Matthew Meyers (Western Refining)

The panel concluded that 100% of the FCC units in their respective companies used the low slide valve dP over-ride to protect against reversals. The consensus of the panel was that having dual slide valves did not significantly increase the reliability of the system. The IEC 61511, 2003 definition of an Independent Protective Layer is the following:

1. The system must have a risk reduction factor of at least 100 (10-2).

2. It must be designed to protect against a specific event

3. It must operate independently of other protective layers (i.e., No common causes of unavailability)

4. Must have an availability of 0.9 or greater

5. Must be testable

Since the typical slide valve DP override system shares the low signal selector algorithm in the DCS with the regulatory control system, it cannot meet the strict IEC definition of independence. The control algorithm (or changes thereof) itself may be a common cause of unavailability.

The probability of failure on demand (PFD) for the slide valve DP override system depends upon a number of factors:

• Standpipe fluidization and stability

• Redundancy of DP transmitter field-side: all process taps and tubing are independent with reliable purges

• Each transmitter configured to fail low and SIL rated to prevent incorrect configuration changes

• Wiring from each transmitter to the BPCS in separate home run cables with redundant inputs to the BPCS

• BPCS configured to fail low on loss of signal from either DP transmitter

• Constant slide valve modulation and testing with good slide valve maintenance

• Dual slide valve hydraulic pumps with separate motive force sources (e.g., electrical and pneumatic)

• Slide valve skid alarm instrumentation to ensure availability: reserve accumulator in service, reserve accumulator pressure, position deviation alarms, loss of tracking, loss of feedback, etc.

All of these factors should be carefully considered before determining a PFD. Assuming each item is properly maintained and suitably stable over the course of the operating history, a PFD of 10-2 is achievable.

In terms of conducting a LOPA, the slide valve DP override system may be used to reduce the impact event frequency and thereby possibly reduce the risk. This may or may not affect SIL requirements, depending on other layers of protection that may be taken into account and the refinery-specific risk ranking matrix.

Mike Teders (Valero)

Low slide valve DP over-ride is used in every one of the Valero FCC units where a slide valve is used to control the catalyst circulation. The low dP over-ride is DCS based in our FCC units and we consider them to be an effective form of process control. In addition, we are developing a prescriptive design standard for an independent FCC shutdown system for our FCC units. The standard includes protection against a catalyst reversal by using low slide valve differential pressure to trigger a slide valve closure and trip the unit into a shutdown. Our FCC shutdown system is intended to be independent from the DCS based over-ride and would qualify as an Independent Protection Layer (IPL). We would not consider the DCS based over-ride to be an Independent Protection Layer (IPL) against a catalyst reversal if one of the hazard scenarios in the Layer of Protection Analysis (LOPA) included loss of the DCS controls.