Instrument Air Dump / Shutdown System

Status
Not open for further replies.

JJJ2000

Chemical
Mar 1, 2011
11
All,

I have worked in several plants that have a hardwired Instrument-Air-Dump switch. In every case the plant was extremely uncomfortable with the thought of actually using this system as you might imagine. One of these plants was a large hydrocarbon processing plant with a full-fledged SIS system installed that required two switches to be simultaneously pulled on opposite sides of the control room in order to dump the air. Other plants had a simple covered quarter turn switch.

Is there a requirement that anyone knows of in any code or standard to have an instrument air dump? We are having difficulty thinking of a plausible scenario in which we would use such a system. This facility does not have an SIS. We only have a DCS and a few PLCs to control our facility.

For the SIS-system case I was under the impression that it existed for the highly unlikely scenario in which a nearby lightning strike / power surge only partially destroys the brains of the SIS, causing it to act in a "crazy" manner. Then the air would be dumped to stop the insane control system from creating unsafe situations in the plant. I know the likelihood of this scenario is vanishingly small, but this is what someone verbally suggested to me.

The other scenario is that in the event things get so bad that the control room must be abandoned in some kind of a disaster, then the last thing that the last two operators would do before "abandoning ship" would be to trip the instrument air dump. This scenario is only slightly more likely in my opinion. Our control room is in an over-pressure resistant building.

Does anyone else have any experience with this sort of thing? Are there any regulations or ISA standards or SIS standards that address this? I assume this is mainly a holdover from the old pneumatic control room days, but I have seen them in two plants built since 2000.

Thanks,
JJJ
 
Is there any difference between IA dump and ESD-1 (total shutdown+blowdown), in terms of consequence actions of the SIS? If not, the IA dump seems to be an excessive safeguard.

Dejan IVANOVIC
Process Engineer, MSChE
 
I think the logic is more about what to do if your instrument air system is slowly dying for whatever reason (low air pressure in HAZOP speak). It is then quite easy to say that low air pressure could lead to some valves opening or closing before others or starting to crack open as the air pressure lowers compared to the spring force against them.

Therefore a sudden and complete loss of air is preferable (all your valves go to their Fail position, be it open or closed) compared to a slow death which has unknown consequences and actions.

Given that air or power should never be assumed to be available when you want it, the system should fail in a safe manner, be it isolated or vented. However you also clearly don't want what would in effect be an ESD1 accidentally so suitable precautions need to be taken against accidental operation of such a valve.

Remember - More details = better answers
Also: If you get a response it's polite to respond to it.
 
I must have led a sheltered life because I have never seen such an "IA dump system", even in the old pneumatic days- and I have worked in many hydrocarbon plants. Is this arrangement common in one particular segment of the industry? Without delving any further, it seems more dangerous than it is worth.
 
I haven't seen one so far, and it is the first time I have heard about a possible effect of lightning on the SIS. I suppose lightning protection and grounding systems exist in all plants for the exact purpose of preventing such events from happening.

Dejan IVANOVIC
Process Engineer, MSChE
 
The OP's story is preposterous. What kind of facility has operators that are not properly trained for a scenario like this?

It is more likely that the plant would have redundancy in the instrument air system than an instrument air dump.

Perhaps Béla Lipták's book should be reviewed.

 
I, too, have never heard of such a feature. Perhaps it has to do with an OSHA requirement to be able to shut off energy sources in an emergency.
 
We've done exactly one plant with an IA dump, and that was a kludge to fix what was, in my opinion, an improperly designed ESD- one that relied on the DCS being reliable during an ESD event in order to bring control valves (the ones without back-up air operated valves (XVs) in series connected to the trip system (which itself wasn't a full-on SIS)) to their failure positions. Some of those valves had safety consequences- not major ones, but sufficient to be concerned about- and it was too late and too expensive at that point in the project to cut in XVs ahead of each of them. The only event which tripped the IA dump was a DCS watchdog timer failure, indicating that the DCS had lost its mind and was no longer able to fulfill its putative ESD function.

In the old days, the watchdog dropped power to all the master contactor coils on all the AC devices and at the same time dropped 24VDC power to all the analog and digital outputs by means of a relay, but with some modern DCSs this has become more difficult to accomplish without a ton of interposing relays. Some DCS mfgs seem to think that a watchdog timer itself is a thing of the past, but personally I don't think there's a person alive who knows for sure that a system as complex as a DCS has zero chance of going off and contemplating philosophy rather than paying attention to the plant. The watchdog does add a trivial amount of additional risk of downtime, in return for high certainty that if and when the DCS loses its mind, the plant goes to a safe state.
 
Wouldn't it be easier to install an SIS solenoid valve on the Instrument Air supply line of these DCS control valves with limited safety function? As you say, leaving control valves to perform partial safety function is sometimes permitted for services where failure of control valve to move to desired position would not cause a significant (incremental) hazard and where ALARP approach does not justify the use of fully rated process XV (SDV). I have seen plenty of these on water lines and sometimes LP fuel gas lines. In any case, SIS solenoid sounds much better than IA dump. My opinion.

Dejan IVANOVIC
Process Engineer, MSChE
 
When do the operating procedures say it should be used? Alarm response manual? HAZOP? Safety case? LOPA?

JJJ2000 said:
This facility does not have an SIS. We only have a DCS and a few PLCs to control our facility.

For this case, it makes sense to me. DCS watchdog dumps the air, or maybe a hardwired ESD button. If you have more than one major instrument air user, the same functionality could 'island' a damaged area and allow the rest of the plant to run on.

LittleInch said:
I think the logic is more about what to do if your instrument air system is slowly dying for whatever reason

I've experienced this, and we used the instrument air pressure dump. Every valve to its fail-safe position at the same time, rather than as and when each actuator's spring overcomes the falling pressure. Again, this is a plant without an SIS.

Matt

 
All,

First off, thank you for so many replies so fast. Let me try to fill in the gaps from my original post:

For the current plant in question:
1. There is no SIS system.
2. There is a backup nitrogen supply to the IA header that is supposedly very reliable (per AL)
3. The air dump valve is also hardwired to several relays for key breakers in the MCC.
4. This system is completely isolated from the DCS and can only be activated by an operator.
5. Our procedures do not address ever using this system (which is a problem we are currently trying to fix).

For the previous plant with the SIS:
I suspect that what we actually had was an ESD-1 manual activation switch. I'm following up to see what the switch is actually labeled in the control room. In the case of that plant we had a lot of trouble just before start-up trying to define the criteria under which a shift supervisor could actually use the system. In the event of a true emergency I didn't want these guys making phone calls. The initial advice from our leadership was "never ever use this system."

I suspect that what I really have in the current plant is a poor-man's hardwired ESD-1 system.

Thanks for your help.
 
For the plant without SIS it seems that an IA dump would bring the control valves (which are intended to perform safety function as well) to their fail-safe position immediately, without waiting for this to happen within 5 or 10 or 15 minutes or whatever is the surge volume in the IA receiver, like LittleInch said. This makes sense - and I have witnessed such an event - in case of DCS blackout, when you can lose all DCS synoptics and have no idea what is going on in the plant.

For the plant with SIS this seems completely redundant as the SIS is able to perform the same thing in a split second - a predefined fault signal from DCS going off could simply trigger ESD-1.



Dejan IVANOVIC
Process Engineer, MSChE
 
Thanks for everyone's help with this.

I called the control room of the plant with the SIS system and confirmed that the buttons that I clumsily referred to as the "Instrument Air Dump" are actually labeled "ESD." Clearly I have very little experience with SIS systems.

Based on the discussion above I think these are the scenarios in which a non-SIS plant would use an IA-dump system:

1. IA system is slowly dying and for some reason backup nitrogen can't keep up or is inoperable, leading to low IA pressure and uncertain valve operation.
2. DCS failure (DCS loses its mind, the operators lose control of the DCS, or operators lose monitoring of the DCS)
3. Post-explosion large IA leaks in the plant, leading to uncertain operation of valves because even with backup nitrogen, the leaks are so large IA header can't be maintained everywhere.

Did I miss anything?

Again, thanks for all of the responses on this.


 
Now that makes sense for the plant with SIS system - there is actually an ESD (ESD-1) push button for ultimate emergency. Thank you for coming back to confirm this item. IA Dump wouldn't make much sense there.

For a plant without SIS, all 3 points from your last post boil down to the same thing - an emergency condition which requires certain response in absence of a dedicated system that would normally perform these actions. Dumping Instrument Air in rapid fashion would then bring all control valves in their fail-safe position, acting as a safeguard.

One additional thing worth checking in these plants is whether the Flare system is adequately sized to handle all reliefs resulting from instantaneous loss of Instrument Air. There may be a catch.

Dejan IVANOVIC
Process Engineer, MSChE
 