Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations JAE on being selected by the Eng-Tips community for having the most helpful posts in the forums last week. Way to Go!
ESDV operate as normal day to day Process function
- Thread starter PleG
- Start date
The more often a block valve is operated, the higher risk of damage to the seats or trash in the seat which can harm its ability to seal in an emergency.
I don't know of any code that prohibits cycling an ESD for reasons not related to an emergency (or preventative maintenance), but I sure don't do it.
David
I don't know of any code that prohibits cycling an ESD for reasons not related to an emergency (or preventative maintenance), but I sure don't do it.
David
- Thread starter
- #3
Thanks David,
In all my designs I have never done this either. I have a client that wants to do this and I cannot, for the life of me, find any code stating that you are not allowed to do this. API only tells me that: ESD equipment must be additional and independent to the normal process. So, extra ESD solenoid driven from the independent ESD system on the hydraulic or air supply, is exactly that. I thought it should be an additional (ESD) valve, driven from an independent system.
Also, SIL only says that it must have a sertain number of cycles to be be at a certain SIL rating. (ESDV's can reach this cycle).
I need some code numbers and I have searched the net for hours.... no luck!
In all my designs I have never done this either. I have a client that wants to do this and I cannot, for the life of me, find any code stating that you are not allowed to do this. API only tells me that: ESD equipment must be additional and independent to the normal process. So, extra ESD solenoid driven from the independent ESD system on the hydraulic or air supply, is exactly that. I thought it should be an additional (ESD) valve, driven from an independent system.
Also, SIL only says that it must have a sertain number of cycles to be be at a certain SIL rating. (ESDV's can reach this cycle).
I need some code numbers and I have searched the net for hours.... no luck!
There are no codes. We were faced with the installation of control and ESD system on over 150 underground storage wells. The wells we to be opened and closed almost daily and have esd valves. Mind you, there are three 8" lines to control and ESD. That would have been 6 *' 300 to 900 ansi valves. Then you want independant ESD and Control logic to the wells scattered over 3 square miles?
We fired the I&E specialist and we combined services and put in 1 control/esd system and 3 valves (plus an ED body to do the fine control). The state inspectors approved it and gave a get out of jail free letter to boot.
Of course we had manual valves on each well required by state law. If you believe you are going to ware the valves out and they won't seal, shut the area in and repair the vale more often to get over some SIL target.
We fired the I&E specialist and we combined services and put in 1 control/esd system and 3 valves (plus an ED body to do the fine control). The state inspectors approved it and gave a get out of jail free letter to boot.
Of course we had manual valves on each well required by state law. If you believe you are going to ware the valves out and they won't seal, shut the area in and repair the vale more often to get over some SIL target.
Separate basic process control functions from safety instrumented system functions. If 29 CFR 1910.119 applies, study ISA 84 parts 1 through 3. If offshore review API RP 14C.
ISA S84.00.01 P1
10.3 SIS safety requirements
10.3.1 These requirements shall be sufficient to design the SIS and shall include the following:
...many words ...
NOTE Non-safety instrumented functions may be carried out by the SIS to ensure orderly shutdown or faster start-up. These should be separated from the safety instrumented functions.
11.6.3 Each individual field device shall have its own dedicated wiring to the system input/output, except in the following cases. Multiple discrete sensors are connected in series to a single input and the sensors all monitor the same process condition (for example, motor overloads). Multiple final elements are connected to a single output.
NOTE For two valves connected to one output, both valves are required to change state at the same time for all the safety instrumented functions that use the two valves. A digital bus communication with overall safety performance that meets the integrity requirements of the SIF it services.
Codes applation depends upon the industry. The petroleum industry is generally covered by 1910.119.
ISA S84.00.01 P1
10.3 SIS safety requirements
10.3.1 These requirements shall be sufficient to design the SIS and shall include the following:
...many words ...
NOTE Non-safety instrumented functions may be carried out by the SIS to ensure orderly shutdown or faster start-up. These should be separated from the safety instrumented functions.
11.6.3 Each individual field device shall have its own dedicated wiring to the system input/output, except in the following cases. Multiple discrete sensors are connected in series to a single input and the sensors all monitor the same process condition (for example, motor overloads). Multiple final elements are connected to a single output.
NOTE For two valves connected to one output, both valves are required to change state at the same time for all the safety instrumented functions that use the two valves. A digital bus communication with overall safety performance that meets the integrity requirements of the SIF it services.
Codes applation depends upon the industry. The petroleum industry is generally covered by 1910.119.
- Thread starter
- #6
Gentlemen,
Thank u very much, fellow engineers, for your interest and comments on my post.
Geeeeeeeeeeeeeeez, lolol... I read and read and read code after spec after report.
I understand the rules as: Seperate control system for ESD and seperate control system for process control. Therefore: Seperate Instruments and Seperate ESDV's, not to be used for normal process functions.
Regards
Pieter
Thank u very much, fellow engineers, for your interest and comments on my post.
Geeeeeeeeeeeeeeez, lolol... I read and read and read code after spec after report.
I understand the rules as: Seperate control system for ESD and seperate control system for process control. Therefore: Seperate Instruments and Seperate ESDV's, not to be used for normal process functions.
Regards
Pieter
I disagree. It says each device will have its own wiring to the I/O of the controller. It doesn't say you cannot have the enddive do multiple tasks in the controller ie PLC. It allows sharing of wiring if it makes sense where valves must operate together. The alternative would be to have three output ports each triggered by the PLC to close three valves or 1 output port that uses 1 wire to all three valves. Its like in the olden days we had to have a seperated shutdown PLC than the PLC doing the control. now we put in a big DCS and do it all.
By the way OSHA doesn't mandated ISA 84 and API RP is just that a recommended practice, as owner operator its your choice.
By the way OSHA doesn't mandated ISA 84 and API RP is just that a recommended practice, as owner operator its your choice.
OSHA 29CFR1910.119 applies to processes that involve a chemical at or above the specified threshold quantities listed in the appendix of this CFR. "The employer shall document that equipment complies with recognized and generally accepted good engineering practices." This establishes a requirement to comply with consensus standards. Thus, many claim that compliance with ISA 84 is mandatory. If failing to comply and an incident occurs this issue would be in front of the criminal and civil juries.
ISA 84
Don't just look at the paragraph posted. Read the standard. It is extensive.
API RP 14C
This is the law for the offshore industry within the United States. It is required by the Department of Interior, Minerals Management Service.
3.4 PREMISES FOR BASIC ANALYSIS AND
DESIGN
The recommended analysis and design procedures for a platform safety system are based on the following premises:
a. The process facility will be designed for safe operation in accordance with good engineering practices.
b. The safety system should provide two levels of protection to prevent or minimize the effects of an equipment failure within the process. The two levels of protection should be independent of and in addition to the control devices used in normal process operation. In general, the two levels should be provided by functionally different types of safety devices for a wider spectrum of coverage. Two identical devices would have the same characteristics and might have the same inherent weaknesses.
c. The two levels of protection should be the highest order (primary) and next highest order (secondary) available. Judgment is required to determine these two highest orders for a given situation. As an example, two levels of protection from a rupture due to overpressure might be provided by a PSH and a PSL. The PSH prevents the rupture by shutting in affected equipment before pressure becomes excessive, and the PSL shuts in affected equipment after the rupture occurs. However, a PSV is selected in lieu of the PSL because it prevents the rupture by relieving excess volumes to a safe location. Moreover, its fast response could prevent a rupture in situations where the PSH might not effect corrective action fast enough.
ISA 84
Don't just look at the paragraph posted. Read the standard. It is extensive.
API RP 14C
This is the law for the offshore industry within the United States. It is required by the Department of Interior, Minerals Management Service.
3.4 PREMISES FOR BASIC ANALYSIS AND
DESIGN
The recommended analysis and design procedures for a platform safety system are based on the following premises:
a. The process facility will be designed for safe operation in accordance with good engineering practices.
b. The safety system should provide two levels of protection to prevent or minimize the effects of an equipment failure within the process. The two levels of protection should be independent of and in addition to the control devices used in normal process operation. In general, the two levels should be provided by functionally different types of safety devices for a wider spectrum of coverage. Two identical devices would have the same characteristics and might have the same inherent weaknesses.
c. The two levels of protection should be the highest order (primary) and next highest order (secondary) available. Judgment is required to determine these two highest orders for a given situation. As an example, two levels of protection from a rupture due to overpressure might be provided by a PSH and a PSL. The PSH prevents the rupture by shutting in affected equipment before pressure becomes excessive, and the PSL shuts in affected equipment after the rupture occurs. However, a PSV is selected in lieu of the PSL because it prevents the rupture by relieving excess volumes to a safe location. Moreover, its fast response could prevent a rupture in situations where the PSH might not effect corrective action fast enough.
I've been inspect lots of times by OSHA, not one inspector mandated ISA. We went over our PHA's, controls, ESD's and MI on the safety systems. OSHA cannot mandate as the law requires a performance based compliance. As a PE I stated my system was sound and the State of Texas has jurisdiction over PE's and "generally accepted good engineering practices". Read the opening paragraph of all API documents (I haven't on RP14) they all give the operator an out not to comply, but to document non compliance. Its like an "API compressor" ain't gonna happen, every unit I've bought had exceptions, there were a couple that claimed 100% compliance, but they were twice the price twice the delivery time.
Do not use fear as a driver to adopt things that are over kill. If the situation were right I'd use ISA 84, but the areas I see in upstream and midstream O&G do not call for 100% compliance to the standard.
Do not use fear as a driver to adopt things that are over kill. If the situation were right I'd use ISA 84, but the areas I see in upstream and midstream O&G do not call for 100% compliance to the standard.
Dennis,
I don't know whether or not your pipeline terminal has a propane cavern. If so, it may fall within the 29 CFR 1910.119 coverage.
I see the claims by many that ISA 84 is mandatory for compliance with 1910.119. I don't necessarily buy it either. However if an accident occurs, many people will investigate the problem. Some will review compliance with codes and standards. Within 1910.119 you must include a list or copy of the design standards. It may be interpreted to provide an out if the plant was built before current standards provided that regular safety audits document that the facility is safe. Once modified the new standards kick-in.
As suggest in the earlier post another problem is the courts. If an accident or release occurs you are in violation of 1910.119. At that point the plant was not safe. Further juries will be easily convinced that you should have implimented current standards. The jurors will especially want to get the energy companies as we approach or exceed $4 USD/US Gallon at the pumps. This is when failure to comply with ISA 84 will be front and center on live camera. It could be a bad scene.
I don't know whether or not your pipeline terminal has a propane cavern. If so, it may fall within the 29 CFR 1910.119 coverage.
I see the claims by many that ISA 84 is mandatory for compliance with 1910.119. I don't necessarily buy it either. However if an accident occurs, many people will investigate the problem. Some will review compliance with codes and standards. Within 1910.119 you must include a list or copy of the design standards. It may be interpreted to provide an out if the plant was built before current standards provided that regular safety audits document that the facility is safe. Once modified the new standards kick-in.
As suggest in the earlier post another problem is the courts. If an accident or release occurs you are in violation of 1910.119. At that point the plant was not safe. Further juries will be easily convinced that you should have implimented current standards. The jurors will especially want to get the energy companies as we approach or exceed $4 USD/US Gallon at the pumps. This is when failure to comply with ISA 84 will be front and center on live camera. It could be a bad scene.
- Thread starter
- #11
MMmmmmm,
Very interesting oppinions.
Mr. dcasto, as you say: "It says each device will have its own wiring to the I/O of the controller"
The plant I am designing, has two seperate systems already. a PLC ESD and a DCS control system. As I understand it, if you wire the valve to the ESD system then only "emergency" signals can operate the valve. If you wire it to the DCS then the communication link between the DCS and the ESD is not allowed to be used for ESD signals, so by installation I must either wire the valve to the ESD or to the DCS.
Scenario (during HAZOP):
One valve (ESD-type), (fail close) used for process divert control, wired to the DCS, with ESD solenoid in series with normal SOV.
Question: What happens if Valve fails stuck open?
Comment: No back up system. (Lawyers on my back, not a good thing)
Very interesting oppinions.
Mr. dcasto, as you say: "It says each device will have its own wiring to the I/O of the controller"
The plant I am designing, has two seperate systems already. a PLC ESD and a DCS control system. As I understand it, if you wire the valve to the ESD system then only "emergency" signals can operate the valve. If you wire it to the DCS then the communication link between the DCS and the ESD is not allowed to be used for ESD signals, so by installation I must either wire the valve to the ESD or to the DCS.
Scenario (during HAZOP):
One valve (ESD-type), (fail close) used for process divert control, wired to the DCS, with ESD solenoid in series with normal SOV.
Question: What happens if Valve fails stuck open?
Comment: No back up system. (Lawyers on my back, not a good thing)
Pleg, What if any valve fails, ESD, SDV, MOV, you are stuck, where is the backup in you ISA 84 compliant system.
All my facilities are PSM, underground storage because besides the 16,000,000 bbls underground we had 50,000 aboveground.
What makes your PLC anymore reliable than your DCS. To get to the basics of ISA 84, it syas you need to define your failure rate and do whatever you can (within reason) to limit failures and impact, exactly what OSHA PSM says. As for compliance in an accident, any lawyer will argue and win that ISA 84 isn't enough if you have even 1 fatality!!!
Learn from BP, they recieved fines for stating they would a standard and they didn't. Their problem was NOT following what they said they would do. I document what my system design is and what it will do and how many layers of protection (typically 1 or 2) depending on service. This all OSHA can review. They CANNOT make you use any standard. For every engineer you can bring in saying ISA 84 is the best, I'd line up two to disagree.
I challange anyone to tell me eactly the MTBF of a system and have absoltue data to prove the system installed is the best in the universe, better than at a nuke, better than the systems on an Airbus. Been in front of the jury on all that.
I iterate, ISA 84 has its place, not knocking it, and in most place I work, it doesn't fit well. A Fisher ROC is just as good as an Allen Bradley with a Fisher Delta V.
All my facilities are PSM, underground storage because besides the 16,000,000 bbls underground we had 50,000 aboveground.
What makes your PLC anymore reliable than your DCS. To get to the basics of ISA 84, it syas you need to define your failure rate and do whatever you can (within reason) to limit failures and impact, exactly what OSHA PSM says. As for compliance in an accident, any lawyer will argue and win that ISA 84 isn't enough if you have even 1 fatality!!!
Learn from BP, they recieved fines for stating they would a standard and they didn't. Their problem was NOT following what they said they would do. I document what my system design is and what it will do and how many layers of protection (typically 1 or 2) depending on service. This all OSHA can review. They CANNOT make you use any standard. For every engineer you can bring in saying ISA 84 is the best, I'd line up two to disagree.
I challange anyone to tell me eactly the MTBF of a system and have absoltue data to prove the system installed is the best in the universe, better than at a nuke, better than the systems on an Airbus. Been in front of the jury on all that.
I iterate, ISA 84 has its place, not knocking it, and in most place I work, it doesn't fit well. A Fisher ROC is just as good as an Allen Bradley with a Fisher Delta V.
- Thread starter
- #13
Sir,
You misunderstand.
I meant with (ESD-type)that it is on/off process valve with ESDV specs. No backup.
The normal operation is with XV doing the normal process operations AND the ESDV is in the open position, (fail close), giving the redundant backup. So if the Conrol or on/off valve fail, the ESDV is the backup.
Also, the PLC is NOT more reliable than the DCS, BUT it gives you the redundant backup. If the DCS fails to close in a process shutdown, the ESD will shut down the ESDV on the design limit. - me happy!
You misunderstand.
I meant with (ESD-type)that it is on/off process valve with ESDV specs. No backup.
The normal operation is with XV doing the normal process operations AND the ESDV is in the open position, (fail close), giving the redundant backup. So if the Conrol or on/off valve fail, the ESDV is the backup.
Also, the PLC is NOT more reliable than the DCS, BUT it gives you the redundant backup. If the DCS fails to close in a process shutdown, the ESD will shut down the ESDV on the design limit. - me happy!
PleG, So, your design allows for a double failures. Do you tripple voting sensors that activate the ESD too? If my facilities need two levels of protection I'd do the same instead of two ESD valves along with the normal control of process valave.
My Delta V DCS is no more reliable than my Fisher ROC or GE FANUC's. The Delta V cost 3 times as much and to top it off, it's HMI cannot be connected to our network because its to open to common viruses, its not an all around system.
My Delta V DCS is no more reliable than my Fisher ROC or GE FANUC's. The Delta V cost 3 times as much and to top it off, it's HMI cannot be connected to our network because its to open to common viruses, its not an all around system.
- Thread starter
- #15
Yip, We have tripple transmitters for two out of three voting on critical ESD systems, wired to the ESD PLC.
So my system will be:- a process diversion valve(XV) on each line, with one ESD valve upstream and common to both batch process diversion valves(XV's).
This project is an expansion on an existing Gas platform, all the systems already exist.
Thank you very much for the conversation, I really appreciate your interest and replies.
Regards
Pieter
So my system will be:- a process diversion valve(XV) on each line, with one ESD valve upstream and common to both batch process diversion valves(XV's).
This project is an expansion on an existing Gas platform, all the systems already exist.
Thank you very much for the conversation, I really appreciate your interest and replies.
Regards
Pieter
Thanks too. As with most engineering discussions, we are all right from where we look at the problem and when the facts come out we can see each others point.
I can agree that at you location and with your company specifications, you require multiple levels of protection. In a EO plant they have even more levels than you described and I hope the Nuke plant down the road has even more.
BTW PiperAlpha was not a level of protection nor PLC/DCS failure.
I can agree that at you location and with your company specifications, you require multiple levels of protection. In a EO plant they have even more levels than you described and I hope the Nuke plant down the road has even more.
BTW PiperAlpha was not a level of protection nor PLC/DCS failure.
- Thread starter
- #17
lolol.. I hope that they have more responsible people running your nuke plants than they have here running ours....
Did you see the documentary of PA? It is unbelievable that so many mistakes and situations happened consecutively.
Luckely, because of PA, all our procedures and reactions on our platforms have been corrected and all the mistakes on the operation procedures have been rectified.
Till later
Pieter
Did you see the documentary of PA? It is unbelievable that so many mistakes and situations happened consecutively.
Luckely, because of PA, all our procedures and reactions on our platforms have been corrected and all the mistakes on the operation procedures have been rectified.
Till later
Pieter
Some people don't learn lessons from accidents such as Piper Alpha. I worked on recent international platforms with gas-over-oil vane type actuators for the riser shutoff valves. The solenoid arrangement would close the valve upon electrical failue. However the double acting vane actuators use the high pressure process gas as the force medium with tubing between to hydraulic cylinders and the actuator. For my definition of fail-safe, a shutdown valve requires a spring to close the valve upon loss of electrical, pneumatic (instrument air or process gas) hydraulic or other medium. During a fire you want the riser valves to close without operator intervention.
- Status
Similar threads
- Locked
- Question