Safety Instrumented System

The document is an engineering specification from PDVSA (Petróleos de Venezuela S.A.) that establishes requirements for safety instrumented systems. It adopts the international standard ISA 84.01, with some modifications, additions and deletions. The specification defines safety instrumented systems and their components. It also provides additional definitions for terms related to risk assessment and safety analysis.


PDVSA

ENGINEERING DESIGN MANUAL


VOLUME 9–II

ENGINEERING SPECIFICATION

PDVSA N° TITLE

K–336 SAFETY INSTRUMENTED SYSTEMS

REV.  DATE    DESCRIPTION            PAG.  REV.  APPD.  APPD.
2     OCT.02  Modified Fig.1         11    N.L.  Y.K.   R.R.
1     FEB.99  ADOPTION OF ISA 84.01  11    Y.K.  A.A.   J.E.R.
0     AUG.94  APPROVED               15    L.T.  E.J.   A.N.

APPD. BY: Youhad Kerbaje   DATE: OCT.02
APPD. BY: Raúl Rivero      DATE: OCT.02

© PDVSA, 1983   ESPECIALISTAS


ENGINEERING SPECIFICATION PDVSA K–336
SAFETY INSTRUMENTED SYSTEMS
REVISION 2, DATE OCT.02
Page 1

Index
1 PURPOSE (p. 2)
2 SCOPE (p. 2)
3 REFERENCES (p. 2)
3.1 Petróleos de Venezuela S.A. (PDVSA) (p. 2)
3.2 The International Society for Measurement and Control (ISA) (p. 2)
3.3 American Petroleum Institute (API) (p. 2)
4 MODIFICATIONS, ADDITIONS AND DELETIONS (EXCEPTIONS) OF ISA 84.01 (p. 3)

1 PURPOSE
The purpose of this specification is to provide Engineers and Vendors with the requirements for the design and supply of Safety Instrumented Systems for PDVSA Oil and Gas facilities, including utility systems. It is not intended for use in petrochemical facilities, so appropriate advice should be sought for those.
This specification is not applicable to PDVSA storage tank, truck loading or marine terminal facilities, pilot plants, gasoline service stations and other non-industrial facilities.

2 SCOPE
ISA–S84.01–1996 has been accepted by PDVSA as its standard for Safety Instrumented Systems, with the amendments indicated in this document. All modifications comply with PDVSA requirements and are listed herein according to the corresponding ISA S84.01 Standard clause number.
The requirements of this specification are modifications, additions and/or deletions (exceptions) to ISA–S84.01–1996, Application of Safety Instrumented Systems for the Process Industries. The section, paragraph, clause, table and figure numbers and the associated headings used in this specification correspond to those used in ISA–S84.01–1996. Since this specification does not take exception to all the requirements in ISA S84.01, the section/paragraph/clause/table/figure numbers in this specification may not be sequential. It is clearly understood that sections, paragraphs, clauses, tables or figures of ISA 84.01 not mentioned in this specification have been adopted without changes.

3 REFERENCES
3.1 Petróleos de Venezuela S.A. (PDVSA)
K–300 Introduction to PDVSA Instrumentation
IR–P–01 Safety Interlock Systems, Emergency Isolation, Emergency Depressurization and Emergency Venting Systems
IR–S–02 Criterios para el Análisis Cuantitativo de Riesgos
SI–S–01 Gerencia de la Seguridad de los Procesos – Lineamientos Corporativos
3.2 ISA, The International Society for Measurement and Control
S84.01 Application of Safety Instrumented Systems for the Process Industries
3.3 American Petroleum Institute (API)
Spec. 6D Specification for Pipeline Valves (Gate, Plug, Ball, and Check Valves)
Std. 607 Fire Test for Soft-Seated Quarter-Turn Valves

4 MODIFICATIONS, ADDITIONS AND DELETIONS (EXCEPTIONS) OF ISA 84.01
Clause 1. Scope

Fig 1. DEFINITION OF SAFETY INSTRUMENTED SYSTEM (SIS) [figure: block diagram with the labels Sensors, Logic Solver and Final Elements (the SIS), SIS User Interface, and Basic Process Control System]

Add the following item:
1.1.4 The SIS alarm system shall be an integral part of this specification.
Clause 3. Definition of terms and acronyms
Numeral 3.1.39: The following phrase shall be added: This term is equivalent to
“Fraction Dead Time”, FDT.
The following definition shall be added to this clause:
3.1.65 Hazardous Event: an event involving equipment performance, a human action, or an element or agent external to a system, which causes a deviation from the system's normal performance. This only happens when there is a demand and the SIS is in a fault mode.
3.1.66 Probability of Demand: a numeric value that represents the
chance of demand occurrence.
3.1.67 Risk Reduction Factor (RRF): the SIS ability to mitigate a process risk. The Risk Reduction Factor is defined as the inverse of the average Probability of Failure on Demand (PFD): RRF = 1/PFD. Thus, SIL levels may also be determined by the RRF within the following ranges: SIL 1 [10, 100], SIL 2 [100, 1000], SIL 3 [1000, 10000].
3.1.68 Risk: Measure of economic loss, environmental damage or
human injury in terms of an accident probability of occurrence
(frequency) and the magnitude of loss, environmental damage or
injuries (consequences).
3.1.69 Fault Tree: a graphic representation of the logic relationship of
equipment failure and human errors that might result in an
accident. The main purpose of the Fault Tree is to determine if the
proposed design is acceptable or not, in terms of complying with
a predetermined reliability or safety standard.
3.1.70 Fault Tree Analysis: a method that identifies all events or
combinations of events (i.e. equipment failure, human errors) that
might create an undesirable situation. It is an inferential technique
that provides the methodology to determine the causes given a
known outcome.
3.1.71 Independent Protection Layer (IPL): a system or subsystem specifically designed to reduce the likelihood or severity of the impact of an identified hazardous event by a large factor, i.e. at least a 100-fold reduction in likelihood. An IPL must be independent of the other protection layers associated with the identified hazardous event, as well as dependable and auditable.
Numeral 3.2: Acronyms.
The following acronyms shall be added to this part:
– FDT: Fraction Dead Time.
– RRF: Risk Reduction Factor.
– FTA: Fault Tree Analysis.
– MOS: Maintenance Override Switches.
– IPL: Independent Protection Layer.
– GSP: Gerencia de la Seguridad de los Procesos.

Clause 4. Safety cycle
Numeral 4.2.2 shall be modified to:
4.2.2 A risk analysis shall be carried out wherein undesirable events for PDVSA are identified. The methods to be used for the risk analysis are Modified HAZOP, a quantitative method, a semi-quantitative method, Tropicalized Matrix or a qualitative method, among others. This analysis shall be carried out by personnel from the risk analysis, Engineering and Operations organizations, using the procedures established in PDVSA IR–S–02.
Numeral 4.2.5: The expression in parenthesis “(See Annex A for guidance)” shall
be substituted by this expression: “(See methods described in numeral 4.2.2 of
K–336)”.
Clause 5. Safety requirements specification development
Numeral 5.3: A new item is added to this numeral
5.2.4 Bypass function(s) requirements.
Numeral 5.4.1 shall be modified to:
5.4.1 The required SIL for each safety function or total system function.
Clause 6. Conceptual design
Numeral 6.2: A new item is added to this numeral
6.2.4 SIS accomplishment in accordance with required SIL shall be
verified. Markov or Reliability Block Diagram Techniques may be
used.
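The SIL arithmetic behind numerals 3.1.67 (RRF = 1/PFD and the SIL bands) and 3.1.71 (an IPL needs at least a 100-fold reduction), together with the Reliability Block Diagram verification that 6.2.4 permits, as an added example that is not part of K–336. It assumes independent failures with no common-cause term in the series/parallel formulas, and resolves a shared band endpoint to the lower SIL; both are assumptions of this example, not statements of the specification.

```python
# Added example, not part of PDVSA K-336: SIL verification arithmetic for
# numerals 3.1.67 (RRF), 3.1.71 (IPL) and 6.2.4 (Reliability Block Diagram).
# RBD formulas assume independent failures, no common-cause term (assumption).
from dataclasses import dataclass
from typing import Optional, Sequence

# SIL bands by RRF as listed in numeral 3.1.67.  The page's closed intervals
# share endpoints; a shared endpoint is resolved here to the lower SIL
# (conservative choice, an assumption of this example).
SIL_BANDS = ((1, 10.0, 100.0), (2, 100.0, 1_000.0), (3, 1_000.0, 10_000.0))

def rrf_from_pfd(pfd: float) -> float:
    """Risk Reduction Factor, RRF = 1/PFD (numeral 3.1.67)."""
    if not 0.0 < pfd <= 1.0:
        raise ValueError("PFD must lie in (0, 1]")
    return 1.0 / pfd

def sil_from_rrf(rrf: float) -> Optional[int]:
    """SIL achieved by an RRF: 0 = no SIL credit, None = above the SIL 3 band."""
    if rrf < SIL_BANDS[0][1]:
        return 0
    for sil, low, high in SIL_BANDS:
        if low <= rrf <= high:
            return sil
    return None  # K-336 tabulates SIL 1 to SIL 3 only

def qualifies_as_ipl(rrf: float) -> bool:
    """Numeral 3.1.71: an IPL must cut likelihood at least 100-fold."""
    return rrf >= 100.0

def pfd_series(pfds: Sequence[float]) -> float:
    """Series blocks (sensor -> logic solver -> valve): any failure fails the
    function, so PFD = 1 - product of the blocks' availabilities."""
    available = 1.0
    for p in pfds:
        available *= 1.0 - p
    return 1.0 - available

def pfd_parallel(pfds: Sequence[float]) -> float:
    """Parallel 1-out-of-N blocks (e.g. a control valve piped in series with
    the ESD valve, numeral 7.4.3.1.1): the function fails only if all fail."""
    product = 1.0
    for p in pfds:
        product *= p
    return product

@dataclass
class SifVerification:
    pfd: float
    rrf: float
    sil: Optional[int]
    ipl: bool

def verify_sif(sensor_pfds: Sequence[float], logic_pfd: float,
               valve_pfds: Sequence[float]) -> SifVerification:
    """Redundant sensors and redundant valves (parallel groups) in series
    with one logic solver; PFD figures are supplied by the caller."""
    pfd = pfd_series([pfd_parallel(sensor_pfds), logic_pfd,
                      pfd_parallel(valve_pfds)])
    rrf = rrf_from_pfd(pfd)
    return SifVerification(pfd, rrf, sil_from_rrf(rrf), qualifies_as_ipl(rrf))
```

Calling `verify_sif([0.02, 0.02], 0.001, [0.02, 0.05])` with constructed PFD figures (not vendor data) yields a PFD of about 0.0024, an RRF of about 417, SIL 2, and IPL credit.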
Clause 7. SIS Detailed design
The following items shall be added to this clause:
7.3.6 The Logic Solver shall be implemented using either pneumatic techniques, electromechanical relays, solid-state/magnetic core technology or microprocessor technology (Programmable Electronic System). The choice depends on the size and complexity of the application, the maintenance facilities available and the future expansion of the system.
7.3.7 The Logic Solver shall be as simple as possible and shall have a
minimum number of components.
7.3.8 All logic equipment utilized in fully pneumatic protective systems shall be field mounted. Electrical pressure switches shall be used to indicate actuation of the systems to the main control house.
7.3.9 Remote manual initiators for pneumatic logic shall use electric
switches and solenoid valves.

7.3.10 Electrical relays shall have a visible indication of relay status.
7.3.11 Relay contacts shall be suitable for the operating ranges of voltages and currents.
7.3.12 Electrical relays shall be securely fastened in their sockets by
screws or clips.
7.3.13 The number of independent Logic Solvers shall be based on the
relation, operation and maintenance of its process unit.
7.3.14 A process unit may include more than one Logic Solver, but its I/O cards shall not contain signals related to another Logic Solver.
7.3.15 Any external connection to the Logic Solver shall not compromise
the protective function or the safety integrity of the Logic Solver
(i.e. printers, maintenance interface, communication interface).
7.3.16 The Logic Solver shall be designed to prevent unauthorized
access to any modification of the protective function, including
bypassing protective devices.
7.3.17 All Logic Solver components shall be suitable for use in the
specified electrical and environmental area classification in which
they are installed.
7.3.18 The scan time of the Logic Solver shall be at most 300 ms. This results in a cycle time from input change to output response of less than 600 ms, even with the spare capacity occupied.
7.3.19 Loss of data communication with the DCS or with any external device (printer, personal computers, etc.) shall not result in trips.
7.3.20 A personal computer shall be included in the requisition of the
Logic Solver. This computer shall only be used for maintenance
purposes and as a Sequence of Event Recorder.
7.3.21 In programmable systems, facilities shall be provided to test the
logic of the program at regular intervals, in order to check the
performance of the system. The procedure shall be subject to
PDVSA approval.
7.3.22 For each shutdown system at least one covered and shrouded
emergency shutdown pushbutton shall be provided. This push
button shall be hardwired to the shutdown system and shall
bypass any override switch. The number of switches, their
functionality and locations shall be subject to PDVSA approval.
7.3.23 The protective instrumentation system manufacturer shall provide
a safe means of isolating elements of the system, including each
individual input and output device, for maintenance and repair,
whilst the remainder of the system continues in normal operation.
Account shall be taken of any redundancy within the system which could feed a component or input/output device with power from more than one source.
7.3.24 The components of the logic power supplies shall be arranged so
as to permit any one of them to be removed for maintenance while
the system stays on line, and under power.
7.3.25 The Logic Solver shall be able to handle the following signals:
• Digital Inputs.
• Digital Outputs
• Analog Inputs.
7.3.26 Analog Inputs shall be of the following types:
• 4–20 mA, passive, 24 Vdc, 2-wire, including those from thermocouples (B, J and K).
• 4–20 mA, active, 24 Vdc, 2-wire.
• Platinum resistance temperature detector (RTD), 3 or 4 wires.
7.3.27 The power for field mounted passive 4 – 20 mA transmitters
connected to the Logic Solver shall be supplied by the Logic
Solver.
7.3.28 Digital Inputs:
• The Logic Solver shall provide the required (“wetting”) voltage
for digital inputs which are connected to switches with voltage
free contacts.
• The Logic Solver shall be provided with open and short circuit
detection per input channel. Exceptions shall be made for field
mounted reset switches, lamp test, acknowledge and reset
switches in local panels and override switches.
7.3.29 Digital Outputs:
• The Logic Solver shall be able to handle the following output types:
  – 24 Vdc for solenoid valves.
  – Interfacing/interposing relays with coil voltage of 24 Vdc and power consumption of 3 watts max.
  – Control room and/or local panel alarm lights with lamp rating of 24 Vdc and power consumption of 3 watts max.
Exceptions to the use of different power levels are mentioned in the Electrical Power Source paragraph.
7.3.30 The Logic Solver shall provide power for the output circuit loads.

7.3.31 Normally De-Energized outputs, except for lamp outputs, shall be provided with open and short circuit and earth fault detection per output channel.
7.3.32 Logic Solvers shall provide hardwired alarms in case of
malfunctioning. Alarms shall be wired as inputs to third party
logging units (annunciators, DCS, etc). As a minimum the
following alarms shall be provided:
• Power supply failure
• Fan failure
• I/O module failure
• Communication failure
• Processor failure
7.3.33 Marshalling cabinets shall be considered during the design stage
of a Logic Solver.
7.3.34 Use of remote I/O shall be approved by the Owner and its effect
on system integrity and reliability shall be determined.
7.3.35 Systems with SIL level 3 or above require appropriate SIS certification by at least one recognized organization, institute or entity, such as TUV, UL, FM or equivalent.
Numeral 7.4 “Field Devices”
At the beginning of numeral 7.4.1.1 the following paragraph shall be added: “The protective system interlock shall be designed fail-safe through normally open (held closed in normal operation), normally energized relays and normally energized solenoid valves under safe process operating conditions.”
Numeral 7.4.1.3: The exception cases mentioned, a through c, shall be approved
by the Owner. Exception “d” shall be changed to: “No communication via digital
network with field devices shall be allowed”.
Numeral 7.4.2.2: Exception a and b shall be approved by the Owner.
Exception “a” shall be modified to read: “In case redundant sensors are needed and there are limitations for their installation, the signal of one of the transmitters connected to the SIS may be transmitted via software link to the BPCS, provided the integrity and reliability of the SIS and BPCS are not compromised at any time”.

Numeral 7.4.3 “Final Control Elements”
The following items shall be added to this numeral:
7.4.3.1.1 In case redundant valves are needed for the SIS, a control valve may be used in series with the emergency shutoff valve.

7.4.3.1.2 Valves for the SIS shall comply with the API 6D and API 607 Standards.
7.4.3.1.3 Where a Control Valve functions as a Final Element for SIL 1 or higher, the SIS shall have priority over the BPCS.
7.4.3.1.4 SIS Valves classified as SIL 1 or higher shall not be provided with a hand wheel or a bypass, as these increase the unrevealed failure rate of the final element.
7.4.3.1.5 SIS Valves classified as SIL 1 or higher should be air operated and spring loaded, or have potential energy stored in the actuator itself, to assure the capability to go to a predetermined safe state in the event of a specific malfunction.
7.4.3.1.6 Electric motor operated valves without spring return shall not be used as the only final element for SIL 1 or higher.
Numeral 7.5 “Interfaces”
A new numeral 7.5.1.4 shall be added to read: Application changes on line shall
not be allowed. In case that it is required to make changes on line, a procedure to
guarantee the system safety shall be established.
Numeral 7.6 “Power Sources”
The following items shall be added:
7.6.2 Electrical power source redundancy, if required, shall be provided
either by using an alternate source with automatic transfer, an
uninterruptible power supply (UPS), or battery backup by an
alternate source.
7.6.3 Circuit breakers and fuses shall be coordinated for selective operation, such that the electrical protective device closest to the fault operates first.
7.6.4 Input and Output modules or racks shall be designed to have
separate power distribution and fused to minimize common cause
failure in case of a wiring fault. The fuses shall be properly sized
in order to assure minimum impact on system performance in
case of short circuit.
7.6.5 Fuses for sensors and final elements shall be located within the
Logic Solver cabinets.
7.6.6 Power supply to field devices shall be 24 Vdc unless voltage drops of more than 3 volts occur. Under such circumstances alternate voltage levels (125 Vdc) may be considered. Mixing of voltage levels within a system is not allowed.
7.6.7 All systems shall be fused immediately adjacent to the distribution bus. On ungrounded systems both conductors shall be fused. Miniature circuit breakers and/or disconnect switches shall be used. Each individual sensor and actuator circuit shall be separately fused. Circuit breakers and fuses shall be coordinated such that the protective device nearest to the fault operates first.
7.6.8 Separate fusing shall be provided for indication lights and test
circuits.
7.6.9 DC power systems shall be fully isolated from ground and shall be provided with ground fault detectors per power supply line. Additionally, the grounding system shall be designed to meet manufacturer requirements.
7.6.10 All electrical installation must satisfy NEC requirements.
Numeral 7.9.3: The word “or” shall be deleted from item b and c.
Numeral 7.9.4: The following new numerals shall be added after this numeral.
7.9.5 Start–up bypass (operational overrides) shall be individual and
may be implemented by means of timers.
7.9.6 Each protective system circuit linked to an initiating contact or actuating device shall be provided with its own individual security key-operated switch, to enable testing of the interlock system without disrupting the process or equipment.
7.9.7 Each bypass switch shall be separate and it must not interfere with
other devices of the protective system.
7.9.8 A manual emergency shutdown pushbutton shall be automatically
reset when it is bypassed for testing purposes only.
7.9.9 For multiple sensors applications the use of by–pass switches is
optional.
7.9.10 Instrument maintenance bypass shall be implemented separated
from operational overrides.
7.9.11 Factory Acceptance Test shall be performed.
Clause 8. Installation, commissioning, and pre–startup acceptance test
Numeral 8.4: for Item “K” add the following: Also referred to as Site Acceptance Test (SAT).
Clause 10. SIS Management of Change (MOC)
Numeral 10.2.1: Accepted with this addition: “Guidelines established in PDVSA SI–S–01, ‘Gerencia de la Seguridad de los Procesos – Lineamientos Corporativos’, shall be followed.”
Numeral 10.2.2: Item “b”: add “environment”.
This section covers PDVSA requirements for the design, specification, installation and commissioning of alarms and Safety Interlock Systems (SIS). All guidelines of the specification PDVSA K–300 shall also be explicitly followed.

It is intended that the designer shall be capable of applying a rigorous analysis to special or unusual problems. In such cases, the designer is responsible for demonstrating the validity of the approach in the presence of PDVSA.
