In industrial facilities there are often hardwired and dedicated safety shutdown systems that are designed to vent/flare hydrocarbons, stop equipment, de-energize equipment, etc., when an emergency or upset condition has occurred.
This hardwired safety shutdown system is the last automated control layer before the physical protection devices such as PSVs operate to protect against a catastrophic loss.
Emergency Shutdown System
Below are seven questions to consider for your facility:
When was the last time that your facility’s hardwired ESD system was tested?
When you conduct a planned outage is testing your hardwired ESD system part of the outage? This is not a system that can be readily verified during normal plant operations so careful planning of when/how to test this system should be completed well in advance of an outage.
The testing also needs to be documented fully so that you have evidence and can later confirm that all of the system was checked and not just a part of it.
When doing testing all initiators (pushbuttons, hardwired trips, etc.) should be checked against all of the anticipated output functions (relays dropping out, ESD status alarm points ringing into your control system, etc.).
Has anything been added, deleted or modified that may have connections to the hard wired system?
- A running facility is always at risk of change. There may be a “night-shift temporary fix” that never is connected properly to the hardwired ESD system.
Are there new packages out in the plant that would keep running as they are not yet tied into the hard wired shutdown system?
- A new skid may be added to the plant, but was it hardwired connected to shut down with the plant wide ESD system?
If the system relies on relays held “on” would the contacts still open when the coil is de-energized?
- Electromagnetic relays are comprised of a coil and plunger that must physically move in order to open contacts. Corrosion and dust may inhibit the relay from changing state once the power is cutoff leaving the connected outputs to be left energized.
Do you have electronic relays in your ESD circuits? Is there leakage current that may hold an output on?
- Electronic relays that use transistor based control have leakage current. This has been known to intermittently cause signals to remain “on” that actually are intended to be “off”.
Are there output cards that are supposed to de-energize on a manual ESD that are no longer wired that way?
- When designing control systems outputs may be hardwired to disconnect on ESD. This can be a single point, a group of points, or entire I/O modules that are de-energized via the hardwired ESD system. There are some discrete outputs that you want to leave on no matter what, e.g., horns & beacons.
Therefore, if someone did not review the power distribution and ESD wiring schematics it is possible that devices that are supposed to disconnect/de-energize on ESD may be connected to channels that don’t open on ESD, and vice-versa.
Is your facility’s documentation reflective of your hardwired ESD system?
- If you do have facility changes are they being kept up to date in your documentation? There are many drawings and documents that may need to be updated. In some cases some are kept up to date, but perhaps some are forgotten about leading to discrepancies between the documents and drawings.
For example a hardwired ESD system may touch on:
- Shutdown Keys
- ESD wiring schematics
- Power distribution schematics
- Single Line Diagrams
- Control narratives
- Motor Control schematics
- I/O schematics
- Loop drawings
- Cable schedules
- Termination drawings
- Junction box drawings
- Termination & wiring databases (e.g., SmartPlant)
- Alarm summary
- Are each and every one of the documents up to date?
These are the sort of questions that need to regularly be reviewed and documented during that review. Your insurance company may dictate this and it’s just good business to take care of your hardwired ESD system!
BY BRENT SENIO, P.ENG.