“You may hate gravity, but gravity doesn’t care.” — Clayton Christensen
In May 1946, a scientist at Los Alamos was demonstrating the criticality of plutonium. The demonstration consisted of lowering the upper hemisphere of a spherical shell around a mass of plutonium. As he lowered it, however, it slipped and completed the spherical shell, causing the mass to go critical. Fortunately for the seven others in the room, the scientist reached over and separated the upper hemisphere manually, before the reaction became self-sustaining. The others survived, but he died from radiation poisoning.
Energizing to Go to a Safe State
The set-up for that 1946 demonstration relied on energizing to go into a safe state: to reduce to less than criticality, the top hemisphere needed to be lifted. All that the set-up needed to become unsafe was to lose the constraints that kept the hemisphere raised—in this case, a screwdriver—and let gravity do its inevitable work.
In hindsight, it is easy to see that a safer set-up would have been one where the top hemisphere was fixed, and the lower hemisphere lifted into place. Then, on loss of the energy to lift the hemisphere into place, it would have fallen away, which was the safer state. (Safer, not safe. It’s hard to argue that anything about working with a mass of plutonium is safe. Safe would have meant not doing the demonstration at all.)
The greatest value of experience is that we can learn from the past. The first lesson to learn from this Los Alamos incident should be to rely on de-energizing to take us to a safe state. We call this “deenergize-to-trip” (DTT), rather than “energize-to-trip” (ETT).
Deenergize-to-Trip Final Control Elements
The concept of ETT means different things for different types of components, but generally, it means that some source of energy must be applied to the component to get it from the unsafe state to the safe state. A necessary feature of this concept is that there are two states, one safe, one unsafe. It takes energy to move from the safe state to the unsafe state. It also takes energy to move from the unsafe state to the safe state. So, what does it mean to de-energize?
Consider a balloon. It takes energy to fill the balloon, and it would be reasonable to consider an inflated balloon to be in the energized state. Energy is also expended when the balloon deflates. That energy, stored in the elastic tension of the balloon, is expended when the balloon is released. But most of us would be comfortable with calling a deflated balloon “de-energized”.
How about an air-actuated valve? When air pressure is applied, the actuator moves to the energized position, compressing or stretching a spring. When the pressurized air is vented, the stored energy in the spring moves the actuator to the de-energized position. The spring provides energy, and certainly, springs can break. Nonetheless, an unbroken spring wants to release its stored energy, and most of us are comfortable calling a spring “de-energized” when it is in the relaxed position rather than insisting that a spring is only de-energized when it is broken.
The same holds for solenoids. When electrical energy is applied, the solenoid moves to the energized position, compressing or stretching a spring. When electrical energy is removed, the stored energy in the spring moves the solenoid to the de-energized position. When the spring is in the relaxed position, it’s fair to consider the solenoid to be “de-energized.”
What is true for solenoids is also true for other electrically powered equipment. When an electrically powered motor (or for that matter, an air-driven motor or a steam turbine) is running, it is “energized”. It is only when a motor is not energized and not running that it can be considered “de-energized.” Likewise, heating elements are only in the de-energized state when they are isolated from the energy that they convert to heat.
Switches
At the other end of the loop from the final control element is the sensor. Transmitters, which operate on a continuous scale, are not thought of as either ETT or DTT. On the other hand, switches are discrete – either open or closed, on or off – and fall neatly into the “energized” or “deenergized” characterization. A switch that is closed, or on, is energized. Current moves through the switch. On the other hand, a switch that is open, or off, is de-energized.
This view tells us how we should consider sensor switches, such as level, flow, pressure, or temperature switches. A high-level switch is one that detects a level that is too high and causes a trip to a safe state. A level that is too high must put a DTT switch in the open or off position. If a high level causes a normally open switch to close, a normally off switch to turn on, then it is a ETT switch. When we have a choice, we should never choose to have a safety component be ETT.
What is important about DTT switches is that they are on/closed when things are normal and go to the off/open position when safe limits are exceeded. It doesn’t matter what the set point is, just how the switch responds to exceeding safe limits. A level switch at the bottom of a vessel is a high-level switch if it goes to the off/open position when the level at the bottom of the vessel goes above the switch setting. Likewise, a level switch at the top of a vessel is a low-level switch if it goes to the off/open position when the level at the top of the vessel drops below the switch setting. This is just as true for temperature switches, pressure switches, flow switches, and other discrete sensors.
Off/open = not safe.
When Utilities are Required to Be Safe
When a utility is required to go to the safe state, the need for that utility should be seen as ETT. The only exceptions, at least here on the surface of the earth, are gravity and atmosphere. We don’t have to worry about our gravity generator failing; gravity is a given. Likewise, a vent that opens to atmosphere can always count on the atmosphere being there.
When electricity, steam, compressed air, compressed nitrogen, cooling water, or any other utility is required for the process to be in the safe state, that action of going to the safe state is ETT. The utility must always be available, and it must remain available for the duration of the emergency.
One of the advantages of a DTT design is that the loss of a utility doesn’t change whether the design is in the safe state.
DTT Safety Functions
The best safety functions are those that are DTT, those that do not rely on an active source of energy to go to and stay in a safe state. That means that every component of the safety function must be DTT. If even one component of a safety function can be characterized as ETT, then the safety function itself must be characterized as ETT.
To make sure that your safety functions are the best that they can be, consider each component of each safety function and do whatever can be done to assure they are DTT. As the Los Alamos scientist who sacrificed his life to save those around him demonstrated, the consequences of ETT designs have far more potential to be catastrophic.
