Question 16: What is required to achieve Safety Integrity Level 2 (SIL-2) rating on the hydrocracker depressuring system? For a hydrotreater that does not require SIL-2, what position should the depressurization valve fail to?

JOE RYDBERG (CITGO)
CITGO typically seeks process safety consultants to help with SIS design, including SIL selection. Kenexis is one such company and has provided the following technical information regarding depressurization systems.

There are a multitude of different initiating events (loss of recycle gas, reactor internal failure, coking, catalyst loading errors, etc.) that can cause a runaway to occur, and a wide variety of options for dealing with the runaway reaction, depending on its severity. Furthermore, safeguards that are effective against one initiating event might not be effective for another, and some of the safeguards are only partially effective. Also, some of the safeguards share equipment items, which further complicates a LOPA. Due to the complexity of this hazard, some operating companies have chosen to go beyond a traditional LOPA for picking SIL targets, all the way to a more quantitative analysis using a fault tree. In this analysis we have determined that the typical shutdown design which will allow tolerable risk to be achieved includes two depressuring valves. These depressuring valves are typically sized for low rate (150#/min) and high rate (300#/min). Operationally, you would trigger the low rate first and try to get the process back under control and, if that fails, go to the high rate. Also, the sizing will vary based on licensor; Shell and Chevron licensed technology varies from what is stated above, which is for the UOP Unicracker, but they’re in the same ballpark.

The initial reason for the two separate valves was not reliability requirements to achieve a SIL target. There were two valves in this application way before SIL was invented. The licensors saw that thermal runaway was a problem, and in order to decrease reaction rate you need to decrease pressure (thereby decreasing concentration of reactants).  Opening either the low rate or high rate depressuring valves will cause the process and unit to dramatically shift.  Opening the high rate depressuring valve can be particularly impactful, potentially causing reactor or flare system damage.   While one or two high rate depressurings is not expected to significantly damage the reactor vessel, the process licensors generally take great care in preventing a spurious activation of the depressuring valves, especially to the high rate valve.

In order to prevent spurious activation of the high rate valve, it is typically an air-to-open valve. Air-to-open depressuring valves are allowed and compliant with IEC / ISA 61511, but when used they require additional consideration, specifically back-up “power” and alarms on loss of utility. This usually takes the shape of a volume bottle and check valve combination on the instrument air supply (sized for 3 strokes usually), and a low pressure alarm on the volume bottle. While some apply this same design technique to the low rate valve, not everyone does because the consequence of activating the low rate valve is not as severe. That said, there is nothing wrong with using the same air-to-open design as the high rate valve.

On an additional note, we are currently seeing many refiners revisit the choice of a high-rate and a low-rate valve. In recent years, the activity of hydroprocessing catalysts and severity of hydroprocessing has increased. Many of the scenarios that previously were controlled with a low-rate depressuring now require the high-rate depressuring. As a result, some in the industry are considering the use of two high-rate valves instead of the low-rate / high-rate combination. It is common that the combination of two depressuring valves (300#/min and 150#/min), automated with temperature bed sensors and a SIL2 rated logic solver, is required to get to SIL 2 for most hazard scenarios for the valve system.

Returning to CITGO’s experience, for all the hydrotreaters in the CITGO system, there are remote manual depressurization or dump valves. After reviewing approximately fifteen HDTs in the CITGO system, the de-pressurization valves are fail closed.

For the hydrocracker, there are two dump valves: a smaller valve (when it opens, it de-pressures the unit at a rate of 100psi/min) and a larger valve (when it opens, it de-pressures the unit at a rate of 300psi/min). The larger dump valve opens when the recycle compressor shuts down or when reactor bed temperature indicators hit 825F. The smaller dump valve opens when reactor temperature indicators hit 800F. The hydrocracker is also outfitted with a third “manual” dump valve to flare. The de-pressurization valves are fail closed.

API recommended practice 521 discusses the need for de-pressuring systems for both temperature runaway and to protect equipment against stress rupture from fire, particularly in systems that operate above 250psig in vapor only service.  The following factors should be recognized to ensure reliability of the valve during a fire:


• Valve size, de-pressuring rate
• Failure position (specifying FO) and reliability – flare capacity should not be exceeded to avoid environmental impact (note – multiple unit flaring could occur when there is a loss of instrument air)
• Redundant air, N2, or bottles for valve actuation
• Location, fire protection, accessibility during a fire

 

MAX LAWRENCE (Shell Global Solutions): 
SIL-2 requires robust SIL-2 components throughout the input -> solver -> output activation chain.  Multiple (voting only when identical) inputs are generally available for a dedicated high-reliability computer separate from basic control.  The chief difficulty is in achieving SIL-2 reliability for the output – depressuring valve(s).  There are two general approaches:  redundancy and testing.  Location factors and precise details will determine which is most suitable.  Failure mode should be determined by SIL analysis, but at least one depressuring valve should be fail-open (i.e., air to close) to handle the instrument-air failure case.

For a hydrotreater that does not require SIL-2, it is prudent for at least one depressuring valve to be fail-open (i.e., air to close) to address the instrument-air failure case.

 

CHRISTINA HAASSER (Honeywell UOP)
In a hydrocracker, a UOP design specifies low and high rate depressuring valves.  The SIL 2 rating is on the High Rate Depressuring valves. UOP designs for SIL-2 rating by having two valves in parallel. There are provisions to allow each of the valves to be independently blocked in to permit a full stroke test of the valve. This arrangement allows one valve to still be in service protecting the unit while the other valve is tested. Since the majority of the pressure drop is across the orifice plate, having two valves in parallel does not change the depressuring rate significantly. 

Testing interval is another aspect of meeting SIL-2 requirement. UOP has maximum testing intervals that our system designs are based on. Final testing intervals are dependent on customer requirements and local regulations.

For Hydrotreaters, UOP design has a single rate of depressuring and the valve is specified to be Fail Closed because the catalyst in a hydrotreating unit is not usually as active as hydrocracking catalyst and is not expected to experience an immediate temperature excursion upon loss of recycle gas.  Therefore, there is no incentive to provide automatic depressurization on loss of recycle gas.  If the recycle gas compressor can be restarted without too much delay, operation can resume without having to re-pressure the unit.  The operator always has the option to initiate depressuring if the situation requires it.  

UOP designs Hydrocracking Low Rate Depressure valve as Fail Open. This low rate depressuring valve opens upon loss of Instrument Air. The intent is to prevent a temperature excursion in the event of a plant wide instrument air failure. The high rate depressuring valve is Fail Closed. If required, the operator always has the option to manually initiate high rate depressuring because of instrument air reservoirs that are sized for at least 3 strokes of the valve.
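The redundancy-and-testing trade-off described in the answers above, as an added worked example (not from any panelist or licensor): it applies the standard simplified PFDavg equations for 1oo1 and 1oo2 valve arrangements and the IEC 61508/61511 low-demand SIL bands. The dangerous-undetected failure rate, common-cause factor and proof-test intervals are constructed sample values, and the result covers only the depressuring-valve subsystem, not the sensors or logic solver.

```python
HOURS_PER_YEAR = 8760

# Low-demand SIL bands (IEC 61508/61511): (SIL, PFDavg lower bound, upper bound)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]

# Constructed sample values, not vendor or licensor data.
LAMBDA_DU = 4e-6   # dangerous undetected failures per hour, per valve
BETA = 0.1         # fraction of failures that hit both valves at once


def pfd_1oo1(lambda_du, ti_hours):
    """Single valve proof-tested every ti_hours."""
    return lambda_du * ti_hours / 2


def pfd_1oo2(lambda_du, ti_hours, beta):
    """Two parallel valves, either one sufficient, with common-cause fraction beta."""
    independent = ((1 - beta) * lambda_du * ti_hours) ** 2 / 3
    common_cause = beta * lambda_du * ti_hours / 2
    return independent + common_cause


def sil_for(pfd_avg):
    """Return the SIL band a PFDavg falls in; 0 means it does not reach SIL 1."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd_avg < high:
            return sil
    return 4 if pfd_avg < 1e-5 else 0


def compare(test_interval_years, lambda_du=LAMBDA_DU, beta=BETA):
    """Return (years, PFD 1oo1, SIL 1oo1, PFD 1oo2, SIL 1oo2) per test interval."""
    rows = []
    for years in test_interval_years:
        ti = years * HOURS_PER_YEAR
        single = pfd_1oo1(lambda_du, ti)
        pair = pfd_1oo2(lambda_du, ti, beta)
        rows.append((years, single, sil_for(single), pair, sil_for(pair)))
    return rows


if __name__ == "__main__":
    for years, single, sil1, pair, sil2 in compare([1, 2, 5]):
        print(f"TI={years}y  1oo1 PFD={single:.2e} (SIL {sil1})  "
              f"1oo2 PFD={pair:.2e} (SIL {sil2})")
```

With these sample numbers a single valve stays in the SIL 1 band at every interval, the parallel pair reaches SIL 2 at one- and two-year proof tests, and stretching the interval to five years drops the pair back to SIL 1 because the common-cause term dominates.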

 

LARS JORGENSEN (Haldor Topsoe)
Initiators and final elements for auto depressurization are designed according to the International Electrotechnical Commission (IEC) standard 61511 and must fulfill SIL-2 capability. Initiators will typically be 1-out-of-X high-high temperature readings in the catalyst bed or reactor skin temperature. Spurious trips are reduced by having low-scale burnout. Another initiator is typically the loss of treat gas, which is done to avoid stagnant hot liquid. Spurious trips for this flow measurement are reduced by a 2-out-of-3 philosophy in which two measurements should read low-low flow. A high axial temperature difference and/or rate-of-change over the catalyst bed can add another level of protection.

For a hydrotreater, with less than SIL-2 requirements, the depressurization valve will be designed as fail-open to ensure functionality on loss of instrument air. This valve would be a manually activated system. To reduce the risk of spuriously failing open, the system will be provided with a safe-air bottle and a low instrument air pressure alarm (this also applies for hydrocrackers). Additionally, two solenoids in series to prevent shutdown if one solenoid fails can be considered if allowed by Layers of Protection Assessment (LOPA).
 

Year
2019