The design of an ESD system has traditionally been based on independent and fail-safe component utilization. Independence implies that the ESD components are segregated from other regulatory control and monitoring systems. Independence is typically obtained by physical separation, using process locations, impulse lines, controllers, input and output (I/O) instruments, logic devices, and wiring that are separate from those of the basic process control system (BPCS). This avoids common-mode failures shared between the two systems. Fail-safe features are obtained by selecting ESD components such that, when a component fails, the process reverts to a condition considered “safe.” Safe implies that the process or facility is not vulnerable to a catastrophic event due to a process release. For most facilities, this implies that pipelines that could supply fuel to the incident (i.e., incoming and outgoing) are shut off (i.e., isolated) and that high-pressure, high-volume material supplies that are part of the incident are relieved to a remote disposal system.
Failures can be either fail-safe or fail-dangerous. Fail-safe incidents can be initiated by spurious trips that result in an unintended shutdown of equipment or processes. Fail-dangerous incidents are initiated by undetected process design errors or operating errors that disable the safety interlock. A fail-dangerous activation may also result from a process liquid or gas release, equipment damage, toxic vapor release, or fire and explosion.
The ESD system should be designed to be sufficiently reliable and fail-safe so that (1) unintended initiation of the ESD is reduced to an acceptably low level or as low as reasonably practical, (2) availability is maximized as a function of the frequency of system testing and maintenance, and (3) the fractional MTBF (mean time between failures) for the system is sufficiently large to reduce the hazard rate to an acceptable level, consistent with the demand rate on the system.
Fail-safe logic is referred to as de-energize-to-trip logic, since any impact to the inputs, outputs, wiring, utility supplies, or component function should de-energize the final output, allowing the safety device to revert to its fail-safe mode. The fail-safe specification for valves can be fail close (FC), fail open (FO), or fail steady (FS), that is, remaining in the last operating position, depending on the service the valve is intended to perform. Valves that are specified to fail close on air or power failure should be provided with spring-return actuators. The use of accumulators (pressurized vessels) should be avoided, since these are less reliable fail-safe mechanisms (i.e., they require verification of pressure, filling, periodic certification testing, etc.) and are more vulnerable to the external impacts of an incident. Control mechanisms, including power, air, or hydraulic supplies to emergency valves (isolation, blowdown, depressurization, etc.), should be fireproofed if the valves are required to be operable during a fire.
For ESD emergency isolation valves (i.e., EIVs), a fail-safe mode is normally defined as fail close in order to prevent the continued flow of fuel to an incident. Blowdown or depressurization valves would be specified as fail open to allow inventories to be disposed of during an incident. Special circumstances may require the use of a fail-steady valve for operational or specialized purposes. These specialized applications are usually at isolation valves for individual components such as vessels, pumps, compressors, etc., where a backup EIV is also provided at the battery limits of the plant that is specified as fail close. The fail-safe mode can be defined as the action that is taken when the ESD system is activated. Since the function of the ESD system is to place the facility in its safest mode, by definition, the ESD activation mode is the fail-safe mode.
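The following model, added here as an illustration and not taken from the source text, puts the de-energize-to-trip logic of the preceding paragraph together with the FC/FO/FS valve specifications of this one: a small constructed plant (component isolation valve specified fail steady, backup EIV at the battery limit specified fail close, blowdown valve specified fail open) is driven through an ESD demand and through utility faults, and an energize-to-trip variant is included as an assumed contrast case to show why the text insists on de-energize-to-trip. Valve tags, fault names and the contrast function are constructed assumptions.

```python
# Added illustration of fail-safe (de-energize-to-trip) ESD final elements; not from the source text.
from dataclasses import dataclass

# Fail-safe specification per service, following the text:
# isolation (EIV) -> fail close, blowdown -> fail open, component isolation -> fail steady.
FAIL_MODE = {"isolation": "closed", "blowdown": "open", "component": "steady"}

@dataclass
class Valve:
    tag: str
    service: str
    operating: str  # position during normal operation (the last operating position)

    def position(self, actuator_energized: bool) -> str:
        """Spring-return actuator: while the output is energized the valve holds its
        operating position; de-energized, it goes to its fail-safe position
        (a fail-steady valve simply stays where it was)."""
        if actuator_energized:
            return self.operating
        mode = FAIL_MODE[self.service]
        return self.operating if mode == "steady" else mode

def de_energize_to_trip(esd_demand: bool, faults: frozenset) -> bool:
    """Output energized only when there is no ESD demand AND every loop element
    (power, wiring, I/O, logic solver) is healthy; any single fault drops the output."""
    return not esd_demand and not faults

def energize_to_trip(esd_demand: bool, faults: frozenset) -> bool:
    """Contrast case (assumption, not from the text): the output must be actively
    driven to trip, so a faulted loop cannot pass the demand and the valve stays put."""
    return not (esd_demand and not faults)

# Constructed plant: component isolation valve (FS) backed by an EIV at the battery
# limit (FC), plus a normally closed blowdown valve (FO). Tags are made up.
PLANT = [
    Valve("XV-101", "component", "open"),
    Valve("EIV-100", "isolation", "open"),
    Valve("BDV-200", "blowdown", "closed"),
]

def plant_state(logic, esd_demand: bool, faults=frozenset()) -> dict:
    energized = logic(esd_demand, frozenset(faults))
    return {v.tag: v.position(energized) for v in PLANT}

def is_safe(state: dict) -> bool:
    """'Safe' as the text defines it: fuel isolated at the battery limit and the
    inventory relieved to the disposal system."""
    return state["EIV-100"] == "closed" and state["BDV-200"] == "open"

if __name__ == "__main__":
    cases = [("normal", False, ()), ("ESD demand", True, ()),
             ("power loss", False, ("power",)), ("wire break + demand", True, ("wiring",))]
    for name, demand, faults in cases:
        for logic in (de_energize_to_trip, energize_to_trip):
            s = plant_state(logic, demand, faults)
            print(f"{logic.__name__:19} {name:20} {s} safe={is_safe(s)}")
```

The power-loss case shows a spurious trip landing in the safe state, while the wire-break-plus-demand case shows the energize-to-trip variant holding every valve in its operating position, which is the fail-dangerous outcome the text warns about.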