Relief Load In Case Of Control Valve Failure


14 replies to this topic

#1 Chemie

Chemie

    Junior Member

  • ChE Plus Subscriber
  • 20 posts

Posted 05 April 2006 - 02:50 PM

Dear Friends,

I had a discussion in our team regarding calculation of relief load from control valve failure case in a NG line.
The system has two independent control valves in series (first and second @ 600 mts apart) for controlling pressure to the downstream unit. The second set of control valves has two 100% control valves operating in parallel. The downstream unit supplies the gas to two independent units via a branched process line. The second PCV is controlled by a high selector signal coming from two independent PTs. The PSV is located downstream of the second PCV.

The requirement of PSV is due to the pressure limitation from the downstream unit and also the wide variation of the incoming supply pressure figures (chances of pressure surges deviation from almost normal operation).

1. As two control valves are in series, I took credit for only one control valve failure at a time
2. It came up in our discussion that the relief load should be calculated based on maximum upstream pressure at the second PCV which in my opinion would be possible in case of first PCV fail (correct me if I am wrong).
3. The normal supply pressure of NG would be such that it would not have required to have two control valves in series. The supplier had given a wide range of supply conditions for which the control valve will be choked if designed at the max pressure. I suggested to put two control valves to mitigate the requirement of huge relief load for control valve failure case.

I would ask for experienced advice about:

1. Can we have multiple control valves in series fail at the same time?
2. The second set of control valves have a common control; can we assume both control valves fail open at the same time on common controller failure?
3. What are the chances of having a DCS software failure which will mechanically fail open the designed fail close valve?
4. Can we take DCS software credit for calculating relief load?

I am not really sure about the action of the control valves in case of controller failure. I am under the impression that the control valve will go to design safe condition in case of controller failure.

From the little understanding and experience that I have, I feel that there are too many factors that have to occur at the same time to have a huge relief load. Sudden increase in supply pressure, first PCV failure and also two second PCV fail open to arrive at the huge relief load.

Chemie

#2 pleckner

pleckner

    Gold Member

  • ChE Plus Subscriber
  • 564 posts

Posted 05 April 2006 - 07:38 PM

Double jeopardy is defined as two or more failures that are unrelated and happen at the exact same time. If the failures are related or do not happen at the same exact time, then the multiple failures are credible. For example, if I lose power to a cooling water pump, the pump stops and I lose cooling water. This can trigger a relief in say a distillation column. These are two failures but are related.

In the case of normally failed closed control valves in series, we historically do not consider the valves failing at the same time in the fully opened position as being credible. We assume one valve fails in the opposite direction as to normal failure position, i.e. a normally failed closed valve fails in the opened position. But the second valve is assumed to be in its maximum design operating position.

Therefore, you have two scenarios to calculate for, the first is the high pressure valve failing opened but the low pressure valve being in its design operating open position. The second would be the high pressure valve being in its maximum design open position and the low pressure valve failing opened. For complete documentation, both scenarios must be calculated.

And yes, you historically assume the maximum upstream pressure and this upstream pressure may even be a relief condition by itself. Nothing says the source can't go into relief (or be close to it) and have the system still be in operation. This can be debated (and just might be in this Forum) but in my experience (which is rather extensive), this is what we do.

So in summary, one valve failure at a time. And no, you can't take the DCS software credit when calculating relieving rates. You can use instrumentation or control to determine if there is a credible scenario but once a credible scenario is established, you do not take instrumentation into account to reduce the relieving rate.

#3 Chemie

Chemie

    Junior Member

  • ChE Plus Subscriber
  • 20 posts

Posted 07 April 2006 - 02:48 PM

Thanks Phil,

I was in an opinion of supply pressure as a different entity. This is because the supply pressure for NG is normally constant and the high pressure used for design of the line and the control valve is higher by @50% of the normal supply pressure.

Regarding two control valve in series I was of the same opinion. For the maximum pressure downstream of the high pressure control valve, again it was assumed as a fail open case.

For the documentation purposes, I calculated both the flows, but was not confused with the double jeopardy.

Eventually I read some of the articles posted on the Cheresources website. They are really informative for a less experienced person like me.

Chemie

#4 itdepends

itdepends

    Brand New Member

  • Members
  • 1 posts

Posted 11 May 2006 - 11:49 PM

For interest- I noticed someone mentioned not taking credit for the DCS system above to reduce relief scenarios- however- be aware that a DCS system can be responsible for multiple failures that might be otherwise considered double jeopardy.

E.g.- a tank with 5 pumps pumping out of it where some of the pumps are fed by a separate power supply- this was the situation I was faced with a while ago regarding vent sizing- the scenario concerned was total loss of outflow at design inflow- you would not normally consider all 5 pumps stopping as a credible scenario- except that a muck up in the DCS system can do this easily. e.g. someone installs an interlock to stop the pumps on HH level in a downstream tank.

#5 Chemie

Chemie

    Junior Member

  • ChE Plus Subscriber
  • 20 posts

Posted 05 July 2006 - 02:25 PM

itdepends

I am sorry about the late reply. To my understanding and experience, the interlocks on the DCS are installed after considering the system has been deemed mechanically safe. I may be wrong in this view, I don't know. But now with whatever experience I gained I can say that DCS cannot be taken into credit for safety except when the whole instrumentation are covered under HIPPS. For calculating the relief load or specifying the material only the physical worst case have to be considered with no credit to be taken from the instrumentation except HIPPS.

And regarding the pump failures all the pumps can fail in event of a power failure not due to DCS only. And this is a valid scenario as except the emergency power driven pumps the relief scenario have to be considered for the pumps failure.

Chemie

#6 djack77494

djack77494

    Gold Member

  • ChE Plus Subscriber
  • 1,282 posts

Posted 07 July 2006 - 09:28 AM

I have a few comments regarding this discussion, and particularly "double jeopardy". First, it seems to me that you're stating that your two independent control valves are not so independent. If you have a single controller that supplies signals to both valves, then a single failure can cause both valves to open or close.

An expansion on this point concerns the application of double jeopardy considerations. My most recent experiences suggest casting a doubtful eye towards the "double jeopardy defense". Recent client preferences say that there must be ZERO connection between the two events; no event or logical sequence of events can lead to the simultaneous development of both jeopardies. An especially interesting situation develops in the case you have described. You have two independent pressure reducing valves which, I presume, drop pressure from a relatively high to a relatively low level. Let's consider them self contained pressure regulators for the moment so we can agree that they are indeed independent. What happens if the upstream regulator fails open? The pressure between the regulators will rise to near the upstream pressure, and we'll be relying on the downstream regulator to limit downstream pressure. Was it designed for this? Can its actuator handle the higher forces generated by this condition? If the answers are "yes", then we're partially "out of the woods"; we still have a workable solution despite one jeopardy. (If either answer is "no", then we have a problem with just a single jeopardy.)

Now I would ask, "How do we become aware that this jeopardy has occurred?" Is there a high pressure alarm between the two regulators? If not, when the upstream regulator fails, we may be completely unaware of the situation for a long period of time. We might even come to consider it "normal". After all, our design is sufficiently robust that it can perform as needed despite this failure. So if we are obliviously "cruising along" in this "new normal mode of operation" and then the downstream regulator fails, can we call this "double jeopardy"? My clients say NO. If you do not identify the first jeopardy in a timely fashion, then you cannot assume that it will be addressed and repaired in a timely fashion. I'd welcome other thoughts about this.
Doug

#7 pleckner

pleckner

    Gold Member

  • ChE Plus Subscriber
  • 564 posts

Posted 07 July 2006 - 11:35 AM

I posted a reply on this above so I won't repeat but I will say that in the scenario just brought up, I agree. This is not double jeopardy.

But there is historic precedence and the very over cautious. If my customer has more strict policies than I would historically use, I always go with the customer; the customer is always right.

#8 Chemie

Chemie

    Junior Member

  • ChE Plus Subscriber
  • 20 posts

Posted 07 July 2006 - 03:30 PM

Doug,

In the case which I described the two independent control valves (in parallel) are situated in the downstream of the main pressure let down valve. But they are interconnected with a common controller which will control the highest pressure of the downstream units. Even though there is a high selector they have two independent pressure transmitters.

I am still not sure what would be the action of the control valve in case of controller failure. Remember the second set of control valves are designed to be fail close. Thinking more intimately the control failure is one scenario and then assuming that the control valve does not close is another scenario. Initially I assumed that only one control valve can fail close due to control valve failure as the only thing that can trigger both events is a mechanical blockage in the control valve. Maybe I am wrong, I was not sure if the control valves would behave in the opposite manner simultaneously with the controller failure. Importantly during the scenario of control valve malfunction can we assume that both parallel control valves can have blockage at the same time to prevent them from closing in a natural designed manner?

But now I think it is better to assume both control valve failure due to controller failure, because if there is any remote possibility of this event occurring the relief valve has to be sized accordingly. As client is always right.
My concern was not to oversize the safety valve which may induce chattering in the valve.

Regarding the second control valve set, the actuators are specified at the design pressure of the first control valve which allows them to work with the excess upstream pressure from the failure of first control valve. Again it is based on the assumption that there is a control valve in the market which can react fast enough to maintain the downstream pressure even if there is a large surge in pressure. There is a pressure transmitter in the downstream of the first control valve which monitors the pressure with a high alarm. But I agree with you that if there were no pressure transmitters with high alarm then there would be a definite problem.

I would have liked to have some feedback from experienced control valve specialists regarding this matter. Specifically about the fast acting control valves.

Chemie

#9 pleckner

pleckner

    Gold Member

  • ChE Plus Subscriber
  • 564 posts

Posted 07 July 2006 - 05:44 PM

Chemie:

If you would like a response from control systems people, I would strongly suggest you repost this in the General Engineering forum. And I know you tried hard, but your post is rather confusing so I also recommend you re-state the problem in terms of control valve actions. Also, re-title the post to attract some control systems people. I think you'll have a much better chance getting that response you are hoping for.

Now, I have a question. Is this split range control you are trying to describe?

#10 rxnarang

rxnarang

    Gold Member

  • Members
  • 133 posts

Posted 08 July 2006 - 04:03 AM

I am concerned about using the term "Fail close" to take credit for a relieving event. FC or FO has nothing to do with mitigating an event. This is the fail position of the control valve in case of loss of instrument air (or motive force), and is used by control engineers to configure the spring of the actuator. The valve can also go full open or full close by any other means e.g. operator error or control loop malfunction. In HAZOPs I like to use the word "driven" open or close.

Without looking at the P&ID I would not hazard a guess on the viability of a double jeopardy. If there is ANYTHING in common between the two valves, including elements of control loop, then double jeopardy is out of the window.

#11 djack77494

djack77494

    Gold Member

  • ChE Plus Subscriber
  • 1,282 posts

Posted 10 July 2006 - 08:05 AM

Rajiv,
I like your approach and I would concur with you about the use of the word "fail" vis-a-vis "driven". However, "fail" is in very widespread use, and I don't think our preferences will have much impact. Also, with possible solenoid valves in the instrument air supply, and with the widespread use of valve positioners, it is quite possible (likely) to have multiple failure modes.

I find myself in agreement with some of your other points as well. You correctly point out that "failure position" has nothing to do with mitigating an event. Rather, in my mind, the failure position aids you in describing hazardous scenarios. Thus, if you postulate a plant-wide instrument air (and somehow you also postulate that you may continue to operate) then it is useful to imagine what position your actuated valves will be in so that this impact may be evaluated. Regardless of the "fail position", I would always consider controller failure as a scenario, and in this scenario the valve will be in the worst possible position, no matter what the "fail" position is.

Going back to some of the earlier posts for a moment, Chemie better described his system in his most recent post. I would say to you to think about your total pressure control loop. Starting at the process connection, you surely have a block valve and a vent/bleed valve upstream of the pressure transducer. Thus it is quite possible for the pressure transducer to see atmospheric pressure if the instrument is blocked in and the pressure is then bled off. Both control valves would take appropriate action (probably fully open). This is not an unrealistic operation; blocking in and bleeding the impulse line to the transducer would be the first step in many instrument maintenance/adjustment functions. So it's actually very easy to imagine situations where this "double jeopardy" case can be precipitated.
HTH,
Doug

#12 rxnarang

rxnarang

    Gold Member

  • Members
  • 133 posts

Posted 11 July 2006 - 01:29 AM

Doug,

You are correct. It is very easy to have both valves driven open, and the scenario you described is one. In fact, I wanted to say that taking credit for "double jeopardy" should be done with caution, and if I read your post correctly, you concur. I think I used the wrong expression to say that.

I wish people would post more sketches of the problems they face. This one can best be understood with a graphic.

Finally, can anybody tell me how to remove the "quote of the last posting"? Every time I press the reply button, the quote is automatically generated.

Regards

#13 Chemie

Chemie

    Junior Member

  • ChE Plus Subscriber
  • 20 posts

Posted 12 July 2006 - 12:14 PM

Thanks All,

I agree that there are too many factors for mitigating a double jeopardy for control valve failure having a common control loop even if there are multiple transmitters in the loop.

But there is one point missing, in the last post it was mentioned that the pressure transmitter would see atmospheric pressure in event of maintenance, agreed but the controller software controlling the control valves which is supposed to be at the downstream of the pressure transmitters will be sensing only the higher pressure which will be taken from the other transmitter which is still functioning. Can we assume both the pressure transmitters are taken into maintenance at the same instance?

Again I ascertain that I am not against the forum about not considering the total relief load, but I am trying to find a logical understanding of the whole system and how the events are mitigated. The safe approach I took was not to consider a double jeopardy and calculate the relief load accordingly based on the worst case control valve failure.

I would like to attach a rough sketch at this time hope it works

Chemie


#14 rxnarang

rxnarang

    Gold Member

  • Members
  • 133 posts

Posted 16 July 2006 - 11:24 PM

From the sketch it is apparent that the two control loops are independent, so a common loop failure can be ruled out.

However, if the upstream valve is driven open, then can the downstream valve(s) do the duty? If they can, then why do we need two control valves in series? If, as I suspect, the downstream valve cannot do the duty, then a possible scenario is that this valve(s) can start "hunting" i.e. because it is only designed for fine control, higher upstream pressure can make this valve open and close rapidly.

Which will mean that the downstream pressure vessel will need to be protected.

Scenario II: Downstream valves driven open. Can the upstream valve do the duty? I suspect it cannot do fine pressure control, but it will not hunt. Gross pressure control is OK.


If the above scenario is correct then the design should be for upstream valve driven open and downstream valve(s) go open due to its inability to control pressure.

Regards

#15 Chemie

Chemie

    Junior Member

  • ChE Plus Subscriber
  • 20 posts

Posted 18 July 2006 - 09:02 AM

Rajiv,

Thanks for your opinion. As I said earlier, my only concern was that can we find a fast acting control valve to control the pressure for upstream pressure surge? While simulating on Hysys I was able to control the pressure but that is an ideal case and I would rather have a control valve vendor confirm the availability of the valve rather than rely on Hysys PID values.

Chemie
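
The screening rule that emerges from the replies above (shared loop elements, or a first failure nobody notices, rule out double-jeopardy credit), as an added Python example that is not part of the original thread. The tag names, loop membership and alarm coverage are constructed assumptions, since the thread gives no tag numbers.

```python
from itertools import combinations

# Constructed model of the arrangement discussed in the thread. Tag names
# and loop membership are hypothetical (the thread gives no tag numbers).
# Each valve maps to the loop elements that can drive it open.
LOOPS = {
    "PCV-1": {"PIC-1", "PT-1"},
    "PCV-2A": {"PIC-2", "PT-2A", "PT-2B"},
    "PCV-2B": {"PIC-2", "PT-2A", "PT-2B"},
}

# Assumption: a driven-open state of each of these valves raises an alarm.
ANNOUNCED = {"PCV-1", "PCV-2A", "PCV-2B"}


def classify_pair(a, b, loops, announced):
    """Decide whether 'both a and b driven open' may be dismissed."""
    shared = loops[a] & loops[b]
    if shared:
        # Anything in common means one failure can drive both valves.
        return ("common cause", sorted(shared))
    latent = sorted({a, b} - announced)
    if latent:
        # An unnoticed first failure can persist until the second occurs.
        return ("latent first failure", latent)
    return ("double jeopardy", [])


def relief_cases(loops, announced):
    """List the valve combinations the relief device must be checked for."""
    cases = [((v,), "single failure") for v in sorted(loops)]
    for a, b in combinations(sorted(loops), 2):
        verdict, detail = classify_pair(a, b, loops, announced)
        if verdict != "double jeopardy":
            cases.append(((a, b), f"{verdict}: {', '.join(detail)}"))
    return cases


if __name__ == "__main__":
    for valves, reason in relief_cases(LOOPS, ANNOUNCED):
        print(" + ".join(valves), "->", reason)
```

Removing a valve from `ANNOUNCED` turns every pair that includes it into a case to be sized for, which is the point made in post #6 about an unalarmed upstream failure.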
