Government of Canada / Gouvernement du Canada
Symbol of the Government of Canada

Search

Canada–Newfoundland and Labrador Offshore Area Petroleum Operations Framework Regulations (SOR/2024-25)

Regulations are current to 2024-11-26 and last amended on 2024-10-28. Previous Versions

PART 10Installations, Wells and Pipelines (continued)

Installations (continued)

Systems and Equipment: Design, Installation, Commission and Other Requirements (continued)

Marginal note:General alarm system

  •  (1) An operator must ensure that an installation is equipped with a general alarm system that is capable of alerting persons on the installation of any hazards to safety or the environment other than fire or gas.

  • Marginal note:Additional requirements

    (2) The operator must ensure that the general alarm system is

    • (a) operational at all times other than when the system is being inspected, maintained or repaired;

    • (b) flagged as being subject to inspection, maintenance or repair, as required; and

    • (c) designed to prevent tampering.

  • Marginal note:Alternative means of alert

    (3) If a general alarm system is being inspected, maintained or repaired, the operator must ensure that there is an alternative means of alerting persons of the hazards referred to in subsection (1).

Marginal note:Gas release system

  •  (1) An operator must ensure that an installation that includes process tanks, process vessels and piping is equipped with a gas release system that has a flaring system, a pressure relief system, a depressurizing system or a cold vent system.

  • Marginal note:Risk assessment — design

    (2) The operator must ensure that the design of the gas release system is based on the results of the risk assessment conducted under subsection 107(1).

  • Marginal note:Design

    (3) The operator must ensure that the gas release system is designed to

    • (a) release gas and combustible liquid from an installation in a controlled manner without creating a hazard to safety;

    • (b) reduce pressure in the entire process system as quickly as possible while ensuring a safe and controlled release of pressure;

    • (c) minimize the effect on the environment;

    • (d) be activated from the main control centre and from control stations that meet the requirements set out in subsection (5); and

    • (e) ensure that oxygen cannot enter the system during normal operations.

  • Marginal note:Location — system

    (4) The operator must ensure that the gas release system is designed and located taking into account factors, including physical and environmental conditions, that affect the safe and normal flaring or emergency release of combustible liquid, gases or vapours so that when the system is in operation it does not damage the installation — or any other installation, vessel or support craft in proximity to it — or injure any person.

  • Marginal note:Control stations

    (5) The operator must ensure that the control stations from which the gas release system is activated are located and spaced so that they remain protected and accessible for safe operation of the system.

  • Marginal note:Flaring systems

    (6) The operator must, in respect of any flaring system, ensure that

    • (a) if an unlit release of gas could produce toxic gas concentrations or gas concentrations of more than 50% of the lower explosive limit of the released gas,

      • (i) the system has an automatic igniter system that has redundancy in its ignition capabilities, and

      • (ii) in the case of an open flare system, the system and any associated equipment are designed to ensure a continuous flame; and

    • (b) the system and any associated equipment are designed to

      • (i) withstand the radiated heat at the maximum flaring rate,

      • (ii) prevent flashback, and

      • (iii) withstand all loads to which they may be subjected.

  • Marginal note:Risk minimization — vents

    (7) The operator must ensure that any vent that is used to release gas into the atmosphere without combustion is designed and located in accordance with the measures referred to in clause 9(2)(b)(vi)(A) and subparagraph 10(2)(b)(vi) that are described in the operator’s safety plan and environmental protection plan, respectively.

  • Marginal note:Liquid removal

    (8) The operator must ensure that any liquid, other than water, that cannot be safely and reliably burned at the flare tip of a gas release system is removed from the gas before it enters the flare.

Marginal note:Fire and gas detection system

  •  (1) An operator must ensure that an installation is equipped with a fire and gas detection system.

  • Marginal note:Requirements

    (2) The operator must ensure that the fire and gas detection system

    • (a) provides continuous, reliable and automatic monitoring functions to allow persons to be alerted to the presence and location of fire and hazardous gas, as well as the concentration and composition of that gas;

    • (b) as far as is practicable, is functionally and physically independent of other essential systems or, if that is not practicable, is arranged so as not to adversely affect or be adversely affected by the operation of those systems;

    • (c) includes an alarm system with audible and visual alarms that are distinct from other types of alarms, that can be heard or seen at the main control centre and in other areas where persons are normally present, that are, on detection of fire or gas hazards, automatically activated and that can also be manually activated; and

    • (d) allows control measures, including those that are designed to be initiated automatically, to be initiated manually to prevent abnormal conditions from escalating and causing major accidental events.

  • Marginal note:Risk assessment — design

    (3) The operator must ensure that the design of the fire and gas detection system is based on the results of the risk assessment conducted under subsection 107(1).

  • Marginal note:Design

    (4) The operator must ensure that the fire and gas detection system is designed

    • (a) to detect the types of fire and hazardous gas releases identified in the risk assessment conducted under subsection 107(1);

    • (b) to detect hazardous gas and smoke in the air intakes of any mechanically ventilated non-hazardous areas; and

    • (c) such that the means to manually initiate fire and gas alarms are available at or near the office of the installation manager, at the main control centre, at every control station and at any other locations identified in the risk assessment conducted under subsection 107(1).

  • Marginal note:Requirements

    (5) The operator must ensure that the fire and gas detection system meets the following requirements:

    • (a) its detection components must

      • (i) be capable of detecting the types of fire and hazardous gas releases identified in the risk assessment conducted under subsection 107(1) in the areas in which they are located,

      • (ii) ensure reliable and early detection, taking into account their response characteristics, redundancy and performance under foreseeable conditions in which detection may be required,

      • (iii) be rated and maintained for use in the areas in which they are located, as those areas are classified in accordance with the classification system referred to in subsection 113(2), and

      • (iv) include failure and malfunction indicators;

    • (b) the system and its components must be protected from mechanical damage and damage caused by fire, explosion and physical and environmental conditions to which they may be exposed so that they remain capable of fulfilling their intended functions under all foreseeable operating conditions;

    • (c) the system must allow for all necessary information to be continuously provided to the main control centre and other strategic locations to permit the management of emergency situations; and

    • (d) the system must be capable of being reset only if the cause of its activation has been resolved.

  • Marginal note:Testing and maintenance

    (6) The operator must ensure, in relation to the testing and maintenance of the fire and gas detection system, that the following requirements are met:

    • (a) the system must be capable of being overridden for the purposes of testing and maintenance activities;

    • (b) override commands and functions must be applied for the shortest amount of time possible and with as few as possible being applied simultaneously; and

    • (c) the testing and maintenance activities must not impair the system beyond what is necessary to undertake those activities and must not impede its functioning.

  • Marginal note:Work permit

    (7) A work permit is required for the testing and maintenance of the fire and gas detection system.

  • Marginal note:Management of override effects

    (8) The work permit must set out measures to be taken to manage the effects of overriding the fire and gas detection system.

  • Marginal note:Leak repair

    (9) The operator must ensure that any leak of gas that is detected by the fire and gas detection system or by means of an auditory, olfactory or visual method — including the observation of the dripping of hydrocarbon liquids from an equipment component — is repaired

    • (a) immediately, if the repair is necessary for the purposes of safety or the conservation of petroleum resources; or

    • (b) as soon as the circumstances permit, in any other case.

Marginal note:Emergency shutdown system

  •  (1) An operator must ensure that an installation has an emergency shutdown system that is capable of

    • (a) shutting down all potential ignition sources and potential sources of flammable liquids or gases, including by isolating those sources;

    • (b) depressurizing all potential sources of flammable liquids or gases other than reservoirs;

    • (c) preventing abnormal conditions from escalating and causing major accidental events; and

    • (d) limiting the extent and duration of any major accidental event.

  • Marginal note:Studies and assessments — design

    (2) The operator must ensure that the design of the emergency shutdown system is based on studies, analyses and assessments that identify potential hazards and must assess the risks associated with those hazards, including the risk assessment conducted under subsection 107(1) and the risk and reliability analysis referred to in section 108.

  • Marginal note:Design

    (3) The operator must ensure that the emergency shutdown system is designed to

    • (a) allow for automated and manual activation to ensure effective shutdown;

    • (b) allow for the shutdown of any system or equipment to bring it to a safe state, unless the system or equipment has been rated to remain operational in the area in which it is located, as that area is classified in accordance with the classification system referred to in subsection 113(2);

    • (c) allow for the selective shutdown of ventilation systems, other than fans that are necessary for supplying combustion air to engines that are required to operate during emergency situations unless gas has been detected in the intake to those engines;

    • (d) allow for the isolation of petroleum and flammable fluid inventories, including reservoirs, wells, production systems and pipelines, from ignition sources;

    • (e) take into account the size and segregation of petroleum and flammable fluid inventories to limit the quantity of substances released on loss of containment;

    • (f) allow for the depressurization and the disposal of hydrocarbon inventories in a safe manner and to a safe location without cold venting;

    • (g) allow for the closure of the installation’s subsea and subsurface safety valves and of pipeline safety valves;

    • (h) take into account, in relation to all essential systems, the necessary timelines to support the safe escape, refuge and evacuation of persons and to maintain the integrity of the installation; and

    • (i) take into account the activation of the fixed fire suppression systems required under paragraph 134(4)(a).

  • Marginal note:Shutdown logic

    (4) The operator must ensure that the logic for the emergency shutdown system includes a hierarchy of shutdown levels, action sequences and timelines that are appropriate for the degree of risk posed by the hazards identified in the studies, analyses and assessments referred to in subsection (2).

  • Marginal note:Additional requirements

    (5) The operator must ensure, in relation to the emergency shutdown system, that

    • (a) the system is reliable and, as far as is practicable, it is functionally and physically independent of other essential systems or, if that is not practicable, it is arranged so as not to adversely affect or be adversely affected by the operation of those systems;

    • (b) the system includes an alarm system, with audible and visual alarms that are distinct from other types of alarms, that will automatically activate in the main control centre and at other strategic locations so that all affected persons, having regard to the hierarchy of shutdown levels referred to in subsection (4), are alerted to the emergency shutdown;

    • (c) there is continuous monitoring from the main control centre of the system’s status, including, if the system or part of the system is overridden, the extent and duration of the override;

    • (d) the system and its components are protected from mechanical damage and damage caused by fire, explosion and physical and environmental conditions to which they may be exposed so that they remain capable of fulfilling their intended functions under all foreseeable operating conditions;

    • (e) the system allows for all information that is necessary to permit the management of emergency situations to be continuously provided to the main control centre and other strategic locations, including information regarding

      • (i) the shutdown level and the source of activation of the system,

      • (ii) any shutdown effects that failed to execute on activation of the system, and

      • (iii) the status, including failure, of the system’s components;

    • (f) the system is capable of being activated from multiple manual activation points that are

      • (i) clearly marked,

      • (ii) protected against unintentional activation, and

      • (iii) located at

        • (A) in the case of manual activation points for the highest level of shutdown, the main control centre and other strategic locations, including aircraft landing areas and other embarkation stations, and

        • (B) in the case of all other manual activation points, strategic positions, at least one of which must not be in a hazardous area;

    • (g) the activation of the system from a manual activation point triggers the general alarm system referred to in section 130;

    • (h) if any part of the system is operated using a hydraulic or pneumatic accumulator,

      • (i) the accumulator

        • (A) is located as close as is practicable to the part that it is intended to operate, except if that part is part of a subsea production system, and

        • (B) has the capacity for a sufficient number of activations to ensure that shutdown can be achieved, and

      • (ii) the shutdown valves revert to a fail-safe mode in the event of a failure of the accumulator;

    • (i) the system is capable of testing both its input and output signal devices and its internal functions to ensure its functioning;

    • (j) in the event of a failure of the main electrical power supply referred to in subsection 122(4), the system has the capacity to function continuously until the main electrical power supply is restored or all shutdown operations have been concluded;

    • (k) in the event that an impairment of the system or any of its components increases the risk to safety or the environment, any other systems that support the emergency shutdown system reverts to a fail-safe mode;

    • (l) if two or more installations are connected or if there is temporary equipment that has an emergency shutdown system on an installation,

      • (i) the emergency shutdown systems of the connected installations are linked so that emergency shutdown signals are transmitted between those systems,

      • (ii) the emergency shutdown systems of the temporary equipment are linked to the installation’s emergency shutdown system so that emergency shutdown signals are transmitted between those systems, and

      • (iii) the logic for the emergency shutdown system of each of the connected installations and of the temporary equipment is re-evaluated and modified, if necessary, to take into account the fact that the emergency shutdown systems are linked, with the logic of the installation’s emergency shutdown system being given priority over that of any temporary equipment;

    • (m) the system is capable of being overridden or reset only if the cause of its activation has been resolved and there has been local confirmation that the equipment that gave rise to the system shutdown can be safely used; and

    • (n) override commands and functions are not capable of being unintentionally activated.

  • Marginal note:Testing and maintenance

    (6) If the emergency shutdown system is capable of being overridden for the purposes of testing and maintenance activities, the operator must ensure that the following requirements are met:

    • (a) override commands and functions must be applied for the shortest amount of time possible and with as few as possible being applied simultaneously; and

    • (b) the testing and maintenance activities must not impair the system beyond what is necessary to undertake those activities and must not impede the system’s functioning.

  • Marginal note:Work permit

    (7) A work permit is required for the testing and maintenance of the emergency shutdown system.

  • Marginal note:Management of override effects

    (8) The work permit must set out the measures to be taken to manage the effects of overriding the emergency shutdown system.

  • Marginal note:Closure — subsurface safety valve

    (9) In the case of a production installation, the operator must ensure that, if the emergency shutdown system is activated, any subsurface safety valve closes not later than two minutes after the tree safety valve has closed unless a longer delay is justified by the mechanical or production characteristics of the well.

 

Date modified: