Process Safety Engineering

Emergency Shutdown System Design (ESD)

API RP 14C / NORSOK S-001 tiered ESD architecture for safe rapid isolation and depressurisation

Technical overview

Emergency Shutdown System design, particularly on offshore platforms, LNG facilities and refinery complexes, implements tiered logic that progressively isolates, depressurises and inerts process inventories as the severity of the credible accident scenario grows. The dominant frameworks are API RP 14C (SAFE-chart based offshore ESD), NORSOK S-001 (the Norwegian Continental Shelf technical-safety standard, widely adopted internationally for FPSOs and complex topsides) and IEC 61511 (the process-sector functional-safety lifecycle, applied onshore and offshore). One common tier convention runs ESD-0 (Abandon Platform / Total Site Shutdown), ESD-1 (Process Shutdown, all hydrocarbon handling), ESD-2 (Unit Shutdown, partial) and ESD-3 (Equipment Shutdown, local SIF), with cause-and-effect logic linking each initiator (F&G detection, manual pushbutton, process SIF) to its executive actions (block-valve closure, depressurisation, pump trip, fire-pump start, deluge activation). Modern design also integrates blowdown-line sizing and flare-system simultaneity per API Std 521 (formerly RP 521), HIPPS per API RP 17O as an ESD alternative for subsea and high-pressure service, and a cybersecurity overlay per IEC 62443 so that the logic solver and its engineering access cannot be defeated from the business network.

Engineering process

Emergency Shutdown System Design (ESD) workflow

ESD Scope & SIL Allocation Review

Define ESD scope from PHA/LOPA output — ESD-0 (total), ESD-1 (process), ESD-2 (unit), ESD-3 (sub-unit); allocate a SIL to each SIF following the IEC 61511 hazard-and-risk-assessment (PHA/LOPA) workflow; verify scope against the API RP 14C minimum SAFE-chart requirements for offshore installations.

ESD Architecture & Voting Logic

Specify the ESD logic-solver platform (e.g. Triconex, HIMA, Allen-Bradley GuardLogix); design the voting architecture (1oo1D, 1oo2, 2oo3) to match both the SIL target and the spurious-trip tolerance (1oo2 favours safety, 2oo3 balances safety against availability); segregate the ESD from the BPCS per the IEC 61511 independence requirement, so that a BPCS fault or compromise cannot defeat a safety function.

Cause & Effect Matrix Development

Author ESD cause-and-effect matrix linking initiator → ESD level → executive actions (valve closure, motor trip, equipment isolation); review for completeness against PHA scenarios; specify reset and override logic per IEC 61511 manual-operation requirements.

Final Element & Sensor Specification

Specify ESD valves (ball / gate / butterfly) with fire-safe rating per API 607 (soft-seated quarter-turn) or API 6FA (metal-seated), and partial-stroke-test capability for SIL ≥2; specify sensors (pressure, temperature, level, gas) with FMEDA failure-rate data; verify hardware fault tolerance against the SIL target (IEC 61511 Ed.2 Table 6, or IEC 61508 Route 1H using SFF).

FAT / SAT & Proof-Test Programme

Develop an ESD FAT procedure that exercises the full cause-and-effect matrix; SAT with end-to-end loop testing from sensor to final element; set the proof-test interval from the PFDavg / PFH calculation; design the partial-stroke-test schedule for SIL ≥2 SDV/BDV; specify bypass and override management, including who may authorise a bypass, for how long, and what compensating measure applies while it is in force.

Safety Manual & Cybersecurity Hardening

Compile the ESD Safety Manual covering the operation and maintenance requirements of IEC 61511-1 Clause 16; implement IEC 62443 zone-and-conduit segmentation with the SIS in its own zone, only monitored read-only data flows out to BPCS/historian, and no routable path from the corporate network; control engineering-workstation access (physical program-enable keyswitch plus individual accounts), retain an audit log of every logic download, and route all ESD modifications through MOC.
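The voting, cause-and-effect and bypass steps above can be made concrete with a small executable model. The following Python is an added illustration written for this page; it is not a vendor logic-solver application and not code from the original page. The tier names, tag numbers, executive actions, the "demanding a tier also executes every less severe tier" rule and the 8-hour bypass limit are all assumptions chosen for the example. It shows three things a practitioner checks in a C&E review: that a 2oo3 group degrades to 1oo2 when a channel is bypassed rather than silently losing coverage, that a bypass expires on its own and cannot be stacked with a second one, and that a manual ESD-1 pulls in everything the lower tiers would have done.

```python
"""Toy cause-and-effect (C&E) evaluator for a tiered ESD.

Added illustration only; not a vendor logic-solver program. Tier names,
tag numbers, executive actions and the 8-hour bypass limit are assumed.
"""
from dataclasses import dataclass, field
from enum import Enum


class Ch(Enum):
    NORMAL = "normal"    # healthy, no demand
    TRIP = "trip"        # channel demands a shutdown
    FAULT = "fault"      # detected diagnostic fault (e.g. out of range)
    BYPASS = "bypass"    # maintenance override in force


LEVELS = ["ESD-0", "ESD-1", "ESD-2", "ESD-3"]   # most severe first

# Executive actions per tier (assumed). Demanding a tier also executes
# every less severe tier, so an ESD-1 carries the ESD-2 and ESD-3 actions.
ACTIONS = {
    "ESD-0": {"ESDV-ALL-CLOSE", "BDV-ALL-OPEN", "POWER-ISOLATE"},
    "ESD-1": {"ESDV-INLET-CLOSE", "BDV-HP-OPEN", "EXPORT-PUMP-TRIP"},
    "ESD-2": {"SDV-SEP-IN-CLOSE", "SDV-SEP-OUT-CLOSE"},
    "ESD-3": {"SEP-HEATER-TRIP"},
}

BYPASS_LIMIT_S = 8 * 3600   # assumed site policy: one shift, then auto-expire


def vote(m: int, states: list) -> bool:
    """MooN voting with fail-safe degradation.

    Each faulted or bypassed channel is removed from the vote and M is
    reduced by one (2oo3 -> 1oo2 -> 1oo1). With no healthy channel left
    the group trips rather than silently losing the function.
    """
    removed = sum(s in (Ch.FAULT, Ch.BYPASS) for s in states)
    if removed == len(states):
        return True
    required = max(1, m - removed)
    return sum(s is Ch.TRIP for s in states) >= required


@dataclass
class Initiator:
    tag: str
    level: str                      # tier demanded when the vote is true
    m: int                          # M of MooN
    live: list                      # field state of each channel
    bypass_until: dict = field(default_factory=dict)  # idx -> expiry (s)

    def effective(self, now: float) -> list:
        """Expired overrides drop out automatically; the live state applies."""
        return [Ch.BYPASS if now < self.bypass_until.get(i, -1.0) else s
                for i, s in enumerate(self.live)]

    def demands(self, now: float) -> bool:
        return vote(self.m, self.effective(now))

    def apply_bypass(self, idx: int, now: float, until: float) -> None:
        """Grant an override only within policy: time-limited and at most
        one channel of a voted group at any time."""
        if until - now > BYPASS_LIMIT_S:
            raise ValueError("bypass exceeds time limit; needs MOC, not override")
        if any(now < t for i, t in self.bypass_until.items() if i != idx):
            raise ValueError("another channel of this group is already bypassed")
        self.bypass_until[idx] = until


def executive_actions(initiators, now: float):
    """Return (highest tier demanded, union of actions) from the C&E matrix."""
    demanded = [i.level for i in initiators if i.demands(now)]
    if not demanded:
        return None, set()
    top = min(demanded, key=LEVELS.index)
    acts = set()
    for lvl in LEVELS[LEVELS.index(top):]:
        acts |= ACTIONS[lvl]
    return top, acts


def demo() -> dict:
    """Walk one separator through a bypass window (constructed scenario)."""
    pt = Initiator("PT-101", "ESD-2", 2, [Ch.NORMAL, Ch.NORMAL, Ch.NORMAL])
    hs = Initiator("HS-ESD1", "ESD-1", 1, [Ch.NORMAL])    # manual pushbutton
    out = {}
    pt.live[0] = Ch.TRIP                       # one high-pressure channel only
    out["single_channel"] = executive_actions([pt, hs], now=0)[0]   # 2oo3: no trip
    pt.apply_bypass(1, now=10, until=10 + 3600)  # channel B out for test: now 1oo2
    out["bypassed_trip"] = executive_actions([pt, hs], now=10)
    try:
        pt.apply_bypass(2, now=10, until=10 + 60)  # second override on same group
        out["second_bypass"] = "granted"
    except ValueError:
        out["second_bypass"] = "refused"
    out["after_expiry"] = executive_actions([pt, hs], now=4000)[0]  # back to 2oo3
    hs.live[0] = Ch.TRIP                       # operator hits manual ESD-1
    out["manual"] = executive_actions([pt, hs], now=4000)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The fail-safe choices are the point: a detected channel fault or a bypass reduces the vote rather than removing the function, a fully degraded group trips, and an override that outlives its time limit or stacks on another is refused so that it must go through MOC instead. Real logic solvers implement these rules in certified function blocks; the model is only there to make the C&E review questions explicit.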

Scope of work

Every deliverable — from basis to handover

Complete Emergency Shutdown System Design (ESD) scope — every calculation, drawing, specification, and construction support activity.

ESD tier-structure design — ESD-0 / -1 / -2 / -3 with progressive scope and operator-action expectation
Cause-and-effect matrix linking F&G, manual ESD, process SIFs to isolation / depressurisation / utility actions
Final-element selection — ESDV (Emergency Shutdown Valve), BDV (Blowdown Valve), SDV (Shutdown Valve)
Valve specification — SIL-rated, fail-safe direction, fugitive-emission tightness per ISO 15848
Partial-stroke testing (PST) capability on critical block valves for online diagnostic coverage
Blowdown-line and flare-system simultaneity per API RP 521
HIPPS (High-Integrity Pressure Protection System) design per API 17O for subsea / high-pressure
Manual ESD pushbutton placement per NORSOK S-001 with HF / siting study
Bypass / inhibit management with time-limit governance and compensating-measure logic
Cybersecurity zone-and-conduit per IEC 62443 with secure remote-access design
Engineering outcomes

Outcomes of Emergency Shutdown System Design (ESD)

ESD Functional Integrity Assurance
  • Achieves fast, deterministic isolation across credible major-accident scenarios
  • Drives blowdown design that prevents BLEVE / vessel rupture cascades
  • Closes the silent partial-stroke-test gap on critical block valves
  • Anchors the post-Macondo (Deepwater Horizon) emergency-shutdown discipline
IEC 61511 / API 14C ESD Defence
  • API RP 14C / NORSOK S-001 audit-defensible design
  • IEC 61511 Ed.2 lifecycle compliance
  • Withstands BSEE / HSE / PSA Norway (now Havtil) / DGH offshore regulator examination
  • Aligns with IEC 62443 cybersecurity requirements
Nuisance-Trip & Availability Optimisation
  • Reduces spurious-trip frequency through MTTFS-aware architecture
  • Enables online partial-stroke testing on critical ESDVs
  • Sharpens bypass governance preventing creeping-impairment patterns
  • Improves post-trip restart efficiency with documented restart logic
SIL Allocation & Trip-Rate Efficiency
  • Right-sizes SIL claim and valve specification
  • Cuts spurious-trip business-interruption cost — typically 50–80% reduction
  • Reduces capex through PST credit eliminating offline test scope
  • Trims underwriter loadings on high-hazard ESD-dependent assets