
Emergency Shutdown System (ESD) Definition Based On API RP 14C
Hi,
I just want to share my problem with distinguishing between a Safety Instrumented System
(SIS) and an Emergency Shutdown System (ESD). Are there any differences? I read ANSI/ISA
5.1-2009 to find the right symbol for ESD but got nothing; I also asked my mentors but still
didn't get enough information. Enlightenment came when I asked Google and found a forum
with the subject "ESD vs SIS". From what I learned from that forum, "ESD is a manual input
for SIS", and another post said we should read API RP 14C to understand ESD clearly. So I
tried to find that standard and found it. Here is the ESD definition I cited from that standard:
An Emergency Shutdown (ESD) system is a system of manual control stations strategically
located on a platform that, when activated, will initiate shutdown of all wells and other
process stations. This system may include a number of independent process shutdown
systems that can also be actuated separately. Activation of the ESD system should result in
the termination of all production activity on the platform, including the closing of all pipeline
SDVs. The ESD system should be designed to permit continued operation of electric
generating stations and fire fighting systems when needed in an emergency.
The ESD system provides a means for personnel to manually initiate platform shutdown
when an abnormal condition is observed. Fusible elements of the fire loop may be
integrated with the ESD control loop.
So now I know that ESD is part of the SIS, for safety purposes, to protect either the plant or
people, and the ESD becomes active when someone activates it (manually).
That's all.

ESD vs. SIS ??


What is the difference in Emergency Shutdown Systems defined in ISA 91.00.01 and the
Safety Instrumented Systems defined in ISA 84? Is 91.00.01 still active?

Yusuf Mian
Mr. Tao Zhu, you mean SIS is simply a layer of protection and is normally integrated with the
BPCS (Basic Process Control System such as a PLC or DCS), while ESD is a separate PLC for
shutting down the system to protect equipment/people when an emergency occurs.
It also means that both SIS & ESD don't increase the availability of the process system, but
both systems enhance the safety of the process.
I also request other people to participate and give a clearer explanation.
10 months ago

Ian Gibson
Sorry folks - the first rule of IEC61511 (a.k.a. ANSI/ISA 84.00.01) is that the SIS is NOT part of
the BPCS (unless you build and operate the BPCS under the requirements of 61511, which
would be a nightmare! No operators changing setpoints, etc.). The ESD system is inherently
a manual input (hence unreliable) to the SIS, which relies on automated sensors for most of
its logic. The advantage of the manual input is the opportunity to detect and suppress the
faults that haven't been automatically detected - ~40% of HC leaks in the North Sea on old
statistics.
The BPCS is there to control the plant, and warn the operator if it is failing to do so. Under
61511, this is not rated as providing better than a 90% reduction in hazard (less than SIL1).
The SIS is there to prevent such excursions from escalating to cause damage to persons, the
environment, or assets or (if prevention fails), to mitigate the resulting hazards. This can
provide risk reduction between 10 & 100 (SIL1) through 100 to 1000 (SIL2) and up to 1000
through 10000 (SIL3). The higher the SIL the more expensive it is to maintain, so you really
don't want many SIL3 systems - it is likely less costly to design out the problem rather than
try to fix it with a SIL3 patch.
ESD is sometimes included with Fire & Gas systems as a third system, inherently mitigative,
and of low security (no better than SIL1 due to inadequacies in sensor coverage and efficacy
of mitigation action).
As commented by Harold, the next draft of IEC61511 (Ed2) is likely to reach FDIS early next
year, and hopefully appear as a standard during 2015. Once it appears as an IEC standard, it
may be adopted (with or without modification) by the various national standards bodies.
ANSI/ISA84.00.01 is a MOD of 61511 (Ed1) and is only valid within the USA and Canada - the
MOD is a 'grandfather clause' covering plants originally designed to ISA 84.01:1996. For a
somewhat outdated introduction, see http://www.iec.ch/functionalsafety/
10 months ago

tao zhu
Thanks for the correction Ian. The following is what I have found today; hope it will help
Yusuf a little more.
ESD is traditionally defined as a "shutdown system/equipment in an emergency to prevent
damage to people and equipment/systems." The simplest ESD system can be implemented
with mechanical or electronic relays that provide shutdown protection, e.g. an ESD
pushbutton to shut down a booster pump directly.
SIS is clearly defined in IEC 61511 as an instrumented system used to implement one or
more safety instrumented functions. It's composed of any combination of sensors, logic
solvers and final elements. Based on this definition, SIS provides automatic detection,
verification and control functionality. The function of SIS includes shutdowns but is not
limited to shutdown. It helps to enhance the safety integrity of the whole system.
Most popular safety platforms in the market today call themselves "SIS", such as Honeywell
Safety Manager and Invensys Tricon, and mention ESD as one of their typical applications.
When I was in a refinery plant 6 years ago, everyone called our Honeywell FSC the ESD
system... maybe because its major function is to shut down part of or all of the process. Now
I know it's not accurate.
10 months ago


Yusuf Mian
Mr. Ian Gibson and Tao Zhu, thank you very much for providing a very good explanation. I
want you to give some explanation about SIF with some examples. I am working at an
integrated steel making plant which is very old, and the whole plant has not a single SIS loop
implemented. What are the main applications of an SIS system?
10 months ago

Alan Bryant
Sounds like folks agree. ESD is a manually activated system (as defined in API RP 14C),
whereas the SIS or IPS is an instrumented system that acts automatically to provide risk
reduction. Correct? Would you ever take risk reduction credit for an ESD function in that
case?
10 months ago

tao zhu
Alan, thanks for specifying the API spec #, it's helpful. The definition of "ESD" in RP 14C is
accurate; I didn't find it yesterday.
ISA-TR84.00.05-2009 mentioned that "SIF including all actions required to achieve or
maintain a safe state; Each SIF provide risk reduction against a set or subset of the initiating
events that can cause the hazard."
According to these two statements, if one ESD is initialized to achieve a safe state (it's true
in most cases), then the action of the final element of that ESD can be counted as one SIF,
and it will provide risk reduction credit.
Yusuf, ISA-TR84.00.04 explains SIS in detail; ISA-TR84.00.05 provides information on SIF with
the example of a BMS.
My understanding is that the main applications of an SIS are case by case and should cover
all the safety functions required to achieve the necessary risk reduction which have been
described in the PHA meeting.
10 months ago

Mohammed Abdul Aziz, MIET
Nice inputs there..
As per my experience in oil storage terminals, we have a redundant or single Process PLC
Controller with a separate ESD PLC.
This ESD PLC system (redundant in some cases) is mostly considered as a SIL 2 fail-safe
system.
In some projects the contractors have provided a normal redundant PLC with SIL 2 rated I/O
termination modules to achieve fail-safe requirements. The ESD push button is in the control
room, pump station, tank farm and utility packages.
Pump trips and MOV closure at HH levels of the tank and high pump discharge pressure, for
example, are part of the ESD cause and effect chart. We go for all hardwired and
fire-resistant cables for ESD.
I can say ESD is part of the safety system for plants where complex SIS systems are not
considered.
10 months ago
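Mohammed's cause and effect chart (tank HH level and high discharge pressure tripping the pump and closing the MOV, hardwired ESD push buttons tripping everything, all on a fail-safe ESD PLC) as a small evaluator. This is an added example, not code from the thread or from any vendor; the tags, the chart and the input states are constructed, and the evaluator contrasts de-energise-to-trip (an open circuit trips) with energise-to-trip (a broken cable is silently missed) to show what "fail safe" buys on hardwired loops.

```python
# Constructed cause & effect chart: cause tag -> effects it must drive to the safe state
CAUSE_EFFECT = {
    "TK-101_LAHH": {"P-101_TRIP", "MOV-101_CLOSE"},             # tank level high-high
    "P-101_PAHH": {"P-101_TRIP"},                               # pump discharge pressure HH
    "ESD_PB_CONTROL_ROOM": {"P-101_TRIP", "MOV-101_CLOSE", "MOV-102_CLOSE"},
    "ESD_PB_PUMP_STATION": {"P-101_TRIP", "MOV-101_CLOSE", "MOV-102_CLOSE"},
}
ALL_EFFECTS = set().union(*CAUSE_EFFECT.values())

# Input states as the ESD PLC sees a hardwired loop:
#   True  = energised / healthy     False = de-energised (contact opened, button pressed)
#   None  = open circuit or cable fault, i.e. no signal at all


def healthy_inputs() -> dict:
    return {cause: True for cause in CAUSE_EFFECT}


def evaluate(inputs: dict, fail_safe: bool = True) -> dict:
    """Return {effect: sorted list of causes demanding it}; empty list = stays running.

    fail_safe=True  models de-energise-to-trip: a lost signal (None/missing) trips.
    fail_safe=False models energise-to-trip: only an explicit False trips, so a
    broken cable is indistinguishable from a healthy loop.
    """
    demands = {effect: [] for effect in ALL_EFFECTS}
    for cause, effects in CAUSE_EFFECT.items():
        state = inputs.get(cause)
        if state is True:
            continue
        if state is None and not fail_safe:
            continue  # energise-to-trip: nobody notices the cable fault
        tag = cause if state is False else f"{cause} (line fault)"
        for effect in effects:
            demands[effect].append(tag)
    return {effect: sorted(causes) for effect, causes in demands.items()}


def tripped(result: dict) -> set:
    """Effects that at least one active cause has demanded."""
    return {effect for effect, causes in result.items() if causes}


if __name__ == "__main__":
    inputs = healthy_inputs()
    inputs["ESD_PB_PUMP_STATION"] = None  # cable cut between pump station and ESD PLC
    print("de-energise-to-trip:", sorted(tripped(evaluate(inputs))))
    print("energise-to-trip:   ", sorted(tripped(evaluate(inputs, fail_safe=False))))
```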

Yusuf Mian
Thanks to all participants, nice feedback and valuable comments. ESD and SIS are both
independent systems, but both reduce the risk factor and ensure a controlled and safe
shutdown. What about safety PLC and TMR? Are they essential components of SIS or ESD?
10 months ago

Ian Gibson
Detailed requirements for a safety PLC can be found in IEC61131.6, which is derived from
IEC61508. The essential requirement is that the logic solver (doesn't necessarily need to be a
PLC!) should provide a negligible contribution (<5%) to the probability of failure of each SIF
in the SIS. That is, the sensor(s) and the final actuator(s) should be the limiting factors in the
reliability of the SIF. So if you only have SIL1 and SIL2 SIFs, then you MAY be able to get by
with a logic solver rated as 'suitable for SIL2 applications'. TMR systems are rated suitable
for continued SIL3 operation while having an unrepaired fault! That may be overkill as against
a system which just fails safe - there are a multitude of designs with various levels of
redundancy and diagnostics. Just don't get painted into a corner with a system which is only
just suitable for the current worst case - Murphy's Law is still valid.
10 months ago
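Ian's two numeric points in this thread, the SIL bands by risk reduction factor from his first comment and the rule here that the logic solver should be a negligible (<5%) contributor to each SIF's probability of failure, as one worked budget check. This is an added example, not code from the thread; the PFDavg figures and the SIF name are constructed sample values, not vendor data.

```python
from dataclasses import dataclass

# IEC 61511 low-demand bands as quoted in the thread:
# (SIL, lower RRF inclusive, upper RRF exclusive)
SIL_BANDS = [(1, 10, 100), (2, 100, 1_000), (3, 1_000, 10_000), (4, 10_000, 100_000)]


@dataclass
class Sif:
    """One safety instrumented function: sensor, logic solver, final element.

    PFDavg values are constructed sample numbers, not vendor data.
    """
    name: str
    pfd_sensor: float
    pfd_logic: float
    pfd_final: float

    def pfd_total(self) -> float:
        # Subsystems in series: for small PFDs the averages simply add
        return self.pfd_sensor + self.pfd_logic + self.pfd_final

    def rrf(self) -> float:
        # Risk reduction factor = 1 / PFDavg
        return 1.0 / self.pfd_total()

    def sil(self) -> int:
        # 0 means below SIL1, i.e. no better than the ~90% a BPCS is credited with
        r = self.rrf()
        for sil, lo, hi in SIL_BANDS:
            if lo <= r < hi:
                return sil
        return 0

    def logic_share(self) -> float:
        # Fraction of the SIF's PFD contributed by the logic solver
        return self.pfd_logic / self.pfd_total()

    def logic_solver_ok(self, limit: float = 0.05) -> bool:
        # Ian's rule of thumb: the logic solver should be a negligible (<5%) contributor
        return self.logic_share() < limit

    def limiting_subsystem(self) -> str:
        # The field devices, not the logic solver, should be what limits the SIF
        parts = {"sensor": self.pfd_sensor, "logic": self.pfd_logic, "final": self.pfd_final}
        return max(parts, key=parts.get)


if __name__ == "__main__":
    sif = Sif("LAHH-101 pump trip", pfd_sensor=2.0e-3, pfd_logic=1.0e-4, pfd_final=6.0e-3)
    print(sif.name, "SIL", sif.sil(), "RRF", round(sif.rrf()), "logic share", round(sif.logic_share(), 3))
```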

Yusuf Mian
Ian Gibson, very nice explanation. Anybody want to add more information?
