Download - RP30-5.pdf
-
7/28/2019 RP30-5.pdf
1/81
RP 30-5
INSTRUMENTATION AND CONTROL
SELECTION AND USE OF EQUIPMENT
FOR INSTRUMENT PROTECTION
SYSTEMS
November 1993
Copyright The British Petroleum Company p.l.c.
http://rpses%20word%20documents/RP30-5.doc -
7/28/2019 RP30-5.pdf
2/81
Copyright The British Petroleum Company p.l.c.
All rights reserved. The information contained in this document is
subject to the terms and conditions of the agreement or contract under
which the document was supplied to the recipient's organisation. None
of the information contained in this document shall be disclosed outside
the recipient's own organisation without the prior written permission ofManager, Standards, BP International Limited, unless the terms of such
agreement or contract expressly allow.
-
7/28/2019 RP30-5.pdf
3/81
-
7/28/2019 RP30-5.pdf
4/81
RP 30-5INSTRUMENTATION AND CONTROL - SELECTION AND USE
OF EQUIPMENT FOR INSTRUMENT PROTECTION SYSTEMS
PAGE i
CONTENTS
Section Page
FOREWORD................................................................................................................. iii1. INTRODUCTION...................................................................................................... 1
1.1 Scope.............................................................................................................. 1
1.2 Application ..................................................................................................... 1
1.3 Units............................................................................................................... 1
1.4 Quality Assurance........................................................................................... 2
2. PROTECTIVE INSTRUMENTATION SYSTEMS................................................. 2
2.1 General Requirements..................................................................................... 2
2.2 Choice of Equipment for Protective Systems................................................... 3
2.3 System Design ................................................................................................ 6
2.4 Equipment Recommendations ......................................................................... 92.5 Testing............................................................................................................ 13
2.6 Integrity Assessment ....................................................................................... 14
2.7 Design Documentation.................................................................................... 16
3. ALARM SYSTEMS................................................................................................... 18
3.1 General Requirements..................................................................................... 18
3.2 Categories of Alarms....................................................................................... 20
3.3 Measurement Interface.................................................................................... 22
3.4 Panel Annunciators ......................................................................................... 23
3.5 VDU Based Annunciators............................................................................... 23
3.6 Audible Alarms............................................................................................... 253.7 Microprocessor Based Alarm Systems............................................................. 26
4. FIRE AND GAS DETECTION AND CONTROL SYSTEM.................................. 27
4.1 General .......................................................................................................... 27
4.2 Fire and Gas Control Panel Equipment........................................................... 29
4.3 Annunciation and Display............................................................................... 31
4.4 Control Actions ............................................................................................. 31
4.5 Fire Protection System Controls..................................................................... 33
4.6 Telemetry Systems......................................................................................... 36
4.7 Field Equipment.............................................................................................. 36
4.8 Remote Fire and Gas Panels........................................................................... 424.9 Drawings and Documentation ........................................................................ 43
5. PIPELINE LEAK DETECTION SYSTEMS............................................................ 43
5.1 Scope.............................................................................................................. 43
5.2 Requirement for Pipeline Leak Detection ........................................................ 44
5.3 Design and Selection....................................................................................... 47
5.4 Operation, Maintenance and Testing ............................................................... 53
FIGURE 1 - DRAWING SYMBOLS FOR FIRE AND GAS LAYOUTS.................. 55
FIGURE 2 - TYPICAL FIREPUMP START LOGIC DIAGRAM............................ 57
-
7/28/2019 RP30-5.pdf
5/81
RP 30-5INSTRUMENTATION AND CONTROL - SELECTION AND USE
OF EQUIPMENT FOR INSTRUMENT PROTECTION SYSTEMS
PAGE ii
FIGURE 3 - FIRE PUMP CAUSE & EFFECT DIAGRAM....................................... 58
FIGURE 4 - TYPICAL CONTROL ACTION MATRIX ........................................... 59
FIGURE 5 - TYPICAL FIRE AND GAS DETECTION SYSTEM BLOCK
DIAGRAM..................................................................................................................... 61
APPENDIX A................................................................................................................. 62
DEFINITIONS AND ABBREVIATIONS............................................................ 62
APPENDIX B................................................................................................................. 65
LIST OF REFERENCED DOCUMENTS............................................................ 65
APPENDIX B1............................................................................................................... 67
APPLICABLE STANDARDS AND LEGISLATION (UK) FOR FIRE AND
GAS SYSTEMS................................................................................................... 67
APPENDIX C................................................................................................................. 69
TYPICAL FIRE AND GAS VDU PHILOSOPHY ............................................... 69
C1. GENERAL DESCRIPTION .......................................................................... 69C1.1 Area Mimics................................................................................................ 69
C1.2 Expanded Mimics........................................................................................ 69
C1.3 Alarm Banner Area....................................................................................... 70
C1.4 Bar Chart Displays ....................................................................................... 70
C1.5 Tabular Switch State Displays (Page Displays) ............................................. 70
C1.6 Fire Pump/Ring Main Display....................................................................... 71
C1.7 HVAC Status Displays ................................................................................. 71
C1.8 Alarm Listings.............................................................................................. 71
C1.9 Help Displays ............................................................................................... 71
C1.10 Printer Facilities.......................................................................................... 71C2 ALARM HANDLING..................................................................................... 72
C3 DISPLAY ACCESS........................................................................................ 72
C3.1 Direct Access ............................................................................................... 72
C3.2 Previous/Next Paging ................................................................................... 72
C3.3 Fast Access .................................................................................................. 73
C4 DIRECTORY STACK.................................................................................... 73
-
7/28/2019 RP30-5.pdf
6/81
-
7/28/2019 RP30-5.pdf
7/81
RP 30-5INSTRUMENTATION AND CONTROL - SELECTION AND USE
OF EQUIPMENT FOR INSTRUMENT PROTECTION SYSTEMS
PAGE iv
It is intended to review and update this document at regular intervals, because it is essential to
maintain BP's commercial advantage from the effective deployment of the rapidly developing
technology covered by this Practice.
Application
'Specification' or 'Approval' actions are indicated by an asterisk (*) preceding a paragraph
number.
Text in italics is Commentary. Commentary provides background information which supports
the requirements of the Recommended Practice, and may discuss alternative options.
This document may refer to certain local, national or international regulations but the
responsibility to ensure compliance with legislation and any other statutory requirements lies
with the user. The user should adapt or supplement this document to ensure compliance for
the specific application.
Principal Changes since last Issue
Principal changes to Sections Issued from March 1991:
(a) The Practice has been revised to the new format to rationalise the sections and to
integrate the commentary into the main test.
(b) The sections have been updated to include references to new standards and reflect
changes in operating practices.
(c) Section numbering has been amended to suit the applicable part.
The cross-references at the end of this foreword show relationships between new documents
and the old CP 18.
Feedback and Further Information
Users are invited to feed back any comments and to detail experiences in the application of
BP RPSE's, to assist in the process of their continuous improvement.
For feedback and further information, please contact Standards Group, BP International or
the Custodian. See Quarterly Status List for contacts.
-
7/28/2019 RP30-5.pdf
8/81
RP 30-5INSTRUMENTATION AND CONTROL - SELECTION AND USE
OF EQUIPMENT FOR INSTRUMENT PROTECTION SYSTEMS
PAGE v
LIST OF SECTIONS CROSS REFERENCED TO CP 18
RP 30-1 TO RP 30-5 CP 18 PARTS AND SECTIONS
No equivalent in RP 3~X Part 1 (Foreword and Introduction)
RP 30-1 INSTRUMENTATION AND CONTROL DESIGN AND PRACTICE
Part 2 Systems, Design and Practice
Section 1 Introduction E Section 1 Introduction
Section 2 Control Engineering Principles E Section 2 Control Engineering Principles
Section 3 Selection of Instrumentation Equipment E Section 3 Selection of Instrumentation
Equipment
Section 5 Earthing and Bonding E Section 5 Earthing and Bonding
Section 6 Instrument Power Supplies E Section 6 Instrument Power Supplies
Section 7 Instrument Air Systems E Section 7 Instrument Air Systems
Section 8 Hydraulic Power Systems E Section 8 Hydraulic Power Systems
Section 9 Control Panels E Section 9 Control Panels
Section 10 Control Buildings E Section 10 Control Buildings
Section 11 Instrument Database Systems Section 1I Digital Systems (to RP 30-4, Sect 2)
+ Section 12 Adv. Cntrl Sys. (to RP 30-4, Sect. 5)
+ Section 13 Telecommunications (to RP 30-4, Sect. 3
RP 30-2 INSTRUMENTATION AND CONTROL SELECTION AND USE OF MEASUREMENT INSTRUMENTATION
Part 3 Measurement
Section 1 Introduction E Section 1 Introduction
Section 2 Temperature Measurement E Section 2 Temperature Measurement
Section 3 Pressure Measurement E Section 3 Pressure Measurement
Section 4 Liquid Level Measurement E Section 4 Liquid Level Measurement
Section 5 Flow Measurement E Section 5 Flow Measurement
Section 6 Storage Tank Measurement E Section 6 Storage Tank Measurement
Section 7 On Line Analytical Measurement E Section 7 Measurement
Section 8 Automatic Samplers for Offline E Section 8 Automatic Samplers for Offline Analysis
Analysis
Section 9 Weighbridges and Weighscales E + Section 9 Weighing Systems
Section 10 Environmental Monitoring
Section 11 Instrumentation for HVAC systems
Section 12 Drilling Instrumentation
RP 30-3 INSTRUMENTATION AND CONTROL SELECTION AND USE OF CONTROL AND SHUTOFF VALVESPart 4 Valves and Actuators
Section 1 Introduction E Section 1 Introduction
Section 2 Regulating Control Valves E Section 2 Regulating Control Valves
Section 3 Power Actuated Isolating Valves ESection 3 Power Actuated Isolating Valves
RP 30-4 INSTRUMENTATION AND CONTROL SELECTION AND USE OF CONTROL AND DATA ACQUISITION SYSTEMS
Section I Introduction
Section 2 Digital Systems (new commentary added)
Section 3 Telecommunications
Section 4 Subsea Control Systems
Section 5 + Advanced Control Systems
RP 30-5 INSTRUMENTATION AND CONTROL SELECTION AND USE OF EQUIPMENT FOR INSTRUMENT PROTECTIONSYSTEMS
Part 5 Protective Systems
Section I Introduction E Section I Introduction
Section 2 Protective Instrument Systems E Section 2 Protective Instrument Systems
Section 3 Alarm systems E Section 3 Alarm Systems
Section 4 Fire and Gas Detection and Control E Section 4 Fire and Gas Detection and Control
Systems Systems
Section 5 Pipeline Leak Detection E + Section 5 Pipeline Leak Detection
E- equivalent (not identical)
+- yet to be published
http://rp30-4.pdf/http://rp30-4.pdf/http://rp30-4.pdf/http://rp30-4.pdf/http://rp30-4.pdf/http://rp30-4.pdf/http://rp30-4.pdf/ -
7/28/2019 RP30-5.pdf
9/81
-
7/28/2019 RP30-5.pdf
10/81
RP 30-5INSTRUMENTATION AND CONTROL - SELECTION AND USE
OF EQUIPMENT FOR INSTRUMENT PROTECTION SYSTEMS
PAGE 2
1.4 Quali ty Assurance
Verification of the vendor's quality system is normally part of the pre-qualification
procedure, and is therefore not specified in the core text of this specification. If
this is not the case, clauses should be inserted to require the vendor to operate and
be prepared to demonstrate the quality system to the purchaser. The quality system
should ensure that the technical and QA requirements specified in the enquiry andpurchase documents are applied to all materials, equipment and services provided
by sub-contractors and to any free issue materials.
Further suggestions may be found in the BP Group RPSEs Introductory Volume.
2. PROTECTIVE INSTRUMENTATION SYSTEMS
This Section details BP recommendations for instruments, logic
systems and valves which make up a protective instrumentation system
and should be read in conjunction with BP Group GS 130-9'Specification for the supply of Shutdown Systems'. Compliance with
all applicable statutory regulations at the final point of installation is
mandatory, and shall take precedence over the basis for design covered
by this Recommended Practice.
2.1 General Requirements
* 2.1.1 BP Group RP 30-6 specifies BP process design requirements for
protective instrumentation systems and the actions to be taken. A
system shall be provided to meet these requirements. Where the
requirements of this Recommended Practice conflict with otherdocuments, the matter shall be referred to BP.
2.1.2 A schedule should be prepared listing all process conditions to be
monitored by protective systems. It shall define the limits of safe
operation and protective action to be taken in the event of a
transgression. The schedule shall list the consequences of failure on
demand and the application category.
2.1.3 Failure of the protective instrumentation shall not cause the plant to go
to an unsafe condition. The effect of failure of any function or group offunctions should be fully analysed and the results of this investigation
used to determine the design of the protective instrumentation.
2.1.4 The action on loss of power supply to protective instrumentation
system shall cause the plant to trip.
Systems which energise to trip may be considered for certain Category 2
applications where spurious operation would cause more serious consequences
than lost production. In such case a study should be carried out to determine the
following:-
http://gs130-9.pdf/http://gs130-9.pdf/http://gs130-9.pdf/http://gs130-9.pdf/http://rp30-6.pdf/http://rp30-6.pdf/http://rp30-6.pdf/http://gs130-9.pdf/ -
7/28/2019 RP30-5.pdf
11/81
-
7/28/2019 RP30-5.pdf
12/81
RP 30-5INSTRUMENTATION AND CONTROL - SELECTION AND USE
OF EQUIPMENT FOR INSTRUMENT PROTECTION SYSTEMS
PAGE 4
Where the system, in addition to providing facilities similar to
those offered by limited variability systems, provide facilities
similar to those in a mini-computer based real-time system, e.g.
displays, high level languages and data links.
(iv) Pneumatic or hydraulic logic systems. These systems are only
applicable to simple applications.
(v) Hybrid system comprising more than one of the above.
Points to be considered in the application of programmable electronic systems
include:-
(a) Failure and Failure Modes
Because a single microprocessor is often used to execute the logic of the
application, its, or associated component failure will usually result in
some or all logic being halted, e.g. plant protection may be lost.
It is unlikely that the mechanism of failure can be predicted and it is also
possible that a fault may lie unrevealed. To overcome these two
difficulties, it is necessary to arrange, usually by external equipment, to
detect failure and take action (usually by forcing plant outputs to a safe
state). In addition, to reveal dormant faults, it is necessary to test the
system regularly. It is therefore of the utmost importance to consider the
outcome of the failure states in plant design.
In addition to hardware faults, software problems can occur. Software
failure cannot occur, but software faults can result either from operating
system software being insufficiently tested to reveal faults, or from the
application software being unable to cope with a certain plant condition.The danger is that in each case the fault may lie dormant until a particular
plant condition is reached and the system then 'fails'. Recognition of these
two possibilities leads to important strategies concerning the selection and
testing of the system. In the case of faults in the operating system, these
can be minimised by selecting a manufacturer who has a standard product
implemented widely in industry. In the case of application software it is
necessary to apply strict control of the development process and undertake
verification of each stage. It is also essential to allow adequate time to
test the functions of the application software, both at the development
phase and on the actual plant.
To minimise problems with software full variability systems should be
avoided. They should only be considered where the complexity ofapplication requires advanced algorithms.
Some manufacturers offer designs which are fault tolerant and this can be
of benefit in applications where high integrity is required.
(b) Modifications
Because such systems provide flexibility and convenience in configuring
logic to meet plant requirements, there is a danger that such flexibility
applied in an uncontrolled fashion can lead to downgrading of plant
protection following injudicious modification of application software. It is
-
7/28/2019 RP30-5.pdf
13/81
RP 30-5INSTRUMENTATION AND CONTROL - SELECTION AND USE
OF EQUIPMENT FOR INSTRUMENT PROTECTION SYSTEMS
PAGE 5
therefore important to ensure that access to, and modifications of, the
application software is closely controlled.
(c) Overrides and Interlocks
Where override or interlock facilities are provided by application
software, a facility should be provided to ensure that the operator andplant manager are aware that the plant is being operated in such a
fashion. If the application of overrides is not closely monitored, there is a
danger that plant protection is gradually downgraded.
Advantages of programmable systems include the following:-
(i) Space saving
(ii) Low power
(iii) Ease of configuration
(iv) Ease of reconfiguration
(v) Fault diagnosis
(vi) Simple interface to computers
Disadvantages of programmable systems include:-
(i) Statutory authorities may impose strict requirements for their
application on any safety related duty.
(ii) Hardware and software faults (revealed or unrevealed) may result
in common mode failure and seriously impair functionality.
Careful selection of vendor and his proposal is essential to
ensure:-
- Vendor has a proven experience in the supply of similar
sized systems.
- Vendor has established and effective QA system for both
hardware and software design and implementation; including
modification procedures.
- Bought-in hardware and software complies with above.
(iii) Additional costs can arise in meeting the software QA
requirements.
(iv) Such systems can be complex leading to more difficult and time
consuming fault finding. This can lead to higher cost of training.
2.2.3 When programmable systems are provided, their failure modes should
be fully considered. The systems should be designed such that in the
event of a system failure the plant is not put into an unsafe condition.
If failure of the shutdown system could cause an unsafe condition,
other equipment or systems should be provided to ensure that the plant
is maintained in a safe state.
-
7/28/2019 RP30-5.pdf
14/81
RP 30-5INSTRUMENTATION AND CONTROL - SELECTION AND USE
OF EQUIPMENT FOR INSTRUMENT PROTECTION SYSTEMS
PAGE 6
A hybrid system using both discrete logic and programmable systems may provide
the optimum solution. Hybrid systems also have the advantage of diversity and
reduce the probability of common mode failure.
2.3 System Design
2.3.1 Overall design shall comply with BP Group RP 30-1 and the
requirements of BP GroupRP 30-6.
API RP 14Cfor offshore applications requires that each safety system comprise two
levels of protection to prevent or minimise the effects of an equipment failure within
the process. The two levels of protection should be independent of and in addition
to the control devices used in normal process operation. The first method of
protection is normally instrument based, the secondary method is normally by self
acting devices such as relief valves.
Where a Category 1 system is used top prevent hazards arising this may be
adequate acting alone providing:-
(a) The system used in complies with the requirements for Category 1 system
as defined in BP GroupRP 30-6.
(b) A full integrity analysis has shown that an acceptable standard of safety
has been achieved.
(c) The effects of common mode failure has been considered in the reliability
analysis
2.3.2 For a Category 1 application a single failure during normal operation
shall not cause the system to fail to perform its intended function.
2.3.3 For a Category 2A application involving serious commercial or
environmental loss, multiple sensors, logic and final actuation devices
should be used unless evaluation of the additional reliability and costs
against the probability of reducing business loss can be shown to be
uneconomic or environmentally unacceptable.
2.3.4 For a Category 2B application the use of single sensor, logic and final
actuation device is normally considered adequate.
2.3.5 In voting systems, precautions shall be taken to avoid degradation of
the protection through common faults in the system.
Examples of common mode problems include blockage of single pressure tappings,
blowing of common supply fuses to input channels, or accidental damage to cables
run on a common cable tray, or along the same route. Separation of individual
protection channels is normally required.
2.3.6 Category 1 systems need not comprise of one discrete system of
sensors, voting systems and valves.
http://rp30-1.pdf/http://rp30-1.pdf/http://rp30-6.pdf/http://rp30-6.pdf/http://external%20standards%20organisations.pdf/http://external%20standards%20organisations.pdf/http://rp30-6.pdf/http://rp30-6.pdf/http://rp30-6.pdf/http://external%20standards%20organisations.pdf/http://rp30-6.pdf/http://rp30-1.pdf/ -
7/28/2019 RP30-5.pdf
15/81
-
7/28/2019 RP30-5.pdf
16/81
-
7/28/2019 RP30-5.pdf
17/81
-
7/28/2019 RP30-5.pdf
18/81
-
7/28/2019 RP30-5.pdf
19/81
RP 30-5INSTRUMENTATION AND CONTROL - SELECTION AND USE
OF EQUIPMENT FOR INSTRUMENT PROTECTION SYSTEMS
PAGE 11
The operation of motor operated valve actuators shall be controlled by
d.c. operated interposing relays, integral with the motor starter. The
d.c. supply voltage shall be derived from the protective system and shall
be independent of the contactor control supply.
The reversing starter, interlocking and signalling switches shall beintegral with the actuator.
When the operation of two or more electrically operated valves has to
be interlocked, (e.g. in order to ensure that a bypass valve is open
before the line main valve is permitted to close and vice versa), this
interlocking shall be done only in the main electrical contactor circuits.
The design shall ensure that any interlocks are effective in all 'remote'
and 'local' modes of control.
Actuators fitted to emergency shutdown valves on critical applicationsinvolving plant safety shall conform with BP Group GS 130-6 and
should be provided with transducers for measuring on-line
performance.
If the actuator does not reach the required position within a
predetermined time period after action is initiated, a 'valve fault' alarm
shall warn the operator. The alarm supply shall be independent of the
actuator supply.
Performance measurement is particularly important on large valves where the
actuator design margin may be reduced by wear or fouling.
2.4.3 Circuit Modules
Removal of a plug-in module should initiate a shut-down action to/from
the system for that module position. Alternatively for Category 2b
applications the system may remain in the untripped state providing
diagnostics are provided to indicate to the operator that the system is
no longer active.
Modules that need to be calibrated, e.g. analogue input modules,
should have defeat and test facilities that allow in situ calibration by asingle technician.
The system as a whole, and each type of module, shall be unaffected by
radio frequency interference, even when doors or covers are removed
for maintenance.
* When the modules incorporate self diagnostic circuitry, the choice of
alarm or trip action to be taken on detection of a fault, shall be subject
to approval by BP.
http://gs130-6.pdf/http://gs130-6.pdf/http://gs130-6.pdf/http://gs130-6.pdf/ -
7/28/2019 RP30-5.pdf
20/81
RP 30-5INSTRUMENTATION AND CONTROL - SELECTION AND USE
OF EQUIPMENT FOR INSTRUMENT PROTECTION SYSTEMS
PAGE 12
Each output module shall control a separately fused supply to each
associated actuator. The output fuses shall be individually accessible.
Plug-in modules should be removable under power.
2.4.4 System Alarms
Protective systems should have facilities to monitor failure states.
There should be alarms for system malfunctions, and for the loss of
power supplies to the logic and external circuits.
2.4.5 Power Supplies
Powersupplies for protective systems shall be Class A as defined in BP
Group RP 12-5.
Relay systems shall be segregated into functional loops, each supplied
through a separate switch and fuse.
On earth-free systems, double pole power switches shall be used.
Separate power supplies should be used for actuation circuits unless it
can be shown that the effect of switching transients is unlikely to effect
input or logic circuits.
The filter circuits of input modules and logic power supplies will need to be
considered to establish adequate rejection of transients.
Batteries shall be capable of maintaining power for logic and actuating
devices for pre-defined period following a primary power supply
failure. (Refer to Section 6 of BP Group RP 30-1).
The pre-defined period will need to be sufficient to allow an orderly
shutdown of the process. The period will depend on the complexity of
the process and the available manning. The period should be agreed
with those responsible for Operations Management.
The components of the logic power supplies should be so arranged asto permit any one of them to be removed for maintenance while the
system stays on line, and under power.
2.5 Testing
2.5.1 Facilities to enable on-line testing of protective instrument systems
should be provided unless adequate reliability can be achieved by
testing during planned shutdowns. On spared equipment, batch or
cyclic processes, test facilities for use on line are not required provided
http://rp12-5.pdf/http://rp12-5.pdf/http://rp30-1.pdf/http://rp30-1.pdf/http://rp30-1.pdf/http://rp12-5.pdf/ -
7/28/2019 RP30-5.pdf
21/81
-
7/28/2019 RP30-5.pdf
22/81
RP 30-5INSTRUMENTATION AND CONTROL - SELECTION AND USE
OF EQUIPMENT FOR INSTRUMENT PROTECTION SYSTEMS
PAGE 14
Test facilities which prevent the system fulfilling its intended function
should be avoided.
The frequency and method of testing should be those which have been
shown by reliability analysis to give acceptable integrity.
2.5.6 Category 2A Systems
Category 2A systems with multiple sensors, logic and trip valves should
be tested as for the Category 1 system. For 2A systems using single
sensors and logic, the testing will be determined by the reliability
requirements.
2.5.7 Category 2B Systems
Testing on line of final actuator devices may not be required. An
adequate level of integrity may be achieved by testing at plant or spared
equipment shutdown.
2.6 Integrity Assessment
2.6.1 General
2.6.1.1 The design of the shutdown systems shall be such to ensure the
necessary integrity is achieved.
A system can fail to meet its intended function because of random
hardware failures or systematic failure.
Random hardware failure result from a variety of normal degradation mechanism
in the hardware. The failure rate arising from this type of failure may be predicted
by reliability analysis providing the accurate failure rate and demand rate data is
available.
Systematic failures arise due to errors in design, construction or use of the system
and cause a system to fail under particular combinations of inputs or under some
environmental conditions. Systematic failures can be due to errors or omissions in
the system requirements specification or errors in the design, manufacture,
installation or operation of the hardware or software. The failure rate arising from
this type of failure cannot be predicted by reliability analysis.
In the event of the assessment not being carried out by BP it will be necessary prior
to the start of the study to ensure that the contractor or consultant has the
necessary procedures, data and skilled resources to carry out the design
assessment.
2.6.1.2 For Category 1 or for those Category 2A applications involving major
environmental risk, a quantified assessment of the system should be
carried out to ensure compliance with required hazard rate and
-
7/28/2019 RP30-5.pdf
23/81
RP 30-5INSTRUMENTATION AND CONTROL - SELECTION AND USE
OF EQUIPMENT FOR INSTRUMENT PROTECTION SYSTEMS
PAGE 15
reliability. The study shall be subjected to detail audit by engineers not
involved in the design process.
For Category 2A systems involving economic or minor environmental
risk, the reliability of systems may be qualitatively assessed by
considering the extent of redundancy applied in the system design.Where the demand rate is assessed as low and the implications of
failure on demand are not large then this qualitative assessment may be
adequate. Where a reliability analysis is judged to be unnecessary for a
Category 2A application the reasons shall be recorded for approval.
The use of independent audit should be considered optional, but is
recommended where major economic risk is involved.
The local operating management or their representative should agree at
the design stage the level of maintenance and testing work.
In carrying out the analysis it is important that the following is agreed with those
responsible for the process and instrument design.
(a) The risks to be quantified.
(b) The events leading to the risks i.e. the fault trees.
(c) The data to be used for failure rates and demand rates.
(d) Whether operator intervention can be included.
(e) The assumptions made on which the validity of the results depend.
(f) The test procedure and test intervals.
2.6.1.3 The integrity of the system shall be reviewed throughout the duration
of the design and operational life. The design case for any changes toassociated process, plant design or assumptions used shall include
review of the categorisation and quantitive basis for the protective
system design.
It is common for protective system requirements to be established from preliminary
process and plant design. It is therefore essential that these be reviewed once the
design is changed for validation purposes.
2.6.2 Quality
The procedures to be used during each stage of the implementationshould be defined in the project specification. Evidence that the
procedures have been followed should be provided and included in the
design dossier.
The design, manufacture, installation and maintenance of protection
systems should be carried out using an established quality assurance
system such as ISO 9000 Series. An audit or review of independent
external audit (such as establishing if certification is confirmed) shall be
carried out to establish that the necessary procedures are in place and
are being followed.
http://external%20standards%20organisations.pdf/http://external%20standards%20organisations.pdf/http://external%20standards%20organisations.pdf/http://external%20standards%20organisations.pdf/ -
7/28/2019 RP30-5.pdf
24/81
RP 30-5INSTRUMENTATION AND CONTROL - SELECTION AND USE
OF EQUIPMENT FOR INSTRUMENT PROTECTION SYSTEMS
PAGE 16
The level of overall quality achieved determines the likelihood of systematic
failures. The quality of procedures used in the design process is particularly
important since errors or omissions in specification will be carried on through
implementation and are unlikely to be corrected by later work.
When considering whether particular equipment is suitable for its intended
purpose, a significant history of satisfactory operation in a similar environment willbe of benefit. Other evidence such as independent test reports should also be
considered. The above aspects are particularly relevant where systems involving
software are being used. For Category 1 systems check lists within the British HSE
PES document may be used.
Integrity Assessment Summary
Category Design Quality Design
Assessment
1
2A (Major
environmental
risk)
Confirmation ofcontractor or
consultant
design ability
and resources
for design
process and
quantitative
assessment
Confirmation ofcertificationto
ISO 9000 series
or full Quality
system audit.
(Compliance audit
if considered
necessary)
Full quantitativedesign audit by
independent
specialist
consultant
2A (Economic
or minor
environmental
risk)
As 1/2A above As 1/2A above Optional but
recommended for
high economic risk
applications2B Design
capability audit
not required
As 1/2A above General project
procedures
acceptable
2.7 Design Documentation
2.7.1 Category 1
A design dossier shall be maintained for each Category 1 application
and submitted to BP for approval at successive stages in the project.
It should be recognised that a change in a control system design or philosophy
could necessitate a corresponding change in the design of protection systems. For
example:-
(a) Replacing a system of single control loop integrity by a distributed shared
loop system.
(b) Computer optimisation linking control loops in a manner not envisaged in
the original design.
(c) Changing control valve trim size.
http://external%20standards%20organisations.pdf/http://external%20standards%20organisations.pdf/http://external%20standards%20organisations.pdf/http://external%20standards%20organisations.pdf/ -
7/28/2019 RP30-5.pdf
25/81
-
7/28/2019 RP30-5.pdf
26/81
RP 30-5INSTRUMENTATION AND CONTROL - SELECTION AND USE
OF EQUIPMENT FOR INSTRUMENT PROTECTION SYSTEMS
PAGE 18
2.7.1.12 All reasonably foreseeable failures of the distributed control system
leading to more than one output failing simultaneously. These shall be
listed together with details of how hazard associated loops have been
allocated.
2.7.1.13 Detailed design drawings showing process, electrical pneumatic,hydraulic and power supply arrangements.
2.7.1.14 Design specifications for all safety critical items.
2.7.1.15 Details of independent design audit together with associated report.
2.7.2 Category 2A
A design dossier shall be maintained for each Category 2A application.
The contents of the dossier should be similar to that defined above for
Category 1 system with the following exceptions:-
2.7.2.1 For systems involving major economic or environmental risk, the full
results of the cost benefit analysis and associated reliability studies shall
be included.
2.7.2.2 Where the consequences of failure do not include major economic or
environmental risk the completed check list need only include
information not related to quantitative analysis.
2.7.3 Category 2B
Documentation conforming to general agreed project procedures will
be adequate.
3. ALARM SYSTEMS
This Section specifies BP general requirements for alarm systems.
3.1 General Requirements
3.1.1 This Section outlines the requirements for alarm systems provided tofacilitate protection of plant and equipment. Fire and gas alarm
requirements are given in Section 4 of this Recommended Practice.
3.1.2 Each plant shall be fitted with alarm systems to draw the operator's
attention to abnormal process conditions or events. Alarm systems
shall provide audible and visual warnings of abnormal occurrences in
the process, utilities and plant equipment (e.g. machinery), and shall
display the alarm status of each point.
-
7/28/2019 RP30-5.pdf
27/81
-
7/28/2019 RP30-5.pdf
28/81
RP 30-5INSTRUMENTATION AND CONTROL - SELECTION AND USE
OF EQUIPMENT FOR INSTRUMENT PROTECTION SYSTEMS
PAGE 20
3.1.7 Power supplies for alarm annunciators shall as a minimum requirement
be Class B as defined in BP GroupRP 12-5. Power supply should be
adequate for the peak load imposed by any lamp test facility.
3.1.8 Replacement of a modular power supply unit should be possible
without interrupting the operation of the system.
3.1.9 Termination wiring and labelling shall be in accordance with BP Group
RP 30-1Section 4.
3.2 Categories of Alarms
3.2.1 General Requirements
The following basic categories of alarms and status indications shall be
applied:-
(a) Emergency Trip Action
A separate alarm for each input channel to the protective safety
system shall be provided, as detailed in Section 2 of this
Recommended Practice.
(b) Urgent Alarm
A separate alarm shall be provided for each condition which
requires urgent operator action, including alarms which precedea trip as defined in Section 2 of this Recommended Practice.
(c) Information
A condition to be drawn to the attention of the operator but not
requiring immediate action on his part, e.g. standby pump
started, or status of a sequence controller.
Additional categories of alarms may be provided on digital control and
sequential logic equipment:-
(a) Minor Process Alarms
This category includes facilities such as control loop setpoint
deviation and rate of change of plant variable.
(b) Sequence or Logic Alarms
http://rp12-5.pdf/http://rp12-5.pdf/http://rp12-5.pdf/http://rp30-1.pdf/http://rp30-1.pdf/http://rp30-1.pdf/http://rp30-1.pdf/http://rp12-5.pdf/ -
7/28/2019 RP30-5.pdf
29/81
RP 30-5INSTRUMENTATION AND CONTROL - SELECTION AND USE
OF EQUIPMENT FOR INSTRUMENT PROTECTION SYSTEMS
PAGE 21
This category includes alarms which require logic to define an
alarm stage, e.g. the failure of a valve to move on command or
the timeout of an expected action following a command.
(c) Control and Instrumentation System Equipment Failures
This category includes all alarms provided to draw the
operator's attention to failure of an item of equipment, which
may be failure of an individual measurement loop (e.g. open
circuit) or failure of a system module such as a multiplexer or
microprocessor or communications link which potentially
affects several measurements.
3.2.2 Location
The main alarm display shall be located in the appropriate permanently
manned control centre, integral with or adjacent to the control and
monitoring equipment, and shall include all alarms requiring the
attention of the operators stationed there.
Additional alarms may be provided and located at local level for plant
requiring full time or occasional operator attendance.
* When specified by BP, a self-contained alarm system should be
provided for plant attended full time by a local operator. The system
may be located in a local control room or adjacent to the plant.
Plant normally unattended but requiring occasional local operator
attention (e.g. for start-up, trouble shooting or maintenance operations)
should be provided with a local self-contained alarm system. Examples
of this type of plant are, packaged units, major machinery and a satellite
production facility.
Alarm repeats of local alarms, individually or in groups, should be
provided at the control centre. Details shall be included in the schedule
(see 3.1.4).
When a group alarm repeat is accepted, the action of acceptance should
reset the transmission system to allow subsequent alarms in that group
to be brought to the attention of the control centre operator.
Where remote alarms are also required at the control centre, they are usually taken
back as a single group, a number of groups, single alarms or a combination of
these. A single group should be used for areas where a single operator only needs
to visit the area. A number of groups should be used where there is a need to
define the specific function from an area, e.g. electrical, instrument, machinery or
process alarms. Single alarms should be used for critical functions which need
-
7/28/2019 RP30-5.pdf
30/81
RP 30-5INSTRUMENTATION AND CONTROL - SELECTION AND USE
OF EQUIPMENT FOR INSTRUMENT PROTECTION SYSTEMS
PAGE 22
individual operator attention. The grouping of retransmitted alarm functions
should be fully discussed and agreed with the end user at the design stage.
Alarms at each location should be accepted independently.
The alarm logic units for equipment as 3.1.3 (a), (b) and (c) may becentrally housed or mounted behind each alarm panel. Centrally
housed alarm logic should be in a free standing, ventilated cabinet,
preferably with both front and back access. Removable gland plates
should be furnished for cable access.
The location of the alarm logic units should minimise interference to the operator
during maintenance operations and plant modifications. Examples of good
practice are:-
(a) Integral logic with back access in a conventional control panel.
(b) Integral logic with front access in a local control panel.
(c) Remote logic in an equipment area or room, where provided. This method
is preferred when the alarm display is integrated into a video based
console.
3.3 Measurement Interface
3.3.1 Alarms derived from analogue measurements are preferred.
3.3.2 When the alarm input is not otherwise measured and transmitted, direct
switch sensors may be used.
Direct sensors should be used only where they are more reliable than the function
measurement and transmission type and where calibration of the equipment is
possible. However, the cost of the system should also be considered and this
balanced against the overall requirements of the application.
3.3.3 Alarms derived from switches should be closed circuit for normal
operation and open circuit for the alarm condition.
3.3.4 Sensors shall have ranges selected for effective response, setting and
resetting at scheduled values of the alarm and normal conditions.Allowance shall be made for any dead-band in switch operation.
Overrange protection should be provided where necessary.
3.3.5 Trip alarms should be provided such that the integrity of the shutdown
system is unaffected (see Section 2 of this Recommended Practice).
3.4 Panel Annunciators
3.4.1 Panel mounted annunciators should consist of engraved illuminated
windows grouped in accordance with the plant units.
-
7/28/2019 RP30-5.pdf
31/81
RP 30-5INSTRUMENTATION AND CONTROL - SELECTION AND USE
OF EQUIPMENT FOR INSTRUMENT PROTECTION SYSTEMS
PAGE 23
In selecting annunciator window size or the type of read-out (e.g. illuminated and
engraved windows or LEDs [light emitting diodes] with side descriptors), the
distance between the normal operator position and the read-out equipment should
be considered. The nearer the normal operator position is to the read-out
equipment, the smaller the read-out equipment needs to be. In most cases, it will be
necessary for the operator to read the alarm description from the normal operating
position, although in some cases, with experience, knowledge of the position of thealarm in the group will be sufficient.
When deciding the grouping of alarms, it is necessary to balance what is available
from manufacturers with the number of alarms for the relevant process unit and the
operational requirements. Although the system is usually divided by the process
unit, to assist operator recognition on a unit with a large number of alarms it may
be better to split alarm displays into a number of sections rather than have a single
large display.
3.4.2 The window illumination shall be provided by two bulbs or their
equivalent. A power healthy indicator shall also be provided for each
alarm group.
3.4.3 The windows should be colour coded according to the following:-
Emergency Trip Action Magenta
Urgent Alarm Amber
Information White
3.4.4 The window engravings should be of the following form:-
TAG (e.g. 17 PAH 342)
LOCATION (e.g. RECYCLE COMPRESSOR DISCHARGE)
ALARM (e.g. HIGH PRESS)
The engraving for 'Location' should be a concise but definitive
description of the point location.
3.4.5 Connections from the central logic cabinet to the alarm annunciators
should be made with multicore cables of adequate current capacity
terminated with plugs and sockets.
3.5 VDU Based Annunciators
* 3.5.1 This sub-section defines the functional requirements of VDU based
alarm systems. The precise scheme for each application shall be subject
to approval by BP.
3.5.2 Colour and/or text shall be used to denote the alarm/normal states and
flashing to denote the unaccepted alarm state.
-
7/28/2019 RP30-5.pdf
32/81
-
7/28/2019 RP30-5.pdf
33/81
-
7/28/2019 RP30-5.pdf
34/81
RP 30-5INSTRUMENTATION AND CONTROL - SELECTION AND USE
OF EQUIPMENT FOR INSTRUMENT PROTECTION SYSTEMS
PAGE 26
3.7 Microprocessor Based Alarm Systems
3.7.1 This sub-section covers the requirements for programmable alarm
systems as defined in 3.1.3 (b), (c), (d) and (e).
The functional requirements of sub-sections 3.4 and 3.5, as appropriate,shall be satisfied.
3.7.2 The effect of common mode failures on alarm scanning and display
shall be stated by the vendor. Redundancy techniques should be
employed to minimise the effects of common mode failures within
equipment and its power supply system. The routing and connection of
critical alarms should be carried out in a manner which maximises
overall system availability.
Where redundant equipment is used, specific attention should be given to areas in
which common mode failures could occur. For example, in a duplicated multiplex
system with common switching equipment, a common mode fault could occur in the
switching equipment and negate the beneficial effects of duplication. Redundant
equipment should be regularly exercised on-line, preferably on an automatic cyclic
basis.
In-built diagnostic facilities should warn the operator of faults in the on-line and
back-up equipment.
The designer should ensure that the design is not compromised by external failures,
such as in the power supply system. Quality of the supply (e.g. voltage stability,
transients) should be addressed. This is covered in greater detail in BP Group RP
30-4 Section 2.
3.7.3 The maximum system response time to a burst of alarms shall be
specified by the vendor.
A burst of alarms, sometimes known as a flood of alarms, is a situation where one
plant event can trigger many subsequent events over a short time period. Bursts of
alarms which are likely to occur should be established in conjunction with the plant
designer or end user, as appropriate. Normal and abnormal circumstances should
be addressed, as should the interactive nature of plants connected to the system.
The response time of the alarm system should be taken as the time lag in processing
and displaying any single alarm which is initiated within a burst of alarms. Thislag should not significantly reduce the margin allowed by the plant designer for
operator action following alarm initiation from the primary sensor.
3.7.4 Urgent alarm limits shall only be altered under the protection of a key
(or equivalent) security system. Minor alarm settings, e.g. deviation,
may be modified by the plant operator.
3.7.5 All software alarm routines should be provided with an adjustable
deadband, to minimise oscillation into and out of alarm. Alteration of
-
7/28/2019 RP30-5.pdf
35/81
RP 30-5INSTRUMENTATION AND CONTROL - SELECTION AND USE
OF EQUIPMENT FOR INSTRUMENT PROTECTION SYSTEMS
PAGE 27
the deadband shall be under the same security protection as for alarm
limits in 3.7.4.
* 3.7.6 The time resolution of alarm and event logging shall be subject to
approval by BP. Recording format should be as 3.5.9. A convenient
method of distinguishing between alarm and event messages should beprovided on printouts.
Systems should have the facility to store alarm and event history, with
printout only on demand. Measures to assure security of information
on loss of power supply and on equipment failure should be provided.
3.7.7 The following additional requirements shall apply to alarm systems to
be operated as an integral part of a proprietary distributed control or
computer system; as defined in paragraphs 3.1.3 (d) and (e).
All categories of alarms should be connected to the control system and
be provided with alarm annunciation and presentation facilities at the
operator's work station.
It should be possible to apply alarm facilities to derived plant values.
The system design should ensure that the operator's control facilities
are not hampered by processing a burst of alarms.
See 3.7.3 for definition of 'burst of alarms'. A burst of alarms may overload the
control system and delay other functions (e.g. key board actions) in addition toalarm response.
4. FIRE AND GAS DETECTION AND CONTROL SYSTEM
4.1 General
4.1.1 The scope and application of fire and gas detection, alarm and control
systems depends upon the inherent risks associated with the materials
being processed and the layout and size of the installation. Guidance
on system application is given in BP Group RP 30-7.
This Section details BP recommendations for fire, flammable and toxic
gas detection and control systems equipment, and should be read in
conjunction with BP Group GS 130-10 'Specification for the supply of
Fire and Gas Systems'. The recommendations also apply to systems
supplied as part of self contained package units.
To minimise spares holdings and maintenance every effort should be made to
ensure the package unit equipment (specially the detectors) offered is the same as
that used in the main F&G system.
http://rp30-7.pdf/http://rp30-7.pdf/http://gs130-10.pdf/http://gs130-10.pdf/http://gs130-10.pdf/http://rp30-7.pdf/http://gs130-10.pdf/ -
7/28/2019 RP30-5.pdf
36/81
-
7/28/2019 RP30-5.pdf
37/81
RP 30-5INSTRUMENTATION AND CONTROL - SELECTION AND USE
OF EQUIPMENT FOR INSTRUMENT PROTECTION SYSTEMS
PAGE 29
energising and re-energising of the logic circuitry will not cause accidental
initiation of normally de-energised control actions.
For Intrinsically Safe circuits utilising Zener barriers both the positive line and the
negative return line should have separate barriers even if the negative lines are
tied to earth at the power supply. Use of a single barrier on the positive side only,
runs the risk of the signal return by-passing the negative return to the power supplyvia the IS earth. Galvanically isolated barriers are the preferred approach.
4.1.5 The Fire and Gas System shall be designed and installed to facilitate in-
service testing, maintenance, calibration and repair. Due regard shall be
made for safety of personnel and access of equipment.
4.2 Fire and Gas Control Panel Equipment
4.2.1 All FGCP's and annunciation displays should preferably be located in a
non-hazardous area such as a control or equipment room.
The equipment should be suitable for use in the environment in which it
is located. In controlled environments, account must be taken of the
possible loss of heating and ventilation under abnormal conditions.
Points which require particular attention during the assembly of the fire and gas
panels include:-
(a) Where front access only panels are used, withdrawal facilities shall be
provided to enable easy access to termination's etc. The withdrawal
facility shall provide self support of the equipment when withdrawn from
the panel and any flexible cabling shall be adequately guarded againstscuffing, kinking, and undue tension.
(b) Visibility of indications. Visibility of panel modules and their indicators is
necessary as well as the annunciation of displays. If the panel has doors
for protection of modules or to prevent unauthorised access, the doors
shall be provided with see through panels.
(c) Cooling and ventilation of the panel should be designed to cope with the
heat generated by a fully equipped panel, even if supplied with 25% spare
capacity. Where panels are fitted with ventilation systems for cooling
purposes the air intakes shall be protected with suitable dust filters, and
fan failure alarms should be provided.
4.2.2 The FGCP should be designed with spare capacity to allow for any
known future requirements and also a contingency allowance for design
development changes.
The purchase of a fire and gas system is frequently committed before detector and
control action requirements are fully defined. This can result in considerable
growth. Under these circumstances, it is prudent to allow a larger than normal
capacity for expansion and typically 25% may be considered.
-
7/28/2019 RP30-5.pdf
38/81
RP 30-5INSTRUMENTATION AND CONTROL - SELECTION AND USE
OF EQUIPMENT FOR INSTRUMENT PROTECTION SYSTEMS
PAGE 30
4.2.3 All incoming detector field circuitry shall interface with modules which
must be compatible with the field sensors.
Flammable gas detector interface modules must have sufficient gain adjustment for
doubling the LEL% sensitivity to methane plus any subsequent deterioration in the
detector during its normal lifetime.
4.2.4 The system should provide the following:-
(a) Monitoring of all components of the detection circuit up to and
including the last sensing element, and shall generate a fault
signal in the event of any malfunctions.
(b) Lamp test facilities.
(c) Latching alarm to ensure short duration alarms are captured.
Facilities should be provided for remote latch reset where localreset is impractical (e.g. unmanned installations). An alarm
indication shall override fault indication.
At the remote control point alarm acceptance should silence the sounder
and steady the indications at the local panel as well as silencing the
sounder and steadying indications at the remote control point itself.
(d) Supervisory facilities to enable the failure of any power supply,
fuse, etc., to be quickly identified and located.
Compliance with the British Standards listed in Appendix B is not a statutoryrequirement and their guidance is open to some interpretation depending on the
installation. The following presents some areas where deviations or points of
contention may occur and interpretations that should be acceptable:-
(a) The onset of a detectable level of the hazardous condition at the detector
and annunciation at the CCR shall not exceed 8 seconds.
(b) The initiation of a manual call point and annunciation at the CCR shall
not exceed 3 seconds.
(c) In the case of flame detectors, which are more likely to operate
simultaneously, the alarm response should not be prevented.
(d) The lack of short circuit detection in fire detection loops is acceptable
provided that a short circuit fault producing an alarm condition is an
acceptable operating mode.
4.2.5 The number of circuits connected to individual input/interface modules
should be such that failure of that module does not significantly reduce
the level of protection provided for the facility.
-
7/28/2019 RP30-5.pdf
39/81
-
7/28/2019 RP30-5.pdf
40/81
-
7/28/2019 RP30-5.pdf
41/81
RP 30-5INSTRUMENTATION AND CONTROL - SELECTION AND USE
OF EQUIPMENT FOR INSTRUMENT PROTECTION SYSTEMS
PAGE 33
For electronic data processing computer rooms, there is greater risk of external
fire due to paper debris from print outs etc. The consequence of loss of data in the
event of a fire situation can be quite important.
A fine water spray arrangement is currently preferred to quench any fire external
to the computer equipment. It is essential that the consequence to the equipment,
as a result of initiation of such extinguishant be investigated and agreement soughtfrom the equipment vendor. The design of the system should be such to avoid
ingress of extinguishant into the cabinets.
The computing equipment should be shut down on detection of problems from
detectors located in the room and inside the cabinets. The shutdown should be
after a time delay to allow for back up of current data.
4.5.1 Fire Water Pumps
4.5.1.1 All types of fire water pumps shall be provided with the means to
manually stop and start the machine locally. Only the start facility is
required from the FGCP. Additional fire pump start push-buttons at
selected remote locations should be provide where there is any risk of
loss of access to the pump locations during incident situations.
Additional remote start facilities can be provided dependent on plant layout and
operating procedures. Typically an onshore facility will have an on-site fire
fighting unit with it's own control point (e.g. fire station). In this instance remote
start facilities would be provided at the central control room and the fire fighting
control point.
Under confirmed combustible gas conditions in the duty fire pump room, control
logic should be provided to prevent the fire pump from starting, and enable thestart of the stand-by fire pump. Lockable means shall be provide for over-riding
this trip.
4.5.1.2 Duty/standby selection should be provided at the FGCP with adequate
indication to allow the operator to determine the operational status of
each pump.
Automatic duty pump start-up should be initiated from the FGCP by
one of the following:-
(a) Deluge discharge pressure high.
(b) Sprinkler flow switch high.
(c) Confirmed fire detection.
(d) Main pump failure to start or low fire main pressure.
The design of the pump control system should be such that automatic
duty pump start-up does not induce excessive pressure surges on fire
monitors and fire hoses.
-
7/28/2019 RP30-5.pdf
42/81
-
7/28/2019 RP30-5.pdf
43/81
RP 30-5INSTRUMENTATION AND CONTROL - SELECTION AND USE
OF EQUIPMENT FOR INSTRUMENT PROTECTION SYSTEMS
PAGE 35
(e) One or more sets of four lamp visual warning clusters, at each
entrance to the protected area, showing the status of CO2 or
other gaseous total flood system and its controls. Audible
warning 'on discharge' klaxons or sirens should also be
provided. It should be audible throughout the area protected by
the extinguishing medium and should provide sufficientwarning, typically 15 secs, prior to release of extinguishant to
enable personnel to safely evacuate the area and for dampers to
close.
Where visual warning lamps are used on offshore installations,
consideration should be given to using extinguishant status lamps as
follows:-
System manual - lamp colour green
System auto - lamp colour amber
System discharged - lamp colour red
System electrically isolated - lamp colour white.
Each indicator shall have a twin lamp arrangement.
(f) Main and reserve systems where provided should have manual
selection on the skid and an electrical key switch at the FGCP.
Extinguishant systems may be provided with stand-by systems which
should be manual initiation only. The intention of these arrangements is
to allow quick return to normal operation after a discharge of
extinguishant. The stand-by should not be considered as 'second shotfacility' and any remote change-over facilities should preferably be
avoided, or if required be interlocked with key switches.
(g) All extinguishant isolating valves should be monitored via limit
or proximity switches to indicate they are fully open.
4.5.3.2 Deluge system solenoid valves should operate by venting the air
holding the deluge valve closed. Each deluge system should be fitted
with a low pressure switch for remote indication of loss of vent air.
Each sprinkler system branch should be fitted with a flow switch toindicate the operation of the system.
Deluge systems may be provided with the facility to stop deluge remotely at the
control point on offshore installations on a fire area basis. Where manual control
of the deluge is required for fire control purposes which uses water curtains and/or
sub-divides deluge systems within fire areas, consideration may be given to
grouping deluge controls in a Deluge Control Panel.
-
7/28/2019 RP30-5.pdf
44/81
-
7/28/2019 RP30-5.pdf
45/81
-
7/28/2019 RP30-5.pdf
46/81
RP 30-5INSTRUMENTATION AND CONTROL - SELECTION AND USE
OF EQUIPMENT FOR INSTRUMENT PROTECTION SYSTEMS
PAGE 38
Ultra Violet Flame Detectors should. Built-in test facilities should be
provided for checking the detector on line.
It should be noted that UV detectors are particularly susceptible to smoke and oil
deposits on the lenses causing loss of sensitivity. Optical integrity should consist of
a UV source mounted such that the UV radiation path includes the detector lenses.
Ultra violet detectors should be used in areas where a fire is not likely to generate
smoke. Ultra violet detectors should only be used in combination with smoke or
heat detectors.
4.7.1.6 Infrared Flame Detectors
Infrared Flame Detectors should respond to radiation equivalent to the
CO2 absorption band. They should be solar blind and their response to
other sources of radiation should be minimised. Built-in test facilities
should be provided for checking the detector on line.
Point type smoke and heat detectors are not suitable for open areas and fire
detection coverage should be by optical flame fire detectors with IR detectors the
preferred choice for hydrocarbon areas. Areas covered by optical flame detectors
in certain instances may be supplemented with smoke (beam type) or heat (fusible
loop, linear).
The smoke and heat detection used in combination with optical flame detectors
should be selective in approach and is intended to provide firstly for other control
actions beyond those initiated by the early detection of fire by the flame detectors,
and secondly in certain circumstances to supplement the optical detection. For
example:-
(a) In well bays the optical detectors are intended for detection of fires at
their initial stages and initiate appropriate alarms and control actions
(release of deluge) without necessarily shutting down the wells. This
protection will be inadequate for sudden large fires due to catastrophic
failures which may threaten the platform structure itself. The addition of
temperature type detectors (such as fusible loops) is provided to initiate,
say, down-hole well shut-off valves.
(b) In areas where the fire can result in large quantities of smoke which can
accumulate or gravitate to predictable locations, beam type smoke
detectors should be used as a supplement to the optical flame detection.
In congested areas it may not be possible to cover a risk area fully with
optical detectors. Linear heat detectors should be used to supplement the
optical flame detection.
(c) An alternative means of heat detection is the frangible bulb or fusible link
used with fire protection systems.
The infrared (IR) flame detectors should be on separate circuits from the heat or
smoke detectors and independently initiate any control actions.
4.7.1.7 Combined Ultra Violet/Infrared Flame Detectors
-
7/28/2019 RP30-5.pdf
47/81
-
7/28/2019 RP30-5.pdf
48/81
-
7/28/2019 RP30-5.pdf
49/81
-
7/28/2019 RP30-5.pdf
50/81
-
7/28/2019 RP30-5.pdf
51/81
-
7/28/2019 RP30-5.pdf
52/81
RP 30-5INSTRUMENTATION AND CONTROL - SELECTION AND USE
OF EQUIPMENT FOR INSTRUMENT PROTECTION SYSTEMS
PAGE 44
This document is not intended to cover those checks for pipeline leaks
such as visual inspection by line walking and overflying. Hand held and
aircraft mounted equipment for detecting the presence of hydrocarbons
or other substances are also excluded from this document.
5.2 Requirement for Pipeline Leak Detection
5.2.1 Regulatory and Legislative Framework
There is little in the way of national or international legislation
concerning the provision of pipeline leak detection systems, or the
capabilities of such systems. It is likely that more specific guidance will
be given in the next few years but this is unlikely to be of a prescriptive
or legislative nature. The USA is the exception to this where it is
expected that prescriptive legislation will be introduced.
Whereas, in general, the provision of leak detection is unlikely to be the
subject of prescriptive legislation, there is likely to be an increasing
demand on operators to demonstrate that all reasonable precautions are
being taken to avoid and mitigate the effects of any possible
environmental hazards.
In the UK, offshore pipelines are covered by legislative requirements relating to the
provision of leak detection, but only in the general sense. Onshore pipelines have
no specific leak detection requirements, although a leak detection system might
form part of a particular pipeline's safety notice. The nature of any system to be
installed and operated would normally be agreed with the appropriate local
regulatory authority prior to the granting of a pipeline operating licence. Section
5.3 provides guidance in selecting the most appropriate technology.
UK law currently requires the developer of any project likely to affect the
environment to undertake an environmental impact assessment and to provide 'a
description of the measures envisaged in order to avoid, reduce and if possible,
remedy the significant adverse effects'.
5.2.2 Risk Assessment
If not prescribed by legislation, the requirement for pipeline leak
detection will be determined by risk management considerations.
An environmental risk assessment should be carried out for eachpipeline system. The depth and complexity of the assessment will be
very much dependant on the particular pipeline. The factors which will
influence the environmental risk assessment will include:-
- the environmental sensitivity of the areas affected by the
pipeline routing (e.g. areas of special scientific interest,
proximity of shorelines, rivers and water courses, density of
human population)
-
7/28/2019 RP30-5.pdf
53/81
RP 30-5INSTRUMENTATION AND CONTROL - SELECTION AND USE
OF EQUIPMENT FOR INSTRUMENT PROTECTION SYSTEMS
PAGE 45
- the fluid carried by the pipeline
- the likely causes of pipeline leakage. Causes of pipeline leakage
can be divided into five main categories:-
- internal and external corrosion- third party damage- operational error- natural hazards- mechanical failure
An examination of the likely causes of failure will provide an indication
of the most likely leak (hole) sizes and hence leakage rates.
The potential risk to the environment and the potential for financial loss
are closely linked. The financial risk associated with pipeline leakage
arises from:-
- value of lost line contents
- clean-up costs associated with loss of line contents
- the possibility of a large scale clean-up operation hindering the
repair and re-instatement of the pipeline system.
- temporary or permanent loss of pipeline operating licence
- damages or fines imposed by criminal or civil courts
- loss of Company image as an environmentally concerned
operator, thereby impeding future applications for operating
licences.
In the case of liquid carrying pipelines the most environmentally sensitive routings
would include subsea and those close to shorelines, rivers and water courses. In a
marine or river environment, a relatively small quantity of liquid hydrocarbon will
be spread over a great area and can potentially cause a disproportionately large
amount of damage. Clean up costs for this type of spill can therefore be
considerable, making preventative and loss limiting measures cost effective. Toxiceffects from the release of unstabilised sour crudes also requires consideration if
the pipeline is routed in proximity to populated areas. This hazard is discussed
under gas transportation below.
Leakage of chemicals, particularly those soluble or miscible with water, once
released into marine or river environments are virtually impossible to recover. In
this case the clean up costs arise from the necessity to neutralise as far as possible
the harmful effects of the released chemicals. Additionally the claims for damages
arising out of pollution to water supplies are potentially very large. Against this
potential liability, preventative and loss limiting measures might be seen as cost
effective as well as being environmentally desirable. The toxic effects from
-
7/28/2019 RP30-5.pdf
54/81
RP 30-5INSTRUMENTATION AND CONTROL - SELECTION AND USE
OF EQUIPMENT FOR INSTRUMENT PROTECTION SYSTEMS
PAGE 46
chemicals released into the atmosphere also require consideration if the pipeline is
routed in proximity to human population.
The pipeline organisation CONCAWE maintains statistics of pipeline operation
including reported spillage's. These statistics are broken down into a number of
pipeline classifications and can therefore be used as a basis for estimating the
likelihood of leakage from various causes on a particular pipeline.
*Leakage's from hydrocarbon gas transportation pipelines have much smaller
potential for environmental pollution than leakage's from liquid carrying lines.
The environmental effects are limited to the release of greenhouse gases into the
atmosphere. Further, the quantities of gases involved are likely to be relatively
small compared to releases from natural sources. The main problems associated
with leakage from a hydrocarbon gas line are those of high levels of radiation from
an ignited leak, and the toxic effects of impurities in the gas. The potential risks
associated with leakage of sour gas (H2S) in proximity to human population are
considerable. In this case the automatic leak detection system might also require
the executive ability to shutdown, isolate and possibly de-pressurise the pipeline.
In the case of long pipelines the ability to isolate sections in sensitive areas mightalso be required.
5.2.3 Performance Targets for Pipeline Leak Detection
A performance target for the leak detection system should be set, based
on the conclusions of the environmental risk assessment discussed in
the previous section.
The performance target should aim, where practical, to reduce the
impact of the risks identified to a level capable of gaining wide
acceptance. The performance target should in any case significantlyreduce the impact of the risks identified. Once a performance target is
theoretically established an analysis of the potential technology in terms
of Leak Detection Systems can be carried out. If the performance
target derived from the risk assessment is known to be unachievable in
practical terms then a Leak Detection System based on the 'best
available technology' should be specified.
The following could form part of a performance target, either singularly
or in combination.
- minimum detectable leakage rate or sensitivity
- speed of response (possibly as function of leakage rate)
- maximum acceptable false alarm rate
As an example, if the major risk identified was thermal radiation from a leaking gas
or LPG line, then the performance target should comprise a minimum detectable
leakage rate. With the surrounding vessels and structures designed to withstand
say a 10 kw jet fire, then the minimum detectable leakage rate should be the
flowrate equivalent of the 10 kw fire.
-
7/28/2019 RP30-5.pdf
55/81
RP 30-5INSTRUMENTATION AND CONTROL - SELECTION AND USE
OF EQUIPMENT FOR INSTRUMENT PROTECTION SYSTEMS
PAGE 47
As a further example, if the major risk identified was leakage of crude oil into
coastal waters, then the performance target would probably comprise a speed of
response as a function of leakage rate. If the oil spill response facilities were
capable of containing say a 10 tonne oil spill under typical conditions, then a
measure of the required speed of response for the leak detection system would be
30 minutes for a 20 tonne/hr leak and 2 minutes for a 300 tonne/hr leak.
5.3 Design and Selection
5.3.1 General Criteria
The design and selection of an automatic leak detection system will be
influenced by the following:-
- The performance target for the leak detection system. The
setting of a performance target is discussed in the previous
section.
- The capabilities of the available leak detection systems in
meeting the performance target, given the nature and operating
conditions of the particular pipeline. Outlines of well
established and developmental systems for leak detection are
provided later in this section.
- The availability of existing facilities (or the requirement for
facilities in the case of a new pipeline) which could form part of
a leak detection system. An example of this would be meteringequipment installed for fiscal purposes.
- Existing integrity checking techniques carried out on the
pipeline (inventory balances based on tank gauging for
example). The selected leak detection method should be
complimentary to any existing techniques by providing
increased sensitivity or speed of response.
The number of alarms produced by a leak detection system that indicate
a genuine leak will be few in number. Indeed if appropriate pipeline
integrity measures are taken, zero genuine leak alarms could be hopedfor over the lifetime of the system. Therefore, in order to maintain the
credibility of a leak detection system the spurious or false alarm rate
needs to be maintained at a suitably low level. A system with a high
false alarm rate will tend to be discounted and not provide the intended
protection.
The design and selection of a leak detection system is very much
dependent on the individual characteristics and circumstances of a
particular pipeline. However the following outlines of automatic leak
-
7/28/2019 RP30-5.pdf
56/81
-
7/28/2019 RP30-5.pdf
57/81
-
7/28/2019 RP30-5.pdf
58/81
-
7/28/2019 RP30-5.pdf
59/81
-
7/28/2019 RP30-5.pdf
60/81
-
7/28/2019 RP30-5.pdf
61/81
-
7/28/2019 RP30-5.pdf
62/81
-
7/28/2019 RP30-5.pdf
63/81
-
7/28/2019 RP30-5.pdf
64/81
-
7/28/2019 RP30-5.pdf
65/81
-
7/28/2019 RP30-5.pdf
66/81
-
7/28/2019 RP30-5.pdf
67/81
-
7/28/2019 RP30-5.pdf
68/81
RP 30-5INSTRUMENTATION AND CONTROL - SELECTION AND USE
OF EQUIPMENT FOR INSTRUMENT PROTECTION SYSTEMS
PAGE 60
-
7/28/2019 RP30-5.pdf
69/81
-
7/28/2019 RP30-5.pdf
70/81
RP 30-5INSTRUMENTATION AND CONTROL - SELECTION AND USE
OF EQUIPMENT FOR INSTRUMENT PROTECTION SYSTEMS
PAGE 62
APPENDIX A
DEFINITIONS AND ABBREVIATIONS
Definitions
Standardised definitions may be found in the BP Group RPSEs Introductory Volume.
The following general definitions are applicable to all Parts of this Recommended Practice:-
contract: the agreement or order between the purchaser and
the vendor (however made) for the execution of the
works including the conditions, specification and
drawings (if any) annexed thereto and such
schedules as are referred to therein.
cost of ownership: the life cost of a system including initial supply
contract value, installation cost, ongoing support
costs (e.g. spares, maintenance and service charges).
Ex: electrical apparatus protected to meet hazard
classification in accordance withBS 5345.
works: all equipment to be provided and work to be carried
out by the vendor under the contract.
The following definitions apply to Part 4 of this Recommended Practice:-
addressable system: a system in which analogue or digital signals from
each head (detector or manual callpoint) are
individually identified at the control panel.
addressable head module: the control panel mounted unit in an addressable
detection system interfacing with the field equipment
via a data highway, handling alarm and fault
detection functions. Also know as an Addressable
Loop Interface Module (ALIM).
circuit: the most precise identification in a hard-wired
detection system of the location of an alarm within
the fire area.
control action: an output from the control panel that can initiate
extinguishant discharge, request ESD action, stop
fans and close fire dampers etc. Control actions are
divided into two groups per fire area for inhibit
functions:-
http://external%20standards%20organisations.pdf/http://external%20standards%20organisations.pdf/http://external%20standards%20organisations.pdf/ -
7/28/2019 RP30-5.pdf
71/81
-
7/28/2019 RP30-5.pdf
72/81
-
7/28/2019 RP30-5.pdf
73/81
-
7/28/2019 RP30-5.pdf
74/81
RP 30-5INSTRUMENTATION AND CONTROL - SELECTION AND USE
OF EQUIPMENT FOR INSTRUMENT PROTECTION SYSTEMS
PAGE 66
BP GroupRP 32-6 Inspection and Testing of In-Service Instrumentation
(replaces BP CP 52)
BP GroupRP 44-1 Overpressure Protection Systems
(replaces BP CP 14)
BP GroupGS 112-2 Electric Motor Operated Valve Actuators for
Intermittent Operation of Isolation Valves
(replaces BP Std 152)
BP GroupGS 130-6 Actuators for Shut-Off Valves
BP GroupGS 130-9 Specification for the Supply of Shutdown Systems
BP Group GS 130-10 Specification for the Supply of Fire and Gas Systems
http://rp32-6.pdf/http://rp32-6.pdf/http://rp44-1.pdf/http://rp44-1.pdf/http://gs112-2.pdf/http://gs112-2.pdf/http://gs130-6.pdf/http://gs130-6.pdf/http://gs130-9.pdf/http://gs130-9.pdf/http://gs130-10.pdf/http://gs130-10.pdf/http://gs130-9.pdf/http://gs130-6.pdf/http://gs112-2.pdf/http://rp44-1.pdf/http://rp32-6.pdf/ -
7/28/2019 RP30-5.pdf
75/81
-
7/28/2019 RP30-5.pdf
76/81
-
7/28/2019 RP30-5.pdf
77/81
-
7/28/2019 RP30-5.pdf
78/81
-
7/28/2019 RP30-5.pdf
79/81
RP 30-5INSTRUMENTATION AND CONTROL - SELECTION AND USE
OF EQUIPMENT FOR INSTRUMENT PROTECTION SYSTEMS
PAGE 71
C1.7 HVAC Status Displays
Separate mimic displays shall show the status of each HVAC system in
a single line diagram format.
C1.8 Alarm Listings
Standard alarm listings shall be available, detailing tag number, alarm
type, location and time, on a rolling alarm principle. Each line shall be
tagged, and shall indicate the time of occurrence.
Alarm text shall be shown red flashing until accepted, changing to non
flashing indication.
Fault and inhibit text shall be shown yellow flashing until accepted,
changing to non flashing indication.
Status text shall be shown in white with the above accept facilities.
There shall be two alarm listings, one 'current' showing fire, gas,
manual call point and fault. A second alarm listing shall be available for
historical records and maybe sorted for display on either a device type
basis and/or a time period basis via the directory.
The historical alarm listing shall be capable of listing all events and
operator actions. Storage capacity shall be capable of holding on filethe last 2500 events.
C1.9 Help Displays
The system vendor shall incorporate any required 'help' actions
applicable to his system.
C1.10 Printer Facilities
All alarms received into the system shall be available on hard copy from
the printer on demand. Each entry shall comprise a full line identical tothe historical alarm listing display. Events to be logged shall include
the following:-
Incoming alarms and faults
Output actions
Inhibits
Alarm accepts
Alarm resets
System faults
-
7/28/2019 RP30-5.pdf
80/81
RP 30-5INSTRUMENTATION AND CONTROL - SELECTION AND USE
OF EQUIPMENT FOR INSTRUMENT PROTECTION SYSTEMS
PAGE 72
C2 ALARM HANDLING
For both Area and Expanded Mimics, the sensor symbols which are not in alarm are
presented green on black. This way, shape recognition is possible, but the symboldoes not attract attention.
Whenever a sensor goes into alarm the status indication at base of display area shall
start flashing and the audible alarm will sound. It is now p