Sunday, May 27, 2018

IAM Search

Safety Instrumented Functions and Systems

A Safety Instrumented Function, or SIF, is one or more components designed to execute a specific safety-related task in the event of a specific dangerous condition. The over-temperature shutdown switch inside a clothes dryer or an electric water heater is a simple, domestic example of an SIF, shutting off the source of energy to the appliance in the event of a detected over-temperature condition. Safety Instrumented Functions are alternatively referred to as Instrument Protective Functions, or IPFs.

A Safety Instrumented System, or SIS, is a collection of SIFs designed to bring an industrial process to a safe condition in the event of any one of multiple dangerous detected conditions. Also known as Emergency Shutdown (ESD) or Protective Instrument Systems (PIS), these systems serve as an additional “layer” of protection against process equipment damage, adverse environmental impact, and/or human injury beyond the protection normally offered by a properly operating regulatory control system.

Some industries, such as chemical processing and nuclear power, have extensively employed safety instrumented systems for many decades. Likewise, automatic shutdown controls have been standard on steam boilers and combustion furnaces for years. The increasing capability of modern instrumentation, coupled with the realization of enormous costs (both social and fiscal) resulting from industrial disasters has pushed safety instrumentation to new levels of sophistication and new breadths of application. It is the purpose of this section to explore some common safety instrumented system concepts as well as some specific industrial applications.

One of the challenges inherent to safety instrumented system design is to balance the goal of maximum safety against the goal of maximum economy. If an industrial manufacturing facility is equipped with enough sensors and layered safety shutdown systems to virtually ensure no unsafe condition will ever prevail, that same facility will be plagued by “false alarm” and “spurious trip” events1 where the safety systems malfunction in a manner detrimental to the profitable operation of the facility. In other words, a process system designed with an emphasis on automatic shut-down will probably shut down more frequently than it actually needs to. While the avoidance of unsafe process conditions is obviously a noble goal, it cannot come at the expense of economically practical operation or else there will be no reason for the facility to exist at all2. A safety system must provide reliability in its intended protective function, but not at the expense of minimizing the operational availability of the process itself.

To illustrate the tension between reliability and availability in a safety system, we may analyze a double-block shutoff valve3 system for a petroleum pipeline:

The safety function of these block valves is, of course, to shut off flow from the petroleum source to the distribution pipeline in the event that the pipeline suffers a leak or rupture. Having two block valves in “series” adds an additional layer of safety, in that only one of the block valves need shut to fulfill the safety (reliability) function. Note the use of two different valve actuator technologies: one electric (motor) and the other a piston (either pneumatic or hydraulically actuated). This diversity of actuator technologies helps avoid common-cause failures, helping to ensure both valves will not simultaneously fail due to a single cause.

However, the typical operation of the pipeline demands both block valves be open in order for petroleum to flow through. The presence of redundant (dual) block valves, while increasing safety, decrease operational availability for the pipeline. If either of the two block valves happened to fail shut when they were called to open, the pipeline would be needlessly shut down.

A precise method of quantifying reliability and availability for redundant systems is to label the system according to how many redundant elements need to function properly in order to achieve the desired result. If the desired result for our double-block valve array is to shut down the pipeline in the event of a detected leak or rupture, we would say the system is one out of two (1oo2) redundant for safety reliability. In other words, only one out of the two redundant valves needs to function properly (shut off) in order to bring the pipeline to a safe condition. If the desired result is to open flow to the pipeline when it is known the pipeline is leak-free, we would say the system is two out of two (2oo2) redundant for operational availability. This means both of the two block valves need to function properly (open up) in order to allow petroleum to flow through the pipeline.

This numerical notation showing the number of essential elements versus number of total elements is often referred to as MooN (“M out of N”) notation, or sometimes as NooM (“N out of M”) notation4.

A complementary method of quantifying reliability and availability for redundant systems is to label in terms of how many element failures the system may sustain while still achieving the desired result. For this series set of double block valves, the safety (shutdown) function has a fault tolerance of one (1), since one of the valves may fail to shut when called upon but the other valve remains sufficient in itself to shut off the flow of petroleum to the pipeline. The operational availability of the system, however, has a fault tolerance of zero (0). Both block valves must open up when called upon in order to establish flow through the pipeline.

It should be clearly evident that a series set of block valves emphasizes safety (the ability to shut off flow through the pipeline) at the expense of availability (the ability to allow flow through the pipeline). We may now analyze a parallel block valve scheme to compare its redundant characteristics:



In this system, the safety (reliability) redundancy function is 2oo2, since both block valves would have to shut off in order to bring the pipeline to a safe condition in the event of a detected pipeline leak. However, operational availability would be 1oo2, since only one of the two valves would have to open up in order to establish flow through the pipeline. Thus, a parallel block valve array emphasizes availability (the ability to allow flow through the pipeline) at the expense of safety (the ability to shut off flow through the pipeline).

Another way to express the redundant behavior of the parallel block valve array is to say that the safety reliability function has a fault tolerance of zero (0), while the operational availability function has a fault tolerance of one (1).

One way to increase the fault tolerance of a redundant system is to increase the number of redundant components, forming arrays of greater complexity. Consider this quadruple block valve array, designed to serve the same function on a petroleum pipeline:


In order to fulfill its safety function of shutting off the flow of petroleum to the pipeline, both parallel pipe “branches” must be shut off. At first, this might seem to indicate a two-out-of-four (2oo4) redundancy, because all we would need is for one valve in each branch (two valves total) out of the four valves to shut off in order to shut off flow to the pipeline. We must remember, however, that we do not have the luxury of assuming idealized faults. If only two of the four valves function properly in shutting off, they just might happen to be two valves in the same branch, in which case two valves properly functioning is not enough to guarantee a safe pipeline condition. Thus, this redundant system actually exhibits three-out-of-four (3oo4) redundancy for safety (i.e. it has a safety fault tolerance of one), because we need three out of the four block valves to properly shut off in order to guarantee a safe pipeline condition.

Analyzing this quadruple block valve array for operational availability, we see that three out of the four valves need to function properly (open up) in order to guarantee flow to the pipeline. Once again, it may appear at first as though all we need are two of the four valves to open up in order to establish flow to the pipeline, but this will not be enough if those two valves are in different parallel branches. So, this system exhibits three-out-of-four (3oo4) redundancy with respect to operational availability (i.e. it has an operational fault tolerance of one).


SIS Sensors

Perhaps the simplest form of sensor providing process information for a safety instrumented function is a process switch. Examples of process switches include temperature switches, pressure switches, level switches, and flow switches5. SIS sensors must be properly calibrated and configured to indicate the presence of a dangerous condition. They must be separate and distinct from the sensors used for regulatory control, in order to ensure a level of safety protection beyond that of the basic process control system.

Referring to the clothes dryer and domestic water heater over-temperature shutdown switches, these high-temperature shutdown sensors are distinctly separate from the regulatory (temperature-controlling) sensors used to maintain the appliance’s temperature at setpoint. As such, they should only ever spring into action in the event of a high-temperature failure of the basic control system. That is, the over-temperature safety switch on a clothes dryer or a water heater should only everreach its high-temperature limit if the normal temperature control system of the appliance fails to do its job of regulating temperature to normal levels.

A modern trend in safety instrumented systems is to use continuous process transmitters rather than discrete process switches to detect dangerous process conditions. Any process transmitter – analog or digital – may be used as a safety shutdown sensor if its signal is compared against a “trip” limit value by a comparator relay or function block. This comparator function provides an on-or-off (discrete) output based on the transmitter’s signal value relative to the trip point.

A simplified example of a continuous transmitter used as a discrete alarm and trip device is shown here, where analog comparators generate discrete “trip” and “alarm” signals based on the measured value of liquid in a vessel. Note the necessity of two level switches on the other side of the vessel to perform the same dual alarm and trip functions:


Benefits to using a continuous transmitter instead of discrete switches include the ability to easily change the alarm or trip value, and better diagnostic capability. The latter point is not as obvious as the former, and deserves more explanation. A transmitter continuously measuring liquid level will produce an output signal that varies over time with the measured process variable. A “healthy” transmitter should therefore exhibit a continuously changing output signal, proportional to the degree of change in the process. Discrete process switches, in contrast to transmitters, provide no indication of “healthy” operation. The only time a process switch should ever change states is when its trip limit is reached, which in the case of a safety shutdown sensor indicates a dangerous (rare) condition. A process switch showing a “normal” process variable may indeed be functional and indicating properly, but it might also be failed and incapable of registering a dangerous condition should one arise – there is no way to tell by monitoring its un-changing status. The continuously varying output of a process transmitter therefore serves as an indicator6 of proper function.

In applications where Safety Instrumented Function (SIF) reliability is paramount, redundant transmitters may be installed to yield additional reliability. The following photograph shows triple-redundant transmitters measuring liquid flow by sensing differential pressure dropped across an orifice plate:



A single orifice plate develops the pressure drop, with the three differential pressure transmitters “tubed” in parallel with each other, all the “high” side ports connected together through common7 impulse tubing and all the “low” side ports connected together through common impulse tubing. These particular transmitters happen to be FOUNDATION Fieldbus rather than 4-20 mA analog electronic. The yellow instrument tray cable (ITC) used to connect each transmitter to a segment coupling device may be clearly seen in this photograph.

The “trick” to using redundant transmitters is to have the system self-determine what the actual process value is in the event one or more of the redundant transmitters disagree with each other. Voting is the name given to this important function, and it often takes the form of signal selector functions:


Multiple selection criteria are typically offered by “voting” modules, including high, low, average, and median. A “high” select voter would be suitable for applications where the dangerous condition is a large measured value, the voting module selecting the highest-valued transmitter signal in an effort to err on the side of safety. This would represent a 1oo3 safety redundancy (since only one transmitter out of the three would have to register beyond the high trip level in order to initiate the shutdown). A “low” select voter would, of course, be suitable for any application where the dangerous condition is a small measured value (once again providing a 1oo3 safety redundancy).

The “average” selection function merely calculates and outputs the mathematical average of all transmitter signals – a strategy prone to problems if one of the redundant transmitters happens to fail in the “safe” direction (thus skewing the average value away from the “dangerous” direction and thereby possibly causing the system to respond to an actual dangerous condition later than it should).

The median select criterion is very useful in safety systems because it effectively ignores any measurements deviating substantially from the others. Median selector functions may be constructed of high- and low-select function blocks in either of the following manners:



The best way to prove to yourself the median-selecting abilities of both function block networks is to perform a series of “thought experiments” where you declare three arbitrary transmitter signal values, then follow through the selection functions until you reach the output. For any three signal values you might choose, the result should always be the same: the median signal value is the one chosen by the voter.

Three transmitters filtered through a median select function effectively provide a 2oo3 safety redundancy, since just a single transmitter registering a value beyond the safety trip point would be ignored by the voting function. Two or more transmitters would have to register values past the trip point in order to initiate a shutdown.


SIS Controllers (Logic Solvers)

Control hardware for safety instrumented functions should be separate from the control hardware used to regulate the process, if only for the simple reason that the SIF exists to bring the process to a safe state in the event of any unsafe condition arising, including dangerous failure of the basic regulatory controls. If a single piece of control hardware served the dual purposes of regulation and shutdown, a failure within that hardware resulting in loss of regulation (normal control) would not be protected because the safety function would be disabled by the same fault.

Safety controls are usually discrete with regard to their output signals. When a process needs to be shut down for safety reasons, the steps to implement the shutdown often take the form of opening and closing certain valves fully rather than partially. This sort of all-or-nothing control action is most easily implemented in the form of discrete signals triggering solenoid valves or electric motor actuators. A digital controller specially designed for and tasked with the execution of safety instrumented functions is usually called a logic solver, or sometimes a safety PLC, in recognition of this discrete-output nature.

A photograph of a “safety PLC” used as an SIS in an oil refinery processing unit is shown here, the controller being a Siemens “Quadlog” model:



Although logic solvers are usually designed with levels of self-diagnostics and internal redundancy beyond that of a normal PLC, logic solver programming is very much the same. Ladder Diagram (LD) and Function Block Diagram (FBD) are two popular graphical programming languages used in logic solvers. These two programming languages are limited by their very nature to sets of well-defined algorithms, unlike text-based languages which grant the human programmer much more freedom in determining what will be done and how. A strong rationale for programming logic solvers in a more limited language is safety: the more flexible and unbounded a programming language is, the more potential there will be for complicated “run-time” errors that may be very difficult to troubleshoot. The ISA safety standard number 84 classifies industrial programming languages as either Fixed Programming Languages (FPL), Limited Variability Languages (LVL), or Full Variability Languages (FVL). Ladder Diagram and Function Block Diagram programming are both considered to be “limited variability” languages, whereas Instruction List (and traditional computer programming languages such as C/C++, FORTRAN, BASIC, etc.) are considered “full variability” languages with all the attendant potential for complex errors.


SIS Final Control Elements

When a dangerous condition in a volatile process is sensed by process transmitters (or process switches), triggering a shutdown response from the logic solver, the final control elements must move with decisive and swift action. Such positive response may be obtained from a standard regulatory control valve (such as a globe-type throttling valve), but for more critical applications a rotary ball or plug valve may be more suitable. If the valve in question is used for safety shutdown purposes only and not regulation, it is often referred to as a chopper valve for its ability to “chop” (shut off quickly and securely) the process fluid flow. A more formal term for this is an Emergency Isolation Valve, or EIV.

Some process applications may tolerate the over-loading of both control and safety functions in a single valve, using the valve to regulate fluid flow during normal operation and fully stroke (either open or closed depending on the application) during a shutdown condition. A common method of achieving this dual functionality is to install a solenoid valve in-line with the actuating air pressure line, such that the valve’s normal pneumatic signal may be interrupted at any moment, immediately driving the valve to a fail-safe position at the command of a discrete “trip” signal.

Such a “trip” solenoid (sometimes referred to as a dump solenoid, because it “dumps” all air pressure stored in the actuating mechanism) is shown here, connected to a fail-closed (air-to-open) control valve:


Compressed air passes through the solenoid valve from the I/P transducer to the valve’s pneumatic diaphragm actuator when energized, the letter “E” and arrow showing this path in the diagram. When de-energized, the solenoid valve blocks air pressure coming from the I/P and vents all air pressure from the valve’s actuating diaphragm as shown by the letter “D” and arrow. Venting all actuating air pressure from a fail-closed valve will cause the valve to fail closed, obviously.

If we wished to have the fail fail open on demand, we could use the exact same solenoid and instrument air plumbing, but swap the fail-closed control valve for a fail-open control valve. When energized (regular operation), the solenoid would pass variable air pressure from the I/P transducer to the valve actuator so it could serve its regulating purpose. When de-energized, the solenoid would force the valve to the fully-open position.

For applications where it is safer to lock the control valve in its last position than to have it fail either fully closed or fully open, we might elect to use a solenoid valve in a different manner:


Here, de-energization of the solenoid valve causes the I/P transducer’s air pressure output to vent, while trapping and holding all air pressure inside the actuator at the trip time. Regardless of the valve’s “natural” fail-safe state, this system forces the valve to lock position8 until the solenoid is re-energized.

An example of a trip solenoid installed on a control valve appears in the following photograph. This valve also happens to have a hand jack wheel installed in the actuating mechanism, allowing a human operator to manually override the valve position by forcing it closed (or open) when the hand wheel is turned sufficiently:


Of all the components of a Safety Instrumented System (SIS), the final control elements (valves) are generally the least reliable, contributing most towards the system’s probability of failure on demand (PFD). Sensors generally come in at second place in their contribution toward unreliability, and logic solvers a distant third place. Redundancy may be applied to control elements by creating valve networks where the failure of a single valve does not cause the system as a whole to fail.Unfortunately, this approach is extremely expensive, as valves have both high capital and high maintenance costs compared to SIS sensors and logic solvers.

A less expensive approach than redundancy to increasing safety valve reliability is to perform regular proof tests of their operation. This is commonly referred to in the industry as partial stroke testing. Rather than proof-test each safety valve to its full travel, which would interrupt normal process operations, the valve is commanded to move only part of its full travel. If the valve responds well to this “partial stroke” test, there is a high probability that it is able to move all the way, thus fulfilling the basic requirements of a proof test without actually shutting the process down9.


Safety Integrity Levels

A common way of ranking the reliability of a Safety Instrumented Function (SIF) is to use a simple numerical scale from one to four, with four being extremely reliable and one being only moderately reliable:


  SIL number  
  Required Safety Availability (RSA)  

  Probability of Failure on Demand (PFD)  

1 90% to 99% 0.1 to 0.01
2 99% to 99.9% 0.01 to 0.001
3 99.9% to 99.99% 0.001 to 0.0001
4 99.99% to 99.999% 0.0001 to 0.00001

The Required Safety Availability (RSA) value refers to the reliability of a Safety Instrumented Function in performing its duty. This is the probability that the SIF will perform as needed, when needed. Conversely, the Probability of Failure on Demand (PFD) is the mathematical complement of RSA (PFD = 1 - RSA), expressing the probability that the SIF will fail to perform as needed, when needed.

Conveniently, the SIL number matches the minimum number of “nines” in the Required Safety Availability (RSA) value. For instance, a safety instrumented function with a Probability of Failure on Demand (PFD) of 0.00073, will have an RSA value of 99.927%, which equates to a SIL 3 rating.

It is important to understand that SIL ratings apply only to whole Safety Instrumented Functions, and not to specific devices or even to entire systems or processes. An overpressure protection system on a chemical reactor process with a SIL rating of 2, for example, has a Probability of Failure on Demand between 0.01 and 0.001 of all critical components of that specific shutdown system, from the sensor(s) to the logic solver to the final control element(s) to the vessel itself including relief valves and other auxiliary equipment. If there arises a need to decrease the probability that the reactor vessel will become overpressured, engineers have a variety of options at their disposal for doing so. The safety instruments themselves might be upgraded, preventive maintenance schedules increased in frequency, or even process equipment changed to make an overpressure event less likely.

SIL ratings do not apply to an entire process. It is quite possible that the chemical reactor mentioned in the previous paragraph with an overpressure protection system SIL rating of 3 might have an overtemperature protection system SIL rating of only 2, due to differences in how the two different safety systems function.

Adding to this confusion is the fact that many instrument manufacturers rate their products as approved for use in certain SIL-rated applications. It is easy to misunderstand these claims, thinking that a safety instrumented function will be rated at some SIL value simply because instruments rated for that SIL value are used to implement it. In reality, the SIL value of any safety function is a much more complex determination. It is possible, for instance, to purchase and install a pressure transmitter rated for use in SIL 2 applications, and have the safety function as a whole be less than 99% reliable (PFD greater than 0.01, or a SIL level no greater than 1).

As with so many other complex calculations in instrumentation engineering, there exist software packages with all the necessary formulae pre-programmed for engineers and technicians alike to use for calculating SIL ratings of safety instrumented functions. These software tools not only factor in the inherent reliability ratings of different system components, but also correct for preventive maintenance schedules and proof testing intervals so the user may determine the proper maintenance attention required to achieve a given SIL rating.


SIS Example: Burner Management Systems

One “classic” example of an industrial automatic shutdown system is a Burner Management System (or BMS) designed to monitor the operation of a combustion burner and shut off the fuel supply in the event of a dangerous condition. Sometimes referred to as flame safety systems, these systems watch for such potentially dangerous conditions as low fuel pressure, high fuel pressure, and loss of flame. Other dangerous conditions related to the process being heated (such as low water level for a steam boiler) may be included as additional trip conditions.

The safety shutdown action of a burner management system is to halt the flow of fuel to the burner in the event of any hazardous detected condition. The final control element is therefore one or more shutoff valves (and sometimes a vent valve in addition) to positively stop fuel flow to the burner.

A typical ultraviolet flame sensor appears in this photograph:


This flame sensor is sensitive to ultraviolet light only, not to visible or infrared light. The reason for this specific sensitivity is to ensure the sensor will not be “fooled” by the visible or infrared glow of hot surfaces inside the firebox if ever the flame goes out unexpectedly. Since ultraviolet light is emitted only by an active gas-fueled flame, the sensor acts as a true flame detector, and not a heat detector.

One of the more popular models of fuel gas safety shutoff valve used in the United States for burner management systems is shown here, manufactured by Maxon:


This particular model of shutoff valve has a viewing window on it where a metal tag linked to the valve mechanism marked “Open” (in red) or “Shut” (in black) positively indicates the valve’s mechanical status. Like most safety shutoff valves on burner systems, this valve is electrically actuated, and will automatically close by spring tension in the event of a power loss.

Another safety shutoff valve, this one manufactured by ITT, is shown here:


Close inspection of the nameplate on this ITT safety valve reveals several important details. Like the Maxon safety valve, it is electrically actuated, with a “holding” current indicated as 0.14 amps at 120 volts AC. Inside the valve is an “auxiliary” switch designed to actuate when the valve has mechanically reached the full “open” position. An additional switch, labeled valve seal over-travel interlock, indicates when the valve has securely reached the full “shut” position. This “valve seal” switch generates a proof of closure signal used in burner management systems to verify a safe shutdown condition of the fuel line. Both switches are rated to carry 15 amps of current at 120 VAC, which is important when designing the electrical details of the system to ensure the switch will not be tasked with too much current.

A simple P&ID for a gas-fired combustion burner system is shown here. The piping and valving shown is typical for a single burner. Multiple-burner systems are often equipped with individual shutoff valve manifolds and individual fuel pressure limit switches. Each burner, if multiple exist in the same furnace, must be equipped with its own flame sensor:

Note the use of double-block and bleed shutdown valves to positively isolate the fuel gas supply from the burner in the event of an emergency shutdown. The two block valves are specially designed for the purpose (such as the Maxon and ITT safety valves previously shown), while the bleed valve is often nothing more than an ordinary electric solenoid valve.

Most burner management systems are charged with a dual role: both to manage the safe shutdown of a burner in the event of a hazardous condition, and the safe start-up of a burner in normal conditions. Start-up of a large industrial burner system usually includes a lengthy purge time prior to ignition where the combustion air damper is left wide-open and the blower running for several minutes to positively purge the firebox of any residual fuel vapors. After the purge time, the burner management system will ignite the burner (or sometimes ignite a smaller burner called the pilot, which in turn will light the main burner). A burner management system handles all these pre-ignition and timing functions to ensure the burners will ignite safely and without incident.

While many industrial burners are managed by electromechanical relay or analog electronic control systems, the modern trend is toward microprocessor-based digital electronic controls. One popular system is the Honeywell 7800 series burner control system, an example of which is shown in this photograph:


Microprocessor controls provide numerous advantages over relay-based and analog electronic burner management systems. Timing of purge cycles is far more accurate with microprocessor control, and the requisite purge time is more difficult to override10. Microprocessor-based burner controls usually have digital networking capability as well, allowing the connection of multiple controls to a single computer for remote monitoring.

The Honeywell 7800 series additionally offers local “annunciator” modules to visually indicate the status of permissive (interlock) contacts, showing maintenance personnel which switches are closed and what state the burner control system is in:



The entire “gas train” piping system for a dual-fuel boiler at a wastewater treatment facility appears in the following photograph. Note the use of double-block and bleed valves on both “trains” (one for utility-supplied natural gas and the other for “sludge gas” produced by the facility’s anaerobic digesters), the block valves for each train happening to be of different manufacture. A Honeywell 7800 flame safety control system is located in the blue enclosure:



SIS Example: Water Treatment Oxygen Purge System

One of the processes of municipal wastewater treatment is the aerobic digestion of organic matter by bacteria. This process emulates one of many waste-decomposition processes in nature, performed on an accelerated time frame for the needs of large wastewater volumes in cities. The process consists of supplying naturally occurring bacteria within the wastewater with enough oxygen to metabolize the organic waste matter, which to the bacteria is food. In some treatment facilities, this aeration is performed with ambient air. In other facilities, it is performed with nearly pure oxygen.

Aerobic decomposition is usually part of a larger process called activated sludge, whereby the effluent from the decomposition process is separated into solids (sludge) and liquid (supernatant), with a large fraction of the sludge recycled back to the aerobic chamber to sustain a healthy culture of bacteria and also ensure adequate retention time for decomposition to occur. Separating liquids from solids and recycling the solids ensures a short retention time for the liquid (allowing high processing rates) and a long retention time for the solids (ensuring thorough digestion of organic matter by the bacteria).

A simplified P&ID of an activated sludge water treatment system is shown here, showing how both the oxygen flow into the aeration chamber and the sludge recycle flow back to the aeration chamber are controlled as a function of influent wastewater flow:

Aerobic decomposition performed with ambient air as the oxidizer is a very simple and safe process. Pure oxygen may be chosen instead of ambient air because it accelerates the metabolism of the bacteria, allowing more processing flow capacity in less physical space. For the same reason that pure oxygen accelerates bacterial metabolism, it also accelerates combustion of any flammable substances. This means if ever a flammable vapor or liquid were to enter the aeration chamber, there would be a risk of explosion.

Although flammable liquids are not a normal component of municipal wastewater, it is possible for flammable liquids to find their way to the wastewater treatment plant. One possibility is the event of a fuel carrier vehicle spilling its cargo, with gasoline or some other volatile fuel draining into a sewer system tunnel through holes in a grate. Such an occurrence is not normal, but certainly possible. Furthermore, it may occur without warning for the operations personnel to take preemptive action at the wastewater treatment plant.

To decrease this safety hazard, Low Explosive Limit (LEL) sensors installed on the aeration chamber detect and signal the presence of flammable gases or vapors inside the chamber. If any of the sensors register the presence of flammable substances, a safety shutdown system purges the chamber of pure oxygen by taking the following steps:

  • Stop the flow of pure oxygen into the aeration chamber

  • Open large vent valves to atmosphere

  • Start air blowers to purge the chamber of residual pure oxygen


As with the P&ID, this diagram is a simplified representation of the real safety shutdown system. In a real system, multiple analytical high-alarm (LEL) sensors work to detect the presence of flammable gases or vapors, and the oxygen block valve arrangement would most likely be a double block and bleed rather than a single block valve.

The following photograph shows an LEL sensor mounted inside an insulated enclosure for protection from cold weather conditions at a wastewater treatment facility:


In this photograph, we see a purge air blower used to sweep the aeration chamber of pure oxygen during an emergency shutdown condition:



Since this is a centrifugal blower, providing no seal against air flow through it when stopped, an automatic purge valve located downstream (not to be confused with the manually-actuated vent valve seen in this photograph) is installed to block off the blower from the oxygen-filled chamber. This purge valve remains shut during normal operation, and opens only after the blower has started to initiate a purge.


SIS Example: Nuclear Reactor Scram Controls

Nuclear fission is a process by which the nuclei of specific types of atoms (most notably uranium-235 and plutonium-239) undergo spontaneous disintegration upon the absorption of an extra neutron, with the release of significant thermal energy and additional neutrons. A quantity of fissile material subjected to a source of neutron particle radiation will begin to fission, releasing massive quantities of heat which may then be used to boil water into steam and drive steam turbine engines to generate electricity. The “chain reaction” of neutrons splitting fissile atoms, which then eject more neutrons to split more fissile atoms, is inherently exponential in nature, but may be regulated by natural and artificial control loops.

A simplified diagram of a pressurized11 water reactor (PWR) appears here:


In the United States of America, nuclear reactors are designed to exhibit what is called a negative temperature coefficient, which means the chain reaction naturally slows as the temperature of the coolant increases. This physical tendency, engineered by the configuration of the reactor core and the design of the coolant system, adds a measure of self-stabilization to what would otherwise be an inherently unstable (“runaway”) process.

Additional regulation ability comes from the insertion of special control rods into the reactor core, designed to absorb neutrons and prevent them from “splitting” more atoms. With enough control rods inserted into a reactor core, a chain reaction cannot self-sustain. With enough control rods withdrawn from a freshly-fueled reactor core, the chain reaction will grow to an intensity strong enough to damage the reactor. Control rod position thus constitutes the primary method of power control for a fission reactor, and also the first12 means of emergency shutdown.

Due to the intense radiation flux near an operating power reactor, these control rods must be manipulated remotely rather than by direct human actuation. Nuclear reactor control rod actuators are typically special electric motors developed for this critical application.

A photograph13 showing the control rod array at the top of the ill-fated reactor at Three-Mile Island nuclear power plant appears here, with a mass of control cables connecting the rod actuators to the reactor control system:



Rapid insertion of control rods into a reactor core for emergency shutdown purposes is called a scram. Accounts vary as to the origin of this term, whether it has meaning as a technical acronym or as a colloquial expression to evacuate an area. Regardless of its etymology, a “scram” is an event to be avoided if possible. Like all industrial processes, a nuclear reactor fulfills its intended purpose only when operating. Shutdowns represent not only loss of revenue for the operating company, but also loss of power to local utilities and possible disruption of critical public services (heating, cooling, water pumping, fire protection, traffic control, etc.). An emergency shutdown system at a nuclear power plant must fulfill the opposing roles of safety and availability, with an extremely high degree of instrument reliability.

The electric motor actuators intended for normal operation of control rods are generally too slow to use for scram purposes. Hydraulic actuators capable of overriding the electric motor actuation may be used for scram insertion. Some early pressurized-water reactor scram system designs used a simple mechanical latch, disengaging the control rods from their motor actuators and letting gravity draw the rods fully into the reactor core.

A partial list of criteria sufficient to initiate a scram is shown here:

  • Detected earthquake

  • Reactor pressure high

  • Reactor pressure low

  • Reactor water level low (BWR only)

  • Reactor differential temperature high

  • Main steam isolation valve shut

  • Detected high radioactivity in coolant loop

  • Detected high radioactivity in containment building

  • Manual shutdown switch(es)

  • Control system power loss

  • Core neutron flux high

  • Core neutron flux rate-of-change (period) high


The last two criteria bear further explanation. Since each fission event (the “splitting” of one fuel atom’s nucleus by an absorbed neutron) results in a well-defined range of thermal energy release and also a well-defined range of additional neutrons released, the number of neutrons detected in the reactor core at any given moment is an approximate indication of the core’s thermal power. Neutron radiation flux measurement is therefore a fundamental process variable for fission reactor control, and also for safety shutdown. If sensors detect an excessive neutron flux, the reactor should be “scrammed” to avoid damage due to overheating. Likewise, if sensors detect a neutron flux level that is rising at an excessive rate, it indicates the possibility of a runaway chain-reaction which should also initiate a reactor “scram.”

In keeping with the high level of reliability and emphasis on safety for nuclear reactor shutdown controls, a common redundant strategy for sensors and logic is two-out-of-four, or 2oo4. A contact logic diagram showing a 2oo4 configuration appears here:



1Many synonyms exist to describe the action of a safety system needlessly shutting down a process. The term “nuisance trip” is often (aptly) used to describe such events. Another (more charitable) label is “fail-to-safe,” meaning the failure brings the process to a safe condition, as opposed to a dangerous condition.

2Of course, there do exist industrial facilities operating at a financial loss for the greater public benefit (e.g. certain waste processing operations), but these are the exception rather than the rule. It is obviously the point of a business to turn a profit, and so the vast majority of industries simply cannot sustain a philosophy of safety at any cost. One could argue that a “paranoid” safety system even at a waste processing plant is unsustainable, because too many “false trips” result in inefficient processing of the waste, posing a greater public health threat the longer it remains unprocessed.

3As drawn, these valves happen to be ball-design, the first actuated by an electric motor and the second actuated by a pneumatic piston. As is often the case with redundant instruments, an effort is made to diversify the technology applied to the redundant elements in order to minimize the probability of common-cause failures. If both block valves were electrically actuated, a failure of the electric power supply would disable both valves. If both block valves were pneumatically actuated, a failure of the compressed air supply would disable both valves. The use of one electric valve and one pneumatic valve grants greater independence of operation to the double-block valve system.

4For what it’s worth, the ISA safety standard 84 defines this notation as “MooN,” but I have seen sufficient examples of the contrary (“NooM”) to question the authority of either label.

5For a general introduction to process switches, refer to Discrete Process Measurement.

6Of course, the presence of some variation in a transmitter’s output over time is no guarantee of proper operation. Some failures may cause a transmitter to output a randomly “walking” signal when in fact it is not registering the process at all. However, being able to measure the continuous output of a process transmitter provides the instrument technician with far more data than is available with a discrete process switch. A safety transmitter’s output signal may be correlated against the output signal of another transmitter measuring the same process variable, perhaps even the transmitter used in the regulatory control loop. If two transmitters measuring the same process variable agree closely with one another over time, chances are extremely good are both functioning properly.

7It should be noted that the use of a single orifice plate and of common (parallel-connected) impulse lines represents a point of common-cause failure. A blockage at one or more of the orifice plate ports, or a closure of a manual block valve, would disable all three transmitters. As such, this might not be the best method of achieving high flow-measurement reliability.

8This is assuming, of course, that there are no air leaks anywhere in the actuator, tubing, or solenoid which would cause the trapped pressure to decrease over time.

9Of course, if there is opportunity to fully stroke the safety valve to the point of process shutdown without undue interruption to production, this is the superior way of performing valve proof tests. Such “test-to-shutdown” proof testing may be scheduled at a time convenient to operations personnel, such as at the beginning of a planned process shutdown.

10Yes, maintenance and operations personnel alike are often tempted to bypass the purge time of a burner management system out of impatience and a desire to resume production. I have personally witnessed this in action, performed by an electrician with a screwdriver and a “jumper” wire, overriding the timing function of a flame safety system during a troubleshooting exercise simply to get the job done faster. The electrician’s rationale was that since the burner system was having problems lighting, and had been repeatedly purged in prior attempts, the purge cycle did not have to be full-length in subsequent attempts. I asked him if he would feel comfortable repeating those same words in court as part of the investigation of why the furnace exploded. He didn’t think this was funny.

11Boiling-water reactors (BWR), the other major design type in the United States, output saturated steam at the top rather than heated water. Control rods enter a BWR from the bottom of the pressure vessel, rather than from the top as is standard for PWRs.

12Other means of reactor shutdown exist, such as the purposeful injection of “neutron poisons” into the coolant system which act as neutron-absorbing control rods on a molecular level. The insertion of “scram” rods into the reactor, though, is by far the fastest method for quenching the chain-reaction.

13This appears courtesy of the Nuclear Regulatory Commission’s special inquiry group report following the accident at Three Mile Island, on page 159.

Go Back to Lessons in Instrumentation Table of Contents

Comments (0)Add Comment

Write comment

security code
Write the displayed characters


Related Articles


  • ...more


Important: All images are copyrighted to their respective owners. All content cited is derived from their respective sources.

Contact us for information and your inquiries. IAMechatronics is open to link exchanges.

IAMechatronics Login