Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
API Publ 535-1995 (Scan): Guide for the Installation and Use of Emergency Shutdown (ESD) Systems in the Petroleum Industry – Technical Overview and Compliance Notes
Key Technical Requirements, Implementation Highlights, and Regulatory Considerations for ESD Systems in Upstream, Midstream, and Downstream Petroleum Facilities
Scope and Purpose
API Publication 535-1995 (Scan), titled Guide for the Installation and Use of Emergency Shutdown (ESD) Systems in the Petroleum Industry, was developed by the American Petroleum Institute to provide a consistent, risk-based methodology for the design, installation, testing, and maintenance of emergency shutdown systems in petroleum processing, storage, and transportation facilities. The publication addresses the need for reliable isolation of hazardous inventories upon detection of abnormal conditions, including fires, gas releases, and process upsets.
Although not a mandatory standard, API Publ 535 serves as a recommended practice that has been widely adopted by operators, engineering contractors, and regulatory bodies. Its scope covers upstream (onshore and offshore), midstream (pipeline terminals, tank farms), and downstream (refineries, petrochemical plants) applications. The publication emphasizes a systematic approach to ensure that ESD functions are available when required and that they do not degrade plant operability unnecessarily.
Note: API Publ 535-1995 is out of print but remains referenced in many existing facility operating procedures. The “Scan” designation indicates it is a scanned copy of the original paper document. For new projects, users should also consult API RP 14C, API RP 553, and IEC 61511 for updated requirements.
Technical Requirements and System Design
Risk Classification and Initiating Criteria
API Publ 535 establishes a two-tier classification of ESD actions: ESD-1 (total shutdown of a facility or major unit) and ESD-2 (partial shutdown or isolation of a specific section). The publication provides detailed tables linking initiating events (e.g., manual pushbutton, fire detection, gas detection, process alarm) to the appropriate shutdown level. Designers are required to define the LOPA (Layer of Protection Analysis) or risk matrix to justify the number and independence of ESD subsystems.
Component Requirements
| Component | Required Feature | Typical Testing Frequency |
|---|---|---|
| Emergency shutdown (ESD) valves | Fail‐safe closure within 2% of closing time in design specification; positive shut‐off (ISO 5208 Rate A or API 598) | Quarterly full‐stroke test; annual partial stroke test for high‐cycle service |
| Fire safe valve actuators | Meet API 607 or API 6FA fire safe requirements; actuator storage capacity for ≥2 full cycles | Annual functional test; visual inspection every 6 months |
| Shutdown pushbuttons | Palm‐operated, yellow/red, against panel; must be guarded to prevent accidental activation | Visual inspection monthly; functional test every 3 years |
| Logic solvers (E/E/PES) | Accredited by a recognized third party (e.g., TÜV Rheinland) for SIL 2 or higher | Proof test interval per manufacturer; at least every 5 years |
Independence and Redundancy
The publication mandates that ESD systems be independent from the basic process control system (BPCS) to prevent common‐cause failures. Redundant sensors (2oo2, 2oo3 voting) are required for high‐risk applications. Signal transmission must be via hardwired connections or approved fieldbus protocols that are immune to communication delays. API Publ 535 also cautions against using hydraulic or pneumatic logic for safety functions unless equipped with online testability.
Important design consideration: API Publ 535 requires that any manual ESD button, when activated, bypasses all process control interlocks to achieve the shutdown state within the time defined by the safety requirement specification (SRS).
Implementation and Testing Highlights
Installation Practices
API Publ 535 contains specific guidance on the installation of ESD valves—requiring them to be located as close as possible to the vessel/boundary nozzle and, for flammable services, fitted with remotely operated emergency shutdown (ESD) actuators that are fail‐close. In hazardous areas, all components must be certified for the appropriate gas group and temperature class (e.g., Ex d IIB T6). The publication also provides recommendations for the placement of manual pushbuttons (e.g., at escape paths, control room, emergency assembly points) and for the marking of ESD equipment with distinctive colors and placards.
Best practice tip: When applying API Publ 535 to brownfield modifications, conduct a pre‐installation walkdown using the standard’s checklists to identify any deviations from its requirements. Discrepancies should be recorded in a deviation register and, where risk is high, a temporary compensating measure should be implemented.
Compliance and Regulatory Notes
Although API Publ 535 is a recommended practice, its principles have been incorporated into multiple regulatory frameworks. In the United States, OSHA 29 CFR 1910.119 (Process Safety Management) implicitly references such publications for compliance with mechanical integrity and operating discipline. In the European Union, the Seveso III Directive (2012/18/EU) and the ATEX directives (94/9/EC, 1999/92/EC) align with the general provisions of API Publ 535 for isolation and emergency shutdown. Many operators have adopted the document as a base requirement for their corporate ESD standards.
For a new facility, demonstrating compliance with API Publ 535 can simplify the acceptance of the ESD design by third‐party verifiers (such as classification societies, insurance inspectors, or local authorities). However, note that the standard has not been updated since 1995; users must supplement it with newer guidance from ISO 61511, API RP 553, and API RP 14C for issues like cybersecurity, SIL verification, and software validation.
Critical compliance note: If an operator chooses to deviate from a recommendation of API Publ 535, the rationale (e.g., use of an alternative standard, risk justification) must be formally documented and accepted by the relevant project risk reviewer or authority having jurisdiction. In the event of an incident, failure to follow this documentation process could lead to findings of inadequate safety management.
Frequently Asked Questions
Q: Is API Publ 535 still considered active or current?
A: API Publ 535-1995 is no longer maintained as an active API standard; however, many existing petroleum facilities continue to reference it in their safety manuals. For new designs, it is advisable to use current versions of API RP 14C, IEC 61511, or API RP 553.
A: API Publ 535-1995 is no longer maintained as an active API standard; however, many existing petroleum facilities continue to reference it in their safety manuals. For new designs, it is advisable to use current versions of API RP 14C, IEC 61511, or API RP 553.
Q: Does API Publ 535 require SIL (Safety Integrity Level) assessments?
A: The 1995 edition does not mandate formal SIL allocation per IEC 61508/61511 because the SIL framework became widespread after its publication. Nevertheless, the document’s emphasis on risk reduction and independent layers provides a foundational approach that aligns with modern SIL concepts. Most competent assessors consider ESD systems designed to API Publ 535 as typically achieving SIL 2 equivalent when the recommended testing frequencies are followed.
A: The 1995 edition does not mandate formal SIL allocation per IEC 61508/61511 because the SIL framework became widespread after its publication. Nevertheless, the document’s emphasis on risk reduction and independent layers provides a foundational approach that aligns with modern SIL concepts. Most competent assessors consider ESD systems designed to API Publ 535 as typically achieving SIL 2 equivalent when the recommended testing frequencies are followed.
Q: How does API Publ 535 address cybersecurity of ESD systems?
A: The 1995 publication predates current cybersecurity concerns and therefore contains no specific digital security provisions. Users must supplement it with standards such as ISA 62443 (IEC 62443) and NIST SP 800-82 to protect ESD logic solvers and communication networks from cyber threats.
A: The 1995 publication predates current cybersecurity concerns and therefore contains no specific digital security provisions. Users must supplement it with standards such as ISA 62443 (IEC 62443) and NIST SP 800-82 to protect ESD logic solvers and communication networks from cyber threats.
Q: Can API Publ 535 be used for temporary or mobile installations (e.g., well test facilities, workover rigs)?
A: Yes, but with caution. The publication’s principles can be adapted; however, temporary installations often require shorter proof test intervals, remote shut‐down capability, and enhanced manual initiation points. Operators should develop a specific criteria document based on API Publ 535 for such applications.
A: Yes, but with caution. The publication’s principles can be adapted; however, temporary installations often require shorter proof test intervals, remote shut‐down capability, and enhanced manual initiation points. Operators should develop a specific criteria document based on API Publ 535 for such applications.
© 2026 – This article provides an overview of API Publ 535-1995 (Scan). The original document is owned by the American Petroleum Institute. Users should always refer to the current version of the applicable standard for precise requirements.