Process and control system design decisions are often predicated on the assumption that an emergency shutdown is always the safe response to a process upset, maintaining asset integrity in line with the corporate risk assessment matrix. However, these emergency actions may themselves impose significant risks on the integrity of the process unit and on the personnel. Alternative intervention actions and/or design decisions may provide less risky solutions.
In point of fact, even assuming that the emergency shutdown of a process unit or a facility can be accomplished in something like perfect safety, bringing the process back online can often be a risky proposition in itself, particularly given the substantial costs that downtime imposes on the facility and its restart. Further, the emergency shutdown itself may impose significant risks on upstream and downstream units and on the equipment itself. In many cases, less drastic process control and safeguarding actions – such as reduced firing or keeping the pilot flames alive – are available and significantly less risky.
The core concept is to provide more control layers with less drastic actions, which can act before the safety layer with its emergency shutdown is activated. The result is a process control system – at least for the most critical control loops – whose optional control and protection layer structure looks like this:
Layer 1: Regular PID control
Layer 2: Protective PID control
Layer 3: Process alarm with operator intervention
Layer 4: Process safeguarding actions (also called a cutback system)
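As an added illustration that is not part of the original article, the following constructed Python model shows the four layers acting ahead of the emergency shutdown on a fired-heater outlet-temperature loop: a loss of feed flow drives the outlet temperature up, and the same upset is run with only the ESD, with all layers, and with the cutback but no protective override. All process constants, thresholds and controller gains are assumed for the illustration.

```python
"""Layered protection for a fired-heater outlet-temperature loop (constructed model)."""
from dataclasses import dataclass, field

# Constructed constants: setpoint, override limit, alarm, cutback and trip temperatures (deg C)
SP_C, LIMIT_C, ALARM_C, CUTBACK_C, TRIP_C = 420.0, 480.0, 490.0, 550.0, 600.0
AMBIENT_C, FUEL_GAIN, PILOT, ALPHA = 20.0, 800.0, 0.10, 0.2  # heater: T_ss = ambient + gain*fuel/feed
ALL_LAYERS = frozenset({"override", "alarm", "cutback"})  # layer 1 (regular control) and ESD always on

def clamp(x, lo=PILOT, hi=1.0):
    return max(lo, min(hi, x))  # firing demand stays between pilot flame and full firing

@dataclass
class Result:
    tripped: bool = False
    alarm: bool = False
    cutback_steps: int = 0
    max_temp: float = 0.0
    trace: list = field(default_factory=list)

def simulate(layers=ALL_LAYERS, feed_fraction=0.5, upset_at=5, steps=40) -> Result:
    """Run the loop with the chosen optional layers; feed flow drops to feed_fraction at step upset_at."""
    res, temp, cutback_on = Result(), SP_C, False
    for k in range(steps):
        feed = feed_fraction if k >= upset_at else 1.0
        if temp >= TRIP_C:                            # safety layer: emergency shutdown, latched
            res.tripped = True
            break
        fuel = clamp(0.5 + 0.0005 * (SP_C - temp))    # layer 1: regular (P-only) control
        if "override" in layers and temp > LIMIT_C:   # layer 2: protective controller, low-select
            fuel = min(fuel, clamp(0.5 - 0.004 * (temp - LIMIT_C)))
        if "alarm" in layers and temp > ALARM_C:      # layer 3: alarm for operator intervention
            res.alarm = True
        if "cutback" in layers:                       # layer 4: cut firing back to the pilot flame
            if temp >= CUTBACK_C:
                cutback_on = True
            elif temp < ALARM_C:                      # release with hysteresis (assumed; many latch)
                cutback_on = False
            if cutback_on:
                fuel = PILOT
                res.cutback_steps += 1
        t_ss = AMBIENT_C + FUEL_GAIN * fuel / feed    # outlet temperature this firing settles to
        temp += ALPHA * (t_ss - temp)                 # first-order process lag
        res.max_temp = max(res.max_temp, temp)
        res.trace.append(round(temp, 1))
    return res

if __name__ == "__main__":
    for name, layers in [("ESD only", frozenset()), ("all layers", ALL_LAYERS)]:
        r = simulate(layers)
        print(name, "tripped" if r.tripped else "held", "max", round(r.max_temp, 1), r.trace[:12])
```

With the cutback enabled but no protective override, the firing hunts between pilot and regular control without ever reaching the trip, which shows why the smoother layers sit in front of the cutback.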
Inherently safer designs will also reduce the demand on emergency shutdowns considerably and should be considered the technology of choice where available.