Hello, and welcome! Today we are going to learn about what an Emergency Shutdown (or ESD) system is.
But first, let us consider a small control system assembling a toy car. We have several parts that need to go in a certain place: two sets of wheels, a base where the wheels attach, and the shell of the vehicle which sits atop the completed base.
Sounds simple, right? Well, what would happen if there was a problem with the control system, and the parts got assembled in the wrong order? If that was the case, to prevent damage to the machine, an operator may choose to perform an Emergency Stop, to be able to quickly stop the machine and make it safe to enter.
This is the premise behind something that is used in almost any control system that you can think of, all over the world.
Our toy car example demonstrates the function of an emergency stop, whereas what we are going to learn about today is an Emergency Shutdown, something which is a little different from a standard emergency stop function.
What an “Emergency Shutdown” does, which an “Emergency Stop” does not, is detect a potentially hazardous condition and react to it by shutting the system down to protect personnel, facilities, and even the environment.
Now we are going to consider an Emergency Shutdown in a real-world environment, in the Oil and Gas industry.
In the Oil and Gas industry, an Emergency Shutdown is a safety system that is designed to minimize the consequences of an emergency situation, such as a failure, to reduce the potential of flooding, escape of hazardous materials, or outbreak of fire.
This is normally done by monitoring the state of field-mounted sensors, valves, trip relays and inputs to a control system as alarms.
The control system applies a cause-and-effect analysis, in which each alarm condition (the cause) is linked to the protective actions (the effects) determined to protect the facility.
The Emergency Shutdown does not need to completely shut down the entire plant. This can sometimes be more dangerous.
What the system will do is minimize the effects. It could reduce the number of plant items available, or shut down part of the systems. In the event of a fire, a Fire Damper control system may override existing controls to open or close vents as needed, and close fire doors.
There are so many examples of what an Emergency Shutdown system might be used for. In a system that isolates hydrocarbon inventories, it is of great importance that an Emergency Shutdown system is effective so that nothing is released into the atmosphere.
Another important use of an Emergency Shutdown is in an Emergency Ventilation system. When a problem is detected which requires rapid venting, it is crucial that a safety system can detect and react to the problem, or even detect it before it becomes one.
An example of an Emergency Ventilation system could be a smoke detection system. If a fire is detected, the system would likely shut down all plant equipment to contain the fire, not allowing oxygen in to let it burn; but if only smoke was detected, they may want to vent the smoke out, therefore switching on plant equipment to do so.
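To make the cause-and-effect idea concrete, here is an added Python model of one ESD logic scan; it is illustrative code written for this page, not the logic of any real plant or product. The alarm names, the effect list, the matrix contents and the priority rule (a confirmed fire overrides smoke venting) are all assumptions. It also shows one defensive choice a practitioner expects in this kind of system: a faulted input is treated as an active alarm so the logic fails to the safe state rather than staying silent.

```python
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Effect(Enum):
    """Protective actions the ESD logic can demand (constructed list)."""
    CLOSE_ESD_VALVES = "close emergency shutdown valves"
    TRIP_PUMPS = "trip process pumps"
    CLOSE_FIRE_DAMPERS = "close fire dampers"
    CLOSE_FIRE_DOORS = "close fire doors"
    STOP_VENTILATION = "stop ventilation fans"
    START_VENTILATION = "start emergency ventilation fans"
    OPEN_VENTS = "open vents"


# Constructed cause-and-effect matrix: each cause (an alarm from a field
# sensor, valve limit switch or trip relay) maps to the effects it demands.
CAUSE_EFFECT: Dict[str, Set[Effect]] = {
    "gas_detected": {Effect.CLOSE_ESD_VALVES, Effect.TRIP_PUMPS},
    "high_pressure": {Effect.CLOSE_ESD_VALVES, Effect.TRIP_PUMPS},
    "fire_detected": {
        Effect.CLOSE_ESD_VALVES, Effect.TRIP_PUMPS, Effect.CLOSE_FIRE_DAMPERS,
        Effect.CLOSE_FIRE_DOORS, Effect.STOP_VENTILATION,
    },
    "smoke_detected": {Effect.START_VENTILATION, Effect.OPEN_VENTS},
}

# Assumed priority rule: when two causes demand opposing effects, the first
# of each pair wins, so a detected fire is starved of oxygen rather than
# having its smoke vented.
CONFLICTS: List[Tuple[Effect, Effect]] = [
    (Effect.STOP_VENTILATION, Effect.START_VENTILATION),
    (Effect.CLOSE_FIRE_DAMPERS, Effect.OPEN_VENTS),
]


def evaluate(inputs: Dict[str, Optional[bool]]) -> Tuple[Set[Effect], List[str]]:
    """Return the demanded effects and an event log for one logic scan.

    inputs: alarm name -> True (alarm active), False (healthy) or None
    (input fault, e.g. open circuit or failed diagnostic). A faulted input
    is treated as an active alarm so the system fails to the safe state.
    """
    effects: Set[Effect] = set()
    log: List[str] = []
    for cause, state in inputs.items():
        if cause not in CAUSE_EFFECT:
            log.append(f"ignored unknown cause '{cause}'")
            continue
        if state is None:
            log.append(f"{cause}: input fault, treated as tripped (fail-safe)")
        elif not state:
            continue
        else:
            log.append(f"{cause}: alarm active")
        effects |= CAUSE_EFFECT[cause]
    # Resolve opposing demands before anything is sent to the outputs.
    for winner, loser in CONFLICTS:
        if winner in effects and loser in effects:
            effects.discard(loser)
            log.append(f"conflict: '{winner.value}' overrides '{loser.value}'")
    return effects, log


def main() -> None:
    # Constructed scan inputs for three situations
    scans = {
        "smoke only": {"smoke_detected": True, "fire_detected": False},
        "fire and smoke": {"smoke_detected": True, "fire_detected": True},
        "gas detector wiring fault": {"gas_detected": None},
    }
    for name, inputs in scans.items():
        effects, log = evaluate(inputs)
        print(f"--- {name}")
        for line in log:
            print("  ", line)
        for effect in sorted(effects, key=lambda e: e.value):
            print("   -> demand:", effect.value)


if __name__ == "__main__":
    main()
```

Running the block prints the log and the demanded effects for each scan: smoke alone starts the fans and opens the vents, smoke together with fire drops both of those in favour of the fire response, and a faulted gas detector trips the same outputs a real gas alarm would.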
Emergency Shutdown systems usually have their own logic controller, one that reacts to failures much faster than a normal PLC system.
Milliseconds count, and can be the difference between a problem and a catastrophic failure. Safety systems use a classification based on risk and probability.
This is called Safety Integrity Level, or SIL. There are 4 levels to SIL. SIL Level 1 represents the integrity required to avoid relatively minor incidents and is likely to be satisfied by a certain degree of fault-tolerant design using guidelines that follow good practice.
SIL Level 2 represents the integrity to avoid more serious, but limited incidents, some of which may result in serious injury or death to one or more persons. SIL Level 3 represents the integrity required to avoid serious incidents involving a number of fatalities and/or serious injuries.
SIL Level 4 represents the integrity level required to avoid disastrous accidents. When designing the safety system, the required level and associated risk are taken into account by using a safety matrix.
This will look at each of the risks, and attach a probability and a consequence to them, to arrive at the safety integrity level required for the safety system.
Wow! That is a lot to take in, and we understand if you need to watch this video again.
What have we learned today? Safety systems are essentially separate control systems that interrupt main PLC controllers under emergency conditions, such as an Emergency Shutdown scenario.
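The safety matrix described above can be expressed as a small lookup table. The following Python is an added example written for this page, not a matrix from any standard or project: the probability and consequence scales and every SIL value in the grid are constructed for illustration, and a real project would calibrate them against its own risk acceptance criteria. The block rates each hazard, takes the highest rating as the SIL required of the safety function that covers them (the page's point that the higher the consequence, the higher the required integrity), and includes a self-check that the grid never lowers the required SIL when probability or consequence goes up, which catches a mis-typed cell.

```python
from typing import Dict, List, Tuple

# Constructed ordinal scales, ordered from least to most severe.
PROBABILITY: List[str] = ["remote", "occasional", "probable", "frequent"]
CONSEQUENCE: List[str] = ["minor", "serious", "multiple_fatalities", "disastrous"]

# Constructed safety matrix: rows follow PROBABILITY, columns follow
# CONSEQUENCE, each cell is the required SIL (0 = no SIL requirement).
SAFETY_MATRIX: List[List[int]] = [
    # minor  serious  multiple_fatalities  disastrous
    [0, 1, 2, 3],  # remote
    [1, 2, 3, 3],  # occasional
    [1, 2, 3, 4],  # probable
    [2, 3, 4, 4],  # frequent
]


def required_sil(probability: str, consequence: str) -> int:
    """Look up the SIL one hazard demands from the safety matrix."""
    if probability not in PROBABILITY:
        raise ValueError(f"unknown probability rating '{probability}'")
    if consequence not in CONSEQUENCE:
        raise ValueError(f"unknown consequence rating '{consequence}'")
    return SAFETY_MATRIX[PROBABILITY.index(probability)][CONSEQUENCE.index(consequence)]


def rate_safety_function(hazards: Dict[str, Tuple[str, str]]) -> Tuple[int, Dict[str, int]]:
    """Rate every hazard one ESD function protects against.

    Returns the SIL required of the function (the highest of its hazards)
    and the per-hazard ratings, so the worst case is visible in a review.
    """
    ratings = {name: required_sil(p, c) for name, (p, c) in hazards.items()}
    return (max(ratings.values()) if ratings else 0), ratings


def matrix_is_monotonic() -> bool:
    """True if moving to a higher probability or consequence never lowers the SIL."""
    rows, cols = len(SAFETY_MATRIX), len(SAFETY_MATRIX[0])
    for r in range(rows):
        for c in range(cols):
            if c + 1 < cols and SAFETY_MATRIX[r][c + 1] < SAFETY_MATRIX[r][c]:
                return False
            if r + 1 < rows and SAFETY_MATRIX[r + 1][c] < SAFETY_MATRIX[r][c]:
                return False
    return True


def main() -> None:
    # Constructed hazards for one hydrocarbon isolation function
    hazards = {
        "gas release at pump seal": ("occasional", "multiple_fatalities"),
        "high separator pressure": ("probable", "serious"),
        "minor spill on skid": ("frequent", "minor"),
    }
    print("matrix sanity check:", "ok" if matrix_is_monotonic() else "FAILED")
    sil, ratings = rate_safety_function(hazards)
    for name, rating in ratings.items():
        print(f"  {name}: SIL {rating}")
    print(f"required SIL for the function: {sil}")


if __name__ == "__main__":
    main()
```

Whoever owns the matrix should run the monotonic check every time a cell is changed; an inverted cell would silently under-rate a hazard.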
Different from an Emergency Stop pushbutton on a panel, or inside a machine cell, the Emergency Shutdown system can detect potential failures based upon field sensors, valves, and trip relays, and react quicker than we humans can, to stop the escalation of a small problem into a catastrophe! Every alarm on a system is assigned a rating based upon its probability to occur and the consequence if it does.
The higher the potential consequence, the higher the integrity rating of the safety system is required to be. Of course, there are other factors that can be involved, but these are designed and implemented on a case-by-case basis. Ok, that’s all for today.