rp30-5.pdf

Upload: nicholas-garrett

Post on 03-Apr-2018


    RP 30-5

    INSTRUMENTATION AND CONTROL

    SELECTION AND USE OF EQUIPMENT

    FOR INSTRUMENT PROTECTION

    SYSTEMS

    November 1993

    Copyright The British Petroleum Company p.l.c.


    All rights reserved. The information contained in this document is

    subject to the terms and conditions of the agreement or contract under

    which the document was supplied to the recipient's organisation. None

    of the information contained in this document shall be disclosed outside

    the recipient's own organisation without the prior written permission of

    Manager, Standards, BP International Limited, unless the terms of such

    agreement or contract expressly allow.


    RP 30-5 INSTRUMENTATION AND CONTROL - SELECTION AND USE

    OF EQUIPMENT FOR INSTRUMENT PROTECTION SYSTEMS


    CONTENTS

    Section

    FOREWORD
    1. INTRODUCTION
        1.1 Scope
        1.2 Application
        1.3 Units
        1.4 Quality Assurance
    2. PROTECTIVE INSTRUMENTATION SYSTEMS
        2.1 General Requirements
        2.2 Choice of Equipment for Protective Systems
        2.3 System Design
        2.4 Equipment Recommendations
        2.5 Testing
        2.6 Integrity Assessment
        2.7 Design Documentation
    3. ALARM SYSTEMS
        3.1 General Requirements
        3.2 Categories of Alarms
        3.3 Measurement Interface
        3.4 Panel Annunciators
        3.5 VDU Based Annunciators
        3.6 Audible Alarms
        3.7 Microprocessor Based Alarm Systems
    4. FIRE AND GAS DETECTION AND CONTROL SYSTEM
        4.1 General
        4.2 Fire and Gas Control Panel Equipment
        4.3 Annunciation and Display
        4.4 Control Actions
        4.5 Fire Protection System Controls
        4.6 Telemetry Systems
        4.7 Field Equipment
        4.8 Remote Fire and Gas Panels
        4.9 Drawings and Documentation
    5. PIPELINE LEAK DETECTION SYSTEMS
        5.1 Scope
        5.2 Requirement for Pipeline Leak Detection
        5.3 Design and Selection
        5.4 Operation, Maintenance and Testing
    FIGURE 1 - DRAWING SYMBOLS FOR FIRE AND GAS LAYOUTS
    FIGURE 2 - TYPICAL FIREPUMP START LOGIC DIAGRAM


    FIGURE 3 - FIRE PUMP CAUSE & EFFECT DIAGRAM
    FIGURE 4 - TYPICAL CONTROL ACTION MATRIX
    FIGURE 5 - TYPICAL FIRE AND GAS DETECTION SYSTEM BLOCK DIAGRAM
    APPENDIX A
        DEFINITIONS AND ABBREVIATIONS
    APPENDIX B
        LIST OF REFERENCED DOCUMENTS
    APPENDIX B1
        APPLICABLE STANDARDS AND LEGISLATION (UK) FOR FIRE AND GAS SYSTEMS
    APPENDIX C
        TYPICAL FIRE AND GAS VDU PHILOSOPHY
        C1. GENERAL DESCRIPTION
            C1.1 Area Mimics
            C1.2 Expanded Mimics
            C1.3 Alarm Banner Area
            C1.4 Bar Chart Displays
            C1.5 Tabular Switch State Displays (Page Displays)
            C1.6 Fire Pump/Ring Main Display
            C1.7 HVAC Status Displays
            C1.8 Alarm Listings
            C1.9 Help Displays
            C1.10 Printer Facilities
        C2 ALARM HANDLING
        C3 DISPLAY ACCESS
            C3.1 Direct Access
            C3.2 Previous/Next Paging
            C3.3 Fast Access
        C4 DIRECTORY STACK


    It is intended to review and update this document at regular intervals, because it is essential to

    maintain BP's commercial advantage from the effective deployment of the rapidly developing

    technology covered by this Practice.

    Application

    'Specification' or 'Approval' actions are indicated by an asterisk (*) preceding a paragraph

    number.

    Text in italics is Commentary. Commentary provides background information which supports

    the requirements of the Recommended Practice, and may discuss alternative options.

    This document may refer to certain local, national or international regulations but the

    responsibility to ensure compliance with legislation and any other statutory requirements lies

    with the user. The user should adapt or supplement this document to ensure compliance for

    the specific application.

    Principal Changes since last Issue

    Principal changes to Sections Issued from March 1991:

    (a) The Practice has been revised to the new format to rationalise the sections and to

    integrate the commentary into the main text.

    (b) The sections have been updated to include references to new standards and reflect

    changes in operating practices.

    (c) Section numbering has been amended to suit the applicable part.

    The cross-references at the end of this foreword show relationships between new documents

    and the old CP 18.

    Feedback and Further Information

    Users are invited to feed back any comments and to detail experiences in the application of

    BP RPSEs, to assist in the process of their continuous improvement.

    For feedback and further information, please contact Standards Group, BP International or

    the Custodian. See Quarterly Status List for contacts.


    LIST OF SECTIONS CROSS REFERENCED TO CP 18

    RP 30-1 TO RP 30-5        CP 18 PARTS AND SECTIONS

    No equivalent in RP 30-X        Part 1 (Foreword and Introduction)

    RP 30-1 INSTRUMENTATION AND CONTROL DESIGN AND PRACTICE        Part 2 Systems, Design and Practice

    Section 1 Introduction    E    Section 1 Introduction
    Section 2 Control Engineering Principles    E    Section 2 Control Engineering Principles
    Section 3 Selection of Instrumentation Equipment    E    Section 3 Selection of Instrumentation Equipment
    Section 5 Earthing and Bonding    E    Section 5 Earthing and Bonding
    Section 6 Instrument Power Supplies    E    Section 6 Instrument Power Supplies
    Section 7 Instrument Air Systems    E    Section 7 Instrument Air Systems
    Section 8 Hydraulic Power Systems    E    Section 8 Hydraulic Power Systems
    Section 9 Control Panels    E    Section 9 Control Panels
    Section 10 Control Buildings    E    Section 10 Control Buildings
    Section 11 Instrument Database Systems        Section 11 Digital Systems (to RP 30-4, Sect. 2)
    + Section 12 Adv. Cntrl Sys. (to RP 30-4, Sect. 5)
    + Section 13 Telecommunications (to RP 30-4, Sect. 3)

    RP 30-2 INSTRUMENTATION AND CONTROL SELECTION AND USE OF MEASUREMENT INSTRUMENTATION        Part 3 Measurement

    Section 1 Introduction    E    Section 1 Introduction
    Section 2 Temperature Measurement    E    Section 2 Temperature Measurement
    Section 3 Pressure Measurement    E    Section 3 Pressure Measurement
    Section 4 Liquid Level Measurement    E    Section 4 Liquid Level Measurement
    Section 5 Flow Measurement    E    Section 5 Flow Measurement
    Section 6 Storage Tank Measurement    E    Section 6 Storage Tank Measurement
    Section 7 On Line Analytical Measurement    E    Section 7 Measurement
    Section 8 Automatic Samplers for Offline Analysis    E    Section 8 Automatic Samplers for Offline Analysis
    Section 9 Weighbridges and Weighscales    E +    Section 9 Weighing Systems
    Section 10 Environmental Monitoring
    Section 11 Instrumentation for HVAC systems
    Section 12 Drilling Instrumentation

    RP 30-3 INSTRUMENTATION AND CONTROL SELECTION AND USE OF CONTROL AND SHUTOFF VALVES        Part 4 Valves and Actuators

    Section 1 Introduction    E    Section 1 Introduction
    Section 2 Regulating Control Valves    E    Section 2 Regulating Control Valves
    Section 3 Power Actuated Isolating Valves    E    Section 3 Power Actuated Isolating Valves

    RP 30-4 INSTRUMENTATION AND CONTROL SELECTION AND USE OF CONTROL AND DATA ACQUISITION SYSTEMS

    Section 1 Introduction
    Section 2 Digital Systems (new commentary added)
    Section 3 Telecommunications
    Section 4 Subsea Control Systems
    Section 5 + Advanced Control Systems

    RP 30-5 INSTRUMENTATION AND CONTROL SELECTION AND USE OF EQUIPMENT FOR INSTRUMENT PROTECTION SYSTEMS        Part 5 Protective Systems

    Section 1 Introduction    E    Section 1 Introduction
    Section 2 Protective Instrument Systems    E    Section 2 Protective Instrument Systems
    Section 3 Alarm Systems    E    Section 3 Alarm Systems
    Section 4 Fire and Gas Detection and Control Systems    E    Section 4 Fire and Gas Detection and Control Systems
    Section 5 Pipeline Leak Detection    E +    Section 5 Pipeline Leak Detection

    E - equivalent (not identical)

    + - yet to be published


    1.4 Quality Assurance

    Verification of the vendor's quality system is normally part of the pre-qualification

    procedure, and is therefore not specified in the core text of this specification. If

    this is not the case, clauses should be inserted to require the vendor to operate and

    be prepared to demonstrate the quality system to the purchaser. The quality system

    should ensure that the technical and QA requirements specified in the enquiry and

    purchase documents are applied to all materials, equipment and services provided

    by sub-contractors and to any free issue materials.

    Further suggestions may be found in the BP Group RPSEs Introductory Volume.

    2. PROTECTIVE INSTRUMENTATION SYSTEMS

    This Section details BP recommendations for instruments, logic

    systems and valves which make up a protective instrumentation system

    and should be read in conjunction with BP Group GS 130-9

    'Specification for the supply of Shutdown Systems'. Compliance with

    all applicable statutory regulations at the final point of installation is

    mandatory, and shall take precedence over the basis for design covered

    by this Recommended Practice.

    2.1 General Requirements

    * 2.1.1 BP Group RP 30-6 specifies BP process design requirements for

    protective instrumentation systems and the actions to be taken. A

    system shall be provided to meet these requirements. Where the

    requirements of this Recommended Practice conflict with other

    documents, the matter shall be referred to BP.

    2.1.2 A schedule should be prepared listing all process conditions to be

    monitored by protective systems. It shall define the limits of safe

    operation and protective action to be taken in the event of a

    transgression. The schedule shall list the consequences of failure on

    demand and the application category.

    2.1.3 Failure of the protective instrumentation shall not cause the plant to go

    to an unsafe condition. The effect of failure of any function or group of

    functions should be fully analysed and the results of this investigation

    used to determine the design of the protective instrumentation.

    2.1.4 The action on loss of power supply to protective instrumentation

    system shall cause the plant to trip.

    Systems which energise to trip may be considered for certain Category 2

    applications where spurious operation would cause more serious consequences

    than lost production. In such cases a study should be carried out to determine the

    following:-


    Where the system, in addition to providing facilities similar to

    those offered by limited variability systems, provides facilities

    similar to those in a mini-computer based real-time system, e.g.

    displays, high level languages and data links.

    (iv) Pneumatic or hydraulic logic systems. These systems are only

    applicable to simple applications.

    (v) Hybrid system comprising more than one of the above.

    Points to be considered in the application of programmable electronic systems

    include:-

    (a) Failure and Failure Modes

    Because a single microprocessor is often used to execute the logic of the

    application, its failure, or that of an associated component, will usually result in

    some or all logic being halted, e.g. plant protection may be lost.

    It is unlikely that the mechanism of failure can be predicted and it is also

    possible that a fault may lie unrevealed. To overcome these two

    difficulties, it is necessary to arrange, usually by external equipment, to

    detect failure and take action (usually by forcing plant outputs to a safe

    state). In addition, to reveal dormant faults, it is necessary to test the

    system regularly. It is therefore of the utmost importance to consider the

    outcome of the failure states in plant design.

    In addition to hardware faults, software problems can occur. Software

    failure cannot occur, but software faults can result either from operating

    system software being insufficiently tested to reveal faults, or from the

    application software being unable to cope with a certain plant condition.

    The danger is that in each case the fault may lie dormant until a particular

    plant condition is reached and the system then 'fails'. Recognition of these

    two possibilities leads to important strategies concerning the selection and

    testing of the system. In the case of faults in the operating system, these

    can be minimised by selecting a manufacturer who has a standard product

    implemented widely in industry. In the case of application software it is

    necessary to apply strict control of the development process and undertake

    verification of each stage. It is also essential to allow adequate time to

    test the functions of the application software, both at the development

    phase and on the actual plant.

    To minimise problems with software, full variability systems should be

    avoided. They should only be considered where the complexity of

    the application requires advanced algorithms.

    Some manufacturers offer designs which are fault tolerant and this can be

    of benefit in applications where high integrity is required.

    (b) Modifications

    Because such systems provide flexibility and convenience in configuring

    logic to meet plant requirements, there is a danger that such flexibility

    applied in an uncontrolled fashion can lead to downgrading of plant

    protection following injudicious modification of application software. It is


    therefore important to ensure that access to, and modifications of, the

    application software is closely controlled.

    (c) Overrides and Interlocks

    Where override or interlock facilities are provided by application

    software, a facility should be provided to ensure that the operator and

    plant manager are aware that the plant is being operated in such a

    fashion. If the application of overrides is not closely monitored, there is a

    danger that plant protection is gradually downgraded.
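
    One way to provide the override awareness described in (c), as an added example that is not part of RP 30-5: a register rebuilt from override set/clear records, listing what is overridden now, what has stood too long, and how the count of standing overrides has grown. The record format, tags, user names and the 24-hour review limit are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

MAX_AGE = timedelta(hours=24)  # assumed review limit; the Practice sets none

# Constructed sample records: timestamp, action, protective function tag, user.
SAMPLE_LOG = """\
1993-11-01T06:10 SET   PSHH-101 j.smith
1993-11-01T14:30 CLEAR PSHH-101 j.smith
1993-11-02T09:00 SET   LSLL-204 a.jones
1993-11-03T11:45 SET   TSHH-310 j.smith
1993-11-03T12:00 CLEAR TSHH-999 a.jones
1993-11-05T08:20 SET   PSHH-101 k.patel
"""


def parse_log(text):
    """Turn log lines into time-ordered (timestamp, action, tag, user) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, action, tag, user = line.split()
        events.append((datetime.fromisoformat(stamp), action, tag, user))
    return sorted(events)


def replay(events, until):
    """Rebuild the override register as it stood at `until`.

    Returns (active, anomalies): active maps tag -> (since, user); anomalies
    lists records that do not fit the register and need investigation.
    """
    active, anomalies = {}, []
    for stamp, action, tag, user in events:
        if stamp > until:
            break
        if action == "SET":
            if tag in active:
                anomalies.append((stamp, tag, "SET while already overridden"))
            else:
                active[tag] = (stamp, user)
        elif action == "CLEAR":
            if active.pop(tag, None) is None:
                anomalies.append((stamp, tag, "CLEAR without matching SET"))
        else:
            anomalies.append((stamp, tag, "unknown action"))
    return active, anomalies


def overdue(active, now, max_age=MAX_AGE):
    """Tags whose override has stood longer than the review limit."""
    return sorted(tag for tag, (since, _) in active.items()
                  if now - since > max_age)


def daily_active_counts(events, first_day, days):
    """Standing overrides at the end of each day: a rising series is the
    gradual downgrading of protection the text warns about."""
    counts = []
    for n in range(days):
        end_of_day = first_day + timedelta(days=n, hours=23, minutes=59)
        active, _ = replay(events, end_of_day)
        counts.append(len(active))
    return counts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    now = datetime(1993, 11, 5, 12, 0)
    active, anomalies = replay(events, now)
    print("Active overrides:", sorted(active))
    print("Overdue for review:", overdue(active, now))
    print("Anomalies:", anomalies)
    print("Daily standing count:",
          daily_active_counts(events, datetime(1993, 11, 1), 5))
```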

    Advantages of programmable systems include the following:-

    (i) Space saving

    (ii) Low power

    (iii) Ease of configuration

    (iv) Ease of reconfiguration

    (v) Fault diagnosis

    (vi) Simple interface to computers

    Disadvantages of programmable systems include:-

    (i) Statutory authorities may impose strict requirements for their

    application on any safety related duty.

    (ii) Hardware and software faults (revealed or unrevealed) may result

    in common mode failure and seriously impair functionality.

    Careful selection of vendor and his proposal is essential to

    ensure:-

    - Vendor has proven experience in the supply of similar

    sized systems.

    - Vendor has an established and effective QA system for both

    hardware and software design and implementation; including

    modification procedures.

    - Bought-in hardware and software complies with above.

    (iii) Additional costs can arise in meeting the software QA

    requirements.

    (iv) Such systems can be complex leading to more difficult and time

    consuming fault finding. This can lead to higher cost of training.

    2.2.3 When programmable systems are provided, their failure modes should

    be fully considered. The systems should be designed such that in the

    event of a system failure the plant is not put into an unsafe condition.

    If failure of the shutdown system could cause an unsafe condition,

    other equipment or systems should be provided to ensure that the plant

    is maintained in a safe state.


    A hybrid system using both discrete logic and programmable systems may provide

    the optimum solution. Hybrid systems also have the advantage of diversity and

    reduce the probability of common mode failure.

    2.3 System Design

    2.3.1 Overall design shall comply with BP Group RP 30-1 and the

    requirements of BP Group RP 30-6.

    API RP 14C for offshore applications requires that each safety system comprise two

    levels of protection to prevent or minimise the effects of an equipment failure within

    the process. The two levels of protection should be independent of and in addition

    to the control devices used in normal process operation. The first method of

    protection is normally instrument based, the secondary method is normally by self

    acting devices such as relief valves.

    Where a Category 1 system is used to prevent hazards arising this may be

    adequate acting alone providing:-

    (a) The system used complies with the requirements for a Category 1 system

    as defined in BP Group RP 30-6.

    (b) A full integrity analysis has shown that an acceptable standard of safety

    has been achieved.

    (c) The effects of common mode failure have been considered in the reliability

    analysis.

    2.3.2 For a Category 1 application a single failure during normal operation

    shall not cause the system to fail to perform its intended function.

    2.3.3 For a Category 2A application involving serious commercial or

    environmental loss, multiple sensors, logic and final actuation devices

    should be used unless evaluation of the additional reliability and costs

    against the probability of reducing business loss can be shown to be

    uneconomic or environmentally unacceptable.

    2.3.4 For a Category 2B application the use of single sensor, logic and final

    actuation device is normally considered adequate.

    2.3.5 In voting systems, precautions shall be taken to avoid degradation of

    the protection through common faults in the system.

    Examples of common mode problems include blockage of single pressure tappings,

    blowing of common supply fuses to input channels, or accidental damage to cables

    run on a common cable tray, or along the same route. Separation of individual

    protection channels is normally required.

    2.3.6 Category 1 systems need not comprise one discrete system of

    sensors, voting systems and valves.


    The operation of motor operated valve actuators shall be controlled by

    d.c. operated interposing relays, integral with the motor starter. The

    d.c. supply voltage shall be derived from the protective system and shall

    be independent of the contactor control supply.

    The reversing starter, interlocking and signalling switches shall be

    integral with the actuator.

    When the operation of two or more electrically operated valves has to

    be interlocked, (e.g. in order to ensure that a bypass valve is open

    before the line main valve is permitted to close and vice versa), this

    interlocking shall be done only in the main electrical contactor circuits.

    The design shall ensure that any interlocks are effective in all 'remote'

    and 'local' modes of control.

    Actuators fitted to emergency shutdown valves on critical applications

    involving plant safety shall conform with BP Group GS 130-6 and

    should be provided with transducers for measuring on-line

    performance.

    If the actuator does not reach the required position within a

    predetermined time period after action is initiated, a 'valve fault' alarm

    shall warn the operator. The alarm supply shall be independent of the

    actuator supply.

    Performance measurement is particularly important on large valves where the

    actuator design margin may be reduced by wear or fouling.
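
    The 'valve fault' timing check and the stroke-time trending described above, as an added example that is not part of RP 30-5. The tag XV-101, the 30 s travel limit, the 80% early-warning fraction and the event records are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed figures: the Practice only says "predetermined time period".
TRAVEL_LIMIT_S = 30.0    # hypothetical allowed stroke time for tag XV-101
WARN_FRACTION = 0.8      # hypothetical early-warning share of that limit


@dataclass
class ValveSupervisor:
    """Stroke timer for one shutdown valve, meant to run in logic whose
    supply is independent of the actuator supply."""
    tag: str
    limit_s: float = TRAVEL_LIMIT_S
    target: Optional[str] = None       # position demanded by the last command
    started: Optional[float] = None    # time that command was initiated
    fault_latched: bool = False        # stays set until reset() by the operator
    stroke_times: List[float] = field(default_factory=list)

    def command(self, t, target):
        """Protective action initiated: start timing the stroke."""
        self.target, self.started = target, t

    def feedback(self, t, position):
        """Limit-switch report; returns the stroke time once the target is reached."""
        if self.started is None or position != self.target:
            return None
        stroke = t - self.started
        self.stroke_times.append(stroke)
        self.started = None
        return stroke

    def tick(self, t):
        """Periodic check; returns the time the limit expired, once per fault."""
        if self.started is None or self.fault_latched:
            return None
        deadline = self.started + self.limit_s
        if t > deadline:
            self.fault_latched = True
            return deadline
        return None

    def reset(self):
        """Operator acknowledgement clears the latched fault."""
        self.fault_latched = False


def replay(sup, events, end_time):
    """Feed (time, kind, value) records through the supervisor and collect
    alarms. kind is 'CMD' (demanded position) or 'POS' (position reached)."""
    alarms = []
    for t, kind, value in sorted(events):
        expired = sup.tick(t)
        if expired is not None:
            alarms.append((expired, sup.tag, "VALVE FAULT"))
        if kind == "CMD":
            sup.command(t, value)
        elif kind == "POS":
            stroke = sup.feedback(t, value)
            # Slower strokes that still meet the limit show shrinking margin.
            if stroke is not None and \
                    WARN_FRACTION * sup.limit_s < stroke <= sup.limit_s:
                alarms.append((t, sup.tag, "STROKE TIME WARNING"))
    expired = sup.tick(end_time)
    if expired is not None:
        alarms.append((expired, sup.tag, "VALVE FAULT"))
    return alarms


# Constructed records (seconds): strokes of 18 s, 22 s and 26 s, then one
# that reaches the open position only 45 s after the command.
EVENTS = [
    (0, "CMD", "CLOSED"), (18, "POS", "CLOSED"),
    (100, "CMD", "OPEN"), (122, "POS", "OPEN"),
    (200, "CMD", "CLOSED"), (226, "POS", "CLOSED"),
    (300, "CMD", "OPEN"), (345, "POS", "OPEN"),
]


def demo():
    sup = ValveSupervisor("XV-101")
    return replay(sup, EVENTS, end_time=400), sup


if __name__ == "__main__":
    alarms, sup = demo()
    for alarm in alarms:
        print(alarm)
    print("stroke times:", sup.stroke_times)
```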

    2.4.3 Circuit Modules

    Removal of a plug-in module should initiate a shut-down action to/from

    the system for that module position. Alternatively for Category 2b

    applications the system may remain in the untripped state providing

    diagnostics are provided to indicate to the operator that the system is

    no longer active.

    Modules that need to be calibrated, e.g. analogue input modules,

    should have defeat and test facilities that allow in situ calibration by a

    single technician.

    The system as a whole, and each type of module, shall be unaffected by

    radio frequency interference, even when doors or covers are removed

    for maintenance.

    * When the modules incorporate self diagnostic circuitry, the choice of

    alarm or trip action to be taken on detection of a fault, shall be subject

    to approval by BP.


    Each output module shall control a separately fused supply to each

    associated actuator. The output fuses shall be individually accessible.

    Plug-in modules should be removable under power.

    2.4.4 System Alarms

    Protective systems should have facilities to monitor failure states.

    There should be alarms for system malfunctions, and for the loss of

    power supplies to the logic and external circuits.

    2.4.5 Power Supplies

    Power supplies for protective systems shall be Class A as defined in BP

    Group RP 12-5.

    Relay systems shall be segregated into functional loops, each supplied

    through a separate switch and fuse.

    On earth-free systems, double pole power switches shall be used.

    Separate power supplies should be used for actuation circuits unless it

    can be shown that the effect of switching transients is unlikely to affect

    input or logic circuits.

    The filter circuits of input modules and logic power supplies will need to be

    considered to establish adequate rejection of transients.

    Batteries shall be capable of maintaining power for logic and actuating

    devices for a pre-defined period following a primary power supply

    failure. (Refer to Section 6 of BP Group RP 30-1).

    The pre-defined period will need to be sufficient to allow an orderly

    shutdown of the process. The period will depend on the complexity of

    the process and the available manning. The period should be agreed

    with those responsible for Operations Management.

    The components of the logic power supplies should be so arranged as

    to permit any one of them to be removed for maintenance while the

    system stays on line, and under power.

    2.5 Testing

    2.5.1 Facilities to enable on-line testing of protective instrument systems

    should be provided unless adequate reliability can be achieved by

    testing during planned shutdowns. On spared equipment, batch or

    cyclic processes, test facilities for use on line are not required provided


    Test facilities which prevent the system fulfilling its intended function

    should be avoided.

    The frequency and method of testing should be those which have been

    shown by reliability analysis to give acceptable integrity.

    2.5.6 Category 2A Systems

    Category 2A systems with multiple sensors, logic and trip valves should

    be tested as for the Category 1 system. For 2A systems using single

    sensors and logic, the testing will be determined by the reliability

    requirements.

    2.5.7 Category 2B Systems

    Testing on line of final actuator devices may not be required. An

    adequate level of integrity may be achieved by testing at plant or spared

    equipment shutdown.

    2.6 Integrity Assessment

    2.6.1 General

    2.6.1.1 The design of the shutdown systems shall be such to ensure the

    necessary integrity is achieved.

    A system can fail to meet its intended function because of random

    hardware failures or systematic failure.

    Random hardware failures result from a variety of normal degradation mechanisms

    in the hardware. The failure rate arising from this type of failure may be predicted

    by reliability analysis provided that accurate failure rate and demand rate data are

    available.

    Systematic failures arise due to errors in design, construction or use of the system

    and cause a system to fail under particular combinations of inputs or under some

    environmental conditions. Systematic failures can be due to errors or omissions in

    the system requirements specification or errors in the design, manufacture,

    installation or operation of the hardware or software. The failure rate arising from

    this type of failure cannot be predicted by reliability analysis.

    In the event of the assessment not being carried out by BP it will be necessary prior

    to the start of the study to ensure that the contractor or consultant has the

    necessary procedures, data and skilled resources to carry out the design

    assessment.

    2.6.1.2 For Category 1 or for those Category 2A applications involving major

    environmental risk, a quantified assessment of the system should be

    carried out to ensure compliance with required hazard rate and

    reliability. The study shall be subjected to detailed audit by engineers not

    involved in the design process.

    For Category 2A systems involving economic or minor environmental

    risk, the reliability of systems may be qualitatively assessed by

    considering the extent of redundancy applied in the system design. Where the demand rate is assessed as low and the implications of

    failure on demand are not large then this qualitative assessment may be

    adequate. Where a reliability analysis is judged to be unnecessary for a

    Category 2A application the reasons shall be recorded for approval.

    The use of independent audit should be considered optional, but is

    recommended where major economic risk is involved.

    The local operating management or their representative should agree at

    the design stage the level of maintenance and testing work.

    In carrying out the analysis it is important that the following is agreed with those

    responsible for the process and instrument design.

    (a) The risks to be quantified.

    (b) The events leading to the risks i.e. the fault trees.

    (c) The data to be used for failure rates and demand rates.

    (d) Whether operator intervention can be included.

    (e) The assumptions made on which the validity of the results depend.

    (f) The test procedure and test intervals.
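
    The following is an added worked example, not part of RP 30-5, showing how items (c) and (f) above (failure rate, demand rate and test interval) combine into a hazard rate. It uses the standard simplified low-demand approximations, which this document does not itself state; all numeric inputs, the beta factor and the 0.1 validity limit are constructed assumptions.

```python
"""Added illustration (not from RP 30-5): hazard rate of a trip system from
failure rate, proof-test interval and demand rate. All inputs are constructed."""


def _check_small(lam, t):
    # The approximations below assume lam * t << 1; 0.1 is an assumed limit.
    if lam <= 0 or t <= 0:
        raise ValueError("failure rate and test interval must be positive")
    if lam * t >= 0.1:
        raise ValueError("lam * t too large for the simplified equations")


def pfd_1oo1(lam, t):
    """Average probability of failure on demand, single channel.

    An unrevealed fail-to-danger fault stays hidden, on average, for half
    the proof-test interval, so the fractional dead time is lam * t / 2.
    lam: unrevealed dangerous failure rate (per year); t: test interval (years).
    """
    _check_small(lam, t)
    return lam * t / 2.0


def pfd_1oo2(lam, t, beta):
    """Two identical channels, either of which can trip (1oo2).

    beta is the fraction of failures that disable both channels together
    (common cause); that fraction gains nothing from the duplication.
    """
    _check_small(lam, t)
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must lie between 0 and 1")
    independent = ((1.0 - beta) * lam * t) ** 2 / 3.0
    common_cause = beta * lam * t / 2.0
    return independent + common_cause


def hazard_rate(demand_rate, pfd):
    """Hazardous events per year = demands per year x PFD (low-demand case)."""
    return demand_rate * pfd


def max_test_interval_1oo1(lam, demand_rate, target_hazard_rate):
    """Longest proof-test interval (years) at which 1oo1 meets the target."""
    return 2.0 * target_hazard_rate / (demand_rate * lam)


def assess(lam, t, demand_rate, beta, target_hazard_rate):
    """Compare a single channel with a duplicated one against a target."""
    single = pfd_1oo1(lam, t)
    dual = pfd_1oo2(lam, t, beta)
    out = {}
    for name, pfd in (("1oo1", single), ("1oo2", dual)):
        h = hazard_rate(demand_rate, pfd)
        out[name] = {"pfd": pfd, "hazard_rate": h,
                     "meets_target": h <= target_hazard_rate}
    out["max_test_interval_1oo1"] = max_test_interval_1oo1(
        lam, demand_rate, target_hazard_rate)
    # Share of the duplicated system's PFD that is due to common cause.
    out["common_cause_share_1oo2"] = (beta * lam * t / 2.0) / dual
    return out


# Constructed case: 0.02 dangerous failures/year, tested every 6 months,
# one demand every 2 years, 10 % common cause, target 1e-3 hazards/year.
EXAMPLE = assess(lam=0.02, t=0.5, demand_rate=0.5, beta=0.1,
                 target_hazard_rate=1e-3)

if __name__ == "__main__":
    for key, value in EXAMPLE.items():
        print(key, value)
```

    In this constructed case the single channel misses the target unless it is tested roughly every 0.2 years, while the duplicated system meets it, with about 95% of its remaining failure probability coming from the common cause term.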

    2.6.1.3 The integrity of the system shall be reviewed throughout the duration

    of the design and operational life. The design case for any changes to associated process, plant design or assumptions used shall include

    review of the categorisation and quantitative basis for the protective

    system design.

    It is common for protective system requirements to be established from preliminary

    process and plant design. It is therefore essential that these be reviewed once the

    design is changed for validation purposes.

    2.6.2 Quality

    The procedures to be used during each stage of the implementation should be defined in the project specification. Evidence that the

    procedures have been followed should be provided and included in the

    design dossier.

    The design, manufacture, installation and maintenance of protection

    systems should be carried out using an established quality assurance

    system such as ISO 9000 Series. An audit or review of independent

    external audit (such as establishing if certification is confirmed) shall be

    carried out to establish that the necessary procedures are in place and

    are being followed.

    The level of overall quality achieved determines the likelihood of systematic

    failures. The quality of procedures used in the design process is particularly

    important since errors or omissions in specification will be carried on through

    implementation and are unlikely to be corrected by later work.

    When considering whether particular equipment is suitable for its intended

    purpose, a significant history of satisfactory operation in a similar environment will be of benefit. Other evidence such as independent test reports should also be

    considered. The above aspects are particularly relevant where systems involving

    software are being used. For Category 1 systems check lists within the British HSE

    PES document may be used.

    Integrity Assessment Summary

    Category 1 and Category 2A (Major environmental risk)

        Design: Confirmation of contractor or consultant design ability and resources for design process and quantitative assessment

        Quality: Confirmation of certification to ISO 9000 series or full Quality system audit. (Compliance audit if considered necessary)

        Design Assessment: Full quantitative design audit by independent specialist consultant

    Category 2A (Economic or minor environmental risk)

        Design: As 1/2A above

        Quality: As 1/2A above

        Design Assessment: Optional but recommended for high economic risk applications

    Category 2B

        Design: Design capability audit not required

        Quality: As 1/2A above

        Design Assessment: General project procedures acceptable

    2.7 Design Documentation

    2.7.1 Category 1

    A design dossier shall be maintained for each Category 1 application

    and submitted to BP for approval at successive stages in the project.

    It should be recognised that a change in a control system design or philosophy

    could necessitate a corresponding change in the design of protection systems. For

    example:-

    (a) Replacing a system of single control loop integrity by a distributed shared

    loop system.

    (b) Computer optimisation linking control loops in a manner not envisaged in

    the original design.

    (c) Changing control valve trim size.

    2.7.1.12 All reasonably foreseeable failures of the distributed control system

    leading to more than one output failing simultaneously. These shall be

    listed together with details of how hazard associated loops have been

    allocated.

    2.7.1.13 Detailed design drawings showing process, electrical, pneumatic, hydraulic and power supply arrangements.

    2.7.1.14 Design specifications for all safety critical items.

    2.7.1.15 Details of independent design audit together with associated report.

    2.7.2 Category 2A

    A design dossier shall be maintained for each Category 2A application.

    The contents of the dossier should be similar to that defined above for

    Category 1 system with the following exceptions:-

    2.7.2.1 For systems involving major economic or environmental risk, the full

    results of the cost benefit analysis and associated reliability studies shall

    be included.

    2.7.2.2 Where the consequences of failure do not include major economic or

    environmental risk the completed check list need only include

    information not related to quantitative analysis.

    2.7.3 Category 2B

    Documentation conforming to general agreed project procedures will

    be adequate.

    3. ALARM SYSTEMS

    This Section specifies BP general requirements for alarm systems.

    3.1 General Requirements

    3.1.1 This Section outlines the requirements for alarm systems provided to facilitate protection of plant and equipment. Fire and gas alarm

    requirements are given in Section 4 of this Recommended Practice.

    3.1.2 Each plant shall be fitted with alarm systems to draw the operator's

    attention to abnormal process conditions or events. Alarm systems

    shall provide audible and visual warnings of abnormal occurrences in

    the process, utilities and plant equipment (e.g. machinery), and shall

    display the alarm status of each point.

    3.1.7 Power supplies for alarm annunciators shall as a minimum requirement

    be Class B as defined in BP Group RP 12-5. Power supply should be

    adequate for the peak load imposed by any lamp test facility.

    3.1.8 Replacement of a modular power supply unit should be possible

    without interrupting the operation of the system.

    3.1.9 Termination wiring and labelling shall be in accordance with BP Group

    RP 30-1 Section 4.

    3.2 Categories of Alarms

    3.2.1 General Requirements

    The following basic categories of alarms and status indications shall be

    applied:-

    (a) Emergency Trip Action

    A separate alarm for each input channel to the protective safety

    system shall be provided, as detailed in Section 2 of this

    Recommended Practice.

    (b) Urgent Alarm

    A separate alarm shall be provided for each condition which

    requires urgent operator action, including alarms which precede a trip as defined in Section 2 of this Recommended Practice.

    (c) Information

    A condition to be drawn to the attention of the operator but not

    requiring immediate action on his part, e.g. standby pump

    started, or status of a sequence controller.

    Additional categories of alarms may be provided on digital control and

    sequential logic equipment:-

    (a) Minor Process Alarms

    This category includes facilities such as control loop setpoint

    deviation and rate of change of plant variable.

    (b) Sequence or Logic Alarms

    This category includes alarms which require logic to define an

    alarm stage, e.g. the failure of a valve to move on command or

    the timeout of an expected action following a command.

    (c) Control and Instrumentation System Equipment Failures

    This category includes all alarms provided to draw the

    operator's attention to failure of an item of equipment, which

    may be failure of an individual measurement loop (e.g. open

    circuit) or failure of a system module such as a multiplexer or

    microprocessor or communications link which potentially

    affects several measurements.

    3.2.2 Location

    The main alarm display shall be located in the appropriate permanently

    manned control centre, integral with or adjacent to the control and

    monitoring equipment, and shall include all alarms requiring the

    attention of the operators stationed there.

    Additional alarms may be provided and located at local level for plant

    requiring full time or occasional operator attendance.

    * When specified by BP, a self-contained alarm system should be

    provided for plant attended full time by a local operator. The system

    may be located in a local control room or adjacent to the plant.

    Plant normally unattended but requiring occasional local operator

    attention (e.g. for start-up, trouble shooting or maintenance operations)

    should be provided with a local self-contained alarm system. Examples

    of this type of plant are packaged units, major machinery and a satellite

    production facility.

    Alarm repeats of local alarms, individually or in groups, should be

    provided at the control centre. Details shall be included in the schedule

    (see 3.1.4).

    When a group alarm repeat is accepted, the action of acceptance should

    reset the transmission system to allow subsequent alarms in that group

    to be brought to the attention of the control centre operator.

    Where remote alarms are also required at the control centre, they are usually taken

    back as a single group, a number of groups, single alarms or a combination of

    these. A single group should be used for areas where a single operator only needs

    to visit the area. A number of groups should be used where there is a need to

    define the specific function from an area, e.g. electrical, instrument, machinery or

    process alarms. Single alarms should be used for critical functions which need

    individual operator attention. The grouping of retransmitted alarm functions

    should be fully discussed and agreed with the end user at the design stage.

    Alarms at each location should be accepted independently.

    The alarm logic units for equipment as 3.1.3 (a), (b) and (c) may be centrally housed or mounted behind each alarm panel. Centrally

    housed alarm logic should be in a free standing, ventilated cabinet,

    preferably with both front and back access. Removable gland plates

    should be furnished for cable access.

    The location of the alarm logic units should minimise interference to the operator

    during maintenance operations and plant modifications. Examples of good

    practice are:-

    (a) Integral logic with back access in a conventional control panel.

    (b) Integral logic with front access in a local control panel.

    (c) Remote logic in an equipment area or room, where provided. This method

    is preferred when the alarm display is integrated into a video based

    console.

    3.3 Measurement Interface

    3.3.1 Alarms derived from analogue measurements are preferred.

    3.3.2 When the alarm input is not otherwise measured and transmitted, direct

    switch sensors may be used.

    Direct sensors should be used only where they are more reliable than the function

    measurement and transmission type and where calibration of the equipment is

    possible. However, the cost of the system should also be considered and this

    balanced against the overall requirements of the application.

    3.3.3 Alarms derived from switches should be closed circuit for normal

    operation and open circuit for the alarm condition.

    3.3.4 Sensors shall have ranges selected for effective response, setting and

    resetting at scheduled values of the alarm and normal conditions. Allowance shall be made for any dead-band in switch operation.

    Overrange protection should be provided where necessary.

    3.3.5 Trip alarms should be provided such that the integrity of the shutdown

    system is unaffected (see Section 2 of this Recommended Practice).

    3.4 Panel Annunciators

    3.4.1 Panel mounted annunciators should consist of engraved illuminated

    windows grouped in accordance with the plant units.

    In selecting annunciator window size or the type of read-out (e.g. illuminated and

    engraved windows or LEDs [light emitting diodes] with side descriptors), the

    distance between the normal operator position and the read-out equipment should

    be considered. The nearer the normal operator position is to the read-out

    equipment, the smaller the read-out equipment needs to be. In most cases, it will be

    necessary for the operator to read the alarm description from the normal operating

    position, although in some cases, with experience, knowledge of the position of the alarm in the group will be sufficient.

    When deciding the grouping of alarms, it is necessary to balance what is available

    from manufacturers with the number of alarms for the relevant process unit and the

    operational requirements. Although the system is usually divided by the process

    unit, to assist operator recognition on a unit with a large number of alarms it may

    be better to split alarm displays into a number of sections rather than have a single

    large display.

    3.4.2 The window illumination shall be provided by two bulbs or their

    equivalent. A power healthy indicator shall also be provided for each

    alarm group.

    3.4.3 The windows should be colour coded according to the following:-

    Emergency Trip Action    Magenta
    Urgent Alarm             Amber
    Information              White

    3.4.4 The window engravings should be of the following form:-

    TAG (e.g. 17 PAH 342)

    LOCATION (e.g. RECYCLE COMPRESSOR DISCHARGE)

    ALARM (e.g. HIGH PRESS)

    The engraving for 'Location' should be a concise but definitive

    description of the point location.

    3.4.5 Connections from the central logic cabinet to the alarm annunciators

    should be made with multicore cables of adequate current capacity

    terminated with plugs and sockets.

    3.5 VDU Based Annunciators

    * 3.5.1 This sub-section defines the functional requirements of VDU based

    alarm systems. The precise scheme for each application shall be subject

    to approval by BP.

    3.5.2 Colour and/or text shall be used to denote the alarm/normal states and

    flashing to denote the unaccepted alarm state.

    3.7 Microprocessor Based Alarm Systems

    3.7.1 This sub-section covers the requirements for programmable alarm

    systems as defined in 3.1.3 (b), (c), (d) and (e).

    The functional requirements of sub-sections 3.4 and 3.5, as appropriate, shall be satisfied.

    3.7.2 The effect of common mode failures on alarm scanning and display

    shall be stated by the vendor. Redundancy techniques should be

    employed to minimise the effects of common mode failures within

    equipment and its power supply system. The routing and connection of

    critical alarms should be carried out in a manner which maximises

    overall system availability.

    Where redundant equipment is used, specific attention should be given to areas in

    which common mode failures could occur. For example, in a duplicated multiplex

    system with common switching equipment, a common mode fault could occur in the

    switching equipment and negate the beneficial effects of duplication. Redundant

    equipment should be regularly exercised on-line, preferably on an automatic cyclic

    basis.

    In-built diagnostic facilities should warn the operator of faults in the on-line and

    back-up equipment.

    The designer should ensure that the design is not compromised by external failures,

    such as in the power supply system. Quality of the supply (e.g. voltage stability,

    transients) should be addressed. This is covered in greater detail in BP Group RP

    30-4 Section 2.

    3.7.3 The maximum system response time to a burst of alarms shall be

    specified by the vendor.

    A burst of alarms, sometimes known as a flood of alarms, is a situation where one

    plant event can trigger many subsequent events over a short time period. Bursts of

    alarms which are likely to occur should be established in conjunction with the plant

    designer or end user, as appropriate. Normal and abnormal circumstances should

    be addressed, as should the interactive nature of plants connected to the system.

    The response time of the alarm system should be taken as the time lag in processing

    and displaying any single alarm which is initiated within a burst of alarms. This lag should not significantly reduce the margin allowed by the plant designer for

    operator action following alarm initiation from the primary sensor.

    3.7.4 Urgent alarm limits shall only be altered under the protection of a key

    (or equivalent) security system. Minor alarm settings, e.g. deviation,

    may be modified by the plant operator.

    3.7.5 All software alarm routines should be provided with an adjustable

    deadband, to minimise oscillation into and out of alarm. Alteration of

    the deadband shall be under the same security protection as for alarm

    limits in 3.7.4.
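
    The following is an added example, not part of RP 30-5, of a software high alarm with an adjustable deadband (3.7.5) whose limit and deadband can be altered only with the key when the alarm is urgent (3.7.4). The class and function names, the sample readings, the change record and the reading that a minor alarm's deadband is operator-adjustable like its limit are assumptions; the tag is the example engraving from 3.4.4.

```python
"""Added illustration (not from RP 30-5): deadband on a software high alarm
and key protection of its settings. Sample data are constructed."""
from dataclasses import dataclass, field


class KeyRequired(PermissionError):
    """Raised when a protected setting is changed without the key."""


@dataclass
class HighAlarm:
    tag: str
    limit: float          # alarm is raised at or above this value
    deadband: float       # value must fall this far below limit to clear
    urgent: bool          # True: settings are under key protection
    active: bool = False
    changes: list = field(default_factory=list)  # (who, setting, old, new)

    def update(self, value):
        """Process one reading; return 'ALARM' or 'NORMAL' on a transition."""
        if not self.active and value >= self.limit:
            self.active = True
            return "ALARM"
        if self.active and value <= self.limit - self.deadband:
            self.active = False
            return "NORMAL"
        return None  # no change of state

    def _authorise(self, setting, key_inserted):
        # Urgent alarm settings need the key; minor alarm settings
        # (e.g. deviation) may be altered by the plant operator.
        if self.urgent and not key_inserted:
            raise KeyRequired(f"{self.tag}: key required to alter {setting}")

    def set_limit(self, new_limit, who, key_inserted=False):
        self._authorise("limit", key_inserted)
        self.changes.append((who, "limit", self.limit, new_limit))
        self.limit = new_limit

    def set_deadband(self, new_deadband, who, key_inserted=False):
        if new_deadband < 0:
            raise ValueError("deadband cannot be negative")
        self._authorise("deadband", key_inserted)
        self.changes.append((who, "deadband", self.deadband, new_deadband))
        self.deadband = new_deadband


def count_transitions(alarm, samples):
    """Number of alarm/normal messages the readings would generate."""
    return sum(1 for value in samples if alarm.update(value) is not None)


# Constructed readings: a noisy signal hovering at a limit of 100.0 and
# then falling clearly back to normal.
SAMPLES = [99.0, 100.2, 99.8, 100.1, 99.7, 100.3, 99.9, 97.5]

if __name__ == "__main__":
    chattering = HighAlarm("17 PAH 342", 100.0, 0.0, urgent=True)
    damped = HighAlarm("17 PAH 342", 100.0, 2.0, urgent=True)
    print("no deadband :", count_transitions(chattering, SAMPLES), "messages")
    print("2.0 deadband:", count_transitions(damped, SAMPLES), "messages")
    try:
        damped.set_deadband(0.0, who="operator")
    except KeyRequired as exc:
        print("refused:", exc)
```

    With no deadband the constructed signal produces six alarm and return-to-normal messages; with a deadband of 2.0 it produces two.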

    * 3.7.6 The time resolution of alarm and event logging shall be subject to

    approval by BP. Recording format should be as 3.5.9. A convenient

    method of distinguishing between alarm and event messages should be provided on printouts.

    Systems should have the facility to store alarm and event history, with

    printout only on demand. Measures to assure security of information

    on loss of power supply and on equipment failure should be provided.

    3.7.7 The following additional requirements shall apply to alarm systems to

    be operated as an integral part of a proprietary distributed control or

    computer system, as defined in paragraphs 3.1.3 (d) and (e).

    All categories of alarms should be connected to the control system and

    be provided with alarm annunciation and presentation facilities at the

    operator's work station.

    It should be possible to apply alarm facilities to derived plant values.

    The system design should ensure that the operator's control facilities

    are not hampered by processing a burst of alarms.

    See 3.7.3 for definition of 'burst of alarms'. A burst of alarms may overload the

    control system and delay other functions (e.g. keyboard actions) in addition to alarm response.

    4. FIRE AND GAS DETECTION AND CONTROL SYSTEM

    4.1 General

    4.1.1 The scope and application of fire and gas detection, alarm and control

    systems depends upon the inherent risks associated with the materials

    being processed and the layout and size of the installation. Guidance

    on system application is given in BP Group RP 30-7.

    This Section details BP recommendations for fire, flammable and toxic

    gas detection and control systems equipment, and should be read in

    conjunction with BP Group GS 130-10 'Specification for the supply of

    Fire and Gas Systems'. The recommendations also apply to systems

    supplied as part of self contained package units.

    To minimise spares holdings and maintenance every effort should be made to

    ensure the package unit equipment (especially the detectors) offered is the same as

    that used in the main F&G system.

    energising and re-energising of the logic circuitry will not cause accidental

    initiation of normally de-energised control actions.

    For Intrinsically Safe circuits utilising Zener barriers both the positive line and the

    negative return line should have separate barriers even if the negative lines are

    tied to earth at the power supply. Use of a single barrier on the positive side only

    runs the risk of the signal return by-passing the negative return to the power supply via the IS earth. Galvanically isolated barriers are the preferred approach.

    4.1.5 The Fire and Gas System shall be designed and installed to facilitate in-

    service testing, maintenance, calibration and repair. Due regard shall be

    made for safety of personnel and access of equipment.

    4.2 Fire and Gas Control Panel Equipment

    4.2.1 All FGCPs and annunciation displays should preferably be located in a

    non-hazardous area such as a control or equipment room.

    The equipment should be suitable for use in the environment in which it

    is located. In controlled environments, account must be taken of the

    possible loss of heating and ventilation under abnormal conditions.

    Points which require particular attention during the assembly of the fire and gas

    panels include:-

    (a) Where front access only panels are used, withdrawal facilities shall be

    provided to enable easy access to terminations etc. The withdrawal

    facility shall provide self support of the equipment when withdrawn from

    the panel and any flexible cabling shall be adequately guarded against scuffing, kinking, and undue tension.

    (b) Visibility of indications. Visibility of panel modules and their indicators is

    necessary as well as the annunciation of displays. If the panel has doors

    for protection of modules or to prevent unauthorised access, the doors

    shall be provided with see through panels.

    (c) Cooling and ventilation of the panel should be designed to cope with the

    heat generated by a fully equipped panel, even if supplied with 25% spare

    capacity. Where panels are fitted with ventilation systems for cooling

    purposes the air intakes shall be protected with suitable dust filters, and

    fan failure alarms should be provided.

    4.2.2 The FGCP should be designed with spare capacity to allow for any

    known future requirements and also a contingency allowance for design

    development changes.

    The purchase of a fire and gas system is frequently committed before detector and

    control action requirements are fully defined. This can result in considerable

    growth. Under these circumstances, it is prudent to allow a larger than normal

    capacity for expansion and typically 25% may be considered.

    4.2.3 All incoming detector field circuitry shall interface with modules which

    must be compatible with the field sensors.

    Flammable gas detector interface modules must have sufficient gain adjustment for

    doubling the LEL% sensitivity to methane plus any subsequent deterioration in the

    detector during its normal lifetime.

    4.2.4 The system should provide the following:-

    (a) Monitoring of all components of the detection circuit up to and

    including the last sensing element, and shall generate a fault

    signal in the event of any malfunctions.

    (b) Lamp test facilities.

    (c) Latching alarm to ensure short duration alarms are captured.

    Facilities should be provided for remote latch reset where local reset is impractical (e.g. unmanned installations). An alarm

    indication shall override fault indication.

    At the remote control point alarm acceptance should silence the sounder

    and steady the indications at the local panel as well as silencing the

    sounder and steadying indications at the remote control point itself.

    (d) Supervisory facilities to enable the failure of any power supply,

    fuse, etc., to be quickly identified and located.

    Compliance with the British Standards listed in Appendix B is not a statutory requirement and their guidance is open to some interpretation depending on the

    installation. The following presents some areas where deviations or points of

    contention may occur and interpretations that should be acceptable:-

    (a) The time between the onset of a detectable level of the hazardous condition at the detector

    and annunciation at the CCR shall not exceed 8 seconds.

    (b) The time between the initiation of a manual call point and annunciation at the CCR shall

    not exceed 3 seconds.

    (c) In the case of flame detectors, which are more likely to operate

    simultaneously, the alarm response should not be prevented.

    (d) The lack of short circuit detection in fire detection loops is acceptable

    provided that a short circuit fault producing an alarm condition is an

    acceptable operating mode.
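
    The following is an added example, not part of RP 30-5, of the behaviour asked for in 4.2.4 (a) and (c): a monitored detector loop, a latching alarm that captures a short pulse, alarm indication overriding fault indication, and acceptance silencing the sounder and steadying the indication. The current bands, names and indication strings are constructed assumptions, and the short-circuit option models interpretation (d) above.

```python
"""Added illustration (not from RP 30-5): supervised detector loop with a
latching alarm. Current thresholds and names are constructed."""
from enum import Enum


class Loop(Enum):
    NORMAL = "normal"
    ALARM = "alarm"
    FAULT = "fault"


# Constructed current bands (mA) for a loop ending in an end-of-line resistor.
OPEN_CIRCUIT_BELOW = 2.0     # less than this: the loop is broken
ALARM_ABOVE = 12.0           # a detector in alarm draws more than this
SHORT_CIRCUIT_ABOVE = 30.0   # more than this: the loop is shorted


def classify(current_ma, short_circuit_detection):
    """Turn a measured loop current into NORMAL, ALARM or FAULT."""
    if current_ma < OPEN_CIRCUIT_BELOW:
        return Loop.FAULT
    if current_ma > SHORT_CIRCUIT_ABOVE:
        # Without short-circuit detection a short reads as an alarm,
        # which is only acceptable if that operating mode is acceptable.
        return Loop.FAULT if short_circuit_detection else Loop.ALARM
    if current_ma > ALARM_ABOVE:
        return Loop.ALARM
    return Loop.NORMAL


class DetectorPoint:
    def __init__(self, tag, short_circuit_detection=False):
        self.tag = tag
        self.short_circuit_detection = short_circuit_detection
        self.loop = Loop.NORMAL      # result of the latest scan
        self.alarm_latched = False   # stays set after the alarm clears
        self.accepted = True
        self.sounder = False

    def scan(self, current_ma):
        """Process one loop reading and return the panel indication."""
        self.loop = classify(current_ma, self.short_circuit_detection)
        if self.loop is Loop.ALARM and not self.alarm_latched:
            self.alarm_latched = True
            self.accepted = False
            self.sounder = True
        return self.indication()

    def accept(self):
        """Operator acceptance: silence the sounder, steady the lamp."""
        self.accepted = True
        self.sounder = False

    def reset(self):
        """Clear the latch only once accepted and no longer in alarm."""
        if (self.alarm_latched and self.accepted
                and self.loop is not Loop.ALARM):
            self.alarm_latched = False
            return True
        return False

    def indication(self):
        # Alarm indication overrides fault indication.
        if self.alarm_latched:
            return "ALARM steady" if self.accepted else "ALARM flashing"
        if self.loop is Loop.FAULT:
            return "FAULT"
        return "NORMAL"


def replay(currents_ma):
    """Run a constructed sequence of readings through a fresh point."""
    point = DetectorPoint("constructed-01")
    return point, [point.scan(c) for c in currents_ma]


if __name__ == "__main__":
    # Quiescent, a one-scan alarm pulse, quiescent, then an open circuit.
    point, shown = replay([6.0, 15.0, 6.0, 0.5])
    print(shown)
    point.accept()
    print(point.indication(), "reset ok:", point.reset(), point.indication())
```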

    4.2.5 The number of circuits connected to individual input/interface modules

    should be such that failure of that module does not significantly reduce

    the level of protection provided for the facility.

    For electronic data processing computer rooms, there is greater risk of external

    fire due to paper debris from print outs etc. The consequence of loss of data in the

    event of a fire situation can be quite important.

    A fine water spray arrangement is currently preferred to quench any fire external

    to the computer equipment. It is essential that the consequence to the equipment,

    as a result of initiation of such extinguishant be investigated and agreement sought from the equipment vendor. The design of the system should be such to avoid

    ingress of extinguishant into the cabinets.

    The computing equipment should be shut down on detection of problems from

    detectors located in the room and inside the cabinets. The shutdown should be

    after a time delay to allow for back up of current data.

    4.5.1 Fire Water Pumps

    4.5.1.1 All types of fire water pumps shall be provided with the means to

    manually stop and start the machine locally. Only the start facility is

    required from the FGCP. Additional fire pump start push-buttons at

    selected remote locations should be provided where there is any risk of

    loss of access to the pump locations during incident situations.

    Additional remote start facilities can be provided dependent on plant layout and

    operating procedures. Typically an onshore facility will have an on-site fire

    fighting unit with its own control point (e.g. fire station). In this instance remote

    start facilities would be provided at the central control room and the fire fighting

    control point.

    Under confirmed combustible gas conditions in the duty fire pump room, control

    logic should be provided to prevent the fire pump from starting, and enable the start of the stand-by fire pump. Lockable means shall be provided for over-riding

    this trip.

    4.5.1.2 Duty/standby selection should be provided at the FGCP with adequate

    indication to allow the operator to determine the operational status of

    each pump.

    Automatic duty pump start-up should be initiated from the FGCP by

    one of the following:-

    (a) Deluge discharge pressure high.

    (b) Sprinkler flow switch high.

    (c) Confirmed fire detection.

    (d) Main pump failure to start or low fire main pressure.

    The design of the pump control system should be such that automatic

    duty pump start-up does not induce excessive pressure surges on fire

    monitors and fire hoses.
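
    The start logic of 4.5.1.1 and 4.5.1.2, as an added illustration that is not part of RP 30-5: the gas inhibit takes precedence over any start demand, the lockable override takes precedence over the inhibit, and the stand-by pump is started in place of an inhibited duty pump. The field names are hypothetical, and it is an assumption that the inhibit applies to FGCP and remote manual starts as well as to automatic starts; local start/stop at the pump is not modelled.

```python
from dataclasses import dataclass

# Inputs that count as a start demand, in the order the text lists them.
# All field names are hypothetical; RP 30-5 names the conditions only.
DEMAND_FIELDS = (
    "deluge_discharge_pressure_high",   # (a)
    "sprinkler_flow_switch_high",       # (b)
    "confirmed_fire",                   # (c)
    "main_pump_failed_to_start",        # (d)
    "fire_main_pressure_low",           # (d)
    "manual_start",                     # FGCP or remote push-button
)


@dataclass(frozen=True)
class PumpInputs:
    deluge_discharge_pressure_high: bool = False
    sprinkler_flow_switch_high: bool = False
    confirmed_fire: bool = False
    main_pump_failed_to_start: bool = False
    fire_main_pressure_low: bool = False
    manual_start: bool = False
    # Confirmed combustible gas in the duty fire pump room
    gas_confirmed_in_duty_room: bool = False
    # Lockable override of the gas trip (assumed here to be a key switch input)
    gas_trip_override: bool = False


def start_demands(inp: PumpInputs) -> list:
    """Names of all active start demands."""
    return [name for name in DEMAND_FIELDS if getattr(inp, name)]


def pump_commands(inp: PumpInputs) -> dict:
    """Decide which pump, if any, receives a start command."""
    demands = start_demands(inp)
    # The trip is active only while gas is confirmed and the override is not set.
    inhibited = inp.gas_confirmed_in_duty_room and not inp.gas_trip_override
    result = {
        "start_duty": False,
        "start_standby": False,
        "duty_inhibited": inhibited,   # for status indication at the FGCP
        "demands": demands,            # for the event log
    }
    if not demands:
        return result                  # gas alone starts nothing
    if inhibited:
        result["start_standby"] = True # stand-by replaces the inhibited duty pump
    else:
        result["start_duty"] = True
    return result


if __name__ == "__main__":
    # Constructed scenarios
    for case in (
        PumpInputs(confirmed_fire=True),
        PumpInputs(confirmed_fire=True, gas_confirmed_in_duty_room=True),
        PumpInputs(confirmed_fire=True, gas_confirmed_in_duty_room=True,
                   gas_trip_override=True),
    ):
        print(pump_commands(case))
```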


    (e) One or more sets of four lamp visual warning clusters, at each

    entrance to the protected area, showing the status of CO2 or

    other gaseous total flood system and its controls. Audible

    warning 'on discharge' klaxons or sirens should also be

    provided. It should be audible throughout the area protected by

    the extinguishing medium and should provide sufficient warning, typically 15 secs, prior to release of extinguishant to

    enable personnel to safely evacuate the area and for dampers to

    close.

    Where visual warning lamps are used on offshore installations,

    consideration should be given to using extinguishant status lamps as

    follows:-

    System manual - lamp colour green

    System auto - lamp colour amber

    System discharged - lamp colour red

    System electrically isolated - lamp colour white.

    Each indicator shall have a twin lamp arrangement.

    (f) Main and reserve systems where provided should have manual

    selection on the skid and an electrical key switch at the FGCP.

    Extinguishant systems may be provided with stand-by systems which

    should be manual initiation only. The intention of these arrangements is

    to allow quick return to normal operation after a discharge of

    extinguishant. The stand-by should not be considered as a 'second shot facility' and any remote change-over facilities should preferably be

    avoided, or if required be interlocked with key switches.

    (g) All extinguishant isolating valves should be monitored via limit

    or proximity switches to indicate they are fully open.

    4.5.3.2 Deluge system solenoid valves should operate by venting the air

    holding the deluge valve closed. Each deluge system should be fitted

    with a low pressure switch for remote indication of loss of vent air.

    Each sprinkler system branch should be fitted with a flow switch to indicate the operation of the system.

    Deluge systems may be provided with the facility to stop deluge remotely at the

    control point on offshore installations on a fire area basis. Where manual control

    of the deluge is required for fire control purposes which uses water curtains and/or

    sub-divides deluge systems within fire areas, consideration may be given to

    grouping deluge controls in a Deluge Control Panel.


    Ultra Violet Flame Detectors should. Built-in test facilities should be

    provided for checking the detector on line.

    It should be noted that UV detectors are particularly susceptible to smoke and oil

    deposits on the lenses causing loss of sensitivity. Optical integrity should consist of

    a UV source mounted such that the UV radiation path includes the detector lenses.

    Ultra violet detectors should be used in areas where a fire is not likely to generate

    smoke. Ultra violet detectors should only be used in combination with smoke or

    heat detectors.

    4.7.1.6 Infrared Flame Detectors

    Infrared Flame Detectors should respond to radiation equivalent to the

    CO2 absorption band. They should be solar blind and their response to

    other sources of radiation should be minimised. Built-in test facilities

    should be provided for checking the detector on line.

    Point type smoke and heat detectors are not suitable for open areas and fire

    detection coverage should be by optical flame fire detectors with IR detectors the

    preferred choice for hydrocarbon areas. Areas covered by optical flame detectors

    in certain instances may be supplemented with smoke (beam type) or heat (fusible

    loop, linear).

    The smoke and heat detection used in combination with optical flame detectors

    should be selective in approach and is intended to provide firstly for other control

    actions beyond those initiated by the early detection of fire by the flame detectors,

    and secondly in certain circumstances to supplement the optical detection. For

    example:-

    (a) In well bays the optical detectors are intended for detection of fires at

    their initial stages and initiate appropriate alarms and control actions

    (release of deluge) without necessarily shutting down the wells. This

    protection will be inadequate for sudden large fires due to catastrophic

    failures which may threaten the platform structure itself. The addition of

    temperature type detectors (such as fusible loops) is provided to initiate,

    say, down-hole well shut-off valves.

    (b) In areas where the fire can result in large quantities of smoke which can

    accumulate or gravitate to predictable locations, beam type smoke

    detectors should be used as a supplement to the optical flame detection.

    In congested areas it may not be possible to cover a risk area fully with

    optical detectors. Linear heat detectors should be used to supplement the

    optical flame detection.

    (c) An alternative means of heat detection is the frangible bulb or fusible link

    used with fire protection systems.

    The infrared (IR) flame detectors should be on separate circuits from the heat or

    smoke detectors and independently initiate any control actions.

    4.7.1.7 Combined Ultra Violet/Infrared Flame Detectors


    This document is not intended to cover those checks for pipeline leaks

    such as visual inspection by line walking and overflying. Hand held and

    aircraft mounted equipment for detecting the presence of hydrocarbons

    or other substances are also excluded from this document.

    5.2 Requirement for Pipeline Leak Detection

    5.2.1 Regulatory and Legislative Framework

    There is little in the way of national or international legislation

    concerning the provision of pipeline leak detection systems, or the

    capabilities of such systems. It is likely that more specific guidance will

    be given in the next few years but this is unlikely to be of a prescriptive

    or legislative nature. The USA is the exception to this where it is

    expected that prescriptive legislation will be introduced.

    Whereas, in general, the provision of leak detection is unlikely to be the

    subject of prescriptive legislation, there is likely to be an increasing

    demand on operators to demonstrate that all reasonable precautions are

    being taken to avoid and mitigate the effects of any possible

    environmental hazards.

    In the UK, offshore pipelines are covered by legislative requirements relating to the

    provision of leak detection, but only in the general sense. Onshore pipelines have

    no specific leak detection requirements, although a leak detection system might

    form part of a particular pipeline's safety notice. The nature of any system to be

    installed and operated would normally be agreed with the appropriate local

    regulatory authority prior to the granting of a pipeline operating licence. Section

    5.3 provides guidance in selecting the most appropriate technology.

    UK law currently requires the developer of any project likely to affect the

    environment to undertake an environmental impact assessment and to provide 'a

    description of the measures envisaged in order to avoid, reduce and if possible,

    remedy the significant adverse effects'.

    5.2.2 Risk Assessment

    If not prescribed by legislation, the requirement for pipeline leak

    detection will be determined by risk management considerations.

    An environmental risk assessment should be carried out for each pipeline system. The depth and complexity of the assessment will be

    very much dependent on the particular pipeline. The factors which will

    influence the environmental risk assessment will include:-

    - the environmental sensitivity of the areas affected by the

    pipeline routing (e.g. areas of special scientific interest,

    proximity of shorelines, rivers and water courses, density of

    human population)


    - the fluid carried by the pipeline

    - the likely causes of pipeline leakage. Causes of pipeline leakage

    can be divided into five main categories:-

    - internal and external corrosion

    - third party damage

    - operational error

    - natural hazards

    - mechanical failure

    An examination of the likely causes of failure will provide an indication

    of the most likely leak (hole) sizes and hence leakage rates.

    The potential risk to the environment and the potential for financial loss

    are closely linked. The financial risk associated with pipeline leakage

    arises from:-

    - value of lost line contents

    - clean-up costs associated with loss of line contents

    - the possibility of a large scale clean-up operation hindering the

    repair and re-instatement of the pipeline system.

    - temporary or permanent loss of pipeline operating licence

    - damages or fines imposed by criminal or civil courts

    - loss of Company image as an environmentally concerned

    operator, thereby impeding future applications for operating

    licences.

    In the case of liquid carrying pipelines the most environmentally sensitive routings

    would include subsea and those close to shorelines, rivers and water courses. In a

    marine or river environment, a relatively small quantity of liquid hydrocarbon will

    be spread over a great area and can potentially cause a disproportionately large

    amount of damage. Clean up costs for this type of spill can therefore be

    considerable, making preventative and loss limiting measures cost effective. Toxic effects from the release of unstabilised sour crudes also require consideration if

    the pipeline is routed in proximity to populated areas. This hazard is discussed

    under gas transportation below.

    Leakage of chemicals, particularly those soluble or miscible with water, once

    released into marine or river environments are virtually impossible to recover. In

    this case the clean up costs arise from the necessity to neutralise as far as possible

    the harmful effects of the released chemicals. Additionally the claims for damages

    arising out of pollution to water supplies are potentially very large. Against this

    potential liability, preventative and loss limiting measures might be seen as cost

    effective as well as being environmentally desirable. The toxic effects from


    chemicals released into the atmosphere also require consideration if the pipeline is

    routed in proximity to human population.

    The pipeline organisation CONCAWE maintains statistics of pipeline operation

    including reported spillages. These statistics are broken down into a number of

    pipeline classifications and can therefore be used as a basis for estimating the

    likelihood of leakage from various causes on a particular pipeline.

    *Leakages from hydrocarbon gas transportation pipelines have much smaller

    potential for environmental pollution than leakages from liquid carrying lines.

    The environmental effects are limited to the release of greenhouse gases into the

    atmosphere. Further, the quantities of gases involved are likely to be relatively

    small compared to releases from natural sources. The main problems associated

    with leakage from a hydrocarbon gas line are those of high levels of radiation from

    an ignited leak, and the toxic effects of impurities in the gas. The potential risks

    associated with leakage of sour gas (H2S) in proximity to human population are

    considerable. In this case the automatic leak detection system might also require

    the executive ability to shutdown, isolate and possibly de-pressurise the pipeline.

    In the case of long pipelines the ability to isolate sections in sensitive areas might also be required.

    5.2.3 Performance Targets for Pipeline Leak Detection

    A performance target for the leak detection system should be set, based

    on the conclusions of the environmental risk assessment discussed in

    the previous section.

    The performance target should aim, where practical, to reduce the

    impact of the risks identified to a level capable of gaining wide

    acceptance. The performance target should in any case significantly reduce the impact of the risks identified. Once a performance target is

    theoretically established an analysis of the potential technology in terms

    of Leak Detection Systems can be carried out. If the performance

    target derived from the risk assessment is known to be unachievable in

    practical terms then a Leak Detection System based on the 'best

    available technology' should be specified.

    The following could form part of a performance target, either singly

    or in combination.

    - minimum detectable leakage rate or sensitivity

    - speed of response (possibly as function of leakage rate)

    - maximum acceptable false alarm rate

    As an example, if the major risk identified was thermal radiation from a leaking gas

    or LPG line, then the performance target should comprise a minimum detectable

    leakage rate. With the surrounding vessels and structures designed to withstand

    say a 10 kw jet fire, then the minimum detectable leakage rate should be the

    flowrate equivalent of the 10 kw fire.


    As a further example, if the major risk identified was leakage of crude oil into

    coastal waters, then the performance target would probably comprise a speed of

    response as a function of leakage rate. If the oil spill response facilities were

    capable of containing say a 10 tonne oil spill under typical conditions, then a

    measure of the required speed of response for the leak detection system would be

    30 minutes for a 20 tonne/hr leak and 2 minutes for a 300 tonne/hr leak.
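
    The crude oil example above carried through as code, added here as an illustration and not part of RP 30-5: the required speed of response is the containable spill divided by the leakage rate, and a candidate system is checked against all three elements of a performance target from 5.2.3. The 10 tonne, 20 tonne/hr and 300 tonne/hr figures come from the text; the minimum detectable rate, the false alarm limit and the candidate systems' figures are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PerformanceTarget:
    containable_spill_t: float          # spill the response facilities can contain (tonnes)
    min_detectable_rate_t_per_h: float  # smallest leak that must be detected (tonne/hr)
    max_false_alarms_per_year: float    # limit that keeps the system credible

    def required_response_min(self, leak_rate_t_per_h: float) -> float:
        """Longest detection time (minutes) that keeps the spill containable."""
        if leak_rate_t_per_h <= 0:
            raise ValueError("leak rate must be positive")
        return 60.0 * self.containable_spill_t / leak_rate_t_per_h


@dataclass(frozen=True)
class CandidateSystem:
    name: str
    sensitivity_t_per_h: float          # smallest leak rate the system detects
    false_alarms_per_year: float
    response_points: tuple              # ((leak rate tonne/hr, detection time min), ...)


def shortfalls(target: PerformanceTarget, system: CandidateSystem) -> list:
    """List every way the candidate misses the target; empty list means it meets it."""
    found = []
    if system.sensitivity_t_per_h > target.min_detectable_rate_t_per_h:
        found.append(
            f"sensitivity {system.sensitivity_t_per_h:g} tonne/hr is coarser than "
            f"the required {target.min_detectable_rate_t_per_h:g} tonne/hr")
    if system.false_alarms_per_year > target.max_false_alarms_per_year:
        found.append(
            f"{system.false_alarms_per_year:g} false alarms/year exceeds "
            f"{target.max_false_alarms_per_year:g}")
    for rate, detect_min in system.response_points:
        allowed = target.required_response_min(rate)
        if detect_min > allowed:
            spilled = rate * detect_min / 60.0   # tonnes released before the alarm
            found.append(
                f"{rate:g} tonne/hr leak detected in {detect_min:g} min "
                f"(allowed {allowed:g} min), {spilled:g} t spilled")
    return found


# Target: 10 tonne containable spill is from the text; the other two limits are constructed.
TARGET = PerformanceTarget(containable_spill_t=10.0,
                           min_detectable_rate_t_per_h=20.0,
                           max_false_alarms_per_year=2.0)

# Constructed candidate systems (not vendor data).
SYSTEM_A = CandidateSystem("A", 15.0, 1.0, ((20.0, 25.0), (300.0, 5.0)))
SYSTEM_B = CandidateSystem("B", 10.0, 0.5, ((20.0, 20.0), (300.0, 1.5)))
SYSTEM_C = CandidateSystem("C", 40.0, 6.0, ((300.0, 1.0),))

if __name__ == "__main__":
    for rate in (20.0, 300.0):
        print(f"{rate:g} tonne/hr -> respond within "
              f"{TARGET.required_response_min(rate):g} min")
    for system in (SYSTEM_A, SYSTEM_B, SYSTEM_C):
        print(system.name, shortfalls(TARGET, system) or "meets target")
```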

    5.3 Design and Selection

    5.3.1 General Criteria

    The design and selection of an automatic leak detection system will be

    influenced by the following:-

    - The performance target for the leak detection system. The

    setting of a performance target is discussed in the previous

    section.

    - The capabilities of the available leak detection systems in

    meeting the performance target, given the nature and operating

    conditions of the particular pipeline. Outlines of well

    established and developmental systems for leak detection are

    provided later in this section.

    - The availability of existing facilities (or the requirement for

    facilities in the case of a new pipeline) which could form part of

    a leak detection system. An example of this would be metering equipment installed for fiscal purposes.

    - Existing integrity checking techniques carried out on the

    pipeline (inventory balances based on tank gauging for

    example). The selected leak detection method should be

    complementary to any existing techniques by providing

    increased sensitivity or speed of response.

    The number of alarms produced by a leak detection system that indicate

    a genuine leak will be few in number. Indeed if appropriate pipeline

    integrity measures are taken, zero genuine leak alarms could be hoped for over the lifetime of the system. Therefore, in order to maintain the

    credibility of a leak detection system the spurious or false alarm rate

    needs to be maintained at a suitably low level. A system with a high

    false alarm rate will tend to be discounted and not provide the intended

    protection.

    The design and selection of a leak detection system is very much

    dependent on the individual characteristics and circumstances of a

    particular pipeline. However the following outlines of automatic leak


    APPENDIX A

    DEFINITIONS AND ABBREVIATIONS

    Definitions

    Standardised definitions may be found in the BP Group RPSEs Introductory Volume.

    The following general definitions are applicable to all Parts of this Recommended Practice:-

    contract: the agreement or order between the purchaser and

    the vendor (however made) for the execution of the

    works including the conditions, specification and

    drawings (if any) annexed thereto and such

    schedules as are referred to therein.

    cost of ownership: the life cost of a system including initial supply

    contract value, installation cost, ongoing support

    costs (e.g. spares, maintenance and service charges).

    Ex: electrical apparatus protected to meet hazard

    classification in accordance with BS 5345.

    works: all equipment to be provided and work to be carried

    out by the vendor under the contract.

    The following definitions apply to Part 4 of this Recommended Practice:-

    addressable system: a system in which analogue or digital signals from

    each head (detector or manual callpoint) are

    individually identified at the control panel.

    addressable head module: the control panel mounted unit in an addressable

    detection system interfacing with the field equipment

    via a data highway, handling alarm and fault

    detection functions. Also known as an Addressable

    Loop Interface Module (ALIM).

    circuit: the most precise identification in a hard-wired

    detection system of the location of an alarm within

    the fire area.

    control action: an output from the control panel that can initiate

    extinguishant discharge, request ESD action, stop

    fans and close fire dampers etc. Control actions are

    divided into two groups per fire area for inhibit

    functions:-


    BP Group RP 32-6 Inspection and Testing of In-Service Instrumentation

    (replaces BP CP 52)

    BP Group RP 44-1 Overpressure Protection Systems

    (replaces BP CP 14)

    BP Group GS 112-2 Electric Motor Operated Valve Actuators for

    Intermittent Operation of Isolation Valves

    (replaces BP Std 152)

    BP Group GS 130-6 Actuators for Shut-Off Valves

    BP Group GS 130-9 Specification for the Supply of Shutdown Systems

    BP Group GS 130-10 Specification for the Supply of Fire and Gas Systems


    C1.7 HVAC Status Displays

    Separate mimic displays shall show the status of each HVAC system in

    a single line diagram format.

    C1.8 Alarm Listings

    Standard alarm listings shall be available, detailing tag number, alarm

    type, location and time, on a rolling alarm principle. Each line shall be

    tagged, and shall indicate the time of occurrence.

    Alarm text shall be shown red flashing until accepted, changing to non

    flashing indication.

    Fault and inhibit text shall be shown yellow flashing until accepted,

    changing to non flashing indication.

    Status text shall be shown in white with the above accept facilities.

    There shall be two alarm listings, one 'current' showing fire, gas,

    manual call point and fault. A second alarm listing shall be available for

    historical records and may be sorted for display on either a device type

    basis and/or a time period basis via the directory.

    The historical alarm listing shall be capable of listing all events and

    operator actions. Storage capacity shall be capable of holding on file the last 2500 events.

    C1.9 Help Displays

    The system vendor shall incorporate any required 'help' actions

    applicable to his system.

    C1.10 Printer Facilities

    All alarms received into the system shall be available on hard copy from

    the printer on demand. Each entry shall comprise a full line identical to the historical alarm listing display. Events to be logged shall include

    the following:-

    Incoming alarms and faults

    Output actions

    Inhibits

    Alarm accepts

    Alarm resets

    System faults
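
    A minimal model of the C1.8 alarm listings and the C1.10 event log, added here as an illustration and not taken from RP 30-5 or any vendor system: a rolling historical listing holding the last 2500 events, a 'current' listing limited to fire, gas, manual call point and fault entries, text that flashes until accepted, and operator accepts and resets logged as events in their own right. Class, field and tag names are hypothetical.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime

HISTORY_CAPACITY = 2500  # C1.8: last 2500 events held on file
# C1.8 text colours per entry category
COLOUR = {"alarm": "red", "fault": "yellow", "inhibit": "yellow", "status": "white"}
# C1.8: device types shown on the 'current' listing
CURRENT_TYPES = {"fire", "gas", "manual call point", "fault"}


@dataclass
class Entry:
    time: datetime
    tag: str
    device_type: str   # e.g. "fire", "gas", "manual call point", "fault"
    category: str      # "alarm", "fault", "inhibit" or "status"
    location: str
    text: str
    accepted: bool = False

    def render(self) -> str:
        """One tagged, time-stamped line; the text flashes until accepted."""
        mode = "steady" if self.accepted else "flashing"
        return (f"{self.time:%Y-%m-%d %H:%M:%S} {self.tag} {self.text} "
                f"({self.location}) [{COLOUR[self.category]}, {mode}]")


class AlarmJournal:
    def __init__(self, capacity: int = HISTORY_CAPACITY):
        self.history = deque(maxlen=capacity)  # rolling: oldest entry drops off
        self.current = {}                      # tag -> entry on the current listing

    def record(self, entry: Entry) -> Entry:
        """Log an incoming alarm, fault, inhibit, output action or system fault."""
        self.history.append(entry)
        if entry.device_type in CURRENT_TYPES:
            self.current[entry.tag] = entry
        return entry

    def _operator_action(self, when, tag, action, operator):
        # Operator actions are events too (C1.8, C1.10); logged as already accepted.
        source = self.current[tag]
        self.history.append(Entry(when, tag, "operator action", "status",
                                  source.location, f"{action} by {operator}", True))

    def accept(self, tag, when, operator):
        self._operator_action(when, tag, "alarm accept", operator)
        self.current[tag].accepted = True      # flashing -> non flashing

    def reset(self, tag, when, operator):
        self._operator_action(when, tag, "alarm reset", operator)
        del self.current[tag]                  # entry leaves the current listing

    def current_listing(self) -> list:
        ordered = sorted(self.current.values(), key=lambda e: e.time)
        return [e.render() for e in ordered]

    def historical(self, device_type=None, start=None, end=None) -> list:
        """Historical listing filtered by device type and/or time period."""
        return [e for e in self.history
                if (device_type is None or e.device_type == device_type)
                and (start is None or e.time >= start)
                and (end is None or e.time <= end)]


if __name__ == "__main__":
    # Constructed sample events
    t0 = datetime(1993, 11, 1, 8, 0, 0)
    journal = AlarmJournal()
    journal.record(Entry(t0, "FD-101", "fire", "alarm", "Module 3", "IR flame detector alarm"))
    print("\n".join(journal.current_listing()))
    journal.accept("FD-101", t0.replace(second=30), "operator 1")
    print("\n".join(journal.current_listing()))
    print("\n".join(e.render() for e in journal.historical()))
```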


    C2 ALARM HANDLING

    For both Area and Expanded Mimics, the sensor symbols which are not in alarm are

    presented green on black. This way, shape recognition is possible, but the symbol does not attract attention.

    Whenever a sensor goes into alarm the status indication at base of display area shall

    start flashing and the audible alarm will sound. It is now p