----- ----- # ESD Systems ### Recommendations for Emergency Shutdown and Related Safety Systems (Second Edition 2021) ----- First published in 2009 by Witherby Publishing Second edition published 2021 ISBN: 978-1-85609-998-1 eBook ISBN: 978-1-85609-999-8 © Copyright of SIGTTO, Bermuda **The Society of International Gas Tanker and Terminal Operators (SIGTTO) is a non-profit making organisation dedicated** _to protect and promote the mutual interests of its members in matters related to the safe and reliable operation of gas_ _tankers and terminals within a sound environment. The Society was founded in 1979 and was granted consultative status_ _at the International Maritime Organization in November 1983._ www.sigtto.org **Notice of Terms of Use** While the information and advice given in this document (ESD Systems, Second Edition (2021)) has been developed using the best information currently available, it is intended purely as guidance to be used at the user’s own risk. No warranties or representations are given nor is any duty of care or responsibility accepted by The Society of International Gas Tanker and Terminal Operators (SIGTTO), the members or employees of SIGTTO, or by any person, firm, company or organisation who or which has been in any way concerned with the furnishing of information or data, the compilation or any translation, publishing, supply or sale of the document, for the accuracy of any information or advice in the document or any omission from the document or for any consequence whatsoever resulting directly or indirectly from compliance with, adoption of, or reliance on guidance contained in the document even if caused by failure to exercise reasonable care. Published by **Witherby Publishing Group Ltd** Navigation House, 3 Almondvale Business Park, Almondvale Way, Livingston EH54 6GA, Scotland, UK +44(0)1506 463 227 info@witherbys.com witherbys.com ----- #### Contents **1** **Introduction and Scope...................................................................................................................................... 1** 1.1 Introduction............................................................................................................................................... 3 1.2 Scope....................................................................................................................................................... 4 **2** **Key Safety System Philosophies.......................................................................................................................... 5** 2.1 System Segregation................................................................................................................................... 7 2.2 Independent and Fail-safe.......................................................................................................................... 8 2.3 System Availability.................................................................................................................................... 8 2.4 Alarm Management Lifecycle...................................................................................................................... 8 2.5 Maintenance and Testing............................................................................................................................ 9 **3** **ESD Systems.................................................................................................................................................... 11** 3.1 IGC Code Requirements........................................................................................................................... 13 3.2 Recommendations for ESD Systems........................................................................................................... 13 3.3 Testing.................................................................................................................................................... 18 **4** **Overflow Control and Vacuum Protection.......................................................................................................... 19** 4.1 IGC Code Requirements........................................................................................................................... 21 4.2 Recommendations for Overflow Control.................................................................................................... 22 4.3 Testing of Overflow Control...................................................................................................................... 23 **5** **Gas Burning Safety System.............................................................................................................................. 25** 5.1 IGC Code Requirements .......................................................................................................................... 27 5.2 Explanation of the GBSS and ESD Interface............................................................................................... 28 **6** **Ship Shore Link................................................................................................................................................ 31** 6.1 IGC Code Requirements........................................................................................................................... 33 6.2 Recommendations................................................................................................................................... 33 6.3 Compatibility.......................................................................................................................................... 34 6.4 Ship Shore Link Testing............................................................................................................................. 34 **7** **Emergency Release Systems............................................................................................................................. 37** 7.1 Design and Construction Standards.......................................................................................................... 39 7.2 Explanation of ERS and ESD Interface....................................................................................................... 40 **Annexes................................................................................................................................................................ 43** Annex 1 – IGC Code References....................................................................................................................... 45 Annex 2 – Ship Shore Link Systems.................................................................................................................... 48 Annex 3 – Glossary of Terms and Abbreviations................................................................................................. 57 Annex 4 – Reference List................................................................................................................................... 58 ----- ----- ## 1 Introduction and Scope ----- ----- ##### Introduction and Scope #### 1. Introduction and Scope ###### 1.1 Introduction Emergency shutdown (ESD) is a design feature that is used in process systems to reduce risk. In the liquefied gas industry, ESD is a safety system that is designed to minimise the consequences of an incident. This document is the outcome of a review of ESD systems on liquefied gas carriers. Although ESD systems are distinct on gas carriers, they interact with other safety systems on the ship and terminal[1]. Related safety systems include overflow control, ship shore link (SSL), vacuum protection, gas burning safety systems (GBSS) and emergency release systems (ERS). This document discusses the requirements of the IGC Code[2] for ESD and related safety systems and recommends additional measures. To help explain those recommendations, descriptions of the relevant safety systems are given. This new document updates and replaces the previous publication, ESD Arrangements & Linked Ship/Shore _Systems for Liquefied Gas Carriers (2009). This update benefits from advancements in safety philosophy,_ technological improvements and lessons learnt from incidents. 1 _Terminal refers to all receiving and exporting facilities, including floating and regasification facilities_ 2 IMO – International Code for the Construction and Equipment of Ships Carrying Liquefied Gases in Bulk (Reference 1) ----- ##### Introduction and Scope ###### 1.2 Scope This document is written at a level suitable for organisations involved in the design, integration and use of ESD and related safety systems on liquefied gas carriers and terminals. The guidance is written at a high level and assumes the reader is technically qualified and experienced in this subject. The recommendations in this document are for new gas carriers and terminals only and are not intended for existing gas carriers or terminals. Shipyards, system designers and owners of ships and terminals should review these recommendations when carrying out a major upgrade to ESD and related safety systems on an existing ship or terminal. The primary focus of this document is ESD systems for gas carriers, but it does provide minimum recommendations for related safety systems where necessary. This document does not provide substantial guidance for terminal ESD and ERS. Although the guidance in this document is particularly relevant to liquefied gas transfers, it may not be particularly relevant to regasification gas transfer operations. An overview of ESD linked systems is provided, but this document does not recommend any particular system. The owner should decide which system, or combination of systems, is suitable for their asset. ----- ## 2 Key Safety System Philosophies ----- ----- ##### Key Safety System Philosophies #### 2. Key Safety System Philosophies There are key philosophies that guide the design of safety systems and these can be found in the IGC Code[3 ] and the relevant IEC and ISO documents it references. This section will provide a high-level summary of some of the important concepts. ###### 2.1 System Segregation Although the IGC Code does not use layer of protection analysis (LOPA) terminology, it is helpful to use this concept to visualise the layers that the various systems form. A typical independent layer of protection diagram is shown in Figure 1. 6. Emergency response Mitigation 5. Physical protection systems 4. Safety system 3. Alarms and Prevention operator corrective action 2. Basic process control system 1. Design **Figure 1: Typical independent layers of protection** The control, monitoring and safety systems on a gas carrier can provide distinct and successive layers of protection. As a general concept, when the control of a process is not managed within a specific layer, then the next layer above is activated. Although not in chronological order for a specific hazard, Table 1 contains examples of the systems found in different layers. **Layer** **System** 2. Basic process control system Cargo tank gauging system 3. Alarms and operator corrective action Cargo tank high-level alarm 4. Safety system Cargo tank automatic shut-off valve 5. Physical protection systems Cargo tank relief valve **Table 1: Examples of systems in different layers** 3 IMO – International Code for the Construction and Equipment of Ships Carrying Liquefied Gases in Bulk (Reference 1) |Layer|System| |---|---| |2. Basic process control system|Cargo tank gauging system| |3. Alarms and operator corrective action|Cargo tank high-level alarm| |4. Safety system|Cargo tank automatic shut-off valve| |5. Physical protection systems|Cargo tank relief valve| ----- ##### Key Safety System Philosophies The systems within the cargo transfer process can be categorised according to their functions. Identifying the category of a system is important, as it dictates the requirements for that system. The IEC and ISO documents referenced in IGC Code 13.8 Automation systems provide valuable information and this document makes particular reference to IEC 60092-504[4] for design and testing of these safety systems. ###### 2.2 Independent and Fail-safe The key requirements for safety systems are that they are independent and fail-safe. Independent means that a failure in one part of the system will not affect the other. The degree of independence required will be determined by the Flag State but, typically, this need not extend to high-level power sources or conduit piping. The safety systems discussed in this document, such as the ESD system, vacuum protection and overflow control, provide a safety function and are required to be independent from control and monitoring or alarm functions. They are, typically, programmable logic controller (PLC) based systems and should comply with IGC Code 13.8 _Automation systems and IGC Code 13.9 System integration. The use of recognised standards IEC 15288[5] and_ _ISO 17894[6] is also recommended._ Fail-safe means that any failure will not lead to an unsafe condition. For example, fail-safe of the ESD system would stop the movement of cargo by stopping pumps, compressors and closing valves. ###### 2.3 System Availability ESD is an important safety system and it should always be active when there is any cargo on the ship. The ESD system should only be switched off for short periods of time for necessary maintenance. It may be inhibited temporarily for testing, but this should be for the minimum duration possible. If the design of a safety system or ESD system leads the operator to switch it off unintentionally or inappropriately then the reason for this should be thoroughly investigated. This should include whether the design of the system can be adjusted to reduce the risk of this occurring again. The ESD system should be designed to clearly indicate[7] when it is inhibited or switched off and it should not permit cargo transfer operations in these conditions. Cargo control systems should be designed to not permit cargo transfer operations unless the ESD system and ship shore link (SSL) are connected and active. The status of the ESD and SSL systems should be clearly visible in the cargo control room (CCR). Ship and terminal operators should ensure that all relevant safety systems, including ESD and SSL systems, are fully operational and active during cargo transfer operations. ###### 2.4 Alarm Management Lifecycle The requirements of the IGC Code are prescriptive in nature and the scope of the safety functions it covers may be sufficient for most gas carriers. However, for some designs of gas carriers, additional safety functions may be advisable. It is important to review the need for additional safety functions in a structured manner and follow 4 IEC 60092-504 – Electrical installations in ships – Part 504: Automation, control and instrumentation (Reference 2) 5 IEC 15288 – Systems and software engineering – System life cycle processes (Reference 3) 6 ISO 17894 – Ships and marine technology – Computer applications – General principles for the development and use of programmable electronic systems in marine applications (Reference 4) 7 Refer to SIGTTO – Recommendations for Management of Cargo Alarm Systems – 16. Critical Alarm and Action Panel (Reference 5) ----- ##### Key Safety System Philosophies industry standard best practice. Human factors should also be considered and potential dangers such as alarm _flooding[8] should be avoided._ Any change to the alarm system on the ship should be carried out using the principles of the alarm management lifecycle in IEC 62682[9]. Any changes to the alarm system should only be made by undergoing a documented process that involves a full hazard and operability (HAZOP) study and a management of change process. ###### 2.5 Maintenance and Testing Chapter 13 of the IGC Code requires automation systems to be designed, installed and tested in accordance with recognised standards, with particular reference to IEC 60092-504. This provides guidance on the requirements for documentation, maintenance and testing. Safety systems should be designed to ensure that it is practical to test all parts of the system. Operation and maintenance documentation should provide clear guidance on how to test the safety system and the required intervals for this to ensure that the safety system is maintained in operational condition. The IGC Code (18.6.2 and 18.10.5) requires cargo ESD and alarm systems to be tested before cargo transfer. This is typically carried out as part of pre-arrival tests, in the 24 hours before berthing. The SSL is tested after connection as part of pre-transfer tests. 8 Refer to SIGTTO – Recommendations for Management of Cargo Alarm Systems (Reference 5) 9 IEC 62682 – Management of alarm systems for the process industries (Reference 6) ----- ----- ## 3 ESD Systems ----- ----- ##### ESD Systems #### 3. ESD Systems ESD systems are safety systems that perform a critical function on a ship. This section provides a brief overview of IGC Code[10] requirements and gives recommendations for ESD systems, including testing. The ESD system refers to the entire system, including remotely operated valves (ESD valves) and the ESD system logic controller (ESD controller). ###### 3.1 IGC Code Requirements To understand the guidance in this document, it is recommended that the IGC Code requirements for ESD and related systems are read. For quick reference, notable current IGC Code requirements are listed in Annex 1. For ESD, the requirements are grouped under ESD system, ESD valves and ESD controller headings. ESD is a defined term in the IGC Code and should not be extended to cover every safety system that is used in an emergency. The IGC Code (5.5.1.2) states that: _“The ESD system is intended to return the cargo system to a safe static condition so that any remedial action can_ _be taken”._ It is important to understand that ESD systems and related safety systems are distinct. The requirements for ESD systems are typically found in IGC Code Chapters 5 and 18. Related systems are typically found in other IGC Code Chapters, such as Vacuum protection (Chapter 8), Overflow protection (Chapter 13) and Gas fuel (Chapter 18). Chapters 4 through to 7 in this document will address these systems, the ship shore link (SSL) and emergency release systems (ERS) in more detail. ###### 3.2 Recommendations for ESD Systems This section provides additional recommendations for and explanations of ESD systems. For related systems, see Chapters 4 through to 7. **3.2.1 ESD valves** ESD valves should be designed to close as quickly as possible, taking surge pressures into account. The IGC Code requires ESD valves to close within 30 seconds of actuation. This is measured from the time the pushbutton (eg as required by IGC Code 18.10.3.1) is pressed to activate ESD until the valve is fully closed. To allow for some design tolerance, the range of 25 to 30 seconds is practical for ship valves. Terminals should adjust valve timings with consideration for ship design limitations. When a ship is loading, terminal valves should close before ship valves to ensure that surge pressure is managed at the terminal side. Ships are generally not designed to withstand terminal surge pressures. If receiving terminals set their ERS valves to close faster than 5 seconds, this may cause unacceptable pressure surge on a ship that is discharging. For this reason, it is not recommended to set ERS valve closure timing at less than 5 seconds. Table 2 gives suggested valve timings for ship loading and discharge operations. For ship to ship transfers, both ships may keep their valve timing at between 25 to 30 seconds. 10 IMO – International Code for the Construction and Equipment of Ships Carrying Liquefied Gases in Bulk (Reference 1) ----- ##### ESD Systems |Col1|Ship ESD valves (seconds)|Terminal ESD valves (seconds)|Terminal ERS valves (seconds)| |---|---|---|---| |Ship loading|25 – 30|10 – 15|-| |Ship discharge|25 – 30|30 – 60|Minimum 5| **Table 2: Suggested valve timings** Although the IGC Code does not require ESD valves at the cargo tank for tanks 0.07 MPa and below, these are usually fitted in practice. Consequently, it is recommended to extend the IGC Code guidance and fit ESD valves on all liquid and vapour lines, even for tanks 0.07 MPa and below. It is useful to note that master gas valves (MGVs) are part of the gas burning safety system (GBSS), which is covered by the IGC Code in Chapter 16. Although an MGV is similar to an ESD valve, it is not an ESD valve and is not part of the ESD system. **3.2.2 Liquid detection in the vent system** On rare occasions, there is a possibility of cargo liquid presence in the vent system. This possibility is sufficiently serious to justify fitting additional liquid sensors to detect this event. As there is very low probability of liquid in the vent system, these sensors should not generate spurious activations. The design of the liquid sensors should prevent them from being overridden. The liquid sensors should trigger a full ESD on detection of liquid. See Initiator 4 – Liquid detection (cargo vent) in Table 3. These sensors should be placed in suitable locations in the vent system to detect the presence of liquid. The location of these sensors should be as close to the potential source as practicable. This will help to minimise the amount of liquid that escapes into the vent system. Multiple locations may need to be fitted with sensors to achieve this goal. These sensors should detect liquid directly, using a float type or equivalent method, and should not be based on temperature or gas detection. The system should be designed so that it does not activate when only cargo vapour is present. **3.2.3 ESD function overview** This section provides an overview of ESD systems. The primary functions of ESD are set by the IGC Code. The interface of ESD with related systems can be seen in Table 3. Analysis of credible scenarios helps to improve understanding of the necessary functions of a safety system. For example, as shown in Figure 2, fire detection in the cargo area would most likely be the result of loss of containment of flammable cargo. In this circumstance, a suitable system should lead to full shutdown of cargo transfer operations and any gas burning in the engine room. ----- ##### ESD Systems |Push-button (ESD – 18.10.3.1)|Liquid detection in cargo vent system| |---|---| |Col1|Col2|Col3|Col4|Col5|Col6|Col7|Col8| |---|---|---|---|---|---|---|---| ||||||||| |Cargo transfer is planned and monitored|||High-level alarm and operator action (13.3.1)|||Automatic actuate shutoff valve/ ESD (13.3.2)|| |Hydrocarbon (methane/ propane) Unignited release Push-button Liquid detection Loss of Overflow of (ESD – in cargo Gas detection containment cargo tank 18.10.3.1) vent system Cargo transfer High-level alarm Automatic actuate is planned and and operator shutoff valve/ Ignited monitored action (13.3.1) ESD (13.3.2) release Refer to Fire detection Fire protection unignited (ESD – (water spray release barriers 18.10.3.2) system – 11.3)|Col2|Col3|Col4|Col5| |---|---|---|---|---| |||||Unignited release| |||||| ||Gas detection|||| |||||| |||||Ignited release| ||Fire protection (water spray system – 11.3)|||| |||||| |Refer to unignited release barriers|Fire detection (ESD – 18.10.3.2)| |---|---| Loss of containment Overpressure Process piping failure Unignited release Cold spill Ignited release **Figure 2: Simplified bowties for loss of containment[11]** In the simplified bowties, it is clear that manual activation of ESD is a barrier on the right side (pushbutton 18.10.3.1). Barriers on the right are recovery barriers that are meant to mitigate the effects of the top event (loss of containment). The design of gas carriers incorporates manual ESD activation as an important aspect of the safety case. In the above scenario, loss of containment is the point when control of the process has been lost. It is important that personnel are trained to understand the exact point when control of the process has been lost and the importance of manual ESD activation. This can reduce any hesitancy to manually activate the ESD push-button to stop work in an emergency. When the cargo ESD is activated, it is recommended to follow the IGC Code principle and “return the cargo _system to a safe static condition”. There are four initiators shown in Figure 3, but additional initiators may be_ received from related systems, such as overflow control, vacuum protection and the GBSS. 11 IMO – International Code for the Construction and Equipment of Ships Carrying Liquefied Gases in Bulk (Reference 1) – references in bowtie Loss of containment Overflow of cargo tank Unignited release ----- ##### ESD Systems **Figure 3: ESD system function** Table 3 provides a summary of ESD and related system functions on an LNG carrier. Initiators from 1 to 6 are applicable to all gas carriers, including LPG carriers. Initiators 7 to 11 are dependent on the design of the ship. ----- ##### ESD Systems |Col1|Full shutdown (ESD + GBSS)|ü|ü|ü|ü|–|ü|ü|–|–|ü|–| |---|---|---|---|---|---|---|---|---|---|---|---|---| |Gas Burning Safety System (GBSS)|Valves (master gas)|ü|ü|ü|ü|–|ü|ü|ü|ü|ü|ü| ||Compressor (fuel mode)|ü|ü|ü|ü|–|ü|ü|ü|ü|ü|ü| ||Pumps (fuel mode)|ü|ü|ü|ü|–|ü|ü|ü|ü|ü|ü| |Emergency Shutdown System (ESD)|Compressor (reliq. mode)|ü|ü|ü|ü|–|ü|ü|–|–|ü|–| ||ESD link (to terminal)|ü|ü|ü|ü|ü|ü|ü|–|–|ü|–| ||Valves (tank)|ü|ü|ü|ü|ü|ü|ü|–|–|ü|–| ||Valves (manifold)|ü|ü|ü|ü|ü|ü|ü|–|–|ü|–| ||Compressor (cargo mode)|ü|ü|ü|ü|ü|ü|ü|–|–|ü|–| ||Pumps (cargo mode)|ü|ü|ü|ü|ü|ü|ü|–|–|ü|–| |Initiator||System failure (cargo ESD)|Push-button (ESD – 18.10.3.1)|Fire detection (cargo area)|Liquid detection (cargo vent)|ESD link (from terminal)|Overflow control (cargo tank)|Vacuum protection (cargo mode)|Master gas valve (receive shut signal)|Push-button (GBSS – 16.4.6/16.5.2.1)|Low suction pressure (fuel mode)|Fire detection (machinery area)| |||1|2|3|4|5|6|7|8|9|10|11| ----- ##### ESD Systems When using Table 3, it is useful to note the following: � _5 – ESD link (from terminal) does not trip the GBSS or reliquefication as the emergency is on the terminal_ � _7 – Vacuum protection (cargo mode) and 10 – Low suction pressure (fuel mode) can be the same_ protection on a membrane LNG carrier � _8 – Master gas valve (receive shut signal) refers to main valve and not individual consumers_ � _11 – Fire detection (machinery area) refers to the area that is not covered by 3 – Fire detection_ _(cargo area)._ ###### 3.3 Testing The IGC Code (18.6.2 and 18.10.5) requires cargo ESD and alarm systems to be tested before cargo transfer. This is typically carried out as part of pre-arrival tests, within 24 hours before berthing. The SSL (see Chapter 6) is tested after connection as part of pre-transfer tests. Not all ESD activation points need to be tested every time, as long as they are covered by a testing plan that covers the entire system within a specified time frame. This testing plan should form part of the ship’s planned maintenance routines. A formal system should be in place to demonstrate compliance with IGC Code 13.8.2 and IEC 60092-504 Chapter 12.2[13]. Manifold ESD valves should be tested as part of the pre-arrival test and after manifold connection as part of the _pre-transfer test. See Section 6.4 Ship Shore Link Testing for discussion of manifold valve testing._ ESD valves should close within 25 to 30 seconds of activation, ie the time a manual push-button is pressed. This is the most accurate method for testing, as the activation of an electrical point does not introduce any significant delay in the activation of the ESD system. Pneumatic systems are a useful part of the ESD system, but the nature of their design means that they are not the most straightforward activation point to test the ESD valve timing. This is because a variable delay is introduced in depressurising the system, so it is best to avoid this activation point for the purpose of checking the valve timing, where possible. Liquid detection in the vent system should be function tested as part of the pre-arrival test. At this stage, a visual inspection should be carried out for water or debris that may have accumulated in the sensing chamber. 13 IEC 60092-504 – Electrical installations in ships – Part 504: Automation, control and instrumentation (Reference 2) ----- ## 4 Overflow Control and Vacuum Protection ----- ----- ##### Vacuum Protection #### 4. Overflow Control and Vacuum Protection Overflow control and vacuum protection are safety systems that perform a critical function on a ship. This section provides a brief overview of IGC Code[14] requirements and gives recommendations for overflow control systems, including testing. ###### 4.1 IGC Code Requirements **4.1.1 Vacuum protection** Vacuum protection systems are required for certain cargo tank designs. These systems consist of two independent pressure switches that will send a signal to stop suction of liquid or vapour from the cargo tanks (IGC Code 8.3.1.1). This requirement is distinct from ESD systems, as it is contained in Chapter 8 of the IGC Code, Vent systems for _cargo containment. This is a system designed to protect the cargo tank from damage. The function of vacuum_ protection systems may also be achieved by activating the ESD system (IGC Code 18.10.4.1). Figure 4 shows vacuum protection options. Stop compressor (reliquefaction mode) Vacuum protection (cargo tank) Stop compressor (cargo mode) Stop pumps (cargo mode) Activate cargo ESD **Figure 4: Vacuum protection options** **4.1.2 Overflow control** Chapter 13 of the IGC Code requires overflow control to be provided for cargo tanks using two sensors that are both independent of the gauging system and of each other. For quick reference, notable requirements of the current IGC Code have been listed in Annex 1. Overflow control is an independent safety system, but it may use the ESD system to achieve its function, as shown in Figure 5. To prevent a cargo tank from becoming liquid full, it may use an ESD valve. It may also activate the ESD system for a full cargo shutdown to prevent excessive pressure in the loading line. Overflow control (cargo tank) Close valves (cargo tank) Activate cargo ESD **Figure 5: Overflow control options** 14 IMO – International Code for the Construction and Equipment of Ships Carrying Liquefied Gases in Bulk (Reference 1) ----- ##### Vacuum Protection The alarm required by IGC Code 13.3.1 provides a warning that the cargo tank is approaching a high level. As this sensor is independent of the gauging system, it can also serve to protect against level gauge failure. The sensor required by IGC Code 13.3.2 protects against overfilling caused by gauge failure, operator error or if the tank filling valve leaks after being shut. The section on overflow control also specifies verification, testing and interlock measures to reduce the risk of sensor failure. ###### 4.2 Recommendations for Overflow Control Although the IGC Code does not require overflow control for all types of cargo tanks, this is usually fitted in practice. Consequently, it is recommended to exceed the scope of the IGC Code guidance and fit overflow control for all cargo tanks, including any coolant tanks on deck. The layers of protection and the possible degradation factors can be seen in the highly simplified bowtie in Figure 6. If the high-level alarm (IGC Code 13.3.1) and automatic shutoff valve (IGC Code 13.3.2) are independent of the gauging system, and of each other, then they can fulfil the function of a barrier. By definition, a preventative barrier should be able to stop the threat independently. Overflow of cargo Hydrocarbon tank (methane/propane) Cargo transfer High-level alarm Automatic actuate is planned and and operator shutoff valve/ monitored action (13.3.1) ESD (13.3.2) Level alarm sensor fail Periodic proof Pre-operations Loss of test (13.3.5) testing (18.10.5) containment Level alarm sensor fail Periodic proof Pre-operations test (13.3.5) testing (18.10.5) Level alarm override on Interlock with Override is time manifold valve limited to maximum (18.1, Table – Note 4) 45 seconds **Figure 6: Simplified bowtie showing overflow threat[15]** Failure of the overflow control system is shown as escalation factors and these are mitigated by pre-arrival testing and periodic proof testing. Overflow control is an independent safety system, but it can make use of parts of the ESD system to achieve its function. For example, the shutoff valve on the cargo tank could be a dedicated valve for overflow control. However, if there is already an ESD valve at the cargo tank, then the overflow control can use this valve to achieve the function and operate the valve individually (ie without activating a full ESD). 15 IMO – International Code for the Construction and Equipment of Ships Carrying Liquefied Gases in Bulk (Reference 1) – references in bowtie |Overflow of cargo tank|Col2|Col3|Col4|Col5|Col6|Col7| |---|---|---|---|---|---|---| |||||||| |High-level alarm and operator action (13.3.1)|Automatic actuate shutoff valve/ ESD (13.3.2)| |---|---| Loss of containment Level alarm override on Level alarm sensor fail ----- ##### Vacuum Protection To prevent excessive surge pressure, the automatic shutoff sensor (IGC Code 13.3.2) may activate the ESD system and cause a full cargo shutdown. This will also shut the relevant equipment in the terminal down via the SSL. See Initiator 6 – Overflow control (cargo tank) in Table 3. Overflow systems can be activated by liquid movement in the tanks at sea, so the system may need to incorporate an override function. This override function introduces a failure mode to the overflow control system. Protection against this failure mode should be considered in the design (IGC Code 13.3.7). The system should be designed to clearly indicate[16] when the overflow control system is inhibited or switched off. It should not be possible to undertake cargo transfer operations during this condition. Where possible, the override system should be designed so that it cannot be switched off completely. A time delay should be set so that the overflow control will not activate at sea. The time delay will be unique to the ship’s rolling period and should not normally exceed 45 seconds. This time delay should be kept to a minimum and the assumptions used in the calculation should be provided in the overflow control system documentation. The status of the overflow control should be clearly visible in the cargo control room (CCR). Ship and terminal operators should ensure that all safety systems, including overflow control and vacuum protection systems, are fully operational and active during cargo transfer operations. ###### 4.3 Testing of Overflow Control The IGC Code has specific requirements for testing overflow control systems. A function test (IGC Code 13.3.6) should be carried out prior to cargo operations. This may be carried out as per the manufacturer’s instructions for a function test during the pre-arrival test. A proof test is a periodic test that is carried out to detect dangerous hidden faults in a safety system. The overflow control system should be proof tested (IGC Code 13.3.5) by raising the cargo liquid level at specified intervals. The cargo operational manual (IGC Code 18.2) should include a description of the procedure to test the high-level alarm (IGC Code 13.3.5) in a safe and controlled manner. Overflow control systems are typically based on a float, ultrasonic or radar design. For overflow control that is activated by a float-type sensor, failures caused by a damaged or punctured float can be identified by a proof test (IGC Code 13.3.5). This type of test is the actual scenario that the overflow control system is designed to protect against, so it also works for radar systems. Any alternate means of testing should clearly demonstrate how it is equivalent to a proof test. It should document how it addresses the possible failure modes that are specific to the system design. This alternate means of testing should be documented and would, typically, require Flag State approval. 16 Refer to SIGTTO – Recommendations for Management of Cargo Alarm Systems – 16. Critical Alarm and Action Panel (Reference 5) ----- ----- ## 5 Gas Burning Safety System ----- ----- ##### Gas Burning Safety System #### 5. Gas Burning Safety System The gas burning safety system (GBSS) performs a critical function. It is not part of the cargo system but, because it interfaces with the cargo ESD system, it is discussed here for completeness. This section does not provide recommendations on the GBSS, but it offers explanations to support understanding of ESD. ###### 5.1 IGC Code Requirements Chapter 16 of the IGC Code[17] dictates the safety systems for the use of cargo as a fuel. For quick reference, notable requirements of the current IGC Code have been listed in Annex 1. The GBSS refers to the entire system, including the master gas valve (MGV) and individual gas consumer isolation, and trips for rotating and fuel supply equipment. Chapter 16 specifies the initiators that would cause an MGV to shut. This may be for an individual gas consumer or for the entire fuel gas system, depending on the ship design. The initiators are shown in Figure 7. MGV actuation failure Leak detection Loss of inert gas pressure Loss of ventilation Gas detection Shut master gas valve (MGV) Boiler safety Internal combustion engine safety Gas turbine safety Push-button (MGV close) **Figure 7: Initiators causing MGV to shut** Chapter 16 of the IGC Code also specifies that push-buttons should be fitted to stop pumps and compressors that are used in the fuel gas system, as shown in Figure 8. 17 IMO – International Code for the Construction and Equipment of Ships Carrying Liquefied Gases in Bulk (Reference 1) ----- ##### Gas Burning Safety System |Push-button (fuel mode)|Col2| |---|---| **Figure 8: Push-button activation** Chapter 16 requires pumps and compressors that are used in the fuel gas system to stop on low suction pressure and fire detection in the engine room (Figure 9). Low suction pressure (fuel mode) Stop pumps (fuel mode) Fire detection (engine room) Stop compressor (fuel mode) **Figure 9: Low suction pressure and fire detection in engine room** ###### 5.2 Explanation of the GBSS and ESD Interface In practice, the initiators for shutting an MGV and stopping pumps and compressors result in the activation of the GBSS, which may also activate cargo ESD. This is shown in Figure 10. See Initiator 10 – Low suction _pressure (fuel mode) in Table 3._ Shut MGV Gas burning safety system (GBSS) Stop pumps (fuel mode) Stop compressor (fuel mode) Cargo ESD **Figure 10: GBSS activation** _Initiator 7 – Vacuum protection (cargo mode) and Initiator 10 – Low suction pressure (fuel mode) may be one_ and the same protection on a membrane LNG carrier. Therefore, depending on the ship design, this may have the effect of a full ESD. The IGC Code 18.10 states that the cargo ESD system need not apply to gas fuel compressors or pumps. This is practical if the emergency is at the terminal and the ESD signal is received via the link. For most serious situations on the cargo deck that would initiate a full ESD, such as fire in the compressor room or cargo tank overflow, it is safer to stop all cargo and vapour flow. Stopping the flow of liquid and vapour in an emergency is a key safety feature of the ESD system. ----- ##### Gas Burning Safety System Figures 11 and 12 show how the barriers are located on a highly simplified bowtie example. The design and routeing of the piping to the consumer in the engine room is according to requirements of the IGC Code. Hydrocarbon – LNG as fuel Gas leak in engine room Piping failure Pipe design for high Pipe and ducting Piping routeing (16.4.1) pressure failure (16.4.4) construction (16.4.7) **Figure 11: Simplified bowtie showing piping failure threat[18]** The areas for fire detection (within the scope of IGC Code 16.5.2.2) can be considered as distinct from the areas already covered by ESD (IGC Code 18.10.1.3 and 18.10.3.2). The cargo deck area will cause a full shutdown if there is fire detected on deck. The fire detected in the engine room may activate the GBSS or cause a full ESD, depending on the ship design. Hydrocarbon – LNG as fuel Unignited release Push-button (shut Double wall (with Leak detection Gas detection (16.3.2/ Gas leak in 16.4.6.2.1/16.4.8) MGV – 16.4.6.2.2 inert gas) or duct (16.4.2/16.4.6.2.1/ engine room /16.4.6.3.2) (with ventilation) 16.4.6.3.1) (16.4.3) Fire in engine room Automatic fuel supply Push-button (manual stop on fire detection stop – 16.5.2.1) (16.5.2.2) **Figure 12: Simplified bowtie showing gas leak in engine room consequence[19]19** The ship design should allow the ESD system to be tested without disrupting gas burning in the engine room. When this inhibitor is active, the indication should be clearly visible in the CCR. 18, 19 IMO – International Code for the Construction and Equipment of Ships Carrying Liquefied Gases in Bulk (Reference 1) – references in bowtie Gas leak in engine room Piping failure Unignited release ----- ----- ## 6 Ship Shore Link ----- ----- ##### Ship Shore Link #### 6. Ship Shore Link The purpose of the ship shore link (SSL) is to mitigate the consequences of an emergency by allowing either party to stop cargo[20] transfer in a safe manner. This section provides a brief overview of IGC Code[21] requirements and gives recommendations for the SSL, including testing. ###### 6.1 IGC Code Requirements The IGC Code (18.10.1.4) requires the ship’s ESD system to incorporate an SSL. The SSL extends the functionality of the ESD system by linking the ship and terminal. The SSL helps to prevent surge pressure from damaging the piping system. It also reduces the amount of cargo that is lost from its containment by reducing the time taken to stop pumps and shut valves. Stop compressor (cargo mode) Stop pumps (cargo mode) Receive ESD signal (from terminal) Send ESD signal (to terminal) Close valves (cargo manifold) Close valves (cargo tank) |Receive ESD signal (from ter minal)|Col2| |---|---| ||| ||| ||| **Figure 13: Ship shore link** ###### 6.2 Recommendations When an ESD occurs on a ship or terminal, the SSL sends a signal via the link. The received signal should initiate the shut down of the relevant parts of the cargo transfer system. When a ship or terminal receives an ESD signal, it is recommended that the signal is sent back. This will help detection of failures in the SSL. It is strongly recommended that all liquefied gas transfers are carried out with an SSL connected. The SSL adds significant safety improvement compared to cargo transfer operations carried out without a link or with an ESD pendant. All gas carriers that fall under the IGC Code, and terminals that are designed to receive them, are recommended to ensure that cargo transfers are carried out using linked ESD systems. It is also recommended that all ship to ship transfer operations use linked ESD systems. 20 For LNG bunkering, see SGMF – Recommendations for linked emergency shutdown (ESD) arrangements for LNG bunkering (Reference 7) 21 IMO – International Code for the Construction and Equipment of Ships Carrying Liquefied Gases in Bulk (Reference 1) ----- ##### Ship Shore Link Although ESD pendants provide some additional measure of safety for LPG transfers, it is recommended that linked systems are fitted and used as they provide faster response times and avoid the need for personnel to approach the cargo transfer area. The ESD system may be activated by personnel in response to an emergency situation on their asset or to an emergency situation nearby that directly affects their asset. Personnel should be trained and given clear instructions on when they can activate ESD if the emergency situation is not on their asset. ###### 6.3 Compatibility It is recommended that the ship owner fits the appropriate systems for the ship’s trading pattern. See Annex 2 for a brief overview of the types of link system that are typically used in the industry. Table 4 provides guidance on the types of ESD link suggested for LNG and LPG carriers. These may not be suitable in every case and the owner will need to ensure that they choose the best ESD link for their particular ship. Some terminals use backup SSL systems, such as pneumatic links, which are not covered in this table. **Type of ESD link** **Typically used for LNG** **Typically used for LPG** Fibre optic 6 pin  Electric 37 pin  Electric 6 pin   Electric 5 pin   **Table 4: Suggested ESD links for LNG and LPG carriers** For example, an LPG carrier that is trading worldwide may find maximum benefit from fitting both Electric 6 pin and Electric 5 pin. The use of an ESD pendant is no longer recommended. Terminals may fit the systems that are suitable for the types of ships that call at their facility. It is recommended that terminals fit suitable links to ensure that all ships are able to connect to the terminal system. For example, as a minimum, LPG terminals may fit Electric 5 pin or Electric 6 pin, or both. ###### 6.4 Ship Shore Link Testing The SSL should be inspected and tested as part of the pre-arrival test and after manifold connection as part of the pre-transfer test. For the pre-transfer test, the SSL is tested after connection to check that the link is communicating properly. ESD should be activated once from the ship and once from the terminal, to check that the signal is transmitted in both directions. During one of the tests, the manifold valve can be left open to check that it closes within 25 to 30 seconds. It is considered more efficient and acceptable to carry out most of the testing of push-buttons, high-level alarms and other ESD triggers during pre-arrival testing. It is considered preferable for pre-transfer testing to be limited to SSL testing and the manifold ESD valve timing check. |Type of ESD link|Typically used for LNG|Typically used for LPG| |---|---|---| |Fibre optic 6 pin||-| |Electric 37 pin||-| |Electric 6 pin||| |Electric 5 pin||| ----- ##### Ship Shore Link The SSL test should be carried out before any cargo transfer or cooldown operations begin. There is no need to carry out another ESD test in the cold condition. This historic practice started as a result of a certain valve design that could get stuck once it was cooled down. For modern valves, this issue has not been observed. If considered necessary for the manifold valves, an operation check can be carried out after cooldown to ensure that they are moving properly. This cold valve test should not interfere with any jetty boil-off recovery operations, so where such systems are in operation, the vapour valve operation check may be omitted. The system may be designed with the option to test the ESD link without tripping the GBSS. If so, it may be safer to provide the inhibit function with a timer that automatically resets after a suitable period. ----- ----- ## 7 Emergency Release Systems ----- ----- ##### Emergency Release Systems #### 7. Emergency Release Systems The function of an emergency release system (ERS) is to protect the cargo transfer system and marine loading arm (MLA) and minimise spillage of liquefied gas through quick disconnection if a ship drifts out of its operating envelope. The ERS is not part of the ESD system, but because it interfaces with the terminal and ship ESD systems, it is discussed in this chapter. This document does not provide recommendations for the ERS other than valve closure timing. Figure 14 shows an operating envelope, shutdown envelope and disconnection envelope of an MLA. **Figure 14: MLA safety envelope** ###### 7.1 Design and Construction Standards MLAs are typically designed, constructed and tested using the following two key publications: 1. _Design and Construction Specification for Marine Loading Arms (Reference 8)._ 2. _ISO 16904 – Design and testing of LNG marine transfer arms for conventional onshore terminals_ (Reference 9). To better understand the discussion in this document, it is recommended that the above publications are read. ----- ##### Emergency Release Systems ###### 7.2 Explanation of ERS and ESD Interface The ERS is typically used for liquefied gas duties, but not all MLAs come fitted with one. This discussion is not relevant to MLAs that do not have an ERS fitted. The layers of protection and the possible degradation factors can be seen in the highly simplified bowties in Figures 15 to 17. The example selected is a threat from adverse weather and the consequence is structural damage to the loading arm. Natural environment/ weather conditions Adverse weather (wind and sea state) Structural damage to loading arm Mooring equipment failure Loss of position Structural damage to jetty Passing ship surge effect **Figure 15: Simplified bowtie for loss of position** Natural environment/ weather conditions Adverse weather Loss of position (wind and sea state) Protective location of Terminal operating Monitor weather terminal jetty weather limits forecasts **Figure 16: Simplified bowtie showing adverse weather threat** Loss of position Adverse weather (wind and sea state) Passing ship surge effect Structural damage to jetty ----- ##### Emergency Release Systems The ERS will trigger an emergency shutdown when the MLA moves into the shutdown area. This causes the following to happen without delay: 1. ERS sends a signal to terminal ESD system. 2. Terminal ESD system is activated. 3. Terminal sends signal to ship (via ESD link). 4. Ship ESD system activates. |Col1|Structural damage to loading arm| |---|---| Loss of position Structural damage to loading arm ESD stops transfer on ship and terminal (18.10.1.4) ERS valve timing not less than 5 seconds ESD valves designed to limit surge (5.5.1.2/ 18.10.1.1) |Col1|Process piping damage due to surge effect| |---|---| Process piping damage due to surge effect **Figure 17: Simplified bowtie showing structural damage to loading arm consequence[22]** When the MLA moves into the disconnection area, the ERS will trigger an emergency release signal. This will cause the following to happen: 1. ERS sends a signal to terminal ESD system. 2. Terminal ESD system is activated. 3. Terminal sends signal to ship (via ESD link). 4. Ship ESD system activates. 5. ERS valves close (eg within 5 to 10 seconds). 6. Emergency release coupler (ERC) releases within 2 seconds. 7. MLA retracts under power. The time allocated for ERS valves to close is dependent on the terminal design and is not necessarily fixed at 5 to 10 seconds. For receiving terminals, setting a value for ERS valves below 5 seconds may cause unacceptable pressure surge on a discharging ship. For this reason, it is not recommended to set the ERS valves to close faster than 5 seconds. 22 IMO – International Code for the Construction and Equipment of Ships Carrying Liquefied Gases in Bulk (Reference 1) – references in bowtie ----- ----- ## Annexes ----- ----- ##### Annexes #### Annex 1 – IGC Code References This section provides a summary of ESD and related references in the IGC Code (2016 Edition)[23]. ESD systems on liquefied gas carriers should be designed to meet the requirements of the IGC Code found in Chapters 5 and 18. Other sections of the IGC Code that are relevant for this discussion on ESD systems are: � Chapter 8 – Vacuum protection � Chapter 11 – Water spray � Chapter 13 – Overflow control, Gas detection, Automation � Chapter 16 – Gas fuel � Chapter 17 – Special requirements. ###### Overview of ESD Requirements in the IGC Code The ESD system includes the remote operated valves (ESD valves) and the ESD system logic controller (ESD controller). Notable requirements are listed below with the IGC Code reference in brackets. **ESD system** � Cargo operation manual to provide information on ESD system (18.2.2.9) � fit ESD valves as appropriate to stop cargo flow or leakage in an emergency (5.5.1.2/18.10.1.1) � design should avoid surge pressure in cargo pipework (5.5.1.2/18.10.1.1) � initiations not in Table 18.1 should prove that they do not reduce integrity and reliability of the system (18.10.1.3) � fit a ship shore link (18.10.1.4) � provide a flow chart of functions in CCR and navigation bridge (18.10.1.5) � handle trapped liquid (18.10.2.1.2) � test before cargo transfer (18.10.5/18.6.2) � minimum is manual activation (18.10.3.1) � automatic activation on fire in cargo area (18.10.3.2) � allow testing of overflow control (18.10.3.4). **ESD valve** � Defined as any valve operated by ESD system (18.10.2.1.1) � fail closed on loss of actuating pressure (18.10.2.1.2) � indicate actual valve position (18.10.2.1.2) � capable of local manual closure (18.10.2.1.2) � remote operated valve (5.5.1.2/18.10.2.1.2) � required at manifold (5.5.1.2/18.10.2.2) 23 IMO – International Code for the Construction and Equipment of Ships Carrying Liquefied Gases in Bulk (Reference 1) ----- ##### Annexes � required for manifold liquid and vapour (5.5.3.1) � required for liquid and vapour at cargo tank if maximum allowable relief valve setting (MARV) > 0.07 MPa (5.5.2.2) � liquid valves close within 30 seconds (18.10.2.1.3) � ESD valve timing – when used as shutoff valve for overflow control (13.3.2/18.10.2.1.4). **ESD controller** Input signals: � ESD push-button activated (18.10.3.1/18.10.1.3) � fire detection in cargo area or cargo machinery (18.10.1.3/18.10.3.2) � cargo tank low pressure (18.10.4.1) � overflow control (18.10.1.3/18.10.4.2) � signal from terminal (18.10.1.3) � loss of actuating power for ESD valves (18.10.1.3) � loss of electrical power to controller (18.10.1.3) � level alarm override (18.10.1.3). Output signals: � Shut ESD valves (5.5.1.2/18.10.1.3) � trip cargo pumps (5.5.1.2/18.10.1.3/18.10.3.3) � trip cargo compressor systems (5.5.1.2/18.10.1.2/18.10.1.3/18.10.3.3) � send ESD signal to terminal (18.10.1.3) � start water spray – ethylene oxide (17.14.10). ###### IGC Code Chapter 8 – Vacuum protection � Two independent pressure switches stop suction of liquid or vapour from the cargo tanks (8.3.1.1) � may also be handled by the ESD system (18.10.4.1). ###### IGC Code Chapter 11 – Water spray � ESD valves (and master gas valves) to be protected with a water spray system (11.3.1.5) � automatic activation for ethylene oxide (17.14.10). ----- ##### Annexes ###### IGC Code Chapter 13 – Overflow control, Gas detection, Automation **Overflow control** Overflow control should be provided for certain cargo tanks using two independent sensors that are independent of the gauging system and of each other. They also have the following IGC Code requirements: � Independent sensor to activate a high-level alarm (13.3.1) � independent sensor to actuate a liquid shutoff valve (13.3.2) � should avoid surge pressure (13.3.2) � the liquid shutoff valve may be a separate valve or ESD valve (13.3.3). **Gas detection** � Gas detection may activate safety systems as required by Chapter 16 – Gas fuel (13.6.17). ###### IGC Code Chapter 16 – Gas fuel The gas fuel safety functions described in this section may interface with the ESD system. The individual gas consumer isolation valve is part of an automatic, double block and bleed system which should fail closed on loss of actuating power (16.4.5). This valve is normally located in the gas valve room. Master gas valve (MGV) refers to a specific valve located in the cargo area (16.4.6.1). This valve will shut automatically due to the following IGC Code requirements: � Leak detection (16.4.2/16.4.6.2.1.2/16.4.6.2.1.3/16.4.6.3.1.1/16.4.6.3.1.2) � loss of inert gas pressure (16.4.3.1) � loss of ventilation (16.4.3.2/16.4.6.2.1.4/16.4.6.2.1.5/16.4.6.3.1.3) � gas detection – 60% lower flammable limit (LFL) (16.4.6.2.1.1/16.4.8) � boiler safety (16.6.3) � internal combustion engine safety (16.7.3) � gas turbine safety (16.8.3). Manual push-buttons should be provided to shut the MGV from inside the space and from one remote location (16.4.6.2.2/16.4.6.3.2). Rotating equipment (16.5.2.1) used for cargo conditioning for use as fuel should be stopped by a manual remote stop from the following locations: � Engine room � cargo control room � navigation bridge � fire control station. Fuel supply equipment (16.5.2.2) should be automatically stopped due to: � Low suction pressure � fire detection. ----- ##### Annexes #### Annex 2 – Ship Shore Link Systems ###### 6 Pin Fibre Optic This type of connector, shown in Figure A1, is commonly used in LNG applications. Table A1 shows the pin configuration for this connector. **Figure A1: 6 pin fibre optic connector** **Core** **Direction** **Analogue configuration** **Digital configuration** 1 Ship to shore 4-Channel multiplex data 2 Shore to ship 3 Ship to shore LNG ESD (5kHz Trip,10kHz Healthy+/-10%) 4 Shore to ship 5 Ship to shore - Digital signal 6 Shore to ship - Digital signal **Table A1: Pin configuration for a fibre optic connector** Key points to note for this connector are: � The fibre should be 50/125µm multimode fibre only � excessive joints in cable runs or dirty connections add to optical losses which can degrade the signal path � although V.23 is the modem standard, in practice off the shelf (OTS) V.23 modems may not be directly compatible and may require additional configuration. The new modems need to be compatible with the existing old ones � public and plant telephones are analogue telephone exchange lines connected at the shore side, with analogue telephone handsets connected on board the ship � _hotphone refers to a DC signalling phone system compatible with the original Iwatsu TS3 standard_ � a digital ship shore link (SSL) via SONET initially allows for a direct repeat of the functionality as interfaced over the original four cores. In enhanced installations, such as floating storage and regasification units (FSRUs), compressed natural gas (CNG) ESD, additional telephony and process data can be transferred via these cores |Core|Direction|Analogue configuration|Digital configuration| |---|---|---|---| |1|Ship to shore|4-Channel multiplex data|-| |2|Shore to ship||-| |3|Ship to shore|LNG ESD (5kHz Trip,10kHz Healthy+/-10%)|-| |4|Shore to ship||-| |5|Ship to shore|-|Digital signal| |6|Shore to ship|-|Digital signal| ----- ##### Annexes � when carrying out ship to ship (STS) operations, a cross-over umbilical cable will be required to cross the transmit and receive cores. Without other major configuration changes, in STS mode, only ESD signals will work � for FSRU operations, the connections are configured similarly to a terminal and all channels typically work. ###### 37 Pin Electric This type of connector, shown in Figure A2, is commonly used in LNG applications. 1 2 37 3 **Figure A2: 37 pin electric connector** The model in use in SSLs has 37 electrical contacts, of which 36 are usually electrically connected via an umbilical cable. The convention used is that any LNG transfer practice should follow the standard pinout configuration. In the case of a floating storage unit (FSU) or a floating storage and regasification unit (FSRU), all the liquid transfer shutdown signals will be via the pairs 13/14 and 15/16. Any additional signals required by the application, such as CNG ESD in an FSRU, should use the alternate ESD pins, as used in the majority of FSRU installations to date. Details to note for this connector are: � Flameproof connectors are the main hazardous area protection � public and plant telephones are analogue telephone exchange lines connected at the shore side and analogue telephone handsets are connected on board the ship � _hotphone refers to a DC signaling phone system compatible with the original Iwatsu TS3 standard. In_ some cases, a lift to ring phone may be used in electric mode. When the handset is lifted in this mode, the counterpart phone rings automatically, via a lift to ring exchange generator installed on the shore. Although hotphone mode is considered the primary mode, the mode of operation should be confirmed � a continuity link is a feature used as a ‘connected’ confirmation signal to allow voltage to be applied to shore supplied telephony signals. In case an umbilical cable breaks, the continuity function will detect the loss of signal and isolate the telephone voltages at the source. Two pairs are defined, but only one pair is required to be in place. This is a legacy of older systems � mooring line monitoring (MLM) data should be compatible with the legacy MTL3058 signal converter protocols to maintain compatibility 1 2 37 3 ----- ##### Annexes � when carrying out STS operations, one ship will have to reconfigure itself to a pseudo shore system and reverse the ESD pin pairs, without other major configuration changes. In STS mode, only ESD and hotphone signals will work � to assist with connector mating, it is important to identify the larger internal key profile to allow alignment with the counterpart. Table A2 shows the pin configurations for a 37 pin electric connector. |Col1|LNG Carrier|Col3|FSRU|Col5| |---|---|---|---|---| |Pin|Function|Alternate function/notes|Function|Alternate function/notes| |1|NOT USED|Legacy signal|NOT USED|-| |2|||-|-| |3|NOT USED|Legacy signal|NOT USED|-| |4|||-|-| |5|Hotphone|Legacy signal/can be used in DC signal hotphone mode or lift to ring (private line) mode|Hotphone|DC signal hotphone mode only| |6|||-|-| |7|Public phone|Telephone handset is fitted on the LNG carrier (LNGC)|Public phone|-| |8|||-|-| |9|Plant phone|Telephone handset is fitted on the LNGC|Plant phone|-| |10|||-|-| |11|NOT USED|Legacy signal|NOT USED|-| |12|||-|-| |13|Shore to ship ESD|Volt-free contact on shore – closed when healthy|Shore to ship ESD (LNG)|Or FSRU to LNGC ESD (LNG)| |14|||-|-| |15|Ship to shore ESD|Volt-free contact on ship – closed when healthy|Ship to shore ESD (LNG)|Or LNGC to FSRU ESD (LNG)| |16|||-|-| |17|Continuity link|Hard wired volt-free contact on ship – closed when healthy|Continuity link|-| |18|||-|-| |19|Continuity link|Hard wired volt-free contact on ship – closed when healthy|Continuity link|-| |20|||-|-| |21|NOT USED|Legacy signal|NOT USED|-| |22|||-|-| |23|NOT USED|Legacy signal|NOT USED|-| |24|||-|-| ----- ##### Annexes |25|NOT USED|Legacy signal|Shore to FSRU ESD (CNG)|-| |---|---|---|---|---| |26|||-|-| |27|NOT USED|Legacy signal|FSRU to shore ESD (CNG)|-| |28|||-|-| |29|Shore test voltage|29 = +24vDC 30 = 0V|Shore test voltage|29 = +24vDC 30 = 0V| |30|||-|-| |31|MLM|31 = 0V common reference 32 = Receive on ship (transmit from shore) 33 = Transmit from ship (receive on shore)|MLM|31 = 0V common reference 32 = Receive on ship (transmit from shore) 33 = Transmit from ship (receive on shore)| |32|||-|-| |33|||-|-| |34|NOT USED|-|NOT USED|-| |35|Ship test voltage|35 = 0V 36 = +24VDC|Ship test voltage|35 = 0V 36 = +24VDC| |36|||-|-| |37|NOT USED|-|NOT USED|-| **Table A2: Pin configurations for a 37 pin electric connector** ----- ##### Annexes ###### 6 Pin Electric This type of connector, shown in Figure A3, is used in LPG and LNG applications. The model in use in SSLs has six electrical contacts with two connectors used, of which all six cores are usually electrically connected via an umbilical cable. **Figure A3: 6 pin electric connector** Details to note: � Flameproof connectors are the main hazardous area protection � the connectors’ original design purpose was for internal use in non-LNG markets, so they require protection from the environment when deck-mounted � public and plant telephones are analogue telephone exchange lines connected at the shore side and analogue telephone handsets are connected on board the ship � _hotphone refers to a DC signalling phone system compatible with the original Iwatsu TS3 standard. In_ 6 pin electric connections, a lift to ring phone is typically used. When the handset is lifted, the counterpart phone rings automatically via a lift to ring exchange generator installed on the shore. The mode of operation should be confirmed � some connectors have pin 6 connected to the chassis earth (connector manufacturer delivery condition). These should be removed to prevent inadvertent earth connections between ship and shore. The configuration shown in Table A3 is typical, but it is important to note that some Japanese terminals use other configurations. **ESD Connecter** **Pin** **Telephone Connecter** 1 ESD ship shore Hotphone 2 3 ESD shore ship Plant telephone 4 - 5 Public telephone - 6 **Table A3: Pin configurations for a 6 pin electric connector** |ESD Connecter|Pin|Telephone Connecter| |---|---|---| |ESD ship shore|1|Hotphone| ||2|| |ESD shore ship|3|Plant telephone| ||4|| |-|5|Public telephone| |-|6|| ----- ##### Annexes ###### 5 Pin Electric This type of connector, shown in Figure A4, is commonly used in LPG applications. 3 N 2 1 N 3 1 2 **Figure A4: Pin designation in 5 pin electric connector** The ship shore electrical umbilical cable is made of twisted pairs of wires without armour or screen. This avoids the hazard of a potentially incendive spark if the insulating sheath is cut by an earthed object on the jetty. The pin designations are given in Table A4. **1** + Intrinsically safe circuit, nominal 24v DC, 20mA **2** – Intrinsically safe circuit, nominal 24v DC, 20mA **3** + Spare **N** – Spare **E** Not connected **Table A4: Pin configurations for a 5 pin electric connector** It should be noted that some old 5 pin links have reversed polarity (1 = - and 2 = +), and it is recommended that compatibility is always verified. Figures A5 and A6 give further information on the male and female connectors. As only two of the five pins in the international connector are required for the ESD function, a pair of spare cores could be made available for other functions while still allowing compatibility with existing installations. As intrinsically-safe multiplexers are readily available, it may be feasible to use this technology to pass a variety of data signals via the unused spare. The fibre optic system uses a four-channel multiplexer for telephones and for exchange of mooring tension data. As intrinsically-safe multiplexers with up to 64 channels are already in use in the gas industry, the potential exists to expand the use of the 5 pin link for telephony and data transfer, via an agreed protocol. |1|+|Intrinsically safe circuit, nominal 24v DC, 20mA| |---|---|---| |2|–|Intrinsically safe circuit, nominal 24v DC, 20mA| |3|+|Spare| |N|–|Spare| |E||Not connected| N 3 1 2 3 N 2 1 ----- ##### Annexes Free movement of mating part Note: The retaining ring and locknut are not part of the interface specification. ø33.0 ø38.0 ø32.0 ø32.0 2.70 2.70 2.70 90.0° 45.0° 150.0° 4.90 2.70 2.70 2.70 104.0° 52.0° 137.0° 5 off male solid 2.4 mm O/D PIN on 11.1 mm PCD 2 start acme-2g style thread major DIA-1½”, pitch ½” Note-IP sealing arrangement show for example O-ring sealing 5 off female 2.45 mm I/D socket with split spring contact 15.0 3.5 2.8 5.25 2.90 2.90 2.90 104.0° 52.0° 45.0° 137.0° ø21.5 ø20.0 ø23.3 Minimum IP rating: IP67 Operable temperature range: 40° C < Ta < +60° C 2.90 2.90 90.0° 150.0° |Dimension Tolerances|Col2|Col3|5-way connector pin designations|Col5|Col6| |---|---|---|---|---|---| |Linear|0.00 +0.0|5 –0.05|1|+|Intrinsically safe circuit, nominal 24v dc, up to 20mA Healthy, <4mA ESD| |Linear|0.0 +0.1|–0.1|2|–|Intrinsically safe circuit, nominal 24v dc, up to 20mA Healthy, <4mA ESD| |Angular|0.0 +0.1°|–0.1°|3|+|Spare (used for pendant system when switched on)| |Angular|0 +1°|–1°|N|–|Spare (used for pendant system when switched on)| |All other tolerances as drawing|||E||Not connected| |Dimensio|n unit mm||||| **Figure A5: Example of recommended 5 pin twist connector interface arrangement: male and female connectors** Male Contact Pin Typical pin and socket arrangement shown – alternate designs must be compatible Pin and Socket Description-Connector Pin and Socket Material-Copper (KS D 5101) Gold Plated Spring Description-Pin Retaining Spring 4.80 [0.00] -0.05 2.50 ± 0.01 ø3.4 R1.0 Female Contact Pin 6.0 17.0 4.7 1.2 4.5 ø3.3 ø3.6 ø2.40 ± 0.01 18.9 Spring Pin Retainer 2.0 1.0 0.80 ± 0.01 |± 0.01|17.0 4.7|Col3| |---|---|---| |||| |||| ||6.4|| 1.4 |Tolerance|Dim ± 0.1|ension Units|mm| |---|---|---|---| **Figure A6: Example of recommended 5 pin twist connector interface arrangement: male and female contact details** ----- ##### Annexes ###### Pneumatic Connections The earliest SSLs used in LNG projects were simple pneumatic umbilical links, comprised of an air hose coupled directly into the ship’s air security system. Such systems are inherently slow in operation and suffer from problems caused by dirt or moisture. It is difficult, if not impossible, to achieve accurate and repeatable timing. These drawbacks have led to the development of electronic ESD systems with fibre optic or various intrinsicallysafe electric systems providing the SSL. In the majority of terminals, pneumatic links are now only provided as a backup in the event of failure of the main optical fibre or electrical link. A typical system is shown in Figure A7. Pressure switch Air regulator Solenoid operated Needle dump valve valve Hose coupling Pressure gauge Test valve **Figure A7: Typical pneumatic link** At least two types of connector are in use, but the most common is the standard ½” MIL-C-51234 quick connector. The connector type can vary, so this should be clarified during the compatibility review. ###### Cyber Security Organisations should review their ESD systems to check for cyber security risks. Information on the hardware architecture should be passed on to cyber security experts. Even if the ship sends data from their side, the risk is mitigated if the information terminates in an analogue box. This section aims to provide cyber security specialists with relevant information. It will summarise the type of information that may be sent over typical ESD links into analogue and digital signals. As digital signals are typically the area of concern for cyber security, more detail is provided on these types of transmission. **Fibre optic 6 pin** There are two types of configurations typically found for this 6-core fibre optic connector. One configuration uses cores 1 to 4 and the other uses cores 5 to 6. ----- ##### Annexes **Cores 1 to 4** This configuration uses two fibre optic cores for ESD transmission and two fibre optic cores for telecommunication transmission. The two cores that are used for ESD transmission carry an analogue signal between the ship and terminal. The two cores that are used for telecommunications are further split into four channels: � Channel 1 is used for digital signals using a modem (mooring tension data). These modems are typically hardwired at both the ship and terminal interfaces � Channels 2 to 4 are used for analogue signals (telephone). **Cores 5 to 6** This configuration uses two fibre optic cores for digital transmission. This configuration can be used for: � ESD signal � telephone signal � ethernet link. **Electric 37 pin** There are two possible data channels available via this link and both are very similar to the fibre options. The MLM data can be sent between shore and ship and serial data is the interface. The SSL includes data converters to make the data compatible to the format used in the now obsolete MLT3058 serial repeaters. Due to a change in hazardous area certification for Ex’i’ around 2003, the MTL barrier parts cannot be sourced directly. However as the Pyle protection is Ex’d’, non-certified alternate converters can be used. There exists the same limited potential for malicious interference. For FSRU or FSU type systems where a data link to shore is required, ethernet extenders have been utilised. These operate in pairs and are similar to modems. They allow an ethernet connection between ship and shore and the same hazards as the fibre digital data channel exist. Note that the bandwidth is limited by the quality of the cables and connections. **Electric 6 pin** This type of connector is configured to use four pins for analogue ESD signals. Sometimes one of the spare pins is connected to ground. This connector is not typically configured to carry digital signals. **Electric 5 Pin** This type of connector is configured to use two pins for analogue ESD signals. Two other pins may be used for testing. This connector is not typically configured to carry digital signals. ----- ##### Annexes #### Annex 3 – Glossary of Terms and Abbreviations **CCR Cargo Control Room** **CNG Compressed Natural Gas** **ERC** Emergency Release Coupler **ERS Emergency Release System** **ESD Emergency Shutdown** **FSRU Floating Storage and Regasification Unit** **FSU Floating Storage Unit** **GBSS Gas Burning Safety System** **HAZOP Hazard and Operability Study** **IEC International Electrotechnical Commission** **IMO International Maritime Organization** **ISO International Organization for Standardization** **LNGC Liquefied Natural Gas Carrier** **LOPA Layer of Protection Analysis** **MARV Maximum Allowable Relief Valve Setting** **MGV Master Gas Valve** **MLA Marine Loading Arm** **OCIMF Oil Companies International Marine Forum** **OTS Off the Shelf** **PLC Programmable Logic Controller** **SSL Ship Shore Link** **STS Ship to Ship** **Terminal Refers to all receiving and exporting facilities, including floating and regasification facilities** ----- ##### Annexes #### Annex 4 – Reference List 1. IMO – International Code for the Construction and Equipment of Ships Carrying Liquefied Gases in Bulk (IGC Code) 2. IEC – 60092-504 – Electrical installations in ships – Part 504: Automation, control and instrumentation 3. IEC – 15288 – Systems and software engineering – System life cycle processes 4. ISO – 17894 – Ships and marine technology – Computer applications – General principles for the development and use of programmable electronic systems in marine applications 5. SIGTTO – Recommendations for Management of Cargo Alarm Systems 6. IEC – 62682 – Management of alarm systems for the process industries 7. SGMF – Recommendations for linked emergency shutdown (ESD) arrangements for LNG bunkering 8. OCIMF – Design and Construction Specification for Marine Loading Arms 9. ISO – 16904 – Design and testing of LNG marine transfer arms for conventional onshore terminals ----- ----- -----