
Hydrotest Pressure Vs Design Pressure

Design pressure is usually the pressure set by the process engineer, based on the results of a simulation or similar study. Hydrotest pressure is the actual pressure the vessel is tested at. Usually the hydrotest pressure is 1.3 times the design pressure (ASME requirement). So if the design pressure is 100 kPa(g), the hydrotest pressure would be 130 kPa(g). This is why the rule (or requirement) is called the 10/13 rule.

Maximum Allowable Working Pressure (MAWP) Vs Design Pressure

Design pressure is usually the pressure set by the process engineer, based on the results of a simulation or similar study. MAWP is the pressure based on the actual characteristics of the vessel/equipment (which is usually manufactured to exceed the specifications set by the process engineer). Maximum allowable working pressure is always greater than or equal to design pressure.

Permissive, Interlock - Difference

PERMISSIVES are conditions that need to be satisfied before you can start the machine. For example, a compressor can be started only when there is sufficient suction pressure.
INTERLOCK: during the process, if a condition fails, interlocks are activated. For example, a pump shutdown interlock is activated when the drum level goes low.
An interlock can also be a permissive, but the converse is not true. For the compressor example (in Permissives), if sufficient suction pressure is only a permissive, the compressor will not shut down when the suction pressure becomes insufficient; it is just a condition for the system to start. But if insufficient suction pressure is an interlock, the system will shut down whenever the suction pressure goes below a fixed value. Once shut down, all the permissives need to be satisfied before the system can start again.

Hot Bolting

Hot bolting is a method of replacing the bolts on a live line, normally done one bolt at a time. Hot bolting should be used only when there is no other reasonable choice.

The criteria typically followed are something like:

The operating pressure must be less than 75% of the MAWP as allowed under ANSI B16.5 at the operating temperature of the piping or process system to be hot bolted.
The flange must have a minimum of 8 bolts.
The process temperature must be between 4 and 71 deg C.
All flanges and associated system equipment must be adequately supported, i.e. no excessive vibration or pulsation.
Monitoring for hydrocarbons is also a must during the operation.
Generally the procedure for hot bolting is the same sequence as for a tightening operation.
The gasket area must not show signs of leakage. Piping, flanges, and bolts must not be severely corroded, i.e., to the point of affecting their integrity.
Existing flange bolts/nuts must be tight and of the correct size and grade.
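The criteria above as a go/no-go screen. This is an added example, not a procedure from the page or from any of the companies named later; the `FlangeCondition` fields, the unit of pressure and the sample flange values are constructed for illustration, and the MAWP at operating temperature is taken as an input rather than looked up in the ANSI B16.5 rating tables.

```python
"""Hot-bolting go/no-go screen (added example; constructed values).

Checks a flange against the page's criteria: operating pressure below 75% of
MAWP at operating temperature, at least 8 bolts, process temperature between
4 and 71 deg C, adequate support, no gasket leakage, no severe corrosion, and
bolts tight and of correct size and grade. The MAWP figure is an input; the
ANSI B16.5 rating lookup is outside this example.
"""
from dataclasses import dataclass

PRESSURE_FRACTION_LIMIT = 0.75   # operating pressure must be below 75% of MAWP
MIN_BOLTS = 8
TEMP_MIN_C, TEMP_MAX_C = 4.0, 71.0


@dataclass
class FlangeCondition:
    operating_pressure: float       # same unit as mawp_at_temperature (e.g. barg)
    mawp_at_temperature: float      # MAWP at operating temperature from the rating table
    bolt_count: int
    process_temperature_c: float
    adequately_supported: bool      # no excessive vibration or pulsation
    gasket_leaking: bool
    severely_corroded: bool         # piping, flange or bolts
    bolts_tight_and_correct: bool   # tight, correct size and grade


def max_hot_bolt_pressure(mawp_at_temperature: float) -> float:
    """Upper bound on operating pressure for hot bolting: 75% of MAWP."""
    return PRESSURE_FRACTION_LIMIT * mawp_at_temperature


def hot_bolt_screen(f: FlangeCondition) -> list[str]:
    """Return every failed criterion; an empty list means all criteria are met."""
    failures = []
    limit = max_hot_bolt_pressure(f.mawp_at_temperature)
    if not f.operating_pressure < limit:
        failures.append(f"operating pressure {f.operating_pressure} not below 75% of MAWP ({limit:.1f})")
    if f.bolt_count < MIN_BOLTS:
        failures.append(f"flange has {f.bolt_count} bolts, minimum is {MIN_BOLTS}")
    if not (TEMP_MIN_C <= f.process_temperature_c <= TEMP_MAX_C):
        failures.append(f"process temperature {f.process_temperature_c} C outside {TEMP_MIN_C}-{TEMP_MAX_C} C")
    if not f.adequately_supported:
        failures.append("excessive vibration or pulsation")
    if f.gasket_leaking:
        failures.append("gasket area shows signs of leakage")
    if f.severely_corroded:
        failures.append("piping, flange or bolts severely corroded")
    if not f.bolts_tight_and_correct:
        failures.append("existing bolts/nuts not tight or not of correct size and grade")
    return failures


if __name__ == "__main__":
    # Constructed sample: a 12-bolt flange at 20 barg against a 40 barg MAWP at 55 deg C
    sample = FlangeCondition(20.0, 40.0, 12, 55.0, True, False, False, True)
    print(hot_bolt_screen(sample) or "all criteria met")
```

The screen deliberately reports every failed criterion rather than stopping at the first, so the permit reviewer sees the full picture; hydrocarbon monitoring during the job is an operational control, not a pre-check, and is left out of the predicate.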
"Hot Bolting" Calculations

I am looking for advice regarding the appropriate calculation method to find the maximum operating pressure we can allow when we perform a Hot Bolt procedure (i.e., removing one bolt at a time for maintenance purposes). I can run the calculations using an ASME Section VII calculator (Mr. Pedersen's), but when you reduce the number of bolts by 1, it simply re-distributes the remaining bolts over the diameter. If I remove half the bolts (to accurately reflect the increased distance between adjacent bolts) to get the correct spacing, the bolt stress for MAWP is too conservative as compared to removing only one bolt (I am looking at my limiting factor being bolt stress from either MAWP or seating perspective, whichever is greater).

I have never heard of anyone taking one bolt at a time for maintenance purposes from a pressurised vessel, sounds extremely dangerous to me.

RossABQ - yes, one bolt at a time... but not necessarily "replacing" - we often just remove one bolt, clean it up, put some sort of lubricant on it (the lubricant issue is a whole other can of worms), and then re-install the bolt/nut. We do this on flanges associated with piping AND on vessel manways... most often in preparation for turnaround maintenance, but also on the rare occasions when we find a bolt has some corrosion or when we find a "short bolt" (i.e., a bolt that is too short and the nut is not fully engaged... usually on facilities we acquired at one time or another) or when we find a nut or bolt that is not the correct grade... in any of these cases we would then replace the bolt and/or nut.
desertfox - I don't believe it is "extremely dangerous" - the industry has been doing this forever. Most of the larger companies have specific procedures for this operation (I have copies of the BP, ConocoPhillips, and the EEMUA Information sheet for Hot Bolting). Folks, thanks for your interest... and look forward to your thoughts and suggestions for the flange limit calcs.

Hot bolting is fairly common, I've been around it quite a bit before. It's simply replacing the bolts on a live line. You do it a bolt at a time. That being said, hot bolting should be used only when there is no other reasonable choice.

The criteria typically followed is something like:

The operating pressure must be less than 75% of the MAWP as allowed under ANSI B16.5 at the operating temp of the piping or process system to be hot bolted.
The flange must have a minimum of 8 bolts.
The process temperature must be between 40 and 160 Fahrenheit.
All flanges and associated system equipment must be adequately supported, i.e. no excessive vibration or pulsation.
Monitoring for hydrocarbons is also a must during the operation.
Generally the procedure for hot bolting is the same sequence as for a tightening operation.
The gasket area must not show signs of leakage. Piping, flanges, and bolts must not be severely corroded, i.e., to the point of affecting their integrity.
Existing flange bolts/nuts must be tight and of the correct size and grade.
In my opinion, the answer to your stud bolt question is... "it depends"...!!! It depends mostly on the cost and degree of corrosion on the bolt. If the bolt is of large diameter and of expensive materials, it pays to be careful and reuse it. Smaller, more common materials may be replaced as a matter of policy.

We have hot bolted at 1250F @ 250 psig. We routinely hot bolt polymer lines at 600F @ 1500 psig. Our process requires that we completely dismantle a production unit at overhaul. This involves the removal of several thousand studs, mainly B-16 5/8"-@ 1/2" but considerable B8 Cl2 material. Part of these production units are components that use H11 SHCS that are changed out and reused on a set schedule of approximately 15 days. Each line has 48 of these components that have 98 SHCS. As we have 17 lines the reuse of studs and bolts is almost a necessity. Though there is not a formal inspection of the studs, they are screened by adding 2 nuts to each stud during a process we call Daging, the addition of a colloidal graphite lubricant. We run each stud through a Pyrolysis Furnace to remove any existing Dag and the disassembled studs and nuts are run through the Daging bath, Dag and water. After Daging the studs and nuts are assembled with a full nut engagement on each end of the stud. I would say less than 1% are rejected during this process. About 90% of the rejected studs are recovered by light duty mechanics. It is a very rare occurrence when a mechanic has a problem with a stud when the piping is reassembled. Some of the studs in use are over 40 years old as witnessed by some Crane Alloy Studs from the 50's that are found in service. At various times I've removed a sample of studs and physically measured the threads and have never seen anything approaching rejection. There is a problem sometimes with the meaning of "hot bolting" being taken as retorquing a bolted connection at operating conditions. "Hot bolting" and "hot torquing" are two separate operations. Care has to be taken with both operations. I've seen several problems with "hot torquing" where people forget the proper tightening sequence.

POWER PLANT OPERATION
BY MUJIYONO

BOILER

Definition
As per the Indian Boiler Act 1923, a Boiler is defined as any closed vessel exceeding 22.75 liters in capacity which is used exclusively for generating steam under pressure and includes any mounting or accessories attached to such vessel, which is wholly or partially under pressure, when steam is shut off.
A good Boiler should have some essential qualities:
1. Capable of meeting large load fluctuations.
2. Fuel efficient, i.e. generates maximum steam with minimum fuel consumption.
3. Ability to start up quickly.
4. Easy in maintenance and inspection.
5. Occupies less floor space.
6. Lower friction loss in water and flue gas circuit.
7. Little attention needed for operation and maintenance.

Systems in a Boiler
A Boiler mainly contains the following systems:
1. Feed water system.
2. Steam system.
3. Air system.
4. Flue gas system.
5. Fuel handling system.
6. Ash handling system.

Boiler Mountings
Fittings on a Boiler which are required for its safe and efficient operation are called mountings. These are as follows:
1. Safety valve
2. Water level sight glass (gauge glass)
3. Pressure gauge
4. Blow down valve
5. Main steam stop valve
6. Feed water check valve (NRV)
7. Air vent
8. Start-up vent
9. Manhole

Boiler Accessories
The devices which are used in a Boiler as an integral part and help to run the Boiler efficiently are called Boiler Accessories. These are:
1. Super heater
2. De-super heater
3. Economizer
4. Air Pre-heater
5. Soot Blower
6. Feed Pump
7. ID and FD fans
8. Ash Removal system
9. Fuel supply system
10. Dosing system
11. Deaerator

Steam Generation In A Boiler (contd.)

In a Boiler, fuel is burnt to release the heat energy stored as chemical energy in the fuel. This heat energy is utilized to produce steam from feed water.

Fuel is fired in the furnace of the Boiler. Different fuels are used in different Boilers, and the furnace is designed accordingly. Water tubes are arranged around the furnace and flue gas path. The water tube arrangement made around the furnace is called the water wall. Feed water is circulated in these tubes. Water comes to the water wall from the Boiler drum, and circulates back to the drum after absorbing heat. Due to the difference in density created by the difference in temperature, water circulates in these tubes naturally. Therefore, it is called Natural Circulation.

During circulation of water in the tubes, steam is generated and collected at the upper part of the Drum. This is called Saturated Steam corresponding to Boiler drum pressure. This steam is further heated in Superheaters and becomes superheated steam.

The Boiler Drum is filled with fresh feed water. The feed water, before entering the drum, is heated in the Economizer. The Economizer is placed in the flue gas path. Most of the heat of the flue gas is utilized inside the Boiler; still, a considerable amount of heat energy is available in it. This heat is utilized in the Economizer to heat up the feed water.

For burning of fuel, the required Oxygen is obtained from atmospheric air. Air is required in the Boiler furnace for combustion. This is supplied by the Forced Draught (FD) fan. This air is heated in the air pre-heater (APH) before being sent into the furnace; if cold air were used there would be a loss in energy. The Air pre-heater is placed in the flue gas path after the Economizer. The Air pre-heater is a heat exchanger which transfers the heat of the flue gas to the cold air which is to be used in the furnace. By heating the air, burning of fuel is easier and loss of energy is minimized. If hot flue gas were not used to heat up feed water in the Economizer and air in the Air Pre-heater, that heat would escape into the atmosphere.

Finally the flue gas passes through the Electrostatic Precipitator (ESP) and is exhausted to the atmosphere through the chimney. In the ESP the dust particles in the flue gas are trapped and clean gas escapes to the atmosphere.

Ash which is produced in the Boiler due to combustion of solid fuel is collected at the Boiler bottom and also in the Economizer, Air Pre-heater and ESP. This ash is disposed of with the help of a suitable ash handling system.

Preparations for Cold Start-up

1. All the manhole doors should be in closed condition. Tightness of the nuts and bolts of the manhole doors is to be checked properly.
2. All the water wall drain lines should be in closed condition.
3. All the steam drain lines should be in open condition.
4. Start-up vent root manual isolation valve should be in open condition.
5. Drum level should be at Normal Water Level (NWL).
6. Continuous Blow Down (CBD) and Intermittent Blow Down (IBD) drains should be in closed condition.
7. All the super heater vents including Drum vent and Puppy Header vent should be in open condition.
8. Before and after isolation valves at the Feed Control Station (FCS) should be in open condition.
9. Attemperation control valve before and after isolation valves should be in open condition.
10. Hydrastep should be in healthy condition.
11. Safety valves should be in healthy condition.
12. Main Steam stop valve and by-pass valve should be in closed condition.
13. Soot blower manual isolation valve and control valve should be in closed condition.
14. Boiler Drum gauge glass steam side and water side isolation cocks should be in open condition.
15. HP Dosing pumps should be in healthy condition; open the suction and discharge valves of the pump.
16. Solution in the HP Dosing agitator tank should be at normal level.
17. Boiler Feed Pumps should be in healthy condition.
18. Deaerator water level should be maintained at 60% by taking the DM Transfer pump into service.
19. Air compressors should be in healthy condition.
20. Ash handling systems should be in healthy condition.
21. ESP should be in healthy condition.
22. ID fan damper should be in zero position.
23. All the interlocks and protections should be checked properly, viz. Drum level low, Deaerator level low, Boiler Feed Pump (BFP) discharge pressure low, flue gas temperature at Post Combustion Chamber (PCC) outlet high, silo level.

Cold Start-up Process

1. After Kiln light-up, when flue gas temperature at PCC outlet increases to more than 450 deg C, open the ID fan damper 5%. Due to the natural draught created by the chimney, flue gas passes through the Boiler and slow heating and expansion take place.
2. After opening the ID fan damper, Boiler furnace temperature rises slowly. When the furnace temperature rises to 250 deg C, open the ID fan damper 10%.
3. When flue gas temperature at PCC outlet rises to more than 600 deg C, close the ID fan damper and start the ID fan.
4. When Drum pressure reaches 5 kg/cm2, close the Drum vent and Puppy header vent.
5. When Boiler Drum pressure reaches 20 kg/cm2, give blow down of the water wall to remove the deposition or sludge.
6. By adjusting damper opening, raise the Boiler pressure up to 45 kg/cm2 and 485 deg C.
7. Start-up vent should be in open condition from the admission of hot flue gas into the boiler.
8. Open the Main steam line drains between the Boiler Main Steam Stop Valve (MSSV) and the TG MSSV.
9. Open the MSSV by-pass valve to remove all the condensate in the main steam line and ensure that the TG MSSV is in closed condition.
10. After removal of all the condensate in the Main steam line and proper line heating, open the Main Steam stop valve of the Boiler.
11. Close Super heater drains.
12. Put Drum level controller in Auto mode.
13. Put Attemperator controller in Auto mode.
14. Close Start-up vent as per the steam demand of the TG set.
15. Charge ESP when flue gas temperature after the Economizer reaches 160 deg C.


Start-up of Waste Heat Recovery Boiler (WHRB)

Hot Start-up

Start-up of the Boiler within 2 hrs of tripping of the Boiler is known as Hot Start-up of the Boiler.
1. Ensure the Drum level of the Boiler. It should be at Normal water level.
2. Start Air Compressors.
3. Start Boiler Feed water Pump.
4. Start ID fan with ID damper in zero position.
5. Open Start-up vent.
6. Slowly open damper of ID fan. Watch Drum level.
7. Regulate Boiler pressure by opening start-up vent.
8. Super heater temperature has to be maintained with the help of the attemperator control valve.
9. Raise the Boiler pressure up to 45 kg/cm2 and temperature to 485 deg C.
10. Open the drains of the Main steam line between the Main Steam Stop Valve (MSSV) of the Boiler and the Turbine.
11. Open by-pass valve of MSSV.
12. Condensate, if any, will be drained out and main steam line heating will be carried out by opening of the by-pass valve.
13. After ensuring proper Main steam line heating, open Main steam stop valve.
14. Close all drains in main steam line.
15. Charge ESP when flue gas temperature at Economizer outlet reaches 160 deg C.
16. Put drum level controller and attemperator controller in Auto mode.
17. Regulate the pressure of the Boiler with the help of start-up vent.
18. Close Start-up vent as per the steam demand of the TG set.
19. Normalize ID fan damper by gradual opening and loading of the Boiler.

Charging of Deaerator

It removes the dissolved gases from the condensate mechanically by following two laws:
1. Henry's Law
2. Dalton's Law of Partial Pressure.

According to Henry's Law, the solubility of dissolved gases decreases with increasing water temperature. So by charging steam into the Deaerator, the water temperature increases and the gases dissolved in the condensate depart.

According to Dalton's Law of Partial Pressure, Pm = Ps + Pa

Where Pm = Partial pressure of Mixture
Ps = Partial pressure of Steam
Pa = Partial pressure of Air

The partial pressure of air present inside the Deaerator comes out through the Deaerator vent for equilibrium state.

Procedure Of Charging
1. Ensure DM Storage Tank level is more than 60%.
2. Start DM Transfer Pump by opening the recirculation valve.
3. Ensure Deaerator level is 60%. If the level is less, then take make-up water.
4. Open all drain lines of the Pegging PRDS line and observe that condensate is completely drained out.
5. Slowly open the Pegging PRDS pressure control valve and ensure that condensate is drained out completely. Then close the drains.
6. Gradually increase the pressure to 2.8 kg/cm2 by opening the pegging PRDS pressure control valve further.
7. Slowly heat the Deaerator by opening the heating line isolation valve and raise the Deaerator temperature to 90 deg C.
8. Open the before and after isolation valves of the Deaerator pressure control valve. Then open the pressure control valve gradually. Slowly increase the Deaerator pressure up to 2 kg/cm2. After that put the Deaerator pressure control valve in Auto mode.
9. Start LP Dosing pump.
10. In LP Dosing, Hydrazine is used. Hydrazine removes oxygen by chemical reaction.
11. EQUATION: N2H4 + O2 = 2H2O + N2
12. By adding Hydrazine, dissolved oxygen becomes water and nitrogen gas is released.

WHRB Interlocks
1. If Drum level becomes very low, i.e. 25%, then ID fan trips and Emergency cap opens.
2. This is to protect the Boiler tubes. At low Drum level, heat flux input has to be cut off to protect the Boiler tubes, otherwise starvation takes place.
3. If PCC outlet temperature rises to 1050 deg C then ID fan damper becomes zero and Emergency cap opens.
4. This protection is incorporated to protect the Boiler tubes from overheating.
5. If all BFPs trip then ID fan damper becomes zero and Emergency cap opens.
6. When all running BFPs trip, then Drum level falls drastically. To protect the Boiler from starvation, heat flux input should be cut off.
7. If Deaerator level becomes very low, i.e. 25%, then all BFPs trip.
8. Running of BFPs at low Deaerator level is harmful for the pump.
9. If Ash Silo level is high, all ash handling systems stop.
10. When the ash Silo is at high level, conveying more ash from the ash handling systems results in blockage of the ash conveying line. To prevent this, it is better to stop the systems and unload ash from the Ash Silo.
11. Boiler Main steam stop valve will not open if the by-pass MOV of the MSSV is in closed condition.
12. This protection is to avoid line hammering due to presence of condensate in the main steam line and to prevent carry over of condensate towards the Turbine side.
13. Boiler Feed Water MOV will not open if the by-pass MOV of the Feed water MOV is in closed condition.
14. If feed water is empty in the Economizer and in the pipe line after the Feed water MOV, then opening the Feed water MOV directly without opening the FW by-pass MOV will lead to overloading of the BFP, resulting in BFP trip.
15. ESP trips if Ash Hopper level is high.
16. ESP has high voltage. Ash has presence of combustibles.
17. This protection is to safeguard the ESP at Ash Hopper level high.
18. ESP cannot be charged without starting the Purge Air Blower.
19. This is to seal the ESP with air from the Purge Air Blower before charging it.
20. ESP cannot be charged till flue gas inlet temperature reaches 160 deg C.
21. This is to avoid deposition of moisture and oil content in flue gas on the ESP.
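The permissive/interlock distinction explained earlier in "Permissive, Interlock - Difference" and the WHRB protections listed above, written as a small rule evaluator. This is an added example, not the plant's or the author's control logic: the signal names, the `Rule` and `Device` types and the plant snapshots are constructed for illustration, and only the thresholds (25% drum and deaerator level, 1050 deg C PCC outlet, 160 deg C ESP inlet) come from the list above. The evaluator goes slightly beyond the page by treating the ESP charging conditions and the MSSV and feed water MOV by-pass conditions as permissives of the same engine, which is how the page's own statement "an interlock can also be a permissive, but the converse is not true" plays out in code.

```python
"""Permissives and interlocks as evaluated rules (added example; the signal
names, rule table and readings are constructed for illustration, not the
plant's own logic). Thresholds follow the WHRB interlock list.

A permissive is checked only when a device is asked to start; an interlock
is checked on every scan while the device runs and trips it. An active
interlock also blocks a start, but a failed permissive never trips a device
that is already running.
"""
from dataclasses import dataclass, field
from typing import Any, Callable

Reading = dict[str, Any]   # one snapshot of plant signals (constructed names)


@dataclass
class Rule:
    kind: str                            # "permissive" or "interlock"
    device: str                          # device the rule governs
    description: str
    violated: Callable[[Reading], bool]  # True when the rule blocks or trips


RULES = [
    # Interlocks: trip a running device (page items 1, 3, 5, 7, 9, 15)
    Rule("interlock", "id_fan", "drum level very low (25%)", lambda r: r["drum_level_pct"] <= 25),
    Rule("interlock", "id_fan", "PCC outlet temperature 1050 deg C", lambda r: r["pcc_outlet_c"] >= 1050),
    Rule("interlock", "id_fan", "all BFPs tripped", lambda r: r["bfps_running"] == 0),
    Rule("interlock", "bfp", "deaerator level very low (25%)", lambda r: r["deaerator_level_pct"] <= 25),
    Rule("interlock", "ash_handling", "ash silo level high", lambda r: r["ash_silo_high"]),
    Rule("interlock", "esp", "ash hopper level high", lambda r: r["ash_hopper_high"]),
    # Permissives: block a start only (page items 11, 13, 18, 20)
    Rule("permissive", "mssv", "MSSV by-pass MOV open", lambda r: not r["mssv_bypass_open"]),
    Rule("permissive", "fw_mov", "feed water by-pass MOV open", lambda r: not r["fw_bypass_open"]),
    Rule("permissive", "esp", "purge air blower running", lambda r: not r["purge_blower_running"]),
    Rule("permissive", "esp", "flue gas inlet temperature 160 deg C", lambda r: r["esp_inlet_c"] < 160),
]


@dataclass
class Device:
    name: str
    running: bool = False
    trip_log: list = field(default_factory=list)


def failed_permissives(device: str, reading: Reading) -> list[str]:
    return [r.description for r in RULES
            if r.kind == "permissive" and r.device == device and r.violated(reading)]


def active_interlocks(device: str, reading: Reading) -> list[str]:
    return [r.description for r in RULES
            if r.kind == "interlock" and r.device == device and r.violated(reading)]


def request_start(dev: Device, reading: Reading) -> list[str]:
    """Start the device if nothing blocks it; return the blocking conditions (empty on success)."""
    blocking = failed_permissives(dev.name, reading) + active_interlocks(dev.name, reading)
    if not blocking:
        dev.running = True
    return blocking


def scan(dev: Device, reading: Reading) -> list[str]:
    """One scan cycle: trip a running device on any active interlock; return what tripped it."""
    if not dev.running:
        return []
    tripped = active_interlocks(dev.name, reading)
    if tripped:
        dev.running = False
        dev.trip_log.append(tripped)
    return tripped


# Constructed healthy snapshot used by the demonstration below
HEALTHY: Reading = {
    "drum_level_pct": 50, "pcc_outlet_c": 900, "bfps_running": 1,
    "deaerator_level_pct": 60, "ash_silo_high": False, "ash_hopper_high": False,
    "mssv_bypass_open": True, "fw_bypass_open": True,
    "purge_blower_running": True, "esp_inlet_c": 170,
}

if __name__ == "__main__":
    esp = Device("esp")
    print("blocked by:", request_start(esp, {**HEALTHY, "purge_blower_running": False}))
    print("blocked by:", request_start(esp, HEALTHY))                 # [] and the ESP is charged
    print("tripped by:", scan(esp, {**HEALTHY, "esp_inlet_c": 120}))  # [] a permissive does not trip
    print("tripped by:", scan(esp, {**HEALTHY, "ash_hopper_high": True}))
```

Keeping the rules as data rather than scattered `if` statements makes the protection matrix reviewable against the written list, and the trip log records which condition caused each trip so that a restart attempt can be checked against the page's rule that all permissives must be satisfied again.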

1. Decrease in Drum level

a. Tripping of Feed Pump

If the Boiler feed pump trips then feed water supply to the Boiler is interrupted and leads to lowering of Drum level. If this has happened then ensure that the auto stand-by Boiler feed pump has started in Auto mode. If the auto stand-by Boiler feed pump has failed to start in Auto mode then start the Boiler feed pump manually, otherwise the Boiler will suffer from starvation and ultimately it will lead to Boiler trip to protect the Boiler.

b. Tube failure in Economizer

If a Boiler Economizer tube fails then water supply to the Boiler Drum will be affected. This leads to a decrease in drum level and the Feed Control valve will open more to compensate the Drum level to Normal water level, which leads to overloading of the Boiler Feed pump.
Observe the steam flow and feed water flow. If feed water demand to the drum is increasing then listen for any sound from the furnace. If a tube has failed inside the boiler then a hissing sound comes and it can be noticed from outside. Simultaneously check the smoke from the chimney. If it is of white colour then tube failure inside the furnace is confirmed.

c. Unit getting into Island mode

When the Unit comes to Island mode, it follows the load connected to the Generator. Suppose the Unit is generating more power than the Unit load and exporting to the Grid. At the time of Islanding, the Generator will follow the load connected in this Unit, and the Governing Control Valves would close according to the load and allow the corresponding steam to pass through the Turbine. The surplus amount of steam will remain in the Boiler, which increases the Drum pressure. This drum pressure will exert a downward thrust on the drum level and it decreases drastically.

d. Whether CBD valve, EBD valve or IBD valve opened?

If any operating personnel has opened any of these valves without proper reason or intimation then also the drum level decreases rapidly. Ensure first, then close the valve or regulate it observing the drum level.

2. INCREASE IN DRUM LEVEL

a. Whether Cold start-up in Boiler is in progress?

During Cold start-up, when water temperature reaches 90 deg C, formation of bubbles starts. This is known as the swelling phenomenon. If this is the case then blow down has to be given to maintain the drum level at Normal water level.

b. Whether Instrument air compressor tripped and air lock unit at feed control station failed?

If the Instrument air compressor trips, then the air lock unit of the control valve at the feed control station keeps the control valve at the position at which it was before the supply of instrument air failed. This is known as the stay-put condition. If the air lock unit fails to keep the feed station control valve in the stay-put condition, then when the supply of instrument air fails, it leads to 100% opening of the control valve. If this happens, start the instrument air compressor as early as possible and regulate the feed station control valve.

c. Whether Start-up vent has opened or safety valve popped up?

By opening the start-up vent when the Boiler is in steaming condition and supplying steam to the Turbine, Drum level increases rapidly due to release of pressure in the drum. If the steam demand in the TG has reduced to a large extent then it results in a quick Boiler drum pressure rise, and at that instant drum level falls rapidly. When the start-up vent is operated to release the surplus steam or the safety valve pops up, then drum level increases rapidly. In this case at first ensure for what reason the pressure in the Boiler has increased. If drum level is increasing drastically then give blow down to regulate it, because at higher drum level the steam quality will be affected and carry over of water particles to super heaters and turbine will take place, which is very harmful.

d. Whether Start-up vent has opened or safety valve popped up? (Continued)

This operation should not be carried out when the Boiler is in loaded condition. Do not close the Feed Control valve fully if drum level rises, because if the control valve is closed completely, the feed water in the Economizer tubes, which was passing to the Drum, will become steam due to heat in the flue gas, and when feed water supply through the Economizer is again established through the Feed control valve, hammering occurs in the Economizer tubes due to the presence of steam. This may lead to Economizer tube failure. After ensuring the reason, close the start-up vent and dump the surplus steam in the Condenser. Ensure that the safety valve has been reset in its position and no passing is observed.

e. Whether drum level transmitter is malfunctioning?

If the drum level transmitter is malfunctioning then observe the level in the hydrastep and immediately inform the shift in-charge and instrument personnel about this.

f. Whether rapid heat supply to Boiler?

If heat supply to the Boiler is increased suddenly by a huge amount then it affects the drum level and it swells. To avoid this, regulate the heat input supply in a gradual loading manner. Sudden and huge heat supply will overheat the grain structure of the tubes and they suffer from fatigue. In course of time the tube fails.

g. Whether stand-by Boiler Feed Pump has started?

When the stand-by Boiler feed water pump has started with the Boiler feed water pump already running, the Drum level increases, because at the existing opening of the Boiler feed control valve, when feed water pressure increases, more feed water flows to the drum through that opening and leads to an increase in drum level. This case normally happens during scheduled equipment change over of the Boiler feed water pump. At first the stand-by feed water pump is started and the discharge valve of the respective feed water pump is opened. After that the previously running Boiler feed pump is stopped. Ensure whether it is a scheduled equipment change over.

h. Whether TG has come to Island mode?

If the TG has come to Island mode then Boiler pressure increases, as steam demand is cut off because the Generator has to follow the load connected to it in this unit. If the unit was exporting power to the Grid then the surplus power will be reduced at that instant, which the Governor of the TG set will follow. It closes the control valve and steam pressure rises in the Boiler accordingly. Ensure that the unit is running under Island mode. Open the start-up vent to release the pressure. Ensure whether the Safety valve has popped up or not; if popped up, whether it has reset properly or not. Observe the drum level during this operation. Observe whether the Dump control valve is functioning properly or not. If it is responding properly then try to supply steam to the condenser by closing the start-up vent after ensuring that Boiler pressure has reduced and the safety valve has reset.

i. Whether TG tripped?

If the turbine trips then steam demand in the Turbine will be cut off, resulting in Boiler pressure rise. Ensure the Dump circuit is healthy. Open the control valve of the dump and close the start-up vent after ensuring that the safety valve has reset.

j. Whether any Cooling water pump in TG has tripped?

When the Cooling water pump in the TG for Condenser condensate cooling trips, then the vacuum in the condenser drops quickly, and at that instant if the auto stand-by pump fails to start then the load set point at the Generator has to be reduced with immediate effect. Otherwise the TG will trip due to low vacuum. When the load set point at the Generator is decreased suddenly then Boiler pressure increases. In this case communicate with the TG operator, open the start-up vent and lower the load set point. Try to start the Main cooling water pump manually. After restoration of the cooling water pump, divert the steam from the start-up vent to the dump circuit by closing it and normalize the load of the Generator.

3. Decrease in Boiler Steam Pressure

a. Whether flue gas inlet temperature has reduced?

If flue gas inlet temperature reduces then steam generation in the Boiler reduces and pressure drops. This has to be observed very carefully and the generator load set point has to be lowered, otherwise the TG will trip when the Main steam pressure becomes low.

b. Whether more steam demand at TG end?

Suppose the unit is running at low load, as steam generation in the Boiler is low, and the TG is running with a low load set point; the unit is importing power from the Grid. If, as a mal-operation, the load set point at the Generator is set higher than the steam generation, then Boiler pressure decreases. If the unit comes to Island mode then the Generator will follow the load which is connected to it, and the load at the Generator increases beyond the steam generation in the Boiler, so Boiler pressure decreases. As we cannot change the load set point of the Generator by putting a lower set point value, load on the Generator has to be lowered by cutting off the load connected to it. Choose the less important load connected to the Generator and cut it off as quickly as possible, otherwise the unit will suffer from a black out condition due to TG trip at Main steam pressure low while Grid power is unavailable.
The same case happens when the steam generation in the Boiler is low.

c. Whether superheater tube failed?

If a superheater tube fails then Boiler steam pressure decreases. Observe steam flow and feed water flow. If steam flow is on a lowering trend and feed water flow is on an increasing trend then it indicates that a tube has failed. If the tube failure has occurred inside the furnace then white smoke comes out from the chimney. When steam pressure decreases, reduce the Generator set point accordingly to avoid TG trip at main steam pressure low and ensure whether a tube has failed or not. If a tube has failed then Boiler shut down has to be taken to replace the failed tube with a new tube.
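The flow-trend indicator used here and in the Economizer tube failure case (decreasing steam flow together with increasing feed water flow), as a check that can run over logged readings. This is an added example, not the author's or the plant's logic; the flow readings are constructed, the window length and slope threshold are assumptions to be tuned per plant, and a least-squares slope is used so that one noisy sample does not raise the indication.

```python
"""Trend check for the tube-failure indicator the page describes (added example;
the readings are constructed, not plant data): steam flow trending down while
feed water flow trends up suggests a leaking economizer or superheater tube.
A least-squares slope over a sliding window is used so that a single noisy
sample does not raise the indication.
"""
from statistics import mean


def slope(values):
    """Least-squares slope of the values against their sample index (units per sample)."""
    n = len(values)
    x_mean, y_mean = (n - 1) / 2, mean(values)
    num = sum((x - x_mean) * (y - y_mean) for x, y in enumerate(values))
    den = sum((x - x_mean) ** 2 for x in range(n))
    return num / den


def tube_failure_suspected(steam_flow, feed_flow, window=6, min_slope=0.5):
    """True when, over the last `window` samples, steam flow falls and feed water
    flow rises by at least `min_slope` units per sample each (assumed thresholds)."""
    if len(steam_flow) < window or len(feed_flow) < window:
        return False
    return (slope(steam_flow[-window:]) <= -min_slope
            and slope(feed_flow[-window:]) >= min_slope)


def scan_trends(steam_flow, feed_flow, window=6, min_slope=0.5):
    """Sample indices at which the indicator is true on the data seen up to that sample."""
    return [i for i in range(window - 1, len(steam_flow))
            if tube_failure_suspected(steam_flow[:i + 1], feed_flow[:i + 1], window, min_slope)]


# Constructed readings in t/h: eight steady samples, then steam flow falls 2 t/h per
# sample while feed water flow rises 2 t/h per sample (water leaking to the gas side).
STEAM_FLOW = [100] * 8 + [98, 96, 94, 92, 90, 88]
FEED_FLOW = [102] * 8 + [104, 106, 108, 110, 112, 114]

if __name__ == "__main__":
    print("indication at samples:", scan_trends(STEAM_FLOW, FEED_FLOW))  # [9, 10, 11, 12, 13]
```

The indication is only a prompt to look further: the page's confirming signs (hissing from the furnace, white smoke from the chimney) are observed in the field, and the windowed slope keeps a single bad transmitter sample from triggering that inspection.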

d. Whether ID fan damper has closed to zero position?

This case happens when flue gas temperature at the Post Combustion Chamber reaches 1050 deg C. Flue gas flow to the Boiler is cut off when the ID damper closes. It means heat supply to the Boiler has been cut off. It results in less steam generation. So when the ID damper closes due to high PCC temperature, immediate load reduction has to be carried out at the Generator to avoid TG trip due to Main steam pressure low.

e. Whether hand lever of Safety valve has been operated?

If any person has operated the hand lever of the safety valve for some time without proper communication with the operating personnel, then Boiler steam pressure decreases and drum level increases.

4. INCREASE IN MAIN STEAM TEMPERATURE

a. Whether Boiler is loaded with a huge amount of heat suddenly?

Main steam temperature rises if the flue gas temperature at Boiler
inlet rises suddenly. As the superheaters are located in the
convection zone, a rise in flue gas temperature increases the
superheater temperature. If the attemperator control valve fails to
control the main steam temperature, the TG will trip due to main
steam temperature high. To avoid this, if main steam temperature
rises due to a rise in flue gas temperature, immediately take the
attemperator control valve to manual mode and increase attemperation.
Also communicate with the kiln personnel about the sudden rise in
flue gas temperature.

b. Whether Soot Blowing is in progress?

During soot blowing, steam temperature rises because more steam is
required for soot blowing and heat input to the Boiler has been
increased by opening the ID fan damper. So during soot blowing, main
steam temperature has to be observed carefully. If the attemperator
control valve fails to control the rise in main steam temperature in
auto mode, it has to be controlled by taking it to manual mode.

c. Whether Attemperation control valve is in manual mode, or a wrong
value command was input by the operator?

Normally this happens when there is a high fluctuation in main steam
temperature and the attemperation control valve fails to control the
temperature in Auto mode. The concerned operator then has to take the
attemperation control valve to manual mode to control the
temperature. But if he forgets to put this control valve back in Auto
mode after stabilization of main steam temperature, it remains in
manual mode and, during more heat input from the Kiln, the main
steam temperature rises. Also, sometimes the operator puts a wrong
value command for attemperation control valve opening from the
control station in manual mode, which results in an increase in main
steam temperature.

d. Whether the isolation valves before and after the attemperation
Control valve were forgotten to be opened?

This situation comes during cold start-up of the Boiler, if
inspection and checking were not done properly by the operation
personnel. During the initial period this cannot be noticed, but when
the main steam temperature rises and the attemperation control valve
is opened, water flow cannot be established because the before and
after isolation valves are in closed condition. So care has to be
taken for proper inspection and checking before startup.

5. DECREASE IN MAIN STEAM TEMPERATURE

a. Whether inlet flue gas temperature has dropped?

If the flue gas inlet temperature drops due to a problem on the Kiln
side, main steam temperature decreases. So if main steam temperature
is on a decreasing trend, first observe the flue gas inlet
temperature to the Boiler.

b. Whether Load set point given in Generator is more than the Steam
generation?

If the Load set point in the Generator is set higher than the steam
generation in the Boiler, main steam pressure decreases and main
steam temperature also decreases.

c. Whether valve seat of Attemperation control valve is eroded?

This situation comes during Low Load operation of the Boiler. If heat
input to the Boiler is low, steam generation reduces and so does
power generation. At that time feed water passes through the eroded
valve seat of the attemperation control valve and decreases main
steam temperature.

d. Whether ID damper has gone to Zero due to PCC outlet temperature
High?

When the Post Combustion Chamber temperature increases above 1050°C,
the ID damper opening becomes Zero. At that time heat supply to the
Boiler from the Kiln stops suddenly, resulting in a rapid decrease in
main steam temperature. If this situation arises, the attemperation
control valve has to be taken from Auto mode to Manual mode and the
decreasing main steam temperature has to be controlled.

6. FURNACE DRAUGHT TOWARDS POSITIVE SIDE

a. Whether tube failure has occurred inside furnace?

In the furnace, the draught is maintained on the negative side to
carry the hot flue gas, ash and other suspended particles from the
kiln to the chimney through the ID fan. If a Boiler tube fails inside
the furnace, the draught goes towards the positive side, as steam
density is higher than air density. It also adds an additional load
on the ID fan, so the ID fan draws more current in this situation.

b. Whether draught transmitter is showing wrong value?

This can be known if the other draught transmitters in the flue gas
path are showing the right value and one of them is showing an
erratic value. This problem should be brought to the notice of the
shift in-charge and instrumentation personnel.

7. LONG RETRACTABLE SOOT BLOWER IS NOT AT ITS ORIGINAL POSITION

a. Whether Long Retractable soot blower's chain has broken during
Soot Blowing operation?

If the chain breaks at an intermediate position of the lancer tube
during soot blowing by the LRSB, the motor will be unable to retract
it to its original (home) position. Check the position of the lancer
tube when soot blowing is in progress and the chain has broken. In
this situation, do not cut off steam flow through the lancer tube,
because it is situated in a high heat zone, i.e. the convection zone.
As the steam acts as a coolant, it will carry away the heat added to
the lancer tube and protect it from overheating and bending. The
lancer tube has to be drawn out manually. After ensuring that it has
been drawn to its home position, steam through the lancer tube can be
cut off and chain maintenance work can be carried out.

b. Whether home position limit switch is malfunctioning?

This may happen after completion of soot blowing by the Long
Retractable Soot Blower. The limit switch at home position may not
give home position feedback of the LRSB due to malfunction. If this
happens, the position of the lancer tube has to be checked
immediately. The limit switch at home position has to be rectified
by the Instrumentation department.

8. HAMMERING OF MAIN STEAM LINE DURING CHARGING

Usually main steam line hammering occurs if the condensate present in
that line is not properly drained out and the pipe line is in cold
condition. If a huge amount of steam is allowed to pass through that
pipe line, line hammering takes place, which is very harmful for the
pipe line. To avoid this, always open the drain of the pipe line and
observe that the condensate is drained properly. After completion of
condensate draining, warm up the pipe line with a very small quantity
of steam and gradually increase the pipe line temperature. After
confirming that the line is properly heated, more steam flow can be
allowed.

Steam Turbine

A steam turbine is a mechanical device that extracts thermal energy
from steam and converts it into mechanical work. The interior of a
turbine consists of several sets of blades. Some sets of blades are
fixed to the casing (Fixed Blades) and some sets are fixed on the
rotor (Moving Blades).
Fixed blades convert the potential energy of the steam into kinetic
energy and direct the flow to the moving blades. Moving blades
convert this kinetic energy into force, caused by the pressure drop,
and result in rotation of the turbine shaft. Steam is allowed to
enter the turbine through the control valve. After passing through
the different stages of blades, this steam is allowed to exhaust. The
exhaust steam is condensed in a condenser and the condensate is then
reused in the boiler.

1. Impulse Turbine
2. Reaction Turbine

1) IMPULSE TURBINE:
In an Impulse turbine, instead of a set of fixed blades, a set of
nozzles is fitted in the casing. The pressure drop of the steam takes
place in these nozzles and the velocity of the steam increases. This
high velocity jet of steam contains a significant amount of kinetic
energy. This high velocity steam is passed through a set of moving
blades, where the pressure of the steam remains constant and its
velocity decreases.

2) REACTION TURBINE:
In a reaction turbine, fixed blades are fixed in the casing. The
shape of these blades is such that the space between the blades has
the same cross section as a nozzle. Moving blades are fixed to the
rotor. Fixed blades guide the steam to the moving blades. The blade
shape is so designed that the steam glides over the blades. Steam,
while gliding over the moving blades, produces a reaction on the
blade. This reaction force rotates the rotor.
1. Casing
2. Rotor
3. Moving Blade
4. Fixed Blade
5. Steam Sealing System
6. Bearing
   - Journal Bearing
   - Thrust Bearing
7. Gland
8. Exhaust Hood
9. Emergency Stop Valve
10. Governing Valve And Control Valve
11. Barring Devices
12. Governing Systems

CASING

The casing of a turbine plays an important role in the performance
of the turbine. It is the outer shell of the turbine; fixed blades
and nozzles are attached to it. The casing accommodates the moving
parts and provides the passage for steam. Normally it is formed by
casting. As the temperature of the steam operating the turbine is
high, Cr-Mo alloy steel casting is normally used for the casing of a
turbine. Metal-to-metal joint sealing is done to ensure no leakage
of steam.

ROTOR

The rotor is the moving part of the turbine which extracts work from
the steam. It is the heaviest part of the turbine. Normally the whole
shaft is manufactured by forging. The rotor consists of the shaft,
moving blades and inter-stage sealing labyrinths. A thrust collar is
provided to take care of the axial thrust of the rotor under various
load conditions. The rotor of the turbine is allowed to expand
uniformly. The rotor should not be allowed to remain standing still
when it is hot, as due to its self weight there is a chance of
sagging or deformation.
Moving Blades

The enthalpy of steam is converted into rotational energy as it
passes through the turbine blade sets. In each stage of the turbine
there are moving and fixed blades. As the pressure of the steam
decreases in each stage, its volume increases, so the blades have to
handle a larger volume of steam. The blades have to withstand the
high pressure and temperature of the steam. Good tensile and fatigue
strength is required. Good vibration damping, low ductility and
resistance to corrosion and erosion are essential. A blade can be
divided into three portions:
1. Tip
2. Profile
3. Root

Fixed Blades

Fixed blades facilitate the expansion of steam and guide it to flow
over the subsequent moving blade row. The partitions between pressure
stages in a turbine casing are called diaphragms. They hold the vane
shaped nozzles or fixed it

MAIN COMPONENTS OF STEAM TURBINE

1. JOURNAL BEARING

A journal bearing is a cylinder which surrounds the shaft and is
filled with some form of fluid lubricant. It consists of a split outer
shell of hard metal with soft metal at the inner cylindrical part. In
this bearing a shaft or journal rotates inside the bearing over a
layer of lubricating oil, which separates the shaft and bearing by a
fluid film on the hydrodynamic principle. The inner surface of this
bearing is coated with a soft metal called white metal or Babbitt,
which is a tin or lead based alloy.

2. THRUST BEARING

Journal bearings take the radial load of the shaft, but they cannot
take axial load. The shaft is permitted to float in both axial
directions, but the axial float is restricted to a certain limit, as
excessive axial shift may damage rotating and fixed parts. For this,
a thrust bearing is provided.

EMERGENCY STOP VALVE

This valve is normally hydraulically operated. The valve opens
hydraulically against a spring force. To close the valve, the
hydraulic fluid is drained and the valve closes immediately due to
the force of the spring. This valve is normally of the fully open /
fully closed type.

Auxiliary System Of Steam Turbine

1. OIL SYSTEM
   - Oil tank
   - Oil Pump
   - Oil Cooler
   - Oil Filter
   - Oil Centrifuge
   - Oil Over Head Tank
   - Accumulator
2. CONDENSATE SYSTEM
3. GLAND SEALING SYSTEM
4. STEAM EJECTOR AND VACUUM SYSTEM
5. CONDENSER
6. COOLING WATER SYSTEM

Turbine Cold Startup Sequence Method

Operation of a steam turbine is a complex process. Before starting
the rolling of a turbine, the auxiliary systems have to be properly
put in service. Normally, for start-up of a turbine, the following
operations are carried out in sequence.

Charging of Steam Pipe Line

From the Boiler, steam is carried to the turbine through the main
steam pipe line. In cold condition, special care is to be taken to
heat up the steam line and allow gradual thermal expansion before
giving full load on the turbine.
Drain points are provided on the steam line to drain out the
condensate that forms in the pipe line due to condensation of steam.
First of all, these drains are opened before charging steam into the
pipe line. After the condensate is drained out, the boiler main steam
stop bypass valve is opened slowly.
Some steam is allowed to flow through the pipe line; the line starts
gaining heat from the steam and the steam is condensed. At the
beginning, condensate along with some steam is allowed to come out
through the drains. These drains are throttled slowly and closed when
no more condensate but only dry steam comes out of the drain.
The steam traps provided in the pipe line are put in line once the
drains are closed. Then the Main Steam Stop Valve of the boiler is
opened slowly so that the line temperature increases gradually.
Ensure extraction is not restricted anywhere. Watch the temperature
of the bypass reaching the normal level, after which the stop valve
of the boiler can be opened fully.
To circulate cooling water in the Condenser, the cooling water pumps
are to be started.

Before starting pump

1. Ensure the sump level of the cooling tower basin is normal (>80%).
2. Keep the suction valve of the pump in open condition and the
   discharge valve in closed condition.
3. Ensure the inlet and outlet cooling water valves of the Condenser
   and the distributor valves of the cooling tower are in open
   condition.
4. Ensure the vents provided at the Condenser water box are in open
   condition to remove trapped air.
5. Start the pump and open the discharge valve.
6. Observe whether cooling water is falling on the cooling tower or
   not.
7. Ensure that the distribution of cooling water in all chambers is
   equal, otherwise adjust the valves provided at the distribution
   header.
8. Observe whether all the cooling water pumps are sharing load or
   not.
9. Once the Turbine is started and loaded, cooling tower fans can be
   started one by one as per requirement.

Starting Of M.O.P (Main Oil Pump)

1. Before starting the M.O.P, check the healthy condition of the Main
   Oil Tank (M.O.T) low level switch from the H.M.I.
2. Before starting the M.O.P, check the oil level in the M.O.P oil
   cup as well as the oil level in the A.O.P and E.O.P oil cups.
3. Ensure again that the suction and discharge valves of the M.O.P,
   A.O.P and E.O.P are in open condition.
4. Start the M.O.P.
5. Open the J.O.P suction line coming from the M.O.P and A.O.P
   discharge header, then open its discharge valve.
6. Put the A.O.P, J.O.P and E.O.P in auto selection mode.

Taking Oil Cooler into Line

1. When the M.O.P starts, oil circulates through the circuit via the
   oil cooler.
2. To check whether oil is passing through the oil cooler, look
   through the view glass after opening the air vent of the oil
   cooler.
3. After confirming that oil is passing through the vent valve to the
   M.O.T, close the vent valve.
4. Open the oil equalizing line of the standby oil cooler and wait for
   some time to fill it with oil, then close the equalizing valve.
5. Maintain lube oil temperature between 42°C and 45°C by adjusting
   the outlet cooling water valve of the online cooler.


Checking Of Lube Oil Header Pressure and Individual Bearing Pressure

1. Check the lube oil header pressure from the field and the H.M.I.
   It must be more than 3 Kg/cm2.
2. Check the individual bearing oil pressures:
   i.   TG Front Journal Bearing           1.2 Kg/cm2
   ii.  TG Thrust Bearing                  1.2 Kg/cm2
   iii. TG Rear Journal Bearing            1.2 Kg/cm2
   iv.  Gear Box                           2 Kg/cm2
   v.   Alternator Front Journal Bearing   1 Kg/cm2
   vi.  Alternator Rear Journal Bearing    1 Kg/cm2
3. Check each bearing's return oil line view glass to see whether oil
   is passing through it or not.
4. Check the overhead tank oil return line view glass; ensure oil flow
   through the return oil line, then close the quick filling valve of
   the overhead tank.
5. Check the healthiness of the overhead tank oil level indicator.
Once the above systems are in service, gland steam can be charged at
the glands. Care is to be taken while charging gland steam in a cold
Turbine. As the gland area of the Turbine is at normal temperature in
cold condition, hot gland steam may produce thermal shock in that
area. To avoid this, steam is to be charged slowly and the
condensate produced is to be drained through the gland steam drain.
The following steps are to be followed for gland steam charging:
1. Charging of auxiliary PRDS (Pressure Reducing & De-Superheating)
2. Charging of Gland Header

Charging Of Aux PRDS (Pressure Reducing And De-Superheating)

1. Open all drain valves.
2. Open the main manual isolation valves before and after the PCV
   (Pressure Control Valve).
3. Open the PCV by 5% from the operation station.
4. Open the PCV by 10% as soon as condensate comes out from the line.
5. Close all drain valves.
6. Put the PCV in Auto mode with the desired pressure set point.
7. Open the manual isolation valve of the TCV (Temperature Control
   Valve).
8. Observe the temperature and then put the TCV in auto mode with the
   desired temperature set point.

Charging of Gland Header

1. Open all drain valves of the gland steam header.
2. Open the gland steam header manual isolation valve.
3. Open the gland steam header PCV by 5% for line heating.
4. Open the gland steam header PCV by 10% to increase the gland steam
   header pressure.
5. Close all drain valves in the gland steam header.
6. Put the gland steam header PCV in auto mode with the desired
   pressure set point.

Condensate System

The exhaust steam of the turbine is condensed in the condenser with
the help of cooling water. The condensate produced is evacuated from
the condenser by the Condensate Extraction Pump (CEP). This
condensate passes through the gland seal condenser and the ejector
condenser to gain the heat of the gland steam and ejector steam
respectively, so the temperature of the condensate increases there
before it is fed to the deaerator for further use in the boiler.
This condensate is further heated in the L.P. Heater (if provided)
using LP steam extraction from the turbine.

To put the condensate system in operation, the following steps are
required to be followed:
1. Ensure the condenser hot well level is adequate, otherwise fill the
   hot well with make-up DM water.
2. Open the suction and discharge valves of the pump. Ensure the
   differential pressure of the strainer is normal.
3. Open the condensate inlet and outlet valves of the gland seal
   condenser, ejector condenser and LP Heater.
4. Put the re-circulation control valve in auto mode.
5. Open the pump gland cooling valve and start the pump.

The condensate will pass through the gland seal condenser and ejector
condenser. It should be re-circulated to the condenser again through
the recirculation control valve. Once steam starts entering the
turbine, the discharge control valve can be put in auto mode to
maintain the level of the hot well.
If the condensate extraction pump is to be started while there is
vacuum inside the condenser, the vacuum balance line valve is to be
opened to avoid any air being trapped inside the pump.

Before main steam enters the turbine, there should be vacuum in the
condenser. First of all, the starting ejector is used to evacuate
air from the condenser. This is a single stage non-condensing type
ejector.

Take the following steps to build up vacuum with the starting
ejector:

1. Ensure availability of auxiliary steam at the desired pressure and
   temperature.
2. Ensure the vacuum breaker valve of the condenser is closed.
3. Ensure cooling water is circulating in the condenser and the
   turbine glands are fully charged.
4. Open the steam valve of the starting ejector.
5. Observe that steam is vented to atmosphere.
6. Open the ejector air valve.
7. Observe that the vacuum inside the condenser is increasing slowly.
8. The main ejector is to be taken into line once the turbine is
   loaded, and the starting ejector is to be stopped then.

The main ejector is to be taken into line once the turbine is loaded,
and the starting ejector is stopped then. To put the main ejector in
line, the following steps are to be followed:
1. Ensure the Condensate Extraction Pump (CEP) is running.
2. Ensure the cooling water inlet and outlet valves of the ejector
   condenser are open.
3. Vent out air from the water box of the ejector condenser by opening
   the rotameter valve.
4. Open the isolation valves before and after the ejector condensate
   trap.
5. Fill up the U tube with water locally.
6. Open the flash box stand pipe isolation valve.
7. Close all drain valves of the ejector.
8. Open the main isolation valve of the ejector steam line.
9. Slowly open the air line valve of the ejector and observe that the
   vacuum is increasing.
When the vacuum is stable, the starting ejector can be stopped slowly
by closing its air valve first and then its steam valve.
Once the auxiliary systems are in operation and full vacuum is
obtained inside the condenser, the turbine can be started. The
turbine is required to be started in two different conditions:
1. Cold Start-Up
2. Hot Start-Up

In a cold startup the turbine is started from cold condition. In this
case, special care is taken for proper heating of the casing and
rotor for proper thermal expansion. As both rotor and casing are in
cold condition, time is required for heat-up. In a hot start-up both
casing and rotor are already hot, so the turbine can be started
within a short period.

Startup Curve

To allow proper thermal expansion of the casing and rotor, the
turbine manufacturer's advice is to be followed for the start-up
procedure. Steam should not be admitted to the turbine immediately,
as uneven expansion may damage the turbine.
Manufacturers specify a soaking time at low idle speed and at high
idle speed for proper thermal expansion of the rotor and casing: the
turbine is held at that particular speed for a particular time before
its speed is allowed to rise to the next range.

Soaking time is different for cold startup and hot startup. The
manufacturer's advice should always be followed strictly for soaking
and the start-up curve in cold startup and hot startup conditions.

Turbine Rolling Preparation

To start rolling the turbine, some steps are followed depending upon
the mode of starting (Auto or Manual) and the type of governing
system (Hydraulic or Electro-Hydraulic).

Before rolling the turbine, check and ensure the following points:

1. Lube oil level and control oil pressure are normal.
2. Lube oil temperature is between 42 and 45°C.
3. Gland sealing system is in operation and gland sealing pressure is
   normal.
4. Starting ejector is in line and condenser pressure is -0.9 kg/cm2.
5. Cooling water is circulating in the condenser and auxiliary cooling
   water in the lube oil cooler.
6. The casing drain, TG inlet steam line drain, TG warm-up vent and
   drain are in open condition.
7. Accumulator is in line.
8. Overhead oil tank is full and return oil flow is visible in the
   viewing glass.
9. Condensate Extraction Pump (CEP) is in operation.
10. Exhaust hood spray solenoid valve is in operating condition.
11. Open the bypass of the Turbine Steam Stop Valve (TSSV).
12. Ensure complete removal of condensate from the TG inlet line and
    ensure the temperature of TG inlet steam is rising after
    throttling the drain valves. Open the Turbine Steam Stop Valve
    (TSSV).
13. Throttle the warm-up vent as per requirement and observe that the
    steam temperature is rising. Once steam temperature reaches the
    desired value, prepare for TG rolling.

TG Rolling

1. Reset the governor from wood yard SOS.
2. Reset from HMI.
3. Engage the trip lever and ensure build-up of trip oil pressure at
   the governing console.
4. Open the E.S.V. (Emergency Stop Valve) from the H.M.I.
5. Physically check the opening of the ESV (Emergency Stop Valve).
6. Give the run command from the HMI.
7. Observe the gradual rise in rpm. After reaching 1000 rpm (low idle
   speed) the turbine automatically holds there for 15 minutes in a
   hot start-up and 30 minutes in a cold start-up (in case of auto
   rolling). Otherwise, hold the speed as advised by the manufacturer.
8. Ensure oil pressure is normal. Check vibration and any abnormal
   sound.
9. First stop the barring gear, then stop the jack oil pump (J.O.P).
10. Get the relay reset before 2000 rpm.
11. After completion of the hold time at 1000 rpm, the R.P.M. goes
    from low idle speed to high idle speed, 2500 rpm, if it is in auto
    mode; otherwise increase the speed manually.
12. After reaching 2500 rpm, it holds for 15 minutes in case of hot
    startup and 30 minutes in case of cold startup automatically. If
    it is not auto rolling, hold the speed as per the advice of the
    manufacturer.
13. Close the TG casing drain, inlet steam line drain, warm-up vent
    and warm-up drain.
14. Check the lube oil pressure at the different bearings, check the
    bearing temperatures and vibration, and record them.
15. After completion of the high idle speed (2500 rpm) soaking time,
    the R.P.M. rises up to the rated speed of 7500 rpm.
16. Maintain lube oil pressure and temperature at the different
    bearings as per the manufacturer's advice.
17. Maintain TG inlet pressure and temperature as per design.
18. Give clearance to synchronize and generate power.
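The pre-rolling checks, the bearing oil pressure limits given earlier, and the hold points in the rolling steps above can be expressed as a small sequencer. The Python below is an added example, not the plant's DCS logic or any governor vendor's code: it checks the listed permissives and bearing oil pressures against the values this document gives, and computes the speed command of an auto rolling with the 1000 rpm and 2500 rpm soaking times for a cold or hot start. The dataclass field names, the 100 rpm/min ramp rate and the sample readings are assumptions.

```python
"""Pre-rolling permissives and auto-rolling hold logic for the TG.

Added example, not from the original manual or any governor vendor.
Thresholds come from the checks and rolling steps in the document; the
field names, the ramp rate and the readings below are assumptions.
"""
from dataclasses import dataclass, replace

# Minimum bearing oil pressures (kg/cm2) from the bearing pressure check list.
BEARING_MIN_KG_CM2 = {
    "TG front journal": 1.2,
    "TG thrust": 1.2,
    "TG rear journal": 1.2,
    "gear box": 2.0,
    "alternator front journal": 1.0,
    "alternator rear journal": 1.0,
}

# Idle speeds with their soaking time in minutes for (cold, hot) start-up.
HOLD_POINTS = [(1000, (30, 15)), (2500, (30, 15))]
RATED_RPM = 7500


@dataclass
class PreRollReadings:
    lube_oil_temp_c: float            # lube oil temperature, degC
    lube_oil_header_kg_cm2: float     # lube oil header pressure, kg/cm2
    condenser_pressure_kg_cm2: float  # condenser pressure (gauge), kg/cm2
    bearing_oil_kg_cm2: dict          # bearing name -> oil pressure, kg/cm2
    gland_sealing_ok: bool            # gland sealing in service, pressure normal
    cooling_water_ok: bool            # condenser and lube oil cooler water on
    cep_running: bool                 # condensate extraction pump running
    drains_open: bool                 # casing, inlet line, warm-up vent/drain open
    accumulator_in_line: bool
    overhead_tank_full: bool


def unsatisfied_permissives(r: PreRollReadings) -> list:
    """Return the permissives that block rolling (empty list = clear to roll)."""
    failed = []
    if not 42.0 <= r.lube_oil_temp_c <= 45.0:
        failed.append("lube oil temperature not within 42-45 degC")
    if r.lube_oil_header_kg_cm2 <= 3.0:
        failed.append("lube oil header pressure not above 3 kg/cm2")
    if r.condenser_pressure_kg_cm2 > -0.9:
        failed.append("condenser pressure above -0.9 kg/cm2")
    for name, minimum in BEARING_MIN_KG_CM2.items():
        if r.bearing_oil_kg_cm2.get(name, 0.0) < minimum:
            failed.append(f"{name} bearing oil pressure below {minimum} kg/cm2")
    flags = [
        (r.gland_sealing_ok, "gland sealing"),
        (r.cooling_water_ok, "cooling water"),
        (r.cep_running, "CEP"),
        (r.drains_open, "drains and warm-up vent"),
        (r.accumulator_in_line, "accumulator"),
        (r.overhead_tank_full, "overhead oil tank"),
    ]
    failed += [f"{name} not ready" for ok, name in flags if not ok]
    return failed


def rolling_schedule(start: str) -> list:
    """[(speed_rpm, hold_min), ...] ending at rated speed, for 'cold' or 'hot'."""
    if start not in ("cold", "hot"):
        raise ValueError("start must be 'cold' or 'hot'")
    idx = 0 if start == "cold" else 1
    return [(rpm, holds[idx]) for rpm, holds in HOLD_POINTS] + [(RATED_RPM, 0)]


def target_speed(elapsed_min: float, start: str,
                 ramp_rpm_per_min: float = 100.0) -> float:
    """Speed command (rpm) `elapsed_min` after the run command for an auto
    rolling that ramps at `ramp_rpm_per_min` (an assumed rate) and soaks at
    each idle speed for the time belonging to the start type."""
    speed, t = 0.0, elapsed_min
    for rpm, hold in rolling_schedule(start):
        ramp = (rpm - speed) / ramp_rpm_per_min
        if t < ramp:                      # still ramping to this hold point
            return speed + t * ramp_rpm_per_min
        t -= ramp
        speed = float(rpm)
        if t < hold:                      # soaking at this idle speed
            return speed
        t -= hold
    return speed                          # at rated speed


# Constructed readings: everything as the check list requires.
GOOD = PreRollReadings(
    43.0, 3.4, -0.92,
    {"TG front journal": 1.3, "TG thrust": 1.25, "TG rear journal": 1.3,
     "gear box": 2.1, "alternator front journal": 1.1,
     "alternator rear journal": 1.05},
    True, True, True, True, True, True)
# Same plant with lube oil still cold and vacuum not yet built up.
BAD = replace(GOOD, lube_oil_temp_c=38.0, condenser_pressure_kg_cm2=-0.5)

if __name__ == "__main__":
    print("blocking:", unsatisfied_permissives(BAD))
    for minute in (0, 10, 45, 135):
        print(f"cold start, t={minute:3d} min -> {target_speed(minute, 'cold'):.0f} rpm")
```

Closing the drains at high idle speed and the checks of bearing pressure, temperature and vibration during the hold remain operator steps; the sequencer only enforces that the soaking time of the chosen start type has elapsed before the next speed rise.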
Turbine Auxiliary System

In a power plant, apart from the turbine, there are other associated
systems which are required for running the turbine. The most
important auxiliary systems and components are:
1. Oil System
2. Condensate System
3. Gland sealing System
4. Ejector and Vacuum System
5. Cooling water System
6. Condenser

Oil System

Lubricating oil is supplied to the bearings and is also used for
governing the turbine. The main functions of the lubricating oil are
to:
1. Lubricate the bearings.
2. Cool the bearings.
3. Flush out metallic debris.
4. Control the speed of the turbine.

Principles of Lubrication

To maintain a film of lubricant between the surfaces in running
condition, any one of the following principles of lubrication
prevails:
1. Hydrodynamic lubrication
2. Hydrostatic lubrication
3. Elasto-hydrodynamic lubrication

If none of the above conditions exists, the condition will be
boundary lubrication.

Hydrodynamic Lubrication

Also called Full Flood Lubrication / Wedge film lubrication: wedge
film formation due to geometry and speed.
a. In the hydrodynamic principle, fluid viscosity is not sufficient
   to maintain a film between the moving surfaces, and a higher
   pressure is required to support the load until the fluid film is
   established; the required pressure is generated internally by
   dynamic action.
b. The wedge film lifts the journal and allows complete separation.
c. A thick fluid film is formed that separates the two surfaces and
   supports a load as the two surfaces move with respect to each
   other.

By feeding oil from an external source under high pressure into a
pocket machined into the bottom of the bearing, the journal can be
lifted and floated on a fluid film. When the journal reaches a speed
sufficient to create hydrodynamic films, the external pressure can be
turned off and the bearing will continue to operate in the
hydrodynamic manner.

Components of Lubricating Oil System

The main components of the lubricating oil system are:
1. Oil tank
2. Oil pumps
3. Oil filter
4. Oil centrifuge
5. Oil overhead tank
6. Accumulators

Oil tank

The total oil for the system is stored in this tank. The tank has
adequate capacity to hold sufficient oil during running and stopped
conditions. The tank base is sloped to one side so that sediment in
the oil collects in the lower area and can be drained out by opening
the drain valve. The tank has level measurement to give an alarm for
low oil level, and a level glass is provided to read the tank level
at any instant. Suitable tappings are provided for oil suction of the
oil pumps, draining of return oil from the bearings and governing
system, connection for the oil centrifuge, filling of fresh oil, etc.
One oil mist fan is provided on the tank to vent out any oil vapour
and keep the tank slightly below atmospheric pressure.

Oil Pump

Oil pumps are provided to pump oil from the oil tank to the various
lubrication points and for control purposes. Normally three pumps are
provided:
1. Main oil pump (M.O.P)
2. Auxiliary oil pump (A.O.P)
3. Emergency oil pump (E.O.P)

Oil Coolers

Normally two oil coolers of 100% capacity each are provided to cool
the entire oil supplied to the turbine bearings, gearbox and
generator bearings for lubrication. Governing oil is not cooled in
the oil cooler; it is taken off before the oil cooler. One cooler is
put in line and the other is kept as standby. An online changeover
facility is provided to take the standby cooler into service without
interruption of the oil supply while the turbine is running.
Before changeover, it is to be ensured that the standby cooler is
filled with oil and air is vented out properly. Otherwise there will
be an air lock and the oil supply to the bearings may be interrupted.
The oil cooler is a shell and tube type heat exchanger. Cooling water
flows inside the tube bundle and oil flows on the shell side. Cooling
water for the oil cooler is obtained from the main cooling water
system of the power plant. Regulating valves are provided at the
inlet and outlet of the cooling water supply line.
To increase or decrease the oil temperature, cooling water flow is
decreased or increased respectively through these regulating valves.
Always regulate the cooling water outlet valve to vary the flow of
cooling water. In no case is the cooling water inlet valve to be
throttled, as sufficient cooling water would then not be available
inside the tubes and the tubes may be damaged.
A drain point is provided at the cooler to drain out sediment settled
at the bottom of the cooler.

Oil Filters

Oil coming out of the cooler is passed through an oil filter to
remove any contaminating particles or debris. The filter is normally
basket type with a removable filter cartridge. Like the coolers,
there are two filters of 100% capacity each with a suitable online
changeover arrangement. The oil is filtered down to the 20-25 micron
level in these filters before circulating to the bearings.

The differential pressure across the filter is measured, which
indicates the choking condition of the filter cartridge. If the
differential pressure is high, the filter is choked and needs
cleaning.
Before changeover of the oil filter while the turbine is in
operation, it is to be ensured that the standby filter is completely
filled and no air is trapped inside. The filter cartridge of the
standby filter is always to be kept clean, so that it can be taken
into line at any moment if required.

Oil Centrifuge

A centrifuge is a machine which separates water and solid particles
from oil. This is achieved by the centrifugal force of a high speed
rotating bowl inside the separator. Due to the centrifugal force,
heavier particles are displaced towards the outer periphery of the
bowl and the lighter oil is displaced towards the centre of the bowl,
where it is collected and sent back to the main oil tank.

Steam Ejector And Vacuum System

Vacuum is maintained by continuously evacuating non-condensing gases
from the condenser with the help of a steam ejector. The pressure of
non-condensing gases decreases condenser efficiency. For removing
non-condensing gas to create vacuum in the condenser, a steam ejector
is normally used. This is like a pump in which the venturi effect of
a converging-diverging nozzle is used to convert the pressure energy
of steam into velocity energy to create a suction effect.

WORKING PRINCIPLE OF EJECTOR

High pressure motive steam enters the ejector chest through a nozzle
and is then expanded. The pressure energy of the steam is converted
into velocity. The increased velocity causes reduced pressure, which
sucks in the vapour. The diffuser section then compresses the
steam-vapour mixture, which is then exhausted to the condenser.

Operating Procedure Of Ejector System

1. Circulate condensate through the ejector condenser.
2. Open steam of ejector. This will create vacuum in the inter-ejector
   condenser.
3. Open steam of ejector.
4. Open the air valve of the condenser.

Condenser
The condenser is an important auxiliary equipment of any steam
turbine. Exhaust steam of the turbine is exhausted into the condenser,
where it is condensed under vacuum. By maintaining vacuum in the
condenser, maximum energy can be extracted from the steam and
turbine efficiency increases. The condensate obtained is utilized again
at the boiler for steam formation.

There are different types of condenser. Some of the important
types of condensers are listed below.
1. Jet type condenser
2. Air condenser
3. Surface condenser

Surface Condenser
This type of condenser is widely used at power plants. Cooling
water is not mixed with the condensate in this case. The condensate
obtained is pure and can be used in the boiler. This is a shell and
tube type heat exchanger. The shell of the condenser is closed. Tubes
are arranged inside the shell, in which the cooling water flows. The
condenser neck is connected to the exhaust hood of the turbine. An
expansion joint is provided in between to accommodate thermal
expansion.
Steam from the turbine flows on the shell side of the condenser and
cooling water flows inside the tubes. The main components of a
surface condenser are:
- Shell
- Air outlet
- Rupture disk
- Hot well
- Tubes
- Water box

Oil Accumulator
An oil accumulator is provided on the governing or control oil line
of the turbine. This accumulator maintains oil pressure in the line
during momentary fluctuations of oil pressure, such as during oil
pump changeover or sudden operation of the servomotor of the
governing valve.
In the accumulator an inert gas filled bladder is provided. The gas
pressure inside the bladder is maintained slightly below the
normal oil pressure.
During normal operation, the oil pressure of the line compresses the
bladder and oil occupies the oil space of the accumulator.
When the pressure in the line drops, the bladder expands due to
the gas pressure inside it, pushing the oil out of the oil space into the
line and so taking care of momentary oil pressure fluctuations.
Emergency Situation In Steam Turbine
A steam turbine is a critical rotating equipment. High temperature
and pressure steam is used to rotate the turbine at high speed.
The mass of the rotating part is high. There is always a chance of
a severe mishap leading to a fatal accident and damage to high
cost equipment. In case any system goes wrong, generation of
power may be interrupted for a long period, leading to heavy
loss to the plant. So the power plant engineer should be trained
well enough to face any emergency situation at any time and to
handle emergency situations properly.
1) Overspeed

Due to failure of the governing system the turbine speed may become
dangerously high. The rotor can rotate momentarily without damage
up to 110% of rated speed. At higher speed the rotor stress increases.
Due to high centrifugal forces the blades which are fixed to the
rotor may come out. Failure of a blade root can cause a severe
accident and damage to the turbine. To avoid dangerous overspeed
the turbine is provided with mechanical and electrical overspeed trip
arrangements. Tripping limits are set in such a way that turbine
speed does not exceed 110% of rated speed. These overspeed
tripping limits are to be checked regularly. The mechanical overspeed
device is to be set within the set limit and checked at suitable
intervals. Under no circumstances is the overspeed tripping limit to
be bypassed. If overspeed tripping does not work, immediately
stop the turbine by pressing the emergency trip push button. For the
18.5 MW turbine at Tata Sponge, the overspeed tripping limit is 7865
rpm.
2) Failure Of Lubrication Oil System:
Lubrication oil is used to lubricate and cool down the bearing metal.
Sometimes the lubrication oil supply may be interrupted due to
failure of pumps, leakage in the oil line or choking of the oil filter.
This condition may damage bearings and the gear box. If such an
incident happens for any reason, the turbine is required to be stopped
as soon as possible. Low lube oil header pressure tripping is
incorporated with the turbine to trip the turbine immediately. If the
lube oil header pressure becomes 1 kg/cm2, oil supply is to be
restored as early as possible. After resuming oil supply, if possible,
the turbine is to be rotated manually to find out any damage (inspect
bearings).
3) High Vibration
The rotor of the turbine rotates at high speed. Any deformation or
unbalance of the rotor produces high vibration. Sometimes
deposits on blades and damage to any rotating part may create
heavy vibration. Damage to a journal bearing may also produce
vibration. The moving and rotating parts of the turbine are closely
spaced. Due to disturbance of the rotor shaft or differential
expansion, there is a chance of rubbing. Rubbing creates high
vibration and abnormal sound, so in no case is high vibration of the
turbine to be overlooked. In case of high vibration the turbine should
be stopped immediately and the turbine internals inspected to avoid
further damage. High vibration protection logic is incorporated with
the turbine to trip the turbine when turbine front and rear journal
bearing vibration reaches 156 microns or gear box front and rear
journal bearing vibration reaches 340 microns.
4) High Bearing Temperature
High bearing temperature occurs due to inadequate oil flow in the
bearing or metal to metal contact between the bearing and rotor.
High temperature damages the Babbitt material of the bearing. In
case of high temperature of a bearing, the turbine is required to
be stopped. Oil supply to the bearing is to be checked and, if
required, the bearing is to be opened for inspection. High bearing
temperature protection logic is provided to the turbine. For the
different bearings, 115°C is the tripping limit.
5) Failure Of Barring Device
When the turbine is stopped in hot condition, it is to be put on
barring. In some situations, just after stopping the turbine, the
barring gear may be found not working. It is not recommended to
keep the rotor in standstill condition. By any means the rotor is to
be rotated, normally by the hand barring arrangement provided, to
change the rotor position by 180° repeatedly.
6) High Condenser Hot Well Level
Due to a problem in the condensate extraction pumps, sometimes the
condensate cannot be evacuated from the hot well, so the hot well
level becomes high. In this situation there is a possibility that the
water level in the condenser increases and water enters the turbine
through the exhaust hood. Condenser vacuum reduces drastically in
this condition. If in any case water enters a running turbine, it
creates a serious situation and damages the turbine. Load is to be
reduced on the turbine in this situation. If the situation is not
controllable, the turbine is to be stopped.
9) High Steam Parameter
Like low steam temperature and pressure, high steam
temperature and pressure are not desirable for turbine operation.
High steam temperature may damage the turbine, as the metallurgy
of the turbine is designed for a particular temperature.
10) Low Condenser Vacuum
Due to vacuum in condenser the steam from turbine is easily
exhausted into condenser. If vacuum inside the condenser drops,
it restricts exhaust of steam of turbine. This creates back pressure
inside turbine. Vacuum may drop due to failure in cooling water
system, failure of ejectors, or leaking condenser air line. Standby
ejector or starting ejector is to be immediately taken into line.
Leaking air line is to be arrested promptly or cooling water supply
to be increased. If vacuum is not improved, the turbine is to be
stopped immediately. Low vacuum protection logic is provided to
trip the turbine when condenser vacuum drops to -0.4 kg/cm2.
11) Failure Of Cooling Water Systems
Due to failure of cooling water pumps or choking in the cooling water
circuit, the cooling water supply may be reduced or interrupted. In
this case the turbine exhaust steam cannot be condensed. This will
increase the pressure in the condenser and drop the vacuum. The
rupture disks of the condenser may rupture, and heavy back pressure
will be created in the turbine. In this case load is to be reduced first
and care is to be taken to normalize the cooling water supply. If the
situation does not improve then the turbine is to be stopped.

Black Out Maneuver Method for WHRB Power Plant

Both TGs fail and grid not available (BLACK OUT CONDITION):
1. In the above case (total blackout condition), ensure
availability of DG emergency power to all the emergency drives
of both the CPPs within 10 seconds (i.e. boiler main steam stop
valve, auxiliary oil pump, barring gear, emergency oil pump,
boiler feed pump discharge valve, CPP area lighting, jack oil
pump and TG steam stop valve).
2. Ensure from the field pressure gauge that lubrication continues in
both the TGs by the gravity method (oil flows from the overhead tank
to all the TG bearings and returns to the main oil tank by the drain
header).
3. Ensure from HMI and field that the emergency oil pump is running
on DC power and oil supply continues to all the bearings.
4. Start the jack oil pump of the TG.
5. If emergency power is not available within 10 seconds, then
immediately contact the Electrical Shift In Charge about the
matter and try to resume emergency power as quickly as
possible, with the help of Shift In Charge CPP and Shift In Charge
Electrical.
6. After resumption of emergency power, close the main steam stop
valve of all three boilers and maintain the drum pressure
through the start-up vent.
7. In blackout condition, ensure that the kiln stack cap remains
100% open till the availability of the boiler feed pump. If the stack
cap is closed or partially closed, then contact the kiln control rooms
to open the same through Shift In Charge CPP.
8. In blackout condition, all the boilers will be in hot box-up
condition.
9. Ensure the emergency stop valve of the TG is in closed condition.
10. Close the TG inlet motorised valve.
11. Close all the boiler feed pump discharge motorised valves.
12. After resumption of emergency power, the auxiliary oil pump will
start in auto mode. Ensure the same from field and HMI, then stop
the emergency oil pump from the panel and put it in auto mode.
13. After resumption of 1000 kVA DG power, start one feed pump of
CPP-1 and supply water to all three boilers and maintain the drum
level up to 40%.

Difference between BPCS and SIS

It is important to realize and understand the fundamental
difference between process control and safety control. Process
control systems are active, or dynamic. They have analog inputs
and analog outputs, perform math and number crunching, and
have feedback loops. Process controls act positively to maintain
or change process conditions. They are there to help obtain the best
performance from the process and often are used to push the
performance to the limits that can safely be achieved. Hence,
most failures in these systems are inherently self-revealing. A PCS
must be flexible enough to allow frequent changes. Process
parameters (e.g. set points, PID settings, MAN/AUTO, etc.) require
changing. Portions of the system may also be placed in bypass,
and the process may be controlled manually. They are not built
with safety in mind and are not dedicated to the task. Because
they are operating at all times they are not expected to have
diagnostic routines searching for faults.
Safety systems, however, are just the opposite of process control
systems. They are dormant, or passive. They sit there doing nothing
and hopefully will never be called into action. An example would be
a pressure relief valve. Normally the valve is closed. It only opens
when the pressure reaches the set value. If the pressure never exceeds
that value, the valve never operates. Many failures in these systems
may not be self-revealing. If the relief valve is plugged, there is no
immediate indication. A PLC could be hung up in an endless loop.
Without a watchdog timer, the system would not be able to
recognize the problem. There is a need for extensive diagnostics
in dormant, passive safety-related systems. Safety systems
should be incorruptible: they need to be kept to a fixed set of rules,
with access for changes carefully restricted. And they must be
highly reliable and be able to respond instantly when a hazardous
situation develops.
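As an added illustration (not code from this document), the turbine trip limits quoted in the emergency section above, written as a latching protection function in Python with a first-out record, a maintenance bypass that refuses the overspeed trip, and a stale-input check standing in for the watchdog diagnostic that the BPCS-vs-SIS passage says a dormant safety system needs. Treating 1 kg/cm2 lube-oil header pressure as the trip setpoint, the 2-second signal-age limit and the sample values are assumptions.

```python
"""Added example (not code from this document): the steam turbine trip
limits quoted in the emergency section, evaluated as a latching
protection function with a first-out record, a maintenance bypass that
refuses the overspeed trip, and a stale-input check standing in for the
watchdog diagnostic the BPCS-vs-SIS passage says a dormant safety
system needs."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Trip limits quoted in the text (18.5 MW turbine). Units: rpm,
# kg/cm2(g), micron, deg C. Treating 1 kg/cm2 lube-oil header pressure
# as the trip setpoint is an assumption drawn from the text's wording.
OVERSPEED_RPM = 7865
LUBE_OIL_LOW_KGCM2 = 1.0
TURBINE_BRG_VIB_MICRON = 156
GEARBOX_BRG_VIB_MICRON = 340
BEARING_TEMP_C = 115
CONDENSER_VACUUM_KGCM2 = -0.4   # trip when vacuum has fallen to this value
MAX_SIGNAL_AGE_S = 2.0          # constructed watchdog limit, not from the text

# The text says the overspeed trip is never to be bypassed.
NON_BYPASSABLE = {"overspeed"}


@dataclass
class Sample:
    """One scan of the protection inputs. `age_s` is the time since the
    source last refreshed the values; a hung PLC stops refreshing them."""
    speed_rpm: float
    lube_oil_kgcm2: float
    turbine_vib_micron: float
    gearbox_vib_micron: float
    bearing_temp_c: float
    condenser_vac_kgcm2: float
    age_s: float = 0.0


@dataclass
class ProtectionState:
    tripped: bool = False
    first_out: Optional[str] = None          # cause that latched the trip
    bypassed: Set[str] = field(default_factory=set)


def bypass(state: ProtectionState, cause: str) -> bool:
    """Apply a maintenance bypass; refused for non-bypassable causes."""
    if cause in NON_BYPASSABLE:
        return False
    state.bypassed.add(cause)
    return True


def active_causes(s: Sample) -> List[str]:
    """Trip causes present in this sample, in evaluation order."""
    causes = []
    if s.age_s > MAX_SIGNAL_AGE_S:
        causes.append("stale_inputs")       # diagnostic: source stopped updating
    if s.speed_rpm >= OVERSPEED_RPM:
        causes.append("overspeed")
    if s.lube_oil_kgcm2 <= LUBE_OIL_LOW_KGCM2:
        causes.append("low_lube_oil_pressure")
    if s.turbine_vib_micron >= TURBINE_BRG_VIB_MICRON:
        causes.append("high_turbine_bearing_vibration")
    if s.gearbox_vib_micron >= GEARBOX_BRG_VIB_MICRON:
        causes.append("high_gearbox_bearing_vibration")
    if s.bearing_temp_c >= BEARING_TEMP_C:
        causes.append("high_bearing_temperature")
    if s.condenser_vac_kgcm2 >= CONDENSER_VACUUM_KGCM2:
        causes.append("low_condenser_vacuum")
    return causes


def evaluate(state: ProtectionState, s: Sample) -> ProtectionState:
    """Latch a trip on the first cause that is not bypassed. A latched
    trip stays latched until reset() so that a momentary return of the
    signal cannot restart the machine by itself."""
    if state.tripped:
        return state
    for cause in active_causes(s):
        if cause not in state.bypassed:
            state.tripped = True
            state.first_out = cause
            break
    return state


def reset(state: ProtectionState, s: Sample) -> bool:
    """Accept a reset only when no trip cause is present in the sample."""
    if active_causes(s):
        return False
    state.tripped = False
    state.first_out = None
    return True
```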

How to Reduce Common SIF/SIS Mistakes

Don Rozette
Monday, January 14, 2013 - 8:00am

A recently published study by Great Britain's HSE broke the safety
lifecycle into three major areas:
- Hazards Assessment/SIF Specification
- SIF Design and Verification
- Operation and Maintenance

Not surprisingly, the study concluded that 44% of all SIS/SIF
related errors occurred during the hazards
assessment/specification phase of the lifecycle. The study goes
further to state that many of these errors occurred because the
SIF/SIS designer incorrectly considered the interactions of one SIF
with the rest of the process. In essence, the activation of one SIF,
whether demand-based or spurious, then caused
unforeseen demands, and hazards, in other areas of the process.

During a recent panel discussion, one of the panelists challenged
the audience with the question "Why are they called shut-down
systems, shouldn't we really call them keep-running systems?"
His premise was that the engineering discipline as a whole had
become enamored with, or sold on, the "fail-safe" design. Not
only is this not required by the standard, but as mentioned above,
spurious activation of a SIF can in fact cause hazards elsewhere
that may not have been considered during the hazards
assessment/SIF specification phase of the lifecycle.
If the user has a comparative process indication that is
independent of the initiating event, it is possible to design the SIF
to be fault tolerant without increasing hardware count or cost.
In the example below, you can see that SIF-003 is a 2oo2 voted
sensor arrangement, which based strictly on voting architecture is
an extremely reliable design. Also note that there is an
independent high pressure sensor and associated high pressure
alarm. In this case the SIF designer could have used a 1oo1
voting architecture for SIF-003. By using the comparative process
indication the engineer could have implemented a deviation
alarm based on any difference between the SIF sensor indication
and the comparative BPCS sensor indication. Not only would that
arrangement be significantly safer, it would be almost as reliable,
with 1/3 less cost to install and maintain.
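The voting and deviation-alarm argument above, as an added Python example (not code from the article or from any product it names): an MooN voter, a deviation alarm that checks each SIF sensor against the independent BPCS sensor, and the usual independent-channel approximations for probability of failure on demand and spurious trip per architecture. The trip setpoint, deviation tolerance and per-channel failure probabilities are constructed values, and common-cause failure is ignored.

```python
"""Added example for the 2oo2-vs-1oo1 discussion; not code from the
article or from any product it mentions. Probability formulas are the
independent-channel approximations and ignore common-cause failure."""
from typing import Dict, Sequence

HIGH_PRESSURE_TRIP = 10.0   # constructed trip setpoint, bar(g)
DEVIATION_TOLERANCE = 0.5   # constructed SIF-vs-BPCS mismatch limit, bar


def vote(readings: Sequence[float], m: int, setpoint: float) -> bool:
    """MooN voting: trip when at least m of the N readings reach setpoint."""
    if not 1 <= m <= len(readings):
        raise ValueError("m must satisfy 1 <= m <= N")
    return sum(r >= setpoint for r in readings) >= m


def deviation_alarm(sif_reading: float, bpcs_reading: float,
                    tolerance: float = DEVIATION_TOLERANCE) -> bool:
    """Compare the SIF sensor with the independent BPCS sensor. A mismatch
    reveals a sensor fault that a 1oo1 SIF on its own could not see."""
    return abs(sif_reading - bpcs_reading) > tolerance


def architecture_probabilities(p_d: float, p_s: float) -> Dict[str, Dict[str, float]]:
    """Per-architecture probability of failure on demand (pfd) and of a
    spurious trip, for independent channels with per-channel dangerous
    failure probability p_d and spurious (false trip) probability p_s.
    2oo2 has the lowest spurious rate but roughly doubles the PFD of a
    single channel, which is the trade-off the article points at."""
    if not (0 <= p_d <= 1 and 0 <= p_s <= 1):
        raise ValueError("probabilities must lie in [0, 1]")
    return {
        "1oo1": {"pfd": p_d, "spurious": p_s},
        "1oo2": {"pfd": p_d ** 2, "spurious": 1 - (1 - p_s) ** 2},
        "2oo2": {"pfd": 1 - (1 - p_d) ** 2, "spurious": p_s ** 2},
        "2oo3": {"pfd": 3 * p_d ** 2 - 2 * p_d ** 3,
                 "spurious": 3 * p_s ** 2 - 2 * p_s ** 3},
    }


def sif_003_decision(sif_readings: Sequence[float], bpcs_reading: float,
                     architecture: str = "2oo2") -> Dict[str, bool]:
    """Decision for the article's SIF-003: the voted trip plus the
    deviation alarm comparing every SIF sensor with the BPCS sensor."""
    m = int(architecture[0])
    trip = vote(sif_readings, m, HIGH_PRESSURE_TRIP)
    deviation = any(deviation_alarm(r, bpcs_reading) for r in sif_readings)
    return {"trip": trip, "deviation_alarm": deviation}
```

With the constructed figures, a 2oo2 pair in which one transmitter has stuck low fails to trip on a real demand, while the deviation alarm against the BPCS reading exposes the stuck channel before the demand arrives.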

Below is a list of common initiating events that should be
considered during the hazards assessment/SIF specification phase
of the lifecycle. Managing or reducing the probabilities
associated with initiating events such as these means taking a
pro-active view of risk (e.g. plan for the best, but prepare for the
worst).

Type of Initiating Event: External Events
Examples:
- High Wind
- Seismic Event
- Flooding
- Lightning
- Vehicle Impact
- Fire or Explosion in an adjacent area

Type of Initiating Event: Equipment Failures
Examples:
- BPCS (basic process control system) component failure.
- Utility failure.
- Vessel/Piping failure due to wear, fatigue, or corrosion.
- Vessel/Piping failure caused by specification, design, or
manufacturing defect.
- Vessel/Piping failure caused by over or under pressurization.
- Vibration induced failure (e.g. rotating equipment).
- Failures caused by inadequate maintenance/repair.
- Failures caused by temperature extremes.
- Failures resulting from flow surge or hydraulic hammer.

Type of Initiating Event: Human Failures
Examples:
- Failure to properly execute a task, by omitting
steps, or improperly sequencing steps of a task.
- Failure to observe or respond appropriately to conditions or
prompts by the system or process.
At this point it is necessary to differentiate initiating events from
latent or root causes. Initiating events are distinctly different from
root or latent causes. In general, root or latent causes create
latent weaknesses in a system. When a challenge arises or a
demand is made on the system, these weaknesses give rise to an
initiating event. For example:
- Inadequate operator training is not an initiating event, but is
a potential underlying cause of an initiating event of the human
failure type.
- Inadequate test and inspection is not an initiating event, but
is a potential underlying cause of an initiating event of the
equipment failure type.

One of the most common silos in industry today exists between
the group responsible for process safety management and the
group that manages instrumentation and controls. Ensuring that
these two groups can pass information and work hand-in-glove
means that the two need to share the responsibility of hazards
assessment and SIF specification, which can best be enabled by
working from a common management platform. APM's Asset
Safety work process is enabled through the complete integration
of hazards analysis with a TUV certified SIF design verification and
periodic validation platform that encompasses the entire lifecycle.
Common mistakes associated with requirements specification can
be reduced, functional safety can be improved and lifecycle costs
can be optimized through the application of a little common
sense and a work platform that pro-actively manages the entire
scope of the lifecycle.

See my reply in BLUE....

I need a detailed response to my below mentioned queries related
to design engineering of instrument works.

1- The difference between the documents "instrument index" and
"instrument I/O list".

Instrument index consists of types of instrument installed in the
plant whereas instrument IO list shows instruments connected to
BPCS/SIS Systems...

2- The difference between "segment wiring diagrams" and
"instrument termination diagrams".
Both can be part of the instrument loop diagram... depending on
complexity & no. of terminations involved... segment wiring
diagrams & instrument termination diagrams are referred to in
instrument loop diagrams.... A segment wiring diagram shows only
one segment of the entire loop whereas an instrument termination
diagram shows how the instrument is connected to BPCS... e.g. a
Gas Chromatograph (GC).. to BPCS it is an instrument, but it depends
on how GC is sending data to BPCS or how BPCS is reading data
from GC... it could be via a two, three, four, 5, 10 or 25 wire
connection or via some industrial communication protocol.. now
instrument termination diagrams show how both instrument &
BPCS are connected...

3- Is data sheet preparation regarding "PCV" and "PSV" in the
instruments' scope of work?? How are PSV and PCV sized?

If you are involved in commissioning of a new plant, then data
sheets will be provided to you as part of As Built documents by the
EPC... If you are in maintenance then in case there is a new
installation of PSV or PRV or CV then it is the responsibility of the
instrument engineer to collect data from Process
Engineering/Project Engineering and prepare a data sheet... Sizing
of PSV or PRV is not easy and I would suggest that you should
start with the simplest Control Valve rather than jumping directly to
PSV or PRV... Each vendor provides sizing tools for its
CV/PSV/PRVs... and the basics of CV sizing remain the same most of
the time.. but it may differ, all is subject to how the vendor has
designed the Valve...

4- What is the difference between "Fail close" and "Fail open"
position of control valves.

Both terms are used when the Safe State of the Valve is considered..
(Please refer to Plant HAZOP documents for the definition of Safe
State for each valve)... Fail Close or Fail Open means in case of
failure of air supply, 4-20mA or 24Vdc, or CV diaphragm rupture,
the valve will go to the pre-determined safe position, i.e. Close or
Open respectively...
5- The difference between "RTD" and "thermocouples". Which is
better for temperature measurement.
The principle of operation for both is different...
RTD is relatively more accurate and exhibits linear characteristics
from low to medium range temperatures... Whereas TC are
relatively less accurate but exhibit linear characteristics from low
to very high range temperatures...
6- What is the difference between "FFB (Foundation field bus)" and
"conventional" protocol. Define the conditions where these are
applicable.
There is no such thing as Conventional Protocol... Please rephrase your question...
7- Why are "digital signals" used for on/off operations?? and
analogue signals for control/measure operations?. Please highlight
the basic difference of both methodologies.
Because you can't use it the other way around.... Please re-phrase
your question with some problems??
A word of advice... This forum is for discussion/problem solution...
Some questions you have asked require a big explanation, I
would suggest you buy & read a few instrumentation & control
system books.... It would be beneficial for you and also for the rest
of the members if you ask questions to the point and if necessary
give an explanation with some examples...
Have a few more comments on a few of your questions.
3- Sizing of PRV and PSV is not necessarily the responsibility of
the Instrument Engineer. Sameen is correct as far as new
installation is concerned. But for maintenance, it differs from
plant to plant since responsibility may be distributed separately in
different organizations. As an example, at the plant I work at,
designing & sizing of all kinds of valves falls under the domain of
Process Engineering. They will develop data sheets which they will
then hand over to the instrument engineer for procurement of the
valve. Once the valve is procured, the project engineer (mechanical
engineer) will have it installed in the field and the instrument
section will be responsible for electrical and pneumatic
connections. As for the PSV, that is completely out of the Instrument
Engineer's domain. It is designed by the Process Engineer and
installation and maintenance falls under the domain of the stationary
equipment maintenance section.
7- I agree with Sameen that it is not possible to have it the other
way round. Digital signals have just 02 states (on & off). For
control purposes, generally the requirement is to have infinite
intermediate values between say 0 - 100%, something that is
quite unachievable through use of digital signals.

Re: Difference between HAZOP and PHA

by Black Onyx 10 Jul 2012, 16:33

Nabeel,

Process Hazard Analysis (or PHA) is a study that should be carried
out for identification of the Risk associated with operation of a High
Hazard Process and to provide mitigating actions (aka layers of
protection) to reduce the associated risk to an acceptable level
(sometimes called ALARP or As Low As Reasonably Practicable).

PHA may be carried out at the following different stages of the life
cycle of a plant, i.e.
1. Conceptual Stage PHA (when only basic technology / design is
known)
2. Detailed PHA (when 70%~90% design is locked and complete
details are available)
3. Pre-Startup PHA
4. Baseline PHA (after successful commissioning has been carried
out)
5. Cyclic PHA (once in 5 years for HHP)
6. Decommissioning or Mothball PHA
Now PHA itself consists of two Parts
1. Consequence Analysis, which is further classified into
a. Qualitative Consequence Analysis
b. Quantitative Risk Analysis (QRA)
2. Process Hazard Review or PHR (which can be done using
any one or a combination of the following techniques)
a. HAZOP (Hazard & Operability) Study
b. What-if Method Study
c. Checklist Method
d. FMEA (Failure Mode & Effect Analysis)
e. FTA (Fault Tree Analysis)
In addition sometimes, various other studies are carried out as part of
PHR, such as Facility Siting, Human Factor (HF) analysis etc.

The following few outlines could help to assess the criticality of a new
site.

- Process safety information.
- Work place & process hazard analysis, consultation and action
planning.
- Responsibilities & participation of personnel.
- Written operating procedures for all operation phases and
limitations.
- Permit system.
- Compliance auditing.
- Employee & contractor safety information & training.
- Mechanical integrity evaluation & maintenance systems.
- Design, fabrication & installation.
- Emergency planning, response & training.
- Pre-startup safety reviews.
- Management of change procedures.
- Incident investigation.

Piper Alpha Incident

by ashfaqanwer 25 Nov 2010, 05:06

The accident that occurred on board the offshore platform Piper
Alpha in July 1988 killed 167 people and cost billions of dollars in
property damage.
It was caused by a massive fire, which was not the result of an
unpredictable act of God but of an accumulation of errors and
questionable decisions. Most of them were rooted in the
organization, its structure, procedures, and culture.

Some of the causal factors of the incident include:
1. Platform Design issues
2. Site Mgt was not authorized to shut down the plant without prior
approval from top Mgt stationed onshore.
3. Blast walls were not available
4. Temporary under-rated blind installed in place of removed PSV
5. Communication gap between both shifts as incoming shift was
not knowledgeable on removal of PSV.
6. Emergency Response decision makers died in the first
explosion & no stand-in had been nominated
7. Fire pumps were on manual mode as divers were working on
suction line
8. Helicopter could not land on the platform due to flame & heavy
smoke
9. Inadequate firefighting equipment

My findings are as below:
1. PTW permit to work system was not up to date at that time. Nowadays
PTW has a key, lock and key safe system which ensures that
the person issuing the permit can only withdraw a permit after
unlocking the lock with the key, which is in the custody of the
Manager Operations.
2. The facility is designed for pumping oil only; it cannot be
modified for Gas extraction due to the pressure difference in oil and
gas extraction.
3. No NRVs (non return valves) are placed on branch pipe lines
connecting with the main pipe line.

Accident of ABB Generator at Jamnagar, India

STAY SAFE!!! TRAINING, TRAINING, AND MORE TRAINING!!!!!!!

Accident of ABB Generator (130.5MW) at Jamnagar, Reliance
Industries Ltd, India
Please find an accident of ABB Generator (130.5MW). It is a good
lesson to learn what can go wrong if isolation and
normalization procedures are not followed. Self isolation may lead
to disaster.
Please find below an incident which led to the complete
damage of a Steam Turbine Unit.

The main reason for this incident is "CLOSING OF CONTROL OIL
RETURN LINE MANUAL ISOLATION VALVES FOR SOME
MAINTENANCE WORK AND NOT OPENED AFTER COMPLETION OF
THE WORK".
The generator exciter end and turbine end shaft was found
sheared off and the shaft thrown into pieces. The steam turbine got
blasted and all high pressure/temperature steam and hot liquid poured
into all the cables and auxiliary systems surrounding it. The scene
was entirely like a war zone.
Findings:
In the control oil (hydraulic skid) the 4 fluid cooler isolation valves (in
the return line) on the fluid side were all found in closed condition. On
investigation, it was understood that mechanical maintenance took a
permit to replace the hydraulic oil in the Control Oil Hydraulic Skid.
The mechanical maintenance had done their own self isolation on the 4
fluid cooler isolation valves on the fluid side without informing
operations, and without reopening/normalization (as required) they
had cleared the permit.
When there was a turbine trip, the fluid could not drain from the
hydraulically operated servomotors, thus obstructing the stop valve
closure function. Due to pressure build-up in the return line the
connector on the drain line burst and the stop valves remained open
even after the trip request (until the rupture of the piping
connection that acted as a drain). Due to the closed condition of the 4
fluid cooler isolation valves (in the return line) the problem was
experienced even during the startup before the accident. The control
valves lost control and led to quick speedup (loss of control and
fast speed up); this resulted in servo valve drain port
pressurization to an abnormal level, thus preventing the correct closure
& movement of the control valves.
As per inspection, and also after examination of the event recorder
log, which indicated all the trip requests were present, it was
concluded that the cause of the accident is located in the
hydraulic part of the control
system, i.e. an improper status of the above said isolation valves,
left without normalizing after maintenance work. The defective
closure of stop and control valves upon trip request generated
a turbine/generator over-speed situation (even though it was not
possible to establish the speed value accurately as the speed went
beyond the sensing scale, but surely at least >4000 rpm).

Safety Incident Circular of a Pressure Vessel Hydrotest Failure in
China in early 2008.
This vessel was manufactured by a vessel vendor in China and
the plate was of Chinese mill origin. Unfortunately this is another
example of serious equipment/material failures with equipment
being sourced out of the rapidly developing economies such as
China, the Eastern Bloc and others. These examples are becoming
almost a weekly occurrence now and are exhibiting failure modes
not seen in the mature manufacturing economies since the
1930's. Again we need to ensure vigilance in the acceptance of
manufacturers and once more I stress the need to know where
the base materials are sourced from. Apparently this pressure
vessel had reached fifty percent of the required test pressure
when the shell ruptured. A metallurgical failure report is not
available; however, from the photographs a number of
observations could be made regarding the quality of the material
and the welding.
Lessons & Learnings:
(1) All base metal requirements shall be specified in the P.O.
Requisition per project/industry code requirements.
(2) Consult specialists (i.e., Materials and Corrosion Engineers)
whenever in doubt.
(3) All inspection (from base materials to final products) should be
performed per the codes, specs & standards.
(4) Especially when you have selected manufacturers in China, the
above (1), (2) & (3) will be a very important message.
octane, let me put some light on PHA methodologies, which are;
Qualitative Hazard / Risk Assessment
- Job Safety Analysis (JSA)
- Logic diagrams
- What-if/Checklist
- Failure Modes and Effects Analysis (FMEA)
- Hazard and Operability Study (HAZOP)
Quantitative Hazard / Risk Assessment
- Fault Tree Analysis (FTA)
- In-process energy modeling
- Event probabilities
- Risk/cost trade-off
Every method has its own limitations including pros and cons. For
example the FMEA method is frequently used to assess the hazards
and risk within any logic or control loops. And the HAZOP technique is
used for huge and complex processes, due to its systematic
approach. Whereas What-if / Checklist is very detailed and
usually recommended for simple processes due to lack of
in-scope/out-of-scope features.

SIL

The concept of safety integrity levels (SILs) was introduced during
the development of BS EN 61508 (BSI 2002) as a measure of the
quality or dependability of a system which has a safety function:
a measure of the confidence with which the system can be
expected to perform that function.
The following are 2 popular methods of determining SIL requirements
for process industry installations:
- risk graph methods
- layer of protection analysis (LOPA)
But all these methods require a lot of data, assumptions &
calculations.
Is there any key available to determine the SIL requirement for any
specific process / component?
Actually I need to determine SIL prior to designing a protection
system for an ammonia refrigeration loop which has ~15 Metric
ton ammonia in it. Should it be SIL-1 or 2 or 3?
ANSI S84.04 requires that companies assign a target SIL for all
Safety Instrumented Systems (SIS). As well, after a PHA study, the
study team may determine that certain critical systems require
that a SIL be assigned. The assignment is based on the amount of
risk reduction that is necessary to mitigate the risk associated
with the process to an acceptable level. All of the SIS design,
operation and maintenance choices must then be verified against
the target SIL.
The first step for assignment of a Target SIL is to use your (updated)
PHAs or conduct new PHAs to screen for the hazards. HAZOP is the
most commonly used methodology. If the risk is unacceptable
then it is reduced or eliminated using non-SIS or SIS elements.
You consider SIS only after all the non-SIS protection layers have
been considered. HAZOPs identify risks in terms of the likelihood
and the severity of the hazards. Target SILs are assigned to SIFs
of the SIS identified in the PHA studies. Various methodologies are
available for assignment of target SILs. As in the case of PHA
studies, the assignment of Target SILs must involve people with
the relevant expertise and experience. Methodologies used for
determining SILs include, but are not limited to:
- Consequence only
- Risk Graph
- Layered Risk Matrix
- Risk matrix
- Layer of protection
- Fault tree analysis
Whichever technique is used, the greatest increase in cost occurs
when the decision is made that the SIL must be higher than SIL 1.
The selection of SIL 2 or SIL 3 forces the SIS design toward device
redundancy and diversity. With this recognition, many companies
are taking the approach that "a safety system is a safety system
and therefore should be SIL 3". This eliminates the arguments
about whether escape is possible, someone will be injured or
killed or the impact will be on-site and/or off-site. It saves time in
the PHA process, reduces documentation in justifying the SIL
choice, and ensures consistency across process units.
Unfortunately, there is no easy answer when it comes to assigning
SILs. The choice involves examining safety, community,
environmental, and economic risks. Most importantly, tools must
be developed at the corporate level to ensure that the choice of
SIL is consistent with a companys risk management philosophy
and that the assignment method is congruent with the existing
characteristics of the corporate risk assessment methodologies.
Following can however be used as a conservative guide,

SIL 4 --- For hazards that can lead to Catastrophic Community


Impact
SIL 3 --- For hazards that can lead to Employee and Community
Impact
SIL 2 --- For hazards that can lead to Major Property and
Production Protection. Possible Injury to employee
SIL 1 --- For hazards that can lead to Minor Property and
Production Protection
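Of the methods listed in the reply above, LOPA is the one that reduces most directly to arithmetic. The following is an added example, not code from the thread or from any standard: it takes a constructed scenario, multiplies the initiating-event frequency by the PFDs of the non-SIS independent protection layers, and derives the PFD (and risk reduction factor) the SIF must supply to reach a tolerable frequency, then maps that to a SIL band using the IEC 61508 low-demand table. The initiating-event frequency, the IPL credits and the target frequency are illustrative assumptions, as is the scenario itself.

```python
"""LOPA-style target SIL determination (added example).

The initiating-event frequency, IPL credits and tolerable frequency below
are constructed for illustration; they are not values from any standard
or from the thread above. Frequencies are per year.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# IEC 61508 low-demand SIL bands as (sil, pfd_low_inclusive, pfd_high_exclusive).
# Equivalent risk reduction factor RRF = 1 / PFDavg: SIL 1 is RRF 10-100, etc.
SIL_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]


def sil_for_pfd(pfd: float) -> Optional[int]:
    """SIL band containing pfd. None if pfd >= 0.1 (RRF < 10: a SIF adds too
    little to be worth claiming) or pfd < 1e-5 (more than SIL 4, which a
    single SIF may not claim: add or strengthen non-SIS layers instead)."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return None


@dataclass
class Layer:
    name: str
    pfd: float  # PFD credited to this independent protection layer (IPL)


@dataclass
class Scenario:
    description: str
    initiating_event_freq: float      # initiating events per year
    enabling_probability: float       # fraction of time the hazard can develop
    target_freq: float                # tolerable frequency of the consequence, per year
    ipls: List[Layer] = field(default_factory=list)

    def frequency_without_sif(self) -> float:
        """Consequence frequency with all non-SIS IPLs credited but no SIF."""
        f = self.initiating_event_freq * self.enabling_probability
        for ipl in self.ipls:
            f *= ipl.pfd
        return f

    def required_sif_pfd(self) -> float:
        """PFD the SIF must achieve to bring the residual frequency down to
        target. 1.0 means the non-SIS layers alone already meet the target."""
        return min(1.0, self.target_freq / self.frequency_without_sif())

    def required_rrf(self) -> float:
        return 1.0 / self.required_sif_pfd()

    def required_sil(self) -> Optional[int]:
        return sil_for_pfd(self.required_sif_pfd())


def demo_scenario() -> Scenario:
    """Constructed scenario: BPCS level loop fails high on a suction drum,
    liquid carries over into the compressor. One non-SIS IPL is credited."""
    return Scenario(
        description="Suction drum high level -> liquid to compressor",
        initiating_event_freq=0.1,     # BPCS loop failure: once in 10 years (assumed)
        enabling_probability=1.0,      # hazard possible whenever the unit runs
        target_freq=3e-5,              # assumed tolerable frequency for this consequence
        ipls=[Layer("Operator response to independent high-level alarm", 0.1)],
    )


if __name__ == "__main__":
    s = demo_scenario()
    print(s.description)
    print(f"  frequency without SIF : {s.frequency_without_sif():.2e} /yr")
    print(f"  required SIF PFD      : {s.required_sif_pfd():.2e}  (RRF {s.required_rrf():.0f})")
    print(f"  target SIL            : {s.required_sil()}")
```

The constructed case lands in SIL 2 (required RRF about 330). Change the credited IPLs or the tolerable frequency and the answer moves, which is the point the thread makes: the SIL comes out of the company's risk targets and the layers it is prepared to credit, not out of the SIF alone.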

Difference between MAT and MDMT

Usually, MDMT is designated based on the transition temperature below which the impact energy absorption capacity starts to decrease. Ideally both MAT and MDMT should be the same. However, if you take the vessel below MDMT to get a further lower MAT, the vessel will not take any impact and will fail in brittle mode, without any elongation. It can be said that MAT can be lower than MDMT, but in that case the vessel will not be able to withstand any impact or absorb energy in case of any sudden loading.
At a specific pressure, I understand there should be a minimum allowable temperature for the vessel. If operating far below the design pressure, I understand that we can set a minimum allowable temperature even lower than MDMT. What do you think?
Yes, for that case you can have a lower temperature range. But bear in mind MDMT is for "impact loading" and not for "static loading" like pressure. If you talk about pressure only, even at design pressure you can have a temperature lower than MDMT. Think about any sudden loading case which may occur: no matter how far below the design pressure you are operating, the vessel will not take any energy and will fail suddenly.

Hydrotest after welding

A contractor has manufactured some columns for us (design is based on ASME VIII). The column has internal supports directly welded to the shell. Now the contractor wants to relocate some of these supports and weld them again at some different location inside the column with the shell. As per the AI (Authorized Inspector), a hydro test is not required after welding; only an R1 form and a repair procedure approved by the AI are required. I want to know whether it is as the AI is saying, or is a hydro test required? Is there some exemption from hydro after welding on pressure parts?
API 510 gives complete authority to the AI in deciding the need for a hydrostatic test after the weld repair.
Ask him for an appropriate NDE to be done on the new weld and the older surface.
These columns are not in service, so API 510 is not applicable. These were fabricated in a workshop and just transported to site for erection, but it came to be known that there were some support welding issues.
Looking at the kind of repair, which doesn't involve the full thickness of the material at the weld joint, a hydrostatic test doesn't stand as a necessity. Perform MPT if it is carbon steel or PT if stainless. That would satisfy the requirement of testing the new welds. In case there had been a major repair involving a butt (or groove) weld, I would have recommended 100% radiography, still with no hydro. As a client, if you still want to go for hydro after this repair, please ask the AI to go for that. Being the owner of the equipment, you have the right to raise the concern.

Pipeline hydrotesting
After sectional (partial) replacement we are planning to carry out hydrotesting of a cross-country pipeline. However, due to time constraints, one section of corroded piping is composite-wrapped at the corroded location to withstand the maximum allowable operating pressure of the pipeline. My question is, for calculating the hydrotest pressure, whether only the remaining corroded thickness will be taken into consideration without the composite wrapping, or both will be considered. Any reference standard to reply with is highly appreciated.
The test shall be done at the test pressure recommended by the construction code. What's the code in this case? The test pressure shall not be compromised for new piping sections just because of one composite repair. I would have only accepted the new sections once they are tested at 1.5 times the design pressure if following ASME B31.3 as the construction code.

Re: IS Isolators & Functional Safety??

Let me explain this by example. A device is intrinsically safe if it does not carry enough energy to cause an explosion in case a short circuit or over-current condition exists, causing ignition conditions at the device. For this purpose you have intermediate isolating devices which lie outside of the classified (Zone 0 / Div 1) area in a control cabinet, and further feed the instruments (usually sensors).
The purpose of an intrinsically safe instrument (or loop using an IS isolator) is quite different from that of an SIS. An IS isolator is used to limit the chances of an explosion, as stated in Wasif's explanation. However, an SIS is normally a protection system to protect the operating equipment in case of a parameter/process upset, often by initiating a partial or complete process shutdown.
Of course, an IS isolator may be used in an SIS. However, even in that case the purpose of the isolator would be to reduce the chances of explosion and not to improve or alter the availability of the system. An SIS may also be used without an isolator (in which case again there will be no impact on the availability of the system), but you may run the risk of letting excess energy into a classified area which might itself cause an explosion. In that case, I'd say yes, you are affecting the safety figures. An isolator in an SIS does make the overall system safer, but it does not affect the availability provided that the MTBF of the isolator is not below that of all other components in the SIS. Of course, the SIL rating of the isolator will also come into play then. I hope I have understood your query and responded accordingly.
Dear Ali, IS isolators are part of the SIS loops; we agree on that. Since SIL calculations are done at the loop level, not at the system level, the availability figures of IS isolators and all possible failure scenarios of IS isolators are also required. I agree with the concept that IS isolators are used to reduce the probability of explosion in the hazardous area, but I don't agree that it doesn't alter the availability of the system. In functional safety there are two things which are greatly emphasized:
1) Safety when all components are integrated together, and safety at component level
2) Availability of the smallest items can affect the availability of the whole system (a system is only as strong as its weakest link)
In simple words, failure of IS isolators will result in failure of loop functionality, which in turn will result in failure of the safety function.
"High availability does not always ensure safety." A safe device is made with the intention to ensure safety; an available device is made with the intention to maximize availability. My query was what kind of impact we'll see in an SIS due to IS isolator failures, and what kind of IS isolator failures we should look into when designing an SIS?

RBV or MOV?
RBV is a Remote Block Valve. It's basically an isolation valve or ESD valve.
Question: Is there any standard that determines pneumatically operated valves or motor operated valves for purposes of isolation of a natural gas line during a fire?
Okay, well, yes, volume isolation needs to be enforced for pipeline applications. MOVs MAY be used for shutdown applications; there is a variety of SIL 3 certified EH valves available on the market with spring return (enabling a fail-safe position). You just have to take notice of your process requirements, most significantly the closure time. Especially with liquids, closure time is very sensitive. You need quick closure, but you don't need slam-shut, otherwise a surge can occur. Then, since this is going to be a remote location, you need to consider the supply of power to the MOV: check with your electrical disciplines whether you can take LV cables over the distance that you require. Additionally, you will need a 415 V UPS, since MOVs on emergency service will most definitely need to be powered from a UPS; a regular power supply will not do. So you can compare the cost of installing a 415 V UPS and the feasibility of running power cables to remote areas against the option of pneumatic valves. The point is, you can use a suitable MOV for isolation, but conventional pneumatic valves are more reliable. And in most cases, pneumatic valves will also prove to be more economically and technically feasible. Once you do a background study on all the requirements of both cases, you'll get a clearer picture of your particular scenario.
Thanks Absar. The central idea I'm taking here is that there is nothing against standards in using either an MOV or conventional pneumatic valves. It basically comes down to technical and economic feasibility. What does the acronym "EH" refer to though?
Electro-hydraulic. Because you will definitely not be using conventional electrical-only motorized valves for safety applications. And yeah, there is nothing in the standards against using EH valves, because SIL 3 certified valve actuators are available on the market. But application of those is rarely ever feasible, so a background study is a must here.

PLC - Architecture Vs Safety

Hi Guys, is a QMR architecture much safer than a TMR or DMR? Is there any relationship between architecture and safety?
Sameen, it's obvious that in N-modular redundancy the chance of incidents due to malfunctioning of a loop decreases as N increases, but at the cost of higher capital cost. So yes, QMR is much more reliable than TMR and DMR. Reliability is defined as the probability of not failing in a particular environment for a specific mission time. Reliability is a statistical probability and there are no absolutes or guarantees. The goal is to increase the odds of success as much as you can within reason. So we can say safety is a function of reliability, i.e. the higher the reliability of the control system, the safer your equipment will be.
Hi Ibrahim, I agree with the concept of reliability. But safety is something that is embedded into the system. For a safety system, the most important thing that you always want is that it should fail in a predetermined safe state. By using different architectures, we increase the availability of the system and in turn the reliability of the system, but in the meantime we make it more complex. Tests are performed to figure out all the possible failure scenarios and measures are taken so that if the system fails it should not fail in a dangerous state. But looking at the system complexity, the big question comes: have we covered all possibilities? The answer is NO, and not knowing is big enough justification. So a system can be more reliable and more available, but I doubt that it becomes safer with a complex architecture. So the question still stands: is a QMR architecture "SAFER" than TMR or DMR?
Sameen,
The answer to this question is not very simple. However, if I were to place the redundancy schemes in order of safety, this is what my order would be:
2oo4 / 1oo3 --> 2oo3 / 1oo2D --> 2oo2
Control systems have 2 important parameters that a consumer might be interested in:
1- the system does not fail, i.e. high availability or fault tolerance,
2- the system must fail in a safe manner, i.e. high safety level.
You are absolutely correct in saying that as availability increases, safety level is compromised.
For instance, 1oo1 voting is the simplest to install. It can be programmed to be fail-safe and hence vote a trip. The disadvantage of the scheme is that the production losses will be higher due to false trips, and therefore the system cannot be termed fault-tolerant at all. 1oo1D voting is an improvement over 1oo1 voting; the architecture improves fault tolerance by converting dangerous failures into safe failures by de-energizing the output.
Comparing this to the 2oo2 configuration, now both votes will need to be present to effect a shutdown. The system will be more fault tolerant than the 1oo1 configuration, but the safety level will be compromised since there will be conditions in which one of the units might be out of service (for instance during maintenance), and in that case, even if the other unit votes a trip, the trip will not be actuated. The 2oo2 configuration is also referred to as a 2-1-0 scheme. It is estimated to be three times more available than the TMR architecture, but only half as safe as a simplex (single channel) configuration. This is because both channels must fail for the system to experience a spurious trip, and both must operate for the system to achieve the safe state, and herein lies the problem.
The solution is provided by the 1oo2D configuration, which provides the availability level of the 2oo2 scheme and the safety level of the 1oo1 scheme. In the 1oo2D configuration the convention used will be that only one of the two votes need be present to shut down. In case of a single failure, its diagnostic contact will open the output channel and remove that unit from service. The SIS function then continues to be performed by the remaining channel. The system can then be said to be operating in a 1oo1D configuration. That is, normally the scheme operates with a 2-1-0 configuration but reverts to a 2-0 scheme when a fault occurs that cannot be resolved. However, such a scheme depends greatly on the system's internal diagnostics.
Then come the TMR systems. The advantage of the TMR system is their relatively lesser dependence on the system's internal diagnostics. Simple voting can be used to determine a fault in any one of the units, after which the faulty unit can be eliminated from control. The TMR systems also have 2 possible degradation modes, the 3-2-0 and the 3-2-1 mode, the former being safer while the latter ensures higher availability. The level of fault tolerance can definitely be improved if adequate internal diagnostics are also incorporated into the TMR scheme. Summing it up, the objective of increasing redundancy is to improve availability and not safety. The determining factor is how the system (whether DMR, TMR or QMR) is designed to ensure a high safety level in spite of increased redundancy, and that pretty much depends on how the manufacturer has designed the internal diagnostics of the system, that is to say how the manufacturer has ensured that there is no instance where a process may be left in a vulnerable state. For instance, there are some QMR control systems that have 2 independent channels, both channels being redundant within themselves (that's how they get the QUAD configuration) and capable of operating at SIL 3 independently. Moreover, the two channels are entirely isolated and keep monitoring each other for faults. The internal diagnostics are designed such that at least one of the channels must be entirely fault-free for continued operation. In addition, what also determines how safe/available a system is are the possible degradation modes available. In that aspect, the QMR scheme is at least comparable with the TMR scheme since both have the same number of degradation modes, i.e. 3-2-0 and 4-2-0. Another aspect is comparison of PFD(avg) expressions for each system. Referring to ISA TR84.02, Part 2, 1998, one can quickly determine that the Quad (2oo4) architecture is comparable to the ultra-safe 1oo3 architecture, as both have cubic terms in their equations for PFD. By comparison, TMR (2oo3) is comparable to the 1oo2D architecture in that both have squared (second order) terms in their equations. This comparison concludes that the QMR (2oo4) architecture provides an order of magnitude better safety performance than either the TMR (2oo3) or 1oo2D architecture, and is a major technological enhancement in safety system performance. Here's a comparison of these architectures:
1oo2: PFDavg = (λDU)^2 x (TI/3)^2 + . . .
1oo3: PFDavg = (λDU)^3 x (TI/4)^3 + . . .
2oo3: PFDavg = (λDU)^2 x (TI)^2 + . . .
2oo4: PFDavg = (λDU)^3 x (TI)^3 + . . .
This is the reason why I listed the schemes in the order that I did at the start of my reply. I hope I have clarified.
Just a thought - first, the level of redundancy does not imply a safer system. Even a simple redundant system can be safer than a QMR system (as proven by many FMEDA reports that can be viewed on the websites of system vendors, including Invensys). If a system is rated for the particular SIL level, the level of redundancy of the system, in my opinion, is irrelevant.
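To make the architecture comparison in the thread above concrete, here is an added example (my own, not code from the thread or from ISA TR84): it evaluates the simplified low-demand PFDavg approximations for the common MooN voting groups from one closed form, given a dangerous undetected failure rate λDU and a proof-test interval TI, and maps the results to IEC 61508 SIL bands. It goes a little beyond the thread by treating every MooN group with the same formula rather than listing four of them. It ignores common-cause failure (the β factor), detected dangerous failures and imperfect proof testing, all of which a real SIL verification must add, and the λDU and TI figures are assumptions.

```python
"""Simplified PFDavg for MooN voting architectures (added example).

Assumptions: low-demand mode, identical channels, dangerous undetected
failure rate lambda_du (per hour), proof-test interval ti (hours), perfect
proof testing and no common-cause (beta) term. These are the first-order
approximations used in IEC 61508 / ISA TR84.00.02 style hand calculations;
a real verification adds beta, lambda_dd with repair time and proof-test
coverage, and sums sensor, logic solver and final element.
"""
from math import comb
from typing import Dict, Optional


def pfd_avg_moon(m: int, n: int, lambda_du: float, ti: float) -> float:
    """PFDavg of an MooN group: the safety function is lost once
    k = n - m + 1 channels have failed dangerous undetected.

    For identical channels whose unavailability grows linearly over the
    proof-test interval, averaging (lambda_du*t)^k over [0, ti] gives
    x^k / (k+1) with x = lambda_du*ti, and there are C(n, k) such subsets:
        PFDavg ~= C(n, k) * x^k / (k + 1)
    This reproduces 1oo1 = x/2, 1oo2 = x^2/3, 2oo2 = x, 2oo3 = x^2,
    1oo3 = x^3/4 and 2oo4 = x^3 (the leading terms only).
    """
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    k = n - m + 1
    x = lambda_du * ti
    return comb(n, k) * x ** k / (k + 1)


def sil_for_pfd(pfd: float) -> Optional[int]:
    """IEC 61508 low-demand SIL band for a PFDavg; None if worse than SIL 1.
    Values below 1e-5 are reported as 4: a single SIF cannot claim more."""
    if pfd >= 1e-1:
        return None
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


ARCHITECTURES = {
    "1oo1": (1, 1), "1oo2": (1, 2), "2oo2": (2, 2),
    "2oo3": (2, 3), "1oo3": (1, 3), "2oo4": (2, 4),
}


def compare(lambda_du: float, ti: float) -> Dict[str, float]:
    """PFDavg of every architecture in ARCHITECTURES for the same channel data."""
    return {name: pfd_avg_moon(m, n, lambda_du, ti) for name, (m, n) in ARCHITECTURES.items()}


if __name__ == "__main__":
    # Assumed channel data: lambda_du = 5e-7 /h (about 4.4e-3 /yr), annual proof test.
    lam, ti = 5e-7, 8760.0
    for name, pfd in sorted(compare(lam, ti).items(), key=lambda kv: kv[1]):
        print(f"{name}: PFDavg = {pfd:.2e}  RRF = {1 / pfd:10.0f}  SIL {sil_for_pfd(pfd)}")
```

With these numbers the cubic architectures (1oo3, 2oo4) sit far below the squared ones (1oo2, 2oo3), which in turn sit far below 1oo1 and 2oo2, matching the ordering argued in the thread. The ordering holds only while λDU·TI is well below 1; once a β factor is added, the common-cause term, which is first order in λDU·TI, usually dominates every redundant architecture and pulls them much closer together.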

What is the link... "Inherent Safety & Functional Safety"

Functional safety is concerned with products or systems whose failure to operate reliably could harm people or the environment. It is the part of the overall safety that depends on the correct function of safety-related systems for risk reduction. These systems have to carry out their intended functions (safety functions) under defined error conditions and with a defined high probability. An inherently safe process, on the other hand, has a low level of danger even if things go wrong. In the context of the process industry, an inherently safe design is one that avoids hazards instead of controlling them, particularly by reducing the amount of hazardous material and the number of hazardous operations in the plant. In simpler words, inherent safety implies that the process/equipment is designed such that even in case of a failure, the level of danger will be low and therefore would not result in serious personnel/equipment damage. Functional safety, on the other hand, is a concept applied to a safety system put in place to reduce or mitigate the risks of a process going wrong, or to prevent the process from going wrong in the first place.
Inherent safety is a concept particularly used in the chemical and process industries. An inherently safe process has a low level of danger even if things go wrong. It is used in contrast to safe systems where a high degree of hazard is controlled by protective systems. It should not be confused with intrinsic safety, which is a particular technology for electrical systems in potentially flammable atmospheres. As perfect safety cannot be achieved, common practice is to talk about inherently safer design. An inherently safer design is one that avoids hazards instead of controlling them, particularly by reducing the amount of hazardous material and the number of hazardous operations in the plant.
Functional safety is the part of the overall safety of a system or piece of equipment that depends on the system or equipment operating correctly in response to its inputs, including the safe management of likely operator errors, hardware failures and environmental changes.

Line monitoring & SIL 3 applications??

Hi Guys, is line monitoring a mandatory requirement for SIL 3 applications?
I think you are confusing LOPA and SIL. Line (piping network or pipeline) monitoring is a function of LOPA (Layer Of Protection Analysis) and as far as I know it has no relation with Safety Integrity Level(s). SIL is a function of electronic control and protection systems, whereas inspection plans for pipelines, PSVs and other mechanical protections are governed by LOPA.
Yep, I got it now. Sameen, as far as I know the line monitoring technique is a sort of preventive maintenance. Either you have configured some logic in the PLC to diagnose an open or short circuit and let the operator know through an alarm, or you do it through a maintenance plan manually. Maintenance of the associated SIS, for proper functioning, is a mandate for that specific SIL. For example, if a SIF loop failed to execute on demand due to lack of maintenance, the safety integrity level decreased due to the associated SIF failure. So yes, line monitoring is a mandatory requirement for all SILs. Mostly, independent on-skid type PLCs force shutdown of the system in case of open/short circuits. (I have experienced such a configuration in SOLAR gas-turbine driven compressors.)
Hi Ibrahim, I don't agree that line monitoring is used for maintenance. It is one of the fault detection techniques, the same as functionality checking, consistency checking, signal comparison, checking pairs, loopback testing, watchdog timers, bus monitoring and power supply monitoring, and a safety PLC diagnoses the system again and again to detect faults which can make the system fail in a dangerous mode. The main objective of such a huge number of diagnostic and fault techniques is to detect hidden (latent) faults. Thus, line monitoring in actual fact improves the PFD of the system; thus it is mandatory for SIL 3 applications. For a fault tolerant system three things are important: fault detection, fault isolation and fault identification. Mostly a simplex safety system is designed to fail safe on single fault detection, but in redundant safety system architectures fault isolation and fault identification can really improve the PFD figures of a safety system. Major requirements for a SIL 3 loop are redundancy and line monitoring of I/Os. Line monitoring is a mandatory requirement, but the question arises whether it will make the loop fail in a safe manner. The answer is NO (it is only a fault detection technique); therefore, for a SIL 3 loop, redundancy is a must requirement, so that in case there is a STUCK ON or OFF, the loop will be voted and the fault will be detected and isolated for maintenance. There were days when relay based systems were used for ESD and BMS applications. I don't think they were using any line monitoring; that is why they used to have many spurious trips and a lot of safety incidents.
Excellent knowledge sharing, I must say. So we concluded that line monitoring is a must, but where redundancy is available, it's better to alarm the operator about faults in the line rather than just tripping the machine upon a loose connection.
Guys, that's a pretty good discussion here. Sameen, it seems quite convincing from your account that line monitoring is an important element as far as SIL implementation is concerned. The next direct question that I want to draw here is, how is the line monitoring technique generally employed? I've come across accounts where the use of an end-of-line module or resistors is discussed, but it is still quite vague to me as to how the technique is generally useful. Can one of you guys throw some light on this please? I'd even love it if anyone of you can share some literature or a link regarding the same.
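As a concrete illustration of the end-of-line resistor technique asked about above, here is an added example (my own, not from the thread or from any vendor's documentation): a supervised discrete input where a series resistor sits with the normally closed contact and a parallel resistor bridges it, so that healthy, demanded, shorted and broken loops each fall in a distinct resistance band and the logic solver can tell a genuine trip from a cable fault. The resistor values, tolerance bands, the card topology used to measure the loop and the trip-or-alarm policy are all assumptions.

```python
"""Line monitoring of a supervised (end-of-line resistor) discrete input.

Added example; resistor values, tolerances and thresholds are assumed.
Circuit: a normally closed contact with R_SERIES in series with it and
R_PARALLEL bridging the contact, measured from the input card.

  healthy (contact closed)      R_loop = R_SERIES
  demand  (contact opened)      R_loop = R_SERIES + R_PARALLEL
  wire break / unplugged cable  R_loop -> infinity
  cable short                   R_loop -> 0

Without the resistors an open cable is indistinguishable from a demand
(spurious trip) and a shorted cable from a healthy contact (a real demand
is masked: a dangerous undetected failure). The resistors turn both into
detectable line faults.
"""
from enum import Enum
import math

R_SERIES = 1_000.0      # ohms (assumed)
R_PARALLEL = 10_000.0   # ohms (assumed)
TOLERANCE = 0.20        # +/- band around each expected value (assumed)
SHORT_LIMIT = 100.0     # ohms: below this the cable is shorted (assumed)
OPEN_LIMIT = 1.0e6      # ohms: above this the cable is open (assumed)


class LoopState(Enum):
    HEALTHY = "healthy"             # contact closed, no demand
    DEMAND = "demand"               # contact open: genuine trip request
    SHORT = "fault_short"           # cable shorted; a demand would be masked
    WIRE_BREAK = "fault_open"       # cable open; not a demand
    OUT_OF_RANGE = "fault_unknown"  # resistance matches no expected band


def _within(value: float, expected: float, tol: float = TOLERANCE) -> bool:
    return expected * (1.0 - tol) <= value <= expected * (1.0 + tol)


def classify(r_loop_ohms: float) -> LoopState:
    """Map a measured loop resistance to a loop state."""
    if r_loop_ohms > OPEN_LIMIT:          # also true for math.inf
        return LoopState.WIRE_BREAK
    if r_loop_ohms < SHORT_LIMIT:
        return LoopState.SHORT
    if _within(r_loop_ohms, R_SERIES):
        return LoopState.HEALTHY
    if _within(r_loop_ohms, R_SERIES + R_PARALLEL):
        return LoopState.DEMAND
    return LoopState.OUT_OF_RANGE


def loop_resistance(v_supply: float, v_sense: float, r_sense: float) -> float:
    """Recover R_loop when the card drives the loop from v_supply through a
    known sense resistor and measures the voltage across that resistor
    (assumed card topology). No voltage across the sense resistor means no
    current, i.e. an open loop."""
    if v_sense <= 0.0:
        return math.inf
    current = v_sense / r_sense
    return v_supply / current - r_sense


def safety_action(state: LoopState, redundant_channel_healthy: bool) -> str:
    """Assumed policy: a demand always trips. A line fault trips a simplex
    channel (it can no longer be trusted to report a demand); with a healthy
    redundant channel it is alarmed for maintenance instead, as discussed in
    the thread above."""
    if state is LoopState.HEALTHY:
        return "run"
    if state is LoopState.DEMAND:
        return "trip"
    return "alarm_line_fault" if redundant_channel_healthy else "trip_and_alarm_line_fault"
```

The bands must not overlap once component tolerance, cable resistance and temperature drift are added, which is why the parallel resistor is chosen an order of magnitude larger than the series one; a resistance that lands between the bands is reported as a fault rather than guessed at.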

4 Rules For Designing Safety into Control Systems

Nov 13, 2012 3:47:49 AM | Posted by Brad Ems

When you see a talk about safety, your first expectation is probably something on proper PPE, procedures or other aspects of safety that are typical fodder for safety toolbox talks. What I'd like to discuss in this post, at least in a very general way, is how to design safety into your process control system.

First off, a disclaimer: I am an engineer, although not (yet) a PE, and I have no certification in any safety-related field. I do have roughly 30 years of experience in working around heavy equipment, much of it quite dangerous to life, limb, and property if the risks are not properly managed. In that time, a picture of what process safety is and how to achieve it has become clear.

That said, safety is not something that can be overlaid onto a process as an afterthought, at least not quickly, easily, or cheaply. For proper implementation of a safe process system, safety concepts must be designed in from the outset. Ideally, once the basic process design is complete and drawings are available, a deep review of them begins. This review has a number of names, but I'll call it the process hazard analysis (PHA). This analysis looks at the hazards of the process, their scope, severity, and probable frequency of occurrence. From this, a hazard mitigation plan is developed. Several standards have been developed to quantify these risks, such as IEC 61508 and IEC 61511, which define safety integrity levels (SILs). Be sure to choose one applicable to your process and industry before initiating the PHA.

The first line of defense in any process is the basic process control system (BPCS), which should be designed and programmed to keep all process parameters within safe limits, and to alarm and/or take action when those limits are approached. The PHA, however, will almost certainly have shown that there are some risks in your system that have sufficient frequency, severity, or scope that they require mitigation that is more reliable than a standard BPCS can provide.

That is where the safety system comes in. A properly-designed safety system will examine inputs from the system (which may also include operator-initiated devices like E-stop buttons), and through logical analysis decide if a hazardous situation exists. Should such a condition be detected, the safety system will then shut down the process in a predefined, orderly manner designed to remove energy from the process and put it into a safe condition. Note that process design here is extremely important: valves, dampers, and other actuators must be designed to fail both electrically and mechanically in a safe condition.

4 basic rules for the safety system include:

1. It is usually separate from the BPCS. There are safety controllers that integrate both safety and non-safety devices, but their functions are still distinct. More common are systems that have completely separate hardware and/or software from the BPCS.

2. Redundancy is almost always a requirement. In all but the most benign and riskless processes, there will be hazards that require a high degree of reliability. To achieve this, redundant circuits, devices, and even controllers are implemented to prevent a single point of failure from allowing the safety function to fail when called upon.

3. The safety system is self-monitoring. Safety output devices (relays, valves, VFDs, etc.) are monitored by the safety system itself to ensure that they do indeed move to a safe state when called upon to do so. Should a safety device fail, its redundant partner will still bring the process to a safe shutdown state, and the safety system must then prevent the BPCS from allowing operation until the failed component is repaired or replaced. In addition, most safety systems have the ability to self-monitor for wiring problems that may prevent reliable operation, though they may require special wiring and/or programming to enable this feature.

4. Devices in the safety system must be rated for safety duty. Devices such as contactors, VFDs, pushbuttons, valves, transmitters, and so on, are available for duty in safety systems. Be sure to confirm that the devices you are choosing are so rated, as they are made with specialized materials and designed for high reliability.

Process safety has become a more critical focus of industry in the past twenty years, with many manufacturers marketing products and services intended to achieve a high degree of reliability in shutdown systems. As a result, prices for hardware and software have plummeted and it is no longer a difficult or expensive task to find vendors and support for your design efforts. It is therefore a high priority, in my mind, that engineers take the time to understand how safety systems are properly implemented to protect their employers' and clients' property, surrounding communities, environment, employees, and bottom line.
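Rule 3 in practice: the following is an added example, not the author's code, of the feedback (readback) logic a safety controller applies to one output. The controller drives a de-energize-to-trip output, expects a feedback contact (valve limit switch or relay mirror contact) to confirm the commanded state within a travel-time allowance, and on disagreement latches a fault that forces the safe state and blocks the restart permissive until a maintenance reset with the device confirmed safe. The I/O arrangement and the timeout value are assumptions.

```python
"""Self-monitoring of a safety output through feedback (added example).

Assumed I/O: a de-energize-to-trip output (valve solenoid or safety relay)
and one feedback input that reads True when the device is confirmed in
its safe, tripped position (limit switch or mirror contact). Times are
seconds; FEEDBACK_TIMEOUT_S is an assumed travel-time allowance.
"""
from dataclasses import dataclass

FEEDBACK_TIMEOUT_S = 2.0   # assumed: device must confirm a new state within this time


@dataclass
class OutputMonitor:
    energized: bool = False     # start de-energized: the safe state
    changed_at: float = 0.0     # time of the last commanded state change
    latched_fault: bool = False
    fault_reason: str = ""

    def restart_permissive(self) -> bool:
        """The BPCS may only be allowed to run when no fault is latched."""
        return not self.latched_fault

    def command(self, energize: bool, now: float) -> bool:
        """Energize (run) or de-energize (trip). Energizing is refused while
        a fault is latched; tripping is always accepted."""
        if energize and not self.restart_permissive():
            return False
        if energize != self.energized:
            self.energized = energize
            self.changed_at = now
        return True

    def update(self, now: float, feedback_safe: bool) -> None:
        """Call every scan. Feedback must agree with the commanded state;
        disagreement is tolerated only during the travel-time window after
        a command. The first detected fault is the one kept."""
        if self.latched_fault:
            return
        expected_safe = not self.energized
        if feedback_safe == expected_safe:
            return
        if now - self.changed_at <= FEEDBACK_TIMEOUT_S:
            return  # device still moving
        if expected_safe:
            self._latch(now, "device did not reach safe state after trip")
        else:
            self._latch(now, "feedback shows safe state while output energized")

    def reset(self, now: float, feedback_safe: bool) -> bool:
        """Maintenance reset after repair. Accepted only with the output
        de-energized and the device confirmed in the safe state."""
        if self.energized or not feedback_safe:
            return False
        self.latched_fault = False
        self.fault_reason = ""
        self.changed_at = now
        return True

    def _latch(self, now: float, reason: str) -> None:
        # A detected output fault is itself a trip: drive the safe state,
        # block restart and record why.
        self.latched_fault = True
        self.fault_reason = reason
        self.energized = False
        self.changed_at = now
```

Both disagreement directions are faults: a device that fails to reach the safe state after a trip is the dangerous case the rule is about, while a device that reports the safe state while energized means the feedback wiring or the device itself is wrong and the next trip could not be confirmed either. With a redundant partner, the same monitor runs per channel and a latched fault on one channel still leaves the other to carry the shutdown, but the restart permissive stays blocked until the faulted channel is repaired, as the rule requires.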

Safe Failure Fraction (SFF)

The safe failure fraction is similar to diagnostic coverage (DC) but also takes account of any inherent tendency to fail towards a safe state. For example, when a fuse blows, there is a failure, but it is highly probable that the failure will be to an open circuit which, in most cases, would be a safe failure. SFF is (the sum of the rate of safe failures plus the rate of detected dangerous failures) divided by (the sum of the rate of safe failures plus the rate of detected and undetected dangerous failures). It is important to realize that the only types of failures to be considered are those which could have some effect on the safety function. Most low complexity mechanical devices such as E-stop buttons and interlock switches will (on their own) have a relatively low SFF. Most electronic devices for safety have designed-in redundancy and monitoring, therefore an SFF of greater than 90% is common, although this is usually completely due to the diagnostic coverage capability.
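The definition above turns directly into a small calculator. The following is an added example, not from the text: given a device's safe, dangerous-detected and dangerous-undetected failure rates (or a dangerous rate plus a diagnostic coverage), it returns SFF and DC for the three cases the passage describes: a fuse-like device with a high inherent tendency to fail safe and no diagnostics, a simple contact with few safe failures and a low SFF, and an electronic device whose SFF is almost entirely diagnostic coverage. It goes beyond the passage in one respect, by also looking up the maximum SIL a subsystem may claim for a given SFF and hardware fault tolerance from the IEC 61508-2 route 1H tables. All device failure rates are constructed.

```python
"""Safe failure fraction (SFF) and diagnostic coverage (DC) calculator.

Added example. Failure rates are per hour; only the ratios matter. The
device figures at the bottom are constructed to match the three cases
discussed in the text.
  SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_DD + lambda_DU)
  DC  =  lambda_DD / (lambda_DD + lambda_DU)
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class FailureRates:
    safe: float                  # lambda_S: failures that leave the safety function in its safe state
    dangerous_detected: float    # lambda_DD: dangerous failures revealed by on-line diagnostics
    dangerous_undetected: float  # lambda_DU: dangerous failures revealed only by proof test or demand

    @classmethod
    def from_coverage(cls, safe: float, dangerous: float, dc: float) -> "FailureRates":
        """Split a total dangerous rate by diagnostic coverage dc in [0, 1]."""
        if not 0.0 <= dc <= 1.0:
            raise ValueError("dc must be between 0 and 1")
        return cls(safe, dangerous * dc, dangerous * (1.0 - dc))

    def sff(self) -> float:
        total = self.safe + self.dangerous_detected + self.dangerous_undetected
        return (self.safe + self.dangerous_detected) / total

    def dc(self) -> float:
        dangerous = self.dangerous_detected + self.dangerous_undetected
        return self.dangerous_detected / dangerous if dangerous else 1.0


# Going beyond the text: IEC 61508-2 (2010) route 1H architectural
# constraints, i.e. the highest SIL a subsystem may claim from its SFF and
# hardware fault tolerance (HFT). Type A: simple devices with well-defined
# failure modes (Table 2); Type B: complex, e.g. microprocessor based
# (Table 3). Indexed [sff_band][hft]; None means not allowed.
SFF_BAND_EDGES = [0.60, 0.90, 0.99]                 # <60 %, 60-90 %, 90-99 %, >=99 %
MAX_SIL_TYPE_A: List[List[Optional[int]]] = [[1, 2, 3], [2, 3, 4], [3, 4, 4], [3, 4, 4]]
MAX_SIL_TYPE_B: List[List[Optional[int]]] = [[None, 1, 2], [1, 2, 3], [2, 3, 4], [3, 4, 4]]


def sff_band(sff: float) -> int:
    return sum(1 for edge in SFF_BAND_EDGES if sff >= edge)


def max_claimable_sil(sff: float, hft: int, type_b: bool) -> Optional[int]:
    """Maximum SIL claimable on route 1H, or None if the combination is not allowed.
    HFT above 2 earns no further credit in the tables."""
    table = MAX_SIL_TYPE_B if type_b else MAX_SIL_TYPE_A
    return table[sff_band(sff)][min(max(hft, 0), 2)]


# Constructed devices (rates per hour, illustrative only).
FUSE = FailureRates(safe=9.5e-8, dangerous_detected=0.0, dangerous_undetected=5.0e-9)
# A fuse mostly fails open, which is safe here: high SFF with no diagnostics at all.
ESTOP_CONTACT = FailureRates(safe=2.0e-8, dangerous_detected=0.0, dangerous_undetected=8.0e-8)
# A welded or stuck contact is dangerous and unrevealed: low SFF on its own.
SMART_TX = FailureRates.from_coverage(safe=3.0e-7, dangerous=4.0e-7, dc=0.95)
# An electronic transmitter whose SFF comes almost entirely from diagnostic coverage.

if __name__ == "__main__":
    for name, dev in [("fuse", FUSE), ("e-stop contact", ESTOP_CONTACT), ("smart transmitter", SMART_TX)]:
        print(f"{name:18s} SFF={dev.sff():.3f}  DC={dev.dc():.2f}  "
              f"max SIL at HFT 0: type A={max_claimable_sil(dev.sff(), 0, False)} "
              f"type B={max_claimable_sil(dev.sff(), 0, True)}")
```

The e-stop contact shows why low-complexity devices are normally used with redundancy or with a monitoring circuit: on its own its SFF is about 20%, which caps a type A device at SIL 1 with HFT 0. The transmitter reaches an SFF above 90% only because of its diagnostics, and would fall to about 43% if the diagnostics were discounted, which is the caveat the passage ends on.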

Use Elegant Design to Bolster Inherent Safety


Embrace a variety of strategies that can eliminate hazards from
operation
Trevor Kletz was able to simplify the concept of inherent safety in
such a way that everyone gets it. His mantra What you dont
have cant leak is so clear and powerful that it has grabbed the
attention of all stakeholders, including owner/operators, labor,
community members and regulators, who have an interest in
safer processing facilities of all types. It expresses a vision that
we all seek, one where no harm comes from the operation of
process facilities that manufacture the materials that make our
lives better every day. Of course, the concept of inherent safety
goes beyond simply not having materials that potentially could
damage the pipes, vessels and equipment that make up
manufacturing facilities. We must understand all the ways those
materials can be involved in incidents that harm people, the
environment and our facilities. Without a thorough understanding
of those scenarios and how they can occur, we cant properly
evaluate the risks posed by different technological approaches
and effectively apply inherently safer technologies.

Sulfonic Acid Plant


Figure 1. Traditional design includes a compressor and knockout
drum.
For example, the lower annual corrosion rate of a stainless alloy
compared to carbon steel in some processes may seem
compelling. However, chloride exposure may cause stress
corrosion cracking in the alloy; this damage is difficult to detect
before a catastrophic component failure occurs. So, in fact, the
inherently safer option may be to use carbon steel while
implementing a strong inspection and replacement program that
manages the hazard of corrosion effectively.
Fundamental Strategies
Kletz in his groundbreaking 1984 paper [1] described four basic
strategies for achieving inherently safer processes:

intensification;
substitution;
attenuation; and
limitation of effects.
In its 2007 book, Inherently Safer Chemical Processes: A Life
Cycle Approach [2], the Center for Chemical Process Safety
translated those terms into simpler ones readily understood by a
wider audience than just safety professionals:
substitute: replace a material with a less hazardous one;
minimize: reduce the quantities of hazardous substances;
moderate: use less hazardous conditions, a less hazardous
form of a material or facilities that minimize the impact of a
release of hazardous material or energy; and
simplify: design facilities that eliminate unnecessary
complexity and make operating errors less likely, and that
accommodate errors that occur.
Let's consider their application to the use of a chlorine cylinder:
substitute: change from chlorine to a bromine tablet;
minimize: keep only one cylinder on the site;
moderate: connect a vacuum inductor to the cylinder; and
simplify: adopt a distinct design with unique connections for
chlorine hoses.
Other strategies can complement these simple ones. Here, we
introduce the phrase "elegant design" to represent the selection
of process technology, equipment, design or layout that makes
higher-potential-consequence scenarios non-credible. Elegant
design may take advantage of a number of Kletz's strategies
and may even go beyond them to achieve risk reduction,
minimization, or elimination.

Figure 2 (Safer Set-Up). Modified design requires less inventory of
SO2 and eliminates equipment that could leak toxic material.
Simply put, the concept of inherently safer design is: "What can't
happen can't happen."

Any number of design features can contribute to preventing
something from happening. Substitution and some elegant design
solutions can provide absolute certainty against an occurrence.
Minimization, moderation and other elegant designs can afford a
reasonable certainty. Instructions and procedures can help but
offer the least degree of certainty. All are desirable steps toward a
safer processing facility.

Not every strategy has to result in the complete elimination
of the hazard or risk scenario. When we can make an incorrect
action or assembly impossible (or at least very difficult) or design
to accommodate the error without harm, we use the term
"mistake proofing." Where doable at a reasonable cost, this may
be an attractive strategy because it rarely introduces alternative
scenarios. For our chlorine cylinder example, mistake proofing
might include using unique connections for the hoses.

In contrast, "mistake tolerant" systems provide timely feedback
when a mistake happens, the means (either before or after loss of
containment) to correct the error before an undesirable outcome
occurs, or, if not corrected, reduced consequences from the
mistake. For the chlorine cylinder, a mistake tolerant strategy
might involve isolating chlorine inside buildings that have a
chlorine vapor recovery system.
Putting The Strategies To Use
To illustrate the application of inherent safety strategies, let's look
at several real-world situations: sulfonic acid plant design,
aluminum chloride (AlCl3) handling, a utility station and an
electrical switchgear.
Sulfonic acid plant design. Reacting sulfur trioxide (SO3) dissolved
in sulfur dioxide (SO2) with an alkylate feed produces sulfonic
acid. This is an exothermic reaction that boils off SO2 as its
primary means of heat removal. The SO2 performs the role of
mutual solvent to allow intimate contacting between alkylate and
SO3, which otherwise would only react at their mutual surface. All
of the materials are flammable. The SO2 and SO3 are both
inhalation toxics.

The heat of reaction boils the SO2 and SO3 from the reactor. In
the traditional plant design (Figure 1), two drums collect the
boiled-off vapor and allow the return of SO3 and any knocked-out
liquid to the reactor. A compressor and cooling water exchanger
provide cooled, liquefied SO2 for recycling to the reactor.
Following inherently safer design principles, the process was
modified to eliminate the compressor and collector drums and
replace the standard pumps with seal-less ones (Figure 2). This
very significantly reduced the inventory of SO2 required to
operate the process and removed two pieces of rotating
equipment, each of which had the potential to leak toxic material
to the air. In addition, because a Freon refrigerant is used, the
bulk of the SO2 now is at a temperature not far from its boiling
point, which minimizes vaporization in the event of a leak.
However, these process safety improvements were achieved by
using an ozone reactive material rather than cooling water.
The minimization and moderation strategies enhanced process
safety but opportunities exist to make the process even more
inherently safe:
Use the cooling exchanger as knockout pot and provide for
gravity drain of cooled SO2 back to the reactor, eliminating the
pump. (This requires relocation of the SO3 injection point.)
Find a safer solvent than SO2.

Figure 4. In the event of drain-line plugging, water will overflow at
the air break rather than back up into the silo.
In addition, even greater inherent safety may be possible by
avoiding the process altogether, such as by switching to sulfonic
acid alternatives that are made via inherently safer processes.

Aluminum chloride handling, part 1. Figure 3 depicts part of a
process that uses AlCl3 as an ionic polymerization catalyst. AlCl3
is a powder that reacts violently with water to form toxic
hydrogen chloride (HCl) gas and aluminum hydroxide (Al(OH)3).
Its contact with skin results in burns. Low-pressure nitrogen is
used to unload AlCl3 from delivery trucks and transport the
material to smaller vessels from which it is conveyed into the
reactor. The AlCl3 is a very fine powder, some of which will travel
with the nitrogen. All conveying nitrogen is returned to a silo that
can contain as much as 80,000 lb of AlCl3. It then passes through
a filter that returns most of the AlCl3 to the silo. What passes
through the filter is scrubbed from the nitrogen in a packed tower
where water is sprinkled down through the bed as the nitrogen
rises and is released from an elevated vent stack. The slightly
acidic water drops through a p-trap and then goes to the
wastewater sewer.
This is a fairly simple process, but what happens if the p-trap
plugs? Water will flood the scrubbing tower and back up in the
line towards the silo. Because the top of the vent from the
scrubber is considerably higher than the filter on top of the silo,
the water eventually will reach the silo, resulting in a highly
exothermic reaction and generation of HCl gas that can't be
contained within the silo.
The normal way to address this issue would have been to install
level sensors in the packed tower with alarms and automated trip
of the scrubbing water. An elegant and inherently safer design
was to provide an air break in the water to the scrubbing tower
(Figure 4). The top of the funnel is at an elevation considerably
lower than that of the filter; thus, if a plug occurs in the drain
line, the water runs out the top of the funnel. Little-to-no pressure
head was required to get the water through the distributor inside
the tower.
This modification was far less costly than installing the safety
critical devices first considered.
It's difficult to put this inherent safety strategy into any of the four
basic ones. It's simply an elegant design solution that works to
make the scenario of water backing into the silo non-credible.
Aluminum chloride handling, part 2. Figure 5 shows the situation
that existed at the reactor in the same plant with the AlCl3 silo.
The AlCl3 passes at a controlled rate through a rotary feeder into
the reactor. The AlCl3 has a tendency to plug the standpipe
between the feeder and the reactor. An operator's natural
inclination is to blow the plug free and into the reactor using
140-psi nitrogen available close by. Fortunately, there's never
enough catalyst in the standpipe to cause a runaway reaction.

What can go wrong in this situation? If the valve between the
bleeder where the nitrogen is injected and the day pot is left open
or leaks, the nitrogen overpressures the day pot, blowing the
rupture disc and sending fine AlCl3 powder over several acres.

To make the situation more mistake tolerant, the nitrogen source
within a hose length of the bleeder was reduced in pressure to 75
psi, well below the set pressure of the rupture disc on the AlCl3
day pot. To prevent an operator from being tempted to adjust the
pressure of that regulated nitrogen, a safety valve that relieves to
an elevated location limits the pressure.
This didn't prevent one ambitious operator from stringing two
nitrogen hoses together to bring 140-psi nitrogen to the day pot
after working unsuccessfully for several hours to remove a
clogged drop line using the 75-psi source.
Utility station. The use of a hose connected to a utility station is
one of the most common ways that operators interact with
process facilities. Figure 6 depicts a typical set-up for a utility
station near the point of use that provides water, steam, nitrogen
and air.
What could go wrong here? How could this set-up be improved?

In the modified utility station design, each utility was given a
different type of connection. Each line not only was labeled but
also color coded in a fashion that allowed even those suffering
from color blindness to distinguish the utility based on the line's
lightness or darkness. The distinct connector and color of each
hose made mismatching, and therefore mistaking, the utility
being connected to the process very unlikely. In addition, the
arrangement of the utility station was modified to separate the air
and nitrogen supply to provide one more barrier to mistakenly
using nitrogen to drive a tool in a confined space.

Figure 6 (Utility Station). Use of similar types of connections makes
it easy to connect a hose to the wrong utility; opting for distinct
connections and color-coding makes hookup mistakes unlikely.
It remains possible for some ambitious soul to prepare a crossover
connection by appropriating the right set of fittings. Therefore,
you must carefully control these utility station fittings.
This is an application of the mistake proofing form of inherently
safer design.

Electrical switchgear. Figure 7 depicts an electrical switchgear in
2,300-V service. It serves as the primary electrical disconnect and
lockout point for isolating a large pump when it needs service.
Where does the lock go to ensure that the equipment can't be
re-energized while repairs are being made? There is a hasp
conveniently placed in plain view on the handle that opens the
cabinet door. However, the lock actually should go through a little
tab above the disconnect switch that can be pulled out when the
switch is in the off position.
You could try training your personnel on the proper location for
the lock. You could put a sign on the cabinet to indicate where the
lock goes. Then you could realize operators will hang the lock in
the wrong location before they look for a sign that would tell them
the right location, and put another sign on the wrong location
that says: "Lockout lock does not go here!" However, eventually
even that sign becomes just background noise.

We tried all these things before happening upon a solution that
worked: cutting off the hasp on the door handle!

An operator knows a lock must be placed on the switchgear. Now,
if the operator forgets exactly where the lock should go, the
person will think about it and either come up with the right and
only solution or ask. The possibility of making a mistake no
longer exists.
Is this inherently safer switchgear? Yes.
Does it fall into one of the four basic inherent safety strategies?
Not really, although it may be a form of mistake proofing.
The Key To Success
Application of inherent safety principles is just one aspect of
making safety second nature. For each situation, other
approaches may be equally effective as the basic four and may be
economically feasible when none of the four are. Moreover, it's
important to realize that mandating the use of inherent safety is
like placing signs throughout the workplace that say: "Be Safe."
Each has little benefit until you have translated the mindset into
practical application.
You achieve expertise in the practical application of inherent
safety principles through the diligent and repeated search for and
application of inherently safer solutions. This experience is what
makes a safety engineer effective and a process plant a safer
place to earn a living. You train your brain to spot applications for
solutions you've seen before and you apply principles you've used
before to solve new problems. The end result is a mindset that
makes safety second nature.

Prevention through design: adopting inherently safer approaches

15 August 2014
Graeme Ellis, principal safety consultant at ABB Consulting, has
been responsible for developing new Inherent Safety in Design
(ISD) guidance on behalf of the Energy Institute. Here, he outlines
the benefits this method brings compared to traditional safety
approaches, as presented at the unveiling of the new guidance at
Hazards 24, IChemE's leading process safety conference which
took place in Edinburgh in May 2014.


Process safety accidents normally involve the failure of several
protective barriers, leading to the tightening of management
controls to assure performance. But what about the alternative?
The inherently safe approach involves removing hazards or
minimising their consequences through initial design rather than
relying on bolt-on protection that can, and does, fail.

The Health and Safety Executive (HSE) defines this inherently
safe approach to hazard management as one that tries to avoid
or eliminate hazards, or reduce their magnitude, severity, or
likelihood of occurrence, by careful attention to the fundamental
design and layout.
Whilst there are good examples of inherently safe designs in a
range of industries from process to energy industry, there is a
noticeable lack of design methods to ensure opportunities are
systematically identified and exploited. What is required is a
change of approach amongst project leaders in the upstream and
downstream energy industry, away from a design culture that
currently favours bolt-on safety features.

The first issue of the Energy Institute (EI) guidance on Inherent
Safety was published in 2005 and aimed to reduce the
occurrences of unnecessary risks in design safety cases for the UK
offshore oil and gas sector. Now, nine years later in 2014, it is
necessary to bring the guidance up-to-date to meet new
regulations and be more widely applied throughout the energy
sector. The scope of this new guidance has been broadened to
large and small organisations covering offshore production
platforms, onshore refineries, fuel storage facilities, and power
generation stations.

The guidance proposes that companies should develop
procedures to ensure that options to improve inherent safety are
systematically reviewed throughout the design lifecycle. This
should mean that all opportunities to eliminate or minimize
hazards at source have been assessed.
It is recognised that implementing improvements will in practice
be subject to cost, schedule and technology constraints.
Assessments should consider total project and lifecycle costs, as
inherent safety options may require more expensive major
equipment items whilst reducing the overall capital and operating
expenditure.

Traditional approach versus inherently safer approach

If we take an example of a common hazard we can compare and
contrast the traditional approach taken by design teams with an
alternative inherently safer approach that could be adopted. A
common hazard is the overpressure and rupture of a vessel due
to a loss of temperature control.

A traditional safety approach would involve designing a vessel for
normal operating pressures and then adding a high temperature
trip, isolating the heating system, and a pressure relief system
designed for the maximum rate of vaporisation. Incorporating
these protective features will require additional costs as well as
maintenance costs which need to be factored in. With an inherent
safety approach the key is elimination: this means a vessel with
its design pressure above the maximum credible pressure, with
the costlier vessel offset by savings in providing and maintaining
the add-on systems.

For major projects in the energy industry, an inherent safety
workshop at the concept selection stage is recommended, before
HAZID (Hazard Identification) studies required during the
subsequent front-end engineering design (FEED) stage.

The concept stage workshop should ensure that:

project objectives and processes are fully understood;
project impacts on existing facilities are fully considered;
learnings are taken from relevant process safety incidents;
the introduction of new hazardous substances is taken into
consideration;
new process technologies and conditions are taken into
consideration;
new updates to regulatory process safety documentation are
reviewed and applied;
increased hazards to people, transportation methods and
external hazards such as earthquakes are fully considered;
suitable Design Guidelines, Codes of Practice, and Standards
are factored into plans; and
existing emergency facilities are adequate to meet increased
demands.

An inherent safety workshop will not be appropriate for all
projects, particularly where existing technology is required. When
it is suitable, the workshop team identifies potential hazardous
events based on a process block diagram and applies inherent
safety principles to identify improvement options, following the
inherent safety principles hierarchy: elimination, substitution,
minimisation, moderation, segregation and simplification.

Principle        Meaning
Elimination      Avoid the hazard completely
Substitution     Reduce the hazard severity by changing the nature of the hazard
Minimisation     Reduce the hazard severity by changing the scale of the hazard
Moderation       Reduce the hazard severity by minimising the impact of a release or hazardous event
Segregation      Limitation of effects, reducing the potential for the hazard to cause harm
Simplification   Reduce the hazard likelihood by inherent features of the design

Figure 1: A table outlining the principles of inherent safety

For every process option there should be a process block
diagram, which should be carefully considered and prepared in
advance. For example, a new offshore production facility may well
include options for subsea facilities, a normally unmanned
installation, or a fully occupied platform. Each block should
represent a process system, e.g. storage, heating, separation, or
transfer. The blocks and connecting lines should show basic
process parameters such as pressure, temperature and fluid
composition.

The inherent safety workshop team firstly brainstorms potential
hazardous events at each process block based on its knowledge
and experience. The inherent safety principles will then be
applied to assess process design options, focussing on elimination
or reduction of the hazard, rather than reducing the likelihood by
providing bolt-on risk reduction measures.

Cost-benefit analysis

Following the inherent safety workshop several design options
may need to be assessed for either a process system or an entire
process route. Some form of cost-benefit analysis will often be
required to choose between options, although in many cases a
simple qualitative judgement by an experienced study team
should be sufficient.

It is at this point that a HAZID study at the subsequent FEED
stage further identifies credible hazard scenarios and assesses
whether further measures are required to reduce risks to a
tolerable level. HAZID study teams often default to providing
additional add-on risk reduction measures to reduce the event
likelihood, rather than first looking for inherently safer options. It
is recommended that procedures for HAZID studies are reviewed,
to ensure that the team is encouraged to fully explore inherently
safer design options.

The focus for improvement is elimination

Throughout the energy industry there is an acceptance of the
importance of inherent safety principles; however, the application
of structured reviews during the design stage of projects has not
gained general acceptance in a similar way to traditional
approaches such as HAZID and Hazard and Operability (HAZOP)
studies. The main difference is that the ISD focus for improvement
is elimination and reduction of hazards rather than provision of
add-on risk reduction measures.

Whilst process designers will point to examples of inherent safety
features considered to be good practice, I believe that
opportunities for applying inherent safety in design are not being
systematically assessed. This is potentially due to a lack of
awareness of this topic or lack of tools to be applied during
normal projects to encourage inherent safety thinking. Design
teams may also believe there is a lack of opportunity to apply
inherent safety in design for established technology, particularly
when the basic design is standardised or provided under license.

Inherent safety in design can however be applied to all stages of
the design lifecycle, although it is generally agreed that the
greatest benefits will be obtained during the early concept stage.

Legislative drivers

There is an increasing expectation from US and EU regulators
that inherent safety is assessed during the early stages of design.
The EU Offshore Safety Directive 2013 related to offshore oil and
gas operations requires a description of the design process for
the production operations and systems, from an initial concept to
the submitted design or selection of an existing installation, the
relevant standards used, and the design concepts included in the
process, and later requires the Competent Authority to ensure
that the design decisions described in the design notification
have taken account of risk management so as to ensure inherent
safety and environmental principles are incorporated.

Failure to comply with requirements such as those stated in the
EU Offshore Safety Directive (2013) or guidance on the EU
onshore Seveso III Directive could result in significant delays
and costs at later stages of the project.

On the other hand there is the US OSHA PSM standard, which
requires companies handling hazardous substances to carry out
Process Hazard Analysis to identify and assess hazards, but has
no specific requirement for inherent safety in design. However,
there is an increasing awareness of the importance of ISD in the
US, and some states are starting to mandate inherent safety
assessments for new process designs.

Aside from these legislative drivers, there are many benefits from
applying inherent safety early in the project before decisions have
been made on the choice of equipment. At this early stage, the
design only appears on paper, allowing significant changes to be
made, achieving substantial reduction in risks, and potentially
reducing the overall lifecycle costs. As the design progresses and
the process is increasingly fixed, it becomes more difficult and
costly to make changes and the benefits in terms of hazard and
risk reduction on the overall process become limited.

The new ISD guidance (Energy Institute, 2014) outlines how the
effective application of inherent safety in design can provide the
following benefits:
unlike traditional approaches to process safety that require
expensive 'add-on' risk reduction measures, inherent safety in
design provides an opportunity to identify improvements that can
reduce overall capital and operating expenditure;
the principle of 'minimisation' challenges large inventories of
dangerous substances and promotes smaller equipment with
reduced cost and weight, particularly beneficial for offshore
platforms;
eliminating or reducing hazards early in the design will avoid
potential delays caused by re-design to meet risk criteria;
reduction in process equipment and 'add-on' safety systems
reducing the time for design, procurement, construction and
installation;
less reliance on 'add-on' safety systems decreases
maintenance, repair and inspection costs during facility lifecycle;
and

reducing the number of hazardous activities and hence the
number of personnel exposed to risks and the likelihood for
human failure.
In many cases the benefits of an inherent safety improvement
option will be clear, whereas in other cases there may be conflicts
between options that need detailed assessment to resolve. There
may also be conflicting pressures on the project team, including
factors such as cost implications, operational flexibility, personal
preferences, available information or pressures due to project
schedule.
Conclusions
Inherent safety is not a new topic but the process industry has
often failed to maximise the hazard reduction potential from this
approach and reap the benefits including reduced lifecycle costs.
Whilst international codes of practice often fail to promote
inherent safety and can perpetuate risk reduction using bolt-on
safety systems, global regulators are now requiring
demonstrations that inherent safety improvement options have
been effectively assessed using structured techniques.
The main additional requirement for design teams is to carry out
structured inherent safety workshops during the concept stage
when the greatest opportunity exists to benefit from applying
inherent safety. The inherent safety approach has reduced
benefits during the latter stages of design, but should
nevertheless be actively encouraged during HAZID and HAZOP
studies as a preferred option in place of traditional bolt-on safety
systems.
The most inherently safe process will not always be the most
attractive economically and the technology may be unproven.
Design teams should be aware that technology continues to
evolve, and inherent safety options that are not economically
attractive for a current project should be retained for
consideration on future projects. The design stage presents the
greatest opportunity to reduce risks from process facilities that
pose the potential for significant harm to both people and the
environment.

Legislating for Inherent safety in the US: Reflections on the
ongoing debate
10 Feb 2014
Kehinde Shaba

There has been a recent public exchange of views between the
head of the US Chemical Safety Board (CSB) (Rafael Moure-Eraso)
and Cal Dooley (head of the American Chemical Council, an
industry trade association). This exchange was precipitated by the
former, who argued (in a New York Times Op-Ed piece) that
enshrining Inherently Safer Design (ISD) principles in law is
central to achieving a significant reduction in safety incidents,
with several recent large incidents cited. Dooley has taken a dim
view of this suggestion.
Is Inherent Safety legislatable?

Whether or not implementing inherent safety into law will improve
safety standards is of course debatable, but the available
evidence on application of similar principles (As Low as
Reasonably Practical [ALARP], So Far as is Reasonably Practical
[SFAIRP], the Precautionary Principle, Best Available Technology
Not Entailing Excessive Cost [BATNEEC]) in other geographies
suggests that it will. It is well known that European countries,
especially the northern European ones, have arguably the best
safety records in the world.

It is worth noting that these concepts generally tend to be
qualified when used in the European sense and require a sense of
balance versus other competing considerations such as risk,
benefit and cost. It goes without saying that the benefits provided
by a course of action should always be weighed against the cost
required to achieve it. Additionally, the idea of zero risk is a
fallacy and is not prudent public policy.

The success of such initiatives goes beyond codifying
requirements in law. There are numerous practical considerations
that need to be in place, not least a highly competent regulator
and, most importantly, buy-in by all stakeholders. This latter
point is probably the most instructive and definitive: it is difficult
to achieve commitment without involvement and engagement.
The case against
Dooley writes that "Inherently safer approaches are already
considered by companies." If the industry already considers these
principles, surely implementing them in legislation shouldn't be
an issue? It seems odd that there should be an unwelcome
negative reaction to an activity already engaged in by industry.
Another opposition argument is the extent to which such a law
would be unenforceable. Dooley continues: "But mandating them is
impractical and would create a regulatory requirement that has
been recognised by one official of the Environmental Protection
Agency as monumentally difficult." This is a point worthy of
note. Philosophies such as ISD, ALARP etc. thrive largely because
they are implemented in performance based regulatory regimes
where emphasis is placed on the outcome rather than the method
of achieving the outcome. US legislation is, for the most part,
largely prescriptive (i.e. very particular on what must be done and
how), and hence making ISD work in that environment would
be monumentally difficult.
It is fair to say this initiative can present significant challenges,
but the European example is proof that it works. Going forward,
the real question here is whether the concerned stakeholders are
willing to come together, agree and commit to a plan of action, in
legislation or otherwise, that will help improve the current safety
standards, which it is fair to say (and few would disagree) can be
improved.

Statement from CSB Chairperson Rafael Moure-Eraso on the
Passing of Noted Chemical Process Safety Expert Professor Trevor
Kletz

CSB board members and staff are saddened to learn of the death
of one of the world's greatest authorities on chemical process
safety, Dr. Trevor Kletz. Starting as a research chemist in the
United Kingdom, Dr. Kletz's career in industry established him as
an expert in chemical process safety, safety culture, and as an
advocate, indeed the father, of the concept of inherently safer
technology and processes. One of his seminal papers was
entitled, "What You Don't Have Can't Leak." His teachings on
accident investigations refocused the emphasis from individual
lapses to systems failures and safer design. These concepts
fostered a revolution in modern safety management thinking.

After retiring in 1982, Dr. Kletz established a second career as an
author, speaker and academic. He served in recent years as
adjunct professor of the Texas A&M University and Visiting
Professor of Chemical Engineering at Loughborough University in
the UK. We felt particularly attached to the work of Dr. Kletz as his
commentary, excerpted from a CSB interview with him, is
featured prominently in our 2008 CSB safety video, "Anatomy of a
Disaster," which tells the story of the BP Texas City refinery
accident in 2005 that killed 15 workers and injured 180 others.

In the video, Dr. Kletz says, "There's an old saying that if you
think safety is expensive, try an accident. Accidents cost a lot of
money. And, not only in damage to plant and in claims for injury,
but also in the loss of the company's reputation." And in another
segment, on the company's reporting and learning culture: "Well,
after an accident, managers often say, 'I didn't know this was
happening or not happening, as the case may be, if I'd known it,
I'd have stopped it.' Now this is bad management. It's the
manager's job to know what is going on. And, he can do that by
going round and by keeping his eyes open and reading the
accident reports in detail."

These are typical of the ways in which this wonderful man, so
committed to preventing accidents and saving lives,
communicated in such plain and effective language. Consider this
typically pointed comment, also from our video, that gets to the
heart of why accident prevention should be about looking for root
causes, and not individual blame: "For a long time, people were
saying that most accidents were due to human error and this is
true in a sense but it's not very helpful. It's a bit like saying that
falls are due to gravity."

The titles of just some of Dr. Kletz's many authoritative books
display his keen focus on making processes safer: "What Went
Wrong? Lessons from Accidents," "Process Plants: A Handbook
for Inherently Safer Design," and "By Accident: A Life Preventing
Them in Industry."
So today we mourn the loss of Trevor Kletz, whose lifetime of
work has unquestionably resulted in workers' lives saved and
accidents prevented, a legacy we will try to emulate at the CSB.

Process Safety Lessons Learned

Process safety has been a popular topic these days.
Unfortunately, it has hit mainstream press because of high profile
safety incidents such as last year's Deepwater Horizon accident in
the Gulf of Mexico. On a positive note, process safety isn't just for
the experts anymore. Many process industry business leaders and
managers are taking a stern look at their organization and
wondering if they are protected or not. Still, some are making the
mistake of assuming that their past success operating safely is an
indicator of future process-safety success.
I just read an article by Walt Boyes titled "Process Plants Accidents
Careful. We Don't Want to Learn from This." Walt makes some
really strong points about the lack of process safety
improvements over the past 25-plus years, since the 1984
Bhopal, India incident got the process safety management (PSM)
ball rolling. Walt once corrected me on a point that he did not
make in his article. A couple of years ago, I was talking to him
about the need to simplify regulatory compliance and he told me
that I had it all wrong.
Walt said, "If the goal is to be regulatory compliant, then you are
missing the point." Walt's point was that regulatory compliance is
not a goal to strive for. If you are hoping to improve your safety
by becoming regulatory compliant then you are setting yourself
up to fall woefully short of actually managing your process safety.

The regulatory compliant mindset can lead you onto all sorts of
stray paths if you are not careful. This is a major contributor to
many ineffective safety programs and management cultures
today. During the investigations into the Deepwater Horizon
incident, we saw clear examples of very smart people making
irrational decisions because their goal was to meet the regulatory
compliance requirements set by the Mineral Management Service
(MMS) in the Gulf of Mexico. Instead, it is important to focus on
the goal: managing process safety.
In addition to the regulatory compliance goal inadequacy, many
of the key points provided in the 2008 U.S. Chemical Safety Board
(CSB) video titled "Anatomy of a Disaster" are still valuable lessons
for the process industry to learn. If you haven't watched this video
yet, I urge you to schedule an hour into your calendar and take
the time to learn some lessons from a recent industry event. With
permission from the CSB, I have picked out some of the more
valuable quotes from the process safety experts that were
interviewed in the video.
"There's an old saying that if you think safety is expensive try an
accident. Accidents cost a lot of money, not only in damage to
plant and claims to injuries but also in the loss of the company's
reputation." - Dr. Trevor Kletz
This week I read the IndustryWeek article, "BP Refines Post-Spill
Drilling Strategy." Less than a year after the Deepwater Horizon
incident, there are already signs of BP's top management taking a
leadership role in driving process safety management in their
company. Change like this isn't something that can be driven from
the bottom up. You need top down support to make this happen.
The article discusses some of the safety culture and management
changes that the new CEO Robert Dudley says are happening at
BP. Dudley is quoted as saying that production shutdowns are
costly, but safety is good business.

"My fear is that some of the other refineries within the United
States will feel, that couldn't happen to me. And the ones that
feel that couldn't happen at their site are the ones that are set up
to have it happen there." - Glenn Erwin
This is one of the major challenges that the process industry
faces. After the Deepwater Horizon incident, leaders from several
multinational oil companies testified before Congress that
something like this couldn't happen to them. This is a natural
response to this kind of industry event. However, the major oil
producers did come together after recognition that their
emergency response plans were all pretty much the same and
they were indeed subject to some of the same problems. Exxon
Mobil, Shell, Conoco Phillips, Chevron, and BP have since formed a
non-profit organization, the Marine Well Containment Company,
which will provide a rapid response system to capture and contain
oil in the event of another blowout in the Gulf of Mexico.
"Process safety deals with the fires, explosions, and toxic releases
and things like that. You can have a very good accident rate for
what we call hard hat accidents and not for process ones." - Dr.
Trevor Kletz
It is common to see process industry facilities with signs
reminding you to hold onto handrails, watch where you are
walking, and to be careful not to be burned by spilled coffee. If
you drive down Highway 225 in southeast Houston, you are likely
to see dozens of signs outside of refineries and chemical plants
that display hundreds of thousands of man-hours without a lost
time or total recordable incident. While it is very important to
celebrate personal safety management milestones, it has little
connection with process safety performance. Having a very low
lost-time accident rate can induce a feeling of complacency and a
false sense that safety is being well managed. A key lesson from
recent incidents was the need to focus on leading and lagging
indicators in addition to personal safety metrics. The AIChE Center
for Chemical Process Safety (CCPS) has recently made significant
progress developing process safety metrics.
"The fact that you've gone for 20 years without a catastrophic
event is no guarantee that there won't be one tomorrow." - Prof.
Andrew Hopkins
Personal safety focuses on preventing high frequency, lower
consequence incidents like slips, trips, and falls. Process safety
focuses on preventing much lower frequency events with a
catastrophic consequence. Many process safety hazards are
estimated to be likely to occur only once in the life of a facility, or
even only once in the life of an industry.
Some hazardous event frequencies are measured in terms of once
in thousands of years. These events typically result from multiple
causes related to a complex sequence of failures in equipment,
people, processes, and decision-making. So, often the process
industry celebrates the personal safety successes while having to
fight complacency on the need for continuous process safety
vigilance. Some safety engineers complain that change is hard to
justify because current practices have not resulted in any safety
incidents. It often takes a catastrophic kind of event to invigorate
the organization's focus and commitment around process safety.
