
Page 1: Modernization of an ammonia plant safety shutdown system

Modernization of an Ammonia Plant Safety Shutdown System

John Mason, P. Eng and Joe Gluckie, RET

Agrium Inc, Fort Saskatchewan, Alberta, Canada; [email protected] (for correspondence)

Published online 26 February 2009 in Wiley InterScience (www.interscience.wiley.com). DOI 10.1002/prs.10300

The Agrium Redwater Nitrogen Operations Ammonia 2 plant underwent a phased project to upgrade and modernize its automatic safety shutdown system. Agrium incorporated the use of safety integrity levels in the functional design and detailed design of the safety shutdown system to ensure that all required protections were implemented in a safe and cost-effective manner.

This article discusses the methodology used to determine the scope of the system, the methodology used to define the functional design, the implementation strategy chosen and the key lessons learned from the execution of this project. © 2009 American Institute of Chemical Engineers Process Saf Prog 28: 282–292, 2009

Keywords: ammonia plant, shutdown, reformer, waste heat boiler

INTRODUCTION

Agrium Inc. is a leading global producer and marketer of agricultural nutrients and industrial products, and a major retail supplier of agricultural products and services. It has production, marketing and retail operations in North America and South America.

The Corporation produces and markets the four primary nutrients – nitrogen, phosphate, potash and sulphur – as well as micronutrients.

Redwater Fertilizer Operations

The Agrium Redwater Fertilizer Operations (RFO) is located near the town of Redwater, Alberta, Canada, about 30 km northeast of Edmonton. It was commissioned in 1968 with major expansions in 1981 and 1983. It now produces six products as follows: ammonia, urea, ammonium nitrate, urea-ammonium nitrate solutions, monoammonium phosphate and ammonium sulphate. The plant is the largest Agrium complex and produces about 2 million tonnes of product per year.

Redwater Ammonia Plants

The Agrium RFO has two ammonia plants, both designed by Bechtel and Exxon. The original ammonia plant, Ammonia 1, was commissioned in 1968 and has an original nameplate capacity of 544 MTPD. It has been debottlenecked and currently has a nominal capacity of 810 MTPD.

The second ammonia plant, Ammonia 2, was commissioned in 1983 and has an original nameplate capacity of 1600 MTPD. It has been debottlenecked to its current nominal capacity of 1920 MTPD.

The design of the Ammonia 2 plant is that of a conventional ammonia process with an industrial frame gas turbine driver for the process air compressor. The exhaust from the gas turbine is utilized as the combustion air for the primary reformer in a cogeneration scheme.

History of Ownership

The RFO was originally owned and operated by Imperial Oil (IOL), a majority-owned subsidiary of ExxonMobil Corp. The RFO was IOL’s only fertilizer asset. As a result, the technical support was almost exclusively from Exxon’s Basic Chemicals division, which resulted in substantial influence on the design and practices of the facilities.

In 1994 IOL divested all of its fertilizer assets and sold the RFO to Sherritt. Sherritt owned and operated the facilities until 1997 when they merged their newly formed subsidiary, Viridian, with Agrium. Agrium has owned and operated the facilities since that time.

Through internal projects and acquisitions, Agrium now has eight ammonia plants in North America and a 50% ownership in a ninth plant in Argentina. Between the eight North American plants, there were five different original owners and operators and three different technology providers, all of whom put their own shutdown philosophy into the plant designs.

BACKGROUND

FM Global, Agrium’s insurance provider, identified that Agrium’s ammonia plants did not have a common set of safety interlocks (trips) for their primary reformers. They also identified that only one plant had a secondary reformer waste heat boiler (secondary WHB) low level trip. FM Global had two major concerns. Their first concern was the risk of overheating the primary reformer during start-up, and their second concern was damage to the secondary WHB due to lack of water.

282 September 2009 Published on behalf of the AIChE DOI 10.1002/prs Process Safety Progress (Vol.28, No.3)

As part of Agrium’s continuous improvement efforts in process safety management, and in response to FM Global’s recommendations, it was decided that the ammonia plants required a similar risk management strategy. In 2002 Agrium undertook a study to determine what that strategy should be. The results of this study and the development of a primary reformer and secondary WHB safety shutdown standard instigated the modernization of the RFO Ammonia 2 safety shutdown system.

Development of a Standard Practice

In 2002 Agrium initiated a project to develop a primary reformer and secondary WHB safety shutdown, or trip, standard. The study team included representation from each Agrium ammonia plant in North America. The original project scope was simply to develop a standard set of safety interlocks for the primary reformer and the secondary WHB; however, it became apparent early on that a functional design was also required. This functional design was required to balance the protection afforded to the equipment with the operational reality of preserving on-stream time.

The methodology used to develop a standard practice was to determine the current practices in industry, review these practices to determine what was required to mitigate the underlying risks to an acceptable level, and then determine the functional design for implementation.

Figure 1. Flow chart of methodology used to determine industry "Standard" practices. [Color figure can be viewed in the online issue, which is available at www.interscience.wiley.com.]

Table 1. Existing primary reformer safety interlocks and trips within Agrium ammonia plants.

Interlocks surveyed (columns): Feed Gas F Low; S:G Ratio Low; Steam F Low; Induced Draft P High; Fuel Gas P Low; Fuel Gas P High; Forced Draft P Low; Steam Drum L Low; Process Air F Low; Aux Boiler Flame Out; Process Out T High; Flue Gas T High + Steam F Low.

Plants surveyed (rows): Borger, Carseland, Ft Sask, Kenai 1, Kenai 2, Redwater 2.

[The check marks indicating which plant has each interlock are not legible in this copy.]


Review of Industry Common Practices

The industry review was both internal and external. The internal review included all the Agrium ammonia plants. The external review was an informal survey of our peers and an informal survey of the modern designs of Haldor Topsoe, KBR and Uhde. Figure 1 is a flow chart of this methodology. Table 1 gives the results of the internal Agrium survey.

From these surveys the industry common practices were identified as follows:

• Secondary reformer WHB level low

• Air: gas ratio high

• Steam: gas ratio low

• Fuel gas pressure low

• Fuel gas pressure high

• Firebox pressure high (low draft)

• Forced draft pressure low (if FD fan present)

• Process gas out temperature high

• Auxiliary boiler flame out (KBR only)

• Steam flow low + flue gas temperature high

The internal review also confirmed FM Global’s opinion by revealing the following:

• Only one Agrium plant had a low level trip on the secondary WHB.

• The only common primary reformer interlock within Agrium was low feed gas flow, but there were no common actions taken in the event of such a trip (see Table 2).

Agrium Standard Practice

To determine Agrium’s standard practice for primary reformer and secondary WHB safety interlocks, the list of industry standard practices was scrutinized using typical risk measurement techniques. The objective was to determine the risk that each interlock was intended to address, and then measure that against Agrium’s acceptable level of unmitigated risk. Agrium’s risk matrix is shown in Figure 2.

The following approach was used:

• Determine what event each interlock was in place to prevent.

• Determine the highest level of consequence of such an event in the categories of safety, environmental and cost using the "nine times out of 10" rule (i.e. the consequence that will occur nine times out of 10 events).

• Considering existing typical layers of protection, excluding any automated interlock, determine the frequency of the exposure to such an event.

• Determine the level of unmitigated risk.

Each event whose unmitigated risk was deemed unacceptable by Agrium’s corporate risk matrix formed part of the recommended practice. The results of the risk analysis are shown in Table 3.

The resulting standard practice for primary reformer and secondary WHB safety interlocks was as follows:

• Secondary reformer WHB level low

• Air: gas ratio high

• Steam: gas ratio low

• Fuel gas pressure low

• Firebox pressure high (low draft)

• Auxiliary boiler flame out (KBR only)

• Steam flow low + flue gas temperature high

These interlocks were considered a minimum, so other interlocks for the primary reformer were neither precluded nor strictly required (e.g. primary reformer process outlet temperature high).

Standard Practice Functional Design

The initial intention was to include a functional design for each of the listed standard interlocks. The functional design would define the minimum implementation requirements for each interlock. For example, the minimum number of field devices, the voting logic and the number of isolation and/or bleed valves for each interlock would be listed.

Table 2. Automated actions in response to a feed gas low flow scenario within Agrium ammonia plants.

Actions surveyed (columns): Stop Fuel; Stop Process Air; Open Steam to Air Coil; Isolate Methanator; Trip Syn Gas Compressor.

Plants surveyed (rows): Borger, Carseland, Ft Sask, Kenai 1, Kenai 2, Redwater 2.

[The marks indicating which actions each plant takes are not legible in this copy.]

Figure 2. Agrium corporate risk management matrix before incorporation of safety integrity levels. [Color figure can be viewed in the online issue, which is available at www.interscience.wiley.com.]

The challenge was to balance the wants of the plant personnel and the needs of the safety instrumented system (SIS). The plant personnel want high process on-stream time, whereas the SIS needs to be on-line and functioning properly when an unsafe event occurs. The ideal situation is as follows:

• Sufficient voting and redundancy within the SIS so that the likelihood of a nuisance trip is statistically insignificant, and

• Sufficient redundancy and fail-safe characteristics that the likelihood the system does not work when required is also statistically insignificant.

However, such a system would be cost prohibitive.

The existing Agrium risk matrix, as shown in Figure 2, was inadequate to provide any information or guidance for a SIS design. The most logical alternative was to adopt safety integrity levels (SIL) as defined in ISA S84.01-1996 or IEC 61511. As such, Agrium’s risk matrix was adapted by converting the maximum level of acceptable unmitigated risk to SIL-0 and then increasing one SIL per consequence level and frequency level as shown in Figure 3. SIL-0 is defined as the level of risk where local management has discretion regarding actions or safeguards. The results of the previous risk analysis were then used to assign each interlock the maximum allowable probability of failure on demand (PFD) or SIL.

At this point a weakness of the SIL methodology was revealed. While the methodology provides excellent guidance on the required reliability of the safety instrumented loop and system, it does not address the operator’s concern with on-stream time. That is, it does not address false trips, which are characterized by the mean time to failure spurious (MTTFs).

A different methodology was required to prevent over-design (and over-spending) on the new interlocks. A way to determine an acceptable MTTFs was required because it was unrealistic to design a system that would never result in a false trip (as requested by operations).

Figure 3. Agrium corporate risk management matrix after incorporation of safety integrity levels. [Color figure can be viewed in the online issue, which is available at www.interscience.wiley.com.]

Table 3. Results of Agrium risk analysis on industry best practices.

Interlock                      Frequency  Personnel  Environment  Costs/Penalties  Risk Level
WHB L Low                      4          No         No           C                H2
Air:Gas Ratio High             4          No         No           C                H2
Steam Flow + Flue Gas T High   3          No         No           B                H2
Steam:Gas Ratio Low            4          No         No           C                H2
Fuel Gas P Low                 3          D          No           B                H2
Fuel Gas P High                3          No         No           D                L
Firebox P High (draft low)     4          D          No           D                M
Forced Draft P Low             3          No         No           D                L
Process Out T High             2          No         No           D                L
Aux Boiler Flame Out           3          C          No           C                M


The design team developed a methodology that is very similar to that used to determine the required PFD. It is logical and is based on Agrium’s risk matrix (altered for SILs). It is as follows:

• Determine the consequence of a false trip. Depending on the interlock it may be a complete plant outage, a partial plant outage, may involve the risk of an environmental excursion, equipment damage, etc.

• Using the corporate risk matrix determine the acceptable frequency for the consequence (that which corresponds to SIL-0). This frequency is the maximum allowable MTTFs for the interlock.

The functional design for each interlock now has two design criteria—the PFD and the MTTFs. With these two criteria, the instrument loop can be designed and verified.
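As an added worked example (not code from the article, Agrium or the authors), the following Python screens candidate sensor voting architectures against both design criteria named above, the PFD/SIL target and the MTTFs target, and also shows the point made later in the article that a 2oo2 loop falls back to 1oo1 when one transmitter is diagnosed failed. The failure rates, proof-test interval, repair time and the two targets are assumed values, and the formulas are the usual simplified low-demand expressions rather than anything taken from the page.

```python
"""Two-criterion screening of sensor voting architectures: PFDavg and MTTFs.
Constructed illustration, not Agrium's or the authors' tool: failure rates,
proof-test interval, repair time and targets are assumed values, and the
formulas are the usual simplified low-demand ones (no common-cause term,
repair time short relative to the proof-test interval).
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Sensor:
    """Per-transmitter failure rates in failures per hour (assumed values)."""
    lambda_du: float  # dangerous undetected: reads safe when the process is not
    lambda_s: float   # safe: drives the channel toward the trip state


def sil_from_pfd(pfd: float) -> int:
    """Low-demand SIL band for an average PFD; 0 stands for the article's SIL-0."""
    if pfd < 1e-4:
        return 4
    if pfd < 1e-3:
        return 3
    if pfd < 1e-2:
        return 2
    if pfd < 1e-1:
        return 1
    return 0


def pfd_avg(arch: str, s: Sensor, proof_test_h: float) -> float:
    """Average probability of failure on demand for the sensor subsystem."""
    x = s.lambda_du * proof_test_h  # expected dangerous failures per test interval
    return {
        "1oo1": x / 2,
        "1oo2": x * x / 3,  # both channels must fail dangerously
        "2oo2": x,          # either channel failing dangerously defeats the trip
        "2oo3": x * x,      # any two of three failing dangerously defeats the trip
    }[arch]


def spurious_trip_rate(arch: str, s: Sensor, mttr_h: float) -> float:
    """Spurious trips per hour: enough channels fail safe within one repair time."""
    ls = s.lambda_s
    return {
        "1oo1": ls,
        "1oo2": 2 * ls,                # either channel alone trips the loop
        "2oo2": 2 * ls * ls * mttr_h,  # second must fail before the first is repaired
        "2oo3": 6 * ls * ls * mttr_h,  # three pairs, either failure order
    }[arch]


def mttfs_years(arch: str, s: Sensor, mttr_h: float) -> float:
    """Mean time to fail spurious, in years."""
    return 1.0 / (spurious_trip_rate(arch, s, mttr_h) * HOURS_PER_YEAR)


def degraded_architecture(arch: str) -> str:
    """Vote left when the logic solver drops one diagnosed-failed channel.
    The article's 2oo2 transmitters, set to fail toward trip, become 1oo1."""
    return {"2oo2": "1oo1", "1oo2": "1oo1"}[arch]


def evaluate(arch: str, s: Sensor, proof_test_h: float, mttr_h: float,
             required_sil: int, min_mttfs_years: float) -> dict:
    """Check one candidate loop against both criteria and report the numbers."""
    pfd = pfd_avg(arch, s, proof_test_h)
    mttfs = mttfs_years(arch, s, mttr_h)
    return {
        "arch": arch,
        "pfd_avg": pfd,
        "sil": sil_from_pfd(pfd),
        "mttfs_years": mttfs,
        "meets_pfd": sil_from_pfd(pfd) >= required_sil,
        "meets_mttfs": mttfs >= min_mttfs_years,
    }


# Assumed inputs for the demonstration (not taken from the article).
SIL_RATED = Sensor(lambda_du=5e-8, lambda_s=2e-6)
STANDARD = Sensor(lambda_du=2e-6, lambda_s=1e-5)
PROOF_TEST_H = HOURS_PER_YEAR  # annual proof test
MTTR_H = 8.0                   # failed channel repaired within a shift
REQUIRED_SIL = 2               # assumed target from the adapted risk matrix
MIN_MTTFS_YEARS = 100.0        # assumed false-trip target from the same matrix


def screen_candidates() -> list:
    """2oo2 SIL-rated, 2oo3 standard, and the 2oo2 loop after one channel fails."""
    return [
        evaluate("2oo2", SIL_RATED, PROOF_TEST_H, MTTR_H, REQUIRED_SIL, MIN_MTTFS_YEARS),
        evaluate("2oo3", STANDARD, PROOF_TEST_H, MTTR_H, REQUIRED_SIL, MIN_MTTFS_YEARS),
        evaluate(degraded_architecture("2oo2"), SIL_RATED, PROOF_TEST_H, MTTR_H,
                 REQUIRED_SIL, MIN_MTTFS_YEARS),
    ]


if __name__ == "__main__":
    for r in screen_candidates():
        print(f"{r['arch']}: PFDavg={r['pfd_avg']:.2e} (SIL {r['sil']}), "
              f"MTTFs={r['mttfs_years']:.3g} y, PFD ok={r['meets_pfd']}, "
              f"MTTFs ok={r['meets_mttfs']}")
```

With these assumed numbers the degraded 1oo1 state still meets the PFD target but misses the MTTFs target by a wide margin, which is the case that transmitter-health alarms and prompt repair are meant to bound.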

The other benefit to this methodology is that it is not a one-size-fits-all standard. It allows each plant to define its own required functional design based on its individual circumstances. While the frequency and consequence of an unsafe event are very similar in each plant, the consequence of a spurious trip can be very different. For example, some of Agrium’s plants are swing plants that only operate when the price and availability of natural gas supports their operation. While these plants have the same safety and environmental risks, they have a lower consequence for an outage or equipment damage.

In the end the team defined a standard set of interlocks for the primary reformer and secondary WHB but without a standard functional design. Instead, the team developed a logical methodology to determine each plant’s individual requirements for the functional design.

IMPLEMENTATION OF STANDARD

The standard and the design methodology received management approval, and plans were put in place to begin implementation. Due to the complexity of such projects, and Agrium’s inexperience in modifying and retrofitting existing interlock systems, management decided to implement the standard in the various plants sequentially. The order of execution was based on risk and timing of turnaround for field implementation.

As a result the Redwater Ammonia 2 plant was first because, in terms of risk, it is the largest of the Agrium ammonia and urea plants, it had the least amount of protection from automated interlocks on the primary reformer, and it had an upcoming turnaround.

REDWATER AMMONIA 2 MODERNIZATION PROJECT

The Redwater Ammonia 2 Plant Safety Shutdown System Modernization project has been executed in three distinct phases. The first phase addressed long-standing issues related to its safety shutdown system, some of which stemmed from the functional design of the plant’s original safety shutdown system. The second phase implemented the new Agrium standard interlocks for the primary reformer and secondary WHB. The third, and final, phase was initially unplanned but it was required to correct several issues identified in the detailed design of phase II.

Functional Design of Redwater’s Original Safety Shutdown System

Alarm and Interlock Design Philosophy:

The original SIS had two design functionalities. The first was the safety of personnel, equipment and the environment, and the second was to minimize nuisance plant trips.

To minimize nuisance trips, the design was energize-to-trip, or non-fail-safe. The concept of energize-to-trip was incorporated in both the input devices and in the output devices. This design eliminated false trips due to poor wiring connections and burnt-out solenoid coils.

To maintain a highly safe system, despite the energize-to-trip design, the following design features helped to contribute to the high safety integrity of the SIS by providing independent protective layers:

• Separate process taps and separate measuring devices for regulatory controls and SIS interlock devices.

• Independent process measuring alarm devices versus process measuring interlock devices. These alarm devices (inputs and outputs) were deenergize-to-alarm, or fail-safe.

With the fail-safe alarming design the non-fail-safe trip device had an independent backup. In the event that the non-fail-safe trip device did not function on demand the alarm would alert the operator and transfer the final actions to the process operator. The operator could then make the decision based on the fail-safe alarm system data and the independent distributed control system (DCS) process data.

Hardware Design Basis:

The hardware design was state-of-the-art in the early 1980s. It included a programmable logic controller (PLC) and a transistor transistor logic (TTL) system. The following are the details of the hardware design:

• Transistor Transistor Logic System
Since the PLC was relatively new in the chemical processing industry in the early 1980s, total reliance on software platform SISs was eyed with skepticism. As a result, a combination of a hardware and software platform was incorporated using a Rochester TTL printed circuit module type logic system. It received the field process inputs and with a contact follower would drive the annunciator panel and the PLC with independent dry contacts. The alarm loop for the process application was on a separate TTL module from the trip loop for a level of redundancy.

• Logic Solver
The heart of the SIS was the single on-line Modicon 584 general purpose programmable logic controller (GPPLC) with nonredundant input and output (I/O). A redundant mainframe 584 without I/O was present, but it was not on-line as reliable automated switching platforms were not available. The energize-to-trip design allowed the I/O cables to be switched quickly to the hot spare processor if the main processor failed.

• Annunciator Panel
The annunciator panel was a dedicated hardwired system with no software. If the PLC failed, the operator still had decision information available through the hardwired field inputs interfaced to the TTL system. This panel was limited to hardwired trip buttons for critical equipment. Also inherent in the annunciator panel were the typical first out, alarm flashing, alarm acknowledge, and alarm reset features.

• Process Measuring (Input) Devices
The process alarm and trip conditions were provided to the SIS in a dry contact format.

1. Level and pressure process measurements were interfaced to the SIS with external float and pressure switches respectively.

2. Flow measurements were orifice meters with a combination of a pneumatic transmitter and a 3–15 psig pressure switch.

3. Temperature applications utilized thermocouples with Acromag solid state electronic devices that generated the dry contact.

• Field Output Devices
The field output devices were mostly 24 VDC trip solenoids interfaced to final safety block valves. Most final elements were single block valves. Double block and bleed was not used.

Phase I

Phase I was completed in 2003 as a separate initiative that focused on improving the reliability of the safety interlock system. The main part of this project was an upgrade to the PLC platform, as shown in Figure 4. A Triconex triple modular redundant (TMR) safety PLC (SPLC) was installed to partially replace the safety functions of the Modicon 584 PLC and to set up a fault tolerant and high diagnostics logic solver platform. There were no field changes.

Because the existing SIS was designed energize-to-trip, there was an inherent flaw in that loose wires or burnt out solenoid coils were not detected until they were required to function. To improve the safety reliability of the SIS, some safety functions in the PLC were migrated to the new SPLC that had the capability to continually test the integrity of the output loops.

Phase II

Phase II was the implementation of Agrium’s primary reformer and secondary WHB safety interlock standard. The primary scope of work is depicted in Figure 5.

Detailed Functional Specification

The detailed functional specification was determined in a three-step process as follows:

1. Determine the functional design of the safety instrument loops.

2. Determine the actions to take in the event of an unsafe event.

3. Complete the instrumented loop designs and shutdown logic.

Figure 4. Phase I limited scope of work (example).


Step 1—Functional Design

The functional designs of the safety instrumented loops were completed using the methodology outlined above. Plant personnel were involved to define the functional design. With their involvement, the functional design was supported on all levels. Operations understood and agreed with the basis for each loop’s reliability, maintenance understood the basis for the required preventative maintenance, and management agreed that the chosen design would be the lowest cost solution to meet both the PFD and the MTTFs.

Step 2—Actions in Response to Unsafe Event

This step was the most time consuming due to Redwater’s history and culture. The installation of an extensive automated interlock system was a major shift in operational philosophy for the plant. As such, it had to be done right or the system would not be accepted.

Since the plant was originally designed, owned and operated by IOL, with Exxon as a major shareholder, it had been self-insured and relied on its own design practices to mitigate risk to an acceptable level. The philosophy at the time can be summarized as follows:

• The facility was designed for high on-stream factor and availability, therefore the SIS was designed for very low MTTFs.

• The operator had a highly reliable DCS to monitor and inform him of the process state.

• The operator also had a highly reliable hardwired annunciator panel with all critical information and functions.

• The operator was well trained and reliable.

To implement a system that would interpret process data and trip the plant, or parts of the plant, without human intervention was a dramatic departure from the status quo. The design team believed that it required a very different mind set for the operator to make the decision to trip the plant and then take action, versus having an instrumented system decide the plant must trip and then expect the operator to take certain actions. As such, we adopted the philosophy that if the plant was to trip automatically, it should also be brought to a safe state and ready for restart with as little human intervention as possible. We soon discovered that following this philosophy and designing the resulting actions into an existing facility that has not had such a system is not a trivial matter.

Step 3—Cause and Effect Diagrams

The design team utilized cause and effect diagrams to convey the inputs, outputs and actions required by each of the new plant trips. This information was translated into the trip narrative, the trip key and, eventually, into the logic diagrams. This methodology of translation provided a level of quality control to ensure that the final logic that was implemented achieved the desired goals of the functional design.

Figure 6 shows an example of a small portion of the cause and effect diagram for the secondary WHB low level trip. The complete diagram for this trip covered 11 sheets.

Figure 5. Phase II scope of work (example).

Detailed Design

The detailed design of the system attempted to stay with the most modern available proven technology. As a result, the detailed design introduced features and opportunities that had not been experienced by Redwater personnel before. The following is a description of the design details:

• Field Input Devices

1. All new process inputs were specified as two-out-of-two (2oo2) voting SIL rated transmitters. During the preliminary loop SIL validation, it was found that 2oo2 SIL rated transmitters provided a higher SIL rating and a lower MTTFs at a lower installed cost than a 2oo3 voting system with standard transmitters.

2. Existing process switches were replaced with 2oo2 SIL rated transmitters. These transmitters replace the single process alarm switches and the single process trip switches.

3. The installed transmitters were SIL stamped by TUV. They were not merely rated by a mathematical Failure Mode and Effects Analysis (FMEA).

4. The transmitters were configured to fail to the trip condition to provide high safety integrity for the SIS. In the case where a transmitter fails, the loop becomes a 1oo1 voting system.

• Annunciator Bay
All plant alarms are time stamped and stored in the DCS historian, making the annunciator bay redundant. However, the annunciator bay has proven its worth during a couple of short-lived DCS loss-of-view events, and operations personnel have come to depend on its presence after more than two decades of operational experience. Therefore the original concept of providing the operator with limited annunciator bay windows was followed but with several improvements. The status lights, alarms and bypass switches were segregated into plant sections, bypass switches were clearly separated into maintenance and start-up bypasses, and the labeling was improved to provide better descriptions.

Figure 6. Cause and effect diagram example (portion of secondary reformer WHB low level trip).

• Logic Solver
This phase of the project continued to build upon the TMR platform installed in Phase I. Because this phase of the project only dealt with the front-end safety interlocks, one of the biggest challenges was the significant amount of cross wiring required between the existing Modicon logic solver and the new Triconex logic solver. Other considerations in the design basis were as follows:

1. To ensure SIS integrity, DCS writes to the logic solver were not permitted. Instead a limited amount of hard wire connections between the two systems was implemented.

2. The logic solver monitors SIL transmitter health, transmitter deviations, and identifies when field trip devices fail to operate on demand. It alarms all such conditions.

• Field Output Devices

1. The new emergency shut down (ESD) valves were installed with mechanical on-line partial valve stroke testing capability. The ability to stroke test these valves on line improved the SIL ratings of the individual safety interlocks.

2. Following a site standard, the new ESD valves were installed with field reset solenoids.

3. The field reset solenoids created a new problem because their current draw was higher than that available from the TMR logic solver’s supervisory module. As a result these digital output loops had to include a fire and gas integrity type supervisory relay module (SRM).

4. Field ESD valves were physically timed for their individual stroke time to establish the failed to operate diagnostic alarm set point in the logic solver.

• Primary Reformer Start-Up Permissive
The detailed design review with FM Global resulted in the project scope being expanded to include a start-up permissive system for the primary reformer. While the permissive system is an important component of the overall risk management strategy, this article does not cover this aspect of the project.

• Final Design SIL Validation
All new safety interlock loops underwent a final SIL validation to ensure they met their individual SIL and MTTFs requirements.

• Operator Access to Process Information
As the detail design progressed, the design team identified several areas to improve the ESD information provided to the operators. As a result of acting on these improvements, the operator now has significantly more access to the ESD process than previously. In addition to training, the following was implemented:

1. Shutdown key in tabular format

2. Logic diagram narratives

3. Interlock narrative table

4. Simplified logic diagrams on DCS graphics

5. Logic solver trip sequence of events (SOE)

6. DCS batch sequence graphic table for primary reformer start-up permissive

• Engineering and Project Management
Agrium chose to manage the design using several individual contractor engineers while retaining overall responsibility for the final product. These contractors were resident on-site with the exception of the logic solver programmer.

A logic simulator was developed and extensive logic function testing occurred before downloading the logic to the logic solver. The function testing was done with Agrium operations and engineering participation.

Agrium handled all project management, which included procurement, construction, loop function testing, and commissioning.

Field Work

The project was approved in Q4 2003 for implementation during the upcoming turnaround in Q3 2004. As a result of limited time for Front End Engineering Development (FEED) the initial field work was limited to the new ESD valves (which were installed, function tested and forced open or closed) and the new process tap points for the SIL transmitters. The strategy was to complete all mechanical tie-ins and installations during the turnaround and to commission the system on-line after proper design work was completed.

Part of the commissioning plan was to put the SIL transmitters on-line before they were fully commissioned as safety interlock inputs. This plan allowed for monitoring to ensure that any bias or initial errors would not cause false trips. Because the commissioning plans were delayed, beyond the project’s control, the SIL transmitters received extensive monitoring for months before full commissioning. As proof of design, to date these newly installed input devices would not have caused a spurious trip.

Lessons Learned

The following are the lessons (re)learned with this project:

• Risks of Fast Track Projects
With very minimal FEED work before the AFE appropriation, the project experienced several setbacks. Most of the issues during the detailed engineering phase were a result of the SIL project learning curve – it was Agrium’s first experience and we discovered that the Edmonton area was not abundant with SIL project experience. As a result it was extremely challenging to complete the engineering on schedule.

As is typical with fast-tracked projects, some piping errors occurred. One ESD bleed valve had to be relocated, and one ESD block valve could have been located elsewhere to avoid a costly access platform.

Lesson - Ensure adequate FEED

• Redesign of Plant Interlock Logic
The project experienced significant delays in the interlock logic design. The issues that caused this delay are as follows:

1. Due to other high priority projects, availability of site resources (operations and technical) was a real challenge. As a result it was difficult to meet as a group on a consistent basis. Often several weeks would pass between meetings. Upon reconvening, the design effort had to restart to refresh everyone's memory.

2. The design team (operations, site technical and contract technical) was more accustomed to single analog loop design. Significant learning and diligence was required as the team was dealing with the entire plant interlock system and not a single loop. Logic design is very much interrelated, requiring continual understanding of how each design change may impact or contribute to another unfavorable event.

Lesson - Project needs to identify and obtain timely commitments from all resources during the FEED phase.

• Hardware
A significant challenge was the discovery that the new logic solver DO module had a current limitation that was insufficient to operate the field reset solenoids. A solution had to be quickly determined, procured and installed. Then, due to the fast track procurement, sufficient SRMs were not available, so some loops had to be redesigned with an Amot and solenoid combination. Then, when the plant was undergoing start-up after the turnaround, it was discovered that the time required to hold the field resets had significantly increased.
Lesson - Ensure adequate FEED

• Software
The logic solver's SOE capability has the ability to display the first out trip device and all subsequent events. Our first SOE design in Phase I resulted in the SOE history only being available on the logic solver workstation, which is not accessible to the operator.
Lesson - Confer with more than one consultant for new application designs.

Phase III
At the time of writing, phase III was in the midst of detailed engineering. The implementation plans are scheduled for the plant turnaround in August 2007.

Interlock Clean-Up
The main objective of this phase is to consolidate the front-end safety interlocks to a single logic solver. To achieve this objective, the remaining front end interlocks will be moved from the Modicon GPPLC to the Triconex SPLC, eliminating the temporary cross wiring between the two logic solvers. Numerous devices in the annunciator bay will also be migrated from the Modicon to the Triconex.

The project scope also includes replacing an additional three sets of pressure switches with voting SIL transmitters to improve the integrity of the NH3 front end SIS.

Improvements
Several improvement items were identified during the phase II engineering. These items were not within the phase II project scope so they were postponed to phase III. The main improvement items are as follows:

1. Sequence Of Events
The Triconex SOE will be reconfigured so that the historical data can be displayed on a DCS screen for the operator.

2. Triconex SPLC Simulator
Redwater Ammonia 2 has two Triconex SPLCs. One serves the SIS applications as described in this article, and the other serves the gas turbine governor system. Both systems share common spare modules that are stored in the site storehouse. To reduce the risk that spare modules are not in working condition, the storehouse stock modules will be installed in an energized spare simulator chassis that is interfaced to the DCS. Any spare modules that fail will result in a DCS alarm. In addition, the spare system can be utilized for simulation and testing of new interlock logic programming.

3. Common Mode Failure Potential
During the FEED for phase III, a potential common mode failure was identified. Three existing paired SIL transmitters are located in the same field enclosure and depend on the same single source for heat (steam). To prevent a failure due to loss of heat in this enclosure, the project investigated the following three options: provide multiple steam sources, provide an alternate heat source with electrical tracing, or provide a low temperature alarm for the instrument enclosure. At the time of writing a solution had not been chosen.
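The behaviour the pre-commissioning monitoring in Field Work and the common mode item above are concerned with, as an added example that is not Agrium's code or part of the paper: a 2oo3 high trip over three transmitter channels with a channel deviation check, a flag when every channel sits in one shared enclosure, and an enclosure low-temperature alarm input (the third option listed). Tag names, limits, enclosure names and the degraded-mode voting policy are assumptions made here for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Channel:
    tag: str                  # constructed tag, not a plant tag
    value: Optional[float]    # measured value; None = transmitter bad status
    enclosure: str            # heated field enclosure that houses it


def vote_2oo3(channels: List[Channel], trip_limit: float, deviation_limit: float,
              enclosure_cold: Optional[Dict[str, bool]] = None) -> Tuple[bool, List[str]]:
    """Return (trip, diagnostics) for a high trip on three channels.

    Assumed policy (a design choice, not from the paper): 2oo3 while all three
    channels are healthy; with failed channels, degrade to 1ooN over the healthy
    ones; with none healthy, trip (fail-safe, de-energize-to-trip)."""
    enclosure_cold = enclosure_cold or {}
    good = [c for c in channels if c.value is not None]
    diags = [f"{c.tag}: bad status, excluded from vote"
             for c in channels if c.value is None]
    votes = sum(1 for c in good if c.value >= trip_limit)
    if len(good) == 3:
        trip = votes >= 2
    elif len(good) == 0:
        trip = True
        diags.append("no healthy channel: fail-safe trip")
    else:
        trip = votes >= 1
        diags.append(f"degraded to 1oo{len(good)}")
    # Deviation check: the bias/drift the pre-commissioning monitoring looks for.
    if len(good) >= 2:
        spread = max(c.value for c in good) - min(c.value for c in good)
        if spread > deviation_limit:
            diags.append(f"deviation alarm: spread {spread:.2f} > {deviation_limit}")
    # Common-cause exposure: redundancy is defeated if one shared enclosure loses heat.
    enclosures = {c.enclosure for c in channels}
    if len(enclosures) == 1:
        diags.append(f"common-cause exposure: all channels in {channels[0].enclosure}")
    for enc in sorted(enclosures):
        if enclosure_cold.get(enc):
            diags.append(f"enclosure {enc}: low-temperature alarm")
    return trip, diags


# Constructed sample: three channels in one enclosure, one reading drifted low.
SAMPLE = [Channel("PT-A", 12.4, "ENC-1"), Channel("PT-B", 12.1, "ENC-1"),
          Channel("PT-C", 9.0, "ENC-1")]
if __name__ == "__main__":
    print(vote_2oo3(SAMPLE, 12.0, 0.5, {"ENC-1": True}))
```

The diagnostics list is what an operator or maintenance alarm would carry; the trip decision itself stays a plain boolean so it can drive the de-energize-to-trip output directly.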

FUTURE PLANS
With the knowledge gained on this project, Agrium has started to update the safety interlock systems of their other ammonia plants. The current plan is to continue executing the projects sequentially to make the best use of available resources.

NOMENCLATURE
DCS = Distributed Control System
DO = Digital Output
ESD = Emergency Shut Down
FEED = Front End Engineering Development
FMEA = Failure Mode and Effects Analysis
GPPLC = General Purpose Programmable Logic Controller
I/O = Input/Output
MTTFs = Mean Time To Fail (spurious)
PFD = Probability of Failure on Demand
PLC = Programmable Logic Controller
SIL = Safety Integrity Level
SIS = Safety Instrument System
SOE = Sequence Of Events
SPLC = Safety Programmable Logic Controller
SRM = Supervisory Relay Module
TTL = Transistor-Transistor Logic
TMR = Triple Modular Redundant
WHB = Waste Heat Boiler
1oo1 = 1 Out Of 1 voting decision
2oo2 = 2 Out Of 2 voting decision
2oo3 = 2 Out Of 3 voting decision

ACKNOWLEDGMENTS
The authors thank the many participants who took part in the informal external survey or provided input to the design and execution of this project. In particular we thank Saskferco, Canadian Fertilizers, Haldor Topsøe A/S, KBR and Uhde for their help in developing the primary reformer and secondary WHB interlock standard. We also thank HTA/S for their technical review of our functional design, and exida for all their help in understanding SIL applications and validations.
