BRANN-, GASS- OG NØDAVSTENGNINGSSYSTEMER (FIRE, GAS AND EMERGENCY SHUTDOWN SYSTEMS), 11-12 APRIL 2012, BRITANNIA HOTEL, TRONDHEIM. FAHRAD PAKSHAD, RAMBOLL OIL & GAS
Subject of the talk: introduction to emergency stop and start systems. Contents: Why do we need them? What are the typical application areas? What are their main elements? What are their typical safety requirements specifications?
Emergency stop (shutdown) and start. Why do we need them? Answer: to protect human life, the environment and assets. But from what?
From hazards leading to accidents!
Hazards and examples:
- Mechanical: falling objects, height above the ground, high pressure, rotating elements
- Electrical: electrostatic charge, live parts, short circuits
- Thermal: explosion, flame, hot/cold surfaces
- Ergonomic: noise, vibration, humidity, lighting
- Toxicity: gases, liquids, solids
- Radiation: electromagnetic, ionizing
Safety in machinery / safety in process. Safety-related stop functions:
- Emergency stop
- Emergency shutdown
- De-energise
- De-pressurise
General emergency stop specifications: accessible, recognizable, reliable and safe. The emergency stop can take the form of a button (mushroom style), wire, rope, bar, handle, foot pedal or a combination of devices.
Regulations and standards:
- Directive 98/37/EC (Machinery). Note: 98/37/EC was repealed by Directive 2006/42/EC with effect from 29 December 2009; the emergency stop requirement is carried over in Annex I, 1.2.4.3 of the new directive.
- PSA regulations: Management regulations, Facilities regulations
- IEC 60947-5-5 deals specifically with electrical emergency stop devices with mechanical latching function
- Arbeidstilsynet (Norwegian Labour Inspection Authority): Lov om arbeidsmiljø, arbeidstid og stillingsvern mv. (arbeidsmiljøloven), the Working Environment Act, section 4-4, Requirements regarding the physical working environment
- Arbeidstilsynet: Forskrift om tekniske innretninger (Regulation on technical devices), section 16, Emergency stop devices
- ISO 13850 and EN 418 deal with requirements for the emergency stop function of a machine, whatever the energy used (EN 418 has since been superseded by EN ISO 13850)
- IEC 60204-1 gives additional requirements for an emergency stop function realized by the electrical equipment of a machine
- IEC 60947-5-1 specifies electrical characteristics of electromechanical control circuit devices
Directive 98/37/EC (Machinery), emergency stop: each machine must be fitted with one or more emergency stop devices to enable actual or impending danger to be averted. The following exceptions apply:
- machines in which an emergency stop device would not lessen the risk, either because it would not reduce the stopping time or because it would not enable the special measures required to deal with the risk to be taken,
- hand-held portable machines and hand-guided machines.
This device must:
- have clearly identifiable, clearly visible and quickly accessible controls,
- stop the dangerous process as quickly as possible, without creating additional hazards,
- where necessary, trigger or permit the triggering of certain safeguard movements.
IEC 60947-5-5, 3.1 emergency stop (function or signal): function or signal which is intended to avert or to reduce hazards to persons, damage to machinery or to work in progress, and to be initiated by a single human action. 3.2 emergency stop device: a manually operated control circuit device used to initiate an emergency stop function [ISO/IEC 13850:3.2, modified].
4.2 Indications on buttons 4.2.1 Buttons used as actuators of an emergency stop device shall be colored red. When a background exists behind the actuator, and as far as it is practicable, it shall be colored yellow. 4.2.2 The direction of unlatching shall be clearly identified when resetting is achieved by rotation of the button. NOTE See also IEC 60073 and ISO 3864.
Operational requirement: emergency stop devices should meet the requirements defined in IEC 60947-5-5. In common with all other actuators, operating the emergency stop should leave it mechanically latched in, and it should not unlatch until the device itself has been reset. Without exception, operation of the emergency stop should result in de-energisation of the emergency stop control circuit, ensuring fail-safe (de-energise-to-trip) operation. Resetting the emergency stop device itself must not restart the machine; it may only permit a restart, which requires a separate, deliberate start command.
[Figure: SIS signal chain: initiator (transmitter) → logic solver (IPS, Instrument Protective System) → end element (shutdown valve). Labels on the figure: HLSD xxx, IA.]
Example: Universal lathe with emergency stop button
The sketch shows a typical starting circuit for a 3-phase electric motor. The main circuit (black) consists of: fuses, contactor, overload protection. The control circuit (red) consists of: fuse, on/off buttons, emergency stop button, auxiliary contactor, contactor.
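As an added example (not code from the presentation), the starting circuit above modelled in a few lines of Python, so that the three properties the operational requirement asks for can be checked: the emergency stop latches, the circuit is de-energise-to-trip (a broken wire stops the motor), and resetting the emergency stop does not by itself restart the motor. The component names, the wiring order and the sequence of operations are assumptions made for illustration; a second function contrasts the same wire-break fault under an energise-to-trip design.

```python
"""Model of the motor starter control circuit on the slide (added example).

Series loop: fuse -> stop button (normally closed)
          -> emergency stop (normally closed, mechanically latching)
          -> [start button (normally open) in parallel with the contactor's
              own auxiliary holding contact] -> contactor coil.
"""
from dataclasses import dataclass


@dataclass
class StarterCircuit:
    estop_latched: bool = False        # mushroom button pushed in and held by its latch
    wire_broken: bool = False          # open circuit in the series loop (or blown control fuse)
    contactor_energised: bool = False  # contactor pulled in; its auxiliary holding contact closed

    def _evaluate(self, start_pressed: bool = False, stop_pressed: bool = False) -> bool:
        # Every series element must conduct ...
        series_ok = not (self.wire_broken or self.estop_latched or stop_pressed)
        # ... and the parallel branch must be closed by the start button or the seal-in contact.
        parallel_ok = start_pressed or self.contactor_energised
        self.contactor_energised = series_ok and parallel_ok
        return self.contactor_energised

    def press_start(self) -> bool:
        self._evaluate(start_pressed=True)  # momentary press energises the coil ...
        return self._evaluate()             # ... and the holding contact keeps it in after release

    def press_stop(self) -> bool:
        self._evaluate(stop_pressed=True)   # opens the loop; the holding contact drops out
        return self._evaluate()             # releasing the stop button does not restart

    def press_estop(self) -> bool:
        self.estop_latched = True           # stays latched until deliberately reset (IEC 60947-5-5)
        return self._evaluate()

    def reset_estop(self) -> bool:
        self.estop_latched = False          # e.g. twist-to-release
        return self._evaluate()             # no restart: the holding contact already dropped out

    def break_wire(self) -> bool:
        self.wire_broken = True             # de-energise-to-trip: loss of continuity stops the motor
        return self._evaluate()

    @property
    def motor_running(self) -> bool:
        return self.contactor_energised


def stops_machine(design: str, estop_pressed: bool, wire_broken: bool) -> bool:
    """Contrast of the two trip philosophies for the same fault; True means the machine is stopped."""
    if design == "de-energise-to-trip":
        # The coil is held in by current; anything that interrupts it (button or fault) stops the motor.
        return estop_pressed or wire_broken
    if design == "energise-to-trip":
        # The trip must be signalled; a broken wire silently defeats the button.
        return estop_pressed and not wire_broken
    raise ValueError(design)


def walkthrough() -> list:
    """Run an assumed operating sequence and return the motor state after each step."""
    c = StarterCircuit()
    return [
        ("start", c.press_start()),        # True: motor runs
        ("estop", c.press_estop()),        # False: tripped and latched
        ("reset", c.reset_estop()),        # False: reset alone must not restart
        ("start", c.press_start()),        # True: explicit restart command
        ("wire break", c.break_wire()),    # False: fail-safe
        ("start", c.press_start()),        # False: cannot start with an open loop
    ]


if __name__ == "__main__":
    for step, running in walkthrough():
        print(f"{step:10s} -> motor running: {running}")
```

The point of the contrast function is the one the requirement makes implicitly: with energise-to-trip, a broken wire between the button and the coil is a dangerous undetected failure, whereas with de-energise-to-trip the same fault is a spurious but safe stop.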
Example: emergency stop push buttons to shut down an X-ray generation facility. X-Ray Generator Shut-Off Procedure, multi-user macromolecular x-ray crystallography facility (XRF) at the Kasha Laboratory Building (KLB), Institute of Molecular Biophysics (IMB). X-Ray Facility Shut-Off Procedure: during an emergency involving either one of the x-ray generators, the power to that generator alone can be turned off by pushing the round red-colored 'Emergency' button located in the middle of that x-ray generator. During a facility-wide emergency, the power to the entire facility can be turned off by pushing the red-colored round 'Emergency Stop' button located on either side of the facility. The fluorescent lights will NOT be affected.
But what about ships? Is there a brake or emergency stop for sea-going vessels? In a sea-going vessel, unlike land transport, there are no brakes to stop the ship when needed. The vessel is stopped by reversing the rotational direction of the main engine and thereby the propeller, which stops or reduces the speed of a vessel on a collision course. In such a crash manoeuvre the main engine is subjected to severe stress and loading, but the safety of ship and life is assured.
But what about airplanes? Is there a brake or emergency stop? At the airport, on an aircraft carrier or at a helipad: 'Stop' (emergency stop) is one of the ICAO aircraft marshalling signals, the visual signalling between ground personnel and pilots. Once airborne, the only 'emergency stop' is an emergency (crash) landing.
Other examples of emergency stop (brake):
- Car handbrake
- Train emergency brake
- Elevator emergency brake
- Drilling drawworks emergency stop (NORSOK D-001 Drilling facilities)
- Conveyor belt emergency stop
- Crane emergency stop
In the oil & gas business there are special kinds of emergency stop systems called Emergency Shutdown (ESD) and Process Shutdown (PSD) systems. These Safety Instrumented Systems (SIS) are part of a set of safety barriers that bring the risk level to As Low As Reasonably Practicable (ALARP).
Emergency shut down (ESD) principle hierarchy Norsok S-001
Well integrity during production and injection from or to a reservoir NORSOK standard D-010
Well integrity during wireline (WL) operations. A wireline operation is a technique for deploying various electrical or mechanical downhole tools (logging tools, plugs, packers, perforating guns, shifting tools, pulling tools etc.) on electrical cables, braided cables or slickline. The operations are performed in pressurised wells or in dead wells. NORSOK standard D-010. Figure: running WL through the surface production tree.
PSA audit finding: emergency shutdown system independence. The PSD and ESD systems for controlling the emergency shutdown valves (ESD valves) are not independent. Basis: both ESD and PSD operate a common pilot valve for closing the ESD valves. If the PSD system fails to close the ESD valve because of a common pilot valve failure, the ESD system will not be able to close the valve either. (Photo not related to the case.)
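To make the finding above checkable rather than argued, here is an added example (not from the audit or the presentation) that models the two ways of arranging the pilot valves and enumerates the minimal combinations of failed components that defeat closure of one ESD valve. The component names (pilot_A, pilot_B, psd_logic, esd_logic, valve) and the dependency structure are assumptions made for illustration; the shared-pilot configuration is the one the finding describes, the other is the independent alternative.

```python
"""Dependency model of PSD/ESD closing one ESD valve (added example)."""
from itertools import combinations

# Which pilot (solenoid) valves each system can de-energise to vent the actuator and close the valve.
SHARED_PILOT = {"psd": ["pilot_A"], "esd": ["pilot_A"]}        # the audit finding: one pilot for both
INDEPENDENT_PILOTS = {"psd": ["pilot_A"], "esd": ["pilot_B"]}  # each system vents through its own pilot


def components(config: dict) -> set:
    """Everything whose dangerous failure could matter: the valve/actuator, each logic solver, each pilot."""
    return {"valve"} | {f"{s}_logic" for s in config} | {p for ps in config.values() for p in ps}


def valve_closes(config: dict, demands: set, failed: set) -> bool:
    """True if a demand from any system in `demands` (subset of {"psd", "esd"}) closes the valve,
    given that the components in `failed` have failed dangerous (stuck, not venting)."""
    if "valve" in failed:
        return False
    for system in demands:
        if f"{system}_logic" in failed:
            continue                       # this layer cannot issue the command
        if any(p not in failed for p in config[system]):
            return True                    # at least one healthy pilot vents the actuator
    return False


def minimal_cut_sets(config: dict, demands: set, max_order: int = 2) -> list:
    """Minimal sets of failed components (up to `max_order`) that defeat closure on the given demands."""
    comps = sorted(components(config))
    cuts = []
    for order in range(1, max_order + 1):
        for combo in combinations(comps, order):
            failed = set(combo)
            if any(c <= failed for c in cuts):
                continue                   # a subset already defeats closure, so this one is not minimal
            if not valve_closes(config, demands, failed):
                cuts.append(failed)
    return sorted(sorted(c) for c in cuts)


def single_points_of_failure(config: dict, demands: set) -> list:
    """Components whose failure alone defeats every demanding layer at once."""
    return [c[0] for c in minimal_cut_sets(config, demands, max_order=1)]


def esd_backs_up_psd(config: dict, failed: set) -> bool:
    """The scenario in the finding: PSD has failed to close the valve; can ESD still close it?"""
    return (not valve_closes(config, {"psd"}, failed)) and valve_closes(config, {"esd"}, failed)


if __name__ == "__main__":
    both = {"psd", "esd"}
    for name, cfg in [("shared pilot", SHARED_PILOT), ("independent pilots", INDEPENDENT_PILOTS)]:
        print(f"{name}: single points of failure = {single_points_of_failure(cfg, both)}")
        print(f"{name}: minimal cut sets (order <= 2) = {minimal_cut_sets(cfg, both)}")
    print("shared pilot, pilot_A stuck, ESD backs up PSD:", esd_backs_up_psd(SHARED_PILOT, {"pilot_A"}))
    print("independent, pilot_A stuck, ESD backs up PSD:", esd_backs_up_psd(INDEPENDENT_PILOTS, {"pilot_A"}))
```

With the shared pilot, the single points of failure are the pilot and the valve itself; with independent pilots only the valve remains, and every other way of defeating both layers needs two simultaneous failures. That is exactly the independence the finding asks for: the second layer only adds protection if it does not share the first layer's failure modes.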
PSA audit finding: closing time for emergency shutdown valves. It should be clarified whether valves with an ESD function (barrier function) meet the functional requirements. Basis: the ESD9 signal activates three valves: XHV11002, XHV11003 and XHV11004. A review of the maintenance history showed that valve XHV11002 had a closing time of 3.45 minutes; the valves typically closed within 45 seconds. Performance requirements had not been established for closing time or leak rates.
[Figure: pneumatic actuation schematic of an ESD valve: air supply 4.5 bar, filter/regulator with automatic drain, check valve, manual valve, PSD 3-port 2-position valve (auto-reset), ESD 3-port 2-position valve (manual reset); opening and closing paths. Photo not related to the case.]
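The finding has two parts: no performance requirement had been set, and one valve had drifted far from the others. As an added example (not from the audit or the presentation), the check below runs over proof-test records and reports both: when a requirement exists, every test slower than it; when none exists, that absence as a finding in its own right, with valves compared against the population's typical closing time so degradation is still visible. The records are constructed for illustration and reuse the tags from the finding; the values are not real test data.

```python
"""Closing-time check over valve proof-test records (added example)."""
import csv
import io
import statistics
from typing import Optional

# Constructed records: tag, test date, measured closing time in seconds (not real data).
RECORDS_CSV = """tag,test_date,closing_time_s
XHV11002,2011-02-14,41
XHV11002,2011-08-22,207
XHV11003,2011-02-14,44
XHV11003,2011-08-22,45
XHV11004,2011-02-14,43
XHV11004,2011-08-22,47
"""


def load_records(csv_text: str) -> list:
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for r in rows:
        r["closing_time_s"] = float(r["closing_time_s"])
    return rows


def check_closing_times(csv_text: str, required_max_s: Optional[float], outlier_factor: float = 2.0) -> list:
    """Return (tag, test_date, closing_time_s, finding) tuples.

    required_max_s is the closing-time performance requirement from the SRS, or None if none
    has been established. outlier_factor is an assumed screening threshold, not a standard figure.
    """
    rows = load_records(csv_text)
    findings = []
    if required_max_s is None:
        # As in the audit: the missing requirement is itself a finding ...
        findings.append(("*", "*", None, "no closing-time performance requirement established"))
        # ... and in the meantime screen against the typical closing time of the population.
        typical = statistics.median(r["closing_time_s"] for r in rows)
        limit = outlier_factor * typical
        reason = f"exceeds {outlier_factor:g}x typical closing time ({typical:.0f} s)"
    else:
        limit = required_max_s
        reason = f"exceeds requirement of {required_max_s:.0f} s"
    for r in rows:
        if r["closing_time_s"] > limit:
            findings.append((r["tag"], r["test_date"], r["closing_time_s"], reason))
    return findings


def tags_out_of_spec(csv_text: str, required_max_s: Optional[float]) -> list:
    """Distinct valve tags with at least one failed closing-time test."""
    return sorted({f[0] for f in check_closing_times(csv_text, required_max_s) if f[0] != "*"})


if __name__ == "__main__":
    print("-- no requirement established --")
    for f in check_closing_times(RECORDS_CSV, None):
        print(f)
    print("-- requirement: 60 s --")
    for f in check_closing_times(RECORDS_CSV, 60):
        print(f)
```

Note the ordering in the code: the requirement is checked against the SRS first, and only in its absence is the population statistic used. A median-based screen catches a valve that has degraded relative to its siblings, but it cannot tell whether 45 seconds is itself acceptable for the barrier; only the SRS can.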
ISO 14121-1 Risk assessment: establishes general principles related to the safety of machinery.
NORSOK standard R-002
ISO 13849-1:2006
Emergency Start Emergency??
Emergency core cooling system (ECCS)
Emergency start systems. The most common turbine-driven electric generator units employed today for emergency or standby power use gas or oil as fuel. Various grades of oil and both natural and propane gas may be used. Other, less common, fuels are kerosene and gasoline. Service can be restored in about 10 s at minimum to several minutes, depending on the turbine used.
Emergency start systems. The availability of multiple utility service systems can be improved by adding a standby engine generator set capable of supplying the more critical loads.
5.15.3 Emergency operation: Offshore cranes on floating installations and lifting appliances for the lifting of persons shall be equipped with an emergency operation system. The system shall be able to move the load in any direction, in case of a main power failure or a control system failure, utilising a secondary independent power supply system and a secondary independent control system. The control devices shall be of hold-to-run type, and shall be clearly and permanently marked. A separate emergency stop shall be provided for the emergency operation system.
SIS typical Main elements
SIS initiators:
- Local field push buttons (PBs)
- Remote PBs (e.g. from the CCR)
- Input signals from other systems (e.g. from F&GD to the ESD system)
- Process sensors (e.g. PSD sensors)
- Built-in system interlocks (e.g. automatic start-up of the emergency generator (EG) on zero-voltage detection on the emergency switchgear (SWG))
SIS logic solver: none, relay configuration, PLC, hardware solid state.
SIS final elements: shut-off valves (incl. actuators and solenoid valves), relays and contactors, fire water pumps, emergency generators, hardware solid state.
SIS safety requirements specifications
Ref.: IEC 61511-1. The SIS safety requirements specification includes requirements related to, among other things, the following:
- Description of the safety instrumented function
- Definition of the safe state of the process
- Demand rate on the safety instrumented function
- Proof-test intervals
- Response time
- Safety integrity level (SIL)
- Trip point
- Criteria for successful operation, for example requirements for tight shut-off valves
- Logic relationship between process inputs and outputs, including logic
- Manual shutdown
- Resetting, starting up and restarting
- Energize or de-energize to trip
- Maximum allowable spurious trip rate
- Failure modes and desired response of the SIS in the event of fault(s) being detected in the SIS (for example alarms, automatic shutdown)
- Interfaces between the SIS and any other system
- Overrides/inhibits/bypasses, including how they will be cleared
- Mean time to repair
- Survivability, for example the time a valve is required to remain operational in the event of a fire
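Several of the items in that list constrain each other: the proof-test interval and the hardware's dangerous undetected failure rate determine the achievable PFDavg and hence the SIL, the demand rate decides whether a low-demand PFD figure is the right measure at all, and the final element's closing time has to fit inside the required response time. As an added example (not from IEC 61511-1 or the presentation), here is a consistency check over an SRS expressed as a small dictionary. The relations used are the standard simplified ones: PFDavg ≈ λ_DU × T_proof / 2 for a single (1oo1) channel, the low-demand SIL bands from IEC 61508-1 Table 2, and the IEC 61508-4 definition of low-demand mode as no more than one demand per year. The example SRS values, in particular λ_DU, are constructed and not data from any real device.

```python
"""Consistency check over selected SRS items (added example)."""
HOURS_PER_YEAR = 8760

# Low-demand PFDavg bands, IEC 61508-1 Table 2: lower bound inclusive, upper bound exclusive.
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}

# Constructed SRS fragment; lambda_du is an assumed figure, not a device datasheet value.
EXAMPLE_SRS = {
    "sif": "Close ESD valve on high level",
    "target_sil": 3,
    "lambda_du_per_hour": 2e-6,          # dangerous undetected failure rate of the 1oo1 final element
    "proof_test_interval_h": HOURS_PER_YEAR,
    "demand_rate_per_year": 0.2,
    "required_response_time_s": 30,
    "final_element_closing_time_s": 45,
    "trip_philosophy": "de-energise-to-trip",
}


def pfd_avg_1oo1(lambda_du_per_hour: float, proof_test_interval_h: float) -> float:
    """Average probability of failure on demand of one channel proof-tested every T hours."""
    return lambda_du_per_hour * proof_test_interval_h / 2


def achieved_sil(pfd: float) -> int:
    """SIL band the PFDavg falls into; 0 means it does not reach SIL 1."""
    if pfd < 1e-5:
        return 4  # below the SIL 4 band; the table supports no higher claim
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return 0


def max_proof_test_interval_h(lambda_du_per_hour: float, target_sil: int) -> float:
    """Longest proof-test interval for which PFDavg stays inside the target SIL band (1oo1)."""
    _, hi = SIL_BANDS[target_sil]
    return 2 * hi / lambda_du_per_hour


def check_srs(srs: dict) -> list:
    """Return issue strings; an empty list means the checked items are mutually consistent."""
    issues = []
    pfd = pfd_avg_1oo1(srs["lambda_du_per_hour"], srs["proof_test_interval_h"])
    sil = achieved_sil(pfd)
    if sil < srs["target_sil"]:
        t_max = max_proof_test_interval_h(srs["lambda_du_per_hour"], srs["target_sil"])
        issues.append(f"PFDavg {pfd:.2e} gives SIL {sil}, target is SIL {srs['target_sil']}: "
                      f"shorten proof-test interval to <= {t_max:.0f} h or improve the hardware")
    if srs["demand_rate_per_year"] > 1:
        issues.append("demand rate above one per year: low-demand PFDavg does not apply, "
                      "assess as high-demand mode")
    if srs["final_element_closing_time_s"] > srs["required_response_time_s"]:
        issues.append("final element closing time exceeds the required response time of the SIF")
    if srs["trip_philosophy"] != "de-energise-to-trip":
        issues.append("energise-to-trip: loss of power or a broken line does not bring the process "
                      "to its safe state; document the justification and the compensating monitoring")
    return issues


if __name__ == "__main__":
    for issue in check_srs(EXAMPLE_SRS) or ["no inconsistencies found"]:
        print("-", issue)
```

For the constructed values the check reports two issues: a yearly proof test of a final element with λ_DU = 2e-6 /h gives PFDavg 8.76e-3, which is SIL 2 rather than the targeted SIL 3 (the interval would have to come down to 1000 h), and a 45 s closing time does not fit a 30 s response-time requirement. Both are the kind of mismatch the audit findings above turned up after the fact, and which the SRS is meant to make visible before installation.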
THANK YOU FOR YOUR ATTENTION ANY QUESTIONS / COMMENTS?