A protective system designed with de-energize-to-trip components is one in which a single component failure will place the equipment or unit in a safe state, usually shutdown. Typical single-component failures are loss of electric power or instrument air, blown fuses, and broken input or output signal wiring. If improperly designed, single-circuit de-energize-to-trip systems can be prone to nuisance trips and alarms, because any one of perhaps hundreds of components can cause a shutdown. The nuisance trip or alarm is immediately detectable, but it can have a serious impact on the productivity of the plant and on operator confidence in the system. Nuisance shutdown frequency is a function of the complexity and number of components in the system. If excessive, it can be reduced by selecting and installing more reliable or redundant components.
The design of a reliable de-energize-to-trip protective system must ensure that the system is placed in a shutdown state upon failure of any single system component. The following guidelines should be observed:
• Pneumatically or hydraulically operated actuators for shutdown valves should move to the safe position on loss of actuator power supply.
• Solenoid valves should be energized during plant operation, and moved to the safe position when power is removed or lost (de-energize-to-trip).
• Sensing-device contacts should be closed during normal or safe operations and should open when the shutdown condition is reached.
• Failure of the air or electric supply to a measuring instrument used in a shutdown system should cause the output to move toward the trip condition. In some cases this will require the use of reverse-acting transmitters. If this cannot be achieved, consideration should be given to installing instruments to alarm on measuring instrument power failure.
• The sample flow of an analyzer used in a trip system should be monitored. Loss of flow or significant reduction in flow should initiate an alarm.
• Shutdown systems using thermocouples should be provided with a thermocouple burnout protection device. On thermocouple burnout, the converter output is driven away from the shutdown trip setting, so the burnout itself does not cause a spurious trip. Because the failure is then not self-revealing, a separate alarm should be installed to detect the burnout.
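The guidelines above describe how each kind of field signal should behave so that a single failure lands on the trip side, or, where that cannot be arranged, at least raises an alarm. The following is an added illustration, not code from the original text: a small logic-solver pass over constructed input snapshots. The 4-20 mA live-zero convention and the NAMUR NE 43 fault bands (below 3.6 mA or above 21 mA) are standard; the tag names (LSH-101, PT-102, TE-103, AT-104), the setpoints, the linear type-K thermocouple approximation and the fault scenarios are assumptions made up for the demonstration.

```python
"""Added illustration of the de-energize-to-trip conventions listed above.
Not code from the original text. The 4-20 mA range and NE 43 fault bands
are standard; tags, setpoints and fault scenarios are assumptions."""
from dataclasses import dataclass
from typing import Optional


def discrete_trips(loop_energized: Optional[bool]) -> bool:
    """De-energize-to-trip discrete input: the contact is closed (loop
    energized) when safe and opens at the trip condition. A blown fuse,
    lost supply or broken wire (modelled as None) also de-energizes the
    loop, so every single failure lands on the trip side."""
    return loop_energized is not True


def percent_of_span(ma: float, reverse_acting: bool = False) -> float:
    """4-20 mA loop current to percent of span. Forward-acting: 4 mA = 0 %,
    20 mA = 100 %. Reverse-acting is ranged the other way, so the 0 mA of a
    dead transmitter reads over-range HIGH instead of below zero."""
    if reverse_acting:
        return (20.0 - ma) / 16.0 * 100.0
    return (ma - 4.0) / 16.0 * 100.0


def loop_fault(ma: float) -> Optional[str]:
    """NAMUR NE 43: below 3.6 mA or above 21 mA is a signalled fault, not a
    measurement. This is the alarm the guideline asks for when a
    transmitter cannot be made to fail toward the trip condition."""
    if ma < 3.6:
        return "loop current low (supply or wiring failure)"
    if ma > 21.0:
        return "loop current high (transmitter fault)"
    return None


def thermocouple_converter(mv: Optional[float], trip_is_high: bool):
    """Converter with burnout protection. None models an open element. On
    burnout the output is driven AWAY from the trip setting (downscale for
    a high-temperature trip) and a separate burnout flag is raised, since
    the reading alone no longer reveals the failure. 0.041 mV/degC is a
    linear type-K approximation (assumption)."""
    if mv is None:
        return (-50.0 if trip_is_high else 1500.0), True
    return mv / 0.041, False


@dataclass
class Inputs:
    """One input snapshot; hypothetical tags with constructed values."""
    lsh_101_energized: Optional[bool] = True  # high-level switch loop
    pt_102_ma: float = 12.0                   # pressure transmitter, high trip
    pt_102_reverse: bool = True               # reverse-acting per guideline
    te_103_mv: Optional[float] = 20.5         # thermocouple, ~500 degC
    at_104_flow_pct: float = 100.0            # analyzer sample flow
    at_104_o2_pct: float = 2.0                # analyzer reading, high trip


def evaluate(inp: Inputs):
    """Logic-solver pass: returns (trip, alarms) for one snapshot."""
    trip, alarms = False, []
    if discrete_trips(inp.lsh_101_energized):
        trip = True
        alarms.append("LSH-101 de-energized")
    if percent_of_span(inp.pt_102_ma, inp.pt_102_reverse) >= 90.0:
        trip = True
        alarms.append("PT-102 high trip")
    fault = loop_fault(inp.pt_102_ma)
    if fault:
        alarms.append(f"PT-102 {fault}")
    temp_c, burnout = thermocouple_converter(inp.te_103_mv, trip_is_high=True)
    if temp_c >= 600.0:
        trip = True
        alarms.append("TE-103 high temperature trip")
    if burnout:
        alarms.append("TE-103 thermocouple burnout")
    if inp.at_104_flow_pct < 50.0:          # sample flow monitor: alarm only
        alarms.append("AT-104 sample flow low")
    if inp.at_104_o2_pct >= 5.0:
        trip = True
        alarms.append("AT-104 high O2 trip")
    return trip, alarms


def scenarios():
    """Constructed single-failure cases; returns {name: (trip, alarms)}."""
    return {
        "normal": evaluate(Inputs()),
        "LSH-101 fuse blown": evaluate(Inputs(lsh_101_energized=None)),
        "PT-102 supply lost, reverse-acting": evaluate(Inputs(pt_102_ma=0.0)),
        "PT-102 supply lost, forward-acting":
            evaluate(Inputs(pt_102_ma=0.0, pt_102_reverse=False)),
        "TE-103 burnout": evaluate(Inputs(te_103_mv=None)),
        "AT-104 sample flow lost": evaluate(Inputs(at_104_flow_pct=0.0)),
    }


if __name__ == "__main__":
    for name, (trip, alarms) in scenarios().items():
        print(f"{name:36s} trip={trip!s:5s} alarms={alarms}")
```

The two PT-102 cases are the ones to compare. With the reverse-acting transmitter, a lost supply (0 mA) reads as 125 % of span and trips; with a forward-acting one it reads as -25 %, silently away from the trip, and only the NE 43 fault band produces an alarm. The thermocouple burnout case likewise produces no trip, which is exactly why the guideline requires the separate burnout alarm.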
Most shutdown systems, and all alarm systems, should be designed with de-energize-to-trip components in order to immediately bring protective system component failures to the attention of the operators. The biggest drawback to this type of design, the possibility of nuisance trips, is less of a concern now with the use of more reliable and redundant electronic equipment.
Use of a de-energize-to-trip system does not guarantee that a component failure will immediately cause the plant to shut down, or even that the failure will be revealed. In fact the operators may not know that the protective system is not in working order. For example, a process lead (impulse line) to a field switch could become plugged, leaving the switch unable to sense a possibly dangerous operating condition, or a valve could seize in its normal operating position, unable to move to the fail-safe position. Neither failure de-energizes anything, so neither is self-revealing. Such equipment failures can be detected only through a regular, documented testing program.
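The two covert failures named above, a plugged process lead and a seized shutdown valve, can be shown in a small model. This is an added example, not code from the original text; the switch and valve models, the tag-free names, the pressures and the proof-test steps are all assumptions made for the illustration. Its point is that the logic solver's online view (loop energized, no trip demanded) is identical for the healthy and the failed plant, and only a test that exercises the lead from the process side and drives the valve to its fail-safe position finds the defects.

```python
"""Added illustration of covert failures in a de-energize-to-trip loop.
Not code from the original text; fault models and test steps are assumptions."""
from dataclasses import dataclass


@dataclass
class FieldSwitch:
    """Pressure switch fed through a process lead (impulse line). A plug in
    the lead freezes the sensed pressure at whatever was trapped behind it."""
    setpoint: float
    line_plugged: bool = False
    trapped: float = 0.0

    def sensed(self, process_pressure: float) -> float:
        return self.trapped if self.line_plugged else process_pressure

    def energized(self, process_pressure: float) -> bool:
        # Contact closed (loop energized) below setpoint, opens to trip.
        return self.sensed(process_pressure) < self.setpoint


@dataclass
class ShutdownValve:
    """Fail-closed valve: the spring closes it when the solenoid de-energizes.
    A seized stem leaves it where it is, whatever the solenoid does."""
    stuck: bool = False
    position: str = "open"

    def apply(self, solenoid_energized: bool) -> str:
        if not self.stuck:
            self.position = "open" if solenoid_energized else "closed"
        return self.position


def online_health(sw: FieldSwitch, valve: ShutdownValve, process_pressure: float):
    """What the logic solver sees while the plant runs. Neither a plugged
    lead nor a seized stem changes this picture, so nothing is annunciated."""
    return {"loop_energized": sw.energized(process_pressure),
            "valve_position": valve.position}


def proof_test(sw: FieldSwitch, valve: ShutdownValve, test_pressure: float):
    """Documented proof test; returns the defects found.
    The test pressure is applied at the process tap, upstream of the lead:
    a test injected at the switch body would bypass a plugged lead and pass."""
    defects = []
    if sw.energized(test_pressure):            # contact must open above setpoint
        defects.append("switch did not trip at test pressure (plugged lead?)")
    if valve.apply(solenoid_energized=False) != "closed":   # end-element test
        defects.append("valve failed to reach closed position (seized stem?)")
    valve.apply(solenoid_energized=True)       # return to service position
    return defects


def demo():
    """Constructed cases: returns {name: (online view, proof-test defects)}."""
    normal_pressure, test_pressure = 5.0, 9.0   # bar; setpoint is 8.0
    cases = {}
    for name, sw, valve in [
        ("healthy", FieldSwitch(8.0), ShutdownValve()),
        ("plugged_lead", FieldSwitch(8.0, line_plugged=True, trapped=5.0), ShutdownValve()),
        ("seized_valve", FieldSwitch(8.0), ShutdownValve(stuck=True)),
    ]:
        cases[name] = (online_health(sw, valve, normal_pressure),
                       proof_test(sw, valve, test_pressure))
    return cases


if __name__ == "__main__":
    for name, (view, defects) in demo().items():
        print(f"{name:13s} online={view} proof_test={defects or 'pass'}")
```

Running it, all three cases report the same online state, while the proof test returns an empty defect list only for the healthy loop. The comment in proof_test carries the practical caveat: the test must exercise the same path the process uses, or the plugged lead passes the test too.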