A process plant shutdown system is a functional safety countermeasure crucial in any hazardous process plant, such as oil and gas production plants and oil refineries. The concept also applies to non-process facilities such as nuclear plants. These systems are used to protect people, assets and the environment when process conditions leave the safe design envelope of the equipment.
As the name suggests, these systems are not intended for controlling the process itself but rather for protection. Process control is performed by an independent process control system (PCS), which should not be relied upon to execute critical safety actions.
Although functionally separate, process control and shutdown systems are usually interfaced under one system, called an integrated control and safety system (ICSS). Shutdown systems typically use equipment that is SIL 2 certified as a minimum, whereas control systems can start with SIL 1. SIL applies to both hardware and software requirements, such as cards, processor redundancy and voting functions.
There are two main types of safety shutdown systems in process plants:[1]
An automatic PSD typically isolates the system by shutdown isolation valves, thus bringing it to a safe state before the process parameters, such as level, temperature or pressure, exit the system safe design envelope. Its inputs are critical process signals from the likes of pressure and temperature transmitters, which must be separate from those used for process control. This separation provides redundancy and reliability.
These systems may also be redefined in terms of ESD/EDP levels as:
The safety shutdown system shall shut down the facilities to a safe state in case of an emergency situation, thus protecting personnel, the environment and the asset. The safety shutdown system shall manage all inputs and outputs relative to emergency shutdown (ESD) functions (environment and personnel protection). Inputs include for example manual activation and signals from the fire and gas system (FGS). Apart from the actuation of shutdown valves and blowdown valves, outputs include isolation of electrical sources, power shutdown, activation of fire pumps, etc. ESD is usually activated when a loss of containment and/or a fire is detected, although it may be activated at any time the plant operators feel it is necessary to preserve life, assets and the environment.
The main objectives of the fire and gas system are to:
Emergency depressurization, or blowdown, is an important system for safeguarding a process plant in the event of an emergency. Equipment such as pressure vessels exposed to fire could undergo catastrophic failure leading to an uncontrolled loss of containment. Depressurization reduces the potential for failure by removing inventory from the plant, thereby decreasing the internal mechanical stresses and extending the plant’s integrity at elevated temperatures.[2] Its function is distinct from that of pressure relief valves, which are passive devices that open if pressure reaches a value above the process safety trip but still below the design pressure of the equipment. Relief valves complement the PSD.
A process plant is typically divided into isolatable sections by emergency shutdown valves (ESDVs). Each section may be designated as belonging to a fire zone that is depressurized by a dedicated blowdown valve (BDV) or set of BDVs. During ESD conditions, the depressurization of only specific isolatable sections is undertaken. However, during more widespread emergency circumstances, the whole facility may be depressurized.
In a typical depressurization system, the goal is to reduce the pressure in the plant to less than 50% of the design pressure or to 7 barg, whichever is lower, within 15 minutes.
Disposal of blowdown fluids is generally to flare systems or, if safe to do so, to non-fired blowdown drums. Blowdown may be strategically delayed by fire zone to shave the peak flow and allow the flare to deal with the incoming gas. This is generally referred to as a staggered blowdown.

A depressurization system comprises an actuated valve and a restriction orifice. The BDV is normally held in the closed position but opens on demand or on failure of the actuator. A restriction orifice (RO) downstream of the BDV is sized to achieve the desired blowdown rate. A locked-open valve may be located downstream of the orifice; when closed, this valve allows the functionality of the BDV to be tested without depressurizing that section of the plant.[3]
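The depressurization criterion stated above (reach the lower of 50% of design pressure or 7 barg within 15 minutes) can be checked against a recorded pressure-versus-time profile for an isolatable section, for instance when reviewing a BDV/RO sizing or a blowdown test. The following is an added example, not code from any referenced standard or project; the pressure profiles are constructed sample data, and the threshold constants are taken from the text above.

```python
"""Check a blowdown profile against the target-pressure criterion above.

Target: the lower of 50 % of design pressure or 7 barg, within 15 minutes.
The profiles at the bottom are constructed sample data, not plant records.
"""

TARGET_FRACTION = 0.5   # 50 % of design pressure
TARGET_CAP_BARG = 7.0   # absolute cap on the target, barg
TIME_LIMIT_MIN = 15.0   # minutes allowed to reach the target


def blowdown_target(design_pressure_barg: float) -> float:
    """Target pressure for a section: whichever of 50 % of design pressure
    or 7 barg is lower (so low-design-pressure sections target below 7 barg)."""
    if design_pressure_barg <= 0:
        raise ValueError("design pressure must be positive")
    return min(TARGET_FRACTION * design_pressure_barg, TARGET_CAP_BARG)


def time_to_reach(profile, target_barg: float):
    """First time (minutes) at which the profile is at or below the target,
    or None if it never gets there. `profile` is a time-ordered list of
    (minutes_since_bdv_open, pressure_barg) pairs."""
    last_t = None
    for t, p in profile:
        if last_t is not None and t < last_t:
            raise ValueError("profile must be in time order")
        last_t = t
        if p <= target_barg:
            return t
    return None


def meets_criterion(profile, design_pressure_barg: float) -> bool:
    """True if the section reaches its target pressure within the time limit."""
    reached_at = time_to_reach(profile, blowdown_target(design_pressure_barg))
    return reached_at is not None and reached_at <= TIME_LIMIT_MIN


# Constructed sample profiles: (minutes after BDV opens, pressure in barg).
FAST_SECTION = [(0, 90.0), (3, 40.0), (6, 18.0), (9, 9.5), (12, 6.8), (15, 5.0)]
SLOW_SECTION = [(0, 90.0), (5, 60.0), (10, 35.0), (15, 20.0), (20, 12.0), (25, 6.5)]
LOW_DESIGN_SECTION = [(0, 12.0), (4, 8.0), (8, 5.9), (12, 4.0)]  # 12 barg design

if __name__ == "__main__":
    for name, profile, design in [("fast", FAST_SECTION, 90.0),
                                  ("slow", SLOW_SECTION, 90.0),
                                  ("low-design", LOW_DESIGN_SECTION, 12.0)]:
        print(name, blowdown_target(design), "barg target ->",
              "PASS" if meets_criterion(profile, design) else "FAIL")
```

For the 12 barg section the target is 6 barg rather than 7 barg, which is the "whichever is lower" case that is easy to overlook when only the 7 barg figure is remembered.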