Section 12 — Instruments and Controls

Protective Instrumentation Systems

IPE Engineering Practice IPE-EP-12-10-1

Document number: IPE-EP-12-10-1 · Section: 12 — Instruments and Controls

1.0

1.1

1.2

1.3

2.0

3.0

3.1

3.2

3.3

3.4

3.5

3.6

SCOPE

This Practice details the requirements for the categorization and design of protective instrumentation systems.

Conventional pressure relief valves, electrical protection relays, and mechanical overspeed trips are not covered by this Practice.

Any deviations from this Practice must be approved by the procedure given in EP 1–1–3.

REFERENCES

The latest edition of the following standards and publications are referred to herein, and shall be used with this Practice.

STANDARDS AND PUBLICATIONS

IPE Engineering Practices
EP 1–1–3 Deviations to IPE Engineering Practices EP 3–7–1 Pressure Relieving Systems EP 3–7–4 Use of Protective Instrumentation in Pressure Relieving Systems EP 3–7–3 Register of Pressure Relieving Systems EP 11–2–1 Fireproofing EP 12–1–1 Control Systems EP 12–10–2 Testing of Protective Instrumentation Systems EP 13–2–1 Electrical Detail Design and Construction Practice EP 15–4–1 Principles and Practices for Inspection and Testing of Plant Equipment
ANSI/FCI
B16.104 Quality Control Standard for Control Valve Seat Leakage (FCI 70-2)

DEFINITIONS

Responsible Post/Person - The post/person nominated by the Senior Operating Manager to carry out the Protective Instrument Systems testing program.

Senior Operating Manager - The person appointed and responsible for the safety and operation of a particular plant.

Reliability Analysis - A mathematical technique for assessing in probability terms the performance of a component or system.

Triple Modular Redundant (TMR) - A system that employs three isolated, parallel control circuits. The system uses two–out–of three voting to provide high integrity, error–free, uninterrupted process operation with no single point of failure.

Owner’s Engineer - A Inflection Point Engineering, LLC appointed engineer. Owner - Inflection Point Engineering, LLC.

3.7 Protective Instrumentation - Instrumentation provided to prevent losses of all kinds, particularly in process upsets or emergencies, as distinct from instrumentation provided for normal process control.

CATEGORIZATION

All protective instrumentation systems shall be assigned one of the Categories described in paragraphs 4.6, 4.7, and 4.8 of this Practice.
To determine the Category of the protective system, a systematic examination of the protective instrumentation design shall be carried out. The procedures in IPE Engineering Services PSM Manual should be followed. The variability in pressure, temperature, flow and level should be considered to establish the abnormal conditions that could occur.
A schedule should be prepared listing all process conditions monitored by the protective system. It shall be assumed that conventional pressure relief devices function according to design requirements. No credit shall be taken for check valves. Multiple simultaneous failures should be considered only when the consequences are likely and result in serious hazard to personnel.
The consequences of the failures should be reviewed and the acceptability determined. All protective instrumentation systems necessary to prevent unacceptable conditions should be listed with the results of the protective systems failing to operate. At this point, a Category should be identified.
Where Category 1 systems are identified, design modifications should be considered to avoid this requirement. The number of Category 1 systems should be minimized and shall be subject to approval by the Owner’s Engineer.
Category 1 Instrument systems requiring a reliability greater than normal, where failure to act on demand could result in serious injury to personnel. Examples of Category 1 systems are:
Systems, not requiring design to ASME Code, where over pressure protection is provided solely by instrumentation. Often this equipment cannot be protected by conventional pressure relief devices. Pressure vessels designed to the ASME Code require pressure relief devices and cannot be protected solely by instrumentation.
Systems having relief valves discharging to a closed system, sized by taking credit for operating automatic pressure limiting instrumentation.
Systems having relief valves discharging to atmosphere where the protective instrument is mandated by Statutory Authority requirements.
Systems that can release toxic gases in concentrations exceeding the Immediately Hazardous to Life and Health (IDLH) level, in areas normally accessible by workers.
Category 2 Instrument systems where adequate self–actuating devices are available to prevent unacceptable equipment failure or serious injury to personnel if the protective instrumentation fails. Examples of Category 2 systems are:
This includes instrumentation systems designed to protect against unacceptable damage to the environment or serious commercial consequences.

Systems having relief valves discharging to atmosphere, where the protective system is not mandated by Statutory Authority, but where there is a requirement to reduce demand on these devices for environmental reasons.
Burner management systems on fired steam generators.
Protection against damage to unspared equipment essential for production.
Category 3 Instrument systems which are designed to prevent minimal financial loss or process interruption. Examples of Category 3 systems are:
Systems designed to limit the loss of products where a failure to operate could result in a release through the conventional pressure relieving devices.
Low flow shutdowns and equipments trips where failure to operate could result in damaged to spared or non essential equipment.
Where failure to operate could result in loss of product quality.
Remote actuated equipment isolation control and isolation valves where manual isolation valves are also available within a safe distance.
Interlock and sequencing systems not required or included in Category 1 or Category 2 systems.

USE IN PRESSURE RELIEVING SYSTEMS

The use of protective instrument systems in pressure relieving system shall comply with EP 3– 7–4.

DESIGN PROCEDURES

A systematic approach is required to implement protective instrument systems in a cost effective manner. Project Safety Reviews and Hazard and Operability Studies shall be carried out per the IPE Engineering Services PSM Manual.

SYSTEMS DESCRIPTION

The following hardware is used for protective instrument systems:
Relay systems (electro mechanical)
Pneumatic or hydraulic systems
Solid state systems (hardwired electronic logic)
Programmable systems (PLC, DCS, TMR)
Relay systems should be used where the ease of application, operation, and simple logic are the prime considerations. Relay systems are usually stand alone and not integrated with other protective systems or the plant control system. The installed and maintenance cost of relay system should be compared to solid state and programmable systems for multiple relay installations.
Pneumatic and hydraulic systems are used only for special applications, and shall be subject to approval by the Owner’s Engineer. Pneumatic and hydraulic systems are common on LPG loading racks.

Solid state systems should be used where their ease of application and greater reliability are of importance. They are generally applicable to a wide application where the function of the system is fixed and unchangeable.
Programmable systems include the following types:
Programmable Logic Controller (PLC)
Distributed Control Systems (DCS)
Triple Modular Redundant Systems (TMR)
General Purpose Computer Systems
Programmable systems are used where flexibility, complex interaction, and calculations are the prime consideration. General purpose computer systems shall not be used for protective instrumentation. PLC and DCS systems may be used for Category 2 and Category 3 systems. The only programmable system acceptable in Category 1 systems are TMR systems.

GENERAL DESIGN REQUIREMENTS

The effect of failure of any function or group of functions shall be considered in the design of protective instrumentation.
Protective systems, their associated sensing and actuating devices (when required by the protective category) and their connections to the process shall be physically separate from all other control and alarm equipment. Terminals, junction boxes, instrument boxes, isolators and other points of access to the protective systems shall be distinctively marked.
All instrumentation shall meet the requirements of EP 12–1–1.
Category 1 systems shall fail safe, de–energized to trip. The use of a normally deenergized systems (energized to trip) in Category 2 and Category 3 systems shall be approved by the Owner’s Engineer.
For Category 1 applications, a single fault shall not cause failure to operate (failure to trip).
For Category 2 applications involving serious economic loss, the case for multiple sensors, logic and final actuation devices should be considered by evaluation of the additional costs against the probability of reducing economic loss. This evaluation should be a cost/benefit calculation which takes account of ongoing inspection and maintenance.
For Category 2 applications involving serious environmental pollution, the case for multiple sensors, logic and final activation devices should be considered. The evaluation should consider the cost of reliability against the probability of preventing unacceptable environmental pollution.
For Category 3 applications the use of single sensor, logic, and final actuation device is normally considered adequate.
Where multiple sensors are used in voting systems, two out of three, should be provided to reduce the probability of trips for spurious reasons. It will normally be sufficient to provide multiple sensors and logic and vote on the outputs from logic. A voting arrangement of the final actuation device should only be provided if spurious trip or failure to trip are not acceptable. Systems based on one out of two logic should only be used where it has been shown by analysis that the spurious trip rate is acceptable.

The need for manual override facilities should be avoided on Category 1 applications. Where there is a need for manual override, the locking facilities provided shall be such as to require a unique control procedure and approval authority, as defined by the Owner’s Engineer.
Where the protective instrumentation switches and alarms from several units are in a single control room, it shall be possible to isolate the protective instrumentation system on a unit without impairing the operation of protective systems on the other units.
For all Categories, manual initiation of trip shall be possible.
All electrical design and installation shall comply with EP 13–2–1.
Unless exempted by the Owners Engineer provisions for continuous testing shall be included in the system design.

CATEGORY 1 REQUIREMENTS

Category 1 systems shall fail safe, de–energized to trip.
Category 1 systems installed in high fire risk areas should be installed with passive fire protection in accordance with EP 11–2–1 unless other engineered solutions are implemented with approval of the Owners Engineer.
A conditioned power supply, battery backed, UPS, and a dedicated circuit breaker or fuse shall be used for Category 1 systems.
Category 1 systems should not share cabinets, programmable devices, I/O housing, field transmission cables, and junction boxes with the plant control system. Where sharing occurs the Category 1 system shall be clearly identified and segregated when possible.
If programmable systems are specified, they shall be the TMR type. Single processor PLC or DCS systems shall not be used. Precautions shall be taken to separate individual sensing channels, in order to avoid degradation of the protection through common faults in the system.
Mechanical or software interlocks shall be in place to prevent unauthorized modification to the logic or software.
On–Line programming or modification is not permitted without written approval of the Senior Operating Manager. Authorization for on–line programming and modification shall be per EP 3– 5–3.
Key switch bypasses for testing inputs are permitted for individual inputs only. Key lock shall not bypass multiple devices. Control room annunciation (alarm) of the key switch in bypass is required.

CATEGORY 1 FIELD INSTRUMENTS

“One of Two” or “Two of Three” inputs shall be provided for tripping Category 1 systems. To minimize the possibility of common mode failure, diversity of manufacturer or model should be considered.

When devices are used that fail without indication, the testing interval shall be considered in the design. This testing interval may be shorter that the general testing interval of the trip system. If this test interval cannot be met, devices that reveal failure shall be substituted. An example is substituting a pressure transmitter for a pressure switch.
Trip valves on Category 1 systems should normally move by springs to the position required by initiation of the protective instrumentation on signal or motive power failure. Electrically–driven valves may not function because of power or control wiring failures. If electrically–driven valves are used, the power supply, power and control wiring, and installation details shall be approved by the owners engineer.
Category 1 trip valves shall not be used for any other function. They shall not be fitted with handwheels and no bypasses shall be installed. Fail closed valves in shutdown service shall provide leak protection to a minimum of ANSI IV shutoff per ANSI/FCI B16–104.
Solenoid valves used in Category 1 systems shall be designed to be manually reset locally. Manual reset prior to re–start is required.

CATEGORY 2 REQUIREMENTS

System design requirements shall be determined after considering the following:
Consequences of failure to operate and operation for spurious reasons.
The cost of spurious trips versus the cost of failures to trip.
Additional cost of testing or additional fault monitoring is acceptable.
Category 2 systems should not share cabinets, programmable devices, I/O housing, field transmission cables, and junction boxes with the plant control system. Use of the plant control system for Category 2 protective systems shall be approved by the Owner’s Engineer.

CATEGORY 2 FIELD INSTRUMENTS

Redundant field inputs are not required.
When devices are used that fail without indication, the testing interval should be considered in the design. This testing interval may be shorter that the general testing interval of the trip system. If this test interval cannot be met, devices that reveal failure shall be substituted. An example is substituting a pressure transmitter for a pressure switch.
The ability to test all devices in place should be provided.
A manual reset to re–start is required.
Control valves may be used for Category 2 trip systems. Bypasses and handwheels may be provided. Bypass valves or handwheels provided on Category 2 systems shall be secured to prevent unauthorized operation or bypassing of the trip. The methods of securing the valves or handwheel shall be approved by the Owner’s Engineer.

CATEGORY 3 REQUIREMENTS

System design requirements shall be determined after considering the following:
Consequences of failure to operate and operation for spurious reasons.
The cost of spurious trips versus the cost of failures to trip.
Additional cost of testing or additional fault monitoring is acceptable.
Category 3 systems may share racks, programming devices, I/O housing, field transmission cables, and junction boxes with the plant control system. Use of the plant control system for Category 3 protective systems shall be approved by the Owner’s Engineer.

CATEGORY 3 FIELD INSTRUMENTS

Redundant field inputs are not required.
When devices are used that fail without indication, the testing interval should be considered in the design. This testing interval may be shorter that the general testing interval of the trip system. If this test interval cannot be met, devices that reveal failure shall be substituted. An example is substituting a pressure transmitter for a pressure switch.
The ability to test all devices in place should be provided.
A manual reset to re–start should be considered.
Control valves may be used for Category 3 trip systems. Bypasses and handwheels may be provided.

TESTING

The on site Testing of Protective Instrument Systems shall conform to EP 12–10–2.

DOCUMENTATION FOR CATEGORY 1

Design documentation shall be maintained for each Category 1 system. This design documentation shall form part of the Register of Pressure Relieving Systems. EP 3–7–3 defines the requirements of the Register of Pressure Relieving Systems.

DOCUMENTATION FOR CATEGORY 2

The design documentation should be similar to Category 1. Category 2 systems are not required to be placed on the Register of Pressure Relieving Systems.

DOCUMENTATION FOR CATEGORY 3

Normal project documentation should be adequate for Category 3 systems.

© 2026 Inflection Point Engineering, LLC. All rights reserved. The content of this page — including calculation methods, reference data, written analysis, interactive tools, and source code — is the intellectual property of Inflection Point Engineering, LLC and is protected under applicable copyright, trademark, and trade secret laws. Unauthorized reproduction, redistribution, modification, or derivative use in whole or in part is prohibited without prior written consent.

Disclaimer. This material is provided for informational and educational purposes only and does not constitute professional engineering advice. Calculations, reference data, and methodologies are based on published standards and accepted engineering practice but are not a substitute for engineering judgment, site-specific analysis, or review by a licensed Professional Engineer. Inflection Point Engineering, LLC makes no warranties, express or implied, regarding the accuracy, completeness, or fitness for a particular purpose of any content presented here, and shall not be liable for any direct, indirect, incidental, or consequential damages arising from its use. Users assume all risk associated with applying this content to real-world design, operations, or decisions.