Process Safety Systems

By the end of this article, you will be able to:

  • Describe shutdown systems.
  • Describe emergency shutdown systems.
  • Describe pressure release systems.
  • Describe fire and gas detection systems.
  • Describe process safety.

Disclaimer: All the information provided below is for general awareness purposes. For specific or technical issues, always refer to your company’s guidelines, Safety Data Sheets or equipment manufacturer’s guidelines, in accordance with local or international regulations.

Causes of incidents / accidents

  1. Unsafe Acts
  2. Unsafe Conditions

Results of incidents / accidents

  1. Near Misses
  2. Injuries
  3. Death
  4. Damage to equipment
  5. Loss of production

Remedies for incidents / accidents

  1. Reporting
  2. Investigation
  3. Safer Design
  4. Improved Process
  5. Better Training


Definitions of terms

A condition in the operation of a system with potential for initiating an
Any deviation from normal operation resulting in a potential emergency
An incident resulting in damage to equipment or injury to personnel.
The ability of a component, equipment or system to perform according to
The probability of the realisation of potential for loss, damage or injury.
Loss of Containment
The unintentional release of process material retained within an enclosed space.
Lower/Upper Flammable Limit
The proportion (usually expressed as volume percent) of hydrocarbon vapour in air below/above which combustion will not take place.
Threshold Limit Value – Time Weighted Average (TLV-TWA)
Maximum concentration of toxic material to which workers may be exposed continuously without harmful effect.
Threshold Limit Value – Short Term Exposure Limit (TLV-STEL)
Maximum concentration of toxic material to which workers may be exposed for short terms separated by longer intervals (both times being defined), without harmful effect.

Safety & Legal Requirements

  • To secure the health, safety and welfare of people at work.
  • To protect people from unnecessary risk.
  • To control emissions into the environment.


Personal Safety

Safety can be defined as an individual’s response to a hazardous situation. The greatest potential for reduction of accidents lies therefore in educating the man on the job to:

  • Recognise hazardous situations
  • Use safety equipment and clothing
  • Observe standard procedures rigorously
  • Be aware of Company and Government regulations
  • Better training
  • Refresher courses
  • Feedback
  • Observance of the permit-to-work system
  • Participation in fire drills, etc.
  • Observance of the rules governing smoking etc.


Equipment Safety

Safety at Every Stage

  • Equipment used in oil or gas processing must be built to stringent specifications and very high standards

The ‘Fail-Safe’ Philosophy

  • Design of equipment for safety means not only that it is difficult to mishandle or unlikely to fail; it means that when it does fail, it fails in such a way as not to jeopardise safety even though production may be slowed down or halted.

Equipment Selection

  • The suitability of major items of equipment forming an integral part of the installation will have been considered at the design stage.

Inspection and Maintenance

  • No piece of equipment will function for ever.

Inspection and Maintenance should be noted on Management of Change documentation.

Product Safety

Hazards of Petroleum

  • The job of the oil industry is to extract petroleum from the ground, process it, and sell it to the public in various forms. There are certain aspects of this operation that make it inherently dangerous; i.e., hazards exist, and stringent precautions have to be taken if accidents are to be avoided.
  • Basically, the fluids handled are dangerous because of their flammability, toxicity, corrosivity, high pressure and high (or low) temperature.

The Petroleum/Personnel Interface

  • The operation can be viewed as an interaction between two components: petroleum and people (‘personnel’). The petroleum (oil and/or gas) undergoes a series of physical and chemical changes and is permanently altered; personnel, however, are ‘recycled’ (going on and off shift) and (hopefully) remain unchanged.

Petroleum and its products may have:

  • flammability;
  • toxicity;
  • high pressure;
  • high or low temperature.

Personnel, on the other hand, need to breathe air which has:

  • about 20% oxygen;
  • no toxic components;
  • normal atmospheric pressure;
  • normal atmospheric temperature.

Explosive or Flammable Mixtures
The term ‘flammable material’ includes gases, vapours, liquids, mists, solids and dusts, but does not include materials that are inherently explosive. A flammable material can react continuously with atmospheric oxygen and can sustain fire or explosion when such reaction is initiated by a suitable spark, flame or hot surface.
Hydrocarbon gases and vapours are produced in large quantities in everyday operation. An ‘explosive gas/air mixture’ is a mixture of flammable gas or vapour with air under atmospheric conditions in which, after ignition, combustion spreads sufficiently rapidly throughout the unconsumed mixture for the fire to be regarded as an explosion.

  • All combustible gases and vapours are characterised by ‘explosive (or flammable) limits’ between which the gas or vapour mixed with air is capable of sustaining the propagation of flame and therefore explosion. The limits are called the lower explosive limit (LEL) and the upper explosive limit (UEL), and are usually expressed as percentages of the material mixed with air by volume.

Toxicity is the effect that some substances have on the human body. The main toxic effects of petroleum are:

  • Irritation of the skin, eyes and respiratory tract (throat and windpipe), and temporary or permanent damage to the brain, nervous system, kidneys, lungs or digestive system.
  • The most dangerous toxic component of petroleum normally encountered is hydrogen sulphide (H2S).

Hazardous Zones
Classification of areas relates to the coding of electrical tools, which, if present on a hazardous site, should always be marked to show whether they are deemed safe for use in zoned areas.
Area classifications are as follows:

  • ZONE 0 in which a flammable (explosive) atmosphere is continuously present, or present for long periods (more than 1000 hours per year).
  • ZONE 1 in which a flammable (explosive) atmosphere is likely to occur in normal operations (about 10 to 1000 hours per year).
  • ZONE 2 in which a flammable (explosive) atmosphere is not likely to occur in normal operation, and if it occurs will exist only for a short time (less than about 10 hours per year).

Permit to work system
The work permit is a written document authorizing persons to carry out work of a non-routine nature.
The objectives of the permit-to-work system are:

  • to ensure the proper authorisation of non-routine work;
  • to make clear to the person(s) carrying out the job the risks involved and precautions to be taken;
  • to ensure that the manager responsible for an area of the installation is aware of all work being done there;
  • to provide a record showing that the method of work and the precautions needed have been checked by the appropriate person, and, if deemed necessary, to ensure a second opinion is obtained to prevent errors of judgement or the taking of short cuts which may increase the risk;
  • to ensure adequate continuity on handover.

Fire Prevention
Fire requires a combination of fuel, oxygen and a source of heat or ignition. Keep any one away from the other two and fire is prevented.
Sources of Ignition
Fire Detection

  • heat (infrared)
  • smoke
  • ultraviolet light

Oil Recovery and Gas Plant are equipped with fixed fire fighting systems which are brought into operation when a major fire is threatened.
The substances normally used to extinguish fires are:

  • water
  • carbon dioxide (CO2)
  • foam
  • dry powder

Potential Safety Hazards

Built-in plant safety hazards are a basic feature of any operation.

  • Leaks
  • Falls
  • Tripping
  • Hot/cold Pipeline Hazards
  • Rotating Machinery
  • Oil Spills
  • Heat Hazards
  • Construction and Maintenance Hazards
  • Radiation
  • Plant Vehicles
  • Overhead Work Hazards
  • Manual Handling
  • Unauthorized Work
  • Venting or Flaring
  • Draining
  • Purging
  • Equipment Isolation


Process Safety

Production facilities usually operate according to design. Oil and gas travel from the reservoir to the surface facilities where they are separated, treated, measured and sent through a pipeline to the end user. During most of this process, everything operates according to plan. Occasionally, problems occur:
-Things break
-Malfunctions happen
-Settings change
-Horns go off
-Shut-ins take place
Such problems can usually be solved quickly and easily without negative consequences. Unfortunately, some problems have the potential for serious consequences such as injury to personnel, pollution of the environment and loss of company assets.
Understanding, preventing or minimizing potential negative consequences requires a fundamental understanding of basic protection concepts and safety analysis.

Basic Protection concepts

Most threats to safety from production involve the release of hydrocarbons; therefore, the analysis and design of a production facility safety system should focus on preventing such releases, stopping the flow of hydrocarbons to a leak if it occurs and minimizing the effects of hydrocarbons should they be released.


Ideally, hydrocarbon releases should never occur. Every process component is protected with two levels of protection: Primary and Secondary. The reason for two levels of protection is that if the first level fails to function properly, a secondary level of protection is available.

Shut in

If hydrocarbon releases occur (and, in spite of our best efforts, they sometimes do), inflow to the release site must be shut off as soon as possible.
Protective shut-in action is achieved by both the Process Shut Down and Emergency Shut Down systems.


When hydrocarbons are released, their effects should be minimized as much as possible. This can be accomplished through the use of ignition prevention measures and Emergency support systems (Liquid containment systems – Bund walls).

General production facility hazards

The following are the major hazards in a generic production facility:
-Oil Pollution
-Fire / Explosions

Sources for a hazardous condition

The following are the major sources of hazards in a generic production facility:

  1. Over Pressure:

Over pressure can lead directly to all three hazards. It can lead directly and immediately to injury; it can lead to fire/explosion if there is an ignition source; and it can lead to pollution if there is insufficient containment. Because of the hazard potential, a very good level of assurance is needed that the probability of over pressure occurring is very small.

  2. Fire Tubes:

Fire tubes can lead to fire/explosions if there is a leak of crude oil into the tubes or if there is a failure of the burner controls. An explosion can be sudden and lead directly to injury; therefore, a high degree of safety is required.

  3. Excess Temperature:

Excess temperature can cause premature equipment failure at a pressure below its maximum design working pressure. Excess temperature can create a leak, potentially leading to fire/explosion if gas leaks or oil pollution if oil leaks.
This type of failure would be gradual, giving off a warning as it develops.

  4. Leaks:

Leaks rarely lead directly to personal injury, but they can lead to fire/explosion if there is an ignition source and to oil pollution if there is inadequate containment.

Need for other protection devices

We also need to identify the other protection devices to include in equipment design that may minimize the possibility that a source will develop into a hazardous condition. These may include:
-Flame arrestors
-Gas detectors
-Fire detectors
-Manual shutdown stations.

Hazard Analysis

A hazard analysis can determine the need for safety devices and safety systems.
A hazard analysis:
-Identifies potential hazards.
-Defines conditions necessary for each hazard.
-Identifies the source for each hazard.
A facility designed with a safety shutdown system is not necessarily “safe”; it has an appropriate level of devices and redundancies to reduce the risk of occurrence of those sources and conditions that can be anticipated by sensing changes in process conditions.
Other factors that contribute greatly to the safety systems:
-Operating Procedures

Process Safety System

  • Plant control system: This is the normal control system to maintain the process operation within its normal operating limits (PIC, FIC, FDIC, etc.).
  • Instrument safeguarding system (i.e. PZAHH, TZAHH, etc. with PSD & ESD systems): This will act in case the plant control system fails.
  • Mechanical safeguarding system (includes normal relief valves, bursting discs, PVV, blow-off hatches, thermal relief valves, etc.): This will act in case the instrument safeguarding system fails.


Instrumented Protective System

An Instrumented Protective System (IPS), also called an Emergency Shutdown System (ESD), protects all personnel and equipment in the facility from injury and damage in the event of a site emergency or equipment failure. The system utilizes a number of different protective devices such as gas detectors, flame sensors and emergency shutdown devices to automatically shut down equipment in the area, as directed by the Cause & Effect matrix.
Field instruments connected to the IPS use 4-20 mA analog electrical signals for trip and HART communication for diagnostics. Transmitters are connected to PLC analog input modules. Trip settings are implemented in the PLC software.

ESD / MOS Panel

The ESD/MOS panel is equipped with Emergency Shutdown Pushbuttons, Group Maintenance Override Enable Switches and status lamps for the Station Process Facilities and Fire & Gas detection. All the Emergency Shutdown Pushbuttons, Group Maintenance Override Enable Switches and status lamps are hardwired to the Instrumented Protective System and Fire & Gas Detection System.

Fire & Gas Detection System

  • Manual Call Points with break glass units
  • Flame detectors (ultraviolet sensitive)
  • Heat detectors (infrared sensitive)
  • Combustible gas detectors
  • H2S gas detectors
  • Smoke detectors (ionizing and optical types)
  • Fusible plug system with pressure transmitters

Each detection channel giving a shutdown action is provided with a Maintenance Override Switch (MOS) for testing and maintenance purposes. The switches are activated by means of soft keys from the HMI. Only inputs have MOS; outputs and manual initiators do not.
All operating and maintenance personnel must know the location of and how to use portable fire extinguishers, safety showers, breathing equipment and manual call point locations. Portable fire extinguishers are installed in all buildings and at specific locations throughout the facility.
-Isolate all inlet lines.
-Stop all rotating equipment (by isolating electric power).
-Isolate equipment containing significant amounts of hydrocarbons.
-De-pressurize equipment and piping containing gas.

Heat & Flame Detectors

Another resource available against fire lies with the part of the Fire and Gas Protection System that detects flame and heat through the use of ultraviolet (UV) or infrared (IR) detectors. The detectors are placed so that the fire hazard on the equipment is completely covered by the detection system. The hazards are areas where oil/gas leakage is likely and areas where known sources of ignition are in close proximity to flammable materials. The temperature set points of the detectors are determined to be the minimum for prompt detection.
When flame is detected by 1 out of 2 detectors on a unit, a “Flame Detected” alarm will sound on the HMI to alert control room personnel. When heat or flame is detected by 2 out of 2 detectors on a unit, “Station Fire/Gas ESD” and “Confirmed Fire” alarms will be initiated. The facility will shut down to a fail-safe condition according to the appropriate Cause and Effect diagrams. When a “Confirmed Fire” shutdown is initiated, “Fire/Combustible Gas Detected” audible sirens and lighted beacons will be activated.

Combustible Gas Detectors

These sensors are used to detect escaped gas from a source close to operating equipment. When gas is detected by a local sensor at a concentration of either 20% or 50% of LEL (Lower Explosive Limit), a “Gas Detected 20% Leakage” or “Gas Detected 50% Leakage” alarm is sounded on the HMI graphic showing the sensor location and gas concentration.
If more than one sensor on a unit measures 50% LEL, a “Gas Confirm” alarm is sounded and a facility shutdown is automatically initiated. When a “Gas Confirm” shutdown is initiated, “Fire/Combustible Gas Detected” audible sirens and lighted beacons will be activated.

Hydrogen Sulphide (H2S) Gas Detectors

H2S detectors are also used to detect escaped hydrogen sulphide gas from sources close to the operating equipment. H2S gas can be lethal at much lower concentrations than other gases, so a great deal of caution is required. 100 ppm is the commonly accepted IDLH level of this gas.
When H2S is detected by one of the local sensors at a concentration of either 10 ppm or 20 ppm, a “10 ppm Detected” or “20 ppm Detected” common alarm is sounded on the HMI graphic showing the sensor location and gas concentration. If more than one sensor on a unit measures 20 ppm, an “H2S Confirm” alarm is sounded and a facility shutdown is automatically initiated.
When a “H2S Confirm” shutdown is initiated for an area, an audible alarm signifying “Station Evacuation – H2S Gas Detected” is initiated and lighted beacons and building sirens will be activated.
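
The voting rules from the three detector sections above, written out as an added example (not part of the original article, and not site or vendor logic). The instrument tags are hypothetical, and the MOS handling is an assumption: an overridden channel still alarms but cannot vote toward a shutdown, and the result reports when overrides leave too few voting channels to reach the vote.

```python
from dataclasses import dataclass

# Set points and alarm texts quoted in the article:
# (pre-alarm, high alarm, per-sensor alarm text, confirm alarm text).
GAS = {
    "LEL": (20.0, 50.0, "Gas Detected {}% Leakage", "Gas Confirm"),
    "H2S": (10.0, 20.0, "{} ppm Detected", "H2S Confirm"),
}

@dataclass
class Channel:
    tag: str            # hypothetical instrument tag
    value: float        # % LEL, ppm, or 1.0/0.0 for a flame detector
    mos: bool = False   # Maintenance Override Switch set from the HMI

def _votes(channels, threshold):
    """Count channels at or above threshold that are allowed to vote.
    Assumption: a channel under MOS still alarms but cannot vote to trip."""
    return sum(1 for c in channels if c.value >= threshold and not c.mos)

def _result(channels, alarms, shutdown, needed):
    overridden = [c.tag for c in channels if c.mos]
    # Defeated: so many inputs are overridden that the vote can never be met.
    defeated = len(channels) - len(overridden) < needed
    return {"alarms": alarms, "shutdown": shutdown,
            "overridden": overridden, "vote_defeated": defeated}

def evaluate_gas(kind, channels):
    """Per-sensor alarms at both set points; shutdown when more than one
    sensor on the unit is at the high set point."""
    low, high, text, confirm = GAS[kind]
    alarms = []
    for c in channels:
        if c.value >= high:
            alarms.append((c.tag, text.format(int(high))))
        elif c.value >= low:
            alarms.append((c.tag, text.format(int(low))))
    shutdown = _votes(channels, high) > 1
    if shutdown:
        alarms.append(("UNIT", confirm))
    return _result(channels, alarms, shutdown, needed=2)

def evaluate_flame(channels):
    """Two detectors per unit: 1 out of 2 alarms, 2 out of 2 shuts down."""
    alarms = [(c.tag, "Flame Detected") for c in channels if c.value >= 1.0]
    shutdown = len(channels) == 2 and _votes(channels, 1.0) == 2
    if shutdown:
        alarms += [("UNIT", "Station Fire/Gas ESD"), ("UNIT", "Confirmed Fire")]
    return _result(channels, alarms, shutdown, needed=2)

if __name__ == "__main__":
    # Constructed readings: two sensors above 50% LEL, one of them under MOS.
    unit = [Channel("GD-101", 55.0), Channel("GD-102", 62.0, mos=True),
            Channel("GD-103", 12.0)]
    print(evaluate_gas("LEL", unit))
```

In the constructed readings, the override on GD-102 is the only thing preventing a “Gas Confirm” shutdown, which is why active overrides are returned alongside the alarms rather than hidden.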

Fusible Plug Loop

  • A fusible ring is fitted around the outside of the tank and forms part of the fire detection system by actuating the low pressure switches (2 out of 3) when a fusible plug melts due to the heat of a fire.
  • The fusible plug ring system is kept under pressure. In case of fire or other heat generation, the plugs melt and air escapes through them. When air is released through a fused plug, the low air pressure generates an alarm and shuts down the respective equipment.
  • In certain cases, actuation of the fusible plug system starts the fire water pumps and starts foam injection into the tank that is on fire.
  • A foam injection line enters the top side of the tank below the oil level, and injects foam in the event of a fire within the tank.
  • The fusible plug system must be recharged once it has actuated.


Process Safe Guarding System

Normal plant control system - Level 1
Instrumented safeguarding system - Level 2
Mechanical (ultimate) safeguarding system - Level 3

Normal plant control system

This is the normal control system to maintain the process operation within its normal operating limits.
FIC, TIC, PIC, LIC, FDIC, speed controllers, etc.

Instrumented safeguarding system

The instrumented safeguarding system will act in case the plant control system fails.
It also includes fusible plug systems, fire and smoke detectors, etc.
It will activate PSD/ESD if initiated.

Mechanical safeguarding system

This will act in case the instrumented safeguarding system fails. This is the ultimate safeguarding system
(includes normal relief valves, bursting discs, PVV, blow-off hatches, thermal relief valves, etc.).

Venting / Flaring

Venting too much gas can cause incomplete combustion at the flare tip, with large amounts of environmentally unfriendly black smoke. When venting, regulate the amount of gas going to flare so as to minimize this.


  • The asphyxiating effects of inert gas
  • Volatile vapours given off from a liquid
  • Protection of reception vessels from over-pressuring or over filling
  • Drainage of “dead-legs” on vessels and equipment
  • Disposal of contaminated fluids



  • The contents of the pressure system
  • The physical layout of the system or change in elevation
  • The asphyxiating effect of purge gas
  • Minimizing the volume of toxic or flammable fluids released to the environment
  • The stratification or mixing effects between fluids and purge gas if purge rates are not properly controlled


Equipment Isolation

  • Test each part of the isolation separately; for example, test both valves of a double block and bleed.
  • Test each part to the highest pressure that can be expected.
  • The procedure for installing the isolation will clearly specify the duration of all tests and the acceptable leakage rate if applicable.
  • Personnel working on the plant after the isolation must be able to satisfy themselves of the integrity of the isolation before proceeding. This is done by a formal method for complex isolations with the issuing of an isolation certificate and a certified blanks list. For simple isolations, the isolation is recorded on the work permit.
  • If the isolation is to be used for more than one shift or is to be left in place unattended, the isolation must be monitored on a regular basis by operation technicians. This can be achieved by observation of bleeds, vents and pressure gauges between parts of the isolation at periodic intervals.
  • If the isolation fails to test satisfactorily, the situation will be immediately reassessed. To proceed safely, a larger section of the plant may need to be shut down to secure a satisfactory isolation.

All human activity is prone to error, and there will never be a situation where 100% safety is achieved.
Nevertheless, this must still be the ideal aim of safety activity.
