Emergency Shutdown System, ESD
An emergency shutdown, ESD system is the hardwired layer of safety that drives a process to a defined safe state on demand. It is a particular form of safety instrumented system, dedicated to high-consequence shutdown actions like blocking inlet flow, depressurizing a unit, or isolating a section of a pipeline. On offshore and oil & gas facilities the term ESD is preferred over SIS, although the IEC 61511 framework that governs design and proof testing is the same.
Read one of your own drawings.
Drop a P&ID, instrument index, or schedule. Tagsight reads it to the tag and opens a workspace you keep when you sign in.
PDF · DWG · DXF · TIFF · PNG · XLSX
An emergency shutdown system is the safety instrumented system in its most decisive form. A function whose action is not to trim or alarm but to stop. On oil and gas production, LNG, and offshore facilities the ESD term is preferred over SIS, but the governing framework is identical, IEC 61511 for the lifecycle and the SIL allocation that sizes the redundancy. What distinguishes an ESD on the drawing and in the document set is its tiered structure. Most operators partition shutdown into levels, where a high-tier demand executes a platform-wide or unit-wide stop and an inventory blowdown, and a low-tier demand isolates a single compartment or item of equipment. The cause-and-effect matrix is the master record of which initiating event drives which level, and the ESDV and SDV valves that execute those levels carry a heavier line weight and an explicit fail-safe direction on the P&ID. Because an ESD action is broad and expensive when it fires without cause, the voting on its initiators is chosen to balance the loss of a spurious shutdown against the consequence of a missed real demand. The ESD valve list, with each valve's trip class, fail direction, and stroke-time requirement, is the part of the structured tag set that the safety integrator and the proof-test team work from, kept separate from the regulatory control scope for the same independence reason as the rest of the SIS.
ESD levels and partitioning.
Most operators run a tiered ESD architecture, sometimes called ESD-1, ESD-2, ESD-3 or shutdown levels. Higher levels initiate broader actions. Total platform shutdown, manned-spaces evacuation, blowdown of inventory. Lower levels isolate a single piece of equipment or a compartment. The drawing-side representation uses ESDV-prefixed valves and SDV-prefixed sub-system valves, with cause-and-effect matrices documenting which initiating events trigger which level.
What ESD looks like on a drawing.
ESD valves carry a heavier line weight than process valves on most drawing standards, frequently with an ESD designation in the tag prefix and the trip class, 1oo2, 2oo3 annotated nearby. Fail-safe direction, FC for fail-close, FO for fail-open is always called out. Blowdown valves often share the ESD prefix family because they execute as part of the same shutdown sequence.
Frequently asked.
Is an ESD the same thing as an SIS.
An ESD is one type of SIS, scoped specifically to shutdown actions. An SIS more broadly can include alarming and partial trip actions. ESD is reserved for the full shutdown function. Oil and gas projects use ESD as the primary term, while petrochemical and refining projects use SIS.
How does the ESD relate to the cause-and-effect matrix.
The cause-and-effect matrix is the master record of ESD logic. Rows are initiating events, high level, gas detection, manual button, columns are actions, close ESDV-101, depressurize sector A, stop pump. The matrix drives the ESD logic-solver configuration and is audited alongside the P&ID set.
Who tests an ESD system and how often.
The owner-operator's instrument technicians perform proof testing on a schedule determined by the SIL allocation for each safety instrumented function. SIL 2 functions typically require proof tests every one to two years. SIL 3 functions every six to twelve months. The proof test verifies the full trip path from initiating sensor through logic solver to final element, including ESDV stroke-testing against the specified close time.