Engineering Standard 20 July 2022

SAES-J-601
Emergency Shutdown and Isolation Systems
Document Responsibility: Process Control Standards Committee

Previous Revision: 12 July 2017 Next Revision: 20 July 2027


Contact: (damlax0a) Page 1 of 49
© Saudi Arabian Oil Company, 2022

Saudi Aramco: Company General Use


Contents

Summary of Changes ... 4
1 Scope ... 11
2 Conflicts and Deviations ... 11
3 References ... 11
3.1 Saudi Aramco References ... 11
3.2 Industry Codes and Standards ... 13
4 Terminology ... 14
4.1 Acronyms ... 14
4.2 Terms ... 16
5 General Design Guidelines ... 20
5.1 ESD Shutdown Levels ... 21
5.2 SIL Assignment ... 22
5.3 Safety Instrumented Functions ... 22
5.4 Prescriptive ESD Functions ... 22
5.5 Potential SIFs ... 22
5.6 Segregation ... 23
5.7 Failure Modes ... 24
5.8 High Integrity Protection Systems (HIPS) ... 24
6 Input Devices ... 24
6.1 Design Requirements for Input Devices ... 25
6.2 Process Taps and Connections ... 26
6.3 Multiple ESD Functions ... 27
6.4 Redundant ESD Devices ... 27
6.5 Time Delays and Filters ... 28
6.6 Shutdown and Reset Buttons ... 28
6.7 ESD Input, Output and Startup Bypasses ... 30
6.8 Process Pre-Trip Alarm Requirements ... 32
7 ESD Systems and Auxiliary Equipment ... 34
7.1 Programmable Controller Based ESD Systems ... 34
7.2 Solid-State ESD Systems ... 34
7.3 Wellhead Emergency Shutdown System (WESD) ... 34
7.4 Power Supplies ... 34
7.5 Sequence of Events (SOE) and First Out Alarm ... 35
7.6 Input and Output Signal Isolation ... 35
7.7 Wiring Methods, Grounding and Ground Fault Detection Systems (GFD) ... 35
7.8 ESD Communications to DCS/BPCS ... 36
7.9 ESD Peer to Peer Communications ... 37
8 Final Shutdown Devices ... 38
8.1 ZV General Guidelines ... 38
8.2 ZV Design ... 39
8.3 ZV Actuators ... 40
8.4 ZV Actuator Accessories ... 40
8.6 Power Sources for ZV Actuators ... 41
8.7 ZV Local Control ... 41
8.8 Block and Bypass Valves ... 42
9 Documentation ... 43
9.1 Design Verification ... 43
9.2 Application Logic Design Documentation (Ref. SAES-J-003) ... 43
9.3 System Design Documentation ... 44
10 Application Logic ... 45
11 Testing and Validation ... 46
11.1 ESD System Validation ... 46
11.2 Testing During Project Execution (Ref SAEP-750) ... 46
11.3 Periodic Testing of Field Devices ... 47
11.4 Periodic Testing of Shutdown Logic ... 48
12 Management of Change to ESD Systems ... 48
Document History ... 49

© Saudi Arabian Oil Company, 2022 Page 3 of 49

Saudi Aramco: Company General Use


Document Responsibility: Process Control Standards Committee SAES-J-601
Issue Date: 20 July 2022
Next Revision: 20 July 2027 Emergency Shutdown and Isolation Systems

Summary of Changes

Paragraph Number (Previous Revision, 12 July 2017 -> Current Revision, 20 July 2022) | Change Type (Addition, Modification, Deletion, New) | Technical Change(s)

1.1 -> 1.1 | Modification | Added the term Safety Instrumented Systems (SISs)
1.2 -> 1.2 | Modification | Editorial; added requirement to develop Safety Requirement Specification (SRS)
1.3 -> 1.3 | Modification | Editorial
1.4 -> 1.4 | Modification | Editorial
3.1 -> 3.1 | Modification | Upgrade of referenced standards
4.1 -> 4.1 | Modification | Addition of 9, modification of 1 and deletion of 1 abbreviations.
4.2 -> 4.2 | Modification | Addition of 6 definitions, modification of 10 and deletion of 3.
5 -> 5 | Modification | Introduction of the requirement that the SIF response time be within the hazard Process Safety Time. Expanding how SIFs with RR < 10 are dealt with. Deletion of the requirement for a prescriptive SIF to trip critical rotating equipment using drivers of 1000 HP or more, since this is already included in the referenced SAES-B-058.
5.1 -> 5.1 | Modification | Editorial
5.2 -> 5.2 | Modification | Editorial
5.3 -> 5.3 | Modification | Removal of reference to a predefined test interval and addition of the requirement to use the test interval utilized in the SIL Verification calculations.
5.4 -> 5.4 | Modification | Removal of examples of prescriptive SIFs and application. Adding referral to relevant Company standards for prescriptive SIFs.
5.5 -> 5.5 | Modification | Removal of potential SIFs and replacing them with a description of what could be a SIF.
5.5.3 -> 5.5.6 | Modification | Editorial
5.6.1 -> 5.6.1 | Modification | Editorial
5.6.2 -> 5.6.2 | Modification | Editorial
5.6.3 -> 5.6.3 | Modification | Editorial
5.7.1 -> 5.7.1 | Modification | Distinguishing ZVs from EIVs, adding the requirement for energize-to-trip and the expected functionality of the logic solver output module.
5.7.2 -> 5.7.2 | Modification | Editorial
5.7.4 -> 5.7.4 | Modification | Editorial
6.1.1 -> 6.1.1 | Modification | Deletion of the expression "smart ZV". The word smart only appears as a description of "smart transmitter".
6.1.13 -> 6.1.2 | Modification | Sequence figure change
6.1.6 -> 6.1.6 | Modification | Allowing a delay on trip for transmitter failure as long as it does not extend beyond the PST.
6.1.3 -> 6.1.4 | Modification | Editorial
6.1.4 -> 6.1.5 | Modification | Editorial
6.1.7 -> 6.1.8 | Modification | Editorial
6.1.8 -> 6.1.9 | Modification | Editorial
6.1.10, 6.1.14 -> 6.1.10, 6.1.14 | Modification | Removal of material specification from this engineering standard.
6.1.11 -> 6.1.12 | Modification | Editorial
- -> 6.4.2 | Addition | Use of multiple measurement voting architecture imposed by prescriptive standards.
6.4.2 -> 6.4.3 | Addition | Requirement to use I/O modules in separate racks, if available, for voted signals.
6.4.4 | Addition | Requirement for HFT of 1 for SIL 3
6.5.1 -> 6.5.1 | Deletion | Editorial
6.5.2 -> 6.5.2 | Addition | Addition of a commentary note explaining that a time delay introduced to a SIF should not increase the SIF response time beyond the PST.
6.6.1.3 -> 6.6.1.3 | M, A | Editorial + addition of an exception for remote activation of an HMI shutdown.
6.6.2.3 -> 6.6.2.3 | Modification | Editorial
6.7.5 -> 6.7.1 | Modification | Change location of clause only.
6.7.1.1 -> 6.7.2.1 | Modification | Removal of the commentary note that restricts bypass switches for push/pull buttons
6.7.1.3 -> - | Deletion | Removal of this clause, which restricted bypass switch activation to only when the process is running in the normal operating range.
6.7.1.4 -> 6.7.2.3 | Modification | Change numbering and eliminate the requirement to have an external light to indicate the presence of a bypass switch. Adding the requirement to have a common bypass/force status indicator on all graphic screens.
6.7.1.5 -> 6.7.2.4 | Modification | Change numbering only.
6.7.1.6 -> 6.7.2.5 | Modification | Change numbering only.
6.7.1.7 -> 6.7.2.6 | Modification | Change numbering and removal of the requirement to initiate an alarm to activate or deactivate a bypass switch.
6.7.2.1 -> 6.7.3.1 | Modification | Editorial
6.7.3 -> 6.7.4 | Modification | Editorial
6.7.3.3 -> 6.7.4.3 | Modification | Editorial + adding an example of automatic bypass application
6.7.5 -> - | Deletion | Moved to become 6.7.1
6.7.4 -> 6.7.5 | Deletion | Deletion of the requirement to initiate an alarm when a force is applied.
- -> 6.7.5.1 | Modification | Adding a number to this clause. Removal of text requiring the activation of an alarm in the system if a force is activated. The forcing alarm is addressed in new clauses 6.7.5.2 and 6.7.5.3.
- -> 6.7.5.2 | Addition | New clause adding the requirement to illuminate the common bypass/force status indicator on all graphic screens when any I/O is forced.
- -> 6.7.5.3 | Addition | New clause adding the requirement that every forcing action be archived in the event log.
7.1 -> 7.1 | Addition | Addition of 2oo4D system to align with 34-SAMSS-623 (ESD)
7.2 -> 7.2 | Deletion | Removal of all references to relay based ESD systems and associated engineering.
7.3 -> 7.3 | Modification | Removed reference to 34-SAMSS-624 and introduced reference to 34-SAMSS-630
- -> 7.4.4 | Addition | New subsection for the power supply to ESD systems in remote areas where a UPS is not a possibility
7.5 -> 7.5 | Modification | Editorial
7.6.3 -> 7.6.3 | Modification | Removal of material specification from this engineering standard.
7.8.1 -> 7.8.1 | Modification | Editorial
7.8.2 -> 7.8.2 | Modification | Editorial and reference to SAES-Z-001
7.9.4 -> - | Deletion | Section deleted as its contents are covered by 7.9.2
8.b -> 8.b | Modification | The use of interposing relays to interface ESD system outputs to final elements that operate at a different voltage explained.
8.1.2 -> 8.1.2 | Modification | Removal of non-applicable standards.
8.2.2 -> 8.2.2 | Deletion | Removal of material requirement for ZVs from this engineering document.
8.2.4 -> 8.2.4 | Addition | Explaining the location of a ZV
8.2.6 -> 8.2.6 | Modification | Editorial
8.3.1 -> 8.3.1 | Modification | Editorial
8.3.2 -> 8.3.1 | Modification | Editorial
8.3.3 -> 8.3.3 | Modification | Inclusion of backup power supply in the SIL Verification
8.3.5 -> 8.3.5 | Deletion | Removal of material requirement for ZVs from this engineering document.
8.4 -> 8.4 | Modification | Editorial
8.4.2 -> 8.4.2 | Modification | Editorial
8.4.3 -> 8.4.3 | Deletion | Removal of material requirements specified in SAMSS
8.4.4 -> 8.5 | Modification | Introducing the requirement that the SIF response time should be less than the process safety time.
8.5, 8.5.1 -> 8.6, 8.6.1 | Modification | Editorial
8.5.1.1 -> 8.6.1.1 | Modification | Editorial
8.5.1.3 -> 8.6.1.3 | Modification | Removal of a wrongly placed requirement for PZVs, since clause 8.5 is about Power Sources for ZV Actuators.
8.5.1.4 -> 8.6.1.4 | Modification | Removal of the assumptions of bad quality instrument air.
8.5.2 -> 8.6.2 | Addition | Refinement of the description of the hydraulic fluid accumulator
8.5.3 -> - | Deletion | Deleting the allowance to use pipeline gas as a source of power for valve actuators (environmental)
8.5.4 -> 8.6.4 | Modification | Editorial
8.6.1 -> 8.7.1 | Modification | Modifying the requirement for a ZV local control panel to apply only to ZVs that require partial stroke testing.
- -> 8.7.2 | Addition | Clarifying that for redundant processes partial stroking of ZVs is not required.
8.6.2, 8.6.3, 8.6.4, 8.6.5 -> 8.7.3, 8.7.4, 8.7.5, 8.7.6 | Modification | Editorial
8.7.4 -> 8.8.4 | Modification | Editorial
9.1.1 -> 9.1.1 | Modification | Editorial
9.1.2 -> 9.1.2 | Modification | Improving the language.
9.3.1, 9.3.2 -> 9.3.1, 9.3.2 | Modification | Addition of more required design documents.
11 -> 11 | Modification | Aligning with SAEP-750 Testing Procedures for Process Automation Systems (PAS)

1 Scope

1.1 This standard defines the minimum requirements for the design, specification,
installation, commissioning, and testing of Emergency Shutdown Systems
(ESD)/Safety Instrumented Systems (SISs), emergency isolation and
depressuring systems and equipment protection systems.

1.2 This standard adheres to the implementation of ESD systems according to
IEC 61511 throughout the SIS Safety Life Cycle including the Assignment and
Verification of Safety Integrity Levels (SIL), developing and maintaining Safety
Requirement Specification (SRS) and conducting proof testing of Safety
Instrumented Functions (SIFs).

1.3 SAEP-250 and its referenced standards provide the basis for SIL Assignment
and Verification of the design of ESD SIFs.

1.4 The requirements of this standard also apply to the design of pneumatic,
hydraulic, pneumatic-hydraulic, electro-hydraulic, electric-electric, or
programmable controller based ESD systems for off-shore and on-shore
Wellhead Emergency Shutdown systems tie-in platforms and ESD systems for
packaged equipment.

1.5 Procedural requirements and guidelines governing security for the operations
and maintenance of Emergency Shutdown Systems are contained in SAEP-99.

2 Conflicts and Deviations

Any conflicts between this document and other applicable Mandatory Saudi
Aramco Engineering Requirements (MSAERs) shall be addressed to the EK&RD
Director.

Any deviation from the requirements herein shall follow internal company
procedure SAEP-302.

3 References

All referenced specifications, standards, codes, drawings, and similar material
are considered part of this engineering standard to the extent specified, applying
the latest version, unless otherwise stated.

3.1 Saudi Aramco References

Saudi Aramco Engineering Procedures

SAEP-99 Saudi Aramco Industrial Control System Security

SAEP-250 Safety Integrity Level Assignment and Verification

SAEP-302 Waiver of a Mandatory Saudi Aramco Engineering Requirement

SAEP-354 High Integrity Protection Systems Design Requirements

SAEP-750 Testing Procedures for Process Automation Systems (PAS)

Saudi Aramco Engineering Standards

SAES-B-006 Fireproofing for Plants

SAES-B-009 Fire/Blast Protection and Safety Requirements for Offshore Production Facilities

SAES-B-054 Access, Egress, and Materials Handling for Plant Facilities

SAES-B-057 Safety Requirements: Refrigerated and Pressure Storage Tanks and Vessels

SAES-B-058 Emergency Shutdown, Isolation, and Depressuring

SAES-B-064 Onshore and Nearshore Pipeline Safety

SAES-B-070 Fire and Safety Requirements for Bulk Plants, Air Fueling
Terminals and Sulfur Handling Facilities

SAES-P-103 UPS and DC Systems

SAES-J-003 Instrumentation and Control Buildings - Basic Design Criteria

SAES-J-505 Combustible Gas and Hydrogen Sulfide in Air Detection Systems

SAES-J-602 Boiler and Combustion Systems Hazards Management and Waterside Control

SAES-J-603 Process Heaters Instrumentation, Control, and Safety Systems

SAES-J-607 Burner Management Systems for SRU Trains

SAES-J-901 Instrument and Plant Air Supply Systems

SAES-J-902 Electrical Systems for Instrumentation

SAES-L-108 Selection of Valves

SAES-Z-001 Process Control Systems

Saudi Aramco Materials System Specifications

34-SAMSS-621 ESD Systems - Hardwired - Solid-State (Non-Programmable)

34-SAMSS-623 Emergency Shutdown (ESD) Systems

34-SAMSS-630 Wellhead Emergency Shutdown Systems

34-SAMSS-634 Local ZV Control Systems

34-SAMSS-716 Valve Actuators

34-SAMSS-820 Instrument Control Cabinets

Saudi Aramco Engineering Reports

SAER-5437 Guidelines for Conducting HAZOP Studies

SAER-6460 Bypass Guidelines for Emergency Shutdown Systems

Saudi Aramco Best Practice

SABP-Z-076 Guideline for Development of Safety Requirement Specification (SRS)

3.2 Industry Codes and Standards

American Petroleum Institute

API STD 521 Pressure-Relieving and Depressuring Systems

National Fire Protection Association

NFPA 70 National Electrical Code (NEC)

The International Society of Automation (ISA)

ANSI/ISA S5.2 Binary Logic Diagrams for Process Operations

The International Electrotechnical Commission (IEC)

IEC 61511 Functional Safety - Safety Instrumented Systems for the Process Industry Sector

4 Terminology

4.1 Acronyms

AC Alternating Current

BMS Burner Management System

BPCS Basic Process Control System

CGT Combustion Gas Turbine

CPU Central Processor Unit

DC Direct Current

DCS Distributed Control System

DI Digital Input

DMR Dual Modular Redundant

DO Digital Output

EIV Emergency Isolation Valve

ESD Emergency Shutdown System

FST Full Stroke Test

GFD Ground Fault Detection

HAZOP Hazards and Operability Study

HIPS High Integrity Protective System

HMI Human Machine Interface

IC Initiating Cause

I/O Input/Output

IPL Independent Protection Layer

ISS Instrument Specification Sheet

LOPA Layer of Protection Analysis

MOC Management of Change

MOV Motor Operated Valve

MooN M (number) voted out of N (number ≥ M)

MTBF Mean Time Between Failure

NFPA National Fire Protection Association

PAS Process Automation System

P&ID Piping and Instrument Drawing

PCS Process Control System

PFDavg Probability of Failure on Demand Average

PHA Process Hazards Analysis

PLC Programmable Logic Controller

PSFT Process Safety Time

PST Partial Stroke Testing

RRF Risk Reduction Factor

RTD Resistance Temperature Detector

SCADA Supervisory Control and Data Acquisition

SIF Safety Instrumented Function

SIL Safety Integrity Level

SIS Safety Instrumented System

SOE Sequence of Events

SRS Safety Requirement Specification

SRT Safety Response Time

SRU Sulfur Recovery Unit

STR Spurious Trip Rate

T&I Turnaround and Inspection

TMR Tri-modular Redundant

UPS Uninterruptible Power Supply

WESD Wellhead Emergency Shutdown System

ZV SIF Final Element Power Operated Emergency Isolation Valve

4.2 Terms

Alarm: An audible and/or visible means of indicating to the operator an
equipment malfunction, process deviation, or abnormal condition requiring a
response.

Basic Process Control System (BPCS): A system which provides process
control and monitoring for a facility by responding to input signals from the
process, associated equipment or operators to generate output based on control
functions and desired control strategies, but does not perform any SIF. Examples
of a BPCS include a Distributed Control System (DCS), Supervisory Control and
Data Acquisition (SCADA), and Programmable Logic Controllers (PLCs).

Dual Modular Redundant 1oo2D ESD System (DMR): An ESD system which
uses two separate processors, bus structures, chassis, software and power
supplies to vote signals in a 1oo2 arrangement. A valid input signal on either leg
of the system will initiate the desired logic response via two separate, fail-safe
output modules. A Quad Modular Redundant (2oo4D) ESD system combines two
fault-tolerant 1oo2D processors. The "D" in 1oo2D and 2oo4D denotes the
diagnostic capability of the system to check the voted channels.
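As an added illustration of the 1oo2D definition above and of MooN voting in general (example code, not from SAES-J-601 or any vendor's logic solver), the following Python models how voted channels combine and how channels flagged by diagnostics are taken out of the vote. The degradation rule, the `Channel`/`vote_moon_d` names and the channel states are assumptions constructed for the example.

```python
"""Simplified MooN voting with diagnostic ("D") degradation.

Added example, not part of SAES-J-601 or any vendor's logic solver. It models
how an MooN-voted ESD function combines N input channels and how channels
flagged by diagnostics are removed from the vote. The degradation rule is an
assumption for illustration only: each diagnosed fault lowers the number of
concurring healthy channels required by one (never below one), and when no
healthy channel is left the function trips, i.e. it fails safe. Real logic
solvers implement vendor-specific degradation tables.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class Channel:
    tripped: bool  # the channel's measurement is beyond its trip setpoint
    faulty: bool   # diagnostics have flagged this channel (the "D")


@dataclass(frozen=True)
class VoteResult:
    trip: bool
    architecture: str  # e.g. "1oo2D" or "1oo1D (degraded from 1oo2D)"
    reason: str


def vote_moon_d(channels: Sequence[Channel], m: int) -> VoteResult:
    """Vote N channels MooN, excluding diagnosed-faulty channels."""
    n = len(channels)
    if not 1 <= m <= n:
        raise ValueError(f"need 1 <= M <= N, got {m}oo{n}")
    nominal = f"{m}oo{n}D"

    healthy = [c for c in channels if not c.faulty]
    faults = n - len(healthy)

    # No valid measurement left: the only safe action is to trip.
    if not healthy:
        return VoteResult(True, f"fail-safe (all {n} channels faulty)",
                          "no healthy channel remains, tripping to safe state")

    # Assumed safety-biased degradation: every diagnosed fault lowers the
    # number of concurring channels required, so 1oo2D becomes 1oo1D and
    # 2oo3D becomes 1oo2D after one fault.
    m_eff = max(1, m - faults)
    n_eff = len(healthy)
    arch = nominal if faults == 0 else f"{m_eff}oo{n_eff}D (degraded from {nominal})"

    demanding = sum(1 for c in healthy if c.tripped)
    trip = demanding >= m_eff
    reason = (f"{demanding} of {n_eff} healthy channel(s) demand a trip, "
              f"{m_eff} required")
    return VoteResult(trip, arch, reason)


def demo_cases() -> List[Tuple[str, VoteResult]]:
    """Constructed channel states for a 1oo2D pair and a 2oo3 (TMR) set."""
    ok = Channel(tripped=False, faulty=False)
    demand = Channel(tripped=True, faulty=False)
    bad = Channel(tripped=False, faulty=True)  # its data is ignored by the vote
    cases = [
        ("1oo2D, both legs healthy, no demand", [ok, ok], 1),
        ("1oo2D, one leg demands a trip", [demand, ok], 1),
        ("1oo2D, one leg diagnosed faulty, other healthy", [bad, ok], 1),
        ("1oo2D, both legs diagnosed faulty", [bad, bad], 1),
        ("2oo3D, single channel demand (filtered)", [demand, ok, ok], 2),
        ("2oo3D, two channels demand", [demand, demand, ok], 2),
        ("2oo3D, one faulty, one healthy demand", [bad, demand, ok], 2),
    ]
    return [(label, vote_moon_d(ch, m)) for label, ch, m in cases]


if __name__ == "__main__":
    for label, result in demo_cases():
        print(f"{label:48} -> trip={result.trip!s:5} [{result.architecture}] {result.reason}")
```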

Emergency Depressuring System: A system of valves, piping, actuating
devices, and ESD logic used during an emergency to rapidly and safely reduce
pressure in process equipment by controlled venting to a disposal system such
as a flare, burn pit or storage. Logic for automated emergency depressuring
systems resides within an ESD system. Refer to API STD 521, Guide for
Pressure-Relieving and Depressuring Systems.

Emergency Isolation Valve (EIV): A valve that, in the event of fire, rupture, or
loss of containment, is used to stop the release of flammable or combustible
liquids, combustible gas, or potentially toxic material. An EIV can be either hand-
operated or power-operated (using air, hydraulic, or electrical actuation). Power
operated EIVs can be manually or automatically actuated through an ESD
system or operator actuated by a local and/or remote actuating button,
depending on the design of the facility. A power operated EIV serving as the final
element of a SIF is called ZV on a P&ID, refer to SAES-J-003 for symbols and
identification. Application requirements for applying hand-operated or power
operated EIVs are listed in SAES-B-058 and SAES-B-064.

Emergency Shutdown System (ESD): A system composed of sensors, logic
solvers, and final elements for the purpose of taking the process, or specific
equipment in the process, to a safe-state when predetermined conditions are
violated or when an operator initiates a shutdown. The system is designed to
isolate, de-energize, shutdown or depressure equipment in a process unit.
Another term commonly used throughout the hydrocarbon and petrochemical
industry is a SIS.

Fail-Safe: The capability to go to a predetermined safe-state in the event of a
specific malfunction.

Fail-Steady: Synonymous to fail-in-place or fail-in-last position.

Fault-Tolerant System: A system incorporating design features which enable
the system to detect and log transient or steady-state fault conditions and take
appropriate corrective action while remaining on-line and performing its specified
function.

Fire-Hazardous Zone: A three dimensional space defined by a fire scenario
envelope per SAES-B-006.

First Out Alarm (FOA): ESD logic that discriminates from a group of inputs the
input that tripped first to cause a shutdown.

Ground Fault Detector (GFD): A device that detects a ground fault (earth fault)
i.e. any failure that allows unintended connection of power circuit conductors with
the earth.

Hazardous Event: Event that can cause injury or damage to the health of
people, or damage to property or to the environment. A loss of containment of
flammable, combustible or toxic materials is considered a hazardous event.

HAZOP: A Process Hazard Analysis technique applied to processes to identify
hazards and operability issues which have the potential to place the process
plant, environment or personnel at risk. The HAZOP study identifies abnormal
process deviations that may require additional protection functions (refer to
SAER-5437).

High Integrity Protection Systems (HIPS): High availability, fail-safe SIS with
dedicated SIFs, designed to reduce the size of or replace a mechanical relief
system by isolating the source of the over-pressure. A HIPS may respond to any
typical process measurement such as level, pressure, or temperature. A HIPS
system is designed as an independent and separate safety protection layer from
any other Basic Process Control System (BPCS) e.g. DCS, RTU/SCADA and
ESD safety systems. A HIPS system must be in compliance throughout the
system Safety Life Cycle to the strict conditions of approval resulting from the risk
assessment, dynamic process simulations, and other specific design
considerations.

Independent Protection Layer (IPL): A control, prevention or mitigation
mechanism that reduces risk by a minimum factor of 10. IPLs must be specific,
auditable, independent from the Initiating Cause (IC) and other IPLs, dependable
and capable of taking the process to a safe state within the Process Safety Time
(PSFT). Examples include relief valves or a control system such as the BPCS or
ESD.

Performance Based SIF: A SIF that, together with other Independent Protection
Layers (IPLs) and other elements like Conditional Modifiers and Enabling
Conditions (if they exist), achieves a Mitigated Event Frequency (MEF) that is
equal to or less than the hazard scenario tolerable risk.

Potentially Toxic Material: A liquid or a gas substance whereby the toxic
concentration in the gas phase, determined through equilibrium flash
calculations, exceeds its Immediately Dangerous to Life and Health (IDLH).

Prescriptive Based SIF: A SIF that is built in compliance with a prescriptive
based standard rather than to achieve a MEF that is equal to or less than the
hazard scenario tolerable risk.

Process Critical Equipment: Rotating equipment including turbines, electric
driven pumps, compressors or generators handling combustible, flammable or
toxic materials.

Probability of Failure on Demand (PFD): A value that indicates the probability
that a device or system will fail to respond to a demand in a specified interval of
time.

Process Hazard Analysis (PHA): Organized and systematic assessment of the
potential hazards associated with a process.

Process Safety Time (PSFT): The time between a failure occurring in the
process or the BPCS (with the potential to give rise to a hazardous event) and
the occurrence of the hazardous event if the SIF is not triggered.


Risk Area: A grouping of Process equipment and associated Control Systems
equipment which together perform a specific process function (refer to
SAES-Z-001).

Risk Reduction Factor (RRF): The reduction of risk that the SIF or other
protection layers provide when operating in the process. RRF = 1/ PFD.

Safe-State: The predetermined state of the process in terms of which flows
should be started or stopped, which process valves should be opened or closed
and the state of operation of any rotating equipment (pumps, compressors,
agitators) to protect against the process hazards.

Safety Integrity Level (SIL): Discrete level allocated to the SIF for specifying the
safety integrity requirements to be achieved by the SIS. The SIL is a measure of
the performance of the SIF in terms of PFD.

  Safety Integrity Level   PFDavg                   Risk Reduction Factor
  1                        ≥ 10^-2 to < 10^-1       > 10 to ≤ 100
  2                        ≥ 10^-3 to < 10^-2       > 100 to ≤ 1000
  3                        ≥ 10^-4 to < 10^-3       > 1000 to ≤ 10000
  4                        ≥ 10^-5 to < 10^-4       > 10000 to ≤ 100000

Safety Instrumented Function (SIF): A safety function implemented in the ESD,
consisting of any combination of sensor(s), logic solver(s), and final element(s),
which is intended to achieve or maintain a safe state for the process, with respect
to a specific hazardous event scenario.

Safety Life Cycle: The sequence of activities involved in the implementation
of ESD systems from initial conception through to decommissioning. Refer to IEC
61511.

Safety Requirement Specification (SRS): The specification that contains all the
functional requirements for all the SIFs and their associated safety integrity
levels. Refer to SABP-Z-076.

Safety Response Time (SRT): The time between the moment the process
reaches the SIF trip condition, and the moment the SIF final element reaches its
safe state to prevent the identified hazard.

Safety Shutoff Valve (SSV): A fast closing valve that automatically shuts off the
gaseous or liquid fuel supply in response to a normal, emergency, or safety
shutdown signal. Also termed block valve, fuel shutdown valve or Safety Trip
Valve. A valve under the complete control and supervision of the Burner
Management System (BMS). Safety shutoff valves are not emergency isolation
valves (EIV) or valves labelled BV on the P&ID (refer to SAES-J-602).

Scan Time: ESD system scan time is the composite of input modules scan,
program execution, and output modules state transition time.

Shall: Indicates a mandatory requirement.

Spurious Trip Rate (STR): The rate of unscheduled shutdowns of the process per
year caused by equipment malfunction rather than by an actual shutdown demand.

Triple Modular Redundant 2oo3 ESD (TMR): Fault tolerant systems using
3 separate processors with triplicated Input/Output (I/O) and bus structure. Each
processor executes its individual application program, simultaneously verifying
data, executing logic instructions, control calculations, clock and voter /
synchronization signals and performing comprehensive system diagnostics.
Process outputs are sent via triplicated paths to output modules where they are
voted 2oo3 to ensure logic and output integrity.

Wellhead Emergency Shutdown System (WESD): A special Emergency
Shutdown system for wellheads, with dedicated SIFs, isolating the source of
pressure in case of abnormal and predefined process conditions. It can be either
manually, locally or remotely, or automatically initiated.

ZV: A power operated emergency isolation valve that is the final element of a SIF
controlled from an Emergency Shutdown System (ESD).

ZV Local Control Panel: A local panel that provides pushbuttons for ZV open,
close, and test as well as valve status indication.

5 General Design Guidelines

The general design and management of ESD systems shall follow the safety
lifecycle requirements described in IEC 61511.

ESD systems shall contain SIFs and other prescriptive ESD functions as defined
in this standard and other Company standards.

Unless otherwise specified in the SRS, the SIF Response Time (SRT) to bring
the process to a safe state shall be within the hazard Process Safety Time
(PSFT). The intent is to ensure that the tolerable risk is not exceeded by
providing the necessary risk reduction for the process through the ESD and/or
other IPLs.


When SIL Assignment determines an ESD function is required to provide a risk
reduction factor less than 10 then the following shall be applied:

a. If the hazard scenario doesn’t have a BPCS Initiating Cause or IPL
then moving the SIF to the BPCS shall be considered.

b. If the hazard scenario has a BPCS Initiating Cause or IPL then this SIF
shall be maintained in the ESD and be designed as SIL 1.

SIFs shall be designed such that they can be periodically tested.

Unless otherwise specified in the SRS, I/Os for each SIF shall be contained
within the same ESD controller.

Use of ESD peer-to-peer communications shall comply with Section 7.9.

5.1 ESD Shutdown Levels

Saudi Aramco ESD functions (both prescriptive and performance based) logic
shall be organized into levels of shutdown as described below:

TOTAL PLANT SHUTDOWN (LEVEL 1): A total plant ESD effectively shuts
down the total plant or facility under emergency conditions. Isolation valves are
closed to stop the flow of combustible, flammable or potentially toxic fluids, to
stop the heat input to process heaters or reboilers, and to stop rotating
equipment. Activation of total plant ESD shall not stop or impede the operation
of fire protection or suppression systems, deluge systems, sump pumps, or
critical utilities such as instrument or process air.

UNIT ISOLATION AND DEPRESSURING (LEVEL 2): This shutdown layer
isolates an entire process unit, process train or process area involved in a fire or
other emergency, thus limiting the supply of fuel. This includes pumps, vessels,
compressors, etc., which comprise an entire process unit up to and including plot
limit boundaries. Associated emergency depressuring systems for process
vessels and equipment shall be applied when it is necessary to reduce the
potential of a boiling liquid expanding vapor explosion or to reduce inventories of
hazardous materials.

EQUIPMENT ISOLATION SYSTEM (LEVEL 3): A system of emergency
isolation valves used to isolate and trip individual equipment within a process unit
and prevent the release of potentially toxic material in the event of fire, rupture or
loss of containment.

EQUIPMENT PROTECTION SYSTEMS (LEVEL 4): Systems provided for the
protection of centrifugal pumps, rotating and reciprocating gas compressors, gas
expansion and combustion gas turbines (CGTs), electric motors, generators; and
forced or induced draft air fans.


5.2 SIL Assignment

SIFs shall be identified and assigned a SIL level based on the risk analysis and
methodologies outlined in SAEP-250.

5.3 Safety Instrumented Functions

SIFs assigned SIL 1, 2 or 3 shall be verified to achieve the target RRF and not be
less than the minimum performance requirements for the assigned SIL. Both SIL
Assignment and Verification shall comply with SAEP-250.

5.4 Prescriptive ESD Functions

In addition to SIFs, the ESD system shall contain prescriptive functions as
required by the design and Saudi Aramco mandatory standards. Prescriptive
functions shall meet the test interval requirements stated in 11.3.2.

Prescriptive ESD functions include the functions listed below and other functions
mandated by other MSAER:

a. ESD Shutdown initiated by ESD shutdown buttons.

b. Equipment and/or engineering requirements as specified by applicable
Saudi Aramco standards including SAES-J-90, SAES-B-057, SAES-B-058,
SAES-J-602, SAES-J-603, SAES-J-607, SAES-J-505, SAEP-354.

c. Licensor engineering requirements and previous safety design
experience for similar process.

Note:

Prescriptive ESD functions shall be documented in the SRS.

5.5 Potential SIFs

5.5.1 Process Design

SIFs are introduced to the process by the process design engineers to
prevent or mitigate the following:

a. Loss of containment of a hazardous material as a result of a
process parameter deviation.

b. Rotating equipment damage.

c. Out of specification products.


The decision to introduce a SIF is usually based on the apparent
hazards, process engineer’s experience, material and equipment
limitations, process licensor and standard requirements.

5.5.2 Gas Detection (Ref. SAES-J-505)

High-High concentration of gas detection for hydrogen sulfide or
combustible gas in air, as required by SAES-J-505.

5.5.3 SIFs Recommended by:

a. Process safety analysis studies like Process Hazards Analysis
(PHA) and Hazards and Operability Study (HAZOP) studies.

b. Studies that evaluate the impact of control and instrument
failures.

c. Flare and relief studies.

d. Quantitative risk assessment studies, etc.

5.6 Segregation

5.6.1 ESD systems, including controllers, I/O, instruments, and logic, shall
be designed such that they are segregated from, and totally
independent of BPCS.
Note:

Use of an integrated communication network containing Human Machine
Interface (HMI) and engineering workstations for control and safety is allowed.

5.6.2 In general, ESD and BPCS shall not share final elements. Where a
final element device in existing facilities is shared the control function
and the ESD function shall have separate outputs to the final element.
Note:

Shared final elements are likely to introduce common cause failures. When a
final element is shared further analysis should be conducted to demonstrate that
failure of any hardware or software outside the SIS cannot prevent any SIF from
operating.


5.6.3 ESD systems shall only contain SIFs and prescriptive safety functions
as identified in this section of the standard.
Exception:
Applications such as turbomachinery control and BMS may require BPCS
functions such as startup permissive signals and sequencing to be implemented
in the ESD. These functions shall be managed through the same processes
applicable to ESD (MOC, testing and maintenance).
5.6.4 Interfaces between ESD systems and BPCS shall be performed in a
discrete, hardwired manner or via an acceptable data communications
interface, per Section 7.8.

5.6.5 ESD Systems shall be segregated into their respective Process Control
Systems risk areas to increase system and process availability. Risk area
segregation shall comply with Section 7 of SAES-Z-001.

5.7 Failure Modes

5.7.1 ZVs shall be fail-safe and shall move to a specified safe-state position
upon loss of the ESD signal, electric power, pneumatic or hydraulic
supplies. Refer to Section 8. If an energized to trip control signal is
required the digital output signal shall be line monitored and a fault
alarm implemented. The line monitoring capability shall be specified for
the particular DO module. If an energized to trip control signal is
required the power supply shall be considered in SIL Verification.

5.7.2 The safe-state shall be the de-energized mode unless otherwise
required by a Process Hazards Analysis (e.g., HAZOP), process
constraints, the SRS and/or operational experience or licensor
agreements.

5.7.3 Unless otherwise specified the safe-state for a power operated ZV is
closed, and for a blowdown/depressuring ZV is open.

5.7.4 The safe-state of final elements shall be clearly indicated in the ISS,
P&IDs, SIF data sheet and SRS.

5.8 High Integrity Protection Systems (HIPS)

HIPS applications shall be designed, evaluated and approved as required by
SAEP-354.

6 Input Devices

This section provides the requirements for the design and selection of input
devices to be used for ESD service which includes transmitters, transducers,
process activated switches, push/pull buttons and relays.


6.1 Design Requirements for Input Devices

6.1.1 ESD input devices shall be HART/4-20mA transmitters.

6.1.2 Process actuated switches shall only be used when ESD digital or
analog transmitters are not suitable for the intended process service or
measurement application. Process actuated switches shall be selected
to be closed during normal process operation and shall open when the
shutdown condition is reached.

6.1.3 ESD input sensors shall meet or exceed all specified process and
environmental conditions. ESD sensors shall be capable of being
safely monitored and tested while the facility is operating.

6.1.4 ESD sensors shall be reliable, Saudi Aramco approved product and
purchased from approved Saudi Aramco vendors.

6.1.5 ESD transmitters shall be write-protected at the transmitter to prevent
inadvertent modification.

6.1.6 Analog ESD signals shall not be used as BPCS control variables.

6.1.7 A diagnostic alarm for an ESD transmitter failure (i.e. short circuit, high
range, and low range) shall be configured using signal over and under
range limits and indicated to the operator as a high priority alarm on
his/her workstation/HMI so that immediate corrective action is taken to
have the transmitter repaired or replaced.

6.1.8 ESD transmitters shall be configured to have a defined failure mode,
e.g. in the direction opposite to the trip setting or in the direction of the
trip setting based on individual plant operational philosophy.

If the transmitter is used to provide both Low-Low (LL) and High-High
(HH) ESD input signals to two SIFs, the failure mode shall be selected
in the direction that would have less impact on the plant.

6.1.9 The transmitter failure mode and ESD transmitter diagnostic logic may
be applied to minimize spurious trips where the design demonstrates
that the facility can be safely operated at normal operating conditions
by the BPCS. The failure of an ESD transmitter shall be alarmed as
high priority and the faulty transmitter repaired or replaced.

6.1.10 ESD transmitters which are voted in ESD logic shall be degraded per
the following table. The degradation of the voting may occur in logic or
with the failure of the transmitter configured in the direction of the trip.


Unless otherwise specified, a failure of a second transmitter within the
voting shall cause a trip.

  Voting   Degraded Mode   Second Fault
  1oo2     1oo1            Trip
  2oo2     1oo1            Trip
  2oo3     1oo2            Trip
  2oon     1oo(n-1)        Trip

2oon = 2 out of n components
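The degradation table above, together with the out-of-range diagnostic alarm of 6.1.7 and the failure direction of 6.1.8, can be exercised as logic-solver code. The following is an added example, not part of SAES-J-601 or any vendor's ESD application: it evaluates a high-high trip over a MooN group of 4-20 mA transmitters, removes a faulted transmitter from the vote (or, when the failure direction is towards the trip, lets it vote to trip), and trips on a second fault. The 3.6 mA / 21.0 mA fault limits follow the NAMUR NE43 convention and are an assumption of the example, as are the sample readings.

```python
"""Voted ESD input with transmitter-fault degradation (added example).

Models clause 6.1.7 (out-of-range diagnostic alarm), 6.1.8 (defined failure
direction) and the 6.1.10 degradation table for a 4-20 mA high-high trip.
The fault limits below are the NAMUR NE43 convention (assumption).
"""
from dataclasses import dataclass, field

FAULT_LOW_MA = 3.6    # below this the loop is treated as failed (open circuit / low range)
FAULT_HIGH_MA = 21.0  # above this the loop is treated as failed (short circuit / high range)


@dataclass
class VoteResult:
    trip: bool
    mode: str                 # effective voting after degradation, or "trip (second fault)"
    alarms: list = field(default_factory=list)


def degraded_mode(arch: str) -> str:
    """Degradation per the 6.1.10 table: MooN -> max(1, M-1) oo (N-1)."""
    m, n = (int(p) for p in arch.split("oo"))
    return f"{max(1, m - 1)}oo{n - 1}"


def vote(arch: str, readings_ma: list, trip_ma: float,
         fail_to_trip: bool = False) -> VoteResult:
    """Evaluate a high-high trip over a MooN transmitter group.

    readings_ma: one 4-20 mA value per transmitter (constructed sample input).
    fail_to_trip: failure direction per 6.1.8; when True a faulted transmitter
    counts as tripped instead of being removed from the vote.
    """
    m, n = (int(p) for p in arch.split("oo"))
    if len(readings_ma) != n:
        raise ValueError(f"{arch} needs {n} readings, got {len(readings_ma)}")

    alarms, healthy, faults = [], [], 0
    for idx, ma in enumerate(readings_ma):
        if ma < FAULT_LOW_MA or ma > FAULT_HIGH_MA:
            faults += 1
            # 6.1.7: transmitter failure raised as a high priority alarm
            alarms.append(f"HIGH PRIORITY: transmitter {idx} out of range ({ma} mA)")
        else:
            healthy.append(ma)

    tripped = sum(1 for ma in healthy if ma >= trip_ma)

    if fail_to_trip:
        # Failure configured in the direction of the trip: each failed channel votes to trip,
        # which degrades the group exactly as the table does.
        return VoteResult(tripped + faults >= m, arch, alarms)

    if faults == 0:
        return VoteResult(tripped >= m, arch, alarms)
    if faults == 1:
        mode = degraded_mode(arch)
        need = int(mode.split("oo")[0])
        alarms.append(f"voting degraded to {mode}")
        return VoteResult(tripped >= need, mode, alarms)
    # Second transmitter fault within the group: trip unless the SRS says otherwise.
    alarms.append("second transmitter fault: trip")
    return VoteResult(True, "trip (second fault)", alarms)


if __name__ == "__main__":
    # Constructed sample: 2oo3 group, high-high trip at 16 mA (75 % of span)
    for readings in ([12.0, 12.0, 12.0], [17.0, 17.0, 12.0], [17.0, 12.0, 22.0], [12.0, 3.0, 22.0]):
        print(readings, vote("2oo3", readings, 16.0))
```

The `fail_to_trip` path shows the second sentence of 6.1.10 in code: with the failure direction set towards the trip, a 2oo3 group with one failed channel trips on a single healthy vote, which is the same behaviour as degrading to 1oo2 in logic.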

6.1.11 Discrete hard-wired, ESD push/pull buttons shall be configured as
direct, normally closed inputs into shutdown logic. Indoor and Outdoor
installed ESD push/pull buttons shall comply with NFPA 70.

6.1.12 SIFs using thermocouple or RTD inputs shall incorporate burnout or
open-circuit protection logic. Unless otherwise stated in the SRS, a
thermocouple or RTD burnout causing open circuit shall initiate an
ESD trip signal.

6.1.13 Thermocouple inputs shall use temperature transmitters wired to ESD
I/O modules. Unless otherwise specified RTD inputs shall use
temperature transmitters wired to ESD I/O modules.

6.1.14 Proximity or micro-switches used as ESD input devices shall comply
with NFPA-70.

Note:

Position transmitters shall be used when the ZV valve position is a SIF initiator.

6.1.15 When a pressure switch is used, a pressure gauge shall be provided to
indicate the pressure reading, installed on the same side of the
process block valve as the pressure switch, and have its own isolation
valve.

6.1.16 ESD input devices shall be identified by nameplates showing the
instrument tag numbers per the requirements of SAES-J-003.
The device shall be clearly distinguished as an ESD device, for
example by the tag description being in printed/embossed white writing
on a red background.

6.2 Process Taps and Connections


An ESD sensor shall have its own dedicated process tap or connection separate
from a process control or monitoring instrument. Each transmitter shall be
capable of being calibrated in-service independently.

ESD level transmitters shall have separate process taps located at the same
elevation as the process control and monitoring transmitter taps. ESD level
transmitters shall also be calibrated for the same range as the process control
level transmitter to provide the means to accurately compare between level
variables, the ability to monitor the process during online maintenance and to
eliminate process blind spots for ESD transmitters.
Exceptions:

Differential pressure transmitters used for ESD and process control service may be
installed in parallel using the same primary element (e.g., orifice plate, venturi, and
flow nozzle) provided they have independent process isolation valves. Individual
transmitters shall be capable of being isolated while the other remains in service.

ESD Level transmitters may use the same process taps as the process control or
monitoring transmitters when the tap nozzle size is at least 50 mm (2 in.), the process
is non-plugging and the common isolation valves on the tap nozzle are car sealed
open. In addition, ESD and process control level transmitters shall have independent
level bridle isolation valves and shall be calibrated for the same range.

6.3 Multiple ESD Functions

6.3.1 A single transmitter may be used to provide both Low-Low (LL) and
High-High (HH) ESD input signals if the transmitter's calibrated range
spans both LL and HH trip settings, and it is acceptable to bypass both
LL and HH inputs at the same time when performing maintenance on the
transmitter. Refer to SAER-6460 for guidance on the use of ESD bypasses.

6.4 Redundant ESD Devices

6.4.1 Multiple process measuring devices in a voting architecture (e.g., dual
or triplicated) shall be used when SIL Verification calculations show
that the reliability (MTBF) or PFDavg of the SIF cannot meet the
required STR or SIL. Refer to SAEP-250.

6.4.2 Multiple process measuring devices in a voting architecture shall be
used if mandated by prescriptive standards.

6.4.3 Voted input signals shall be assigned to separate input modules when
the system contains more than one input module of the required type,
and to separate racks if the system has multiple racks to avoid single
point of failure.


6.4.4 Sensors and final elements used in SIL 3 SIFs shall be voted to
provide a minimum hardware fault tolerance of 1 (SAEP-250).
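Clauses 5.3, 6.4.1 and 6.4.4 together describe the SIL verification step: compute the PFDavg of the chosen architecture, map it to the SIL table of Section 4.2 (RRF = 1/PFD), and check the hardware fault tolerance. The following is an added example and not the calculation method prescribed by SAEP-250 or this standard: it uses the simplified IEC 61508-6 low-demand PFDavg equations without common-cause or repair terms, which is an assumption, and the dangerous undetected failure rate (2e-6 per hour) and one-year proof test interval are constructed sample values.

```python
"""Simplified SIL verification of voted sensor groups (added example).

PFDavg formulas are the simplified IEC 61508-6 low-demand equations for
identical channels without common-cause or repair terms (assumption).
"""

# SIL bands from the standard's table: (SIL, lower PFDavg bound inclusive, upper bound exclusive)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def pfd_avg(arch: str, lambda_du: float, test_interval_h: float) -> float:
    """Average probability of failure on demand for one voted group.

    Simplified formulas (assumption: identical channels, no common cause):
      1oo1: lambda_du*TI/2    1oo2: (lambda_du*TI)^2/3
      2oo2: lambda_du*TI      2oo3: (lambda_du*TI)^2
    """
    x = lambda_du * test_interval_h
    formulas = {"1oo1": x / 2, "1oo2": x * x / 3, "2oo2": x, "2oo3": x * x}
    if arch not in formulas:
        raise ValueError(f"unsupported architecture {arch}")
    return formulas[arch]


def risk_reduction_factor(pfd: float) -> float:
    """RRF = 1/PFD, as defined in Section 4.2."""
    return 1.0 / pfd


def sil_from_pfd(pfd: float) -> int:
    """Map PFDavg to the SIL band it falls in (0 = below SIL 1, i.e. RRF < 10)."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    if pfd < 1e-5:
        return 4   # better than the SIL 4 band; the table does not go higher
    return 0       # PFDavg >= 0.1: RRF below 10, not a SIL-rated function


def hardware_fault_tolerance(arch: str) -> int:
    """HFT = dangerous channel faults tolerated before the function is lost: MooN gives N-M."""
    m, n = (int(p) for p in arch.split("oo"))
    return n - m


def verify_sif(arch: str, lambda_du: float, test_interval_h: float, target_sil: int) -> dict:
    """Check a sensor group against its target SIL (5.3) and the
    HFT >= 1 rule for SIL 3 (6.4.4). Returns the verification figures."""
    pfd = pfd_avg(arch, lambda_du, test_interval_h)
    achieved = sil_from_pfd(pfd)
    hft = hardware_fault_tolerance(arch)
    hft_ok = hft >= 1 if target_sil >= 3 else True
    return {
        "arch": arch,
        "pfd_avg": pfd,
        "rrf": risk_reduction_factor(pfd),
        "achieved_sil": achieved,
        "hft": hft,
        "meets_target": achieved >= target_sil and hft_ok,
    }


if __name__ == "__main__":
    # Constructed sample: lambda_du = 2e-6 /h, proof test interval 8760 h (one year)
    for arch in ("1oo1", "1oo2", "2oo2", "2oo3"):
        print(verify_sif(arch, 2e-6, 8760.0, target_sil=2))
```

With the sample figures a single transmitter (1oo1) lands in the SIL 2 band, which is why 6.4.1 calls for a voted architecture when the required SIL is higher: 1oo2 reaches the SIL 3 band and also satisfies the HFT 1 requirement of 6.4.4, whereas 2oo2 (chosen for its low spurious trip rate) only reaches SIL 1.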

6.5 Time Delays and Filters

6.5.1 ESD input time delays or filtering may be applied in ESD logic solver
based on an analysis of:

a. Process variable dynamics (i.e., the transient behavior of the
process that may require filtering or the use of a time delay).

b. Mechanical noise or vibration which contributes to unreliable
or spurious ESD device trips.

c. The proximity of an ESD device operating point to its trip
setting that might result in a spurious or premature device
trip when a process disturbance or transient is encountered.

d. Sensor response time characteristics such as inherent
sensor lag, dead-time or signal dampening.

6.5.2 ESD input time delay analysis shall include:

a. A statement of the time delay purpose.

b. Technical determination of the time delay required for the
application. This determination may use process dynamic
simulation analysis, prior ESD device's operating history or
trip report data.

c. Technical determination that the time delay may be safely
employed and falls within the equipment PSFT.

d. The ESD input time delay engineering analysis shall be
documented in the SRS.
Note:

When time delays and filters are applied, the analysis needs to demonstrate that
the system response time (including time delay) is within the PSFT.

6.5.3 All ESD input time delays shall be verified suitable for the application
via field testing during pre-commissioning.

6.6 Shutdown and Reset Buttons

6.6.1 ESD Shutdown Buttons


6.6.1.1 Hardwired ESD push/pull buttons shall be used to manually initiate a
shutdown for a plant or a unit (Shutdown Levels 1 or 2), and shall be easily
visible and readily accessible to operations personnel, within an operator's
console HMI, a location inside the control room, and within the process
facility itself as per SAES-B-058.

6.6.1.2 ESD push buttons shall be provided with an extended guard, shroud or
similar feature to reduce the risk of accidental actuation. Pull buttons do
not require a physical protective guard or shroud.

6.6.1.3 HMI software configured ESD activation buttons are acceptable for
operator-initiated equipment isolation (Shutdown Level 3) provided that a
physical plant or unit (Shutdown Level 1 or 2) hard-wired ESD button is
provided on the console or within the control room. The operator-initiated
software ESD shutdown command shall include an associated confirmation step
before the ESD command is executed. In addition, the communication guidelines
of Section 7.8 shall be followed.

Exception:

HMI initiated shutdown of remote, unmanned plants via non-ESD system (e.g.
SCADA / RTU) without the provision of a physical push/pull-button is allowed
provided that a SIF demand shall always override the HMI shutdown command.

6.6.1.4 ESD logic shall be configured such that the momentary actuation of the
ESD push or pull button will initiate a shutdown.

6.6.1.5 Actuation of a manual ESD push/pull shutdown button or
software-configured ESD shutdown button in an electronic system shall initiate
an event log to time-tag the actuation of the ESD button by its specific tag
number and device description.

6.6.2 ESD Reset Buttons

6.6.2.1 ESD logic shall be designed such that if it is de-energized as a result
of a trip, it can only be re-energized after the deliberate, momentary actuation
of an operator initiated reset button. Reset buttons shall be provided at the
unit or equipment shutdown level. If an ESD system has been reset or is in its
normal operating state, the re-actuation of its reset button shall not result
in any abnormal transient or change of state within the ESD logic.

6.6.2.2 For programmable electronic ESD systems, logic reset buttons shall be
initiated from an operator's workstation HMI and adhere to the communication
requirements of Section 7.8. The operator-initiated software ESD reset buttons
shall include an associated confirmation step before the reset command is
executed.

6.6.2.3 Actuation of a logic reset button in a Programmable Electronic System
shall also initiate an event log, to time-tag the actuation of the reset by
its specific tag number and device description.

6.6.2.4 For non-programmable ESD systems a reset push button shall be located
in close proximity to the ESD shutdown push/pull button within the operator's
console/HMI.

6.6.2.5 Resetting ESD system logic shall not cause a ZV or other equipment to
automatically return to its normal operating position or state.

6.6.2.6 Automatic reset action for ESD logic is not permissible.

Exception:

Blowdown logic may be designed with an automatic reset so that the blowdown
valve is returned to its normal operating closed position under the control of
the ESD logic.
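The shutdown and reset rules of 6.6.1.4, 6.6.1.5, 6.6.2.1, 6.6.2.3 and 6.6.2.5 describe a small latching state machine. The following is an added example, not logic from SAES-J-601 or from any ESD vendor: one scan-cycle model in which a momentary button or a SIF demand de-energizes and latches the output, a momentary reset re-energizes it only once the demand has cleared, and the ZV stays in its safe (closed) position after the reset until a deliberate open command is given. The tag names and the scan counter used as the time tag are constructed assumptions.

```python
"""Latched ESD trip with operator reset and separate ZV open command (added example)."""
from dataclasses import dataclass, field


@dataclass
class EsdLatch:
    tag: str = "HS-101"             # ESD hand switch tag (constructed assumption)
    zv_tag: str = "ZV-101"          # final element tag (constructed assumption)
    output_energized: bool = True   # de-energize-to-trip output, see 5.7.2
    zv_open: bool = True            # ZV normal position open; safe state closed, see 5.7.3
    event_log: list = field(default_factory=list)
    _scan: int = 0                  # scan counter doubling as the event time tag

    def scan(self, *, trip_demand: bool = False, esd_button: bool = False,
             reset_button: bool = False, zv_open_request: bool = False) -> None:
        """One logic-solver scan. Buttons are momentary: True for a single scan."""
        self._scan += 1
        demand = trip_demand or esd_button
        if esd_button:
            # 6.6.1.5: time-tag the button actuation by tag and description
            self.event_log.append((self._scan, self.tag, "ESD button actuated"))
        if demand:
            # 6.6.1.4: momentary actuation (or a SIF demand) de-energizes and latches
            if self.output_energized:
                self.event_log.append((self._scan, self.zv_tag, "trip: output de-energized"))
            self.output_energized = False
        if reset_button:
            # 6.6.2.3: every reset actuation is logged, even when it has no effect
            self.event_log.append((self._scan, self.tag + "-RESET", "reset button actuated"))
            # 6.6.2.1: re-energize only when latched and the demand has cleared;
            # in the normal state re-actuation changes nothing.
            if not self.output_energized and not demand:
                self.output_energized = True
                self.event_log.append((self._scan, self.zv_tag, "reset: output re-energized"))
        # Final element: a de-energized output drives the ZV to its safe state.
        if not self.output_energized:
            self.zv_open = False
        elif zv_open_request:
            # 6.6.2.5: the reset itself never reopens the ZV; a deliberate open command does.
            self.zv_open = True


if __name__ == "__main__":
    e = EsdLatch()
    e.scan(esd_button=True)      # momentary button: trips and latches
    e.scan()                      # button released: still tripped
    e.scan(reset_button=True)     # logic re-armed, ZV remains closed
    e.scan(zv_open_request=True)  # operator opens the ZV from the local panel
    for entry in e.event_log:
        print(entry)
```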

6.7 ESD Input, Output and Startup Bypasses

6.7.1 ESD Bypass Procedure

The activation of input bypasses, including the required authority level,
shall comply with a Manager approved facility Operating Instruction
Manual or Management Procedure. Prior approval from plant
management shall be obtained before an ESD input is bypassed or a
ZV bypass valve is operated. See SAER-6460 for further guidance on
the use of ESD bypasses.

6.7.2 ESD Input Bypasses


6.7.2.1 ESD sensors shall have a maintenance input bypass switch. Bypass
switches shall be software-configured for programmable controller based ESD
systems using a restrictive authority access mechanism such as a key lock
(physical switch) or password (HMI software configured switch) with a separate
confirmation step. Hardwired bypass switches shall only be used for
non-programmable type ESD systems or where operator workstations are not
available.

6.7.2.2 ESD input bypasses shall only be used for testing ESD input
instruments and for repair and replacement of faulty instruments. ESD input
bypasses shall not be used to facilitate startup or override safety functions
which do not require maintenance or testing.

6.7.2.3 Activation of an input bypass switch shall confirm the bypass logic
and cause an associated common bypass/force status indicator on all graphic
DCS screens to be illuminated.

6.7.2.4 Unless otherwise specified input bypass switches are not required for
ESD sensors that are voted in the ESD logic as 2oon (e.g., 2oo2, 2oo3, etc.).
See paragraph 6.1.10 for degrade modes for voted transmitters.

6.7.2.5 Input bypasses shall not result in the loss of measurement and/or
annunciation of the condition being monitored by the ESD.

6.7.2.6 Activation or deactivation of a bypass switch shall initiate an event
log which archives the change of state of the bypass switch with its tag
number and device description.
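The bypass controls of 6.7.2.1, 6.7.2.3, 6.7.2.4 and 6.7.2.6 amount to an access-controlled, audited switch. The following is an added example and not an implementation from SAES-J-601 or any HMI product: a bypass manager that rejects requests from roles outside the authorised set or without the separate confirmation step, logs every attempt and state change with tag and description, exposes the common bypass indicator, and reports that 2ooN-voted inputs need no switch. The role names, tags and the sequence number used as the time tag are constructed assumptions.

```python
"""Maintenance input bypass with authority check, confirmation and event log (added example)."""
from dataclasses import dataclass, field

# Roles allowed to operate a software bypass switch (constructed assumption)
AUTHORISED_ROLES = {"shift_supervisor", "instrument_engineer"}


@dataclass
class BypassManager:
    voting: dict                                  # tag -> voting architecture, e.g. "1oo1", "2oo3"
    active: set = field(default_factory=set)      # tags currently bypassed
    event_log: list = field(default_factory=list)

    def _log(self, tag: str, description: str, state: str, user: str) -> None:
        # 6.7.2.6: archive the change of state with tag and device description;
        # the sequence number stands in for the time tag in this example
        self.event_log.append((len(self.event_log) + 1, tag, description, state, user))

    def needs_switch(self, tag: str) -> bool:
        """6.7.2.4: inputs voted 2ooN do not require a maintenance bypass switch."""
        m, _ = self.voting[tag].split("oo")
        return m != "2"

    def request(self, tag: str, description: str, user: str, role: str, confirmed: bool) -> bool:
        """Activate a bypass only for an authorised role and after the separate
        confirmation step (6.7.2.1). Returns True when the bypass is now active."""
        if tag not in self.voting:
            raise KeyError(tag)
        if role not in AUTHORISED_ROLES:
            self._log(tag, description, "BYPASS REJECTED: unauthorised", user)
            return False
        if not confirmed:
            self._log(tag, description, "BYPASS REJECTED: not confirmed", user)
            return False
        self.active.add(tag)
        self._log(tag, description, "BYPASS ON", user)
        return True

    def release(self, tag: str, description: str, user: str) -> None:
        self.active.discard(tag)
        self._log(tag, description, "BYPASS OFF", user)

    def common_indicator(self) -> bool:
        """6.7.2.3: common bypass/force status indicator shown on all DCS graphics."""
        return bool(self.active)

    def trip_allowed(self, tag: str, input_in_trip: bool) -> bool:
        """A bypassed input is held healthy in the trip logic only; the measurement
        and its annunciation continue elsewhere (6.7.2.5)."""
        return input_in_trip and tag not in self.active


if __name__ == "__main__":
    bm = BypassManager({"PT-101": "1oo1", "LT-202": "2oo3"})   # constructed tags
    bm.request("PT-101", "V-101 pressure high-high", "op1", "board_operator", True)
    bm.request("PT-101", "V-101 pressure high-high", "sup1", "shift_supervisor", True)
    print(bm.common_indicator(), bm.trip_allowed("PT-101", True))
    for entry in bm.event_log:
        print(entry)
```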

6.7.3 ESD Output Bypasses

6.7.3.1 Operator accessible output bypass switches shall not be used.

6.7.3.2 Requirements for full flow bypass valves in parallel with ZVs are
defined in Section 8.7.

6.7.4 ESD Automatic Startup Bypasses and Permissive

6.7.4.1 Automatic startup bypass shall be configured for devices which would
prevent the normal startup of plant equipment such as minimum flow, level,
pressure, temperature, motor load startup-current and vibration. Startup
bypasses shall remain active until the plant or equipment reaches the normal
operating parameters or when a prescribed time period has elapsed. Automatic
bypasses shall only be activated when the ESD logic confirms the process is in
the safe-state.

6.7.4.2 ESD maintenance bypass switches shall not be used to facilitate
startup. All ESD inputs shall be active and normal during equipment startup.
Faults on ESD input devices shall be repaired before startup can proceed.

6.7.4.3 Manual startup permissive bypass switches shall not be used. Automatic
startup permissives in applications such as turbomachinery control and BMS
shall be active and normal during equipment startup. Faults to input devices
used for permissives must be repaired before startup can proceed.

6.7.4.4 Activation or deactivation of an automatic startup bypass switch shall
initiate an event log which archives the change of state of the bypass switch
with its tag number and device description.

6.7.5 ESD Input/Output Forcing Procedures

6.7.5.1 Forcing of input or output ESD signals in the ESD logic solver shall
comply with a Manager approved facility Operating Instruction Manual or
Management Procedure. Prior approval from plant management shall be obtained
before an ESD signal is forced. Forcing ESD signals shall not be used to
facilitate startup.

6.7.5.2 Forcing of input or output ESD signals shall illuminate an associated
common bypass/force status indicator on all DCS graphic screens.

6.7.5.3 Forcing of input or output ESD signals shall initiate an event log
which archives the change of state of the signal switch with its tag number
and description.

6.8 Process Pre-Trip Alarm Requirements

6.8.1 Process Pre-Trip Alarms


6.8.1.1 Process pre-trip alarms are required where there is


sufficient time for the operator to take corrective action to
stabilize the process or to prevent a plant shutdown.
Process pre-trip alarms shall be handled in accordance
with SAES-Z-001.

6.8.1.2 Process pre-trip alarms shall use a BPCS transmitter when


available. Where a BPCS transmitter is not available for a
pre-trip alarm an ESD transmitter may be used for this
purpose but the alarm cannot be considered as an
independent layer of protection.

6.8.2 ESD Trip Alarm Annunciation

6.8.2.1 A shutdown initiating device shall be interconnected to a


discrete, multi-point alarm annunciator or to an annunciator
display configured within the BPCS.

6.8.2.2 Annunciator logic and functionality shall reside in the ESD
system and perform first out trip discrimination of ESD
inputs.

6.8.2.3 ESD inputs shall be annunciated via a unique, audible
alarm each time an ESD trip signal is initiated. The audible
alarm shall continue to sound until acknowledged or reset
by an operator.

6.8.2.4 Alarms shall be annunciated on loss of required ESD
utilities such as low instrument air pressure, loss of one or
more system power sources/supplies and loss of hydraulic
pressure.

6.8.2.5 ESD trip alarms shall be combined into first-out groups, per
equipment within each ESD system, to distinguish between
initial and subsequent alarms.

6.8.3 Output Validation, Verification and Annunciation

The change of state of the final ESD device shall be monitored by a
separate field sensor such as limit switch, position transmitter or motor
contactor auxiliary contact. Application logic shall compare the ESD
output command with final device feedback signals and provide a high
priority alarm when the final device does not reach the intended ESD
state within an acceptable time, as indicated in the SRS. The validation
application logic for the change in state of the final ESD device may be
implemented in the ESD or BPCS.


Note:

The ESD output validation alarm logic shall only be activated when the final
device fails to achieve the safe state following a trip. If required by the
application, final element mismatch alarms shall be configured as a separate tag.
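
As an added illustration (not part of this standard), the following Python sketch models the validation logic of 6.8.3 and the Note above: a travel timer started by the output command edge, a high-priority alarm raised only when a trip does not reach the safe state within the SRS travel time, and a separate mismatch tag for other feedback discrepancies. The tag ZV-1001, the 10 s travel time and the scan traces are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAFE, HEALTHY = 0, 1   # positive logic (10.8): 1 = healthy/run, 0 = trip


@dataclass
class FinalElementValidator:
    """Compares the ESD output command with limit-switch feedback (6.8.3).

    fail_to_safe_alarm is the high-priority alarm: it is armed by a trip
    command and raised when the closed limit switch is not made within
    travel_time_s.  mismatch_alarm is the separate tag mentioned in the Note
    for discrepancies outside a trip, e.g. both limit switches made at once.
    """
    tag: str
    travel_time_s: float                 # acceptable stroke time from the SRS (assumed value)
    last_cmd: int = HEALTHY
    timer_started_at: Optional[float] = None
    fail_to_safe_alarm: bool = False
    mismatch_alarm: bool = False
    events: List[Tuple[float, str, str]] = field(default_factory=list)

    def scan(self, now: float, command: int, zso: bool, zsc: bool) -> None:
        """One logic-solver scan; zso/zsc are the open/closed limit switches (True = made)."""
        if command != self.last_cmd:             # output command edge: restart the travel timer
            self.last_cmd = command
            self.timer_started_at = now
            self.fail_to_safe_alarm = False
            self.mismatch_alarm = False
        both_made = zso and zsc                  # physically impossible: feedback fault
        at_target = (zsc if command == SAFE else zso) and not both_made
        if at_target:
            self.timer_started_at = None         # commanded state confirmed, timer off
            return
        if self.timer_started_at is None:        # feedback left the confirmed state: re-arm
            self.timer_started_at = now
        timed_out = now - self.timer_started_at > self.travel_time_s
        if command == SAFE and timed_out and not self.fail_to_safe_alarm:
            self.fail_to_safe_alarm = True       # trip demanded, safe state not reached in time
            self.events.append((now, self.tag, "FAIL_TO_SAFE"))
        if (both_made or (command == HEALTHY and timed_out)) and not self.mismatch_alarm:
            self.mismatch_alarm = True
            self.events.append((now, self.tag, "FEEDBACK_MISMATCH"))


def run_trace(travel_time_s: float, trace) -> FinalElementValidator:
    """Replay (time_s, command, zso, zsc) scans and return the validator state."""
    v = FinalElementValidator("ZV-1001", travel_time_s)   # constructed tag
    for now, cmd, zso, zsc in trace:
        v.scan(now, cmd, zso, zsc)
    return v


# Constructed scan traces (not measurements).  The trip is commanded at t = 1 s.
STUCK_OPEN = [(0, HEALTHY, True, False), (1, SAFE, True, False),
              (5, SAFE, False, False), (12, SAFE, False, False)]      # ZSC never made
GOOD_TRIP = [(0, HEALTHY, True, False), (1, SAFE, True, False),
             (4, SAFE, False, False), (8, SAFE, False, True), (20, SAFE, False, True)]
BOTH_SWITCHES = [(0, HEALTHY, True, True)]                            # wiring/feedback fault

if __name__ == "__main__":
    for name, trace in (("stuck open", STUCK_OPEN), ("good trip", GOOD_TRIP), ("both made", BOTH_SWITCHES)):
        v = run_trace(10.0, trace)
        print(f"{name:<10} fail_to_safe={v.fail_to_safe_alarm} mismatch={v.mismatch_alarm} events={v.events}")
```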

7 ESD Systems and Auxiliary Equipment

This section establishes the criteria for the design of ESD and the related
auxiliary equipment such as power supplies and grounding.

7.1 Programmable Controller Based ESD Systems

Technically acceptable programmable controller based ESD systems are Dual
Modular Redundant (1oo2D), Triple Modular Redundant (2oo3), or Quad Modular
Redundant (2oo4D, combining two fault tolerant 1oo2D processors) systems.
Programmable controller based ESD systems shall be applied as per the specific
material requirements for programmable controller based ESD systems in
34-SAMSS-623.

7.2 Solid-State ESD Systems

Refer to 34-SAMSS-621 for specific material requirements for solid state based
ESD systems.

7.3 Wellhead Emergency Shutdown System (WESD)

For engineering requirements for WESD refer to 34-SAMSS-630.

7.4 Power Supplies

7.4.1 ESD systems and field devices shall be powered from negative-leg
grounded power supplies that are, in turn, powered from separate
branch circuits of UPS systems (e.g., separate distribution panels).
The intent is that there is no single point of failure in the power
distribution to the system.

7.4.2 Unless otherwise specified, ESD field instrumentation shall be powered
by 24 VDC.

7.4.3 120 - 240 VAC, 48 VDC or 125 VDC power may be used for minor
additions or modifications to existing ESD field instrumentation.

7.4.4 For remote area ESD application the following shall be applied:

7.4.4.1 ESD systems and field devices shall be powered from two
sources; one is line power and the other is from a battery
backed up DC power system. The intent is that there is no
single point of failure in the power distribution to the
system.

7.4.4.2 Battery backup DC power systems shall comply with
SAES-P-103.

7.5 Sequence of Events (SOE) and First Out Alarm

A SOE utility within a programmable electronic ESD system shall time stamp and
log the change of state of all discrete ESD input trip initiators and ESD outputs to
shutdown devices, shutdown buttons, manual reset buttons, and the transition of
analog/digital devices past shutdown limits. The event logs shall include the first
out alarm, device tag number, and device description time-stamped within 300
milliseconds.
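
The recorder below is an added example, not from the standard, showing how an SOE utility can satisfy 7.5 together with the first-out grouping of 6.8.2.5: every change of state is logged with its time stamp, tag number and description, analog points are compared with their shutdown limits, and the first trip in each equipment group since the last operator reset is flagged as first-out. Tags, descriptions, limits and scan values are constructed; scans are assumed to arrive at or below the 300 ms resolution, and wider gaps are counted.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

HEALTHY, TRIP = 1, 0   # positive logic (10.8): 1 = healthy, 0 = trip


@dataclass(frozen=True)
class Point:
    tag: str
    description: str
    group: str                          # first-out group, one per equipment (6.8.2.5)
    low_trip: Optional[float] = None    # analog low shutdown limit, if any
    high_trip: Optional[float] = None   # analog high shutdown limit, if any

    def to_discrete(self, value: float) -> int:
        """Map a raw input to its positive-logic state."""
        if self.low_trip is None and self.high_trip is None:
            return TRIP if value == 0 else HEALTHY        # discrete input as wired
        if self.low_trip is not None and value < self.low_trip:
            return TRIP
        if self.high_trip is not None and value > self.high_trip:
            return TRIP
        return HEALTHY


@dataclass(frozen=True)
class SoeEvent:
    t_ms: int
    tag: str
    description: str
    state: int          # new state, positive logic
    first_out: bool     # first trip in its group since the last operator reset


class SoeRecorder:
    """Time-stamps every change of state and performs first-out discrimination."""

    def __init__(self, points: List[Point], resolution_ms: int = 300):
        self.points = {p.tag: p for p in points}
        self.state: Dict[str, int] = {p.tag: HEALTHY for p in points}
        self.first_out: Dict[str, List[str]] = {p.group: [] for p in points}
        self.resolution_ms = resolution_ms    # 7.5: stamps within 300 ms
        self.last_scan_ms: Optional[int] = None
        self.slow_scans = 0                   # scan gaps wider than the resolution
        self.log: List[SoeEvent] = []

    def scan(self, t_ms: int, values: Dict[str, float]) -> List[SoeEvent]:
        """Process one scan; values holds the raw inputs read in this scan."""
        if self.last_scan_ms is not None and t_ms - self.last_scan_ms > self.resolution_ms:
            self.slow_scans += 1
        self.last_scan_ms = t_ms
        armed = {g for g, tags in self.first_out.items() if not tags}   # no first-out latched yet
        new_events: List[SoeEvent] = []
        for tag, raw in values.items():
            point = self.points[tag]
            new = point.to_discrete(raw)
            if new == self.state[tag]:
                continue                                  # no change of state, nothing to log
            self.state[tag] = new
            is_first = new == TRIP and point.group in armed
            if is_first:
                self.first_out[point.group].append(tag)   # trips in the same scan are co-first
            event = SoeEvent(t_ms, tag, point.description, new, is_first)
            self.log.append(event)
            new_events.append(event)
        return new_events

    def reset_group(self, group: str) -> None:
        """Operator first-out reset (6.8.2.3): re-arms the group for the next trip."""
        self.first_out[group] = []


# Constructed configuration and scan data (not from any plant)
POINTS = [
    Point("PSLL-101", "K-101 suction pressure low-low", "K-101"),
    Point("TSHH-102", "K-101 discharge temperature high-high", "K-101"),
    Point("PT-103", "K-101 lube oil pressure", "K-101", low_trip=200.0),
    Point("HS-201", "Unit 200 shutdown push button", "UNIT-200"),
]
SCANS = [
    (0,    {"PSLL-101": 1, "TSHH-102": 1, "PT-103": 350.0, "HS-201": 1}),
    (250,  {"PSLL-101": 0}),                       # first trip on K-101
    (500,  {"TSHH-102": 0, "PT-103": 150.0}),      # subsequent trips, not first-out
    (750,  {"HS-201": 0}),                         # first trip on UNIT-200
    (1000, {"PSLL-101": 1}),                       # input returns to healthy, still logged
]


def replay(points: List[Point], scans) -> SoeRecorder:
    rec = SoeRecorder(points)
    for t_ms, values in scans:
        rec.scan(t_ms, values)
    return rec


if __name__ == "__main__":
    for ev in replay(POINTS, SCANS).log:
        print(f"{ev.t_ms:>6} ms  {ev.tag:<9} {ev.description:<40} state={ev.state} first_out={ev.first_out}")
```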

7.6 Input and Output Signal Isolation

7.6.1 Individual input/output signal point isolation, if required, shall be
accomplished by using I/O modules that incorporate individual point
isolation and be part of the Vendor’s approved product.

7.6.2 ESD systems utilizing solid-state outputs to achieve signal isolation
shall be rated for the maximum load and in-rush current of the intended
final device (e.g., motor control circuit contactor) and be part of the
Vendor’s approved product.

7.6.3 Electromechanical relays shall be used for replication of digital inputs
or outputs when the ESD system is incapable of meeting signal
isolation specifications. Indoor and outdoor electromechanical relays
shall comply with 34-SAMSS-820.

7.7 Wiring Methods, Grounding and Ground Fault Detection Systems (GFD)

7.7.1 ESD wiring methods for connecting field devices to field junction
boxes, through to marshaling cabinets shall be consistent with the
requirements of SAES-J-902.

7.7.2 Grounding design shall be per vendor standard recommendations and
per the applicable sections of SAES-J-902, whichever is more stringent.

7.7.3 Ungrounded or floating ESD system power supplies shall not be used
except where modifications are required to existing ungrounded
systems or equipment.

7.7.4 Process facilities using ungrounded DC supply voltages for ESD
systems shall incorporate GFD systems to monitor leakage current to
ground. GFD circuitry shall be designed to continuously monitor
floating electrical circuits within field wiring and alert maintenance
personnel, via an integral alarm indicator and a set of contacts routed
to an annunciator, when resistance to earth falls below a nominal 1 K
ohms.

7.7.4.1 Commercially available modular type GFD components
shall be used for GFD systems. GFD should be performed
on an individual loop basis to be able to discriminate line
faults, for a maximum grouping of 40 I/O points per GFD
module and provided there is no impact on operations
during maintenance and testing for line fault conditions.

7.7.4.2 The ground fault detector shall be capable of detecting
independent ground faults for different groups of points,
without adversely affecting other point groupings, when
using the same power supply. Potential faults or failures
within GFD modules, circuitry or external wiring shall in no
way compromise the integrity of ESD inputs and outputs.

7.8 ESD Communications to DCS/BPCS

7.8.1 No restrictions are placed on the transmission of READ-ONLY data
from an ESD system to an external DCS/BPCS.

7.8.2 ESD bi-directional communication paths and devices used to transmit
READ-WRITE data such as time synchronization signals, ESD input
bypass requests, ESD shutdown or reset commands shall comply with
the following:

7.8.2.1 Communication paths and devices shall be functionally
redundant, utilizing electrically and physically isolated
communications interfaces with automatic communications
channel fail-over.

Exception:

Integration of the DCS and ESD networks is acceptable provided
that the network uses an approved SIL 3 rated safety
communications protocol and that network switch connections are
clearly identified as safety related.

Note:

Port and path redundancy is not required for application program
configuration, testing or simulation via a workstation, or for a
read-only type interface with external computers.


7.8.2.2 Communication interfaces shall be off-the-shelf, using
existing, industry standard media and communications
protocols such as Modbus or Ethernet or the Vendor
approved proprietary protocol.

7.8.2.3 The protocol data message transmission shall incorporate
error checking schemes such as Cyclical Redundancy
Checking (CRC), Longitudinal Redundancy Checking
(LRC) or Check Sums, in conjunction with bit parity
checks, fail-safe transmission time-out, message fault
words, and loss of communication path alarms.
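
The checks named in 7.8.2.3 are concrete algorithms; as an added example (not from the standard or any vendor), the Python below implements the Modbus RTU CRC-16 and the Modbus ASCII LRC, verifies received frames, and adds a simple transmission time-out watchdog. The frame 01 03 00 00 00 01 is a standard read-holding-registers request used as a test vector; the 1000 ms timeout is assumed. These codes detect corruption by noise, not deliberate alteration, which is why the write protections of 7.8.2.4 and 7.8.2.5 still apply.

```python
from typing import Optional


def modbus_crc16(data: bytes) -> int:
    """CRC-16/MODBUS: reflected polynomial 0xA001, initial value 0xFFFF, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def rtu_frame(pdu: bytes) -> bytes:
    """Append the CRC low byte first, the order Modbus RTU puts it on the wire."""
    return pdu + modbus_crc16(pdu).to_bytes(2, "little")


def check_rtu(frame: bytes) -> bool:
    """True only if the received CRC matches the received address/function/data."""
    if len(frame) < 4:                      # address + function + 2 CRC bytes at minimum
        return False
    return modbus_crc16(frame[:-2]) == int.from_bytes(frame[-2:], "little")


def modbus_lrc(data: bytes) -> int:
    """Modbus ASCII LRC: two's complement of the 8-bit byte sum."""
    return (-sum(data)) & 0xFF


def ascii_frame(pdu: bytes) -> str:
    """':' + hex payload + hex LRC + CR LF, as Modbus ASCII transmits it."""
    return ":" + (pdu + bytes([modbus_lrc(pdu)])).hex().upper() + "\r\n"


def check_ascii(frame: str) -> bool:
    """Valid when the payload plus LRC sums to zero modulo 256."""
    body = frame.strip()
    if not body.startswith(":") or len(body) % 2 == 0:   # ':' plus an even count of hex digits
        return False
    try:
        raw = bytes.fromhex(body[1:])
    except ValueError:
        return False
    return len(raw) >= 3 and sum(raw) & 0xFF == 0


class CommWatchdog:
    """Fail-safe transmission time-out: the path counts as healthy only while
    frames that pass the CRC check keep arriving within timeout_ms."""

    def __init__(self, timeout_ms: int):
        self.timeout_ms = timeout_ms
        self.last_valid_ms: Optional[int] = None

    def on_frame(self, now_ms: int, frame: bytes) -> bool:
        ok = check_rtu(frame)
        if ok:
            self.last_valid_ms = now_ms       # corrupted frames do not refresh the watchdog
        return ok

    def healthy(self, now_ms: int) -> bool:
        """False before the first valid frame and after the timeout elapses: alarm condition."""
        return self.last_valid_ms is not None and now_ms - self.last_valid_ms <= self.timeout_ms


# Standard request: slave 1, function 03, register 0, quantity 1 (a common test vector)
REQUEST = bytes.fromhex("010300000001")

if __name__ == "__main__":
    frame = rtu_frame(REQUEST)
    print(frame.hex(" "), check_rtu(frame))
    corrupted = bytearray(frame)
    corrupted[5] ^= 0x01                      # single bit flip in the register count
    print(bytes(corrupted).hex(" "), check_rtu(bytes(corrupted)))
    print(repr(ascii_frame(REQUEST)), check_ascii(ascii_frame(REQUEST)))
```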

7.8.2.4 The ESD operating system and application program shall be
write-protected, such that the CPU is protected from alteration
by data locking devices, key lock, or password security
techniques, or a combination of these.

7.8.2.5 Source password or key lock protection, in conjunction with
a separate confirmation acknowledge step, is required to
accept bypass commands.
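
As an added example (not the standard's or any vendor's mechanism), the gate below implements the two-step acceptance of 7.8.2.5 together with the bypass event logging of 6.7.4.4: a bypass request must carry a valid source credential, and a separate confirmation by the same requester must arrive within a confirmation window before the bypass is applied; every outcome is logged with tag number and device description. The operator name, credential store, tag list and 30 s window are constructed stand-ins for the vendor's key-lock or password facility.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class PendingRequest:
    tag: str
    user: str
    requested_at: float


class BypassCommandGate:
    """Two-step acceptance of externally originated bypass commands (7.8.2.5)
    with the bypass event logging of 6.7.4.4.  A request is only accepted from
    an authenticated source, and a separate confirmation by the same requester
    must follow within confirm_window_s before the bypass takes effect."""

    def __init__(self, authenticate: Callable[[str, str], bool],
                 descriptions: Dict[str, str], confirm_window_s: float):
        self.authenticate = authenticate
        self.descriptions = descriptions            # tag number -> device description
        self.confirm_window_s = confirm_window_s
        self.pending: Dict[str, PendingRequest] = {}
        self.bypassed: Set[str] = set()
        # (time, tag, description, user, event)
        self.event_log: List[Tuple[float, str, str, str, str]] = []

    def _log(self, now: float, tag: str, user: str, event: str) -> None:
        self.event_log.append((now, tag, self.descriptions.get(tag, "UNKNOWN TAG"), user, event))

    def request(self, now: float, tag: str, user: str, credential: str) -> bool:
        """Step 1: authenticated request; unknown tags and bad credentials are refused and logged."""
        if tag not in self.descriptions or not self.authenticate(user, credential):
            self._log(now, tag, user, "BYPASS_REQUEST_REJECTED")
            return False
        self.pending[tag] = PendingRequest(tag, user, now)
        self._log(now, tag, user, "BYPASS_REQUEST_PENDING")
        return True

    def confirm(self, now: float, tag: str, user: str) -> bool:
        """Step 2: separate acknowledge; must match the requester and arrive inside the window."""
        req = self.pending.pop(tag, None)           # a confirmation consumes the request either way
        if req is None or req.user != user or now - req.requested_at > self.confirm_window_s:
            self._log(now, tag, user, "BYPASS_CONFIRM_REJECTED")
            return False
        self.bypassed.add(tag)
        self._log(now, tag, user, "BYPASS_ON")
        return True

    def remove(self, now: float, tag: str, user: str) -> bool:
        if tag not in self.bypassed:
            return False
        self.bypassed.discard(tag)
        self._log(now, tag, user, "BYPASS_OFF")
        return True


def make_authenticator(digests: Dict[str, str]) -> Callable[[str, str], bool]:
    """Constructed stand-in for the vendor's key-lock or password facility:
    compares a SHA-256 digest of the presented credential in constant time."""
    def authenticate(user: str, credential: str) -> bool:
        expected = digests.get(user)
        if expected is None:
            return False
        return hmac.compare_digest(hashlib.sha256(credential.encode()).hexdigest(), expected)
    return authenticate


# Constructed operator store, tag list and command sequence
OPERATORS = {"opr1": hashlib.sha256(b"correct-horse-battery").hexdigest()}
TAGS = {"PSLL-101": "K-101 suction pressure low-low"}


def demo() -> BypassCommandGate:
    gate = BypassCommandGate(make_authenticator(OPERATORS), TAGS, confirm_window_s=30.0)
    gate.request(0.0, "PSLL-101", "opr1", "wrong-credential")      # rejected
    gate.request(1.0, "PSLL-101", "opr1", "correct-horse-battery")  # pending
    gate.confirm(40.0, "PSLL-101", "opr1")                          # rejected: 39 s > 30 s window
    gate.request(41.0, "PSLL-101", "opr1", "correct-horse-battery")
    gate.confirm(45.0, "PSLL-101", "opr1")                          # accepted: bypass on
    return gate


if __name__ == "__main__":
    for entry in demo().event_log:
        print(entry)
```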

7.8.2.6 The normal operation of the ESD system shall not be
impaired by any communication path or device failure.

7.8.2.7 Refer to section 15 in SAES-Z-001 for additional
requirements on ESD interfaces to DCS/BPCS.

7.8.3 No changes shall be allowed to ESD application programs via an
external communications interface.

7.9 ESD Peer to Peer Communications

7.9.1 ESD peer-to-peer signals may be used for the communication of the
following:

a. Pull/push button shutdown signals between respective
ESD controllers and shall comply with the requirements
stated in 34-SAMSS-623.

b. To propagate a plant or unit level shutdown to other SIF
functions in other units or plants.

c. To propagate a unit level shutdown to SIFs (isolation ZV or
diverter valves) in another unit so that they can be sent to
the safe state.


d. To implement a SIF with sensor and final element
connected to two different Logic Solvers as explained and
justified in the SRS.

7.9.2 ESD peer-to-peer signals shall be communicated directly from one
ESD peer to another and utilize a SIL 3 capable safety
communications protocol. ESD peer-to-peer communications signals
shall not be transferred via BPCS or any other non-ESD system.

7.9.3 The SRS shall document when ESD peer-to-peer communication is
utilized and define the required fault reaction on loss of
communication.

8 Final Shutdown Devices

Final shutdown instruments generally consist of two distinct classes of devices:

a. Valves: Power-operated emergency isolation valves or safety shutoff
valves that prevent the flow of process fluids (i.e., hydrocarbons,
hydrogen, cryogenics, etc.) or toxic materials into or out of a vessel,
pipe, or a process plant/unit, or blowdown depressuring valves.

b. Interposing relays or energy interruption devices:

These are devices which safely and reliably interrupt the flow of energy or power
to a particular piece of equipment or process area, e.g., motor starter cutouts for
electric driven motors to bring process or equipment to a safe state. Interposing
relays can also be used to interface ESD system outputs to final elements that
operate at a different voltage.

8.1 ZV General Guidelines

This section establishes the requirements for the design and selection of ZV
assemblies consisting of the valve and actuator, with the associated control
equipment such as limit switches or valve position transmitter, solenoid valve,
etc.

8.1.1 Mandatory requirements for applying, locating, and fireproofing power
operated emergency isolation valves and their integral control
components such as limit switches are provided in SAES-B-006,
SAES-B-009, SAES-B-058, and SAES-B-070.

8.1.2 ZV actuator selection guidelines are provided in this standard;
however, for more detailed design requirements refer to 34-SAMSS-716
for valve actuators.

8.1.3 For requirements for pipeline EIVs, refer to SAES-B-064.


8.2 ZV Design

8.2.1 ZVs shall be suitable for the specific application and supplied as an
integrated assembly of valve and actuator, with the associated control
equipment such as limit switches or valve position transmitter, solenoid
valve, etc. Valves shall meet the construction and materials requirements
of SAES-L-108 and the related Saudi Aramco material specifications.

8.2.2 ZVs shall meet or exceed all specified process and environmental
conditions per the ISS.

8.2.3 ZVs specified with spring return actuators do not require fireproofing of
the actuator or local controls. When a ZV is located in or above a fire-
hazardous zone then a fusible plug on the air signal or fusible link shall
be installed within 1 meter (3 feet) of the spring return actuator to move
the valve to the fail-safe position in the event of a fire.

8.2.4 Double-acting and motor operated ZVs located in fire
hazardous zones shall meet the fireproofing requirements of SAES-B-006.

8.2.5 ZVs shall be identified by nameplates showing the ZV tag description
per SAES-J-003. The ZV shall be clearly distinguished as an ESD
valve, for example by the tag description in white printed/embossed
writing on a red background.

8.2.6 Control valves installed in series with ZVs to manipulate a fuel supply,
a heat source, or a toxic fluid shall be interlocked with ZV logic such
that when the ZV is commanded to close, the control valve is forced to
the fail-safe position by a command to a BPCS control software
interlock.


8.3 ZV Actuators

8.3.1 ZV actuators shall be spring return fail-safe unless impractical due to
valve size, valve type or torque/thrust requirements. Spring return
actuators shall move the ZV to the fail-safe position upon loss of ESD
output signal, electrical power, instrument air or hydraulic pressure.

8.3.2 When spring return fail-safe actuators cannot be provided for ZVs,
alternative actuator types shall be considered such as double-acting,
or fail last Motor Operated Valves (MOVs) using reliable and
independent backup energy sources described in Section 8.6 to
perform as a fail-safe actuator.

8.3.3 Motor operated valve actuators specified for ZVs without spring-return
fail-safe mechanism shall meet the risk reduction requirements
specified for the SIF. The independent back up power supply shall be
in the SIF SIL Verification. ESD commands shall override all integral
MOV selector switch signals.

8.3.4 Pipeline MOVs which are EIVs and are not the final element of a SIF
do not require redundant power sources.

8.4 ZV Actuator Accessories

8.4.1 ZVs shall have open and close position visual indication mounted on
the valve actuator such that it is clearly visible to an operator located at
grade or on an accessible platform per SAES-B-054.

8.4.2 ZVs shall be equipped with open and closed limit switches or a valve
position transmitter. Where HMI is available the ZV position shall be
indicated on the operator's console.

8.4.3 ZV actuators shall be capable of manual (open/close) operation as per
the requirements of 34-SAMSS-716.

Note:

Safety Shutoff Valves for BMS applications do not require manual operators,
local pushbutton operator stations, or PST features. Refer to SAES-J-602.

8.5 The SIF response time including the ZV closure time shall not exceed the
process safety time and/or the specific requirements as stated in SAES-B-058,
SAES-B-064, and SAEP-354.


8.6 Power Sources for ZV Actuators

When a fail-safe spring-return actuator is not used, an independent and reliable
backup energy source shall be provided to drive the ZV to a fail-safe position.
The alternative power sources in this section are considered to be reliable and
independent:

8.6.1 Compressed air stored in a dedicated air accumulator, located outside
the fire-hazardous zone, in close proximity to a double-acting, piston-
operated ZV, sourced from an instrument air header via double non-
return, check valves.

8.6.1.1 Air accumulator shall be sized to move the ZV three
strokes from the normal operating position to the fail-safe
position and back to the normal operating position.

8.6.1.2 The air accumulator shall be sized based on a starting air
pressure of 690 kPa (100 psig) and a final pressure of 415
kPa (60 psig).

8.6.1.3 Only one ZV shall be connected to an air accumulator
drum.

8.6.1.4 ZV air accumulator shall include a drain valve, inlet supply
redundant check valves in series and a local pressure
gauge.

8.6.2 Hydraulic fluid accumulator capable of moving a ZV with double-acting
actuators three strokes from the normal operating position to the fail-
safe position and back to the normal operating position upon loss of
utility supply, provided there is a hydraulic pump and a reliable power
source, power pack or a hand-pump for re-charging the hydraulic
system.

8.6.3 Fail-safe electric motor actuators, provided the electrical power for
operation and control is sourced from two independent power feeders
supported by a load-shedding scheme to maintain high availability and
protection. Loss of power to the MOV shall be monitored and alarmed
to the DCS.

8.7 ZV Local Control

8.7.1 Where partial stroke capability is adopted in the SIF SIL Verification to
extend the Full Stroke Testing (FST) interval, the ZV shall be provided
with local control and testing features as outlined in 34-SAMSS-634.


Commentary:

For facilities that can be shut down to allow full stroke valve testing, or where
valves can be fully stroked in service (i.e., spared equipment or EIVs with full-flow
bypasses), partial stroke capability is not required. If full stroke testing can be
conducted without shutting down the process, valve partial stroke capability is not
required, e.g. parallel identical processes that are not both required to be working
all the time.

8.7.2 When redundant processes are provided to perform a FST without
triggering a shutdown, PST capability shall not be utilized.

8.7.3 ZVs shall be provided with a means to initiate a full valve stroke test.
The valve stroke test shall be initiated from the local control panel or
remotely via the ESD/BPCS.

8.7.4 A ZV shall move to the defined shutdown position in the event that a
shutdown signal is initiated during stroke testing.

8.7.5 Resetting ESD system logic following a trip shall not cause a ZV or
other equipment to automatically move to the normal operating
position. Local operator action is required at a ZV's local control panel
to re-open a fail-closed ZV following a trip.

Commentary:

Opening and closing a ZV as part of a sequence in the ESD logic is not
considered a trip and therefore does not require a logic reset or local operator
action, e.g. BMS.

8.7.6 A local control panel shall be provided as the means to both open and
close a ZV in the field after an ESD logic reset.

8.8 Block and Bypass Valves

The installation of a full flow bypass valve in parallel with a ZV shall be
determined based on the need for maintenance, repair, and testing of the ZV with
mutual agreement between the Operating Department, Loss Prevention
Department’s Chief Fire Prevention Engineer, and P&CSD.

8.8.1 A bypass valve in parallel with a ZV shall be car-sealed closed and
meet shutoff and fire safety requirements of SAES-L-108.

8.8.2 A full flow bypass valve in parallel with ZVs shall only be used for
stroke testing ZV valves and repairing or replacing faulty ZVs.

8.8.3 Bypass and equalizing valves around ZVs shall be equipped with a
sealed, proximity type limit switch, monitoring the valve “closed”
position and providing an alarm remotely to the operator when the
bypass valve is not closed. Local pressure and differential pressure
gauges and/or transmitters shall be provided where pressure
equalization is required prior to opening a ZV.

8.8.4 Unless otherwise prohibited, an upstream manual block valve shall be
provided for ZVs which fail-open such as for vapor depressuring and
liquid pull down systems. The manual upstream block valve shall be
car-sealed open and only be used for stroke testing ZV valves and
repairing or replacing faulty ZVs. ZV upstream block valves shall not
be used to facilitate startup.

9 Documentation

Documentation shall completely describe ESD functions and be kept up-to-date
at all times.

9.1 Design Verification

9.1.1 A SRS shall be developed per SABP-Z-076. The SRS shall include all
functions implemented in the ESD and be reviewed as part of the
project design review.

9.1.2 Verification of SIF SIL Assignments shall be achieved by the
calculation of the probability of failure on demand (PFDavg) and the
Spurious Trip Rate (STR) in accordance with SAEP-250 and as
required by this standard.

9.2 Application Logic Design Documentation (Ref. SAES-J-003)

The following documents (hard copy, electronic files and native electronic files)
shall be developed during project proposal or design phases and form the basis
for the development, verification and testing of new or revised ESD application
logic:

9.2.1 HAZOP Report identifying or verifying the type, function and trip
settings of protection instruments which function as required
emergency shutdown inputs and outputs.

9.2.2 Safety Integrity Level Assignment and Verification reports per
SAEP-250.

9.2.3 The ESD SRS consisting of the SIF specifications sheets and safety
functional requirements. Refer to SABP-Z-076 and SAEP-250.

9.2.4 Cause-and-Effect matrix diagrams which correlate ESD output
actions (tag number and device description) in response to process
shutdown inputs (by instrument tag number, device description and
shutdown trip setting, and SIF tag number).

9.2.5 Control logic narrative providing a written description of the basic
requirements for logic as defined in the Cause-and-Effect matrix
diagram and SIF specification.

9.2.6 Boolean or function block type logic diagrams graphically showing ESD
inputs, outputs and internal logic using conventional ANSI/ISA S5.2
logic elements.

9.3 System Design Documentation

Engineering design documentation for the ESD systems, emergency isolation
and depressuring systems and equipment protection systems shall be developed
during project design as specified by the project, including but not limited to
the following, in the project proposal and detailed design phases.

9.3.1 Project Proposal

Process Flow Diagrams/P&IDs
Instrument Index
I/O List & Summary
HAZOP Report
SIL Assignment Report
Safety Requirement Specification (SRS)
PAS PCS Block Diagram
Layouts (PIB, Control Room)
ESD Functional Specification Document
Cause & Effect Matrix Diagrams

9.3.2 Detailed Design

Process Flow Diagrams/P&IDs
Instrument Index
I/O List & Summary
Instrument Specification Sheets (ISS)
Instrument Loop Drawing (ILDs)
Interconnection Wiring Diagram ESD
Instrument Installation Schedule ESD
PAS Architecture
Instrument Cable Block Diagram ESD
HAZOP Report
SIL Assignment Report
SIL Verification Report
Safety Requirement Specification (SRS)
PAS PCS Block Diagram
Layouts (PIB, Control Room)
ESD Functional Specification Document
Cause & Effect Matrix Diagrams
NMR 601/602 and 602 Documentation

10 Application Logic

10.1 The application logic and system configuration shall include the specific
requirements stated in SRS.

10.2 The application logic and system configuration for programmable controller
based systems shall consider the specific requirements documented by the
manufacturer's safety installation guidelines and system alerts.

10.3 ESD logic shall be simple and understandable. Comments shall be inserted
within ESD logic to explain the function of each network and be descriptive
enough to allow maintenance and engineering to perform trouble shooting
without having to revert to separate logic narrative. ESD Logic shall clearly
indicate the associated SIF tag number.

10.4 Logic shall be clearly documented and organized according to the four shutdown
levels. Equipment isolation system (Level 3) logic within a unit shall be grouped
by equipment so that all logic for a piece of equipment are on consecutive logic
pages or networks. Logic shall also be organized so that logic for each individual
pumps, turbines, compressors, and SIFs is grouped on consecutive logic pages
or networks. Identical logic structures and elements (except for tag names and
addresses) shall be used for identifying ESD logic of equipment operating in
parallel trains, or which are controlled in a similar manner.

10.5 The logic developer must be consistent in selecting and applying logic elements
and developing a network structure between similar types of application
programs.

10.6 Soft copies of the latest version of the application programs, cross reference
tables and other source code shall be stored in a secure location. A written
procedure shall be in place at each operating facility detailing the backup
requirements of the ESD system applications.

10.7 The assignment of input and output addresses shall minimize or prevent a
potential failure of one module adversely affecting more than one critical piece of
equipment of a parallel process train. The assignment of inputs to separate
modules also applies to voted ESD input devices, such as 1oo2, 2oo2 or 2oo3,
when more than one input module is available.


10.8 Application logic and Boolean logic diagrams shall use the “positive” logic
convention per SAES-J-003. A healthy signal is to be represented by the ‘1’ state
and a trip signal represented by the ‘0’ state.
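
As an added example (not from the standard), the Python below shows the positive-logic convention of 10.8 applied to 1oo2, 2oo2 and 2oo3 voting, and a design-time check for the I/O assignment rule of 10.7 that flags a module serving equipment of more than one parallel train and a voted group whose channels are not spread over the available modules. The tags, trains and module names are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


def vote(inputs: Iterable[int], m: int) -> int:
    """MooN voting in the positive convention of 10.8: inputs and output are
    1 = healthy, 0 = trip; the output trips when at least m inputs demand it."""
    trips = sum(1 for x in inputs if x == 0)
    return 0 if trips >= m else 1


def vote_1oo2(a: int, b: int) -> int:
    return vote((a, b), 1)          # either channel alone trips the function


def vote_2oo2(a: int, b: int) -> int:
    return vote((a, b), 2)          # both channels must demand the trip


def vote_2oo3(a: int, b: int, c: int) -> int:
    return vote((a, b, c), 2)       # majority of three


@dataclass(frozen=True)
class IoPoint:
    tag: str
    equipment: str     # e.g. "P-101A"
    train: str         # parallel process train the equipment belongs to
    module: str        # I/O module the channel is wired to
    channel: int


def check_io_assignment(points: List[IoPoint], voted_groups: Dict[str, List[str]],
                        modules_available: int) -> List[str]:
    """Design-time check for 10.7; returns one finding per violation, empty if clean."""
    findings: List[str] = []
    trains_per_module: Dict[str, Set[str]] = defaultdict(set)
    for p in points:
        trains_per_module[p.module].add(p.train)
    for module, trains in sorted(trains_per_module.items()):
        if len(trains) > 1:       # one module failure would hit more than one parallel train
            findings.append(f"{module} carries points of parallel trains {sorted(trains)}")
    by_tag = {p.tag: p for p in points}
    for group, tags in voted_groups.items():
        modules_used = {by_tag[t].module for t in tags}
        expected = min(len(tags), modules_available)   # spread voted inputs over available modules
        if len(modules_used) < expected:
            findings.append(f"voted group {group}: {len(tags)} inputs on "
                            f"{len(modules_used)} module(s), expected at least {expected}")
    return findings


# Constructed assignment carrying two deliberate violations
POINTS = [
    IoPoint("PSLL-101A", "P-101A", "A", "DI-01", 1),
    IoPoint("PSLL-101B", "P-101B", "B", "DI-01", 2),   # train B pump on the same module as train A
    IoPoint("PT-201A", "V-201", "A", "AI-01", 1),
    IoPoint("PT-201B", "V-201", "A", "AI-01", 2),
    IoPoint("PT-201C", "V-201", "A", "AI-01", 3),      # whole 2oo3 set on one module
]
VOTED = {"PT-201 2oo3": ["PT-201A", "PT-201B", "PT-201C"]}

if __name__ == "__main__":
    print("2oo3 with one channel tripped:", vote_2oo3(0, 1, 1))
    print("2oo3 with two channels tripped:", vote_2oo3(0, 0, 1))
    for finding in check_io_assignment(POINTS, VOTED, modules_available=2):
        print("FINDING:", finding)
```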

11 Testing and Validation

11.1 ESD System Validation

A validation of an ESD system shall confirm the requirements of the system
including:

a. The correct firmware version and the latest application program.

b. The correct function and installation of all hardware including I/O
modules, main processors, communication modules, power supplies,
and grounding.

c. The correct function and installation of interfaces and communications
to the BPCS including validation of all ESD related graphics and alarm
summaries.

11.2 Testing During Project Execution (Ref SAEP-750)

11.2.1 Functional testing is required during the Factory Acceptance Test and
Site Acceptance Test/Pre-commissioning.

11.2.2 The functional test shall validate the operation of each SIF as per the
requirements defined in the SRS.

11.2.3 The functional test shall validate the operation of each prescriptive SIF
as per Company and project specifications. Functional testing shall
also validate any start-up permissive logic implemented within the ESD
system.

11.2.4 Functional testing during FAT shall be conducted using simulated
inputs and outputs. Functional testing at site shall be conducted for
each SIF using actual input and output devices, as much as possible,
and shall include the following as a minimum:

a. The operation, calibration, and trip setting of all ESD input
devices.

b. The logic associated with voted inputs.

c. The proper functionality of application logic associated with
each SIF.

d. The correct operation of final elements.

e. The proper operation of manual shutdowns, bypasses and
resets.

f. Alarm functions, first out alarming and sequence of events.

Note:

Functional testing at site is typically conducted after completion of Loop
Checks. However, it may be conducted in parallel to loop checks upon Company
approval.

11.2.5 ESD functional tests shall be witnessed and verified by competent
proponent representatives from the responsible Operating,
Maintenance, and Engineering Departments.

11.2.6 Project records shall be kept and forwarded to Operations,
Maintenance, and Engineering Departments which document the ESD
logic, input device and final element testing, test results and exception
item resolutions.

11.3 Periodic Testing of Field Devices

11.3.1 The periodic testing interval for instrument sensors and final elements
in SIFs assigned SIL 1, 2 or 3 shall not exceed the test interval utilized
in the SIF SIL Verification calculations.

11.3.2 The periodic testing interval for instrument sensors and final elements
for prescriptive ESD functions shall be as follows:

a. Analog devices (such as transmitters, transducers, or trip
amplifiers) used as ESD inputs shall be physically and
functionally tested every 36 months.

b. Discrete devices (such as process switches) used as ESD
inputs shall be physically and functionally tested every year.

c. SIF, alarm and interlock logic shall be tested every T&I. The
test shall be conducted by simulating a process input for digital
and analog devices over the calibrated range of the device,
and verifying the appropriate ESD logic and response of the
final shutdown element.

d. ZVs or SSVs that are automatically actuated, but not assigned
a SIL 1, 2 or 3, shall be fully stroked on a maximum of 3-year
basis or every T&I, whichever is the lesser.


e. Power operated EIVs, activated by an operator action, shall be
full stroke tested every five years.

f. ESD push/pull shutdown buttons shall be tested at the lesser of
three years or the T&I, or whenever a planned operational
shutdown occurs.

11.3.3 Unplanned process shutdowns which drive ZVs and other SIF final
elements to their failsafe positions within the designed response time
are considered valid FST of the respective final elements (relays and
ZVs) and can be considered as final element proof tests.

11.3.4 Calibration records and test results for ESD input devices or sensors,
final elements, and internal ESD logic shall be documented and
archived for permanent record. Each test record shall include test
number, time/date, person performing the test, plant number,
instrument number, test result, etc. These records shall be made
available for periodic plant maintenance audits and Loss Prevention
Compliance Reviews.

11.3.5 Periodic testing of SIF sensors and final elements shall follow an
approved facility Operating Instruction Manual or Management
Procedure.

11.4 Periodic Testing of Shutdown Logic

11.4.1 ESD systems shall be periodically validated against their functional
requirements specifications. The validation will typically be performed
during the unit turnaround and consist of a verification of the ESD I/O
and shutdown logic. Calibrated signal simulators may be used during
these tests.

11.4.2 A SIF logic may be omitted from a periodic test if the SIF has not been
through any change such as performing a download, the operating
shutdown logic program has been compared to the control copy and is
identical, and there has been no addition of ESD I/O into the logic
since the last functional test on the shutdown logic.
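One way to record and check the three 11.4.2 conditions before omitting a SIF's logic from the periodic test, as an added example rather than anything from the standard: the record layout, the use of a SHA-256 fingerprint of the control copy as the comparison, and the sample program text are assumptions made here for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import date

@dataclass
class SifLogicRecord:
    """Constructed MOC record for one SIF's shutdown logic (not a standard form)."""
    sif_id: str
    last_logic_test: date                  # last functional test of the logic
    operating_program: bytes               # logic read back from the solver
    control_copy_sha256: str               # fingerprint of the approved copy
    downloads: list = field(default_factory=list)  # dates of logic downloads
    io_added: list = field(default_factory=list)   # dates ESD I/O was added

def fingerprint(program: bytes) -> str:
    """SHA-256 of the program image; assumed here as the comparison method."""
    return hashlib.sha256(program).hexdigest()

def may_omit_logic_test(rec: SifLogicRecord):
    """Apply the three 11.4.2 conditions; returns (allowed, list of reasons)."""
    reasons = []
    if any(d > rec.last_logic_test for d in rec.downloads):
        reasons.append("download performed since last functional test")
    if fingerprint(rec.operating_program) != rec.control_copy_sha256:
        reasons.append("operating program does not match the control copy")
    if any(d > rec.last_logic_test for d in rec.io_added):
        reasons.append("ESD I/O added since last functional test")
    return not reasons, reasons

# Constructed sample: a one-line stand-in for the solver's logic program.
CONTROL_COPY = b"IF PT-101 > 40 OR LSH-200 THEN TRIP ZV-300"
UNCHANGED = SifLogicRecord("SIF-001", date(2021, 4, 1), CONTROL_COPY,
                           fingerprint(CONTROL_COPY))
DRIFTED = SifLogicRecord("SIF-002", date(2021, 4, 1),
                         CONTROL_COPY + b" OR LSH-201",
                         fingerprint(CONTROL_COPY), io_added=[date(2022, 9, 9)])
```

Any one failed condition is enough to put the SIF back on the periodic test list; the reasons are returned so the exception can be documented with the test record (11.3.4).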

12 Management of Change to ESD Systems

12.1 A written procedure shall be in place at each operating facility detailing the
requirements for the review and approval of all changes made to an ESD system.

12.2 Proposed changes to installed ESD systems, including the replacement of
existing devices with different instruments, shutdown trip setting or logic changes,
or final element modifications, shall be subjected to thorough review and approval
by qualified personnel from Operations, Engineering, Maintenance, Inspection,
and Loss Prevention.

12.3 Proposed changes shall undergo simulation or emulation, validation, and testing
before being commissioned and placed in service.

12.4 The following steps shall be carried out prior to implementing any change within
an existing ESD system:

12.4.1 PHA/HAZOP of the new and/or modified parts of the process unit,
equipment or process, identifying the intent and effect of the change to
the existing ESD system.

12.4.2 LOPA if the PHA recommends a new SIF or identifies the need to
reconduct the SIL Assignment for an existing SIF.

12.4.3 SIFs shall be verified for instrument type, function, failure modes, trip
setting and that the loop meets the assigned SIL.

12.4.4 Modification of the cause-and-effect matrix diagram (which correlates
ESD output actions by tag number and device description, in response
to process shutdown inputs by instrument tag number, device
description, and shutdown trip setting).

12.4.5 Update of the related SRS documents for the SIF specification.

12.4.6 Development of a Boolean or Function Block type logic diagram
graphically showing ESD inputs, outputs and internal logic using
and/or, timer, or counter logic elements with basic logic statements,
comment blocks, tag numbers and device descriptions embedded in the
diagram which describe the intended functionality.

12.4.7 A written description of the work and steps involved in implementing
the change, including any steps that might pose a risk to personnel,
process equipment, to the environment, or to the local community.

Document History
20 July 2022 Major revision.
13 July 2017 Major revision to optimize SMART ZV solutions, utilize position transmitters resulting in
less I/O’s, less spurious trips, reduced size and complexity, restrict the use of non-ESD
in ESD systems, and adopt safety requirements specifications document for SIS
lifecycle (SABP-Z-076).
22 April 2014 Major revision.
