functional requirements: Ref. Performance Standards
Safety critical equipment: Sensor devices, ESD push buttons, Logic device, ESD valves
Equipment failure:
• Sensor devices: The sensor does not generate the required output under trip conditions
• ESD push buttons: The push button does not send a signal on the first test.
• Logic device: The logic device does not generate the correct output signal on receipt of an appropriate input signal
• ESD valves: The valve does not close on signal within specified time or has a higher internal leakage rate than specified criterion on the first test.
Test content: Testing and inspection shall be carried out in accordance with work descriptions and procedures incorporating vendor instructions. For ESD push buttons and sensors the test includes the signal transmission to the ESD logic. The testing of ESD valves includes signal transmission from the ESD logic, solenoid valve and actuator.

A.4 PROCESS SAFEGUARDING

Objective: The purpose of the process safeguarding systems is to ensure that the process conditions do not exceed specified process safety limits.
• Pressure relief
• Valve interlock systems.
Functional requirements: Ref. Performance Standards
Safety critical equipment: The safety critical equipment is:
• Pressure safety valves
• Rupture disks
• Valve interlock systems
Equipment failure: Equipment failure is defined as:
• Pressure safety valves: The valve does not open at its set point.
• Rupture disks: The disk does not rupture at its set point
• Valve Interlock: The interlock system fails to control sequential valve operation
Test content: Testing and inspection shall be carried out in accordance with work descriptions and procedures incorporating vendor instructions.

A.5 BLOWDOWN VALVES

Blowdown (depressurising) valves are used to reduce the pressure on certain high pressure process units under emergency conditions. These valves normally depressurise to a lower pressure system or to flare. In order to control the blowdown rate and maintain control of the backpressure in the system, it is normal for a restriction orifice to be fitted downstream of the depressurising valve. The orifice also acts to control the chilling effect due to depressurisation. Blowdown valves are normally in the closed position.
Blowdown valves are fully automatic in operation and on loss of operating medium or control signal will fail safe.

Objective: The purpose of the depressurising system is to:
• Reduce the pressure in a process segment in case of a fire exposing the segment in question.
• Reduce the leak rate and leak duration from a leaking process segment.
• Remove combustibles (gas/liquid) from the fire area.
• Reduce the pressure and inventory of the process segment prior to rupture, if rupture cannot be avoided.
• Depressurise the system in case of normal maintenance.
Functional requirements: Ref. Performance Standards
Safety critical equipment:
• Blow down valves
• Push buttons
Equipment failure: Blow down valve does not open on signal within specified time. Push button does not send a signal on test.
Test content: Testing and inspection shall be carried out in accordance with work descriptions and procedures. For push buttons the test includes the signal transmission to and from the blow down logic. The testing of valves includes signal transmission from the blow down logic, solenoid valve and actuator.

A.6 DISTRIBUTED CONTROL SYSTEMS

Distributed Control Systems (DCS) are microprocessor based systems, made up of distributed microprocessor based modules using real time distributed databases which communicate with each other over a Local Area Network (LAN). Operator consoles/work stations provide the means and facilities for the operator to view and interact with the process.

In simple terms, the system controls the process system by continually receiving and reading input data from field devices (pressure/flow/level and temperature transmitters). This data is compared with the set point data and as long as there is no deviation outside of the normal operating range, the system will take no action.
Should a deviation occur, the relevant controller will detect a mismatch between the input signal and the set point and will send a signal to its relevant control device (pressure/flow/level or temperature control valve) to alter its position to return the mismatch to zero.

The DCS is in communication with the ESD system. The basic process control system (BPCS) of the DCS is not an HSE critical system.

A.7 CONTROL VALVES

In order for any process control system to control the variables in the process system (pressure, flow, level, differential pressure and temperature), it can only achieve this by varying the position of the relevant control valves in response to changes in the process system conditions.

Control valves are normally automatically operated in response to signals from the relevant controller. These signals can be overridden by the operator from the operator console/work station. In some cases the valve can also be operated locally via hand wheel.

Under normal operating conditions control valves will spend most of their time in a set position. Operators should take every opportunity to cycle (stroke) these valves through their full operating range. All control valves are to be periodically tested (function test).

Control valves are not considered to be HSE critical safety equipment.

A.8 ENVIRONMENTAL CONTROL EQUIPMENT

All environmental control equipment shall be identified and routinely checked to maintain its effectiveness. Inoperative or poorly maintained equipment could result in false positives or false negatives with regard to permit discharge limitations and may further result in improper reporting of the mass discharge limitations.
A.9 SAFETY EQUIPMENT AND EMERGENCY RESPONSE
All equipment (fixed or portable) which meets the criteria of HSECES should be subject to an inspection, maintenance, test and calibration schedule which is devised in order to ensure that the equipment continually meets the requirements set out in the performance standards in terms of functionality and reliability.

Appendix B – Methodology for Determining Safety Device Test Interval

B.1 OBJECTIVE
To provide a method for identifying initial test intervals for critical safety devices.

B.2 BACKGROUND
A critical safety device, by nature, spends the majority of its life in a dormant state. If the device were to suffer a failure, this may not be obvious or detectable unless or until the device is required to carry out its function, at which point it will be unable to provide the protection it is designed to give.

In order to achieve greater confidence in the likelihood of the device operating, it is necessary to have a good idea of the likely period between failures and to carry out function tests to confirm that this is being achieved.

B.3 METHODOLOGY
Considering hidden (unrevealed) failures of safety components, a frequently used formula for the Probability of Failure on Demand (PFD) is:

$$\mathrm{PFD} = \frac{1}{2}\lambda\tau$$

where λ is the failure rate of the component (in hours), and τ is the time between tests (also in hours).

This formula is based on the assumptions:
• The failure rate is time independent, which means that wear-out effects are negligible.
• The mean time between failures is large compared to the time between tests.
• The time to repair or replace a failed component is negligible compared to the time between tests.
• The time to perform a test is negligible compared to the time between tests.
• The mean time between real demands on the component is large compared to the test interval.
• The component is as good as new after repair or replacement.
• No failures are introduced by the testing.

The PFD is commonly fixed and specified in the performance standard for the critical safety device. This may have been determined by a number of methods such as safety integrity level assessment.

The λ value is normally fixed and can be obtained from published reliability data sources such as OREDA or other similar publications from CCPS/AIChE.

This leaves τ as the dependent variable, and this must be set such that the required PFD can be met with the given value of λ.

Based on the outcome of the tests, the Probability of Failure on Demand (PFD) can be estimated as

$$\mathrm{PFD} = \frac{x}{2n}$$

where x is the number of observed failures, and n is the number of tests performed.

If the number of safety critical failures per number of tests differs significantly from the acceptance criteria, an evaluation shall be performed to decide upon a change in the test intervals or other relevant actions.

As a guide to decide what is “significantly different” the following approach may be used:
• Let $\mathrm{PFD}_{\max}$ denote the maximum allowed probability of failure on demand. The observed probability of failure on demand can then be estimated as:

$$\frac{x + \frac{1}{2}}{n + \frac{1}{2\,\mathrm{PFD}_{\max}}}$$

• If the observed PFD is larger than $2\,\mathrm{PFD}_{\max}$ or smaller than $\mathrm{PFD}_{\max}/2$, it is “significantly different” from the requirement.

The quantitative requirement should be formulated as an acceptance criterion for “the ratio between the number of safety critical failures and the number of tests performed”. If the number of safety critical failures per number of tests differs significantly from the acceptance criteria, an evaluation shall be performed to decide upon a change in the test intervals or other relevant actions.
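The B.3 calculation and the follow-up check, as an added example that is not part of the procedure: it derives the test interval from PFD = ½λτ and applies the “significantly different” guide using the estimate (x + ½)/(n + 1/(2·PFDmax)). The failure rate is assumed to be in failures per hour, and the function names, verdict labels and device records are constructed for illustration.

```python
# Added example (not part of HSE-CP20): Appendix B.3 as code.
# Assumptions: failure rate is given in failures per hour; the verdict
# labels and all sample figures below are constructed.

def max_test_interval(pfd_required, failure_rate):
    """Longest test interval tau (hours) from PFD = 1/2 * lambda * tau."""
    if pfd_required <= 0 or failure_rate <= 0:
        raise ValueError("PFD and failure rate must be positive")
    return 2.0 * pfd_required / failure_rate

def observed_pfd(failures, tests, pfd_max):
    """Estimate (x + 1/2) / (n + 1/(2*PFD_max)).
    With no tests recorded it returns PFD_max itself, so a short test
    history cannot swing the result far from the requirement."""
    if pfd_max <= 0 or tests < 0 or not 0 <= failures <= tests:
        raise ValueError("need pfd_max > 0 and 0 <= failures <= tests")
    return (failures + 0.5) / (tests + 1.0 / (2.0 * pfd_max))

def assess(failures, tests, pfd_max):
    """Apply the guide: > 2*PFD_max or < PFD_max/2 is significantly different."""
    est = observed_pfd(failures, tests, pfd_max)
    if est > 2.0 * pfd_max:
        return "worse"       # significantly above the requirement
    if est < pfd_max / 2.0:
        return "better"      # significantly below the requirement
    return "consistent"

def review(history):
    """history: {device class: (failures, tests, pfd_max)} -> {class: verdict}."""
    return {name: assess(x, n, p) for name, (x, n, p) in history.items()}

# Constructed test records, not data from the procedure.
SAMPLE_HISTORY = {
    "blowdown valves": (1, 20, 0.01),   # 1.5/70  = 0.0214 -> worse
    "push buttons":    (0, 40, 0.01),   # 0.5/90  = 0.0056 -> consistent
    "ESD valves":      (0, 60, 0.01),   # 0.5/110 = 0.0045 -> better
}

if __name__ == "__main__":
    print(max_test_interval(0.01, 2e-6))   # hours between tests
    for device, verdict in review(SAMPLE_HISTORY).items():
        print(device, verdict)
```

With PFDmax = 0.01, a clean record only counts as significantly better once more than 50 failure-free tests are logged, while a single failure within the first 24 tests already counts as significantly worse.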
If the observed PFD differs significantly from the required, the following should be considered:
• Is the constant failure rate assumption reasonable?
• Are failures introduced during testing/repair/replacement?
• Are there reasonable ways to reduce the component failure rates?
• Should the test interval be changed?

Appendix C – Procedure for defeating HSE Critical Equipment and Systems

C.1 OBJECTIVE
To lay down a formal procedure for controlling the defeat of Health, Safety and Environment critical equipment and systems (HSECES) to ensure minimum risk potential to safe plant operations.

C.2 DEFINITIONS

C.2.1 HSECES
Parts of an installation and such of its structures, plant equipment and systems (including computer programmes) or any part thereof, the failure of which could cause or contribute substantially to, or a purpose of which is to prevent or limit the effect of, a major accident or any accident with severe or catastrophic consequences (as defined in ADNOC Group Guideline on HSE Risk Management).

C.2.2 DEFEAT
The wilful and deliberate overriding, bypassing, jumping or any other action which will cause an HSECES to become inoperative. The action may be applied to hardware (e.g. key switch, circuit jumper etc.) or to software (e.g. large change of set point etc.). The action may apply to the initiating device (detector or sensor etc.), the logic device (relay panel or PLC etc.) or the end device (ESD valve or firewater pump etc.).

C.3 SCOPE
This procedure shall be followed by all operations, maintenance and technical departments at TAKREER. This procedure shall apply to all HSECES on site. This procedure will ensure a unified approach for overriding HSECES by all staff.

C.4 GUIDELINES

C.4.1 APPLICATION OF DEFEAT
HSECES will only be defeated when a genuine need arises.
Examples are troubleshooting or checking the safeguarding function of a specific loop or instrument. Jobs like overriding a level trip initiator to enable sight glass cleaning will not be an acceptable practice.

The defeats should only be applied for maintenance (including calibration and testing) or in the case of a confirmed equipment fault. Defeats should not be applied under emergency conditions or if no independent evidence for an equipment fault is available.

HSECES defeats shall be kept in place for as short a time as possible. Defeats should only be applied immediately before the work requiring their defeat and should be removed as soon as this work is complete.

HSECES defeats should be applied to maintain the maximum level of remaining protection. If possible, sensor devices and logic systems should be maintained to give alarm only functionality. For example, if a firewater system needs to be defeated, this should be done by inhibiting the pump startup; this will allow the fire detectors and fire and gas panel to remain operative, therefore giving alarm only coverage.

A clear understanding of the purpose and design intent of the HSECES should be appreciated before the defeat is applied.

Whenever a need arises to defeat or bypass an HSECES, the relevant Operations Supervisor fills in Item 1 to Item 8 of the enclosed Authorization format.

A risk assessment is required in order to demonstrate that:
a) the potential impacts in terms of increased risk have been identified (Item 7), and
b) additional safeguards which are required in order to manage the risk during the defeat have been identified (Item 8).

During office hours, the relevant Operations Manager's approval in writing will be obtained.
However, during off hours his appointed deputy will approve the work, following consultation where possible (Item 10).

For defeating ESD systems and/or security related to Major Plant Trips, written approval will be obtained from the Deputy Refinery Manager during office hours. However, during off hours, his assigned deputy will record approval, following consultation where possible (Item 11).

During office hours, the relevant Performer Department Manager's (MTM or TSM) approval in writing will be obtained. However, during off hours or in emergency situations his assigned deputy will approve (Item 12) following consultation with the appropriate authority.

The relevant Section Head during office hours, and Shift Control during off hours, will authorize and give the final go-ahead for applying the defeat and sign in Column 8.

The Performer (engineer), when involved in the defeat, will sign in Item 12.

The Operations Supervisor will always issue a work permit to the performing authority for such jobs.

This format will be kept in a live file with operations in the respective control room and will in addition be recorded in the defeat register presently being maintained and signed by the respective Section Heads and Operations Managers.

C.4.2 RESTORATION OF HSECES
Once the work is complete, the performer engineer (if involved) will sign as performer confirming that work has been completed and the system is restored (Item 13). The Operations Supervisor will close the formal record of defeat, giving the date and time of normalization of conditions (Item 14).

Work required to restore a defeated HSECES should be treated as priority work and should be conducted in preference to routine activities.

The discovery of a defeated HSECES which is not on the defeat register shall be considered to be a “near miss” and shall be reported, recorded and investigated in accordance with HSE-CP27 Incident Investigation and Handling.
HSECES DEFEAT AUTHORIZATION FORM

Department:
Unit / Section:
Tag No.:
Date when defeated:
Purpose of HSECES:
Work Permit No.:
Time / Date:
Work Order No.:
Duration of defeat:
Reason(s) for defeating:
How will the defeat be applied:
Hardware:
Software:
Risk Impact of defeat:
Extra precautions required during defeat:

Shift Supervisor / Controller
Name: Signature: Time / Date:

Authorized by Operations Section Head / Shift Controller
Name: Signature: Time / Date:

Approval from Operations Manager
Name: Signature: Time / Date:

Approval from Deputy Refinery Manager (only for items like ESD or major trips etc.)
Name: Signature: Time / Date:

Performer Manager (Maintenance or Technical Services Department) approval
Name: Signature: Time / Date:

Performer Manager (Section Head / Engineer)
Name: Signature: Time / Date:

Authorization for Restoration of HSECES
HSECES restored to service and conditions normalized

Performer (Engineer)
Name: Signature: Time / Date:

Shift Supervisor / Controller
Name: Signature: Time / Date:

1. This format shall be used for all HSECES.
2. This format shall be used also for provision of jumpers by the maintenance department.
3. No action shall be taken to defeat HSE Critical Equipment & Systems unless prior approval is obtained from relevant Managers.
4. This form will be kept in live format with operations in the respective control room and will be in addition to the override / defeat register being maintained and signed by respective Section Heads and Managers.
5. The Performer Department is Maintenance (Control Section) for Hardware, TRICONEX and PLC override / defeat and Technical Services (Automation Section) for DCS Software override / defeat.