Instrument-Air-Dump Switch - Required? 1

[JJJ2000]

​

All,

I have worked in several plants that have a hardwired Instrument-Air-Dump switch. In every case the plant was extremely uncomfortable with the thought of actually using this system as you might imagine. One of these plants was a large hydrocarbon processing plant with a full-fledged SIS system installed that required two switches to be simultaneously pulled on opposite sides of the control room in order to dump the air. Other plants had a simple covered quarter turn switch.

Is there a requirement that anyone knows of in any code or standard to have an instrument air dump? We are having difficulty thinking of a plausible scenario in which we would use such a system. This facility does not have an SIS. We only have a DCS and a few PLCs to control our facility.

For the SIS-system case I was under the impression that it existed for the highly unlikely scenario in which a nearby lightening strike / power surge only partially destroys the brains of the SIS, causing it to act in a "crazy" manner. Then the air would be dumped to stop the insane control system from creating unsafe situations in the plant. I know the likelihood of this scenario is vanishingly small, but this is what someone verbally suggested to me once.

The other scenario is that in the event things get so bad that the control room must be abandoned in some kind of a disaster, then the last thing that the last two operators would do before "abandoning ship" would be to trip the instrument air dump. This scenario is only slightly more likely in my opinion. Our control room is in an over-pressure resistant building.

Does anyone else have any experience with this sort of thing? Are there any regulations or ISA standards or SIS standards that address this?

Thanks,
JJJ

 

[btrueblood]

If the air can mix with the stuff being processed (hydrocarbons?) and create a blown fire or worse, an explosive mixture, then yes, having a way to dump the stored air charge to a safe, distant point, might be advisable. The other panic situations where you may want to rapidly stop the pneumatic processes could also be mapped (you and I have each found one such scenario). This would seem to be a good place to apply a FMEA (Failure Mode and Effects Analysis), i.e. figure out how each part of the system can break, what happens when the various parts of the system break down either individually or simultaneously, and then use that information to plan how you would safely stop the process in each case. You can go a step further and add probabilities to the failure tree to help guide a cost vs. reliability decision. The results could then be used in training, creating checklists, or in programming of automated systems, to accomplish the fail-safe goals. The FEMA may also point out that you lack instrumentation to tell you when a failure has occurred, or what type of failure has occurred, etc. which may push you to adding more sophistication to the instrumentation/automation systems, again these would be weighed on a cost vs. likelihood basis.

 

[MikeHalloran]

I have worked with several otherwise sane electronics engineers who habitually design their 'power/slave' boards (full of transistors and/or relays controlling bigger transistors, solenoids or motors) in such a way that pulling the ribbon cable coming from the controlling computer turns every 'controlled load' full ON. Said sparkys also typically specify cheap ribbon cable connectors without latches, guaranteeing that such an event WILL happen, and typically undersize the power circuit components and the supply wires enough to also guarantee collateral damage. It's become a line item on my own mental checklist.

Similarly, consideration of dumping instrument air should be accompanied by an FMEA evaluating each and every controlled module's behavior during such an event, to make sure that zero instrument air does not cause any process to be driven in an undesired direction, etc.





Mike Halloran
Pembroke Pines, FL, USA

 

[zeusfaber]

Good point Mike - I've seen aero engines destroyed through the designer not having thought through what he wanted to happen when power to the controller was cut.

A.