
PDVSA

MANUAL DE INGENIERIA DE RIESGOS (Risk Engineering Manual)

VOLUME 1

PDVSA No.   TITLE
IRP01       SAFETY INTERLOCK SYSTEMS, EMERGENCY ISOLATION, EMERGENCY
            DEPRESSURIZATION AND EMERGENCY VENTING SYSTEMS

REV.  DATE     DESCRIPTION        PAGES  REVIEWED  APPROVED  APPROVED
2     APR.97   GENERAL REVISION   56     L.T.      J.J.      A.N.
1     MAY.93   GENERAL REVISION   25     J.R.
0     DEC.85   APPROVAL           25     J.R.

APPROVED: Luis Hernández   DATE: APR.97      APPROVED: Carlos Corrie   DATE: APR.97

E1994 ESPECIALISTAS
MANUAL DE INGENIERIA DE RIESGOS    PDVSA IRP01
SAFETY INTERLOCK SYSTEMS, EMERGENCY ISOLATION, EMERGENCY DEPRESSURIZATION
AND EMERGENCY VENTING SYSTEMS    REVISION 2    DATE APR.97    Page 1

Contents
1 INTRODUCTION ........ 3
2 APPLICATIONS ........ 3
3 REFERENCES ........ 3
3.1 PDVSA Petróleos de Venezuela ........ 3
3.2 API American Petroleum Institute ........ 4
3.3 ISA Instrument Society of America ........ 4
3.4 NFPA National Fire Protection Association ........ 4
3.5 ISO International Standards Organization ........ 4
3.6 IEC International Electrotechnical Commission ........ 4
4 DEFINITIONS ........ 4
4.1 Class IA Liquids ........ 4
4.2 Liquefied Petroleum Gas (LPG) ........ 5
4.3 Liquefied Natural Gas (LNG) ........ 5
4.4 Natural Gas Liquids (NGL) ........ 5
4.5 Flammable Liquid ........ 5
4.6 Flash Point ........ 5
4.7 Probability of Failure on Demand (PFD) ........ 5
4.8 Valve Type A ........ 5
4.9 Valve Type B ........ 5
4.10 Valve Type C ........ 5
4.11 Valve Type D ........ 5
5 BASIC CONCEPTION OF DESIGN ........ 6
6 SAFETY INTERLOCK SYSTEMS (SIS) ........ 6
6.1 Aspects of Safety Interlock Systems Design ........ 6
6.2 Applications ........ 17
7 EMERGENCY ISOLATION SYSTEM ........ 22
7.1 Aspects of Emergency Isolation Valve Design ........ 23
7.2 Application ........ 27
8 EMERGENCY DEPRESSURIZATION AND DEINVENTORY SYSTEMS (EDS) ........ 30
8.1 Design Aspects of Emergency Depressurizing ........ 30
8.2 Design Aspects of Emergency Deinventorying Systems ........ 32
8.3 Water Displacement Systems ........ 32
9 EMERGENCY VENTING SYSTEMS ........ 33
9.1 Design Aspects ........ 33
9.2 Application ........ 35
10 OVERPRESSURE RELIEF DESIGN ........ 39
10.1 Relief Design ........ 39
10.2 Overpressure Relief Devices ........ 41
10.3 Miscellaneous Relief Devices ........ 45
11 FLARE SYSTEMS ........ 45
11.1 Types of Flares ........ 45
12 BLOWDOWN SYSTEMS ........ 50
12.1 Aspects of Blowdown Systems Design ........ 50
13 RESPONSIBILITIES ........ 51
APPENDIX ........ 52
A Reliability Theory ........ 52
B Methods for Determining Safety Integrity Level for Safety Interlock Systems ........ 53
B.1 Safety Layer Risk Matrix ........ 54
B.2 Consequence Only Method ........ 54
B.3 HAZOP Approach ........ 55
B.4 Fault Tree Approach ........ 55

1 INTRODUCTION
This Standard establishes the minimum design requirements that must be met by
the safety interlock, emergency isolation, emergency depressurizing, emergency
venting, relief, flare and blowdown systems of equipment and plants. These
requirements are intended to provide reasonable protection to personnel and
facilities against the potential risks of fire, explosion and hazardous
releases that can result from emergency situations in installations of the
Industria Petrolera y Petroquímica Nacional (IPPN).
The requirements established in official laws, regulations, decrees and
industrial standards in effect prevail over anything addressed in this
Standard, except where this Standard is more stringent. This Standard is based
on the application of the latest technologies and industry practices
established by recognized national and international organizations, and on the
IPPN's own experience in preventing and protecting against fires, explosions
and other hazardous releases.
This Standard is mandatory for all new IPPN facilities, for major modifications
to existing installations, and where existing installations have risk levels
that are not compatible with the policies and objectives established at IPPN
corporate level regarding flammable and toxic release prevention and mitigation
systems.

2 APPLICATIONS
This Standard is applicable to all facilities of the IPPN, located onshore and
offshore.

3 REFERENCES
The latest edition of the following documents shall be used.

3.1 PDVSA Petróleos de Venezuela

IRC03 Revestimiento Contra Incendio (Fireproofing)
IRS02 Criterios para el Análisis Cuantitativo de Riesgos (Criteria for
Quantitative Risk Analysis)
IRI01 Sistema de Detección y Alarma de Incendio (Fire Detection and Alarm
System)
IRI02 Sistema de Detección de Gases Inflamables/Tóxicos (Flammable/Toxic Gas
Detection System)
K331 Instrument Power Supplies
K333 Valve Actuators
K336 Alarms and Protection System
K337 Furnace Instrumentation
K339 Rotating Equipment Instrumentation
MDP08SA01 Principios Básicos (Basic Principles)
MDP08SA02 Consideraciones de Contingencia y Determinación de Flujos de Alivio
(Contingency Considerations and Determination of Relief Flows)

MDP08SA03 Dispositivos de Alivio de Presión (Pressure Relief Devices)
MDP08SA04 Procedimientos para Especificar y Dimensionar Válvulas de Alivio de
Presión (Procedures for Specifying and Sizing Pressure Relief Valves)
MDP08SA05 Instalación de Válvulas de Presión (Installation of Pressure Valves)
MDP08SD01 Sistemas de Disposición (Disposal Systems)

3.2 API American Petroleum Institute

RP 520 Sizing, Selection, and Installation of Pressure-Relieving Devices in
Refineries, Parts I and II.
STD 620 Design and Construction of Large, Welded, Low-Pressure Storage Tanks.
RP 521 Guide for Pressure-Relieving and Depressuring Systems.
STD 2000 Venting Atmospheric and Low-Pressure Storage Tanks: Nonrefrigerated
and Refrigerated.
API 2510 Design and Construction of LPG Installations.

3.3 ISA Instrument Society of America

S84.01 Application of Safety Instrumented Systems for the Process Industries.

3.4 NFPA National Fire Protection Association

59 Standard for the Storage and Handling of Liquefied Petroleum Gases at
Utility Gas Plants.
69 Standard on Explosion Prevention Systems.
85C Standard for the Prevention of Furnace Explosions/Implosions in Multiple
Burner Boiler-Furnaces.

3.5 ISO International Standards Organization

10418 Analysis, Design, Installation, and Testing of Basic Surface Safety
Systems for Offshore Production Platforms (replaces API RP 14C).

3.6 IEC International Electrotechnical Commission

1508 Functional Safety of Safety-related Systems.

4 DEFINITIONS
4.1 Class IA Liquids
Flammable liquids having a flash point below 73 °F (22.8 °C) and a boiling
point below 100 °F (37.8 °C).

4.2 Liquefied Petroleum Gas (LPG)

Any product with a vapor pressure not exceeding the allowable pressure for
commercial propane, consisting mainly of one or a mixture of the following
hydrocarbons: propane, propylene, butane and butylene.

4.3 Liquefied Natural Gas (LNG)

A fluid in the liquid phase consisting mainly of methane. It may contain small
quantities of ethane, propane, nitrogen or other components normally present in
natural gas.

4.4 Natural Gas Liquids (NGL)

A fluid in the liquid phase consisting mainly of propane, butane, pentane and
natural gasoline, with lesser quantities of ethane.

4.5 Flammable Liquid

A liquid with a flash point below 37.8 °C (100 °F) and an absolute vapor
pressure below 280 kPa (40 psia) at that temperature.

4.6 Flash Point

The minimum temperature at which a liquid gives off vapors in a concentration
capable of forming a flammable mixture with air at the liquid surface.

4.7 Probability of Failure on Demand (PFD)

A value that indicates the probability of a system failing to respond to a
demand. The average probability of a system failing to respond to a demand over
a specified time interval is referred to as PFDavg.

4.8 Valve Type A

Fire-safe (i.e., non-soft-seated) manual valve located less than 7.5 m from the
protected equipment.

4.9 Valve Type B

Manual valve located more than 7.5 m from the protected equipment.

4.10 Valve Type C

Remotely operated valve with its activation mechanism (e.g., switch) adjacent
to the valve. These valves are selected for rapid isolation of equipment or
vessels.

4.11 Valve Type D

Remotely operated or automatic valve with its activation mechanism located
away from the valve, at a safe location.

Requirements for emergency isolation valves are specified in Section 7.0.

5 BASIC CONCEPTION OF DESIGN

This Standard incorporates the minimum design requirements for the safety
interlock systems, emergency isolation systems, emergency depressurizing and
emergency venting, relief, flare and blowdown systems of equipment and plants.
The underlying assumption is that the installations to be protected have been
planned and constructed according to basic engineering principles and the best
practical experience accumulated to date by the IPPN.
In those particular cases where unique safety concerns exist, or where a risk
analysis indicates a high risk level, the design of safety systems may need to
exceed the minimum requirements established in this Standard. The same premise
must apply to existing installations where a risk analysis justifies the need
to augment the safety protection systems.
The risk analysis must consider the following general criteria, in accordance
with PDVSA Standard IRS02 Criterios para el Análisis Cuantitativo de Riesgos:
a. Intrinsic risk level of the installation.
b. Criticality or operational importance of the installation.
c. Asset value and replacement time.
d. Risk to the public.
e. Geographic location of the installation.
f. Availability of personnel to take action during emergencies, and response
   time.

6 SAFETY INTERLOCK SYSTEMS (SIS)

The design of a SIS shall be in accordance with PDVSA K333, K336 and the
Manual de Diseño de Proceso (Process Design Manual), Safety Design section.
Safety Interlock Systems (SIS) are systems composed of sensors, logic solvers
and final control elements whose purpose is to take the process to a safe state
when predefined conditions (for example, a temperature or pressure limit) are
reached.
The following four subsections discuss basic concepts relating to the design of
safety interlock systems in general: the Safety Integrity Level (SIL), fail-safe
design, energized-to-trip versus de-energized-to-trip, and general
requirements.

6.1 Aspects of Safety Interlock Systems Design

Once activated, a safety interlock system is able to perform any of the
following functions: shutdown of machinery, isolation of energy sources or
flow, opening of valves to reduce temperature and pressure, and bypassing of
fluid streams. The most important aspects to be considered in the design of
safety interlock systems are highlighted below.
6.1.1 Safety Integrity Level
The Safety Integrity Level (SIL) is defined as the level of safety performance
of a SIS. This level is characterized by the degree of redundancy in the system,
the frequency of testing of the system, the use of diagnostic fault detection,
etc. The Instrument Society of America (Standard ISA S84.01) designates three
levels of SIL, where the higher the SIL number, the better the expected safety
performance of the SIS.
The designation of a SIL value to a design is based on the Probability of
Failure on Demand. This PFD value indicates the probability of a system failing
to respond to a demand. The average probability of a system failing to respond
to a demand over a specified time interval, PFDavg, is the actual value used in
designating the SIL. (The underlying reliability theory is introduced in
Appendix A.)
Table 1 lists the definitions of the three SILs to be utilized in design.

TABLE 1. DEFINITIONS OF SAFETY INTEGRITY LEVELS (SIL)

SIL 1
  PFDavg range*: 10^-1 to 10^-2
  Safety availability range: 0.9 to 0.99
  Examples of systems that typically meet the SIL PFDavg definition:
  Non-redundant design: typically a single sensor, single logic solver and a
  single final control element. May consist of a simple relay or a programmable
  electronic system (PES).

SIL 2
  PFDavg range*: 10^-2 to 10^-3
  Safety availability range: 0.99 to 0.999
  Examples: Partially redundant interlock design (some but not all interlock
  system components provided with backups). Requires more diagnostics and
  typically includes redundancy of the logic solver and sensors, with
  redundancy of the final control element as necessary.

SIL 3
  PFDavg range*: 10^-3 to 10^-4
  Safety availability range: 0.999 to 0.9999
  Examples: Total redundancy (each component of the interlock system installed
  with at least one backup). Typically two separate and diverse one-out-of-one
  (1oo1) arrangements, each with its own sensor, logic solver and final control
  element, connected in a one-out-of-two (1oo2) voting scheme. Diverse
  separation, redundancy and exhaustive diagnostic capabilities characterize
  this system.

* PFDavg: average Probability of Failure on Demand. The concept of PFD is
  described in PDVSA IRS02.
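As an added example (not part of PDVSA IRP01 or ISA S84.01), the Python script
below computes PFDavg for the 1oo1 and 1oo2 arrangements named in Table 1 and
maps the result to the table's SIL bands. It uses the simplified low-demand
approximations PFDavg(1oo1) ≈ λDU·TI/2 and the beta-factor form of
PFDavg(1oo2); these formulas, the failure rate λDU, the proof-test interval TI
and the common-cause fraction β are assumptions chosen for illustration and are
not taken from this page (the Standard develops its reliability theory in
Appendix A).

```python
"""Added example (not from PDVSA IRP01): PFDavg of 1oo1 and 1oo2 voting
architectures and classification against the SIL bands of Table 1.

Assumed simplified low-demand formulas (not stated on the page):
  PFDavg(1oo1) ~= lambda_DU * TI / 2
  PFDavg(1oo2) ~= (1 - beta)^2 * (lambda_DU * TI)^2 / 3 + beta * lambda_DU * TI / 2
lambda_DU = dangerous-undetected failure rate (1/h), TI = proof-test interval (h),
beta = common-cause fraction (beta-factor model). All numbers are constructed.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0

# SIL bands of Table 1: lower PFDavg bound inclusive, upper bound exclusive.
SIL_BANDS = {
    1: (1e-2, 1e-1),
    2: (1e-3, 1e-2),
    3: (1e-4, 1e-3),
}


@dataclass(frozen=True)
class Channel:
    """One sensor / logic solver / final element chain (a 1oo1 arrangement)."""
    lambda_du_per_hour: float    # dangerous undetected failure rate, 1/h
    proof_test_interval_h: float  # functional test interval TI, hours


def pfd_avg_1oo1(ch: Channel) -> float:
    """Single channel: PFDavg ~= lambda_DU * TI / 2."""
    return ch.lambda_du_per_hour * ch.proof_test_interval_h / 2.0


def pfd_avg_1oo2(ch: Channel, beta: float = 0.0) -> float:
    """Two identical channels voted 1oo2 (either one may trip), beta-factor
    model for common-cause failures. beta = 0 assumes fully independent
    channels, which is optimistic: shared power, wiring, programming or
    maintenance (the common-cause issues listed in 6.1.4) make beta > 0."""
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must be in [0, 1]")
    x = ch.lambda_du_per_hour * ch.proof_test_interval_h
    independent = (1.0 - beta) ** 2 * x * x / 3.0
    common_cause = beta * x / 2.0
    return independent + common_cause


def sil_for_pfd(pfd: float):
    """Map a PFDavg to the SIL of Table 1. Returns None when PFDavg >= 0.1
    (no SIL credit). Values below 1e-4 are reported as 3 because S84.01 defines
    no higher level (IEC 1508 adds SIL 4), so the function caps at the top band."""
    if pfd >= 1e-1:
        return None
    if pfd < 1e-4:
        return 3
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return None


def safety_availability(pfd: float) -> float:
    """The safety availability column of Table 1 is 1 - PFDavg."""
    return 1.0 - pfd


def compare_architectures(ch: Channel, beta: float) -> dict:
    """(PFDavg, SIL) for 1oo1, independent 1oo2 and 1oo2 with common cause."""
    p1 = pfd_avg_1oo1(ch)
    p2 = pfd_avg_1oo2(ch, 0.0)
    p2cc = pfd_avg_1oo2(ch, beta)
    return {
        "1oo1": (p1, sil_for_pfd(p1)),
        "1oo2 (beta=0)": (p2, sil_for_pfd(p2)),
        f"1oo2 (beta={beta})": (p2cc, sil_for_pfd(p2cc)),
    }


if __name__ == "__main__":
    # Constructed case: lambda_DU = 1e-6 /h (about 0.009 /yr), proof-tested yearly.
    ch = Channel(lambda_du_per_hour=1e-6, proof_test_interval_h=HOURS_PER_YEAR)
    for name, (pfd, sil) in compare_architectures(ch, beta=0.1).items():
        print(f"{name:16s} PFDavg={pfd:.3e}  "
              f"availability={safety_availability(pfd):.5f}  SIL={sil}")
```

With the constructed numbers the single channel lands in the SIL 2 band, the
idealized 1oo2 pair improves on it by roughly two orders of magnitude, and a 10 %
common-cause share pulls the pair back to the SIL 3 band: the redundancy only
pays off together with the diverse separation that Table 1 pairs it with.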
Formal SIL selection and documentation are required to be accomplished as part
of the process safety activities taking place during design. ISA Standard S84.01
offers four sample methods to determine the SIL for a SIS: a safety layer risk
matrix, the consequence-only method, the HAZOP approach and a fault tree
approach. They are described in more detail in Appendix B and in PDVSA IRS02.
The following steps show how the determination of the SIL and the subsequent
need for a SIS is accomplished during process safety review activities:
1. Identify the potential hazardous event.
2. Evaluate the consequences and likelihood of the hazardous event.
3. Evaluate the preventive, protective and mitigating process safety features
   for the event, other than a SIS.
4. Decide whether a SIS is appropriate for this application.
5. Determine the target SIL for the SIS.
6. Determine other process safety-related specifications and design criteria.
6.1.2 Fail-Safe Design
All safety interlock systems should fail to a safe condition. This means that
the safety interlock system must include design features and an output state
that signal the malfunction of an essential component or of a required energy
source. Essential components and energy sources are those required for
performing the interlock function. When a system failure is detected, the
fail-safe safety interlock system may:
- Initiate the interlock action that automatically takes the process to a safe
  state.
- Signal the failure, without being able to continue monitoring the process
  until the fault is corrected.
- Initiate changes in process conditions to lower operating risks while the
  safety interlock system is in a failed state.
- Initiate action that automatically signals the failure, replaces the failed
  component, and continues monitoring the process.
The fail-safe design of equipment such as control and solenoid valves (in case
of failure of signal, instrument air or electricity) should be based on the
overall process consequences. This methodology, however, should not discourage
design approaches that tend to minimize false trips, provided no aspect of
safety is compromised.

6.1.3 Energized-to-trip vs. De-energized-to-trip

Safety Interlock Systems (SIS) can be designed to be de-energized-to-trip
(normally energized; the final element moves to the safe state on loss of
energy) or energized-to-trip (normally de-energized; the final element must be
energized to drive it to the safe state). The advantages and disadvantages of
both are discussed below.

De-energize-to-trip systems have the following advantages:
- Simpler design.
- Failures such as loss of power, broken wires or unmade connections result in
  a safe state for the system.
- Fail-safe compatible. In most interlock systems the outputs de-energize, or a
  backup system takes control, when a component or circuit failure occurs in
  the logic associated with a particular output, if that failure would prevent
  the interlock from responding to a demand.
- The design approach with the greatest operating experience.
- Fail-evident (a failure is readily identified as an inability to operate the
  system).
The disadvantages of de-energized-to-trip systems are:
- Difficult to test.
- Leads to spurious trips if the power supply is unreliable.
Energized-to-trip systems have the following advantage:
- Minimizes spurious shutdowns when the normal power supply is unreliable.
The disadvantages of an energized-to-trip system are:
- Complicated design.
- Not fail-safe compatible (if a component fails, the shutdown will not be
  activated).
- Difficult to detect system or component failures.
- Needs very rigid administrative controls and procedures to be followed on
  loss of power and/or circuit continuity.
Normally, a de-energized-to-trip system is preferred because of its inherent
safety. However, spurious trips are not desirable from the operational point of
view nor from the safety point of view, as the probability of serious accidents
is higher during shutdown and start-up. Thus, in a plant where the normal power
supply is not reliable, consideration should be given to an energized-to-trip
system. An energized-to-trip system must be extensively evaluated and deemed
suitable by the process hazard review team. An energized-to-trip system cannot
be installed in a facility without appropriate external means of taking
corrective action upon power or continuity failure (for example, a facility
lacking formal maintenance programs, where repair of failed SIS components may
be unduly delayed and the plant would thus operate in an unsafe condition
without the SIS). The justification for installing an energized-to-trip system
must be documented, along with the unique maintenance requirements of the
system.

All energized-to-trip safety interlock systems must have the following
capabilities:

a. Diagnostics to detect failures in the wiring between the input sensors and
   the logic solver and between the logic solver and the final control
   elements. For example, a pilot current continuously monitored to ensure
   circuit continuity, but of low enough magnitude not to affect proper
   input/output operation.
b. Redundant electrical power supply, such as battery-backed DC power and/or
   UPS systems, for sufficient time to bring the process to a safe condition.
c. Alarms on loss of SIS power.
d. Frequent testing and active diagnostics monitoring total safety interlock
   system performance.
e. Independent manual safety shutdown means and process shutdown means.
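The following Python model, added here as an illustration and not part of the
Standard, encodes one SIS output loop (logic solver, wiring, solenoid, spring
return final element) under both philosophies of 6.1.3 and enumerates the
failures the text names (loss of output power, broken wire or open connection)
against demand and no-demand. The loop model and the fault combinations are
constructed; the line-monitoring flag stands for the pilot-current continuity
diagnostic required in capability (a) above.

```python
"""Added example (not from PDVSA IRP01): one SIS output loop under the
de-energize-to-trip and energize-to-trip philosophies, evaluated for the
power-loss and broken-wire faults named in 6.1.3. Constructed model."""
from dataclasses import dataclass
from enum import Enum
from itertools import product


class TripMode(Enum):
    DE_ENERGIZE_TO_TRIP = "DTT"  # normally energized; loss of current trips
    ENERGIZE_TO_TRIP = "ETT"     # normally de-energized; current must flow to trip


@dataclass(frozen=True)
class OutputLoop:
    mode: TripMode
    power_ok: bool = True          # SIS output power supply available
    wire_ok: bool = True           # continuity between logic solver and final element
    line_monitoring: bool = False  # pilot current supervising the loop (ETT capability a)


def solenoid_energized(loop: OutputLoop, trip_demanded: bool) -> bool:
    """Does current actually reach the solenoid? Loss of power or continuity
    de-energizes the loop whatever the logic solver commands."""
    if not (loop.power_ok and loop.wire_ok):
        return False
    if loop.mode is TripMode.DE_ENERGIZE_TO_TRIP:
        return not trip_demanded   # held energized until a trip is commanded
    return trip_demanded           # energized only to trip


def final_element_in_safe_state(loop: OutputLoop, trip_demanded: bool) -> bool:
    energized = solenoid_energized(loop, trip_demanded)
    if loop.mode is TripMode.DE_ENERGIZE_TO_TRIP:
        return not energized   # spring return drives the valve to safe on loss of current
    return energized           # safe position reached only when driven


def evaluate(loop: OutputLoop, trip_demanded: bool) -> dict:
    """Classify one (loop state, demand) combination."""
    fault_present = not (loop.power_ok and loop.wire_ok)
    safe = final_element_in_safe_state(loop, trip_demanded)
    if loop.mode is TripMode.DE_ENERGIZE_TO_TRIP:
        # Fail-evident: the fault itself trips the loop, so it cannot stay hidden.
        fault_detected = fault_present
    else:
        # Covert unless the pilot current supervises continuity. The diagnostic
        # only alarms; it does not move the final element, so a demand during
        # the fault is still missed (hence the administrative controls required).
        fault_detected = fault_present and loop.line_monitoring
    return {
        "safe": safe,
        "dangerous_failure": trip_demanded and not safe,   # demand missed
        "spurious_trip": (not trip_demanded) and safe,      # tripped without demand
        "fault_detected": fault_detected,
    }


def truth_table(mode: TripMode, line_monitoring: bool = False) -> list:
    """All combinations of power state, wire state and demand for one philosophy."""
    rows = []
    for power_ok, wire_ok, demand in product([True, False], repeat=3):
        loop = OutputLoop(mode, power_ok, wire_ok, line_monitoring)
        rows.append(((power_ok, wire_ok, demand), evaluate(loop, demand)))
    return rows


def count_dangerous(mode: TripMode, line_monitoring: bool = False) -> int:
    return sum(r["dangerous_failure"] for _, r in truth_table(mode, line_monitoring))


def count_spurious(mode: TripMode) -> int:
    return sum(r["spurious_trip"] for _, r in truth_table(mode))


if __name__ == "__main__":
    for mode in TripMode:
        print(mode.value, "dangerous:", count_dangerous(mode),
              "spurious:", count_spurious(mode))
    broken = OutputLoop(TripMode.ENERGIZE_TO_TRIP, wire_ok=False, line_monitoring=True)
    print("ETT, broken wire, demand:", evaluate(broken, True))
```

The counts make the trade-off concrete: every wiring or power fault in the
de-energize-to-trip loop shows up as a trip (fail-evident, but spurious when
there is no demand), while the same faults in the energize-to-trip loop are
silent and each one is a missed demand. Line monitoring turns them from covert
into detected, but detection alone does not move the valve, which is why the
Standard requires the alarm, the redundant supply, the frequent testing and the
administrative controls together.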

6.1.4 General Requirements of Safety Interlock Systems

The following general requirements apply to all safety interlock systems and
include excerpts from ISA S84.01:

1. SIS operation should always be automatic, that is, its activation should
   not depend on an operator responding to an abnormal condition. Operator
   intervention may be part of the overall mitigation plan for a hazardous
   event, but it should be independent of the SIS.

2. A SIS may have a single safety function or multiple safety functions that
   share a common logic solver and/or input and output devices. When multiple
   safety functions share common components, the common components shall
   satisfy the highest SIL of the shared safety functions. Components that are
   not shared shall meet the SIL requirement of the safety function they
   serve. When multiple SISs are combined in a system where they share common
   logic or components, the potential for common cause faults increases.
   Programming, accessibility, maintenance, communication, power supplies and
   security are typical common cause issues to consider.

3. The following design considerations should be taken into account when
   designing a SIS to meet a particular SIL:
   - Separation, meaning the use of multiple devices or systems to segregate
     control functions from safety functions. Separation can be implemented
     with identical elements or with diverse elements.
   - Redundancy, meaning the use of multiple elements or systems to perform
     the same function. Redundancy can be implemented with identical elements
     or with diverse elements.
   - Software design considerations.
   - Technology selection.
   - Failure rates and failure modes.
   - Architecture.
   - Power sources.
   - Common cause failures.
   - Diagnostics (tests performed periodically and automatically to detect
     covert faults that would prevent the SIS from responding to a demand).
   - Field devices.
   - User interface.
   - Security.
   - Wiring practices.
   - Documentation.
   - Functional test interval.

4. The action of any non-safety function, if implemented by the SIS, shall not
   interrupt or compromise any SIS safety function. This applies to devices
   such as bypass switches and interlock switches and to any other non-safety
   application hosted on the SIS.

5. The required safe state of each SIS component required for the safety
   function shall be defined.

6. The SIS shall be designed such that, once it has placed the process in a
   safe state, the process remains in that state until a manual reset has been
   initiated. The requirement for a manual or automatic reset shall be defined
   early in the design, in the safety requirement specifications.

7. Manual operation, meaning operation independent of the logic solver, shall
   be provided to actuate the SIS final elements, unless otherwise directed by
   the safety requirement specifications.

8. Any undetected single fault that causes a SIS failure shall result in an
   automatic, predetermined, safe failure action and/or a safe process
   condition if the appropriate response action is undertaken.
9. The design shall apply the codes and standards for environmental and
   hazardous area classification (NFPA 70, National Electrical Code,
   Article 500).
10. SIS input/output power circuits shall be separated from circuits used for
    any other purpose, except where the sensor or final control element is
    shared.
11. Manual trips (push buttons, etc.) must be equipped with covers to avoid
    accidental trips.
12. Control systems for safety interlocks should be designed so that they can
    be tested frequently without shutting down the equipment they protect.
13. A control valve from the BPCS shall not be used as the only final element
    for SIL 3. A safety review shall be required before a single BPCS control
    valve is used as the only final element for SIL 1 or SIL 2.
14. Safety interlock systems may be activated by signals originating in gas or
    fire detection systems, according to PDVSA Standard IRI02 Sistema de
    Detección de Gases Inflamables/Tóxicos and PDVSA Standard IRI01 Sistema
    Automático de Detección y Alarma de Incendio.

a. SIS Logic Solver

Logic solvers are the electrical/electronic/programmable electronic system
(E/E/PES) components or subsystems that execute the application logic.
Electronic and programmable electronic logic solvers include their input/output
modules.
1. The logic solver supplier shall provide an integrated design including,
   where applicable, input module(s), output module(s), maintenance interface
   device(s), communication(s) and utility software. The integrated design
   shall be documented.
2. The logic solver supplier shall provide Mean Time To Failure (MTTF) data, a
   covert failure mode listing, and the frequency of occurrence of the
   identified covert failures (see the PDVSA Standard for Procurement of
   Equipment). The method and data used to obtain the above shall be provided.
3. Programmable electronic system logic solvers shall have methods (internal
   and/or external) to protect against covert faults (e.g., comparison of logic
   solver performance against process action, or embedded or application
   software testing the logic solver performance).
4. The logic solver shall be separate from the Basic Process Control System
   (BPCS), except where an application combines BPCS and SIS functions in one
   logic solver (e.g., gas turbines). In these cases the combined BPCS/SIS
   logic solver shall meet the required Safety Integrity Level (SIL).
5. The logic solver shall be designed to ensure that the process will not
   automatically restart when power is restored, unless process hazard reviews
   indicate that this is appropriate.
6. The logic solver shall be fail-safe, and a general-purpose programmable
   electronic system (PES) must not be used; see Table 1 and ISA S84.01
   paragraphs B.4.6.3 and B.4.6.4.

b. Field Devices

Field devices are the equipment connected to the field side of the SIS
input/output terminals. Such equipment includes field wiring, sensors, final
control elements, and those operator, maintenance, engineering and
communication interface devices hardwired to SIS input/output terminals.

a. Field Wiring
Each individual field device shall have its own dedicated wiring to the system
input/output, except in the following cases:
1. Multiple discrete sensors connected in series to a single input, if the
   sensors monitor the same process condition (e.g., motor overload).
2. Multiple final control elements connected to a single output, if each final
   control element serves the same process condition.
3. Approved systems such as fire and gas detection systems.
4. Fireproofing must be in accordance with PDVSA IRC02 Revestimiento Contra
   Incendio (Fireproofing).
b. Sensors
Minimum requirements for all sensors in a SIS are given below:
1. Smart sensors shall be write-protected to prevent inadvertent modification
   from a remote location.
2. SIS sensors shall be separate from the sensors of the Basic Process Control
   System (BPCS). Two exceptions are allowed, provided that failure of the
   sensor does not create a condition that the SIS is intended to protect
   against:
   - If redundant sensors are used, they may be connected to both the BPCS and
     the SIS, provided that any failure in the BPCS will not affect the proper
     operation of the sensor or the ability of the SIS to read the sensor
     properly.
   - If a process hazard analysis or risk analysis determines that one or more
     protection layers other than the BPCS and the SIS offer protection
     redundant to that provided by the sensor.
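As an added example, not from PDVSA IRP01 or ISA S84.01, the Python gateway
below enforces the two access rules stated on this page: smart-sensor
configuration is write-protected (item 1 above), and a BPCS or operator
interface may write only to SIS variables that have been explicitly
allow-listed, never to trip settings or application logic (the requirement
under Operator Interface Requirements to use systems that selectively allow
writing to a SIS variable). Tag names, value limits, source names and the
hardware-key flag are constructed for the example; a real gateway would also
authenticate the writing system and would itself have to meet the SIS's SIL.

```python
"""Added example (not from PDVSA IRP01): a default-deny write gateway in front
of SIS variables. Every tag is read-only unless it carries an explicit policy
naming who may write it, within what range, and whether the hardware key /
administrative enable must be present. Tag set and policies are constructed."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class WritePolicy:
    allowed_sources: FrozenSet[str]   # systems permitted to write this tag
    lo: float                         # accepted value range, inclusive
    hi: float
    requires_key: bool = False        # key switch / administrative enable needed


@dataclass
class SisWriteGateway:
    values: Dict[str, float]
    policies: Dict[str, WritePolicy] = field(default_factory=dict)
    key_inserted: bool = False
    audit: List[str] = field(default_factory=list)

    def write(self, source: str, tag: str, value: float) -> bool:
        """Apply one write request; returns True if applied. Every decision is logged."""
        reason = self._check(source, tag, value)
        if reason is None:
            self.values[tag] = value
            self.audit.append(f"ACCEPT {source} {tag}={value}")
            return True
        self.audit.append(f"REJECT {source} {tag}={value}: {reason}")
        return False

    def _check(self, source: str, tag: str, value: float) -> Optional[str]:
        if tag not in self.values:
            return "unknown tag"
        policy = self.policies.get(tag)
        if policy is None:
            return "variable is read-only (no write policy)"   # default deny
        if source not in policy.allowed_sources:
            return f"source {source} not permitted"
        if not (policy.lo <= value <= policy.hi):
            return f"value outside [{policy.lo}, {policy.hi}]"
        if policy.requires_key and not self.key_inserted:
            return "hardware key / administrative enable not present"
        return None

    def bypassed_functions(self) -> List[str]:
        """Active maintenance overrides, for the 'protective function bypassed'
        indication the operator interface must show."""
        return sorted(t for t, v in self.values.items() if t.endswith(".mos") and v == 1.0)


def build_demo_gateway() -> SisWriteGateway:
    """Constructed tag set: one pressure transmitter, its trip, one BPCS permissive."""
    values = {
        "PT-101.range_hi": 150.0,  # smart-transmitter configuration: write-protected
        "PT-101.trip_sp": 120.0,   # trip setpoint: engineering only, with key
        "PT-101.mos": 0.0,         # maintenance override switch: maintenance only, with key
        "FEED.running": 0.0,       # process permissive the BPCS may report
        "LOGIC.program_rev": 7.0,  # application logic: never writable through this path
    }
    policies = {
        "PT-101.trip_sp": WritePolicy(frozenset({"ENGINEERING"}), 0.0, 150.0, requires_key=True),
        "PT-101.mos": WritePolicy(frozenset({"MAINTENANCE"}), 0.0, 1.0, requires_key=True),
        "FEED.running": WritePolicy(frozenset({"BPCS"}), 0.0, 1.0),
    }
    return SisWriteGateway(values, policies)


if __name__ == "__main__":
    gw = build_demo_gateway()
    gw.write("BPCS", "FEED.running", 1.0)                # accepted: allow-listed variable
    gw.write("BPCS", "PT-101.trip_sp", 200.0)            # rejected: BPCS may not change trips
    gw.write("OPERATOR_HMI", "PT-101.range_hi", 300.0)   # rejected: sensor config is read-only
    gw.write("OPERATOR_HMI", "LOGIC.program_rev", 8.0)   # rejected: application logic
    gw.write("MAINTENANCE", "PT-101.mos", 1.0)           # rejected: key not inserted
    gw.key_inserted = True
    gw.write("MAINTENANCE", "PT-101.mos", 1.0)           # accepted, and reported as bypassed
    print("\n".join(gw.audit))
    print("bypassed:", gw.bypassed_functions())
```

The point of the default-deny structure is that adding a new BPCS-to-SIS signal
is an explicit, reviewable policy entry, while everything the page says must be
protected (sensor configuration, trip settings, the application program) stays
unwritable by omission rather than by a check someone has to remember to add.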
c. Final Control Elements
Final control elements are the actuators that regulate the supply of energy
or material to the process. These actuators are most often valves, but also
could be variable frequency drives (VFD), valve positioners, or louver
positioners.
A control valve from the BPCS shall not be used as the only final element
for SIL 3. A safety review shall be required to use a single BPCS control valve
as the only final element for SIL 1 and 2.
d. Operator Interface Requirements
Operator interface refers to the media (e.g., CRTs, indicating lights,
pushbuttons, horns, alarms, etc.) used to communicate information
between the operator and the SIS.
1. The operator interface system design shall take into consideration the loss
of the SIS operator interface and the resulting requirements as defined by
appropriate safety review. The design shall ensure that, upon failure of the
SIS operator interface, sufficient alternate means shall be provided for the
operator to bring the process to a safe state and that the automatic
functions of the SIS are not compromised.
2. The SIS status information that is critical to maintaining the SIL shall be
available as part of the operator interface. This information may include:
- Where the process is in its sequence
- Indication that SIS protective action has occurred
- Indication that a protective function is bypassed
- Indication that automatic action(s) such as degradation of voting and/or
fault handling has occurred
- Status of sensors and final control elements
- The loss of energy where that energy loss impacts safety
- The results of comparison diagnostics; and
- Failure of environmental conditioning equipment that is necessary to
support the SIS (air conditioning, etc.).
3. Changes to the SIS application software shall not be allowed from the SIS
operator interface. If safety-related information needs to be transmitted
from the BPCS to the SIS, systems that offer the ability to selectively allow
writing to a SIS variable should be used. An operator interface shall not be
capable of enabling or disabling the read-write access.
e. Maintenance/Engineering Interface Requirements
Maintenance/Engineering interface refers to that media provided to allow
proper SIS maintenance. It can include instructions and diagnostics that
may be found in software, programming terminals, diagnostic tools,
indicators, bypass devices, test devices and calibration devices.
1. The design of the SIS maintenance/engineering interface shall be such that
any failure of this interface shall not adversely affect the ability of the SIS to
bring the process to a safe state. This may require disconnecting of
maintenance/engineering interfaces, such as programming panels during
normal SIS operation.
2. The maintenance/engineering interface shall provide the following
functions:
- Access security protection to the SIS operating mode, program, data,
means of disabling alarm communication, test, bypass, maintenance, etc.
- Access to SIS diagnostics, voting and fault handling services
- Access to add, delete or modify application software
- Access to data necessary to troubleshoot the SIS
f. Communication Interface Requirements
Communication interface refers to the hardware and software
communication interface between the SIS and other devices such as the
operator interface, maintenance/engineer interfaces, BPCS, network or
peripherals.
1. The design and communication interface of the SIS shall ensure that any
failure of the communication interface (e.g., common cause faults) shall not
adversely affect the ability of the SIS to bring the process to a safe state.
2. Communication signals shall be isolated from other energy sources through
the use of good engineering practices, such as the use of shielded cable
while maintaining a single ground plane with a single dedicated power
source, or the use of fiber optics.
c. Power Sources
Power sources associated to SIS include electrical power, pneumatic power, and
hydraulic power. The design shall ensure that each power source meets the
needs of the SIS, with strict adherence to electrical codes. Examples of AC
electrical power considerations are voltage and current range, frequency range,
nonlinear loads, AC transfer time, overload and short-circuit protection and
coordination, lightning protection, protection against transients such as spikes,
surges, brownouts, and electrical noise, protection against under- and
overvoltages, grounding, and backup systems. Examples of DC power
considerations are voltage and current ranges and nonlinear loads. Pneumatic
power considerations include pressure and volume required, gas free of moisture
or contaminants, lubrication where required, and backup systems.
Considerations regarding hydraulic power are pressure and volume required, a
fluid free of contaminants and adequate fluid properties.
d. System Environment
All environmental conditions to which the SIS will be exposed and the operating
environmental specifications for all components of the SIS shall be considered in
the design. This includes but is not limited to temperature, humidity, contaminants,
grounding, Electro Magnetic Interference/Radio Frequency Interference
(EMI/RFI), shock/vibration, electrostatic discharge, electrical area classification,
flooding, and earthquakes.
e. Application Logic Requirements
It must be ensured that the manufacturers of equipment used in SIS service
maintain a formal revision and release control program for the equipment,
including applicable software. The use of visible markings or user interfaces to
identify this information is acceptable (e.g., part #, serial #, batch #, etc.).
f. Maintenance or Testing Design Requirements
The reliability of a safety system is directly proportional to its maintenance and
testing; thus, great care must be taken in assuring that provisions exist for easy
maintenance and testing of all SIS components (accessibility, provisions to
minimize process disturbances, etc.).
1. The design shall allow for testing of the overall system. It shall be possible
to test final element actuation in response to sensor operation. Where the
interval between scheduled process downtimes is greater than the required
functional test interval, online testing facilities are required.
2. When online testing is required, test facilities shall be an integral part of the
SIS design to test for covert failures.
3. When test and/or bypass facilities are included in the SIS, they shall conform
with the following:
- The operator shall be alerted to the bypass of any portion of the SIS via
an alarm and/or operating procedure.
- Bypassing of any portion of the SIS shall not result in the loss of
detection and/or annunciation of the condition(s) being monitored.
4. Forcing of inputs and outputs without taking the SIS out of service shall not
be allowed unless supplemented by procedures and access security.
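As an added example (not code from the standard), the following Python model shows one way to implement the access rules of items d.3 and f.4 above: the operator interface can only read, BPCS writes reach only the variables that an authenticated engineering session has enabled, and forcing an I/O point while the SIS is in service requires that session and is logged for annunciation. All class, role and tag names are assumptions made for the example.

```python
"""Added example (not part of PDVSA IRP01): a minimal model of the
write-access rules in items d.3 and f.4 of the SIS design requirements.

- The operator interface may only read SIS variables.
- Writes from the BPCS are accepted only for variables that engineering has
  explicitly marked writable; the operator interface cannot change that mark.
- Forcing an input or output while the SIS is in service requires an
  authenticated maintenance session (access security), and every force is
  logged so it can be annunciated.
All names here (SisVariable, Role, ...) are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum, auto


class Role(Enum):
    OPERATOR = auto()      # operator interface (item d)
    BPCS = auto()          # basic process control system link (item d.3)
    MAINTENANCE = auto()   # maintenance/engineering interface (item e)


class AccessDenied(PermissionError):
    """Raised for any write or force that the access rules reject."""


@dataclass
class SisVariable:
    name: str
    value: float
    bpcs_writable: bool = False   # set only through the maintenance interface
    forced: bool = False          # True while a force is active (item f.4)


@dataclass
class SafetyInstrumentedSystem:
    variables: dict = field(default_factory=dict)
    # Sessions opened through the maintenance interface after authentication.
    _maint_sessions: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)

    def add(self, var: SisVariable) -> None:
        self.variables[var.name] = var

    def read(self, name: str) -> float:
        return self.variables[name].value

    def open_maintenance_session(self, user: str, credential_ok: bool) -> str:
        """Access security for the maintenance/engineering interface."""
        if not credential_ok:
            raise AccessDenied(f"maintenance login rejected for {user}")
        token = f"maint:{user}"
        self._maint_sessions.add(token)
        self.audit_log.append(("login", user))
        return token

    def set_bpcs_writable(self, token: str, name: str, writable: bool) -> None:
        """Only an authenticated maintenance session can change read-write
        access; the operator interface has no path to this function."""
        self._require_session(token)
        self.variables[name].bpcs_writable = writable
        self.audit_log.append(("rw_access", name, writable))

    def write(self, role: Role, name: str, value: float) -> None:
        var = self.variables[name]
        if role is Role.OPERATOR:
            raise AccessDenied("operator interface is read-only (item d.3)")
        if role is Role.BPCS and not var.bpcs_writable:
            raise AccessDenied(f"{name} is not enabled for BPCS writes")
        if role is Role.MAINTENANCE:
            raise AccessDenied("use force() with a maintenance session")
        var.value = value
        self.audit_log.append(("write", role.name, name, value))

    def force(self, token: str, name: str, value: float) -> None:
        """Force an I/O point without taking the SIS out of service: allowed
        only under access security and always recorded (item f.4)."""
        self._require_session(token)
        var = self.variables[name]
        var.value, var.forced = value, True
        self.audit_log.append(("force", name, value))

    def active_forces(self) -> list:
        """Forced points stay visible so the operator can be alerted."""
        return sorted(n for n, v in self.variables.items() if v.forced)

    def _require_session(self, token: str) -> None:
        if token not in self._maint_sessions:
            raise AccessDenied("no authenticated maintenance session")


def is_denied(action, *args) -> bool:
    """Helper for checks: True if the action is rejected by access control."""
    try:
        action(*args)
    except AccessDenied:
        return True
    return False
```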

6.2 Applications
Safety interlock systems are to be installed in the following equipment and
process lines:
6.2.1 Compressors, turbines, motors
a. Compressors of a capacity greater than 150 KW (200 HP) operated from a
control room.
b. Reciprocating and centrifugal compressors; electrical motors; and internal
combustion, steam and gas turbines must have safety devices, shutdown
and alarm systems as indicated in Table 2.
c. Emergency shutdown trip devices for compressor stations must be located, as a
minimum, in two locations separated at least 75 meters from each other, to
allow activation of the system if one location is inaccessible. One emergency
shutdown trip device must be located adjacent to the main entrance and the
other one outside the compressor station.
d. The activation of an emergency shutdown must perform the following
actions: trip the machine, close gas inlet and outlet lines, open purge valves,
close fuel feed to motors and turbines or deactivate feed to electrical motors.
The motors on the following equipment are the exception: firewater pumps,
cooling water and instrument air compressors and/or compressed air for
respiratory protection equipment, pumps for bearings, and valves and
motors necessary during emergencies as identified by the users
experience.
e. Combustible gas shutoff valves must be designed to fail closed upon loss
of the energy that activates them.
f. Depressurization valves must be designed to fail open upon loss of the
energy that activates them.
TABLA 2. ALARM AND SAFETY INTERLOCK SYSTEMS FOR MOTORS, TURBINES AND COMPRESSORS

EQUIPMENT COLUMNS: COMPRESSORS (RECIPROC., CENTRIF.) | INTERNAL COMBUSTION MOTOR | TURBINES (GAS, VAPOR) | ELECTRICAL MOTORS

CONDITION                                            | A/S MARKS
HIGH OR LOW VOLTAGE IN LINE                          | S
MOTOR OVERLOAD                                       | S
HIGH WINDINGS TEMPERATURE                            | A
FLAME FAILURE                                        | S
LOSS OF PURGE AIR                                    | A
HIGH TEMPERATURE IN CASING                           | A A A
HIGH COOLING WATER TEMP.                             | A
HIGH EXHAUST TEMPERATURE                             | A
HIGH HIGH EXHAUST TEMPERATURE                        | A
HIGH BEARING TEMPERATURE                             | A A A
HIGH COMBUSTION TEMPERATURE                          | A
AXIAL DISPLACEMENT / HIGH DISCHARGE TEMPERATURE      | S A A
EXCESSIVE VIBRATION                                  | A A A A A
OVERSPEED                                            | S S S S S
HIGH EXHAUST HEADER PRESSURE                         | A
HIGH DISCHARGE PRESSURE                              | A A
LOW DISCHARGE PRESSURE                               | A
LOW LOW DISCHARGE PRESSURE                           | S S
LOW SUCTION PRESSURE                                 | A A
LOW LOW SUCTION PRESSURE                             | S S
HIGH LIQUID LEVEL IN SUCTION SCRUBBER                | A A
HIGH HIGH LIQUID LEVEL IN SUCTION SCRUBBER           | S S
HIGH FUEL GAS PRESSURE                               | A
LOW FUEL GAS PRESSURE                                | S
LOW OIL LEVEL (LUBE)                                 | A A A A A
HIGH LUBE OIL TEMPERATURE                            | A A A A A
LOW OIL PRESSURE IN SEAL                             | A
LOW LOW OIL PRESSURE IN SEAL                         | S
LOW OIL LEVEL IN SEAL OVERHEAD TANK                  | A
LOW LOW OIL LEVEL IN SEAL OVERHEAD TANK              | S
HIGH LEVEL IN SEAL OIL OVERHEAD TANK                 |
FAILURE OF STARTING CLUTCH TO ENGAGE OR DISENGAGE    | A
HIGH OIL PRESSURE                                    | A
LOW OIL PRESSURE (LUBE)                              | A A A A A
LOW LOW OIL PRESSURE (LUBE)                          | S S S S S
LOW CONTROL OIL PRESSURE                             | A
HIGH OIL FILTER DIFFERENTIAL PRESSURE                | A A A A A

A: Alarm
S: Shutdown
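As an added example (not from the standard), this Python model applies the Table 2 rows that carry a mark in every equipment column (low and low-low lube oil pressure, overspeed, excessive vibration) to a centrifugal compressor, together with the shutdown actions of 6.2.1.d, the fail-safe positions of 6.2.1.e and 6.2.1.f, and the bypass annunciation rule of item f.3 of the design requirements. Sensor tags, setpoints and readings are constructed values, not values from the standard.

```python
"""Added example (not part of PDVSA IRP01): a small logic-solver model for
a compressor, built from the rows of Table 2 that apply to every machine
(A = alarm, S = shutdown), the shutdown actions of item 6.2.1.d, the
fail-safe positions of items 6.2.1.e/f and the bypass rules of item f.3.
Sensor tags, setpoints and the sample readings are constructed for the
example; they are not values from the standard.
"""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    ALARM = "A"
    SHUTDOWN = "S"


@dataclass(frozen=True)
class Condition:
    """One row of Table 2 for the machine in question."""
    name: str
    tag: str                 # sensor tag (constructed)
    limit: float
    low_is_bad: bool         # True for LOW / LOW LOW rows, False for HIGH rows
    action: Action

    def violated(self, reading: float) -> bool:
        return reading < self.limit if self.low_is_bad else reading > self.limit


# Rows of Table 2 marked for all five equipment columns, with constructed
# setpoints: lube-oil pressure in kg/cm2, speed in rpm, vibration in mm/s.
CENTRIFUGAL_COMPRESSOR_LOGIC = [
    Condition("LOW OIL PRESSURE (LUBE)", "PT-LO", 1.5, True, Action.ALARM),
    Condition("LOW LOW OIL PRESSURE (LUBE)", "PT-LO", 1.0, True, Action.SHUTDOWN),
    Condition("OVERSPEED", "ST-01", 11000.0, False, Action.SHUTDOWN),
    Condition("EXCESSIVE VIBRATION", "VT-01", 12.0, False, Action.ALARM),
]


@dataclass
class ValveStates:
    """Final elements driven by the SIS; values are commanded positions."""
    gas_inlet_open: bool = True
    gas_outlet_open: bool = True
    purge_open: bool = False
    fuel_open: bool = True        # driver fuel supply (engine/turbine)
    machine_running: bool = True

    @classmethod
    def de_energized(cls) -> "ValveStates":
        """Loss of actuating energy (items 6.2.1.e/f): gas shutoff valves fail
        closed, depressurization/purge valves fail open, machine tripped."""
        return cls(False, False, True, False, False)


@dataclass
class SisResult:
    alarms: list = field(default_factory=list)
    shutdown: bool = False
    valves: ValveStates = field(default_factory=ValveStates)


def evaluate(readings: dict, bypassed: set = frozenset(),
             power_available: bool = True,
             logic=CENTRIFUGAL_COMPRESSOR_LOGIC) -> SisResult:
    """Run one scan of the interlock logic over a dict of tag -> reading."""
    result = SisResult()
    if not power_available:
        result.alarms.append("LOSS OF SIS ACTUATING ENERGY")
        result.shutdown = True
        result.valves = ValveStates.de_energized()
        return result
    # Item f.3: every active bypass is annunciated to the operator.
    for name in sorted(bypassed):
        result.alarms.append(f"BYPASS ACTIVE: {name}")
    for cond in logic:
        if not cond.violated(readings[cond.tag]):
            continue
        # Detection/annunciation is never lost, even when the trip is bypassed.
        result.alarms.append(f"{cond.name} ({cond.action.value})")
        if cond.action is Action.SHUTDOWN and cond.name not in bypassed:
            result.shutdown = True
    if result.shutdown:
        # Item 6.2.1.d: trip, close gas inlet/outlet, open purge, close fuel.
        result.valves = ValveStates(False, False, True, False, False)
    return result
```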
6.2.2 Furnaces and Combustion equipment
a. An emergency isolation valve must be installed in the process feed to the
furnace. If this valve is manual, it must be located no closer than 15 meters
from the furnace. If the valve is required to be installed closer than 15 meters
from the furnace, it must be remotely operated and insulated from heat according
to the requirements in PDVSA Standard IRC03 Revestimiento Contra Incendios.
b. An automatic closure valve with manual resetting must be installed in fuel
feed to furnace. This valve must be activated upon low fuel pressure, low
product flow or high temperature in exit line. In equipment using gas fuel, an
alternative may be to use double blocking and a vent activated by burner
flame detectors.
c. In addition to requirements in b., a process control valve in the fuel feed line
to the furnace must be provided with the capability to close remotely from
the control room. This requirement is applicable when the emergency
isolation valve is an automatic valve, then the same signal that actuates the
automatic valve must activate the control valve, which must provide a tight
seal. (See PDVSA K337)
d. All fuel streams to furnaces, boilers and other combustion equipment
(including pilot gas) must have a manual isolation valve located at least 15
meters from equipment, in an accessible site. This requirement can be
waived if there is a valve in the fuel feed line at the plant battery limits that
can be closed without creating risks or conflicts with other operational
actions that could be necessary during an emergency in the plant.
e. Boilers must contain only that equipment associated with steam
production. Boilers must have the following controls and/or safety devices:
1. Safety controls common to all boilers:
a. Alarm on high and low water level in steam drum
b. Alarms on low low water level in steam drum
c. Alarms on high high water level in steam drum
d. Interlock to close fuel feed upon high high or low low water level in
steam drum
e. Alarms and interlock in air flow to close fuel feed upon failure of draft
fan
2. Controls for boilers utilizing gas as fuel:
a. High and low gas pressure switch
b. Block valves for the main burner and pilot
c. Purge valves with safety closure on main burner and pilot
d. Flame analyzer with interlock during startup.
The valves described in e.2.a and e.2.b must activate upon an indication of
deviation from normal operation in boiler control instrumentation.
3. Controls for boilers utilizing oil as fuel:
a. Supervision of the pressure differential between atomization steam
and fuel oil in the combustion range
b. Closure of the safety valve on the fuel oil stream
c. Flame analyzer with interlock during start up
d. Isolation valve for pilot gas
The valves described in item e.3.b and e.3.d must activate upon an indication of
deviations from normal operation in boiler control instrumentation.
f. All the points considered above must be included along with the requirements of NFPA 85C.
6.2.3 Critical flow streams
Any critical process stream, as determined by a risk analysis, may have isolation
valves type D, operated automatically or remotely from control room, if the
actuation of such valve is a step in the plant emergency shutdown procedure.
6.2.4 Gas Process and Handling (NGL, LNG, LPG)
NGL, LNG and LPG plants must have safety interlock systems, as indicated
below:
a. Isolation valves type D to allow isolation of critical equipment and/or
systems. These valves must close upon failure of electrical supply to
process equipment.
b. The activation of a safety interlock must perform the following actions: trip
the equipment, close gas inlet and outlet lines, open purge valves, close fuel
feed to engines and turbines or deactivate feed to electrical motors. The
drivers on the following equipment are the exception: firewater pumps,
cooling water and instrument air compressors and/or compressed air for
respiratory protection equipment, lube oil pumps for bearings, and valves
and motors necessary during emergencies as identified by the users
experience.
c. Purge valves must open upon failure of electrical supply to process
equipment.
6.2.5 Special Cases
Remote emergency shutdown systems in plants or equipment may be justified in
special cases to allow immediate and safe shutdown. This determination should
be made during a risk analysis conducted according to the criteria and parameters
established in Section 5 of this Standard. Contingent on the risk analysis, the
following equipment or installation must be provided with remote shutdown
systems:
a. Cooling Towers
The cooling towers must be provided with two (2) manual switches to turn
off the fans. One switch must be located at ground level and the other one
at the top of the structure. Similarly, the cooling towers must be provided with
vibration switches on all fans. The start switch for the electrical motors for
the water pumps must be located no less than 7,5 meters from the base of
the cooling tower.
b. Installations in Remote Locations
A remotely operated safety interlock system must be provided for remote
installations, not permanently manned. The safety interlock system must be
able to be activated via transmission means such as telemetry, or remotely
operated from a control room that is permanently staffed.

7 EMERGENCY ISOLATION SYSTEM


The failures of machines, furnace tubes, pumps, compressors, vessels and
equipment handling and/or processing flammable or combustible liquids and
gases are recognized causes of major fires. In light of these facts, isolation valves
type A, B, C, or D must be strategically installed in equipment and throughout the
plant. These valves allow isolation of the affected equipment or sections in order
to limit the quantity of material feeding the fire and increasing its size.
The values (distance/inventory) that appear in this section are given only as a
reference. The final installation must be based on a quantitative risk analysis
performed according to PDVSA IRS02.

7.1 Aspects of Emergency Isolation Valve Design


Isolation valves are used to divide a plant into areas and thus prevent the flow of
flammable and/or combustible products and the propagation of emergencies. The
location, access and other requirements that affect the installation of the isolation
valves are shown in detail in Tables 3 and 4.
TABLA 3. ASPECTS TO CONSIDER REGARDING LOCATION AND SELECTION OF ISOLATION VALVES

VALVE TYPE: MANUAL OPERATION: A, B | AUTOMATIC OPERATION: C*, D*

VALVE REQUIREMENTS                                                        | X PER APPLICABLE VALVE TYPE
Located at vessel nozzle (outside skirt).                                 | X
Located at least 7,5 meters horizontally from protected equipment and at  | X X
least 4,5 meters from operating floor level.                              |
Without location restriction (see note 1)                                 | X
Long stemmed operation from platform or above the operating floor level   | X X
(without chain or pulley).                                                |
Accessibly located at least 7,5 meters horizontally from protected        | X X
equipment.                                                                |
Normally limited to 200 mm (8") valves and smaller.                       | X
Normally used only for 250 mm (10") valves and larger.                    | X
Without restrictions on valve size                                        | X X

* All isolation valves type C and D must meet the following requirements:
NOTE 1:
It is preferable that the feed cables and signal cabling be buried up to a point immediately below
the remotely operated isolation valve. However, all the system components for operation of
isolation valves type D, installed externally and at 7,5 meters from the protected equipment, must
be able to remain operable for 20 minutes of fire exposure.
The relays for thermal overload should not be installed in electrical motors of emergency shutdown
or safety shutdown valves.
TABLA 4. ASPECTS TO CONSIDER REGARDING LOCATION AND SELECTION OF ISOLATION VALVES TYPE C AND D

AUTOMATIC ISOLATION VALVE
REMOTE ACTUATION                                                          | TYPE OF VALVE: C** | D**
Field location                                                            | See Notes 1, 2, 3 | See Notes 1, 2, 3
Adjacent to valve                                                         | X
Located at least 7,5 meters horizontally from protected equipment and at  | X
least 4,5 meters above operating floor level.                             |
Located at operating floor level and at least 12 meters horizontally from | X
protected equipment.                                                      |
Operation from platform or operating floor level.                         | X
Accessibly located at least 7,5 meters horizontally from protected        | X X
equipment                                                                 |

** All isolation valves type C and D must meet the following requirements:
NOTE 2:
In addition to the requirements indicated in Table 3, the actuation devices for
emergency operation of the isolation valves type D must meet the following
location requirements:
a. Must be installed in the control room for the following cases: valves on
furnace exit lines, isolation of compressors, steam purge, deinventory of
liquids and closure of critical flows (e.g., pump suction).
b. To isolate other equipment, these devices must be installed in the field. It is
preferable to locate and group near the access ways.
NOTE 3:
In addition to the requirements for the actuation devices and the isolation valves
type D indicated in Note 2, when valves type D are required for the startup of
equipment and testing of valves, they should meet the following requirements:
a. When the main emergency actuation device is located in the control room,
an additional actuation device must be installed adjacent to the remotely
actuated valve.
b. When the main emergency actuation device is located in the field, there
should not be additional devices unless they are required for operational
reasons.
All the isolation valves type C and D must comply with the following requirements:
a. The valves must be actuated by a pneumatic rotation motor, electrical motor
or a hydraulic or pneumatic piston. Diaphragm operated valves should never
be utilized.
b. If the valves are air actuated, it must be ensured that the air supply is reliable
and the air backup capacity is capable of moving all the valves during two
(2) complete cycles, under fire conditions.
c. If the valves are actuated by an electrical motor, the energy source must
come from the unit emergency circuit and/or the installation. The capacity
of the emergency generator must be verified. Power may also be supplied
from the preferential system, in case there is no emergency circuit available.
d. If the valves are actuated by a hydraulic piston, all necessary arrangements
must be made so that in cases of extreme urgency where there is loss of
electricity, the pressure of the hydraulic oil would be sufficient to actuate at
least the critical valves.
e. The power sources to eliminate the electronic or pneumatic signal
transmission system must be highly reliable. The level of reliability must be
consistent with the specified SIL or equal to the power supply utilized in the
control room.
f. The emergency isolation valves that could be exposed to radiation produced
by a fire must comply with the requirement of the PDVSA IRC03
Revestimiento Contra Incendios.
g. The operational controls must consist of actuation devices to move the
valves to closed or open position, respectively.
h. All the manual operation control must be provided with adequate
mechanical guards to prevent accidental operation.
i. The remotely operated emergency isolation valves that are normally open
do not require block valves or a bypass. The remotely operated emergency
isolation valves that are normally closed require block valves, installed
upstream of the emergency valves so that they can be tested. This requirement
may be changed if deemed unnecessary as the result of a risk analysis.
j. The position of the block valves must be able to be identified by visual
inspection.
k. The device for actuating the automatic isolation valves type D must have
valve position indicator lights.
7.2 Application
Individual block valves must be used with equipment such as pumps,
compressors, vessels, furnaces, heat exchangers and at plants battery limits, as
a function of the criteria described below.
7.2.1 Pumps
a. Pumps inaccessible in a fire must have isolation valves downstream or
upstream of connected equipment or remotely operated suction valve.
b. Install an isolation valve (type B, C or D) in the pump suction line when
the inventory in the vessel is either:
- Liquefied flammable gas over 2.100 gallons
- Liquid hydrocarbons at a temperature equal to or greater than their
autoignition temperature or flash point and above 2.100 gallons inventory
- Liquid hydrocarbons at 4.000 gallons
c. When there are pump suction lines from more than one vessel, emergency
isolation valves for the equipment must be provided. If the selection criteria
result in different valve types according to Tables 3 and 4, the isolation
facilities need not be duplicated, but the most demanding isolation
requirement must be applied.
d. If there is a requirement for isolation valve type D in multistage pumps with
parallel discharge headers, these valves must be installed at the suction of
each pump.
7.2.2 Compressors
a. Must install isolation valves at the inlet and outlet of the compressor train
driven by a single motor, turbine or engine greater than 150 KW (200 HP)
which handle flammable gases. See PDVSA K339.
1. Isolation valves of type B or D must be installed in compressors with
capacities between 150 KW and 750 KW (200-1000 HP).
2. Isolation valves of type D must be installed in compressors with capacities
greater than 750 KW (1.000 HP). However, normal practice is to use type
D valves for all compressors specified in a.1. The isolation valves must be
located at least 7,5 meters from the compressor, if the piping layout allows it.
b. If compressors are as specified in 7.2.2.a and are multi stage, with normal
capacity greater than 4 m3 (1.000 gallons) of hydrocarbons per stage at
normal levels, the valves must be installed in suction and discharge lines
between stages
c. For compressors, the purge suction and discharge valves must be
interlocked with shutdown of machine, such that upon shutdown of machine,
the purge valve opens and suction and discharge valve close.
7.2.3 Vessels
Must install isolation valves for vessels with liquid hydrocarbons at a vapor
pressure of 1,05 kg/cm2 (15 psi) at 37,8 C (100 F) with the following conditions:
a. If the inventory is between 4 and 40 m3 (1.056-10.560 gallons), calculated at
the upper operational limit, including trays and vertical reboilers in the case of
towers (without taking into account the inventory level), isolation valves type A
must be installed in each line with a diameter of 50 mm (2") or under that is
connected below the working level.
b. If the inventory is greater than 40 m3 (10.560 gallons), calculated as specified
in 7.2.3.a, a valve type A must be installed in each line connected below the range
of the operational level, independent of diameter. This requirement could apply
to small inventories with special factors such as high corrosion rate, high
pressure, cryogenic or toxic materials, if a quantitative risk analysis has
justified it.
High Risk Vessels
High risk vessels are those that have large volumes of liquid hydrocarbons and
unfavorable risk conditions. Large volumes include those greater than 40 m3
(10.560 gallons) of liquid hydrocarbons stored at a temperature above their flash
point, measured from the highest working level. Unfavorable risk conditions
include, but are not limited to, limited access for firefighting, inadequate
separation between equipment and congested piping and equipment
arrangement. In general, the installation of block valves for this type of equipment
must be determined based on a risk analysis that takes into account the indicated
factors. However, isolation valves Type D must be installed in each normally open
line connected below the normal liquid level to allow for rapid isolation of the
vessel inventory in case of fire.
7.2.4 Furnaces
a. Must install block valves type B or D, to close the process flow (flammable
liquids) in the furnace coils, when the exit pressure in the coils exceeds 14,28
kg/cm2 (203 psi). These valves may be operated manually or automatically,
however, the valves for manual operation will be installed in each furnace
stream, at a minimum of 15 meters away from the furnace.
For furnaces with exit coil exit pressures above 71 kg/cm2 (1.015 psi),
isolation valves type D must be installed at the furnace outlet.
b. The installation of emergency isolation valves in the furnaces must be
supported by a risk analysis that covers the following factors: high pressure,
volatile liquids inventory, lack of steam purge systems downstream of the
oven, lack of system for deinventory, and design problems associated with
the safety system to guarantee flow continuity. Additionally, the criteria and
parameters established in Section 5 of this Standard must be considered.
c. The use of check valves to isolate the oven must be avoided.

7.2.5 Heat Exchangers


Emergency isolation valves must be installed to isolate heat exchangers in case
of fractures or uncontrollable leaks due to thermal shocks, if the flammable liquids
are present at a temperature above their flash point.
In such cases, and when it is justified based on a risk analysis, isolation valves
type B, C or D will be installed according to size and location, and located at the
exchanger inlet and outlet piping.

7.2.6 Plant Battery Limit


a. It is required to install block valves for emergency isolation of each
pressurized line entering or leaving the battery limits of the plant, except the
flare lines and the relief valves headers.
b. The block valves to isolate the battery limits of the plants may be grouped
in headers or manifolds and must be adequately labeled.
c. Valves type B or C must be used, as per the aspects identified in Tables 3
and 4, but with the following exceptions:
- no height limitation
- block valves type C of 250 mm (10") and greater will be required only
for toxic and flammable materials. Block valves type B may be utilized
for other services
d. Required to install isolation valves type B or C in equipment adjacent to
headers at battery limits, keeping the required distance of 7,5 meters
between the valves and the protected equipment, as per Tables 3 and 4. This
distance also refers to any equipment installed, except low fire risk
installations such as those handling non flammable products or products
with high flash point, at temperatures largely below flash point.

7.2.7 Critical Locations


Emergency isolation valves type D may be installed upstream of points where
large releases of hazardous material are liable to occur (such as pumps and hose
connections).
It is unnecessary and undesirable to install an emergency isolation valve between
every inventory and every expected leakage point, since every device itself
introduces further chances of leakage. The decision whether emergency
isolation is required should be based on a risk analysis (consequence and
probability of the leak).
8 EMERGENCY DEPRESSURIZATION AND DEINVENTORY SYSTEMS (EDS)

The emergency depressurizing systems facilitate the rapid shutdown of a plant
in case of a mechanical failure and/or fire. The purpose of these systems is to
reduce, in a rapid and controlled manner, the pressure in equipment and
operational systems to avoid breaks due to mechanical failures and prolonged
releases. In general, the objective of emergency depressurizing systems is to
facilitate the control of a fire within 1 hour in conjunction with the other fire
protection systems.
In this manner, it is possible to reduce the duration of a fire, via deinventorying
of flammable products in the affected section of a plant. Generally, this operation
involves the depressurization of equipment and/or the removal of liquids, which
can be achieved using normal process mechanisms, vapor relief systems, or
facilities for liquid deinventorying.

8.1 Design Aspects of Emergency Depressurizing


a. Depressurizing systems are installed in high pressure equipment so that the
material fatigue of the vessels and the risk of failure due to fire exposure
may be reduced in an emergency situation. These vapor relief systems must
be installed in equipment operating above 17,9 kg/cm2 (254 psi). They are
normally installed in reactors for catalytic reformers, hydrocrackers,
hydrodesulfurization, hydrofining, etc. In other equipment such as
fractionators of light products or compensation tanks operating above 17,9
kg/cm2 (254 psi), the installation of emergency depressurizing must be
considered if the flammable liquid (in excess of 5.600 m3) contained in the
vessel or group of vessels, excluding pumps and piping, expands
adiabatically from the operating condition to atmospheric pressure and
self-ignites (e.g., hydrogen containing fluids).
b. Two or more vessels can be grouped to be connected to a depressurizing
system via a single connection that has adequate capacity for
depressurizing within the permitted time as long as no means can exist for
blocking any of the equipment components being protected from the single
depressuring connection.
c. The design of the systems must guarantee a pressure reduction in the
equipment or operational systems from its normal operating pressure to
50% of the design pressure in a maximum time period of fifteen (15) minutes.
A maximum time period greater than 15 minutes must be based on the
performance of a quantitative risk analysis according to PDVSA IRS02.
This aspect must be met for every vessel in the case where there are groups
of vessels connected to a single depressurization system.
d. Valves type D with actuation from control room and discharge to a safe
location (normally a closed system or flare) must be installed in
depressurizing systems.
When two (2) or more depressurization vents are installed in a process unit,
the type D remotely actuated block valves must actuate separately.
e. For determining the depressurizing rate, the following aspects must be
considered:
- Flow rate and heat supply to the process.
- Simultaneous depressurizing through normal process devices or
mechanisms cannot be relied upon.
- Backflow, and the behaviour of automatic closure devices such as check
valves or control valves on other equipment connected to the same single
depressurizing system.
f. Connections for depressurizing should discharge to a pressure relief
manifold or a vapor/liquid separator and ultimately to a flare system. If other
pressure relief devices are connected to the relieving manifold, the back
pressure imposed by the EDS must be considered in sizing the relief header
(see g).
g. The discharge manifold size must be determined assuming a fire in a single
fire zone with all depressurizing and relief valve systems in that zone lifting
simultaneously. This single fire zone must meet all of the following criteria:
- Have equipment not provided with depressurization systems
- Have equipment connected to the same depressurization system
- Equipment must discharge to the depressurization system as a result
of fire exposure.
Each fire risk area must be analyzed following the criteria set forth above.
The size of the header will be determined such that during the most critical
situation, the backpressure of all relief devices discharging to the header will
not exceed design limitations on the relief valves. When discharge manifolds
and relief headers are sized, the relief contingency that produces the
greatest backpressure must be identified. Cooling water failure, power
failure, and valve malfunction are examples of typical relief contingencies
that may be considered as they may require the activation of several
pressure relief devices.
h. The vapors from depressurization can be discharged to atmosphere if they
satisfy the criteria applied to atmospheric relief valves, including
environmental regulations, as long as the discharged products will be
vapors under any foreseeable circumstance.
i. When discharging vapors that could generate temperatures less than 0 °C,
care must be taken to ensure that the materials of construction for the
blowdown system have a low transition temperature. Similarly, it must be
ensured that the system is fabricated with appropriate methods and is
adequate to prevent stress concentrations resulting from the cooling to
which it will be exposed.
j. The design of pipe anchors and supports on discharge manifolds may
require special consideration. Sudden changes in flow rate and temperature
can produce large reaction forces; if liquids are present in the relief system,
the momentum forces may be significant. Refer to API 520, Part II for more
information on piping design.
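The criteria in 8.1 a to c can be screened mechanically once a blowdown calculation has produced a pressure-time profile for each vessel. The following Python is an added example for this guideline, not PDVSA code: it assumes the profile points come from a separate blowdown calculation, and the vessel tags, pressures and profiles are constructed sample data. It applies the 17,9 kg/cm2 threshold of 8.1 a and the "50 % of design pressure within 15 minutes" criterion of 8.1 c to every vessel on a shared connection, as 8.1 b and c require, interpolating linearly to find the crossing time.

```python
"""Screening of the emergency depressurizing criteria in section 8.1.

Added example for this guideline; it is not PDVSA code. The vessels and
pressure-time profiles below are constructed sample data, and each profile
is assumed to come from a separate blowdown calculation.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

EDS_PRESSURE_THRESHOLD_KGCM2 = 17.9  # 8.1 a: vapor relief required above 17,9 kg/cm2
TARGET_FRACTION_OF_DESIGN = 0.50     # 8.1 c: reach 50 % of design pressure
MAX_DEPRESSURIZING_TIME_MIN = 15.0   # 8.1 c: within fifteen minutes


@dataclass
class Vessel:
    tag: str
    operating_pressure: float  # kg/cm2
    design_pressure: float     # kg/cm2
    # (time in min, pressure in kg/cm2) points, starting at t = 0
    profile: List[Tuple[float, float]] = field(default_factory=list)


def eds_required(v: Vessel) -> bool:
    """8.1 a: depressurizing is mandatory above 17,9 kg/cm2 operating pressure.
    The flammable-liquid volume criterion for lower-pressure equipment is a
    separate engineering judgement and is not evaluated here."""
    return v.operating_pressure > EDS_PRESSURE_THRESHOLD_KGCM2


def time_to_target(v: Vessel) -> Optional[float]:
    """Time (min) at which the profile first reaches 50 % of design pressure.

    Linear interpolation is used inside the segment where the crossing occurs;
    None means the profile never gets there."""
    target = TARGET_FRACTION_OF_DESIGN * v.design_pressure
    pts = v.profile
    if not pts:
        return None
    if pts[0][1] <= target:
        return pts[0][0]
    for (t0, p0), (t1, p1) in zip(pts, pts[1:]):
        if p1 <= target < p0:
            return t0 + (p0 - target) * (t1 - t0) / (p0 - p1)
    return None


def meets_time_criterion(v: Vessel) -> bool:
    """8.1 c: 50 % of design pressure within 15 minutes."""
    t = time_to_target(v)
    return t is not None and t <= MAX_DEPRESSURIZING_TIME_MIN


def check_group(vessels: List[Vessel]) -> Dict[str, str]:
    """8.1 b/c: on a shared depressurizing connection every vessel must meet the
    time criterion on its own. Returns a finding per vessel tag."""
    findings: Dict[str, str] = {}
    for v in vessels:
        if not eds_required(v):
            findings[v.tag] = "below 17,9 kg/cm2: EDS not mandated by 8.1 a"
            continue
        t = time_to_target(v)
        if t is None:
            findings[v.tag] = "never reaches 50 % of design pressure: resize"
        elif t <= MAX_DEPRESSURIZING_TIME_MIN:
            findings[v.tag] = f"OK: 50 % of design pressure at {t:.1f} min"
        else:
            findings[v.tag] = (f"{t:.1f} min exceeds 15 min: resize or justify "
                               "by quantitative risk analysis (PDVSA IRS02)")
    return findings


# Constructed sample group sharing one depressurizing connection (8.1 b);
# tags and numbers are illustrative only.
SAMPLE_GROUP = [
    Vessel("V-101", 30.0, 35.0, [(0, 30.0), (5, 24.0), (10, 19.0), (15, 16.0)]),
    Vessel("V-102", 40.0, 45.0, [(0, 40.0), (5, 34.0), (10, 29.0), (15, 25.0), (20, 22.0)]),
    Vessel("V-103", 12.0, 15.0, [(0, 12.0), (15, 9.0)]),
]

if __name__ == "__main__":
    for tag, finding in check_group(SAMPLE_GROUP).items():
        print(tag, finding)
```

In the sample group V-101 reaches half its design pressure at 12.5 min and passes, V-102 needs about 19.2 min and is flagged for resizing or a quantitative risk analysis, and V-103 operates below the 8.1 a threshold, so only the flammable-liquid criterion would need to be reviewed for it.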

8.2 Design Aspects of Emergency Deinventorying Systems


These systems have a specific application. They are utilized to displace inventory
of flammable products from equipment at high risk, when no other normal means
are available. The maximum allowable time is two hours for total displacement
of the flammable product. The design of the displacement system must consider
the following factors:
a. Connections for deinventorying must be at the lowest point of the equipment
or associated piping.
b. For volumes of flammable products between 20 and 40 m3 (3,150 and
10,560 gallons), the diameter of the connection must be at least 50 mm (2").
c. For inventory volumes greater than 40 m3 (10,560 gallons) the diameter of
the connection should be sized to meet the required deinventorying time, but
must be at least 100 mm (4").
d. It is required to install isolation valves type D in the connection for
deinventorying of equipment.
e. The connection for deinventorying must be coupled to a closed drain
header and subsequently to a transfer vessel or knockout drum.

8.3 Water Displacement Systems


These consist of connections to displace liquid hydrocarbons with water allowing
the halting of uncontrolled releases of hydrocarbons due to breaches or cracks
in vessels or tanks. The method consists of injecting water through a connection
at the tank bottoms, such that as the liquid hydrocarbon is displaced by water, it
ceases to leak through the crack allowing the repair of the leak in a safe manner.
The water displacement system requires a water source at a higher pressure than
the sum of the pressure inside the vessel and the static head of the
hydrocarbon in the vessel. This method should not be applied if the operating
temperature is above 200 °F.
The water displacement method has limited application but it may be considered
as an alternative to isolation or deinventory of volatile liquids in high risk areas,
where there are no other alternatives.

9 EMERGENCY VENTING SYSTEMS


Emergency venting systems are defined as a group of pipes and accessories that
transport hazardous and flammable gases and vapors from the outlet of any relief
or safety valve to a predetermined point where they discharge to atmosphere.
The venting systems are used to protect vessels and/or equipment containing
liquids, liquefied gases and compressed gases, against overpressures that may
originate upon exposure to a fire. Venting systems may also be used for vessel
deinventorying provided that the design temperature of the vessel is not
exceeded during venting (e.g., liquefied gases).

9.1 Design Aspects


Venting systems must be designed to allow transport of vapors and gases to safe
destinations. Similarly, the system must be able to handle vapors from process
water and cooling water or other effluent streams that may be contaminated with
hydrocarbons, thus creating hazardous conditions if they were discharged
directly to drain systems.
The design of the venting systems may also apply to equipment operating
under vacuum conditions, in a continuous or intermittent manner. Such systems
must be designed to withstand and operate under vacuum conditions, or must be
provided with devices or systems that allow safe operation under both vacuum
and pressurized conditions.
The venting system design must meet the following requirements:


a. Discharges to atmosphere must be located at least 30 meters from any
continuous ignition source. Nevertheless, they must be located at a safe place
based on the results of a dispersion and radiation analysis.
b. Vent pipes must be installed on all atmospheric vessel relief valves, to
discharge at least 3 meters above any working platform and a separation
distance of at least 30 meters from other working platforms.
c. Gases and vapors discharged from vent pipes must not present injury risk
to personnel or risk of equipment damage
d. In locations where vapor and gas atmospheric discharge pipes can be
affected by electrical discharges (static and lightning), the vent pipe must
have a coupled connection to discharge steam or any other inert gas in the
vertical piping of the venting system so a fire in the discharge can be
suffocated. (See section 9.1.1)
e. Hydrocarbons lighter than 68 °API, that is with a relative density of 0,709 at 15
°C (59 °F) and 1,03 kg/cm2 (14,7 psi), must be vented to a safe location, or
to a flare or vent stack.
f. Flammable liquids and/or combustible liquids with operating temperatures
below their flash point, can discharge to closed drain systems with valves.
g. Discharges of vapor or condensate must be through steam traps. Neither
discharge may go to pathways or areas visited by personnel or close to
equipment working at temperatures above 315 °C (600 °F).
h. Relief device discharge piping must be supported and anchored to
withstand the resulting reaction forces.
i. All vertical vent piping must have a drain or weep hole at its base to eliminate
water that could accumulate within the piping.
j. All relief valves venting liquid or two-phase fluid must discharge through a
separator, except relief valves installed to release liquid thermal expansion.
Vent headers designed to receive liquids or condensables must be
self-draining to avoid liquid accumulation in the piping.
k. Residual light ends in vessels with volumes less than or equal to 0,1 m3 (26
gallons) can be vented to atmosphere when equipment is out of service or
for major maintenance.
9.1.1 Flame Arresters on Vent Systems
A flame arrester is a device permeable to gas flow but impermeable to any flame
it may encounter under anticipated service conditions. It must both quench the
flame and cool the products sufficiently to prevent reignition at the arrester
outlet.
End of line or deflagration flame arresters are used to prevent a flame
propagating into a system from outside (such as via a tank vent). They are called
deflagration flame arresters because, being close to the end of the line, there is
insufficient run-up distance for a deflagration-to-detonation transition to develop
inside the piping.
a. Atmospheric vents for tanks or process vessels storing Class IA liquids shall
be fitted with approved flame arresters. The exception are crude tanks of
3.000 barrels or less in crude producing areas, and aboveground
atmospheric tanks under 1.000 gallons.
b. Flame arresters required in a. above may be omitted where conditions are
such that their use may, in case of obstruction, result in tank damage (e.g.,
under PV vents or refrigerated atmospheric storage tanks due to potential
for ice pluggage.)
c. Flame arresters are not considered necessary below a pressure/vacuum
valve. To address the possibility of airborne sparks, a tested flame screen
shall be installed on the vacuum port.
d. It is essential that any arrester be properly tested under conditions that
simulate the proposed service.
e. It is essential that transition to detonation does not occur in the piping
between the atmosphere and the deflagration flame arrester. Hence, if any
significant length of piping is involved it should not contain
turbulence-promoting obstructions such as tees, elbows, valves, or other
flow restrictions. If a deflagration is capable of transition to detonation before
reaching the arrester, a detonation flame arrester must be used.
f. Flame arresters are a potential cause of vent blockage and tank collapse.
They must be designed for periodic maintenance including any associated
pressure and temperature sensors, or ancillary equipment, for example,
where a liquid seal must be maintained.

9.2 Application
9.2.1 Venting of Tanks and Vessels
a. Fixed Roof Tanks (atmospheric)
Fixed roof tanks must be provided with vents to prevent positive pressures
or vacuum conditions exceeding the design limitations. Pressure variations
can be expected during filling and emptying of the tanks, due to atmospheric
temperature changes, or during fire situations in the area.
All fixed roof tanks must be provided with vacuum breaker/pressure relief
valves when they store flammable liquids with flash points within 4 °C (72 °F)
of the maximum temperature expected at the liquid surface.
Fixed roof tanks must be provided with additional venting capacity to reduce
the rupture possibility on the seams due to pressure oscillations caused by
vapor or light ends in the tank. The size of the venting must be in accordance
with API RP 2000. In situations where stored materials can generate vapors
in the flammable range, inert gas blanketing must be considered. Designs
for maintaining low flammable concentrations are discussed in NFPA 69,
Explosion Prevention Systems.
b. Low Design Pressure Vessels
Spheres or vessels designed for a maximum pressure of 1 kg/cm2 (14,3 psi)
must be designed in accordance with API 620. The relief valves may
discharge directly to the atmosphere through a vertical vent extending a
minimum of 3 meters above the highest structure of the vessel or platform.
The relief valves may also discharge to a flare system.
c. High Design Pressure Vessels
Spheres and cylindrical vessels must be designed in accordance with the
latest edition of the ASME Boiler and Pressure Vessel Code Section VIII
or other national or internationally recognized codes. When the relief valves
discharge directly to the atmosphere, they must do so through a vertical vent
piping extending a minimum of 3 meters above the highest structure of the
vessel or platform. The relief valve may also discharge to a flare system.
d. LPG Tanks
The discharge coming from the venting of pressure relief valves or from a
common header containing LPG must be routed to atmosphere or to a flare
system. When the discharge is routed to atmosphere, the area must be free
from potential flames that could affect other tanks, piping, equipment, and
structures. Similarly, the entrance of vapors to the LPG tank confined space
must be prevented.
e. Knockout drums
The purpose of a knockout drum is to receive the discharges from the relief
valves of a closed system, drains, or purged and diverted liquid or vapor
streams to be burned and disposed of safely in adequate storage. They are
designed to prevent liquid hydrocarbons from going directly to the flare.
The knockout drum is designed to separate liquids and vapors, but
additional condensation may occur if the vapors vented from the knockout
drum exit at a temperature above the ambient temperature.
Condensable knockout drum
The condensable knockout drum reduces the capacity requirements of the flare
and prevents the discharge of condensable hydrocarbons to the atmosphere.
The condensable hydrocarbons and the water effluents are
discharged through a seal system into a contained drain system or slop tank and
the noncondensable light hydrocarbon vapors vent to the flare or atmosphere.
The knockout drum discharges vapors to a vent or flare system, which must
conform to the following conditions:
- The vent pipe must be located at a minimum of 15 meters above ground level
and at a minimum of 3 meters above any equipment that is located within a
horizontal distance of 15 m. Nevertheless, the vent pipe must be located at a
safe place based on the results of a dispersion analysis.
- The radiation intensity shall not exceed the limits for operational personnel
exposure (1500 BTU/hr·ft2).
- The design must take into consideration the adjacent equipment and work
areas in determining the adequate dispersion of flammable and toxic products.
- The vent must have means for steam or inert gas injection, or other effective
means to prevent flame flashback and/or to extinguish it.
- The design pressure of the drum must be 10,5 kg/cm2 (1500 psi).
f. Disengaging Drum
Disengaging drums are utilized to separate liquid hydrocarbons and
gaseous contaminants from the effluent streams in the plants. The object is
to allow safe discharge of effluent streams to the drain system.
The exit vapors from the disengaging drum can discharge to the atmosphere
or to the flare; however, atmospheric discharge is subject to the
following conditions:
- The vent pipe shall be located at a safe location based on the results
of dispersion and radiation analysis.
- The radiation intensity shall not exceed the limits for operational
personnel exposure (1500 BTU/hr·ft2).
- Ground level or work platform level concentrations must not exceed
the threshold limit value (TLV) of any toxic vapor that could be vented.
- The vent piping must be vertical and oriented upwards. It must be
provided with steam or inert gas injection for fire protection, by
suffocating the fire or by forcing the flame to recede. Steam should not
be used in systems venting cold vapors (< 0 °C).
g. Waste Drums (Slop Tanks)
The design of plants must include safe elimination of waste products such
as:
- Liquid hydrocarbons accumulated in non-condensable knockout
drums, coming from safety valves, closed drains and drains from
separator drums.
- Emulsions and water-hydrocarbon mixtures coming from ballast
separators and products from tank bottoms.
- Off-spec products due to start-ups and shutdowns of plants.
- Streams that could be diverted due to safety interlock of equipment.
Slop tanks should be designed to handle the widest range of possible
conditions and incorporate the same safety features as a process vessel
designed for such conditions.
9.2.2 Venting in Compressors
The relief valves on the discharge of compressors or gas scrubbers must discharge
to a vent line located outside and above the compressor building eaves.
Bypasses around the relief valves on compressors should be avoided, if the
discharge is through a relief header shared with other relief devices. Since block
valves in bypasses are often inadvertently left open after repair or major
maintenance, this allows backflow and backpressure from the common relief
header to the compressor through the open relief path.
a. Additional Requirements for Reciprocating Compressors
The vent piping for the stuffing box and yoke of reciprocating compressors
in flammable or toxic service must be installed according to the following
requirements:
- The vent and drain piping must be independent to prevent a mixture
of gases or backflow from the vent or drain systems.
- The piping for vents, drains, service air, and flammable gases must
be independent.
- The headers for draining leaks from compressors and venting from
the stuffing box will not be used for discharging liquid from condensate
traps in the interstages of the compressor.
- The venting line of the stuffing box must include a separator.
- The venting line from the stuffing box must be provided with a
three-way valve to allow leak detection.
9.2.3 Venting in Pumps
Non-hazardous fluid pumps must have a casing vent discharging to an open
drain or the pump base.
9.2.4 Venting in Heat Exchangers
Heat exchangers that have block valves for maintenance operations must be
considered as vessels according to contents and inventory and would be treated
as subsection 7.3.2 of these guidelines.
10 OVERPRESSURE RELIEF DESIGN


This document intends to present guidelines for the conceptual design phase of
overpressure relief systems. The PDVSA Manual de Diseño de Proceso, Safety
Design Section, shall be consulted for guidance on the detailed design of Safety
Relief Protection Systems.
The relief requirements shall be established at an early stage of the project and
must be fully developed before the design specification stage.

10.1 Relief Design


10.1.1 Relief Scenario
Relief valve sizing must be based on the maximum rate that must be relieved to
protect equipment against overpressure due to any single cause or worst
credible relief scenario. The worst credible relief scenario shall be identified
through formal evaluations such as HAZOP studies, fault trees and consequence modeling.
All calculations should be based on API RP 520 and 521. Potential
overpressurization causes that must be taken into account include (but are not
limited to):
- Exposure to fire (pressure relief devices shall be sized for an external fire
scenario on all vessels and equipment that could be subjected to a sustained
external fire).
- Operational or Equipment Failure (pressure relief devices shall be sized for the
worst case operational or equipment failure scenario, such as blocked outlets,
manual valves opened to a different pressure system, a control valve failing open on a
high pressure vessel containing liquid which flashes into a downstream vessel,
power failures, instrument air failures, cooling water failures, reflux or
recirculation failures, thermal expansion, vacuum, loss of motive steam to
ejectors used in vacuum services, tube rupture or air cooler failure in heat
exchangers, etc.).
- Process Upsets (pressure relief devices shall be sized for the worst case
anticipated process upsets, such as runaway reactions, imbalance of flow rates
in and out of process equipment, etc.).
10.1.2 Two-Phase Relief
As an initial part of the relief design, a determination must be made whether two-
phase relief is possible. In general, two-phase flow requires a larger relief area
than all-vapor or subcooled (non-flashing) liquid flow. Two-phase flow sometimes
requires a relief system two to ten times larger than the vapor flow relief used for
standard calculations.
By way of definition, two-phase flow is described as follows: boiling takes place
throughout the entire volume of the liquid, rather than solely at the surface. Each
bubble occupies volume and displaces the liquid surface upward. Individual
bubbles are able to rise (slip) through the liquid (with a velocity that depends on
the buoyancy and surface tension) but are retarded by viscosity and the foamy
character of the fluid. If a sufficient volume of bubbles becomes trapped, the liquid
surface reaches the height of the relief device and two-phase flow occurs through
the relief device.
Two systems for which two-phase relief can occur are:
- Relief due to a runaway reaction (either through vaporization of the material or
generation of non-condensable gases such as CO2 or N2).
- The initial relief due to fire exposure from a vessel with a high liquid level (>50%
of total height) will generally be two-phase.
If two-phase relief is possible, recognized technology for two-phase emergency
relief system design shall be used to avoid undersizing a relief device and the
potentially catastrophic overpressurization of the vessel. The methodology developed
by the Design Institute for Emergency Relief Systems (DIERS), a consortium of
companies under the auspices of the American Institute of Chemical Engineers
(AIChE), and published as Emergency Relief Systems Design Using DIERS
Technology, is an important means for addressing two-phase relief situations
not covered adequately by ASME and API Standards.
In addition to the overpressure concerns associated with undersizing a relief
valve, it should be understood that installing a grossly oversized relief valve may
not make for increased safety, as the relief valve may chatter, that is repeatedly
and rapidly open and close, resulting in vibration-induced leaks or valve
malfunctioning. Hence, it is critical that the system be understood and the relief
valve sized appropriately.
10.1.3 Installation
The installation procedure must follow ASME Section VIII Division I.
10.1.4 Spare Relief Valves
It is recommended that spare relief valves be provided to allow in-service
maintenance of one of the relief valves by switching rather than shutdown. The
following guidelines shall be used in the design of systems with in-service spares:
a. They should be installed in parallel and isolated by full-port, three-way or
transflow valves at the inlet and outlet (when connected to a header).
b. A bleed valve should be provided between the relief valve and the inlet block
valve.
c. If standard block valves are to be used, key locks must be used to assure
a proper isolation sequence.
d. Upon a release through a relief valve, the performance of the valve that
relieved must be checked while a spare is in use.
10.2 Overpressure Relief Devices


This section presents an overview of the most common types of relief devices and
their advantages and disadvantages. This information is provided to assist
designers in the selection of appropriate relief devices.
10.2.1 Conventional Relief Valves
Conventional relief valves operate when process pressure acts directly on the
disk and spring of a spring-loaded pressure relief valve to effect its opening.
Thus, the spring setting of the valve is affected by the differential pressure across
the valve, i.e., process pressure versus the expected built-up and superimposed
back pressure.
The advantages of conventional relief valves are:
- Cost effectiveness
- Availability in a wide range of sizes
- Easily maintained
The main disadvantage of conventional relief valves is that they are limited to
systems where built-up back pressures do not exceed 10% of set pressure, such
as atmospheric venting through a short tail pipe or venting through a low pressure
relief manifold carrying the discharge of one or more valves.
10.2.2 Balanced Safety Relief Valves
As in a conventional relief valve, in balanced safety relief valves the process
fluid pressure acts directly on the disk and spring of the pressure relief valve.
However, the design of balanced pressure relief devices incorporates means
(typically a bellows) for reducing the effect of back pressure on the set pressure
and for minimizing the effect of built-up back pressure on performance
characteristics.
The advantage of balanced safety relief valves is that they can be used in systems
where built-up and/or superimposed back pressure is high or variable. A balanced
valve's capacity is not affected by back pressure until it rises to about 30 to 40% of
set pressure.
The disadvantage of balanced safety relief valves is that the maximum
back pressure permitted may be limited by the mechanical limit of the back
pressure compensator (bellows) at higher set pressures.
Balanced relief valves can be bellows type or piston type. Both are described
below:
a. Bellows Type Balanced Relief Valves
Bellows type valves are designed to equalize back pressure forces on both
sides of the valve disk. The bellows is vented to either the atmosphere or a
disposal system, provided the disposal system pressure is constant. In
addition to offsetting the effects of variable back pressure, the bellows acts
as a seal to process fluids.
The main advantages of bellows balanced relief valves are:
- They can be used in situations where the imposed back pressure is too high
for conventional relief valves.
- They can be used in corrosive or fouling services, as the bellows protects
the spring, disk guide, and other top works parts from the process fluid.
The disadvantages of bellows-type balanced relief valves are:
- Bellows valves are more costly than conventional valves
- They require special maintenance and inspection to assure the integrity of
the bellows
- Due to physical size limitations, there is not a wide variety of sizes and
valve designs (if corrosion isolation is the major factor, unbalanced
bellows valves have more sizes available)
b. Piston Type Balanced Relief Valves
Piston type valves have vented guides so that the back pressure on
opposing faces of the valve disk is canceled.
If corrosion protection of the balanced relief valve from the process fluid is
not required, the piston type is satisfactory.
10.2.3 Pilot Operated Relief Valves
In a pilot operated relief valve the major relieving device (the main valve) is
combined with and controlled by a self-actuating pressure relief valve (the pilot
control unit). The pilot is a spring-loaded valve that senses the process pressure
and opens the main valve by lowering the pressure on the top of an unbalanced
piston, diaphragm, or bellows of the main valve. Conversely, once the process
pressure is lowered to the blowdown pressure, the pilot closes the main valve by
permitting the pressure in the top of the main valve to increase.
The following are some advantages of pilot operated valves:
- They are designed to remain tightly closed until their set point is reached. This
means they are ideally suited for applications where the operating pressure is
higher than 90% of the valve set pressure.
- Chattering of the valve due to back pressure is not possible.
- Set pressure is not affected by back pressure.
- Valves can be used in vapor or liquid service with back pressure greater than
50% of set pressure (subject to vendor's specifications).
- A valve's pilot and reseat pressure can be checked while the valve is in service.
- Blowdown (difference between the set pressure and the closing pressure) can
be specified as low as 2% of set pressure.
- A pilot operated relief valve can be specified to have modulating action, that is,
to open only in proportion to the relief requirement. Thus, it reduces the upset
in the process unit and the product lost to the flare whenever a minor
overpressure situation occurs. A modulating pilot operated valve has zero
percent blowdown: it is designed to reclose at its set pressure.
- May cost less than direct spring valves for those larger than 3-inch size.
The following are some disadvantages of pilot operated relief valves:
- The valves have more restrictive temperature limits than do spring-loaded
valves.
- The technology is more complicated, so it takes more knowledge to specify
a pilot operated valve and install it correctly.
- The valve needs design features generally not associated with a spring-loaded
relief valve. There may be a filter in the sensing line if the service is dirty and
a backflow preventer if the valve discharges to a flare header system.
- These valves have more restrictive metallurgy selection.
- They may cost more than direct spring valves for those smaller than 3-inch size.
- Usually limited to clean services (e.g., not recommended for crude oil service).
10.2.4 Rupture Disks
A rupture disk is a device actuated by inlet static pressure and is designed to
function by the bursting of a pressure retaining disk. A rupture disk assembly
consists of a thin, circular membrane, made of metal, plastic, graphite, or a
combination of materials, that is firmly clamped in a disk holder. It can be installed
alone or in combination with other pressure relief devices. When rupture disk
support plates are required, the reduction in flow area caused by the plate must
be allowed for in the rupture disk size selection.
The following are some advantages of rupture disks:
- They can be installed upstream or downstream of relief valves in highly toxic
or corrosive services, to prevent corrosive or hot fluid or particulates from
contacting the relief valve or seat. Only rupture disks that have a
non-fragmenting design may be used beneath a pressure relief valve. When
used in this manner, a pressure indicator or switch must be provided to sense
pressure between the rupture disk and the relief valve.
- More effective than a relief valve in protecting equipment from sudden
explosions.
- Depending on material of construction, they are more resistant to corrosion or
plugging than other relief devices.
- They have applications in viscous and slurry services.
- In limited services they are more cost effective than relief valves.
- They rupture only when the designated pressure is reached and, therefore, do not
simmer like a relief valve.
The following are some disadvantages of rupture disks:
- When a disk ruptures, the entire contents of the system it is protecting may be
lost (they do not reseat).
- It is difficult to detect if a disk is leaking unless other instruments like pressure
indicators or burst disk indicators, detectors or alarms are installed in the disk
assembly.
- Old disks or those subject to high cycle fatigue may experience premature
failure due to metal fatigue. To minimize this, rupture disk burst pressure should
be set considerably above the full range of operating pressures. They may
require replacement every year depending on plant operating and
maintenance procedures.
- Rupture disks are subject to mishandling. Careful installation is of extreme
importance. The disks are made of thin, fragile metals and any deformation
during assembly may weaken them and result in premature rupture. In
addition, they are often mistakenly installed backwards, that is, the side that
is designed to burst when it is overpressured is not facing the protected vessel,
thus creating a greater hazard by potentially increasing the rupture pressure.
- Burst pressures are sensitive to temperature variations.
- Some types require greater operating margins.
Rupture Disks / Relief Valve Assemblies
Rupture disks may be installed upstream of the relief valve to prevent corrosion
of the pressure relief valve if the process fluid is corrosive. The following features
must be included:
a. The relief device capacity must be derated as required by ASME or vendor
data.
b. A pressure monitoring device must be installed between the rupture disk and
the relief valve to ensure that the rupture disk may still burst, even if a pinhole
exists in the disk creating undue backpressure.
A rupture disk may be installed downstream of a relief valve to protect the valve
from atmospheric or downstream fluids or to prevent valuable, noxious, or
flammable materials from leaking through the pressure relief valve to the
atmosphere. If the rupture disk is located after the relief valve, the bleed off device
must be installed between the valve and the rupture disk.
10.2.5 Liquid Seals
Liquid seals are U-tube hydraulic loops whose diameter and seal depth are sized
to pass the design relieving rate at the required design pressure.
The following are some advantages of liquid seals:
- Simple and relatively inexpensive for low pressure systems.
The following are some disadvantages of liquid seals:
- There is a need for continuous seal fluid, during normal operations and after
a blowout.
- Because the liquid tends to surge, a liquid seal should not be used in
situations of rapid pressure rise.
- Application is limited to equipment with design pressure slightly above
atmospheric.
- There is a need for non-freezing fluid or freeze protection in some locations.
10.2.6 Pressure-Vacuum Relief Valves
These units combine both a pressure and a vacuum (PV) relief valve into one
assembly that mounts on a single nozzle on top of the tank. These valves are
normally sized to handle the maximum relief requirements under normal
conditions, not for emergency relief. An additional safety relief valve is placed on
the tank for emergency relief situations.

10.3 Miscellaneous Relief Devices
Other types of relief devices include:
- Fusible plugs or blowout plugs. Fusible plugs are used, for example, in chlorine
cylinders; they are made of a low melting point metal that would melt if exposed
to a fire.
- Designated failure points, such as weak seams that are used to preferentially
fail the top of a tank in case of fire exposure or internal explosion.

11 FLARE SYSTEMS
A flare provides a means for disposing of flammable, toxic or corrosive gaseous
effluents by burning them under controlled conditions and converting them to less
objectionable compounds. A flare must handle materials vented during all
operating conditions, including normal startup, and emergency conditions. The
three most common types of flares are discussed below.

11.1 Types of Flares
11.1.1 Elevated Flares
Elevated flares consist of a stack, flare tip, pilot burners, pilot ignition, and
associated facilities for fuel gas and steam. For most applications, the elevated
flare is the only acceptable means of flaring dirty gases that may result in the
evolution of particulates or corrosive compounds. The elevated flare is the most
common choice for total flare loads, or for handling overcapacity releases in
conjunction with a multiple burner (multi-jet) ground flare.
The advantages of elevated flares are the following:
- Appropriate for burning gases containing hydrogen sulfide, hydrocarbons and
other corrosive or toxic fluids.
- Provides the best dispersion of malodorous or toxic combustion products.
The disadvantages of elevated flares are as follows:
- Exposure of plant personnel and facilities to radiant heat during a major
release.
- Annoyance of the public due to the visible flame and sound.
- Does not completely thermally destroy halogenated organic and other
thermally stable compounds.
11.1.2 Ground Flares
Ground flares are limited to uses where height requirements exist. Enclosed
ground flares avoid open flame exposure and provide better combustion
efficiency, and typically consist of a refractory lined structure that houses the
burners. Enclosed ground flares reduce luminosity and noise levels.
The main advantages of ground flares are reduced radiation and lower cost of
construction.
Some disadvantages of ground flares are:
- Proximity to ground limits application to gases not producing toxic or pollutant
byproducts during combustion.
- Requires a large surface area.
11.1.3 Low Pressure Flares
They are usually designed to burn off-gases from storage tanks containing VOCs
(volatile organic compounds), API separators, dissolved air flotation (DAF), and
other wastewater treatment units; and other plant units containing organic vapors
that operate at or near atmospheric pressure. When the system pressure is
insufficient to deliver the off-gases to the flare, a blower may be installed after the
off-gas pressure source but prior to any flashback prevention device.
Where a blower is necessary, its advantages in a low pressure system are:
- Provides adequate pressure without the need to modify the sources.
- Reduces the size of the flare header.
- Permits the use of the flashback prevention device of choice (not limited by
pressure drop across the device).
The disadvantages of a blower in a low pressure system are:
- Inherent hazard of potential sparks.
- System reliability.
To minimize the disadvantages, explosion-proof blowers and spare online
blowers are provided and preventive maintenance must be performed on the
system.
11.1.4 Aspects of Flare Systems Design
Recognized codes and standards must be used for the detailed design. The main
hazards associated with flaring are:
1. Explosions in the flare system.
2. Obstruction in the flare system.
3. Low temperature embrittlement of the pipework.
4. Heat radiation from the flare.
5. Liquid carryover into the flare.
6. Emission of toxic materials from the flare.
The following issues must be considered in flare system design:
a. Meeting regulatory concentration limits for toxic, corrosive and
flammable substances, noise and smoke from flare systems.
b. Location and spacing in relation to process units, storage areas,
grade level, and personnel. Criteria should be based on radiant heat
flux, and ground level concentrations of toxic or corrosive
components of the flare gas combustion products. A risk analysis or
consequence analysis including air dispersion and radiation
modeling should be used in the early stages of the design, as per
PDVSA IRS02.
c. The need for separation equipment to remove entrained liquids in the
flare gases.
d. Safe location of pilot ignition systems and their controls.
e. Prevention of oxygen from entering the system (air can enter as a
result of maintenance of a relief valve, diffusion down from the flare
tip when the flame is not operating, corrosion, etc.). The following
methods must be used for preventing dangerous air in-leaks to the
flare system:
  - prevention of leaks
  - purge gas
  - monitoring of oxygen concentration
Prevention of leaks is the best approach (proper maintenance procedures to
avoid air entering the flare system during relief valve maintenance, use of adequate
materials of construction to avoid corrosion induced leaks).
Provision must be made for purging of the flare header with fuel gas or an inert
gas to avoid air leaks into the system if the flare gas pressure falls too low and to
prevent flameout due to low gas flow.
A separate flare system for oxygen-containing streams should be used if
necessary to avoid the potential for explosions in the main header if flammable
concentrations are possible.
Water seals and flame arresters are used in flare systems to prevent flashback,
and molecular seals are also used to prevent air ingress. Water seal problems
include the creation of an uninterrupted gas passage through the water at high gas
flows, which can render the seal ineffective; the tendency to surge, which can
affect flare operation; and the need to continuously replace the water lost.
Proprietary water seals are available that overcome these difficulties.
The use of flame arresters and molecular seals is discouraged as they have the
serious disadvantage that they tend to plug up, obstructing the flare system.
11.1.5 General Flare Header Design Guidelines
Following are general guidelines for flare header design:
a. Extensive measures should be taken to avoid pockets, (i.e., low points) in
the flare header and associated piping.
b. Piping (discharge piping, subheaders and headers) should be free draining
to the knockout drum.
c. Consider intermediate knockout drums in or near process units if the flare
stack is located in a remote area of the plant.
d. Avoid sectionalizing the flare header to prevent maintenance problems with
valves and possible misoperation or malfunction.
e. Flare headers may collapse if a large volume of liquid is inadvertently
discharged into the header, exceeding the capacity of the piping supports.
To prevent such events, it is advisable to use criteria such as specifying the
pipe as half-full of liquid or otherwise ensure that the header can support the
weight of the liquid and absorb the impact of any liquid slugs.
f. Flares handling combustible vapors from multiple relief valves must not be
used for venting air or steam during startup or at any time loss of flame is
likely.
g. Flame arresters should not be used in flare systems because they are
subject to plugging and during the cooling that follows a warm discharge, air
may be drawn back into the flare system through the flame arrester. Other
means for flashback prevention are more reliable such as continuous gas
purge.
Collection Headers
It is desirable to combine effluent disposal systems based on similar pressures,
temperatures, compositions and quantities. The materials of construction of the
flare collection headers, flare stack and tip are determined by the composition of
the flare fluid (especially if corrosive or toxic) and the operating pressure and
temperature of the flare system. Some common headers and typical materials of
construction are:
- Cold flare header: austenitic stainless steel is used for ethane and lighter
effluents which flash at -45°C (-50°F).
- Intermediate flare header: low temperature carbon steel is used for cold, dry
effluents at temperatures from -45 to 0°C (-50 to 32°F).
- Hot flare header: carbon steel is used for hot, wet effluents above 0°C (32°F).
- Sour gas header: due to the corrosive and toxic nature of sour gas, a stainless
steel separate header and stack dedicated to sour gas is sometimes more
economical than providing a larger stainless steel header to handle a
combination of sour and non-sour streams.
11.1.6 Flare Knockout Drums
Design should conform to recognized codes and standards such as API RP 521.
Other considerations in the design of the knockout drum are:
a. A steam coil, jacket, or other means of heating is sometimes provided in the
drum to prevent high viscosity liquids from becoming too viscous to drain or
be pumped.
b. The drum should be sloped towards the liquid outlet nozzle.
c. Consideration should be given to the reactivity of all chemicals which may
be encountered, especially when external heating is applied.
11.1.7 Flare Seal Drums
The purpose of the seal drum is to prevent air ingress into the flare system, thus
providing flashback protection.
Seal drum design should conform to recognized codes and standards such as API
RP 521. Other considerations in the design of seal drums are:
a. They must be designed for at least 50 psig to withstand internal explosion.
b. The vapor space must be sized to avoid entraining the seal liquid in the flare
gas and to prevent surges of gas flow to the flare.
c. The seal drum should have sufficient capacity to prevent backflow
under any circumstances.
11.1.8 Flare Stack
The height of the flare is generally based on the radiant heat flux generated by the
flame and the dispersion of gas vented once the pilots fail. A risk analysis (taking
into consideration wind effect, distance to structures and personnel, etc.) is
recommended to determine the optimum flare stack height. Flare stack design
must conform to recognized codes and standards such as API RP 521 and
PDVSA CB201P Mechurrio de Baja Presión.

12 BLOWDOWN SYSTEMS
Blowdown systems are systems designed to safely dispose of condensable
vapors, contaminated aqueous effluents, and various other liquid streams
generated due to plant emergencies.

12.1 Aspects of Blowdown Systems Design
The following requirements shall be met:
a. Blowdown drums must be designed to handle overpressures that could
result from continuing runaway reaction or from external fire. A design
pressure of 50 psig is the minimum recommended.
b. Pressure relief should be provided in case of external fire or continuation of
any runaway reaction.
c. In designing vessel nozzles, attachments, supports, and internals,
consideration should be given to shock loadings resulting from thermal
effects, slugs of liquid, or gas expansion.
12.1.1 Equipment Drainage Systems
During upset conditions or shutdowns, process equipment items must be drained
of their contents to allow personnel safe entrance. For disposal of larger
inventories, the following guidelines may be used:
- For low boiling materials, drain to a closed drain header for further treatment.
- For materials above their flash point, drain to a closed drain header for further
treatment.
- For high boiling materials below their flash point, drain to the appropriate sewer.
- For aqueous liquids contaminated with low boilers, drain to water or caustic
disengaging drums for subsequent treatment. After pressure relief,
combinations may result in hydrate formation or freezing, resulting in plugging
problems.
- For aqueous liquids contaminated with low concentrations of high boilers, drain
to a vented section of an oily water sewer.
- For sour water contaminated with spent caustic, drain to an atmospheric tank
for subsequent disposal. The tank must be provided with a means to handle
any sour off-gas.
- For toxic, corrosive or pollutant fluids, drain through a closed drain system for
collection and recycle to the plant for recovery or treatment.
- For uncontaminated cooling water and steam condensate, drain to a clean
water or oily water sewer.
12.1.2 Disengaging Facilities
Disengaging facilities remove organic vapors or liquids or other contaminants
from utilities such as cooling water or steam. Requirements for the safe design of
disengaging drums have been covered under Subsection 9.2.1.

12.1.3 Quench Drums
A quench drum is used to cool or partially condense vapors discharging from relief
devices by spraying water or other suitable liquid directly into the gas stream. By
condensing organics, this type of drum reduces flare loads and vapor loads to
other downstream facilities, and reduces the amount of organic emissions. The
use of this type of drum is limited by the type of organics present in the effluent.
The following guidelines must be followed in the design of quench drums:
a. They cannot be used for water-miscible organics, liquid low boilers, or fluids
below 0°C (32°F).
b. Vapor and liquid loads to the quench drum must be determined on the basis
that all relieving devices from process units will discharge under one
controlling contingency only (for example, cooling water or power failure).
c. Design pressure of the drum should be a minimum of 50 psig to withstand
an internal explosion.
d. If the drum is treated as a pressure vessel, it should be provided with
overpressure protection.

13 RESPONSIBILITIES
The responsibilities to ensure that the requirements set forth in this Standard are
met rest with the following individuals:
- Design of systems in compliance with these requirements is the responsibility
of the design engineer in charge of the project or sections.
- Review of the process safety of the design is the responsibility of the process
safety coordinator.
- Assurance that the review team performs the required reviews is the
responsibility of the process safety coordinator.
- Determination of risk levels of the project and conducting appropriate risk
analysis is the responsibility of the risk engineer.
APPENDIX

A Reliability Theory
There are two concepts that form the basis for reliability analysis: repairability and
mission time.
Regarding interlock repairability, a device is repairable if maintenance can be
performed without hindering the capability of the interlock to work as designed
while the process is operating. A simple (but conservative) assumption is that
none of the components of the interlock system is repairable.
Mission time has to do with how long a device must function before it can be proof
tested and repaired. If the interlock system is not repairable, the only time it can
be safely tested and maintained is during shutdowns of the process system. This
time period between functional tests is the mission time during which the interlock
must be functional.
The reliability of an interlock system is defined as the probability that the interlock
system will function properly during its mission time. The probability that it fails
to do so is approximately:

$P \approx \lambda \tau$

where
P = Probability that the component or system will not function as designed for the
entire mission time.
$\lambda$ = Failure rate of a component (normally in failures per hour of service)
$\tau$ = Mission time, the period of time that the component or system must operate
before being tested and repaired
If two failures must occur before the interlock system is incapable of operating, the
probability of failure is approximately:

$P \approx (\lambda_1 \tau)(\lambda_2 \tau)$

$P \approx \lambda_1 \lambda_2 \tau^2$

For a three component failure the probability of failure becomes

$P \approx \lambda_1 \lambda_2 \lambda_3 \tau^3$

If the interlock system failure can occur in multiple ways, the probability that the
interlock system will fail during its mission time is

$P_{total} \approx \sum_i P_i$
From the previous equations, the following guidelines can be set forth to improve
interlock reliability:
- As the reliability of an interlock depends on two variables, namely
  - the failure rate of the components used, and
  - the inspection and proof test frequency,
reducing the failure rate of the components or increasing the inspection
frequency of the system will improve the safety performance of an interlock
system. Maintenance is as important as component selection.
- The addition of a redundant interlock component generally improves the safety
of the system. When adding redundant components, the component with the
highest failure rate must be added first.
- Common cause failures can completely negate the apparent improvement of
interlock performance when duplicate components of the same type are
installed to increase redundancy. Examples of common cause faults are listed
below:
  - Same lot of defective parts,
  - Same location for primary and backup systems (in a fire situation, for
example, both would be damaged),
  - Common susceptibility to environmental factors such as water, dirt, oil,
temperature, etc.,
  - Same electric power supply for control and interlock systems,
  - Same operator or maintenance technician involved in several critical steps
of an operation.
- To combat the impact of common cause failures it is advisable to use diverse
(different) and redundant components. A disadvantage of redundancy is that
false alarms or trips occur more often. Voting systems are recommended; for
example, three measuring devices are fitted instead of two and two out of three
(2oo3) must indicate the signal of concern before automatic action is taken.
- On highly redundant systems, human errors or inadequate testing equipment
during testing/maintenance provide the opportunity for common cause failure
(tools, procedures, calibration, training, etc.). It is advisable that the test
schedule be staggered so that different crews are used, at different times. Proper
testing procedures and equipment for testing are necessary.
- The reasons for installing redundancy should be clearly documented and
explained to avoid a common weakness of a redundant system: neglect in
repairing one redundant component, since there is a second one available.
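The Appendix A approximations applied to a small interlock loop, as an added example that is not part of the PDVSA standard: it computes the mission-time probability of failure of a series of (optionally redundant) component groups, shows the effect of halving the proof test interval, and checks the guideline that the highest failure rate component should be duplicated first. The component names, failure rates and the one-year test interval are constructed sample values, and the 2oo3 voting formula is the exact binomial form of the page's approximation; common cause failures are not modelled.

```python
# Added example (not part of the PDVSA standard): the Appendix A approximations
# P ~ lambda*tau, P ~ lambda_1*lambda_2*tau^2 and P_total ~ sum(P_i) applied to a
# non-repairable interlock loop. Component names and failure rates are
# constructed sample values, not data from the standard.

HOURS_PER_YEAR = 8760.0


def pfd_single(lam, tau):
    """P ~ lambda*tau: probability that one component (failure rate lam in
    failures/hour) fails somewhere within the mission time tau (hours)."""
    return lam * tau


def pfd_all_fail(lams, tau):
    """P ~ lambda_1 * lambda_2 * ... * tau^n: probability that every component of
    a redundant group fails within the mission time (independent failures,
    no common cause; see the common cause caution in Appendix A)."""
    p = 1.0
    for lam in lams:
        p *= lam * tau
    return p


def pfd_2oo3(lam, tau):
    """Two-out-of-three voting with three identical devices: the trip is lost
    when at least two of the three fail (exact binomial; reduces to 3*(lam*tau)^2
    for small lam*tau, the Appendix A style approximation)."""
    p = lam * tau
    return 3 * p**2 * (1 - p) + p**3


def interlock_pfd(groups, tau):
    """P_total ~ sum(P_i): the interlock fails if any group loses its function.
    groups is a list of lists of failure rates; a group with several entries
    is a redundant set that fails only when all of its members fail."""
    return sum(pfd_all_fail(g, tau) for g in groups)


def best_component_to_duplicate(groups, tau):
    """Try duplicating each group with an identical component and return the
    index of the group whose duplication lowers the total PFD the most.
    Appendix A guideline: the highest failure rate component is added first."""
    base = interlock_pfd(groups, tau)
    best_index, best_gain = None, -1.0
    for i, g in enumerate(groups):
        trial = [list(x) for x in groups]
        trial[i] = g + [g[0]]
        gain = base - interlock_pfd(trial, tau)
        if gain > best_gain:
            best_index, best_gain = i, gain
    return best_index


# Constructed sample loop: pressure transmitter, logic solver, shutdown valve
# (failure rates per hour are illustrative placeholders).
SAMPLE_LOOP = [[5e-6], [1e-6], [2e-5]]
ANNUAL_TEST = HOURS_PER_YEAR        # proof test once a year -> tau = 8760 h


if __name__ == "__main__":
    print("PFD, annual test  :", interlock_pfd(SAMPLE_LOOP, ANNUAL_TEST))
    print("PFD, 6-month test :", interlock_pfd(SAMPLE_LOOP, ANNUAL_TEST / 2))
    i = best_component_to_duplicate(SAMPLE_LOOP, ANNUAL_TEST)
    print("duplicate group", i, "(the highest failure rate) first")
    dup = [list(g) for g in SAMPLE_LOOP]
    dup[i].append(dup[i][0])
    print("PFD after duplicating it:", interlock_pfd(dup, ANNUAL_TEST))
    print("PFD of 2oo3 valves:", pfd_2oo3(2e-5, ANNUAL_TEST))
```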

B Methods for Determining Safety Integrity Level for Safety Interlock Systems
This appendix illustrates four methods for determining, as part of process safety
activities, the Safety Integrity Level for Safety Interlock Systems.
B.1 Safety Layer Risk Matrix


The method uses a layered qualitative matrix, shown in Figure B.1 that requires
an evaluation of the severity of the consequences for hazardous events that the
safety interlock system is protecting against. This also requires an evaluation of
the likelihood of occurrence for all the initiating events that could lead to
consequences. The third axis of the matrix requires a qualitative evaluation of the
effectiveness of other protection layers (such as engineered safety features or
protective systems or layers that typically involve special process designs,
process equipment, administrative procedures, the basic process control
systems, and/or planned responses to protect against an imminent hazard).
Layers, other than the safety interlock system under consideration, are evaluated
for their effectiveness in preventing the initiating event from leading to
consequences.
Fig B.1. SAMPLE RISK MATRIX FOR DETERMINING SIL
(Numbers in boxes are SIL levels for the SIS; NA: No SIS required. Rows:
Consequence Severity. Columns: Likelihood of Occurrence of Initiating Events.
One matrix for each level of Effectiveness of Protection Layers.)

Effectiveness of Protection Layers: High
  Consequence Severity     Likelihood: Low   Moderate   High
  High                                  1       1        1
  Moderate                              NA      NA       1
  Low                                   NA      NA       NA

Effectiveness of Protection Layers: Moderate
  Consequence Severity     Likelihood: Low   Moderate   High
  High                                  2       2        2
  Moderate                              1       1        2
  Low                                   NA      NA       1

Effectiveness of Protection Layers: Low
  Consequence Severity     Likelihood: Low   Moderate   High
  High                                  3       3        3
  Moderate                              2       2        3
  Low                                   1       1        2

B.2 Consequence Only Method
This method only requires an evaluation of the severity of consequences, should
the SIS and other protective safety items fail. This method is simpler and
expedites SIL decisions by reducing time spent on evaluations. The trade-off is
that the design selection would be higher than predicted by other SIL selection
methods (as probability of occurrence is not taken into account and high
consequence events usually are infrequent). Erring on the side of designing a
higher than necessary SIL is a conservative approach. Sometimes it is preferred
to save time spent in risk evaluations and to incur the potential cost penalties
imposed by selecting a higher SIL than might otherwise result. Money spent on
an SIS with equal or better safety performance is felt to be a good investment in safety.

B.3 HAZOP Approach
In a HAZOP, a process segment is systematically analyzed using a set of guide
words to identify process deviations. Using a spreadsheet format, the causes of the
process deviations are listed, followed by potential consequences and
safeguards to prevent the cause or mitigate the consequences.
Based on the severity of the consequences, the team's feeling for the likelihood
of the upsets and the overall performance of the protective system, the HAZOP team
decides whether a SIS is needed and the SIL level. Sometimes further evaluation
by the team of the equipment reliability and operation and maintenance costs is
required to determine the SIL level.

B.4 Fault Tree Approach
Fault trees are logic diagrams that systematically display sequences of failure.
Sequences of failure that begin with basic events, such as sensor failure, and lead
to a defined "top event" are diagrammed. The top event would be the one the
SIS is trying to protect against.
The top event frequency is calculated by estimating frequencies for initiating
events (such as a control valve failing to open, etc.) and assuming a predetermined
SIL for the SIS (usually SIL 1). The fault tree results are evaluated and the team
decides whether another fault tree analysis is needed using a higher interlock
level. The team finally decides on the optimum SIL.
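The B.4 procedure carried through on a small fault tree, as an added example that is not part of the PDVSA standard: the tree is evaluated with the SIS at SIL 1 and the SIL is raised until the top event frequency meets a tolerable target. The tree structure, event frequencies, the relief valve failure probability and the 1e-4 per year target are constructed sample values; the SIS PFD for each SIL is the worst case (upper) bound of the ISA S84.01 PFD bands, and the node layout and function names are this example's own.

```python
# Added example (not part of the PDVSA standard): evaluate a small fault tree
# for a fixed SIS SIL and step the SIL up until the top event frequency meets a
# target, as Appendix B.4 describes. Tree, event values and target are
# constructed sample values.

# Worst case PFD (probability of failure on demand) for each ISA S84.01 SIL band.
SIL_PFD = {1: 1e-1, 2: 1e-2, 3: 1e-3}

# Node kinds: ("freq", x) initiating event in events/year; ("prob", p) another
# protection layer failing on demand; ("sis",) the interlock under study, whose
# PFD is supplied at evaluation time; ("or", [...]) and ("and", [...]) gates.
SAMPLE_TREE = (
    "and", [
        ("or", [
            ("freq", 0.1),   # control valve fails open (constructed value)
            ("freq", 0.2),   # cooling water failure (constructed value)
        ]),
        ("sis",),            # safety interlock fails to trip
        ("prob", 0.01),      # relief valve fails to open (constructed value)
    ],
)


def _prod(values):
    p = 1.0
    for v in values:
        p *= v
    return p


def evaluate(node, sis_pfd):
    """Return (value, is_frequency). An OR of frequencies adds them (rare event
    approximation) and an OR of probabilities combines them as 1 - prod(1 - p).
    An AND multiplies its inputs; at most one input may be a frequency so the
    result is still a frequency (events/year) rather than a meaningless product."""
    kind = node[0]
    if kind == "freq":
        return node[1], True
    if kind == "prob":
        return node[1], False
    if kind == "sis":
        return sis_pfd, False
    children = [evaluate(c, sis_pfd) for c in node[1]]
    if kind == "or":
        if all(f for _, f in children):
            return sum(v for v, _ in children), True
        if not any(f for _, f in children):
            return 1 - _prod(1 - v for v, _ in children), False
        raise ValueError("OR gate mixes frequencies and probabilities")
    if kind == "and":
        n_freq = sum(1 for _, f in children if f)
        if n_freq > 1:
            raise ValueError("AND gate with more than one frequency input")
        return _prod(v for v, _ in children), n_freq == 1
    raise ValueError("unknown node kind: %r" % kind)


def top_event_frequency(tree, sil):
    """Top event frequency (events/year) with the SIS assumed at the given SIL."""
    value, is_freq = evaluate(tree, SIL_PFD[sil])
    if not is_freq:
        raise ValueError("top event is a probability, not a frequency")
    return value


def select_sil(tree, target_per_year):
    """Start at SIL 1 as the standard suggests and step up while the top event
    frequency exceeds the target; None means even SIL 3 is not sufficient."""
    for sil in sorted(SIL_PFD):
        if top_event_frequency(tree, sil) <= target_per_year:
            return sil
    return None


if __name__ == "__main__":
    for sil in sorted(SIL_PFD):
        print("SIL", sil, "-> top event", top_event_frequency(SAMPLE_TREE, sil), "/yr")
    print("selected SIL for a 1e-4/yr target:", select_sil(SAMPLE_TREE, 1e-4))
```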
