
30th July 2016 boiler technical terms

Hydrotest Pressure vs Design Pressure


Design pressure is usually the pressure set by the process engineer, based on the results of a simulation or similar study.
Hydrotest pressure is the actual pressure at which the vessel is tested. Usually the hydrotest pressure is 1.3 times the design
pressure (ASME requirement).
So if the design pressure is 100 kPa(g), the hydrotest pressure would be 130 kPa(g). This is why the rule (or requirement) is
called the 10/13 rule.

Maximum Allowable Working Pressure (MAWP) vs Design Pressure


Design pressure is usually the pressure set by the process engineer, based on the results of a simulation or similar study. MAWP
is the pressure based on the actual characteristics of the vessel/equipment (which is usually manufactured to exceed the
specifications set by the process engineer). Maximum allowable working pressure is therefore always greater than or equal to the
design pressure.

Permissive vs Interlock: the Difference


Permissives are conditions that must be satisfied before a machine can be started. For example, a compressor can be started
only when there is sufficient suction pressure.
Interlocks act during operation: if a monitored condition fails, the interlock is activated. For example, a pump shutdown
interlock is activated when the drum level goes low.
An interlock can also be a permissive, but the converse is not true. In the compressor example, if insufficient suction pressure
is only a permissive, the compressor will not shut down when the suction pressure becomes insufficient; it is just a condition for
the system to start. If insufficient suction pressure is an interlock, the system will shut down whenever the suction pressure
drops below a fixed value. Once shut down, all the permissives must be satisfied again before the system can be restarted.

Hot Bolting
Hot bolting is a method of replacing the bolts on a live line, normally done one bolt at a time. Hot bolting should be used only
when there is no other reasonable choice.

The criteria typically followed are something like:

• The operating pressure must be less than 75% of the MAWP allowed under ANSI B16.5 at the operating temperature of the piping
or process system to be hot bolted.
• The flange must have a minimum of 8 bolts.
• The process temperature must be between 4 °C and 71 °C.
• All flanges and associated system equipment must be adequately supported, i.e. no excessive vibration or pulsation.
• The gasket area must not show signs of leakage. Piping, flanges, and bolts must not be severely corroded, i.e. to the point of
affecting their integrity.
• Existing flange bolts/nuts must be tight and of the correct size and grade.

Monitoring for hydrocarbons is also a must during the operation. Generally the procedure for hot bolting follows the same
sequence as a tightening operation.
"Hot Bolting" Calculations
I am looking for advice regarding the appropriate calculation method to find the maximum operating pressure we can allow
when we perform a Hot Bolt procedure (ie, removing one bolt at a time for maintenance purposes).  I can run the calculations
using an ASME Section VII calculator (Mr. Pedersen's), but when you reduce the number of bolts by 1, it simply re-distributes
the remaining bolts over the diameter.  If I remove half the bolts (to accurately reflect the increased distance between adjacent
bolts) to get the correct spacing, the bolt stress for MAWP is too conservative as compared to removing only one bolt (I am
looking at my limiting factor being bolt stress from either MAWP or seating perspective- whichever is greater).
I have never heard of anyone taking one bolt at a time for maintenance purposes from a pressurised vessel, sounds extremely
dangerous to me.
RossABQ - yes, one bolt at a time...but not necessarily "replacing" - we often just remove one bolt, clean it up, put some sort of
lubricant on it (the lubricant issue is a whole other can of worms), and then re-install the bolt/nut.  We do this on flanges
associated with piping AND on vessel manways....most often in preparation for turnaround maintenance, but also on the rare
occasions when we find a bolt has some corrosion or when we find a "short bolt" (ie, a bolt that is too short and the nut is
not fully engaged...usually on facilities we acquired at one time or another) or when we find a nut or bolt that is not the correct
grade....in any of these cases we would then replace the bolt and/or nut.
desertfox - I don't believe it is "extremely dangerous" - the industry has been doing this forever.  Most of the larger companies
have specific procedures for this operation (I have copies of the BP, ConocoPhillips, and the EEMUA Information sheet for Hot
Bolting). Folks, thanx for your interests...and look forward to your thoughts and suggestions for the flange limit calcs.
Hot bolting is fairly common, I've been around it quite a bit before.  It's simply replacing the bolts on a live line.  You do it a bolt
at a time.  That being said, hot bolting should be used only when there is no other reasonable choice.

The criteria typically followed are something like:

• The operating pressure must be less than 75% of the MAWP as allowed under ANSI B16.5 at the operating temp of the piping
or process system to be hot bolted.
• The flange must have a minimum of 8 bolts.
• The process temperature must be between 40° and 160° Fahrenheit.
• All flanges and associated system equipment must be adequately supported, i.e. no excessive vibration or pulsation.
• The gasket area must not show signs of leakage. Piping, flanges, and bolts must not be severely corroded, i.e., to the point of
affecting their integrity.
• Existing flange bolts/nuts must be tight and of the correct size and grade.

Monitoring for hydrocarbons is also a must during the operation.  Generally the procedure for hot bolting is the same sequence
as for a tightening operation.
In my opinion, the answer to your stud bolt question is.... "it depends"....!!! It depends mostly on the cost and degree of corrosion
on the bolt. If the bolt is of large diameter and of expensive materials, it pays to be careful and reuse it. Smaller, more
common materials may be replaced as a matter of policy.
We have hot bolted at 1250F @ 250 psig. We routinely hot bolt polymer lines at 600F @ 1500 psig. Our process requires that we
completely dismantle a production unit at overhaul. This involves the removal of several thousand studs, mainly B-16 5/8"-@
1/2" but considerable B8 Cl2 material. Part of these production units are components that use H11 SHCS that are changed out
and reused on a set schedule of approximately 15 days. Each line has 48 of these components that have 98 SHCS. As we have 17
lines the reuse of studs and bolts is almost a necessity. Though there is not a formal inspection of the studs they are screened
by adding 2 nuts to each stud during a process we call Daging, the addition of a colloidal graphite lubricant. We run each stud
through a Pyrolysis Furnace to remove any existing Dag and the disassembled studs and nuts are run through the Daging bath,
Dag and water.  After Daging the studs and nuts are assembled with a full nut engagement on each end of the stud. I would say
less than 1% are rejected during this process. About 90% of the rejected studs are recovered by lite duty mechanics. It is a
very rare occurrence when a mechanic has a problem with a stud when the piping is reassembled. Some of the studs in use are
over 40 years old as witnessed by some Crane Alloy Studs from the 50's that are found in service. At various times I've
removed a sample of studs and physically measured the threads and have never seen anything approaching rejection. There is
sometimes a problem with the meaning of "hot bolting" being taken as retorquing a bolted connection at operating conditions. "Hot
bolting" and "hot torquing" are two separate operations. Care has to be taken with both operations. I've seen several problems
with "hot torquing" where people forget the proper tightening sequence.

POWER PLANT OPERATION


BY MUJIYONO
BOILER
Definition
As per the Indian Boiler Act 1923, a boiler is defined as any closed vessel exceeding 22.75 liters in capacity which is used
exclusively for generating steam under pressure, and includes any mounting or accessories attached to such vessel which is
wholly or partially under pressure when steam is shut off.
A good boiler should have some essential qualities:
1. Capable of meeting large load fluctuations.
2. Fuel efficient, i.e. generates maximum steam with minimum fuel consumption.
3. Ability to start up quickly.
4. Easy to maintain and inspect.
5. Occupies less floor space.
6. Lower friction loss in the water and flue gas circuits.
7. Needs little attention for operation and maintenance.

Systems in a Boiler
A boiler mainly contains the following systems:
1. Feed water system.
2. Steam system.
3. Air system.
4. Flue gas system.
5. Fuel handling system.
6. Ash handling system.

Boiler Mountings
Fittings on a boiler which are required for its safe and efficient operation are called mountings. These are as follows:
1. Safety valve
2. Water level sight glass (gauge glass)
3. Pressure gauge
4. Blow down valve
5. Main steam stop valve
6. Feed water check valve (NRV)
7. Air vent
8. Start-up vent
9. Manhole

Boiler Accessories
The devices which are used in a boiler as an integral part and help to run the boiler efficiently are called boiler accessories.
These are:
1. Super heater
2. De-super heater
3. Economizer
4. Air pre-heater
5. Soot blower
6. Feed pump
7. ID and FD fans
8. Ash removal system
9. Fuel supply system
10. Dosing system
11. Deaerator

Steam Generation in a Boiler (contd.)


In a boiler, fuel is burnt to release heat energy from the chemical energy stored in the fuel. This heat energy is used to
produce steam from feed water.
Fuel is fired in the furnace of the boiler. Different boilers use different fuels, and the furnace is designed accordingly. Water
tubes are arranged around the furnace and the flue gas path; the tube arrangement around the furnace is called the water wall.
Feed water circulates in these tubes: water comes to the water wall from the boiler drum and returns to the drum after
absorbing heat. Because the temperature difference creates a density difference, water circulates in these tubes naturally.
This is therefore called natural circulation.

During circulation of water in tubes, steam is generated and collected at the upper part of the Drum. This is called Saturated
Steam corresponding to Boiler drum pressure. This steam is further heated in Superheaters and becomes superheated steam.

Boiler Drum is filled with fresh feed water. The feed water, before entering into drum is heated at Economizer. Economizer is
placed at the flue gas path. Most of the heat of the flue gas is utilized inside the Boiler. Still considerable amount of heat energy
is available in it. This heat is utilized in Economizer to heat up the feed water.

The oxygen required for burning the fuel is obtained from atmospheric air. Air is required in the boiler furnace for combustion
and is supplied by the forced draught (FD) fan. This air is heated in the air pre-heater (APH) before being sent into the furnace,
because using cold air would waste energy. The air pre-heater is placed in the flue gas path after the economizer. It is a heat
exchanger which transfers heat from the flue gas to the cold air that is to be used in the furnace. With heated air, burning of
fuel is easier and energy loss is minimized. If the hot flue gas were not used to heat the feed water in the economizer and the
air in the air pre-heater, that heat would escape into the atmosphere.

Finally the flue gas passes through the electrostatic precipitator (ESP) and is exhausted to the atmosphere through the chimney.
In the ESP the dust particles in the flue gas are trapped and clean gas escapes to the atmosphere.

Ash produced in the boiler by combustion of solid fuel is collected at the boiler bottom and also in the economizer, air
pre-heater and ESP. This ash is disposed of with the help of a suitable ash handling system.

Preparations for Cold Start-up


1. All the manhole doors should be in closed condition. Tightness of the nuts and bolts of the manhole doors is to be checked
properly.
2. All the water wall drain lines should be in closed condition.
3. All the steam drain lines should be in open condition.
4. Start-up vent root manual isolation valve should be in open condition.
5. Drum level should be at Normal Water Level (NWL).
6. Continuous Blow Down (CBD) and Intermittent Blow Down (IBD) drains should be in closed condition.
7. All the super heater vents including drum vent and Puppy Header vent should be in open condition.
8. Before and after isolation valves at the Feed Control Station (FCS) should be in open condition.
9. Attemperation control valve before and after isolation valves should be in open condition.
10. Hydrastep should be in healthy condition.
11. Safety valves should be in healthy condition.
12. Main steam stop valve and by-pass valve should be in closed condition.
13. Soot blower manual isolation valve and control valve should be in closed condition.
14. Boiler drum gauge glass steam side and water side isolation cocks should be in open condition.
15. HP dosing pumps should be in healthy condition, with suction and discharge valves of the pump open.
16. Solution in the HP dosing agitator tank should be at normal level.
17. Boiler feed pumps should be in healthy condition.
18. Deaerator water level should be maintained at 60% by taking the DM transfer pump into service.
19. Air compressors should be in healthy condition.
20. Ash handling systems should be in healthy condition.
21. ESP should be in healthy condition.
22. ID fan damper should be in zero position.
23. All the interlocks and protections should be checked properly, viz. drum level low, deaerator level low, Boiler Feed Pump
(BFP) discharge pressure low, flue gas temperature at Post Combustion Chamber (PCC) outlet high, silo level.

Cold Start-up process


1. After kiln light-up, when the flue gas temperature at PCC outlet increases to more than 450 deg C, open the ID fan damper 5%.
Due to the natural draught created by the chimney, flue gas passes through the boiler and slow heating and expansion takes place.
2. After opening the ID fan damper, the boiler furnace temperature rises slowly. When the furnace temperature rises to 250 deg C,
open the ID fan damper 10%.
3. When the flue gas temperature at PCC outlet rises above 600 deg C, close the ID fan damper and start the ID fan.
4. When drum pressure reaches 5 kg/cm2, close the drum vent and Puppy Header vent.
5. When boiler drum pressure reaches 20 kg/cm2, give blow down of the water wall to remove deposits or sludge.
6. By adjusting the damper opening, raise the boiler pressure up to 45 kg/cm2 and the temperature to 485 deg C.
7. The start-up vent should remain open from the moment hot flue gas is admitted into the boiler.
8. Open the main steam line drains between the Boiler Main Steam Stop Valve (MSSV) and the TG MSSV.
9. Open the MSSV by-pass valve to remove all the condensate in the main steam line and ensure that the TG MSSV is in closed condition.
10. After removal of all condensate in the main steam line and proper line heating, open the main steam stop valve of the boiler.
11. Close super heater drains.
12. Put the drum level controller in Auto mode.
13. Put the attemperator controller in Auto mode.
14. Close the start-up vent as per the steam demand of the TG set.
15. Charge the ESP when the flue gas temperature after the economizer reaches 160 deg C.


Start-up of Waste Heat Recovery Boiler (WHRB)

Hot Start-up

Start-up of the boiler within 2 hrs of a boiler trip is known as the hot start-up of the boiler.
1. Ensure the drum level of the boiler. It should be at normal water level.
2. Start air compressors.
3. Start boiler feed water pump.
4. Start ID fan with ID damper in zero position.
5. Open start-up vent.
6. Slowly open the damper of the ID fan. Watch drum level.
7. Regulate boiler pressure by opening the start-up vent.
8. Super heater temperature has to be maintained with the help of the attemperator control valve.
9. Raise the boiler pressure up to 45 kg/cm2 and temperature to 485 deg C.
10. Open the drains of the main steam line between the Main Steam Stop Valve (MSSV) of the boiler and the turbine.
11. Open the by-pass valve of the MSSV.
12. Condensate, if any, will be drained out and main steam line heating will be carried out by opening of the by-pass valve.
13. After ensuring proper main steam line heating, open the main steam stop valve.
14. Close all drains in the main steam line.
15. Charge ESP when flue gas temperature at economizer outlet reaches 160 deg C.
16. Put drum level controller and attemperator controller in Auto mode.
17. Regulate the pressure of the boiler with the help of the start-up vent.
18. Close the start-up vent as per the steam demand of the TG set.
19. Normalize the ID fan damper by gradual opening and loading of the boiler.

Charging of Deaerator
It removes the dissolved gases from the condensate mechanically by the following two laws:
1. Henry's Law
2. Dalton's Law of Partial Pressure.
• According to Henry's Law, the solubility of dissolved gases decreases with increasing water temperature. So by charging steam
into the deaerator, the water temperature increases and the gases dissolved in the condensate depart.
• According to Dalton's Law of Partial Pressure, Pm = Ps + Pa
where Pm = partial pressure of the mixture,
Ps = partial pressure of steam,
Pa = partial pressure of air.
• The partial pressure of the air present inside the deaerator comes out through the deaerator vent to reach the equilibrium state.

Procedure of Charging
1. Ensure DM storage tank level is more than 60%.
2. Start DM transfer pump by opening the recirculation valve.
3. Ensure deaerator level is 60%. If the level is less, then take in make-up water.
4. Open all drain lines of the pegging PRDS line and observe that condensate is completely drained out.
5. Slowly open the pegging PRDS pressure control valve and ensure that condensate is drained out completely. Then close the
drains.
6. Gradually increase the pressure to 2.8 kg/cm2 by opening the pegging PRDS pressure control valve further.
7. Slowly heat the deaerator by opening the heating line isolation valve and raise the deaerator temperature to 90 deg C.
8. Open the before and after isolation valves of the deaerator pressure control valve. Then open the pressure control valve
gradually. Slowly increase the deaerator pressure up to 2 kg/cm2. After that put the deaerator pressure control valve in Auto
mode.
9. Start LP dosing pump.
10. In LP dosing, hydrazine is used. Hydrazine removes oxygen by chemical reaction.
11. Equation: N2H4 + O2 = 2H2O + N2
12. By adding hydrazine, dissolved oxygen becomes water and nitrogen gas is released.

WHRB Interlocks
1. If drum level becomes very low, i.e. 25%, then the ID fan trips and the emergency cap opens.
2. This is to protect the boiler tubes. At low drum level, heat flux input has to be cut off to protect the boiler tubes, otherwise
starvation takes place.
3. If PCC outlet temperature rises to 1050 deg C then the ID fan damper goes to zero and the emergency cap opens.
4. This protection is incorporated to protect the boiler tubes from overheating.
5. If all BFPs trip then the ID fan damper goes to zero and the emergency cap opens.
6. When all running BFPs trip, the drum level falls drastically. To protect the boiler from starvation, heat flux input should be
cut off.
7. If deaerator level becomes very low, i.e. 25%, then all BFPs trip.
8. Running BFPs at low deaerator level is harmful for the pump.
9. If ash silo level is high, all ash handling systems stop.
10. When the ash silo is at high level, conveying more ash from the ash handling systems results in blockage of the ash conveying
line. To prevent this, it is better to stop the systems and unload ash from the ash silo.
11. Boiler main steam stop valve will not open if the by-pass MOV of the MSSV is in closed condition.
12. This protection is to avoid line hammering due to the presence of condensate in the main steam line and to prevent carry-over of
condensate towards the turbine side.
13. Boiler feed water MOV will not open if the by-pass MOV of the feed water MOV is in closed condition.
14. If feed water is empty in the economizer and in the pipe line after the feed water MOV, then opening the feed water MOV directly
without opening the FW by-pass MOV will lead to overloading of the BFP, resulting in a BFP trip.
15. ESP trips if ash hopper level is high.
16. ESP has high voltage. Ash contains combustibles.
17. This protection is to safeguard the ESP at ash hopper level high.
18. ESP cannot be charged without starting the purge air blower.
19. This is to seal the ESP with air from the purge air blower before charging it.
20. ESP cannot be charged till the flue gas inlet temperature reaches 160 deg C.
21. This is to avoid deposition of moisture and oil content in flue gas on the ESP.
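The permissive/interlock distinction from the earlier section and the WHRB interlock list above are both instances of the same control pattern: a condition can gate a start (permissive), trip running equipment (interlock), or both, and after a trip the permissives must be re-satisfied. The following Python model is an added example, not code from the page or from any plant control system. It takes the 25% drum level and 1050 deg C PCC thresholds from the interlock list, treats "ID damper at zero" and "BFP running" as start conditions because the hot start-up steps order them before starting the ID fan, and feeds the logic a constructed stream of readings; the Reading fields, the Condition class and the 25% low-low being used as a start permissive are assumptions made for the example.

```python
"""Permissive vs interlock logic for a WHRB ID fan (added example, not plant code).

Thresholds (25% drum level, 1050 deg C PCC outlet, all BFPs tripped) follow the
page's WHRB interlock list; everything else is a constructed assumption.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Reading:
    """One scan of the process values the logic needs (constructed)."""
    drum_level_pct: float
    pcc_outlet_temp_c: float
    bfps_running: int
    id_damper_pct: float


@dataclass(frozen=True)
class Condition:
    name: str
    healthy: Callable[[Reading], bool]
    permissive: bool            # must hold before a start request is accepted
    interlock: bool             # failing while running trips the equipment
    trip_actions: Tuple[str, ...] = ()


# A condition may be permissive only, interlock only, or both (the page's point
# that an interlock can also be a permissive, but not the other way round).
CONDITIONS: Tuple[Condition, ...] = (
    Condition("ID damper at zero position",   # start condition only
              lambda r: r.id_damper_pct == 0, permissive=True, interlock=False),
    Condition("drum level above 25% low-low",  # both (assumed as a permissive)
              lambda r: r.drum_level_pct > 25, permissive=True, interlock=True,
              trip_actions=("trip ID fan", "open emergency cap")),
    Condition("at least one BFP running",      # both
              lambda r: r.bfps_running >= 1, permissive=True, interlock=True,
              trip_actions=("ID damper to zero", "open emergency cap")),
    Condition("PCC outlet below 1050 deg C",   # interlock only
              lambda r: r.pcc_outlet_temp_c < 1050, permissive=False, interlock=True,
              trip_actions=("ID damper to zero", "open emergency cap")),
)


class IdFanLogic:
    def __init__(self, conditions: Tuple[Condition, ...] = CONDITIONS):
        self.conditions = conditions
        self.running = False
        self.trips: List[str] = []

    def request_start(self, r: Reading) -> List[str]:
        """Return the unmet permissives; an empty list means the start was accepted."""
        unmet = [c.name for c in self.conditions if c.permissive and not c.healthy(r)]
        if not unmet:
            self.running = True
        return unmet

    def scan(self, r: Reading) -> List[str]:
        """Evaluate interlocks on a running fan; return the trip actions taken."""
        if not self.running:
            return []                      # interlocks act only on running equipment
        actions: List[str] = []
        for c in self.conditions:
            if c.interlock and not c.healthy(r):
                self.trips.append(c.name)
                actions.extend(c.trip_actions)
        if actions:
            self.running = False           # once tripped, permissives must be re-satisfied
        return actions


def demo() -> List[Tuple[str, List[str]]]:
    """Constructed scenario showing the permissive/interlock asymmetry."""
    logic = IdFanLogic()
    trace = []
    # damper not at zero: the permissive blocks the start
    trace.append(("start", logic.request_start(Reading(50, 700, 1, 10))))
    # all permissives met: start accepted
    trace.append(("start", logic.request_start(Reading(50, 700, 1, 0))))
    # damper opened while running: permissive-only condition, so no trip
    trace.append(("scan", logic.scan(Reading(50, 700, 1, 30))))
    # PCC outlet overheats: interlock trips the fan
    trace.append(("scan", logic.scan(Reading(50, 1080, 1, 30))))
    # PCC back to normal but damper still open: restart blocked by the permissive
    trace.append(("start", logic.request_start(Reading(50, 700, 1, 30))))
    return trace


if __name__ == "__main__":
    for step, result in demo():
        print(step, result)
```

The scenario in `demo()` is the compressor argument from the earlier section played out on the WHRB: opening the damper while running causes no trip because that condition is permissive only, the PCC temperature trips the fan because it is an interlock, and the restart is refused until every permissive holds again.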

1. Decrease in Drum Level

a. Tripping of feed pump
If a boiler feed pump trips, the feed water supply to the boiler is interrupted and the drum level falls. If this has happened,
ensure that the auto stand-by boiler feed pump has started in Auto mode. If the auto stand-by boiler feed pump has failed to
start in Auto mode, start the boiler feed pump manually; otherwise the boiler will suffer from starvation and ultimately it will
trip to protect itself.

b. Tube failure in economizer

If a boiler economizer tube fails, the water supply to the boiler drum is affected. This leads to a decrease in drum level, and the
feed control valve will open more to bring the drum level back to normal water level, which leads to overloading of the boiler
feed pump.
Observe the steam flow and feed water flow. If feed water demand to the drum is increasing, listen for any sound from the
furnace. If a tube has failed inside the boiler, a hissing sound is produced and can be noticed from outside. Simultaneously check
the smoke from the chimney. If it is white, tube failure inside the furnace is confirmed.

c. Unit getting into island mode

When the unit comes to island mode, it follows the load connected to the generator. Suppose the unit is generating more power
than the unit load and exporting to the grid.
At the time of islanding, the generator will follow the load connected in this unit and the governing control valves will close
according to that load, allowing only the corresponding steam to pass through the turbine. The surplus steam will remain in the
boiler, which increases the drum pressure. This drum pressure exerts a downward thrust on the drum level, which decreases
drastically.

d. Whether the CBD valve, EBD valve or IBD valve has been opened?

If any operating personnel has opened any of these valves without proper reason or intimation, the drum level also decreases
rapidly. First confirm which valve is open, then close it or regulate it while observing the drum level.

2. INCREASE IN DRUM LEVEL

a. Whether cold start-up of the boiler is in progress?
During cold start-up, when the water temperature reaches 90 deg C, formation of bubbles starts. This is known as the swelling
phenomenon. If this is the case, blow down has to be given to maintain the drum level at normal water level.
b. Whether the instrument air compressor has tripped and the air lock unit at the feed control station has failed?
If the instrument air compressor trips, the air lock unit of the control valve at the feed control station keeps the control valve at
the position it was in before the loss of instrument air supply. This is known as the stay-put condition. If the air lock unit fails to
keep the feed station control valve in the stay-put condition, the loss of instrument air leads to 100% opening of the control
valve. If this happens, start the instrument air compressor as early as possible and regulate the feed station control valve.

c. Whether the start-up vent has opened or a safety valve has popped up?
When the start-up vent is opened while the boiler is steaming and supplying steam to the turbine, the drum level increases
rapidly because of the release of pressure in the drum. If the steam demand at the TG has reduced to a large extent, the boiler
drum pressure rises quickly and at that instant the drum level falls rapidly. When the start-up vent is operated to release the
surplus steam, or a safety valve pops up, the drum level increases rapidly. In this case first establish why the pressure in the
boiler has increased. If the drum level is increasing drastically, give blow down to regulate it, because at a high drum level the
steam quality will be affected and carry-over of water particles to the super heaters and turbine will take place, which is very
harmful.

d. Whether the start-up vent has opened or a safety valve has popped up? (continued)
This operation should not be carried out when the boiler is in loaded condition. Do not close the feed control valve fully if the
drum level rises: if the control valve is closed completely, the feed water in the economizer tubes, which was passing to the
drum, will turn into steam due to the heat in the flue gas, and when feed water supply through the economizer is re-established
through the feed control valve, hammering will occur in the economizer tubes due to the presence of steam. This may lead to
economizer tube failure. After establishing the reason, close the start-up vent and dump the surplus steam in the condenser.
Ensure that the safety valve has reset in its position and no passing is observed.

e. Whether the drum level transmitter is malfunctioning?

If the drum level transmitter is malfunctioning, observe the level in the hydrastep and immediately inform the shift in-charge and
instrument personnel about this.

f. Whether heat supply to the boiler has been increased rapidly?

If the heat supply to the boiler is increased suddenly by a large amount, it affects the drum level, which swells. To avoid this,
regulate the heat input in a gradual loading manner. A sudden, large heat input will overheat the grain structure of the tubes,
which then suffer from fatigue; in course of time a tube fails.

g. Whether the stand-by boiler feed pump has started?

When the stand-by boiler feed water pump is started while a boiler feed water pump is already running, the drum level
increases: at the existing opening of the boiler feed control valve, the higher feed water pressure pushes more feed water to
the drum, and the drum level rises. This case normally happens during a scheduled equipment changeover of the boiler feed
water pump. First the stand-by feed water pump is started and the discharge valve of that pump is opened. After that the
previously running boiler feed pump is stopped. Ensure whether it is a scheduled equipment changeover.

h. Whether the TG has come to island mode?

If the TG has come to island mode, the boiler pressure increases because steam demand is cut off as the generator has to follow
the load connected to it in this unit. If the unit was exporting power to the grid, the surplus power is reduced at that instant,
which the governor of the TG set follows. It closes the control valve and the steam pressure rises in the boiler accordingly.
Ensure that the unit is running in island mode. Open the start-up vent to release the pressure. Check whether the safety valve
has popped up and, if so, whether it has reset properly. Observe the drum level during this operation. Check whether the dump
control valve is functioning properly. If it is responding properly, try to supply steam to the condenser by closing the start-up
vent after ensuring that the boiler pressure has reduced and the safety valve has reset.
i. Whether the TG has tripped?
If the turbine trips, the steam demand of the turbine is cut off, resulting in a boiler pressure rise. Ensure the dump circuit is
healthy. Open the dump control valve and close the start-up vent after ensuring that the safety valve has reset.

j. Whether any cooling water pump of the TG has tripped?

When a cooling water pump of the TG for condenser condensate cooling trips, the vacuum in the condenser drops quickly, and if
at that instant the auto stand-by pump fails to start, the load set point of the generator has to be reduced with immediate effect.
Otherwise the TG will trip on low vacuum. When the generator load set point is decreased suddenly, the boiler pressure
increases. In this case communicate with the TG operator, open the start-up vent and lower the load set point. Try to start the
main cooling water pump manually. After restoration of the cooling water pump, divert the steam from the start-up vent to the
dump circuit by closing the vent, and normalize the load of the generator.

3. Decrease in Boiler Steam Pressure

a. Whether the flue gas inlet temperature has reduced?
If the flue gas inlet temperature reduces, steam generation in the boiler reduces and the pressure drops. This has to be observed
very carefully and the generator load set point has to be lowered, otherwise the TG will trip when the main steam pressure
becomes low.

b. Whether there is more steam demand at the TG end?

Suppose the unit is running at low load because steam generation in the boiler is low, the TG is running with a low load set
point, and the unit is importing power from the grid. If, as a mal-operation, the generator load set point is given higher than
the steam generation allows, the boiler pressure decreases. The same happens if the unit comes to island mode: the generator
will follow the load connected to it, the load on the generator exceeds what the steam generation in the boiler can support, and
so the boiler pressure decreases. As the generator load set point cannot be changed by putting in a lower set point value, the
load on the generator has to be lowered by cutting off load connected to it. Choose the less important load connected to the
generator and cut it off as quickly as possible; otherwise the unit will suffer a blackout condition due to the TG tripping on main
steam pressure low while grid power is unavailable.

c. Whether a superheater tube has failed?

If a superheater tube fails, the boiler steam pressure decreases. Observe steam flow and feed water flow. If the steam flow is
on a falling trend and the feed water flow is on a rising trend, this indicates that a tube has failed. If the tube failure has
occurred inside the furnace, white smoke comes out of the chimney. When the steam pressure decreases, reduce the generator set
point accordingly to avoid a TG trip on main steam pressure low, and confirm whether a tube has failed or not. If a tube has
failed, a boiler shutdown has to be taken to replace the failed tube with a new tube.
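The tube-failure diagnosis described here and under "Tube failure in economizer" in the drum level section rests on one observable: steam flow trending down while feed water flow trends up, which is a mass-balance mismatch the operator can watch on two trends. The following Python indicator is an added example, not code from the page or from any plant system. It fits a least-squares slope over a sliding window of readings and flags windows where both trends move in the failure direction; the window length, the slope thresholds (t/h per sample) and the sample readings are constructed assumptions, and the page's confirmation steps (hissing sound, white smoke from the chimney) remain a human check that this code does not replace.

```python
"""Trend-based tube failure indicator (added example, not plant code).

Readings are (steam_flow, feedwater_flow) pairs at equal intervals; units and
values are constructed for the example.
"""
from typing import List, Optional, Sequence, Tuple

# Constructed readings: six steady samples, then steam flow falls by ~2 t/h
# per sample while feed water flow rises by ~3 t/h per sample, the pattern the
# page names for a failed tube.
SAMPLE_READINGS: List[Tuple[float, float]] = [
    (100, 102), (100, 103), (101, 102), (100, 102), (99, 103), (100, 102),
    (98, 105), (96, 108), (94, 111), (92, 114), (90, 117), (88, 120),
]


def slope(values: Sequence[float]) -> float:
    """Least-squares slope of values against their sample index (units per sample)."""
    n = len(values)
    if n < 2:
        raise ValueError("need at least two samples to fit a slope")
    mean_x = (n - 1) / 2
    mean_y = sum(values) / n
    num = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(values))
    den = sum((x - mean_x) ** 2 for x in range(n))
    return num / den


def tube_failure_windows(readings: Sequence[Tuple[float, float]],
                         window: int = 6,
                         steam_drop: float = -1.0,
                         feed_rise: float = 1.0) -> List[int]:
    """Return the indices of readings at which the last `window` samples show
    steam flow falling at least `steam_drop` per sample and feed water flow
    rising at least `feed_rise` per sample (both thresholds are assumptions)."""
    flagged: List[int] = []
    for end in range(window, len(readings) + 1):
        win = readings[end - window:end]
        steam_slope = slope([steam for steam, _ in win])
        feed_slope = slope([feed for _, feed in win])
        if steam_slope <= steam_drop and feed_slope >= feed_rise:
            flagged.append(end - 1)
    return flagged


def first_alarm(readings: Sequence[Tuple[float, float]], **kwargs) -> Optional[int]:
    """Index of the first reading that raises the indicator, or None."""
    flagged = tube_failure_windows(readings, **kwargs)
    return flagged[0] if flagged else None


if __name__ == "__main__":
    idx = first_alarm(SAMPLE_READINGS)
    print("first alarm at sample", idx, "->", SAMPLE_READINGS[idx])
```

A single mismatched reading does not raise the indicator; only a sustained divergence over the whole window does, which keeps ordinary feed control action (a brief feed surge after a blow down, for instance) from being mistaken for a leak. The threshold values would be tuned per boiler from historical trends.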

d. Whether the ID fan damper has closed to zero position?

This happens when the flue gas temperature at the Post Combustion Chamber reaches 1050 deg C. Flue gas flow to the boiler is
cut off when the ID damper closes, which means the heat supply to the boiler is cut off and less steam is generated. So when the
ID damper closes due to high PCC temperature, immediate load reduction has to be carried out at the generator to avoid a TG
trip on main steam pressure low.

e. Whether the hand lever of a safety valve has been operated?

If any person has operated the hand lever of a safety valve for some time without proper communication with the operating
personnel, the boiler steam pressure decreases and the drum level increases.

4. INCREASE IN MAIN STEAM TEMPERATURE

a. Whether the boiler has been loaded with a huge amount of heat suddenly?
Main steam temperature rises if the flue gas temperature at the boiler inlet rises suddenly. As the superheaters are located in the
convection zone, a rise in flue gas temperature increases the superheater temperature. If the attemperator control valve fails
to control the main steam temperature, the TG will trip on main steam temperature high. To avoid such a situation, if the main
steam temperature rises due to a rise in flue gas temperature, immediately take the attemperator control valve to manual mode
and increase attemperation. Also communicate with the kiln personnel about the sudden rise in flue gas temperature.

b.     Whether Soot Blowing is in progress?


During soot blowing, steam temperature rises because more steam is drawn for soot blowing and the heat input to the boiler has been increased by opening the ID fan damper. So main steam temperature has to be watched carefully during soot blowing. If the attemperator control valve fails to control the rise in auto mode, take it to manual mode and control the temperature there.

c.      Whether the attemperation control valve is in manual mode, or a wrong command value was entered by the operator?
This normally happens after a large fluctuation in main steam temperature: the attemperation control valve fails to hold the temperature in auto mode, so the operator takes it to manual. If he forgets to return it to auto once main steam temperature has stabilised, it stays in manual, and the next time heat input from the kiln increases, main steam temperature rises. Sometimes the operator also enters a wrong opening command for the valve from the control station in manual mode, which likewise raises main steam temperature.

d.     Whether the isolation valves before and after the attemperation control valve were left closed?
This situation arises during cold start-up of the boiler if inspection and checking were not done properly by the operating personnel. It goes unnoticed at first, but when main steam temperature rises and the attemperation control valve is opened, no water flow can be established because the isolation valves before and after it are closed. So take care to inspect and check properly before start-up.

5.     DECREASE IN MAIN STEAM TEMPERATURE


a.     Whether the inlet flue gas temperature has dropped?
If the flue gas inlet temperature drops because of a problem on the kiln side, main steam temperature decreases. So if main steam temperature is trending down, first look at the flue gas inlet temperature to the boiler.

b.     Whether the generator load set point is higher than the steam generation?
If the generator load set point is set higher than the steam generation in the boiler, main steam pressure decreases and main steam temperature decreases with it.

c.      Whether the valve seat of the attemperation control valve is eroded?

This shows up during low-load operation of the boiler. When heat input is low, steam generation and power generation reduce; at that point feed water passing through the eroded seat of the attemperation control valve lowers main steam temperature.

d.     Whether the ID damper has gone to zero due to PCC outlet temperature high?
When the Post Combustion Chamber temperature rises above 1050°C, the ID damper opening goes to zero. Heat supply from the kiln to the boiler then stops suddenly, and main steam temperature falls rapidly. If this happens, take the attemperation control valve from auto to manual mode and control the falling main steam temperature.

6.        FURNACE DRAUGHT TOWARDS POSITIVE SIDE


a.     Whether a tube failure has occurred inside the furnace?
The furnace draught is kept on the negative side so that the ID fan carries the hot flue gas, ash and other suspended particles from the kiln to the chimney. If a boiler tube fails inside the furnace, the escaping steam adds to the gas the ID fan has to move: the draught goes towards the positive side, the ID fan carries an additional load, and it draws more current.

b.  Whether draught transmitter is showing wrong value?


This can be recognised when the other draught transmitters in the flue gas path show correct values and only one shows an erratic value. Bring the problem to the notice of the shift in charge and the instrumentation personnel.

7.     LONG RETRACTABLE SOOT BLOWER IS NOT AT ITS ORIGINAL POSITION


a.     Whether the Long Retractable Soot Blower's chain broke during soot blowing?
If the chain breaks while the lance tube is at an intermediate position during soot blowing by the LRSB, the motor cannot retract it to its original (home) position. Check the position of the lance tube if the chain has broken while soot blowing is in progress. In this situation do not cut off steam flow through the lance tube: it is sitting in the high-heat convection zone, and the steam acts as a coolant, carrying away the heat added to the lance tube and protecting it from overheating and bending. The lance tube has to be drawn out manually. Only after confirming that it has reached its home position can steam through the lance tube be cut off and chain maintenance carried out.

b.     Whether home position limit switch is malfunctioning?


This may happen after soot blowing by the Long Retractable Soot Blower is complete: the limit switch at the home position may fail to give the LRSB home-position feedback. If this happens, check the position of the lance tube immediately. The home-position limit switch has to be rectified by the Instrumentation department.

8.     HAMMERING OF MAIN STEAM LINE DURING CHARGING


Main steam line hammering usually occurs when the condensate in the line has not been properly drained and the pipe line is cold. If a large amount of steam is admitted into such a line, water hammer takes place, which is very harmful to the pipe line. To avoid it, always open the drains of the pipe line and confirm that the condensate is draining properly. After the condensate has drained, warm up the pipe line with a very small quantity of steam, raising the line temperature gradually. Once the line is confirmed to be properly heated, more steam flow can be admitted.

Steam Turbine
A steam turbine is a mechanical device that extracts thermal energy from steam and converts it into mechanical work. The interior of a turbine consists of several sets of blades: some are fixed to the casing (fixed blades) and some are fixed on the rotor (moving blades).
Fixed blades convert the pressure (potential) energy of the steam into kinetic energy and direct the flow onto the moving blades. The moving blades convert this kinetic energy into a force on the rotor, caused by the pressure drop across them, which rotates the turbine shaft. Steam enters the turbine through the control valve, passes through the successive blade stages and exhausts. The exhaust steam is condensed in a condenser and the condensate is reused in the boiler.
1.     Impulse Turbine
2.    Reaction Turbine

1) IMPULSE TURBINE:
In an impulse turbine a set of nozzles is fitted in the casing instead of a set of fixed blades. The pressure drop of the steam takes place in these nozzles and the steam velocity increases. This high-velocity jet carries a significant amount of kinetic energy. It is passed through a set of moving blades, where the pressure of the steam remains constant and its velocity decreases.

2) REACTION TURBINE:
In a reaction turbine the fixed blades are attached to the casing. Their shape is such that the space between adjacent blades has the cross section of a nozzle. The moving blades are fixed to the rotor, and the fixed blades guide the steam onto them. The blade shape is designed so that the steam glides over the blades; as it glides over the moving blades it produces a reaction on the blade, and this reaction force rotates the rotor.
The main parts of a steam turbine are:
1.     Casing
2.    Rotor
3.     Moving Blade
4.     Fixed Blade
5.     Steam Sealing System
6.     Bearing
       - Journal Bearing
       - Thrust Bearing
7.     Gland
8.     Exhaust Hood
9.     Emergency Stop Valve
10.  Governing Valve And Control Valve
11.    Barring Devices.
12.    Governing Systems

CASING
The casing is the outer shell of the turbine and plays an important role in its performance. The fixed blades and nozzles are attached to it; it accommodates the moving parts and provides the passage for steam. It is normally a casting; since the operating steam temperature is high, Cr-Mo alloy steel casting is normally used. The casing joint is sealed metal to metal to ensure there is no leakage of steam.

ROTOR
The rotor is the moving part of the turbine that extracts work from the steam, and it is the heaviest part of the turbine. The whole shaft is normally forged. The rotor consists of the shaft, the moving blades and the inter-stage sealing labyrinths. A thrust collar is provided to take the axial thrust of the rotor under the various load conditions. The rotor is allowed to expand uniformly. A hot rotor should not be left standing still: under its own weight there is a chance of sagging or deformation.
MOVING BLADES
The enthalpy of the steam is converted into rotational energy as it passes through the turbine blade sets. Each stage of the turbine has a row of moving and a row of fixed blades. As the pressure of the steam decreases from stage to stage its volume increases, so the later blades have to handle a larger volume of steam. The blades have to withstand the high pressure and temperature of the steam: good tensile and fatigue strength is required, and good vibration damping, low ductility, and resistance to corrosion and erosion are essential. A blade can be divided into three portions:
1.     Tip
2.    Profile
3.     Root

FIXED BLADES
Fixed blades facilitate the expansion of the steam and guide it onto the following row of moving blades. The partitions between pressure stages in a turbine casing are called diaphragms. It holds vane shaped nozzles or fixed it

MAIN COMPONENTS OF STEAM TURBINE


1.     JOURNAL BEARING
A journal bearing is a cylinder that surrounds the shaft and is filled with a fluid lubricant. It consists of a split outer shell of hard metal with a soft metal lining on the inner cylindrical surface. The shaft (journal) rotates inside the bearing on a layer of lubricating oil; the fluid film separating shaft and bearing is maintained by hydrodynamic action. The inner surface of the bearing is lined with a soft metal called white metal or Babbitt, a tin- or lead-based alloy.

2.    THRUST BEARING


Journal bearings carry the radial load of the shaft but cannot take axial load. The shaft is permitted to float in both axial directions, but the float is restricted to a certain limit, since excessive axial shift may damage rotating and fixed parts. The thrust bearing is provided for this.

EMERGENCY STOP VALVE


This valve is normally hydraulically operated: it is opened by hydraulic pressure against a spring force. To close it, the hydraulic fluid is drained and the valve closes immediately under the spring force. It is a fully-open/fully-closed (on-off) valve.

Auxiliary System Of Steam Turbine


1.     OIL SYSTEM
       - Oil tank
       - Oil pump
       - Oil cooler
       - Oil filter
       - Oil centrifuge
       - Oil overhead tank
       - Accumulator
2.    CONDENSATE SYSTEM
3.     GLAND SEALING SYSTEM
4.     STEAM EJECTOR AND VACUUM SYSTEM
5.     CONDENSER
6.     COOLING WATER SYSTEM

Turbine Cold Startup Sequence Method


Operation of a steam turbine is a complex process. Before rolling the turbine, the auxiliary systems have to be properly put in service. The operations for a turbine start-up are normally carried out in the following sequence.

Charging of Steam Pipe Line


Steam is carried from the boiler to the turbine through the main steam pipe line. In cold condition, special care has to be taken to heat up the steam line and allow gradual thermal expansion before giving full load on the turbine.
Drain points are provided on the steam line to drain out the condensate formed by condensation of steam. These drains are opened first, before steam is charged into the line. After the condensate has drained, the bypass of the boiler main steam stop valve is opened slowly.
Some steam is allowed to flow through the pipe line; the line gains heat from the steam and the steam condenses. At the beginning, condensate along with some steam is allowed to come out through the drains. The drains are throttled slowly and closed when no more condensate, but only dry steam, comes out.
The steam traps on the pipe line are put in line once the drains are closed. Then the main steam stop valve of the boiler is opened slowly so that the line temperature rises gradually. Ensure that expansion is not restricted anywhere. Watch the temperature downstream of the bypass reach its normal level, after which the boiler stop valve can be opened fully.
To circulate cooling water in the condenser, the cooling water pumps are to be started.

Before starting the pump:

1.     Ensure the sump level of the cooling tower basin is normal (>80%).
2.     Keep the suction valve of the pump open and the discharge valve closed.
3.     Ensure the cooling water inlet and outlet valves of the condenser and the distributor valves of the cooling tower are open.
4.     Ensure the vents on the condenser water boxes are open to remove trapped air.
5.     Start the pump and open the discharge valve.
6.     Observe whether cooling water is falling on the cooling tower.
7.     Ensure the distribution of cooling water in all chambers is equal; otherwise adjust the valves on the distribution header.
8.     Observe whether all the cooling water pumps are sharing load.
9.     Once the turbine is started and loaded, the cooling tower fans can be started one by one as required.

Starting Of M.O.P ( Main Oil Pump )


1.     Before starting the M.O.P, check from the HMI that the Main Oil Tank (M.O.T) low level switch is healthy.
2.     Check the oil level in the M.O.P oil cup and in the A.O.P and E.O.P oil cups.
3.     Ensure again that the suction and discharge valves of the M.O.P, A.O.P and E.O.P are open.
4.     Start the M.O.P.
5.     Open the J.O.P suction line coming from the M.O.P and A.O.P discharge header, then open its discharge valve.
6.     Put the A.O.P, J.O.P and E.O.P in auto selection mode.

Taking Oil Cooler into Line


1.     When the M.O.P starts, oil circulates through the circuit via the oil cooler.
2.     To confirm that oil is passing through the oil cooler, open the air vent of the oil cooler and look through the sight glass.
3.     After confirming oil is flowing through the vent valve to the M.O.T, close the vent valve.
4.     Open the oil equalising line of the standby oil cooler, wait for it to fill with oil, then close the equalising valve.
5.     Maintain lube oil temperature between 42°C and 45°C by adjusting the outlet cooling water valve of the online cooler.


Checking Of Lub Oil Header Pressure and Individual Bearing Pressure


1.     Check the lube oil header pressure in the field and on the HMI. It must be more than 3 kg/cm2.
2.     Check the individual bearing oil pressures:
       i.    TG front journal bearing – 1.2 kg/cm2
       ii.   TG thrust bearing – 1.2 kg/cm2
       iii.  TG rear journal bearing – 1.2 kg/cm2
       iv.   Gear box – 2 kg/cm2
       v.    Alternator front journal bearing – 1 kg/cm2
       vi.   Alternator rear journal bearing – 1 kg/cm2
3.     Check the return oil line sight glass of each bearing to see that oil is passing through it.
4.     Check the overhead tank oil return line sight glass; once return oil flow is seen, close the quick filling valve of the overhead tank.
5.     Check the healthiness of the overhead tank oil level indicator.
Once the above systems are in service, gland steam can be charged at the glands. Care is needed when charging gland steam on a cold turbine: the gland area is at ambient temperature, and hot gland steam may give a thermal shock there. To avoid this, steam is charged slowly and the condensate produced is drained through the gland steam drain.
Gland steam charging is done in two parts: charging the auxiliary PRDS (Pressure Reducing and De-Superheating station), then charging the gland header.

Charging of Aux PRDS (Pressure Reducing and De-Superheating)
1.     Open all drain valves.
2.     Open the main manual isolation valves before and after the PCV (Pressure Control Valve).
3.     Open the PCV by 5% from the operation station.
4.     Open the PCV by 10% as soon as condensate comes out from the line.
5.     Close all drain valves.
6.     Put the PCV in auto mode with the desired pressure set point.
7.     Open the manual isolation valve of the TCV (Temperature Control Valve).
8.     Observe the temperature and then put the TCV in auto mode with the desired temperature set point.

Charging of Gland Header


1.     Open all drain valves of gland steam header
2.    Open gland steam header manual isolation valve
3.     Open gland steam header PCV by 5% for line heating.
4.     Open gland steam header PCV by 10% to increase gland steam header pressure
5.     Close all drain valve in gland steam header
6.     Put  gland steam header PCV  in auto mode with desired pressure set point.
The exhaust steam of the turbine is condensed in the condenser with the help of cooling water. The condensate is evacuated from the condenser by the Condensate Extraction Pump (CEP) and passes through the gland seal condenser and the ejector condenser, where it picks up heat from the gland steam and the ejector steam respectively; its temperature therefore rises before it is fed to the deaerator for further use in the boiler.
The condensate is heated further in the L.P. heater (if provided) using LP extraction steam from the turbine.

To put the condensate system in operation, following steps are required to be followed:
1.     Ensure the condenser hot well level is adequate; otherwise fill the hot well with make-up DM water.
2.     Open the suction and discharge valves of the pump. Ensure the differential pressure across the strainer is normal.
3.     Open the condensate inlet and outlet valves of the gland seal condenser, ejector condenser and LP heater.
4.     Put the recirculation control valve in auto mode.
5.     Open the pump gland cooling valve and start the pump.

The condensate passes through the gland seal condenser and the ejector condenser and is recirculated to the condenser through the recirculation control valve. Once steam starts entering the turbine, the discharge control valve can be put in auto mode to maintain the hot well level.
If the condensate extraction pump is to be started while there is vacuum in the condenser, the vacuum balance line valve is to be opened so that no air is trapped inside the pump.

Before main steam enters the turbine there must be vacuum in the condenser. First the starting ejector, a single-stage non-condensing type ejector, is used to evacuate air from the condenser.

Take the following steps to build up vacuum with the starting ejector:

1.     Ensure auxiliary steam is available at the desired pressure and temperature.
2.     Ensure the vacuum breaker valve of the condenser is closed.
3.     Ensure cooling water is circulating in the condenser and the turbine glands are fully charged.
4.     Open the steam valve of the starting ejector.
5.     Observe that steam is vented to atmosphere.
6.     Open the ejector air valve.
7.     Observe the vacuum in the condenser rising slowly.
8.     The main ejector is taken into line once the turbine is loaded, and the starting ejector is then stopped.

To put the main ejector into line (once the turbine is loaded; the starting ejector is stopped afterwards), follow these steps:

1.     Ensure the Condensate Extraction Pump (CEP) is running.
2.     Ensure the cooling water inlet and outlet valves of the ejector condenser are open.
3.     Vent air from the water box of the ejector condenser by opening the rotameter valve.
4.     Open the isolation valves before and after the ejector condensate trap.
5.     Fill the U-tube with water locally.
6.     Open the flash box stand pipe isolation valve.
7.     Close all drain valves of the ejector.
8.     Open the main isolation valve of the ejector steam line.
9.     Slowly open the air line valve of the ejector and observe the vacuum rising.
When the vacuum is stable, the starting ejector can be stopped slowly, closing its air valve first and then its steam valve.
Once the auxiliary systems are in operation and full vacuum is obtained in the condenser, the turbine can be started. The turbine may be started in two different conditions:
1.     Cold start-up
2.     Hot start-up
In a cold start-up the turbine is started from cold. Special care is taken to heat the casing and rotor properly so that they expand properly; as both are cold, they need time to heat up. In a hot start-up both casing and rotor are already hot, so the turbine can be started within a short period.

Startup Curve
To allow proper thermal expansion of casing and rotor, the turbine manufacturer's advice on the start-up procedure is to be followed.
- Steam should not be admitted to the turbine all at once, as uneven expansion may damage it.
- Manufacturers specify soaking times at low idle speed and high idle speed for proper thermal expansion of rotor and casing: the turbine is held at the particular speed for a particular time before it is allowed to go to the next higher speed.
Soaking times differ for cold start-up and hot start-up. The manufacturer's advice on soaking and on the start-up curve should always be strictly followed in both conditions.

Turbine Rolling Preparation (contd.)


To roll the turbine, the steps followed depend on the mode of starting (auto or manual) and the type of governing system (hydraulic or electro-hydraulic).

Before rolling the turbine, check and ensure the following:

1.     Lube oil level and control oil pressure are normal.
2.     Lube oil temperature is between 42 and 45°C.
3.     The gland sealing system is in operation and gland sealing pressure is normal.
4.     The starting ejector is in line and condenser pressure is -0.9 kg/cm2.
5.     Cooling water is circulating in the condenser and auxiliary cooling water in the lube oil cooler.
6.     The casing drain, TG inlet steam line drain, TG warm-up vent and warm-up drain are open.
7.     The accumulator is in line.
8.     The overhead oil tank is full and return oil flow is visible in the sight glass.
9.     The Condensate Extraction Pump (CEP) is in operation.
10.    The exhaust hood spray solenoid valve is in operating condition.
11.    Open the bypass of the Turbine Steam Stop Valve (TSSV).
12.    Ensure complete removal of condensate from the TG inlet line and that the TG inlet steam temperature is rising after throttling the drain valves. Open the Turbine Steam Stop Valve (TSSV).
13.    Throttle the warm-up vent as required and observe the steam temperature rising. Once the steam reaches the desired temperature, prepare for TG rolling.

TG Rolling
1.     Reset the governor from the Woodward SOS.
2.     Reset from the HMI.
3.     Engage the trip lever and ensure build-up of trip oil pressure at the governing console.
4.     Open the E.S.V. (Emergency Stop Valve) from the HMI.
5.     Physically check that the ESV has opened.
6.     Give the run command from the HMI.
7.     Observe the rpm rising gradually. On reaching 1000 rpm (low idle speed) it holds automatically for 15 minutes in a hot start-up and 30 minutes in a cold start-up (in auto rolling); otherwise hold the speed as advised by the manufacturer.
8.     Ensure oil pressure is normal. Check vibration and listen for any abnormal sound.
9.     First stop the barring gear, then stop the jacking oil pump (J.O.P).
10.    Get the relay reset before 2000 rpm.
11.    After the hold time at 1000 rpm, the rpm goes from low idle to high idle speed, 2500 rpm, in auto mode; otherwise increase the speed manually.
12.    On reaching 2500 rpm it holds automatically for 15 minutes in a hot start-up and 30 minutes in a cold start-up. If not auto rolling, hold the speed as advised by the manufacturer.
13.    Close the TG casing drain, inlet steam line drain, warm-up vent and warm-up drain.
14.    Check the lube oil pressure at the different bearings, check bearing temperatures and vibration, and record them.
15.    After the high idle (2500 rpm) soaking time, the rpm rises to the rated speed of 7500 rpm.
16.    Maintain lube oil pressure and temperature at the bearings as per the manufacturer's advice.
17.    Maintain TG inlet pressure and temperature as per design.
18.    Give clearance to synchronise and generate power.
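The pre-rolling checks and the hold pattern of the rolling sequence above are a permissive list and a start-up curve, and both are worth encoding so that the ESV cannot be opened while a check is failing. The following is an added example, not code from the original page or from any turbine manufacturer: it takes the limits the text states (lube oil 42 to 45°C, header above 3 kg/cm2, condenser at -0.9 kg/cm2, the bearing oil pressures listed earlier, 1000/2500/7500 rpm with 15 min hot and 30 min cold holds) and generates the step list only when every permissive holds. The PlantState fields, the sample values and the step wording are assumptions for illustration; a real sequencer must use the manufacturer's own curve.

```python
"""Pre-rolling permissives and soak schedule for the TG rolling sequence (added example).

Limits are the ones the text states; PlantState fields, sample values and the
step wording are assumptions, not any manufacturer's sequence.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

LUBE_OIL_TEMP_C = (42.0, 45.0)
LUBE_HEADER_MIN_KG_CM2 = 3.0
CONDENSER_PRESSURE_MAX_KG_CM2 = -0.9  # gauge: the vacuum must be at or below this
MIN_BEARING_OIL_KG_CM2: Dict[str, float] = {  # bearing pressure list from the text
    "tg_front_journal": 1.2, "tg_thrust": 1.2, "tg_rear_journal": 1.2,
    "gear_box": 2.0, "alt_front_journal": 1.0, "alt_rear_journal": 1.0,
}
LOW_IDLE_RPM, HIGH_IDLE_RPM, RATED_RPM = 1000, 2500, 7500
HOLD_MINUTES = {"hot": 15, "cold": 30}


@dataclass
class PlantState:
    """Assumed indications available to the sequencer (field names are illustrative)."""
    lube_oil_temp_c: float
    lube_header_kg_cm2: float
    bearing_oil_kg_cm2: Dict[str, float]
    condenser_pressure_kg_cm2: float
    gland_sealing_ok: bool = True
    cooling_water_ok: bool = True
    drains_and_warmup_vent_open: bool = True
    accumulator_in_line: bool = True
    overhead_tank_full: bool = True
    cep_running: bool = True
    exhaust_spray_solenoid_ok: bool = True


def sample_ready_state() -> PlantState:
    """Constructed readings that satisfy every permissive (assumed values)."""
    return PlantState(lube_oil_temp_c=43.0, lube_header_kg_cm2=3.4,
                      bearing_oil_kg_cm2={"tg_front_journal": 1.3, "tg_thrust": 1.3,
                                          "tg_rear_journal": 1.3, "gear_box": 2.2,
                                          "alt_front_journal": 1.1, "alt_rear_journal": 1.1},
                      condenser_pressure_kg_cm2=-0.92)


def failed_permissives(s: PlantState) -> List[str]:
    """Return every pre-rolling check that is NOT satisfied; an empty list means ready."""
    fails: List[str] = []
    lo, hi = LUBE_OIL_TEMP_C
    if not lo <= s.lube_oil_temp_c <= hi:
        fails.append(f"lube oil temperature {s.lube_oil_temp_c} C outside {lo}-{hi} C")
    if s.lube_header_kg_cm2 <= LUBE_HEADER_MIN_KG_CM2:
        fails.append(f"lube oil header pressure not above {LUBE_HEADER_MIN_KG_CM2} kg/cm2")
    for bearing, minimum in MIN_BEARING_OIL_KG_CM2.items():
        if s.bearing_oil_kg_cm2.get(bearing, 0.0) < minimum:  # missing reading counts as failed
            fails.append(f"{bearing} oil pressure below {minimum} kg/cm2")
    if s.condenser_pressure_kg_cm2 > CONDENSER_PRESSURE_MAX_KG_CM2:
        fails.append(f"condenser vacuum not at {CONDENSER_PRESSURE_MAX_KG_CM2} kg/cm2")
    flags = [(s.gland_sealing_ok, "gland sealing system"), (s.cooling_water_ok, "cooling water"),
             (s.drains_and_warmup_vent_open, "casing/inlet drains and warm-up vent"),
             (s.accumulator_in_line, "accumulator"), (s.overhead_tank_full, "overhead oil tank"),
             (s.cep_running, "condensate extraction pump"),
             (s.exhaust_spray_solenoid_ok, "exhaust hood spray solenoid")]
    fails.extend(f"{name} not ready" for ok, name in flags if not ok)
    return fails


def soak_schedule(mode: str) -> List[Tuple[int, int]]:
    """(rpm, hold minutes) steps of the start-up curve; 0 hold at rated speed."""
    hold = HOLD_MINUTES[mode]
    return [(LOW_IDLE_RPM, hold), (HIGH_IDLE_RPM, hold), (RATED_RPM, 0)]


def rolling_plan(s: PlantState, mode: str) -> List[str]:
    """Refuse to open the ESV while any permissive fails; otherwise list the ordered steps."""
    fails = failed_permissives(s)
    if fails:
        raise RuntimeError("rolling blocked: " + "; ".join(fails))
    plan = ["reset governor and HMI", "engage trip lever, confirm trip oil pressure",
            "open ESV from HMI and verify locally", "run command from HMI"]
    for rpm, hold in soak_schedule(mode):
        if rpm == RATED_RPM:
            plan.append(f"raise to rated {rpm} rpm, hold TG inlet conditions, clear to synchronise")
            break
        plan.append(f"hold {rpm} rpm for {hold} min ({mode}); check oil pressure, vibration, noise")
        if rpm == LOW_IDLE_RPM:
            plan.append("stop barring gear, then stop JOP; reset relay before 2000 rpm")
        else:
            plan.append("close casing drain, inlet line drain, warm-up vent and drain; record bearings")
    return plan


if __name__ == "__main__":
    for step in rolling_plan(sample_ready_state(), "cold"):
        print("-", step)
```

The point of raising rather than returning a partial plan is that a permissive is a precondition for starting, not something the sequence is allowed to step around: the operator sees the whole list of failing checks at once and the ESV step is never reached.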
Turbine Auxiliary System
In a power plant there are other systems associated with the turbine that are required to run it. The most important auxiliary systems and components are:
1.     Oil System
2.    Condensate System
3.     Gland sealing System
4.     Ejector and Vacuum System
5.     Cooling water System
6.     Condenser

Oil  System
Lubricating oil is supplied to the bearings and is also used for governing the turbine. The main functions of the lubricating oil are to:
1.     Lubricate the bearings.
2.     Cool the bearings.
3.     Flush out metallic debris.
4.     Control the speed of the turbine.

Principles of Lubrication
To maintain a film of lubricant between the surfaces in running condition, one of the following principles of lubrication prevails:
1.     Hydro dynamic lubrication
2.    Hydrostatic lubrication
3.     Elasto-hydrodynamic lubrication

If none of the above conditions exists, the regime is boundary lubrication.

Hydrodynamic Lubrication
Also called full-film or wedge-film lubrication: the wedge film forms because of the bearing geometry and the speed.
a.     At rest or at low speed the fluid viscosity alone is not sufficient to keep a film between the moving surfaces, and a higher pressure is needed to support the load until the film is established; in the hydrodynamic regime that pressure is generated internally by the dynamic action of the rotating journal.
b.     The wedge film lifts the journal and allows complete separation.
c.     A thick fluid film forms that separates the two surfaces and supports the load as they move with respect to each other.

By feeding oil from an external source under high pressure into a pocket machined into the bottom of the bearing, the journal can be lifted and floated on a fluid film even at standstill; this is the role of the jacking oil pump (J.O.P) during rolling. When the journal reaches a speed sufficient to create the hydrodynamic film, the external pressure can be turned off and the bearing continues to operate hydrodynamically.

Components of Lubricating Oil System


Main components of lubricating oil system are :
1.      Oil tank
2.      Oil pumps
3.      Oil filter
4.      Oil centrifuge
5.      Oil overhead tank
6.      Accumulators

Oil tank
All the oil for the system is stored in this tank, which has adequate capacity to hold the oil in both running and stopped condition. The tank base slopes to one side so that sediment in the oil collects in the lower area and can be drained by opening the drain valve. The tank has level measurement to give a low oil level alarm, and a level glass to read the tank level at any instant. Suitable tappings are provided for oil pump suction, return oil from the bearings and governing system, the oil centrifuge connection, fresh oil fill-up, etc.
An oil mist fan on the tank vents any oil vapour and keeps the tank slightly below atmospheric pressure.

Oil Pump
Oil pumps are provided to pump oil from the oil tank to the various lubrication points and for control purposes. Normally three pumps are provided:
1.      Main oil pump (M.O.P)
2.      Auxiliary oil pump (A.O.P)
3.      Emergency oil pump (E.O.P)

Oil Coolers
Normally two oil coolers of 100% capacity each are provided to cool the entire oil supplied for lubrication of the turbine bearings, gearbox and generator bearings. Governing oil is not cooled in the oil cooler; it is taken off upstream of the cooler. One cooler is in line and the other is kept as standby, with an online changeover facility so that the standby cooler can be taken into service without interrupting the oil supply while the turbine is running.
Before changeover, ensure the standby cooler is filled with oil and properly vented; otherwise an air lock may interrupt the oil supply to the bearings.
The oil cooler is a shell-and-tube heat exchanger: cooling water flows inside the tube bundle and oil on the shell side. Cooling water comes from the main cooling water system of the power plant, with regulating valves at the inlet and outlet of the cooling water supply line.
To raise or lower the oil temperature, the cooling water flow is decreased or increased through these regulating valves. It is always the cooling water outlet valve that is regulated; the inlet valve is never throttled, because the tubes would then not be kept full of cooling water and could be damaged.
A drain point is provided at the cooler to drain out sediment settled at the bottom.

Oil Filters
Oil from the cooler passes through an oil filter to remove contaminant particles and debris. The filter is normally of basket type with a removable cartridge. As with the coolers, there are two filters of 100% capacity each with an online changeover arrangement. The oil is filtered to 20-25 micron before it circulates to the bearings.
The differential pressure across the filter is measured and indicates the choking of the filter cartridge: high differential pressure means the filter is choked and needs cleaning.
Before changing over the filter with the turbine in operation, ensure the standby filter is completely filled and no air is trapped inside. The cartridge of the standby filter is always kept clean so that it can be taken into line at any moment if required.

Oil Centrifuge
The centrifuge separates water and solid particles from the oil by the centrifugal force of a high-speed rotating bowl inside the separator. The heavier particles and water are displaced towards the outer periphery of the bowl, and the lighter oil towards the centre, where it is collected and returned to the main oil tank.

Steam Ejector And Vacuum System
Vacuum is maintained by continuously evacuating non-condensing gases from the condenser with the help of a steam ejector. The presence of non-condensing gases decreases condenser efficiency. A steam ejector is normally used to remove the non-condensing gases and create vacuum in the condenser. It works like a pump in which the venturi effect of a converging-diverging nozzle is used to convert the pressure energy of the steam into velocity, creating a suction effect.

WORKING PRINCIPLE OF EJECTOR
High pressure motive steam enters the ejector chest through a nozzle and is expanded there. The pressure energy of the steam is converted into velocity. The increased velocity causes reduced pressure, which sucks in the vapour. The diffuser section then compresses the steam-vapour mixture, which is exhausted to the condenser.

Operating Procedure Of Ejector System
1. Circulate condensate through the ejector condenser.
2. Open steam to the ejector. This will create vacuum in the inter-ejector condenser.
3. Open steam to the ejector.
4. Open the air valve of the condenser.

Condenser
The condenser is an important auxiliary of any steam turbine. Exhaust steam from the turbine is discharged into the condenser, where it is condensed under vacuum. By maintaining vacuum in the condenser, the maximum energy can be extracted from the steam and turbine efficiency increases. The condensate obtained is used again in the boiler for steam generation.

There are different types of condenser. Some of the important types are listed below.
1. Jet type condenser
2. Air condenser
3. Surface condenser
Surface Condenser
This type of condenser is widely used in power plants. Cooling water is not mixed with the condensate, so the condensate obtained is pure and can be used in the boiler. It is a shell and tube type heat exchanger. The shell of the condenser is closed, and the tubes in which cooling water flows are arranged inside the shell. The condenser neck is connected to the exhaust hood of the turbine, with an expansion joint provided in between to accommodate thermal expansion.
Steam from the turbine flows on the shell side of the condenser and cooling water flows inside the tubes. The main components of a surface condenser are:
- Shell
- Hot well
- Air outlet
- Tubes
- Rupture disc
- Water box

Overhead Tank
Oil Accumulator
An oil accumulator is provided on the governing (control) oil line of the turbine. The accumulator maintains the oil pressure in the line during momentary fluctuations of oil pressure, such as during oil pump changeover or sudden operation of the servomotor of a governing valve.
The accumulator contains a bladder filled with inert gas. The gas pressure inside the bladder is maintained slightly below the normal oil pressure.
During normal operation the oil pressure in the line compresses the bladder and oil occupies the oil space of the accumulator. When the pressure in the line drops, the bladder expands due to the gas pressure inside it, pushing the oil out of the oil space into the line and so covering the momentary oil pressure fluctuation.
Emergency Situations In Steam Turbine
The steam turbine is a critical rotating equipment. High temperature and high pressure steam is used to rotate the turbine at high speed, and the mass of the rotating parts is large. There is always a chance of a severe mishap leading to a fatal accident and damage to high-cost equipment. If any system goes wrong, power generation may be interrupted for a long period, leading to heavy loss to the plant. So the power plant engineer must be trained well enough to face any emergency situation at any time and to handle it properly.
1) Overspeed
Due to failure of the governing system the turbine speed may become dangerously high. The rotor can rotate momentarily without damage up to 110% of rated speed. At higher speed the rotor stress increases, and due to the high centrifugal force the blades fixed to the rotor may come out. Failure of a blade root can cause a severe accident and damage to the turbine. To avoid dangerous overspeed, the turbine is provided with mechanical and electrical overspeed trip arrangements. The tripping limits are set so that the turbine speed does not exceed 110% of rated speed. These overspeed tripping limits are to be checked regularly. The mechanical overspeed device is to be set within its limit and checked at suitable intervals. Under no circumstances is the overspeed tripping limit to be bypassed. If the overspeed trip does not work, stop the turbine immediately with the emergency trip push button. For the 18.5 MW turbine at Tata Sponge, the overspeed tripping limit is 7865 rpm.
2) Failure Of Lubrication Oil System
Lubrication oil is used to lubricate and cool the bearing metal. Sometimes the lubrication oil supply may be interrupted due to failure of the pumps, leakage in the oil line or choking of the oil filter. This condition may damage the bearings and the gearbox. If such an incident happens for any reason, the turbine is to be stopped as soon as possible. A low lube oil header pressure trip is incorporated with the turbine to trip it immediately. If the lube oil header pressure falls to 1 kg/cm2, the oil supply is to be restored as early as possible. After resuming the oil supply, if possible, the turbine is to be rotated manually and the bearings inspected to find out any damage.
3) High Vibration
The rotor of the turbine rotates at high speed. Any deformation or unbalance of the rotor produces high vibration. Deposits on the blades or damage to any rotating part may also create heavy vibration, as may damage to a journal bearing. The moving and rotating parts of the turbine are closely spaced, so a disturbance of the rotor shaft or differential expansion can cause rubbing. Rubbing creates high vibration and abnormal sound, so high vibration of the turbine is never to be overlooked. In case of high vibration the turbine should be stopped immediately and the turbine internals inspected to avoid further damage. High vibration protection logic is incorporated with the turbine to trip it when the turbine front and rear journal bearing vibration reaches 156 micron, or the gearbox front and rear journal bearing vibration reaches 340 micron.
4) High Bearing Temperature
High bearing temperature occurs due to inadequate oil flow in the bearing or metal-to-metal contact between the bearing and the rotor. High temperature damages the Babbitt material of the bearing. In case of high bearing temperature the turbine is to be stopped, the oil supply to the bearing checked and, if required, the bearing opened for inspection. High bearing temperature protection logic is provided for the turbine; for the different bearings, 115°C is the tripping limit.
5) Failure Of Barring Device
When the turbine is stopped in hot condition, it is to be put on barring. In some situations, just after stopping the turbine, the barring gear may be found not working. It is not recommended to leave the rotor standing still. The rotor is to be rotated by any means, normally with the hand barring arrangement provided, turning it through 180° repeatedly.
6) High Condenser Hot Well Level
Due to a problem with the condensate extraction pumps, the condensate sometimes cannot be evacuated from the hot well, and the hot well level becomes high. In this situation there is a possibility that the water level in the condenser rises and water enters the turbine through the exhaust hood. Condenser vacuum reduces drastically in this condition. If water enters a running turbine it creates a serious situation and damages the turbine. The load on the turbine is to be reduced in this situation; if the situation cannot be controlled, the turbine is to be stopped.
9) High Steam Parameters
Like low steam temperature and pressure, high steam temperature and pressure are not desirable for turbine operation. High steam temperature may damage the turbine, as the metallurgy of the turbine is designed for a particular temperature.
10) Low Condenser Vacuum
Due to the vacuum in the condenser, steam from the turbine is easily exhausted into the condenser. If the vacuum inside the condenser drops, it restricts the exhaust of steam from the turbine and creates back pressure inside the turbine. Vacuum may drop due to failure of the cooling water system, failure of the ejectors, or a leaking condenser air line. The standby ejector or starting ejector is to be taken into line immediately. A leaking air line is to be arrested promptly, or the cooling water supply increased. If the vacuum does not improve, the turbine is to be stopped immediately. Low vacuum protection logic is provided to trip the turbine when the condenser vacuum drops to -0.4 kg/cm2.
11) Failure Of Cooling Water Systems
Due to failure of the cooling water pumps or choking in the cooling water circuit, the cooling water supply may be reduced or interrupted. In this case the turbine exhaust steam cannot be condensed. This increases the pressure in the condenser and drops the vacuum. The rupture discs of the condenser may rupture, and heavy back pressure will be created in the turbine. In this case the load is to be reduced first, and care taken to normalize the cooling water supply. If the situation does not improve, the turbine is to be stopped.
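The trip conditions listed in items 1 to 11 are what a turbine protection logic evaluates on every scan. The following Python model is an added example written for this page, not code from the plant or from any turbine vendor. The overspeed percentage, the vibration, bearing temperature and condenser vacuum setpoints are the ones quoted above; the rated speed (7000 rpm), the lube oil low-pressure trip value (1 kg/cm2, taken from the figure at which the text says supply must be restored) and the sample readings are assumptions. The vacuum gauge is assumed to read negative, so vacuum is "lost" as the reading rises towards zero. The protection latches: once tripped it stays tripped, and a reset is refused while any trip condition is still present, so a momentary recovery of one reading cannot un-trip the machine.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TripSetpoints:
    """Trip limits. Rated speed and the lube oil value are assumptions for this example;
    the other figures are those quoted in the emergency-situation notes."""
    rated_speed_rpm: float
    overspeed_pct: float = 110.0            # trip at 110 % of rated speed
    lube_oil_low_kg_cm2: float = 1.0        # assumed low-header-pressure trip
    turbine_brg_vib_micron: float = 156.0   # turbine front/rear journal bearings
    gearbox_brg_vib_micron: float = 340.0   # gearbox front/rear journal bearings
    bearing_temp_c: float = 115.0           # bearing metal temperature
    condenser_vacuum_kg_cm2: float = -0.4   # gauge reading; vacuum is lost as it rises toward 0


@dataclass(frozen=True)
class Readings:
    speed_rpm: float
    lube_oil_header_kg_cm2: float
    turbine_brg_vib_micron: tuple   # (front, rear)
    gearbox_brg_vib_micron: tuple   # (front, rear)
    bearing_temps_c: tuple          # one value per bearing
    condenser_vacuum_kg_cm2: float


def evaluate_trips(r: Readings, sp: TripSetpoints) -> list:
    """Return the trip conditions present in this scan (empty list = healthy)."""
    reasons = []
    if r.speed_rpm >= sp.rated_speed_rpm * sp.overspeed_pct / 100.0:
        reasons.append("overspeed")
    if r.lube_oil_header_kg_cm2 <= sp.lube_oil_low_kg_cm2:
        reasons.append("low lube oil header pressure")
    if max(r.turbine_brg_vib_micron) >= sp.turbine_brg_vib_micron:
        reasons.append("high turbine bearing vibration")
    if max(r.gearbox_brg_vib_micron) >= sp.gearbox_brg_vib_micron:
        reasons.append("high gearbox bearing vibration")
    if max(r.bearing_temps_c) >= sp.bearing_temp_c:
        reasons.append("high bearing temperature")
    if r.condenser_vacuum_kg_cm2 >= sp.condenser_vacuum_kg_cm2:
        reasons.append("low condenser vacuum")
    return reasons


class TurbineProtection:
    """Latching trip logic: the first scan that sees a trip condition trips the turbine,
    and the trip stays in until an explicit reset with every condition clear."""

    def __init__(self, sp: TripSetpoints):
        self.sp = sp
        self.tripped = False
        self.trip_reasons = []

    def scan(self, r: Readings) -> bool:
        """Evaluate one scan of readings; returns the (latched) trip state."""
        reasons = evaluate_trips(r, self.sp)
        if reasons and not self.tripped:
            self.tripped = True
            self.trip_reasons = list(reasons)   # record the first cause for the post-trip review
        return self.tripped

    def reset(self, r: Readings) -> bool:
        """Operator reset; refused while any trip condition is still present."""
        if evaluate_trips(r, self.sp):
            return False
        self.tripped = False
        self.trip_reasons = []
        return True


if __name__ == "__main__":
    sp = TripSetpoints(rated_speed_rpm=7000.0)   # assumed rated speed
    prot = TurbineProtection(sp)
    # Constructed readings: a healthy scan, then an overspeed excursion.
    normal = Readings(7000.0, 2.5, (40.0, 45.0), (80.0, 90.0), (70.0, 75.0, 72.0), -0.9)
    over = Readings(7800.0, 2.5, (40.0, 45.0), (80.0, 90.0), (70.0, 75.0, 72.0), -0.9)
    print(prot.scan(normal), prot.trip_reasons)
    print(prot.scan(over), prot.trip_reasons)
    print(prot.scan(normal), "still tripped until reset")
    print(prot.reset(normal), prot.tripped)
```

Each threshold is a separate comparison so the cause is recorded; the reset path re-evaluates every condition rather than trusting the operator, which is the same principle the text applies when it forbids bypassing the overspeed trip.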

Black Out Manoeuvre Method for WHRB Power Plant

Both TGs fail and grid not available (BLACK OUT CONDITION):
1. In the above case (total blackout condition), ensure availability of DG emergency power to all the emergency drives of both CPPs within 10 seconds (i.e. boiler main steam stop valve, auxiliary oil pump, barring gear, emergency oil pump, boiler feed pump discharge valve, CPP area lighting, jack oil pump and TG steam stop valve).
2. Ensure from the field pressure gauge that lubrication continues in both TGs by the gravity method (oil flows from the overhead tank to all the TG bearings and returns to the main oil tank by the drain header).
3. Ensure from the HMI and the field that the emergency oil pump is running on DC power and that oil supply continues to all the bearings.
4. Start the jack oil pump of the TG.
5. If emergency power is not available within 10 seconds, immediately inform the Electrical Shift In Charge and try to resume emergency power as quickly as possible, with the help of the Shift In Charge CPP and the Shift In Charge Electrical.
6. After resumption of emergency power, close the main steam stop valves of all three boilers and maintain the drum pressure through the start-up vent.
7. In blackout condition, ensure that the kiln stack cap remains 100% open until the boiler feed pump is available. If the stack cap is closed or partially closed, contact the kiln control rooms through the Shift In Charge CPP to open it.
8. In blackout condition, all the boilers will be in hot box-up condition.
9. Ensure the emergency stop valve of the TG is in the closed condition.
10. Close the TG inlet motorised valve.
11. Close all the boiler feed pump discharge motorised valves.
12. After resumption of emergency power, the auxiliary oil pump will start in auto mode. Confirm this from the field and the HMI, then stop the emergency oil pump from the panel and put it in auto mode.
13. After resumption of the 1000 kVA DG power, start one feed pump of CPP-1, supply water to all three boilers and maintain the drum level up to 40%.

Difference between BPCS and SIS

It is important to realize and understand the fundamental difference between process control and safety control. Process control systems are active, or dynamic. They have analog inputs and analog outputs, perform math and number crunching, and have feedback loops. Process controls act positively to maintain or change process conditions. They are there to help obtain the best performance from the process and are often used to push performance to the limits that can safely be achieved. Hence most failures in these systems are inherently self-revealing. A PCS must be flexible enough to allow frequent changes: process parameters (set points, PID settings, MAN/AUTO, etc.) require changing, portions of the system may be placed in bypass, and the process may be controlled manually. They are not built with safety in mind and are not dedicated to that task. Because they are operating at all times, they are not expected to have diagnostic routines searching for faults.
Safety systems, however, are just the opposite of process control systems. They are dormant, or passive. They sit there doing nothing and hopefully will never be called into action. An example would be a pressure relief valve. Normally the valve is closed; it only opens when the pressure reaches the set value. If the pressure never exceeds that value, the valve never operates. Many failures in these systems are therefore not self-revealing. If the relief valve is plugged, there is no immediate indication. A PLC could be hung up in an endless loop; without a watchdog timer, the system would not be able to recognize the problem. There is a need for extensive diagnostics in dormant, passive safety-related systems. Safety systems should be incorruptible: they need to be kept to a fixed set of rules, with access for changes carefully restricted. And they must be highly reliable and able to respond instantly when a hazardous situation develops.
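The watchdog point above, as an added example that is not part of the original text: a deterministic Python simulation in which a toy logic solver hangs in an endless loop and therefore stops kicking an independent watchdog timer. The pressure trace, the trip setpoint, the scan time and the watchdog timeout are constructed values. The same run, with the watchdog switched off, shows the dangerous undetected failure the text describes: the output stays energised straight through a real demand.

```python
class FakeClock:
    """Deterministic millisecond clock so the hang scenario is reproducible offline."""

    def __init__(self):
        self.ms = 0

    def now(self):
        return self.ms

    def advance(self, ms):
        self.ms += ms


class Watchdog:
    """Independent timer that the logic solver must kick every scan.
    If the solver stops kicking it, the watchdog expires and stays expired:
    a task that later resumes must not silently clear the fault."""

    def __init__(self, timeout_ms, now):
        self.timeout_ms = timeout_ms
        self._now = now
        self.last_kick = now()
        self.expired = False

    def kick(self):
        if not self.expired:
            self.last_kick = self._now()

    def healthy(self):
        if self._now() - self.last_kick > self.timeout_ms:
            self.expired = True
        return not self.expired


class LogicSolver:
    """Toy SIS logic: de-energises its output (trips) when pressure exceeds the setpoint.
    hang_at simulates the solver getting stuck in an endless loop after that many scans."""

    def __init__(self, setpoint, hang_at=None):
        self.setpoint = setpoint
        self.hang_at = hang_at
        self.scans = 0
        self.output_energised = True   # de-energise-to-trip: energised means "run"

    def scan(self, pressure, wd):
        if self.hang_at is not None and self.scans >= self.hang_at:
            return                     # stuck: no output update and no watchdog kick
        self.scans += 1
        if pressure > self.setpoint:
            self.output_energised = False
        wd.kick()


def run(pressures, setpoint, hang_at=None, use_watchdog=True, scan_ms=100, timeout_ms=350):
    """Scan the solver over a pressure trace.
    Returns (output_energised, tripped_by_watchdog, scan_index_at_exit)."""
    clock = FakeClock()
    wd = Watchdog(timeout_ms, clock.now)
    solver = LogicSolver(setpoint, hang_at)
    for i, p in enumerate(pressures):
        solver.scan(p, wd)
        clock.advance(scan_ms)
        if use_watchdog and not wd.healthy():
            solver.output_energised = False   # the watchdog itself forces the safe state
            return False, True, i
        if not solver.output_energised:
            return False, False, i
    return solver.output_energised, False, len(pressures)


# Constructed trace: normal pressure for five scans, then a real demand.
TRACE = [5.0, 5.0, 5.0, 5.0, 5.0, 12.0, 12.0, 12.0]

if __name__ == "__main__":
    print("healthy solver       :", run(TRACE, 10.0))
    print("hung, with watchdog  :", run(TRACE, 10.0, hang_at=2))
    print("hung, no watchdog    :", run(TRACE, 10.0, hang_at=2, use_watchdog=False))
```

Two design choices matter here: the watchdog is driven by its own clock and forces the output itself, so it does not depend on the code it supervises, and an expired watchdog stays expired until someone looks at it, so the diagnostic is not lost if the solver happens to recover.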

How to Reduce Common SIF/SIS Mistakes


Don Rozette
Monday, January 14, 2013 - 8:00am

A recently published study by Great Britain’s HSE broke the safety lifecycle into three major areas:
Hazards Assessment/SIF Specification
SIF Design and Verification
Operation and Maintenance

Not surprisingly, the study concluded that 44% of all SIS/SIF related errors occurred during the hazards assessment/specification phase of the lifecycle. The study goes further to state that many of these errors occurred because the SIF/SIS designer incorrectly considered the interactions of one SIF with the rest of the process: in essence, the activation of one SIF, whether on demand or spurious, then caused unforeseen demands and hazards in other areas of the process.

During a recent panel discussion, one of the panelists challenged the audience with the question "Why are they called shutdown systems, shouldn't we really call them keep-running systems?" His premise was that the engineering discipline as a whole had become enamored with, or "sold on", the "fail-safe" design. Not only is this not required by the standard, but as mentioned above, spurious activation of a SIF can in fact cause hazards elsewhere that may not have been considered during the hazards assessment/SIF specification phase of the lifecycle.
If the user has a comparative process indication that is independent of the initiating event, it is possible to design the SIF to be "fault tolerant" without increasing hardware count or cost. In the example below, SIF-003 is a 2oo2 voted sensor arrangement, which based strictly on voting architecture is an extremely reliable design. Note also that there is an independent high pressure sensor and associated high pressure alarm. In this case the SIF designer could have used a 1oo1 voting architecture for SIF-003. By using the comparative process indication, the engineer could have implemented a deviation alarm based on any difference between the SIF sensor indication and the comparative BPCS sensor indication. Not only would that arrangement be significantly safer, it would be almost as reliable, with one third less cost to install and maintain.
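The 2oo2 versus 1oo1-with-deviation-alarm comparison above, as an added example that is not part of the original article: Python functions for MooN voting and for a deviation alarm against the independent BPCS sensor. The setpoint, tolerance and sensor readings are constructed, and the channel that fails "stuck low" is a made-up failure chosen to show what each arrangement does with it: 2oo2 stays silent through a real demand, while 1oo1 trips and the deviation alarm had already flagged the dead channel before the demand arrived.

```python
def channel_votes(readings, setpoint):
    """One vote per SIF sensor channel: True when the channel reads at or above the trip setpoint."""
    return [r >= setpoint for r in readings]


def moon_trip(votes, m):
    """MooN voting: the SIF trips when at least m of the N channel votes are True.
    1oo1: m=1, N=1.  1oo2: m=1, N=2.  2oo2: m=2, N=2.  2oo3: m=2, N=3."""
    return sum(1 for v in votes if v) >= m


def deviation_alarm(sif_reading, bpcs_reading, tolerance):
    """Compare one SIF sensor against the independent BPCS indication of the same variable."""
    return abs(sif_reading - bpcs_reading) > tolerance


def evaluate_sif(sif_readings, bpcs_reading, setpoint, m, tolerance):
    """Trip decision for an MooN SIF plus whether any of its channels disagrees with the BPCS sensor."""
    votes = channel_votes(sif_readings, setpoint)
    return {
        "trip": moon_trip(votes, m),
        "deviation": any(deviation_alarm(r, bpcs_reading, tolerance) for r in sif_readings),
    }


def compare_architectures(sif_readings, bpcs_reading, setpoint, tolerance):
    """Side by side: the 2oo2 arrangement from the text, and 1oo1 on channel A alone
    backed by the deviation alarm against the BPCS sensor."""
    return {
        "2oo2": evaluate_sif(sif_readings, bpcs_reading, setpoint, 2, tolerance),
        "1oo1+deviation": evaluate_sif(sif_readings[:1], bpcs_reading, setpoint, 1, tolerance),
    }


if __name__ == "__main__":
    SETPOINT, TOL = 10.0, 0.5   # assumed high-pressure trip setpoint (barg) and agreement tolerance
    # Constructed scenarios; in the last two, SIF channel B has failed stuck-low at 0.0.
    for label, sif, bpcs in [
        ("normal", (6.0, 6.1), 6.05),
        ("B stuck low, no demand", (6.0, 0.0), 6.05),
        ("B stuck low, real demand", (11.0, 0.0), 11.1),
        ("A failed high, no demand", (11.0, 6.0), 6.0),
    ]:
        print(label, compare_architectures(sif, bpcs, SETPOINT, TOL))
```

The last scenario is the other side of the trade: a channel failing high makes 1oo1 trip spuriously where 2oo2 would not, but the deviation alarm fires for that failure too, which is exactly the kind of cross-SIF interaction the article wants surfaced during specification rather than discovered in operation.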

Below is a list of common initiating events that should be considered during the hazards assessment/SIF specification phase of
the lifecycle.  How well we manage or reduce the probabilities associated with initiating events such as these, means taking a
pro-active view of risk.  (e.g. plan for the best, but prepare for the worst).
Type of initiating event and examples:
External Events
- High wind
- Seismic event
- Flooding
- Lightning
- Vehicle impact
- Fire or explosion in an adjacent area
Equipment Failures
- BPCS (basic process control system) component failure
- Utility failure
- Vessel/piping failure due to wear, fatigue, or corrosion
- Vessel/piping failure caused by a specification, design, or manufacturing defect
- Vessel/piping failure caused by over- or under-pressurization
- Vibration-induced failure (e.g. rotating equipment)
- Failures caused by inadequate maintenance/repair
- Failures caused by temperature extremes
- Failures resulting from flow surge or hydraulic hammer
Human Failures
- Failure to properly execute a task, by omitting steps or improperly sequencing the steps of a task
- Failure to observe or respond appropriately to conditions or prompts by the system or process
At this point it is necessary to differentiate initiating events from latent or root causes. Initiating events are distinctly different from root or latent causes. In general, root or latent causes create latent weaknesses in a system. When a challenge arises or a demand is made on the system, these weaknesses give rise to an initiating event. For example:
- "Inadequate operator training" is not an initiating event, but is a potential underlying cause of an initiating event of the 'human failure' type.
- "Inadequate test and inspection" is not an initiating event, but is a potential underlying cause of an initiating event of the 'equipment failure' type.
One of the most common "silos" in industry today exists between the group responsible for process safety management and the group that manages instrumentation and controls. Ensuring that these two groups can pass information and work "hand-in-glove" means that the two need to share the responsibility for hazards assessment and SIF specification, which can best be enabled by working from a common management platform. APM's Asset Safety work process is enabled through the complete integration of hazards analysis with a TUV certified SIF design verification and periodic validation platform that encompasses the entire lifecycle. Common mistakes associated with requirements specification can be reduced, functional safety can be improved and lifecycle costs can be optimized through the application of a little common sense and a work platform that pro-actively manages the entire scope of the lifecycle.

See my reply in BLUE....

I need detailed response of my below mentioned queries related to design engineering of instrument works.

1-The difference between documents "instrument index" and "instrument I/O list".

The instrument index consists of the types of instruments installed in the plant, whereas the instrument IO list shows the instruments connected to the BPCS/SIS systems...

2-The difference between "segment wiring diagrams" and "instrument termination diagrams".
Both can be part of the instrument loop diagram... depending on the complexity and the number of terminations involved... segment wiring diagrams and instrument termination diagrams are referred to in instrument loop diagrams.... a segment wiring diagram shows only one segment of the entire loop, whereas an instrument termination diagram shows how the instrument is connected to the BPCS... e.g. a Gas Chromatograph (GC).. to the BPCS it is an instrument, but it depends on how the GC is sending data to the BPCS or how the BPCS is reading data from the GC... it could be via a two, three, four, 5, 10 or 25 wire connection or via some industrial communication protocol.. now the instrument termination diagram shows how the instrument and the BPCS are connected...

3-Is data sheets preparation regarding "PCV" and "PSV" in instruments scope of work?? How, PSV and PCV are sized?

If you are involved in commissioning of a new plant, then the data sheet will be provided to you as part of the As Built documents by the EPC... If you are in maintenance, then in case there is a new installation of a PSV or PRV or CV it is the responsibility of the instrument engineer to collect data from Process Engineering/Project Engineering and prepare a data sheet... Sizing of a PSV or PRV is not easy and I would suggest that you start with the simplest Control Valve rather than jumping directly to PSV or PRV... Each vendor provides sizing tools for its CV/PSV/PRVs... and the basics of CV sizing remain the same most of the time.. but it may differ; all is subject to how the vendor has designed the valve...

4-What is difference between "Fail close" and "Fail open" position of control valves.

Both terms are used when the Safe State of the valve is considered.. (please refer to the plant HAZOP documents for the definition of the Safe State for each valve)... Fail Close or Fail Open means that in case of failure of the air supply, the 4-20 mA or 24 Vdc signal, or CV diaphragm rupture, the valve will go to a pre-determined safe position, i.e. Close or Open respectively...
5-The difference between "RTD" and "thermocouples".Which is better for temperature measurement.
The principle of operation of the two is different...
An RTD is relatively more accurate and exhibits linear characteristics from low to medium range temperatures... whereas TCs are relatively less accurate but exhibit linear characteristics from low to very high range temperatures...
6-What is difference between "FFB (Foundation field bus) " and "conventional" protocol.Define the conditions where these are
applicable.
There is no such thing as a Conventional Protocol... Please re-phrase your question...
7-Why "digital signals" are used for on/off operations?? and analogue signals for control/measure operations?.Please
highlight the basic difference of both methodologies.
Because you can't use it other way around.... Please re-phrase your question with some problems??
A word of advice... This forum is for discussion/problem solution... Some of the questions you have asked require a big explanation; I would suggest you buy and read a few instrumentation and control system books.... It would be beneficial for you and also for the rest of the members if you ask questions to the point and, if necessary, give an explanation with some examples...
Have a few more comments on a few of your questions.
3- Sizing of PRVs and PSVs is not necessarily the responsibility of the Instrument Engineer. Sameen is correct as far as new installations are concerned. But for maintenance, it differs from plant to plant, since responsibility may be distributed differently in different organizations. As an example, at the plant I work at, the design and sizing of all kinds of valves falls under the domain of Process Engineering. They develop the data sheets, which they then hand over to the instrument engineer for procurement of the valve. Once the valve is procured, the project engineer (mechanical engineer) has it installed in the field, and the instrument section is responsible for the electrical and pneumatic connections. As for the PSV, that is completely out of the Instrument Engineer's domain. It is designed by the Process Engineer, and installation and maintenance fall under the domain of the stationary equipment maintenance section.
7- I agree with Sameen that it is not possible to have it the other way round. Digital signals have just two states (on and off). For control purposes, the requirement is generally to have infinitely many intermediate values between, say, 0 and 100%, something that is quite unachievable through the use of digital signals.

Re: Difference between HAZOP and PHA

by Black Onyx » 10 Jul 2012, 16:33


Nabeel,

Process Hazard Analysis (or PHA) is a study that should be carried out to identify the risks associated with the operation of a High Hazard Process and to provide mitigating actions (aka layers of protection) to reduce the associated risk to an acceptable level (sometimes called ALARP, or As Low As Reasonably Practicable).

PHA may be carried out at the following different stages of the life cycle of a plant, i.e.
1. Conceptual Stage PHA (when only basic technology / design is known)
2. Detailed PHA (when 70%~90% design is locked and complete details are available)
3. Pre-Startup PHA
4. Baseline PHA (after successful commissioning has been carried out)
5. Cyclic PHA (once in 5 years for HHP)
6. Decommissioning or Mothball PHA
Now PHA itself consists of two Parts
1. Consequence Analysis, which is further classified into
 a. Qualitative Consequence Analysis
 b. Quantitative Risk Analysis (QRA)
2. Process Hazard Review or PHR (which can be done using any one, or a combination, of the following techniques)
 a. HAZOP (Hazard & Operability) Study
 b. What-if Method Study
 c. Checklist Method
 d. FMEA (Failure Mode & Effect Analysis)
 e. FTA (Fault Tree Analysis)
In addition, various other studies are sometimes carried out as part of the PHR, such as Facility Siting, Human Factor (HF) analysis etc.

The following few outlines could help to assess the criticality of a new site:

Process safety information.
Workplace and process hazard analysis, consultation and action planning.
Responsibilities and participation of personnel.
Written operating procedures for all operating phases and limitations.
Permit system.
Compliance auditing.
Employee and contractor safety information and training.
Mechanical integrity evaluation and maintenance systems.
Design, fabrication and installation.
Emergency planning, response and training.
Pre-startup safety reviews.
Management of change procedures.
Incident investigation.

Piper Alpha Incident

by ashfaqanwer » 25 Nov 2010, 05:06


The accident that occurred on board the offshore platform Piper Alpha in July 1988 killed 167 people and cost billions of dollars in property damage.
It was caused by a massive fire, which was not the result of an unpredictable "act of God" but of an accumulation of errors and questionable decisions. Most of them were rooted in the organization, its structure, procedures, and culture.

Some of the causal factors of the incident include:

1. Platform design issues
2. Site management was not authorized to shut down the plant without prior approval from top management stationed onshore.
3. Blast walls were not available
4. A temporary under-rated blind was installed in place of the removed PSV
5. Communication gap between the two shifts, as the incoming shift was not aware of the removal of the PSV.
6. The emergency response decision makers died in the first explosion and no stand-in had been nominated
7. The fire pumps were in manual mode as divers were working on the suction line
8. The helicopter could not land on the platform due to flame and heavy smoke
9. Inadequate firefighting equipment

My findings are as below:-


1. The PTW (permit to work) system was not up to date at that time. Nowadays PTW has a key, lock and key-safe system which ensures that the person issuing the permit can only withdraw a permit after unlocking the lock with the key, which is in the custody of the Manager Operations.
2. The facility was designed for pumping oil only; it cannot be modified for gas extraction due to the pressure difference between oil and gas extraction.
3. No NRVs (non-return valves) were placed on the branch pipelines connecting with the main pipeline.

Accident of ABB Generator (130.5 MW) at Jamnagar, Reliance Industries Ltd, India

STAY SAFE!!! TRAINING, TRAINING, AND MORE TRAINING!!!!!!!

Please find below an account of an accident involving an ABB generator (130.5 MW). It is a good lesson in what can go wrong if isolation and normalization procedures are not followed; self-isolation may lead to disaster.
The incident led to the complete destruction of the steam turbine unit.
The main reason for this incident was "CLOSING OF CONTROL OIL RETURN LINE MANUAL ISOLATION VALVES FOR SOME MAINTENANCE WORK AND NOT OPENING THEM AFTER COMPLETION OF THE WORK".
The generator shaft at the exciter end and the turbine end was found sheared off and thrown into pieces. The steam turbine burst, and high pressure/temperature steam and hot liquid poured onto all the cables and auxiliary systems surrounding it. The scene was entirely like a war zone.
Findings:
In the control oil (hydraulic) skid, the fluid-side isolation valves on the return line of all 4 fluid coolers were found in the closed condition.
On investigation, it was understood that mechanical maintenance had taken a permit to replace the hydraulic oil in the control oil hydraulic skid. Mechanical maintenance had done their own isolation on the fluid-side isolation valves of the 4 fluid coolers without informing operations, and had cleared the permit without reopening/normalizing them as required.
When a turbine trip occurred, the fluid could not drain from the hydraulically operated servomotors, obstructing the stop valve closure function. Due to pressure build-up in the return line, the connector on the drain line burst, and the stop valves remained open even after the trip request (until the rupture of the piping connection, which then acted as a drain). Because of the closed condition of the 4 fluid cooler isolation valves (return line), the problem had already been experienced during the start-up before the accident: the control valves lost control and the turbine sped up quickly (loss of control and fast speed-up). This resulted in the servo valve drain port being pressurized to an abnormal level, preventing the correct closure and movement of the control valves.
Inspection, together with examination of the event recorder log, indicated that all the trip requests were present, so it was concluded that the cause of the accident lay in the hydraulic part of the control system, i.e. the improper status of the above isolation valves, left without normalization after maintenance work. The defective closure of the stop and control valves upon the trip request generated a turbine/generator overspeed situation (it was not possible to establish the speed accurately, as the speed went beyond the sensing scale, but it was surely at least >4000 rpm).

Safety Incident Circular of a Pressure Vessel Hydrotest Failure in China in early 2008.
This vessel was manufactured by a vessel vendor in China and the plate was of Chinese mill origin. Unfortunately this is another example of serious equipment/material failures with equipment being sourced from the rapidly developing economies such as China, the Eastern Bloc and others. These examples are becoming almost a weekly occurrence now and are exhibiting failure modes not seen in the mature manufacturing economies since the 1930s. Again we need to ensure vigilance in the acceptance of manufacturers, and once more I stress the need to know where the base materials are sourced from. Apparently this pressure vessel had reached fifty percent of the required test pressure when the shell ruptured. A metallurgical failure report is not available; however, from the photographs a number of observations could be made regarding the quality of the material and the welding.
Lessons & Learnings:
(1) All base metal requirements shall be specified in the P.O. requisition per project/industry code requirements.
(2) Consult specialists (i.e. Materials and Corrosion Engineers) whenever in doubt.
(3) All inspection (from base materials to final products) should be performed per the codes, specs and standards.
(4) Especially when you have selected manufacturers in China, the above (1), (2) and (3) are a very important message.
octane, let me put some light on PHA methodologies, which are:
Qualitative Hazard / Risk Assessment
Job Safety Analysis (JSA)
Logic diagrams
What-if/Checklist
Failure Modes and Effects Analysis (FMEA)
Hazard and Operability Study (HAZOP)
Quantitative Hazard / Risk Assessment
Fault Tree Analysis (FTA)
In-process energy modeling
Event probabilities
Risk/cost trade-off
Every method has its own limitations including pros n cons. For example FMEA method is frequently used to asses the hazards
and risk with in any logic or control loops. And HAZOP technique is used for huge and complex processes, due to its
systematical approach. Whereas What-if / Checklist is a very detailed and usually recommended of simple processes due to
lack of in-scope/out-scope features.

SIL
The concept of safety integrity levels (SILs) was introduced during the development of BS EN 61508 (BSI 2002) as a measure of
the quality or dependability of a system which has a safety function – a measure of the confidence with which the system can
be expected to perform that function.
Following are 2 popular methods of determining SIL requirements for process industry installations:
- risk graph methods
- layer of protection analysis (LOPA)
But all these methods require a lot of data, assumptions & calculations.
Is there any key available to determine the SIL requirement for any specific process / component?
Actually I need to determine the SIL prior to designing a protection system for an ammonia refrigeration loop which has ~15 metric
tons of ammonia in it. Should it be SIL-1 or 2 or 3?
ANSI S84.04 requires that companies assign a target SIL for all Safety Instrumented Systems (SIS). As well, after a PHA study,
the study team may determine that certain critical systems require that a SIL be assigned. The assignment is based on the
amount of risk reduction that is necessary to mitigate the risk associated with the process to an acceptable level. All of the SIS
design, operation and maintenance choices must then be verified against the target SIL.
The first step for assignment of a target SIL is to use your (updated) PHAs or conduct new PHAs to screen for the hazards.
HAZOP is the most commonly used methodology. If the risk is unacceptable then it is reduced or eliminated using non-SIS or SIS
elements. You consider SIS only after all the non-SIS protection layers have been considered. HAZOPs identify risks in terms of
the likelihood and the severity of the hazards. Target SILs are assigned to the SIFs of the SIS identified in the PHA studies. Various
methodologies are available for assignment of target SILs. As in the case with PHA studies, the assignment of target SILs must
involve people with the relevant expertise and experience. Methodologies used for determining SILs include, but are not limited
to:
•Consequence only
•Risk graph
•Layered risk matrix
•Risk matrix
•Layer of protection analysis
•Fault tree analysis
Whichever technique is used, the greatest increase in cost occurs when the decision is made that the SIL must be higher than SIL
1. The selection of SIL 2 or SIL 3 forces the SIS design toward device redundancy and diversity. With this recognition, many
companies are taking the approach that "a safety system is a safety system and therefore should be SIL 3". This eliminates the
arguments about whether escape is possible, whether someone will be injured or killed, or whether the impact will be on-site and/or
off-site. It saves time in the PHA process, reduces documentation in justifying the SIL choice, and ensures consistency across
process units. Unfortunately, there is no easy answer when it comes to assigning SILs. The choice involves examining safety,
community, environmental, and economic risks. Most importantly, tools must be developed at the corporate level to ensure that
the choice of SIL is consistent with a company's risk management philosophy and that the assignment method is congruent with
the existing characteristics of the corporate risk assessment methodologies. The following can, however, be used as a conservative
guide:
SIL 4 --- For hazards that can lead to Catastrophic Community Impact
SIL 3 --- For hazards that can lead to Employee and Community Impact
SIL 2 --- For hazards that can lead to Major Property and Production Protection. Possible Injury to employee
SIL 1 --- For hazards that can lead to Minor Property and Production Protection
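The LOPA route described in the answer above, carried through as an added worked example (this code is not part of the original thread). The initiating-event frequency, the IPL credits and the 1e-5/yr tolerable frequency are constructed figures for illustration, not values taken from any standard or plant. It credits every non-SIS layer first, as the answer insists, and only then sizes the SIF:

```python
"""LOPA-style target SIL determination for one hazard scenario (added illustration)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Low-demand-mode SIL bands for the SIF's average probability of failure on demand (IEC 61511):
# (SIL, PFDavg lower bound inclusive, upper bound exclusive)
SIL_BANDS = ((1, 1e-2, 1e-1), (2, 1e-3, 1e-2), (3, 1e-4, 1e-3), (4, 1e-5, 1e-4))


def sil_from_pfd(pfd: float) -> Optional[int]:
    """Map a required PFDavg to a SIL. 0 means no SIL-rated function is needed
    (required PFDavg >= 0.1); None means the requirement is beyond SIL 4, i.e. a
    single SIF cannot carry it and the process design should change instead."""
    if pfd >= 1e-1:
        return 0
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return None


@dataclass
class Scenario:
    """One cause/consequence pair from the PHA. All figures are constructed, not from any real plant."""
    name: str
    initiating_event_freq: float                                       # initiating events per year
    ipl_pfds: List[float] = field(default_factory=list)                # non-SIS independent protection layers
    conditional_modifiers: List[float] = field(default_factory=list)   # e.g. occupancy, ignition probability
    tolerable_freq: float = 1e-5                                       # per year, assumed corporate criterion


def mitigated_frequency(s: Scenario) -> float:
    """Frequency of the consequence with every non-SIS layer already credited (no SIF yet)."""
    f = s.initiating_event_freq
    for p in s.ipl_pfds + s.conditional_modifiers:
        f *= p
    return f


def required_sif(s: Scenario) -> Tuple[float, float, Optional[int]]:
    """Return (required risk reduction factor, required PFDavg, target SIL) for the SIF
    that closes the gap between the mitigated frequency and the tolerable frequency."""
    f = mitigated_frequency(s)
    if f <= s.tolerable_freq:
        return 1.0, 1.0, 0            # existing layers already meet the criterion
    rrf = f / s.tolerable_freq
    pfd = 1.0 / rrf
    return rrf, pfd, sil_from_pfd(pfd)


# Constructed example: high-pressure excursion in an ammonia refrigeration loop.
WITH_ALL_LAYERS = Scenario(
    "ammonia HP excursion, relief valve + operator response credited",
    initiating_event_freq=1.0,        # loss of cooling/control roughly once per year (assumed)
    ipl_pfds=[0.01, 0.1],             # relief valve, operator response to an independent alarm (assumed)
    conditional_modifiers=[0.5],      # someone present in the affected area half the time (assumed)
)
WITHOUT_OPERATOR = Scenario(
    "same excursion, operator response not creditable",
    initiating_event_freq=1.0,
    ipl_pfds=[0.01],
    conditional_modifiers=[0.5],
)

if __name__ == "__main__":
    for sc in (WITH_ALL_LAYERS, WITHOUT_OPERATOR):
        rrf, pfd, sil = required_sif(sc)
        print(f"{sc.name}: RRF {rrf:.0f}, PFDavg {pfd:.2e}, target SIL {sil}")
```

The two scenarios differ only in whether the operator response is accepted as an independent layer; losing that single credit moves the SIF from SIL 1 to SIL 2, which is exactly the cost step the answer warns about.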

Difference between MAT and MDMT


Usually, MDMT is designated based on the transition temperature below which the impact energy absorbance capacity starts to
decrease. Ideally both MAT and MDMT should be the same. However, if you take the vessel below MDMT, to get a further lower MAT,
the vessel will not take any impact and will fail in brittle mode, without any elongation. It can be said that MAT can be lower than
MDMT, but in that case the vessel will not be able to withstand any impact or energy absorbance in case of any sudden loading.
At a specific pressure, I understand there should be a minimum allowable temperature for the vessel. If operating far below
the design pressure, I understand that we can set a minimum allowable temperature even lower than MDMT. What do you think?
Yes, for that case you can have a lower temperature range. But bear in mind MDMT is for "impact loading" and not for "static
loading" like pressure. If you talk about pressure only, even at design pressure, you can have a temperature lower than MDMT.
Think about any sudden loading case which may occur: no matter how low the operating pressure you are using is compared with the
design pressure, the vessel will not take any energy and will fail suddenly.

Hydrotest after welding


A contractor has manufactured some columns for us (design is based on ASME VIII). The column has internal supports directly
welded to the shell. Now the contractor wants to relocate some of these supports and weld them again at some different location
inside the column to the shell. As per the AI (Authorized Inspector), a hydrotest is not required after welding; only an R1 form and
a repair procedure approved by the AI are required. I want to know, is it as the AI is saying, or is a hydrotest required? Is there
some exemption from hydrotest after welding on pressure parts?
API 510 gives complete authority to the AI in deciding the need for a hydrostatic test after the weld repair.
Ask him for appropriate NDE to be done on the new weld and the older surface.
These columns are not in service, so API 510 is not applicable. These were fabricated in the workshop and just transported to site
for erection, but it came to be known that there were some support welding issues.
Looking at the kind of repair, which doesn't involve the full thickness of the material at the weld joint, a hydrostatic test doesn't
stand as a necessity. Perform MPT if it is carbon steel or PT if stainless. That would suffice for the requirement of testing the new
welds. In case there had been a major repair involving a butt (or groove) weld, I would have recommended 100%
radiography, still with no hydro. As a client, if you still want to go for hydro after this repair, please ask the AI to go for that. Being
the owner of the equipment, you have the right to raise the concern.

Pipeline hydrotesting
After sectional (partial) replacement we are planning to carry out hydrotesting of a cross-country pipeline. However, due to time
constraints one section of corroded piping has been composite wrapped at the corroded location to withstand the maximum allowable
operating pressure of the pipeline. My question is, for calculating the hydrotest pressure, whether only the remaining corroded
thickness will be taken into consideration without the composite wrapping, or both will be considered. Any reference standard to
reply with is highly appreciated.
The test shall be done at the test pressure recommended by the construction code. What's the code in this case? The test pressure
shall not be compromised for new piping sections just because of one composite repair. I would have only accepted the new
sections once they are tested at 1.5 times the design pressure if following ASME B31.3 as the construction code.

Re: IS Isolators & Functional Safety??


Let me explain this by example. A device is intrinsically safe if it does not carry enough energy to cause an explosion in case a
short circuit or over-current condition exists, causing ignition conditions at the device. For this purpose you have intermediate
isolating devices which lie outside of the classified (Zone 0 / Div 1) area in a control cabinet, and further feed the instruments
(usually sensors).
The purpose of an intrinsically safe instrument (or loop using an IS isolator) is quite different from that of an SIS. An IS
isolator is used to limit the chances of an explosion, as stated in Wasif's explanation. However, an SIS is normally a
protection system to protect the operating equipment in case of a parameter/process upset, often by initiating a partial or
complete process shutdown.
Of course, an IS isolator may be used in an SIS. However, even in that case the purpose of the isolator would be to
reduce the chances of explosion and not to improve or alter the availability of the system. An SIS may also be used without an
isolator (in which case again there will be no impact on the availability of the system), but you may run the risk of letting
excess energy into a classified area which might itself cause an explosion. In that case, I'd say yes, you are affecting the safety
figures. An isolator in an SIS does make the overall system safer, but it does not affect the availability provided
that the MTBF of the isolator is not below that of all other components in the SIS. Of course, the SIL rating of the isolator
will also come into play then. I hope I have understood your query and responded accordingly.
Dear Ali, IS isolators are part of the SIS loops; we agree on that. Since SIL calculations are done at the loop level, not at the
system level, the availability figures of IS isolators and all possible failure scenarios of IS isolators are also
required. I agree with the concept that IS isolators are used to reduce the probability of explosion in the hazardous area, but I don't
agree that it doesn't alter the availability of the system. In functional safety there are two things which are greatly emphasized:
1) Safety when all components are integrated together, and safety at component level
2) Availability of the smallest items can affect the availability of the whole system (a system is only as strong as its weakest link)
In simple words, failure of IS isolators will result in failure of loop functionality, which in turn will result in failure of the safety
function.
"High Availability does not always ensure Safety." A safe device is made with the intention to ensure safety;
an available device is made with the intention to maximize availability. My query was what kind of impact we'll see in the SIS due
to IS isolator failures, and what kind of IS isolator failures we should look into when designing an SIS?

RBV or MOV?
RBV is a Remote Block Valve. It's basically an isolation valve or ESD valve. Question: Is there any standard that determines
pneumatically operated valves or motor operated valves for purposes of isolation of a natural gas line during a fire?
Okay, well, yes, volume isolation needs to be enforced for pipeline applications. MOVs MAY be used for shutdown applications;
there is a variety of SIL-3 certified EH valves available on the market with spring return (enabling a fail-safe position). You just
have to take notice of your process requirements, most significantly the closure time. Especially with liquids, closure time is
very sensitive: you need quick closure, but you don't need slam-shut, otherwise a surge can occur. Then, since this is going to
be a remote location, you need to consider the supply of power to the MOV; check with your electrical discipline whether you
can take LV cables to the distance that you require. Additionally, you will need a 415 V UPS, since MOVs on emergency service
will most definitely need to be powered from a UPS; a regular power supply will not do. So you can compare the cost of
installing a 415 V UPS and the feasibility of running power cables to remote areas against the option of pneumatic valves. The point
is, you can use a suitable MOV for isolation, but conventional pneumatic valves are more reliable, and in most cases pneumatic
valves will also prove to be more economically and technically feasible. Once you do a background study on all the
requirements of both cases, you'll get a clearer picture of your particular scenario.
Thanks Absar. The central idea I'm taking here is that there is nothing against standards in using either an MOV or conventional
pneumatic valves. It basically comes down to technical and economic feasibility. What does the acronym "EH" refer to though?
Electro-hydraulic. Because you will definitely not be using conventional electrical-only motorized valves for safety applications.
And yeah, there is nothing in the standards against using EH valves, because SIL-3 certified valve actuators are available on
the market. But application of those is rarely ever feasible, so a background study is a must here.

PLC - Architecture Vs Safety


Hi Guys, is a QMR architecture much safer than a TMR or DMR? Is there any relationship between architecture &
safety?
Sameen, it's obvious that in N-modular redundancy, the chance of incidents due to malfunctioning of a loop decreases as N increases,
but at the cost of higher capital cost. So yes, QMR is much more reliable than TMR and DMR. Reliability is defined as the
probability of not failing in a particular environment for a specific mission time. Reliability is a statistical probability and there
are no absolutes or guarantees. The goal is to increase the odds of success as much as you can within reason. So we can say
safety is a function of reliability, i.e. the higher the reliability of the control system, the safer your equipment will be.
Hi Ibrahim, I agree with the concept of reliability. But safety is something that is embedded into the system. For a safety system,
the most important thing that you always want is that it should fail in a predetermined safe state. By using different
architectures, we increase the availability of the system and in turn the reliability of the system, but in the meantime we make it
more complex. Tests are performed to figure out all the possible failure scenarios and measures are taken so that if the system
fails it should not fail in a dangerous state. But looking at the system complexity, the big question comes: have we covered all
possibilities? The answer is NO, and not knowing is big enough justification. So the system can be more reliable and more available,
but I doubt that it becomes safer with a complex architecture. So the question still stands: is a QMR architecture
"SAFER" than TMR or DMR?
Sameen,

The answer to this question is not very simple. However, if I were to place the redundancy schemes in order of safety, this is
what my order would be:
2oo4 / 1oo3 --> 2oo3 / 1oo2D --> 2oo2

Control systems have 2 important parameters that a consumer might be interested in:
1- the system does not fail, i.e. high availability or fault tolerance,
2- the system must fail in a safe manner, i.e. high safety level.
You are absolutely correct in saying that as availability increases, safety level is compromised.
For instance, 1oo1 voting is the simplest to install. It can be programmed to be fail-safe and hence vote a trip. The disadvantage
of the scheme is that the production losses will be higher due to false trips, and therefore the system cannot be termed as
fault-tolerant at all. 1oo1D voting is an improvement over 1oo1 voting, the architecture improves fault-tolerance by converting
dangerous failures into safe failures by de-energizing the output.

Comparing this to the 2oo2 configuration, now both votes will need to be present to effect a shutdown. The system will be
more fault tolerant than the 1oo1 configuration, but the safety level will be compromised since there will be conditions in which one
of the units might be out of service (for instance during maintenance), and in that case, even if the other unit votes a trip, the trip will
not be actuated. The 2oo2 configuration is also referred to as a 2-1-0 scheme. It is estimated to be three times more available than
the TMR architecture, but only half as safe as a simplex (single channel) configuration. This is because both channels must fail
for the system to experience a spurious trip, and both must operate for the system to achieve the safe state, and herein lies
the problem.

The solution is provided by the 1oo2D configuration, which provides the availability level of the 2oo2 scheme and the safety level
of the 1oo1 scheme. In the 1oo2D configuration the convention used will be that only one of the two votes need be present to
shut down. In case of a single failure, its diagnostic contact will open the output channel and remove that unit from service. The
SIS function then continues to be performed by the remaining channel. The system can then be said to be operating in a 1oo1D
configuration. That is, normally the scheme operates with a 2-1-0 configuration but reverts to a 2-0 scheme when a fault occurs
that cannot be resolved. However, such a scheme depends greatly on the system's internal diagnostics.

Then come the TMR systems. The advantage of TMR systems is their relatively lesser dependence on the system's internal
diagnostics. Simple voting can be used to determine a fault in any one of the units, after which the faulty unit can be eliminated
from control. TMR systems also have 2 possible degradation modes, 3-2-0 and 3-2-1, the former being safer
while the latter ensures higher availability. The level of fault tolerance can definitely be improved if adequate internal
diagnostics are also incorporated into the TMR scheme. Summing it up, the objective of increasing redundancy is to improve
availability and not safety. The determining factor is how the system (whether DMR, TMR or QMR) is designed to ensure a
high safety level in spite of increased redundancy, and that pretty much depends on how the manufacturer has designed the
internal diagnostics of the system, that is to say how the manufacturer has ensured that there is no instance where a process
may be left in a vulnerable state. For instance, there are some QMR control systems that have 2 independent channels, both
channels being redundant within themselves (that's how they get the QUAD configuration) and capable of operating at SIL 3
independently. Moreover, the two channels are entirely isolated and keep monitoring each other for faults. The internal
diagnostics are designed such that at least one of the channels must be entirely fault-free for continued operation. In addition,
what also determines how safe/available a system is are the possible degradation modes available. In that aspect, the QMR scheme
is at least comparable with the TMR scheme, since both have the same number of degradation modes, i.e. 3-2-0 and 4-2-0.
Another aspect is comparison of the PFD(avg) expressions for each system. Referring to ISA TR84.02, Part 2, 1998, one can quickly
determine that the Quad (2oo4) architecture is comparable to the ultra-safe 1oo3 architecture, as both have cubic terms in
their equations for PFD. By comparison, TMR (2oo3) is comparable to the 1oo2D architecture in that both have squared (second
order) terms in their equations. This comparison concludes that the QMR (2oo4) architecture provides an order of magnitude
better safety performance than either the TMR (2oo3) or 1oo2D architecture, and is a major technological enhancement in safety
system performance. Here's a comparison of these architectures.
1oo2: PFD avg. = (λ^DU)^2 x (TI/3)^2 + . . .
1oo3: PFD avg. = (λ^DU)^3 x (TI/4)^3 + . . .
2oo3: PFD avg = (λ^DU)^2 x (TI)^2 + . . .
2oo4: PFD avg = (λ^DU)^3 x (TI)^3 + . . .
This is the reason why I listed the schemes in the order that I did in the start of my reply. I hope I have clarified.
Just a thought: first, the level of redundancy does not imply a safer system. Even a simple redundant system can be safer
than a QMR system (as proven by many FMEDA reports that can be viewed on the websites of system vendors, including
Invensys). If a system is rated for the particular SIL level, the level of redundancy of the system, in my opinion, is irrelevant.
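To make the PFD comparison in the thread concrete, here is an added example (not code from any of the posters) implementing the leading-term PFDavg approximations for the architectures listed, with λDU = 0.05/yr per channel and a one-year proof-test interval as assumed inputs. It also carries an optional β common-cause term, which is the caveat a practitioner needs before accepting the "order of magnitude" claim for 2oo4 over 2oo3:

```python
"""Leading-term PFDavg for common voting architectures (added illustration)."""
from typing import List, Optional

ARCHITECTURES = ("1oo1", "2oo2", "1oo2", "2oo3", "1oo3", "2oo4")
REDUNDANT = {"1oo2", "2oo3", "1oo3", "2oo4"}

# Low-demand SIL bands on PFDavg (IEC 61511): (SIL, lower inclusive, upper exclusive)
SIL_BANDS = ((1, 1e-2, 1e-1), (2, 1e-3, 1e-2), (3, 1e-4, 1e-3), (4, 1e-5, 1e-4))


def pfd_avg(arch: str, lam_du: float, ti_years: float, beta: float = 0.0) -> float:
    """Simplified PFDavg keeping only the leading term in x = lambda_DU * TI, the same style of
    approximation the ISA TR84.00.02 discussion refers to. Repair time, diagnostics and detected
    failures are ignored. lam_du: dangerous undetected failure rate per channel per year;
    ti_years: proof-test interval; beta: common-cause fraction, added as beta*x/2 to the
    redundant architectures (the IEC 61508-6 beta-factor model, leading term only)."""
    x = lam_du * ti_years
    leading = {
        "1oo1": x / 2,          # time-average of lambda*t over the test interval
        "2oo2": x,              # either channel failing dangerously defeats the trip: twice 1oo1
        "1oo2": x ** 2 / 3,     # both must fail
        "2oo3": x ** 2,         # any two of three: 3 * (x**2 / 3)
        "1oo3": x ** 3 / 4,     # all three must fail
        "2oo4": x ** 3,         # any three of four: 4 * (x**3 / 4)
    }
    pfd = leading[arch]
    if arch in REDUNDANT:
        pfd += beta * x / 2     # the common-cause floor that redundancy cannot remove
    return pfd


def sil_capability(pfd: float) -> Optional[int]:
    """SIL band the PFDavg falls in: 0 if worse than SIL 1, None if below the SIL 4 floor."""
    if pfd >= 1e-1:
        return 0
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return None


def rank(lam_du: float, ti_years: float, beta: float = 0.0) -> List[str]:
    """Architectures from lowest (safest) to highest PFDavg."""
    return sorted(ARCHITECTURES, key=lambda a: pfd_avg(a, lam_du, ti_years, beta))


if __name__ == "__main__":
    LAM_DU, TI = 0.05, 1.0          # assumed per-channel rate and one-year proof test
    for beta in (0.0, 0.10):
        print(f"beta = {beta:.0%}")
        for arch in rank(LAM_DU, TI, beta):
            p = pfd_avg(arch, LAM_DU, TI, beta)
            print(f"  {arch}: PFDavg {p:.2e}  SIL {sil_capability(p)}")
```

With β = 0 the cubic architectures sit a factor 1/x (20 here) below the squared ones, which is the order of magnitude the thread quotes; with a 10 % common-cause fraction all the redundant schemes collapse onto the β·x/2 floor and 2oo4 drops from SIL 3 to SIL 2 capability, so the ordering survives but the gap does not.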

What is the link... "Inherent Safety & Functional Safety


Functional safety is concerned with products or systems whose failure to operate reliably could harm people or the
environment. It is the part of the overall safety that depends on the correct function of safety-related systems for risk
reduction. These systems have to carry out their intended functions (safety functions) under defined error conditions and with
a defined high probability. An inherently safe process, on the other hand, has a low level of danger even if things go wrong. In the
context of a process industry, an inherently safe design is one that avoids hazards instead of controlling them, particularly by
reducing the amount of hazardous material and the number of hazardous operations in the plant. In simpler words, inherent
safety implies that the process/equipment is designed such that even in case of a failure, the level of danger will be low and
therefore would not result in serious personnel/equipment damage. Functional safety, on the other hand, is a concept applied to
a safety system put in place to reduce or mitigate the risks of a process going wrong, or to prevent the process from going wrong in
the first place.
Inherent safety is a concept particularly used in the chemical and process industries. An inherently safe process has a low
level of danger even if things go wrong. It is used in contrast to safe systems where a high degree of hazard is controlled by
protective systems. It should not be confused with intrinsic safety which is a particular technology for electrical systems in
potentially flammable atmospheres. As perfect safety cannot be achieved, common practice is to talk about inherently safer
design. “An inherently safer design is one that avoids hazards instead of controlling them, particularly by reducing the amount
of hazardous material and the number of hazardous operations in the plant.”

Functional safety is the part of the overall safety of a system or piece of equipment that depends on the system or equipment
operating correctly in response to its inputs, including the safe management of likely operator errors, hardware failures and
environmental changes.

Line monitoring & SIL 3 applications??


Hi Guys, is line monitoring a mandatory requirement for SIL 3 applications?
I think you are getting confused between LOPA and SIL. Line (piping network or pipeline) monitoring is a function of LOPA (Layer Of
Protection Analysis) and, as far as my knowledge goes, it has no relation with Safety Integrity Level(s). SIL is a function of electronic
control and protection systems, whereas inspection plans for pipelines, PSVs and other mechanical protections are governed
by LOPA.
Yeap, I got it now. Sameen, as far as I know the line monitoring technique is a sort of preventive maintenance. Either you have
configured some logic in the PLC to diagnose open or short circuits to let the operator know through an alarm, or you do it through a
maintenance plan manually. Maintenance of the associated SIS, for proper functioning, is a mandate for that specific SIL. For
example, if a SIF loop failed to execute on demand due to lack of maintenance, the safety integrity level is decreased due to the
associated SIF failure. So yes, line monitoring is a mandatory requirement for all SILs. Mostly, independent on-skid type PLCs force
shutdown of the system in case of open/short circuits. (I have experienced such a configuration in Solar gas-turbine driven compressors.)
Hi Ibrahim, I don't agree on the account that line monitoring is used for maintenance. It is one of the fault detection techniques, the
same as functionality checking, consistency checking, signal comparison, checking pairs, loopback testing, watchdog timers, bus
monitoring and power supply monitoring, and a safety PLC performs diagnostics on the system again and again to detect faults which
can make the system fail in a dangerous mode. The main objective of such a huge number of diagnostic & fault techniques is to detect
hidden (latent) faults. Thus, line monitoring actually improves the PFD of the system; thus it is mandatory for SIL 3 applications. For a
fault tolerant system three things are important: fault detection, fault isolation & fault identification. Mostly a simplex safety
system is designed to fail safe on single fault detection, but in redundant safety system architectures fault isolation & fault
identification can really improve the PFD figures of a safety system. The major requirements for a SIL 3 loop are redundancy and line
monitoring of IOs. Line monitoring is a mandatory requirement, but the question arises whether it will make the loop fail in a safe
manner; the answer is NO (it is only a fault detection technique). Therefore, for a SIL 3 loop, redundancy is a must requirement: in
case there is a STUCK ON or OFF, the loop will be voted, the fault will be detected and the fault will be isolated for
maintenance. There were days when relay-based systems were used for ESD and BMS applications. I don't think they were using
any line monitoring; that is why they used to have many spurious trips and a lot of safety incidents.
Excellent knowledge sharing, I must say. So we concluded that line monitoring is a must, but where redundancy is available, it's
better to alarm the operator about faults in the line rather than just tripping the machine upon a loose connection.
Guys, that's a pretty good discussion here. Sameen, it seems quite convincing from your account that line monitoring is an
important element as far as SIL implementation is concerned. The next direct question that I want to draw here is, how is the line
monitoring technique generally employed? I've come across accounts where the use of an End-of-Line Module or Resistances is
discussed, but it is still quite vague to me as to how the technique is generally useful. Can one of you guys throw some light on
this please? I'd even love it if any of you can share some literature or a link regarding the same.
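Since the thread ends by asking how the end-of-line technique actually works, here is an added example (not code from any of the posters) modelling a 24 V normally-closed trip contact with a series resistor and an end-of-line resistor, both mounted at the field device. The 24 V supply, 1 kΩ / 10 kΩ resistor values, 40 mA input clamp and 15 % windows are all assumed. It shows why each wiring fault lands in its own current band, why a short circuit is the dangerous case without the network, and how a simplex loop versus a redundant loop should react, which is the distinction the thread settled on:

```python
"""Line monitoring of a two-wire digital input with an end-of-line (EOL) resistor network (added illustration)."""
from enum import Enum

# Constructed loop (assumed values): 24 V input card; at the field device an NC trip contact with
# R_SERIES in series and R_EOL across the contact, so the cable lies between the resistors and the card.
SUPPLY_V = 24.0
R_SERIES = 1_000.0            # ohms, defines the closed-contact current and limits it
R_EOL = 10_000.0              # ohms, keeps a known small current flowing when the contact opens
INPUT_CLAMP_MA = 40.0         # assumed: current the card reports when the cable is shorted
TOLERANCE = 0.15              # +/- 15 % window around each expected current

I_HEALTHY_MA = SUPPLY_V / R_SERIES * 1000.0             # contact closed: 24.0 mA
I_DEMAND_MA = SUPPLY_V / (R_SERIES + R_EOL) * 1000.0    # contact open: about 2.18 mA


class LineState(Enum):
    HEALTHY = "contact closed, wiring intact"
    DEMAND = "contact open: genuine trip demand"
    FAULT_OPEN = "wiring fault: open circuit (no current)"
    FAULT_SHORT = "wiring fault: short circuit (current above the closed-contact window)"
    FAULT_INDETERMINATE = "wiring fault: current between the expected windows"


def loop_current_ma(contact_closed: bool, wiring: str = "ok") -> float:
    """Field model of the loop (constructed, not measured). wiring: 'ok', 'open' or 'short'."""
    if wiring == "open":
        return 0.0
    if wiring == "short":
        return INPUT_CLAMP_MA      # resistors bypassed; only the card's own clamp limits the current
    r_loop = R_SERIES if contact_closed else R_SERIES + R_EOL
    return SUPPLY_V / r_loop * 1000.0


def classify(current_ma: float) -> LineState:
    """Sort a measured loop current into demand, healthy, or one of the fault bands.
    Without the EOL network an open wire is indistinguishable from a demand (nuisance trip) and a
    short is indistinguishable from a healthy closed contact (a real demand could never be seen)."""
    def in_window(i: float, centre: float) -> bool:
        return centre * (1 - TOLERANCE) <= i <= centre * (1 + TOLERANCE)

    if in_window(current_ma, I_HEALTHY_MA):
        return LineState.HEALTHY
    if in_window(current_ma, I_DEMAND_MA):
        return LineState.DEMAND
    if current_ma < I_DEMAND_MA * (1 - TOLERANCE):
        return LineState.FAULT_OPEN
    if current_ma > I_HEALTHY_MA * (1 + TOLERANCE):
        return LineState.FAULT_SHORT
    return LineState.FAULT_INDETERMINATE


def action(state: LineState, redundant_channel_healthy: bool) -> str:
    """A demand always trips. A detected wiring fault trips a simplex loop (fail safe);
    in a redundant loop it raises an alarm and degrades to the remaining healthy channel."""
    if state is LineState.DEMAND:
        return "TRIP"
    if state is LineState.HEALTHY:
        return "RUN"
    return "ALARM_AND_DEGRADE" if redundant_channel_healthy else "TRIP"


if __name__ == "__main__":
    for closed, wiring in ((True, "ok"), (False, "ok"), (True, "open"), (True, "short")):
        i = loop_current_ma(closed, wiring)
        st = classify(i)
        print(f"{i:6.2f} mA -> {st.name:20s} simplex: {action(st, False):17s} redundant: {action(st, True)}")
```

The window approach is what an end-of-line module does in hardware: any current outside the two expected bands is a fault, not a process state, so the logic solver can tell "the operator pressed the button" from "someone cut the cable".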

4 Rules For Designing Safety into Control Systems


 Nov 13, 2012 3:47:49 AM | Posted by Brad Ems

When you see a talk about safety, your first expectation is probably something on proper PPE, procedures or other aspects of
safety that are typical fodder for safety "toolbox talks." What I'd like to discuss in this post, at least in a very general way, is
how to design safety into your process control system.

First off, a disclaimer: I am an engineer, although not (yet) a PE, and I have no certification in any safety-related field. I do have
roughly 30 years of experience in working around heavy equipment, much of it quite dangerous to life, limb, and property if the
risks are not properly managed. In that time, a picture of what process safety is and how to achieve it has become clear.

Safety is not something that can be overlaid onto a process as an afterthought, at least not quickly, easily, or
cheaply. For proper implementation of a safe process system, safety concepts must be designed in from the outset. Ideally,
once the basic process design is complete and drawings are available, a deep review of them begins. This review has a number
of names, but I'll call it the process hazard analysis (PHA). This analysis looks at the hazards of the process, their scope,
severity, and probable frequency of occurrence. From this, a hazard mitigation plan is developed. Several standards, such as those
defining safety integrity levels (SILs), have been developed to quantify these risks. Be sure to choose one applicable to your process
and industry before initiating the PHA.

The first line of defense in any process is the basic process control system (BPCS), which should be designed and programmed
to keep all process parameters within safe limits, and to alarm and/or take action when those limits are approached. The PHA,
however, will almost certainly have shown that there are some risks in your system that have sufficient frequency, severity, or
scope that they require mitigation more reliable than a standard BPCS can provide.

That is where the safety system comes in. A properly designed safety system will examine inputs from the system (which may
also include operator-initiated devices like E-stop buttons), and through logical analysis decide if a hazardous situation exists.
Should such a condition be detected, the safety system will then shut down the process in a predefined, orderly manner
designed to remove energy from the process and put it into a safe condition. Note that process design here is extremely
important: valves, dampers, and other actuators must be designed to fail both electrically and mechanically in a safe condition.

4 basic rules for the safety system include:

1. It is usually separate from the BPCS. There are safety controllers that integrate both safety and non-safety devices, but their
functions are still distinct. More common are systems that have completely separate hardware and/or software from the
BPCS.

2. Redundancy is almost always a requirement. In all but the most benign and riskless processes, there will be hazards that
require a high degree of reliability. To achieve this, redundant circuits, devices, and even controllers are implemented to avoid
a single point of failure from allowing the safety function to fail when called upon.

3. The safety system is self-monitoring. Safety output devices (relays, valves, VFDs, etc.) are monitored by the safety system
itself to ensure that they do indeed move to a safe state when called upon to do so. Should a safety device fail, its redundant
partner will still bring the process to a safe shutdown state, and the safety system must then prevent the BPCS from allowing
operation until the failed component is repaired or replaced. In addition, most safety systems have the ability to self-monitor
for wiring problems that may prevent reliable operation, though they may require special wiring and/or programming to
enable this feature.
4. Devices in the safety system must be rated for safety duty. Devices such as contactors, VFDs, pushbuttons, valves,
transmitters, and so on, are available for duty in safety systems. Be sure to confirm that the devices you are choosing are so
rated, as they are made with specialized materials and designed for high reliability.
Process safety has become a more critical focus of industry in the past twenty years, with many manufacturers marketing
products and services intended to achieve a high degree of reliability in shutdown systems. As a result, prices for hardware
and software have plummeted and it is no longer a difficult or expensive task to find vendors and support for your design
efforts. It is therefore a high priority, in my mind, that engineers take the time to understand how safety systems are properly
implemented to protect their employers’ and clients’ property, surrounding communities, environment, employees, and bottom
line.
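Rules 2 and 3 in executable form, as an added example that is not part of Brad Ems's post: a 2oo3 voter that degrades 3-2-0 or 3-2-1 as channels are declared unhealthy, a discrepancy diagnostic, and a de-energise-to-trip output whose final element is proven by limit-switch feedback and which latches a fault that blocks restart until maintenance clears it. The trip limit, the feedback timeout and the channel values are illustrative, not from any plant:

```python
"""Safety-logic sketch: 2oo3 voting with 3-2-0 / 3-2-1 degradation and a monitored, latching
trip output (added illustration)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Channel:
    value: float      # process variable as seen by this transmitter
    healthy: bool     # False when line monitoring, range check or transmitter diagnostics flag it


def vote_trip(channels: List[Channel], trip_limit: float, degradation: str = "3-2-0") -> bool:
    """High-limit trip over three redundant channels; only healthy channels vote.
    3 healthy: 2oo3.  2 healthy: 1oo2 (either demand trips).  1 healthy: '3-2-0' trips at once
    (the safer mode), '3-2-1' keeps running 1oo1 on the survivor (the more available mode).
    0 healthy: trip, because nothing can prove the process is safe."""
    if len(channels) != 3:
        raise ValueError("this voter is written for exactly three channels")
    good = [c for c in channels if c.healthy]
    demands = sum(1 for c in good if c.value >= trip_limit)
    if len(good) == 3:
        return demands >= 2
    if len(good) == 2:
        return demands >= 1
    if len(good) == 1:
        return True if degradation == "3-2-0" else demands >= 1
    return True


def discrepancy_alarm(channels: List[Channel], max_spread: float) -> bool:
    """Diagnostic that catches a drifting but still 'healthy' transmitter before it skews a vote."""
    values = [c.value for c in channels if c.healthy]
    return len(values) >= 2 and (max(values) - min(values)) > max_spread


@dataclass
class MonitoredOutput:
    """De-energise-to-trip output whose final element (e.g. a valve) is proven by a limit switch.
    A trip not confirmed within feedback_timeout_s latches a fault; the latch blocks restart
    until maintenance clears it, so the BPCS cannot simply restart over a failed element."""
    feedback_timeout_s: float
    tripped: bool = False
    trip_time: Optional[float] = None
    latched_fault: bool = False

    def command(self, trip: bool, now: float) -> None:
        if trip and not self.tripped:
            self.trip_time = now
        self.tripped = trip

    def check_feedback(self, element_in_safe_state: bool, now: float) -> bool:
        """True while the output is proven; latches and returns False on a failed stroke."""
        overdue = (self.tripped and not element_in_safe_state and self.trip_time is not None
                   and now - self.trip_time > self.feedback_timeout_s)
        if overdue:
            self.latched_fault = True
        return not self.latched_fault

    def restart_permitted(self, permissives_ok: bool) -> bool:
        return permissives_ok and not self.tripped and not self.latched_fault

    def maintenance_reset(self) -> None:
        self.latched_fault = False


if __name__ == "__main__":
    limit = 90.0
    sensors = [Channel(95, True), Channel(92, True), Channel(50, True)]
    print("2oo3 trip:", vote_trip(sensors, limit), "discrepancy:", discrepancy_alarm(sensors, 10))
    out = MonitoredOutput(feedback_timeout_s=5.0)
    out.command(vote_trip(sensors, limit), now=0.0)
    print("proven at t=3:", out.check_feedback(element_in_safe_state=False, now=3.0))
    print("proven at t=6:", out.check_feedback(element_in_safe_state=False, now=6.0))
    out.command(False, now=7.0)
    print("restart permitted without maintenance reset:", out.restart_permitted(True))
```

The point of the latch is the one Rule 3 makes: the redundant partner may well have brought the process to the safe state, but the system must still refuse to run again until the element that failed to stroke has been repaired and the fault cleared deliberately.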

Safe Failure Fraction (SFF)


The safe failure fraction is similar to diagnostic coverage (DC) but also takes account of any inherent tendency to fail towards
a safe state. For example, when a fuse blows, there is a failure, but it is highly probable that the failure will be to an open circuit
which, in most cases, would be a "safe" failure. SFF is (the sum of the rate of "safe" failures plus the rate of detected
dangerous failures) divided by (the sum of the rate of "safe" failures plus the rate of detected and undetected dangerous
failures): SFF = (λS + λDD) / (λS + λDD + λDU), whereas DC = λDD / (λDD + λDU) counts only the dangerous failures. It is
important to realize that the only types of failures to be considered are those which could have some effect on
the safety function. Most low-complexity mechanical devices such as E-stop buttons and interlock switches will (on their own)
have a relatively low SFF. Most electronic devices for safety have designed-in redundancy and monitoring, therefore an SFF of
greater than 90% is common, although this is usually almost entirely due to the diagnostic coverage capability.
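As an added example (not from the page's source), the SFF and DC definitions above written as functions over FMEDA-style failure rates, together with the IEC 61508-2 Route 1H architectural-constraint tables that SFF feeds into (Type A for simple devices, Type B for complex ones). The three sets of device figures are constructed to show the distinction the text draws: a high SFF can come purely from failing safe, as with a fuse, or almost entirely from diagnostic coverage, as with a smart transmitter:

```python
"""Safe Failure Fraction, Diagnostic Coverage and the IEC 61508 architectural constraints (added illustration)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FailureRates:
    """Failure rates in FIT (failures per 1e9 hours), as an FMEDA would publish them.
    Only failures that can affect the safety function belong here; 'no effect' failures are excluded."""
    safe: float                  # lambda_S: fails towards the safe state (e.g. a fuse blowing open)
    dangerous_detected: float    # lambda_DD: would defeat the function, but diagnostics reveal it
    dangerous_undetected: float  # lambda_DU: defeats the function and nothing notices until a proof test


def diagnostic_coverage(r: FailureRates) -> float:
    """DC = lambda_DD / (lambda_DD + lambda_DU): share of dangerous failures the diagnostics catch."""
    dangerous = r.dangerous_detected + r.dangerous_undetected
    return r.dangerous_detected / dangerous if dangerous else 1.0


def safe_failure_fraction(r: FailureRates) -> float:
    """SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_DD + lambda_DU)."""
    total = r.safe + r.dangerous_detected + r.dangerous_undetected
    return (r.safe + r.dangerous_detected) / total


# IEC 61508-2 Route 1H: highest SIL one subsystem may claim, by SFF band and hardware fault
# tolerance (columns HFT 0, 1, 2). Type A: simple, fully characterised devices (relays, switches).
# Type B: complex devices whose failure modes are not all known (microprocessor-based). None = not allowed.
SFF_BANDS = ((0.0, 0.60), (0.60, 0.90), (0.90, 0.99), (0.99, 1.0 + 1e-9))
MAX_SIL_TYPE_A = ((1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4))
MAX_SIL_TYPE_B = ((None, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4))


def max_sil(sff: float, hft: int, type_b: bool) -> Optional[int]:
    """Architectural-constraint ceiling: what the SFF and HFT alone permit, before any PFD calculation."""
    table = MAX_SIL_TYPE_B if type_b else MAX_SIL_TYPE_A
    for (lo, hi), row in zip(SFF_BANDS, table):
        if lo <= sff < hi:
            return row[hft]
    raise ValueError("SFF must lie between 0 and 1")


# Constructed FMEDA-style figures (not from any real product):
ESTOP_SWITCH = FailureRates(safe=40, dangerous_detected=0, dangerous_undetected=60)            # low SFF, no diagnostics
FUSE_LIKE = FailureRates(safe=95, dangerous_detected=0, dangerous_undetected=5)                 # high SFF purely from failing open
SMART_TRANSMITTER = FailureRates(safe=300, dangerous_detected=650, dangerous_undetected=50)    # high SFF mostly from DC


if __name__ == "__main__":
    for name, rates, type_b in (("E-stop switch", ESTOP_SWITCH, False),
                                ("fuse-like element", FUSE_LIKE, False),
                                ("smart transmitter", SMART_TRANSMITTER, True)):
        sff = safe_failure_fraction(rates)
        print(f"{name}: SFF {sff:.0%}, DC {diagnostic_coverage(rates):.0%}, "
              f"max SIL at HFT0/1 = {max_sil(sff, 0, type_b)}/{max_sil(sff, 1, type_b)}")
```

The E-stop switch with SFF 40 % and the transmitter with SFF 95 % show why the tables matter: the simple switch may still be used alone for SIL 1 as a Type A device, while a Type B device below 60 % SFF may not be used at all without redundancy.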

Use Elegant Design to Bolster Inherent Safety


Embrace a variety of strategies that can eliminate hazards from operation
Trevor Kletz was able to simplify the concept of inherent safety in such a way that everyone “gets it.” His mantra “What you
don’t have can’t leak” is so clear and powerful that it has grabbed the attention of all stakeholders, including owner/operators,
labor, community members and regulators, who have an interest in safer processing facilities of all types. It expresses a vision
that we all seek, one where no harm comes from the operation of process facilities that manufacture the materials that make
our lives better every day. Of course, the concept of inherent safety goes beyond simply not having materials that potentially
could damage the pipes, vessels and equipment that make up manufacturing facilities. We must understand all the ways those
materials can be involved in incidents that harm people, the environment and our facilities. Without a thorough understanding
of those scenarios and how they can occur, we can’t properly evaluate the risks posed by different technological approaches
and effectively apply inherently safer technologies.

Sulfonic Acid Plant


Figure 1. Traditional design includes a compressor and knockout drum.
For example, the lower annual corrosion rate of a stainless alloy compared to carbon steel in some processes may seem
compelling. However, chloride exposure may cause stress corrosion cracking in the alloy; this damage is difficult to detect
before a catastrophic component failure occurs. So, in fact, the inherently safer option may be to use carbon steel while
implementing a strong inspection and replacement program that manages the hazard of corrosion effectively.
Fundamental Strategies
Kletz in his groundbreaking 1984 paper [1] described four basic strategies for achieving inherently safer processes:
• intensification;
• substitution;
• attenuation; and
• limitation of effects.
In its 2007 book, “Inherently Safer Chemical Processes: A Life Cycle Approach” [2], the Center for Chemical Process Safety
translated those terms into simpler ones readily understood by a wider audience than just safety professionals:
• substitute — replace a material with a less hazardous one;
• minimize — reduce the quantities of hazardous substances;
• moderate — use less hazardous conditions, a less hazardous form of a material or facilities that minimize the impact of a
release of hazardous material or energy; and
• simplify — design facilities that eliminate unnecessary complexity and make operating errors less likely, and that
accommodate errors that occur.
Let’s consider their application to the use of a chlorine cylinder:
• substitute — change from chlorine to a bromine tablet;
• minimize — keep only one cylinder on the site;
• moderate — connect a vacuum inductor to the cylinder; and
• simplify — adopt a distinct design with unique connections for chlorine hoses.
Other strategies can complement these simple ones. Here, we introduce the phrase “elegant design” to represent the selection
of process technology, equipment, design or layout that makes higher-potential-consequence scenarios non-credible. Elegant
design may take advantage of a number of Kletz’s strategies — and may even go beyond them to achieve risk reduction,
minimization, or elimination.

Safer Set-Up
Figure 2. Modified design requires less inventory of SO2 and eliminates equipment that could leak toxic material.
Simply put, the concept of inherently safer design is: “What can’t happen can’t happen.”

Any number of design features can contribute to preventing something from happening. Substitution and some elegant design
solutions can provide absolute certainty against an occurrence. Minimization, moderation and other elegant designs can afford
a reasonable certainty. Instructions and procedures can help but offer the least degree of certainty. All are desirable steps
toward a safer processing facility.

Every strategy doesn’t have to result in the complete elimination of the hazard or risk scenario. When we can make an
incorrect action or assembly impossible (or at least very difficult) or design to accommodate the error without harm, we use
the term “mistake proofing.” Where doable at a reasonable cost, this may be an attractive strategy because it rarely
introduces alternative scenarios. For our chlorine cylinder example, mistake proofing might include using unique connections
for the hoses.

In contrast, mistake tolerant systems provide timely feedback when a mistake happens, the means (either before or after loss
of containment) to correct the error before an undesirable outcome occurs, or, if not corrected, reduced consequences from
the mistake. For the chlorine cylinder, a mistake tolerant strategy might involve isolating chlorine inside buildings that have a
chlorine vapor recovery system.
Putting The Strategies To Use
To illustrate the application of inherent safety strategies, let’s look at several real-world situations: sulfonic acid plant design,
aluminum chloride (AlCl3) handling, a utility station and an electrical switchgear.
Sulfonic acid plant design. Reacting sulfur trioxide (SO3) dissolved in sulfur dioxide (SO2) with an alkylate feed produces
sulfonic acid. This is an exothermic reaction that boils off SO2 as its primary means of heat removal. The SO2 performs the
role of mutual solvent to allow intimate contacting between alkylate and SO3, which otherwise would only react at their mutual
surface. All of the materials are flammable. The SO2 and SO3 are both inhalation toxics.

The heat of reaction boils the SO2 and SO3 from the reactor. In the traditional plant design (Figure 1), two drums collect the
boiled-off vapor and allow the return of SO3 and any knocked-out liquid to the reactor. A compressor and cooling water
exchanger provide cooled, liquefied SO2 for recycling to the reactor.
Following inherently safer design principles, the process was modified to eliminate the compressor and collector drums and
replace the standard pumps with seal-less ones (Figure 2). This very significantly reduced the inventory of SO2 required to
operate the process and removed two pieces of rotating equipment, each of which had the potential to leak toxic material to
the air. In addition, because a Freon refrigerant is used, the bulk of the SO2 now is at a temperature not far from its boiling
point, which minimizes vaporization in the event of a leak. However, these process safety improvements were achieved by using
an ozone reactive material rather than cooling water.
The minimization and moderation strategies enhanced process safety — but opportunities exist to make the process even more
inherently safe:
• Use the cooling exchanger as knockout pot and provide for gravity drain of cooled SO2 back to the reactor, eliminating the
pump. (This requires relocation of the SO3 injection point.)
• Find a safer solvent than SO2.

Figure 4. In the event of drain-line plugging, water will overflow at the air break rather than back up into the silo.
In addition, even greater inherent safety may be possible by avoiding the process altogether, such as by switching to sulfonic
acid alternatives that are made via inherently safer processes.

Aluminum chloride handling, part 1. Figure 3 depicts part of a process that uses AlCl3 as an ionic polymerization catalyst. AlCl3
is a powder that reacts violently with water to form toxic hydrogen chloride (HCl) gas and aluminum hydroxide (Al(OH)3). Its
contact with skin results in burns. Low-pressure nitrogen is used to unload AlCl3 from delivery trucks and transport the
material to smaller vessels from which it is conveyed into the reactor. The AlCl3 is a very fine powder, some of which will
travel with the nitrogen. All conveying nitrogen is returned to a silo that can contain as much as 80,000 lb of AlCl3. It then
passes through a filter that returns most of the AlCl3 to the silo. What passes through the filter is scrubbed from the nitrogen
in a packed tower where water is sprinkled down through the bed as the nitrogen rises and is released from an elevated vent
stack. The slightly acidic water drops through a “p-trap” and then goes to the wastewater sewer.
This is a fairly simple process — but what happens if the p-trap plugs? Water will flood the scrubbing tower and back up in the
line towards the silo. Because the top of the vent from the scrubber is considerably higher than the filter on top of the silo, the
water eventually will reach the silo, resulting in a highly exothermic reaction and generation of HCl gas that can’t be contained
within the silo.
The normal way to address this issue would have been to install level sensors in the packed tower with alarms and automated
trip of the scrubbing water. An elegant and inherently safer design was to provide an air break in the water to the scrubbing
tower (Figure 4). The top of the funnel is at an elevation considerably lower than that of the filter — thus, if a plug occurs in the
drain line, the water runs out the top of the funnel. Little-to-no pressure head was required to get the water through the
distributor inside the tower.
This modification was far less costly than installing the safety critical devices first considered.
It’s difficult to put this inherent safety strategy into any of the four basic ones. It’s simply an elegant design solution that works
to make the scenario of water backing into the silo non-credible.
Aluminum chloride handling, part 2. Figure 5 shows the situation that existed at the reactor in the same plant with the AlCl3
silo. The AlCl3 passes at a controlled rate through a rotary feeder into the reactor. The AlCl3 has a tendency to plug the
standpipe between the feeder and the reactor. An operator’s natural inclination is to blow the plug free and into the reactor
using 140-psi nitrogen available close by. Fortunately, there’s never enough catalyst in the standpipe to cause a runaway
reaction.
What can go wrong in this situation? If the valve between the bleeder where the nitrogen is injected and the day pot is left open
or leaks, the nitrogen overpressures the day pot, blowing the rupture disk and sending fine AlCl3 powder over several acres.

To make the situation more mistake tolerant, the nitrogen source within a hose length of the bleeder was reduced in pressure
to 75 psi, well below the set pressure of the rupture disc on the AlCl3 day pot. To prevent an operator from being tempted to
adjust the pressure of that regulated nitrogen, a safety valve that relieves to an elevated location limits the pressure.
This didn’t prevent one ambitious operator from stringing two nitrogen hoses together to bring 140-psi nitrogen to the day pot
after working unsuccessfully for several hours to remove a clogged drop line using the 75-psi source.
Utility station. The use of a hose connected to a utility station is one of the most common ways that operators interact with
process facilities. Figure 6 depicts a typical set-up for a utility station near the point of use that provides water, steam,
nitrogen and air.
What could go wrong here? How could this set-up be improved?
In the modified utility station design, each utility was given a different type of connection. Each line not only was labeled but
also color coded in a fashion that allowed even those suffering from color blindness to distinguish the utility based on the line’s
lightness or darkness. The distinct connector and color of each hose made mismatching, and therefore mistaking, the utility
being connected to the process very unlikely. In addition, the arrangement of the utility station was modified to separate the air
and nitrogen supply to provide one more barrier to mistakenly using nitrogen to drive a tool in a confined space.

Utility Station
Figure 6. Use of similar types of connections makes it easy to connect a hose to the wrong utility; opting for distinct
connections and color-coding makes hookup mistakes unlikely.
It remains possible for some ambitious soul to prepare a crossover connection by appropriating the right set of fittings.
Therefore, you must carefully control these utility station fittings.
This is an application of the mistake proofing form of inherently safer design.
Electrical switchgear. Figure 7 depicts an electrical switchgear in 2,300-V service. It serves as the primary electrical
disconnect and lockout point for isolating a large pump when it needs service.
Where does the lock go to ensure that the equipment can’t be re-energized while repairs are being made? There is a hasp
conveniently placed in plain view on the handle that opens the cabinet door. However, the lock actually should go through a little
tab above the disconnect switch that can be pulled out when the switch is in the off position.
You could try training your personnel on the proper location for the lock. You could put a sign on the cabinet to indicate where
the lock goes. Then you could realize operators will hang the lock in the wrong location before they look for a sign that would
tell them the right location — and put another sign on the wrong location that says: “Lockout lock does not go here!” However,
eventually even that sign becomes just background noise.

We tried all these things before happening upon a solution that worked — cutting off the hasp on the door handle!
An operator knows a lock must be placed on the switchgear. Now, if the operator forgets exactly where the lock should go, the
person will think about it and either come up with the right — and only — solution or ask. The possibility of making a mistake no
longer exists.
Is this inherently safer switchgear? Yes.
Does it fall into one of the four basic inherent safety strategies? Not really, although it may be a form of mistake proofing.
The Key To Success
Application of inherent safety principles is just one aspect of making safety second nature. For each situation, other
approaches may be equally effective as the basic four and may be economically feasible when none of the four are. Moreover,
it’s important to realize that mandating the use of inherent safety is like placing signs throughout the workplace that say: “Be
Safe.” Each has little benefit until you have translated the mindset into practical application.
You achieve expertise in the practical application of inherent safety principles through the diligent and repeated search for and
application of inherently safer solutions. This experience is what makes a safety engineer effective and a process plant a safer
place to earn a living. You train your brain to spot applications for solutions you’ve seen before and you apply principles you’ve
used before to solve new problems. The end result is a mindset that makes safety second nature.

Prevention through design: adopting inherently safer approaches

15 August 2014
Graeme Ellis, principal safety consultant at ABB Consulting, has been responsible for developing new Inherent Safety in Design
(ISD) guidance on behalf of the Energy Institute. Here, he outlines the benefits this method brings compared to traditional
safety approaches, as presented at the unveiling of the new guidance at Hazards 24, IChemE’s leading process safety
conference which took place in Edinburgh in May 2014.


Process safety accidents normally involve the failure of several protective barriers, leading to the tightening of management
controls to assure performance. But what about the alternative? The ‘inherently safe approach’ involves removing hazards or
minimising their consequences through initial design rather than relying on ‘bolt-on’ protection that can, and does, fail.

The Health and Safety Executive (HSE) defines this ‘inherently safe’ approach to hazard management as “one that tries to avoid
or eliminate hazards, or reduce their magnitude, severity, or likelihood of occurrence, by careful attention to the fundamental
design and layout.”
Whilst there are good examples of inherently safe designs in a range of industries, from process to energy, there is a
noticeable lack of design methods to ensure opportunities are systematically identified and exploited. What is required is a
change of approach amongst project leaders in the upstream and downstream energy industry, away from a design culture
that currently favours ‘bolt-on’ safety features.

 The first issue of the Energy Institute (EI) guidance on Inherent Safety was published in 2005 and aimed to reduce the
occurrences of unnecessary risks in design safety cases for the UK offshore oil and gas sector.  Now, nine years later in 2014,
it is necessary to bring the guidance up-to-date to meet new regulations and be more widely applied throughout the energy
sector.  The scope of this new  guidance has been broadened to large and small organisations covering offshore production
platforms, onshore refineries, fuel storage facilities, and power generation stations.

 The guidance proposes that companies should develop procedures to ensure that options to improve inherent safety are
systematically reviewed throughout the design lifecycle. This should mean that all opportunities to eliminate or minimize
hazards at source have been assessed.
 It is recognised that implementing improvements will in practice be subject to cost, schedule and technology constraints.
Assessments should consider total project and lifecycle costs, as inherent safety options may require more expensive major
equipment items whilst reducing the overall capital and operating expenditure.

Traditional approach versus inherently safer approach

 If we take an example of a common hazard we can compare and contrast the traditional approach taken by design teams with
an alternative inherently safer approach that could be adopted. A common hazard is the overpressure and rupture of a vessel
due to a loss of temperature control.

A traditional safety approach would involve designing a vessel for normal operating pressures and then adding a high
temperature trip, isolating the heating system, and a pressure relief system designed for the maximum rate of vaporisation.
Incorporating these protective features will require additional capital costs as well as maintenance costs, which need to be
factored in. With an inherent safety approach the key is elimination: this means a vessel with its design pressure above the
maximum credible pressure, with the costlier vessel offset by savings in providing and maintaining the add-on systems.

 For major projects in the energy industry, an inherent safety workshop at the concept selection stage is recommended, before
HAZID (Hazard Identification) studies required during the subsequent front-end engineering design (FEED) stage.

 The concept stage workshop should ensure that:


 •  project objectives and processes are fully understood;
 •  the project’s impact on existing facilities is fully considered;
 •  learnings are taken from relevant process safety incidents;
 •  the introduction of new hazardous substances is taken into consideration;
 •  new process technologies and conditions are taken into consideration;
 •  new updates to regulatory process safety documentation are reviewed and applied;
 •  increased hazards to people, transportation methods and external hazards such as earthquakes are fully considered;
 •  suitable Design Guidelines, Codes of Practice, and Standards are factored into plans; and
 •  existing emergency facilities are adequate to meet increased demands.

 An inherent safety workshop will not be appropriate for all projects particularly where existing technology is required. When it
is suitable, the workshop team identifies potential hazardous events based on a process block diagram and applies inherent
safety principles to identify improvement options, following the inherent safety principles hierarchy: elimination, substitution,
minimisation, moderation, segregation and simplification.
Principle        Meaning
Elimination      Avoid the hazard completely
Substitution     Reduce the hazard severity by changing the nature of the hazard
Minimisation     Reduce the hazard severity by changing the scale of the hazard
Moderation       Reduce the hazard severity by minimising the impact of a release or hazardous event
Segregation      Limit the effects, reducing the potential for the hazard to cause harm
Simplification   Reduce the hazard likelihood through inherent features of the design

Figure 1: Table outlining the principles of inherent safety

 For every process option there should be a process block diagram, which should be carefully considered and prepared in
advance. For example a new offshore production may well include options for subsea facilities, a normally unmanned
installation, or a fully occupied platform. Each block should represent a process system, e.g. storage, heating, separation, or
transfer. The blocks and connecting lines should show basic process parameters such as pressure, temperature and fluid
composition.

 The inherent safety workshop team firstly ‘brainstorms’ potential hazardous events at each process block based on its
knowledge and experience. The inherent safety principles will then be applied to assess process design options, focussing on
elimination or reduction of the hazard, rather than reducing the likelihood by providing ‘bolt-on’ risk reduction measures.

Cost-benefit analysis

 Following the inherent safety workshop several design options may need to be assessed for either a process system or an
entire process route. Some form of cost-benefit analysis will often be required to choose between options, although in many
cases a simple qualitative judgement by an experienced study team should be sufficient.

 It is at this point that a HAZID study at the subsequent FEED stage further identifies credible hazard scenarios and assesses
whether further measures are required to reduce risks to a tolerable level. HAZID study teams often default to providing
additional ‘add-on’ risk reduction measures to reduce the event likelihood, rather than first looking for inherently safer options.
It is recommended that procedures for HAZID studies are reviewed, to ensure that the team is encouraged to fully explore
inherently safer design options.

The focus for improvement is elimination


Throughout the energy industry there is an acceptance of the importance of inherent safety principles; however, the
application of structured reviews during the design stage of projects has not gained general acceptance in the way that
traditional approaches such as HAZID and Hazard and Operability (HAZOP) studies have. The main difference is that the ISD focus
for improvement is elimination and reduction of hazards rather than provision of ‘add-on’ risk reduction measures.

Whilst process designers will point to examples of inherent safety features considered to be good practice, I believe that
opportunities for applying inherent safety in design are not being systematically assessed. This is potentially due to a lack of
awareness of this topic or a lack of tools to be applied during normal projects to encourage inherent safety thinking. Design
teams may also believe there is a lack of opportunity to apply inherent safety in design for established technology, particularly
when the basic design is ‘standardised’ or provided under licence.

 Inherent safety in design can however be applied to all stages of the design lifecycle, although it is generally agreed that the
greatest benefits will be obtained during the early concept stage.

Legislative drivers

 There is an increasing expectation from US and EU regulators that inherent safety is assessed during the early stages of
design. The EU Offshore Safety directive 2013 related to offshore oil and gas operations requires “a description of the design
process for the production operations and systems, from an initial concept to the submitted design or selection of an existing
installation, the relevant standards used, and the design concepts included in the process”, and later requires the Competent
Authority to ensure “how the design decisions described in the design notification have taken account of risk management so
as to ensure inherent safety and environmental principles are incorporated.”

Failure to comply with requirements such as those stated in the EU Offshore Safety Directive (2013) or guidance on the EU
onshore ‘Seveso III’ Directive could result in significant delays and costs at later stages of the project.

On the other hand, the US OSHA PSM standard requires companies handling hazardous substances to carry out Process Hazard
Analysis to identify and assess hazards, but has no specific requirement for inherent safety in design. However, there is an
increasing awareness of the importance of ISD in the US, and some states are starting to mandate inherent safety assessments
for new process designs.

 Aside from these legislative drivers, there are many benefits from applying inherent safety early in the project before
decisions have been made on the choice of equipment. At this early stage, the design only appears ‘on paper’, allowing
significant changes to be made, achieving substantial reduction in risks, and potentially reducing the overall lifecycle costs. As
the design progresses and the process is increasingly fixed, it becomes more difficult and costly to make changes and the
benefits in terms of hazard and risk reduction on the overall process become limited.

 The new ISD guidance (Energy Institute, 2014) outlines how the effective application of inherent safety in design can provide the
following benefits:
 •  unlike traditional approaches to process safety that require expensive 'add-on' risk reduction measures, inherent safety in
design provides an opportunity to identify improvements that can reduce overall capital and operating expenditure;
 •  the principle of 'minimisation' challenges large inventories of dangerous substances and promotes smaller equipment with
reduced cost and weight, particularly beneficial for offshore platforms;
 •  eliminating or reducing hazards early in the design will avoid potential delays caused by re-design to meet risk criteria;
 •  reduction in process equipment and 'add-on' safety systems reducing the time for design, procurement, construction and
installation;
 •  less reliance on 'add-on' safety systems decreases maintenance, repair and inspection costs during facility lifecycle; and
 •  reducing the number of hazardous activities and hence number of personnel exposed to risks and the likelihood for human
failure.
 In many cases the benefits of an inherent safety improvement option will be clear, whereas in other cases there may be
conflicts between options that need detailed assessment to resolve. There may also be conflicting pressures on the project
team, including factors such as cost implications, operational flexibility, personal preferences, available information or
pressures due to project schedule.
Conclusions
 Inherent safety is not a new topic but the process industry has often failed to maximise the hazard reduction potential from
this approach and reap the benefits including reduced lifecycle costs. Whilst international codes of practice often fail to
promote inherent safety and can perpetuate risk reduction using ‘bolt-on’ safety systems, global regulators are now requiring
demonstrations that inherent safety improvement options have been effectively assessed using structured techniques.
 The main additional requirement for design teams is to carry out structured inherent safety workshops during the concept
stage when the greatest opportunity exists to benefit from applying inherent safety. The inherent safety approach has reduced
benefits during the latter stages of design, but should nevertheless be actively encouraged during HAZID and HAZOP studies as
a preferred option in place of traditional ‘bolt-on’ safety systems.
 The most inherently safe process will not always be the most attractive economically and the technology may be unproven.
Design teams should be aware that technology continues to evolve, and inherent safety options that are not economically
attractive for a current project should be retained for consideration on future projects. The design stage presents the
greatest opportunity to reduce risks from process facilities that pose the potential for significant harm to both people and the
environment.

Legislating for Inherent safety in the US: Reflections on the ongoing debate
10 Feb 2014
Kehinde Shaba

There has been a recent public exchange of views between the head of the US Chemical Safety Board (CSB) (Rafael Moure-
Eraso) and Cal Dooley (head of the American Chemical Council, an industry trade association). This exchange was precipitated
by the former who argued (in a New York Times Op-Ed piece) that enshrining Inherently Safer Design (ISD) principles in law is
central to achieving a significant reduction in safety incidents, with several recent large incidents cited. Dooley has taken a dim
view of this suggestion.
Is Inherent Safety legislatable?

Whether or not writing inherent safety into law will improve safety standards is of course debatable, but the available
evidence on the application of similar principles (As Low As Reasonably Practicable [ALARP], So Far As Is Reasonably
Practicable [SFAIRP], the Precautionary Principle, Best Available Technology Not Entailing Excessive Cost [BATNEEC]) in other
geographies suggests that it will. It is well known that European countries, especially the northern European ones, have
arguably the best safety records in the world.

It is worth noting that these concepts generally tend to be qualified when used in the European sense and require a sense of
balance versus other competing considerations such as risk, benefit and cost. It goes without saying that the benefits provided
by a course of action should always be weighed against the cost required to achieve it. Additionally, the idea of zero risk is a
fallacy and is not prudent public policy.

The success of such initiatives goes beyond codifying requirements in law. There are numerous practical considerations that
need to be in place not least a highly competent regulator and most importantly “buy in” by all stakeholders. This latter point is
probably the most instructive and definitive – it is difficult to achieve commitment without involvement and engagement.
The case against…
Dooley writes1 that “Inherently safer approaches are already considered by companies”. If the industry already considers
these principles, surely implementing them in legislation shouldn’t be an issue? It seems odd that there should be an
unwelcome negative reaction to an activity already engaged in by industry.
Another opposition argument is the extent to which such a law would be unenforceable. Dooley continues: “But mandating them is
impractical and would create a regulatory requirement that has been recognised by one official of the Environmental
Protection Agency as ‘monumentally difficult’.” This is a point worthy of note. Philosophies such as ISD, ALARP etc. thrive
largely because they are implemented in performance-based regulatory regimes where emphasis is placed on the outcome
rather than the method of achieving the outcome. US legislation is, for the most part, prescriptive (i.e. very particular
on what must be done and how), and hence making ISD work in that environment would be monumentally difficult.
It is fair to say this initiative can present significant challenges, but the European example is proof that it works. Going forward,
the real question here is whether the concerned stakeholders are willing to come together, agree and commit to a plan of
action—in legislation or otherwise—that will help improve the current safety standards, which it is fair to say (and few would
disagree) can be improved.

Statement from CSB Chairperson Rafael Moure-Eraso on the Passing of Noted Chemical Process Safety Expert Professor
Trevor Kletz
CSB board members and staff are saddened to learn of the death of one of the world’s greatest authorities on chemical
process safety, Dr. Trevor Kletz. Starting as a research chemist in the United Kingdom, Dr. Kletz’s career in industry
established him as an expert in chemical process safety, safety culture, and as an advocate – indeed the father of – the
concept of inherently safer technology and processes. One of his seminal papers was entitled, “What You Don’t Have Can’t
Leak.” His teachings on accident investigations refocused the emphasis from individual lapses to systems failures and safer
design. These concepts fostered a revolution in modern safety management thinking.
After retiring in 1982, Dr. Kletz established a second career as an author, speaker and academic. He served in recent years as
adjunct professor of the Texas A&M University and Visiting Professor of Chemical Engineering at Loughborough University in
the UK. We felt particularly attached to the work of Dr. Kletz as his commentary – excerpted from a CSB interview with him –
is featured prominently in our 2008 CSB safety video, “Anatomy of a Disaster,” which tells the story of the BP Texas City
refinery accident in 2005 that killed 15 workers and injured 180 others.
In the video, Dr. Kletz says, “There's an old saying that if you think safety is expensive, try an accident. Accidents cost a lot of
money. And, not only in damage to plant and in claims for injury, but also in the loss of the company's reputation.” And in
another segment, on the company’s reporting and learning culture: “Well, after an accident, managers often say, ‘I didn't know
this was happening or not happening,’ as the case may be, ‘if I'd known it, I'd have stopped it.’ Now this is bad management. It's
the manager's job to know what is going on. And, he can do that by going round and by keeping his eyes open and reading the
accident reports in detail.”
These are typical of the ways in which this wonderful man, so committed to preventing accidents and saving lives,
communicated in such plain and effective language. Consider this typically pointed comment – also from our video – that gets
to the heart of why accident prevention should be about looking for root causes, and not individual blame: “For a long time,
people were saying that most accidents were due to human error and this is true in a sense but it's not very helpful. It's a bit
like saying that falls are due to gravity.”

The titles of just some of Dr. Kletz’s many authoritative books display his keen focus on making processes safer: “What Went
Wrong?” “Lessons from Accidents,” “Process Plants – a Handbook for Inherently Safer Design,” and “By Accident – a Life
Preventing Them in Industry.”
So today we mourn the loss of Trevor Kletz, whose lifetime of work has unquestionably resulted in workers’ lives saved and
accidents prevented – a legacy we will try to emulate at the CSB.

Process Safety Lessons Learned


Process safety has been a popular topic these days. Unfortunately, it has hit mainstream press because of high profile safety
incidents such as last year’s Deepwater Horizon accident in the Gulf of Mexico. On a positive note, process safety isn’t just for
the experts anymore. Many process industry business leaders and managers are taking a stern look at their organization and
wondering if they are protected or not. Still, some are making the mistake of assuming that their past success operating safely
is an indicator of future process-safety success.
I just read an article by Walt Boyes titled “Process Plants Accidents – Careful. We Don’t Want to Learn from This.” Walt makes
some really strong points about the lack of process safety improvements over the past 25-plus years, since the 1984 Bhopal,
India incident got the process safety management (PSM) ball rolling. Walt once corrected me on a point that he did not make in
his article. A couple of years ago, I was talking to him about the need to simplify regulatory compliance and he told me that I
had it all wrong.
Walt said, “If the goal is to be regulatory compliant, then you are missing the point.” Walt’s point was that regulatory
compliance is not a goal to strive for. If you are hoping to improve your safety by becoming “regulatory compliant” then you
are setting yourself up to fall woefully short of actually managing your process safety. The regulatory compliant mindset can
lead you onto all sorts of stray paths if you are not careful. This is a major contributor to many ineffective safety programs and
management cultures today. During the investigations into the Deepwater Horizon incident, we saw clear examples of very
smart people making irrational decisions because their goal was to meet the regulatory compliance requirements set by the
Minerals Management Service (MMS) in the Gulf of Mexico. Instead, it is important to focus on the goal–managing process safety.
Beyond the inadequacy of regulatory compliance as a goal, many of the key points made in the 2008 U.S. Chemical Safety
Board (CSB) video titled Anatomy of a Disaster are still valuable lessons for the process industry to learn. If you haven’t
watched this video yet, I urge you to schedule an hour into your calendar and take the time to learn some lessons from a
recent industry event. With permission from the CSB, I have picked out some of the more valuable quotes from the process
safety experts that were interviewed in the video.
“There’s an old saying that if you think safety is expensive try an accident. Accidents cost a lot of money, not only in damage to
plant and claims to injuries but also in the loss of the company’s reputation.”-Dr. Trevor Kletz
This week I read the IndustryWeek article, “BP Refines Post-Spill Drilling Strategy.” Less than a year after the Deepwater Horizon
incident, there are already signs of BP’s top management taking a leadership role in driving process safety management in
their company. Change like this isn’t something that can be driven from the bottom up. You need top down support to make this
happen. The article discusses some of the safety culture and management changes that the new CEO Robert Dudley says are
happening at BP. Dudley is quoted as saying that production shutdowns are costly, but “safety is good business.”
“My fear is that some of the other refineries within the United States will feel, that couldn’t happen to me. And the ones that
feel that couldn’t happen at their site are the ones that are set up to have it happen there.” – Glenn Erwin
This is one of the major challenges that the process industry faces. After the Deepwater Horizon incident, leaders from several
multinational oil companies testified before Congress that something like this couldn’t happen to them. This is a natural
response to this kind of industry event. However, the major oil producers did come together after recognition that their
emergency response plans were all pretty much the same and they were indeed subject to some of the same problems. Exxon
Mobil, Shell, ConocoPhillips, Chevron, and BP have since formed a non-profit organization, the Marine Well Containment
Company, which will provide a rapid response system to capture and contain oil in the event of another blowout in the Gulf of
Mexico.
“Process safety deals with the fires, explosions, and toxic releases and things like that. You can have a very good accident rate
for what we call “hard hat accidents” and not for process ones.” – Dr. Trevor Kletz
It is common to see process industry facilities with signs reminding you to hold onto handrails, watch where you are walking,
and be careful not to be burned by spilled coffee. If you drive down Highway 225 in southeast Houston, you are likely to see
dozens of signs outside refineries and chemical plants displaying hundreds of thousands of man-hours without a lost-time
or total recordable incident. While it is important to celebrate personal safety milestones, they have little
connection with process safety performance. A very low lost-time accident rate can induce complacency
and a false sense that safety is being well managed. A key lesson from recent incidents is the need to track process safety
leading indicators (measures of whether the barriers are being maintained, such as overdue safety-critical inspections or the
number of active bypasses of protective systems) and lagging indicators (loss-of-containment events and near misses) in
addition to personal safety metrics. The AIChE Center for Chemical Process Safety (CCPS) has recently
made significant progress developing process safety metrics.
“The fact that you’ve gone for 20 years without a catastrophic event is no guarantee that there won’t be one tomorrow.” –
Prof. Andrew Hopkins
Personal safety focuses on preventing high-frequency, lower-consequence incidents like slips, trips, and falls. Process safety
focuses on preventing much lower-frequency events with catastrophic consequences. Many process safety hazards are
estimated to occur only once in the life of a facility, or even only once in the life of an industry.
Some hazardous event frequencies are measured in terms of once in thousands of years. These events typically result from
multiple causes related to a complex sequence of failures in equipment, people, processes, and decision-making. So, often the
process industry celebrates the personal safety successes while having to fight complacency on the need for continuous
process safety vigilance. Some safety engineers complain that change is hard to justify because current practices have not
resulted in any safety incidents. It often takes a catastrophic kind of event to invigorate the organization’s focus and
commitment around process safety.

Posted 30th July 2016 by kishorereddy kattukolu
