Raghava Nayak, Functional Safety Expert, Sydney, Australia, and
Venkat Pattabathula, Principal Consultant, SVP Chemical Plant Services, Australia
Most of the world's 600 or so ammonia plants and their downstream derivatives facilities were built in the last century. Although technologically advanced when built, they are not as safe as today's new plants, which typically use programmable logic controllers (PLCs) with triple modular redundancy (TMR).
Before the 1970s, process safety relied to a large extent on pneumatic trips. PLCs did not penetrate the market until the 1980s. TMR arrived in the mid-to-late 1990s, along with smart digital transmitters. PLCs with Safety Integrity Level 3 (SIL 3) are now standard. Continuous transmitters are currently displacing switches because operators can change their settings more easily and because smart transmitters have far fewer dangerous, undetected failures than switches. However, systematic failures can still occur in revamps, because operators tend to replace existing systems without checking the effect of the revamp on the entire plant.
Plant design is at the core of plant safety. The Basic Process Control System (BPCS) comes next, followed by operator intervention, alarm systems, and the Safety Instrumented System (SIS). The SIS is an important layer of protection because it can provide a greater risk reduction than any other single layer, as shown in Figure 1.
Figure 2 identifies the safety-related monitoring steps over a plant's life cycle. Safety oversight continues until the plant is decommissioned. A plant's SIS design begins with hazard identification (HAZID) and risk assessment once the piping and instrumentation diagram (P&ID) is ready.
Nowadays, most companies mandate a risk assessment, whether the project is an upgrade or a brand-new plant. The project's Safety Instrumented Functions (SIFs) are then identified, and a SIL is assigned to each. Each SIL (1 through 4) represents an order of magnitude of risk reduction: the higher the SIL, the more severe the expected consequence of a failure and the lower the probability of failure on demand that the SIF must achieve. Table 1 below shows the relationship between SIL and the probability of failure.
The SIL allocation techniques described in IEC 61511 are:
The first two techniques are qualitative. The risk matrix is generally used for screening. The risk graph was in common use until a few years ago; it is shown in Figure 3.
Risk graph analysis usually takes a team of process engineers, instrument engineers, and operating personnel. Because qualitative analysis is subjective, layer of protection analysis (LOPA), a semi-quantitative method, is now the preferred way to determine the SIL. Table 2 is a typical LOPA template. LOPA software is commercially available.
In the LOPA method, the plant owner sets the target tolerability criterion. The standard criterion for a fatality is one in a million per year (1 × 10⁻⁶ per year). The SIL requirement is the gap between that target and the frequency that remains after the independent protection layers (IPLs) already built into the plant design have been credited; each order of magnitude of that gap corresponds to one SIL.
A major accident can have multiple initiating causes, each with its own frequency of occurrence. Over-pressuring a vessel, for example, might in turn cause a fire, an explosion, or a toxic release, and it could be triggered by a loss of cooling water, a temperature control loop failure, or a blocked outlet. Each initiating cause has a different frequency and therefore a different risk (consequence × frequency). A SIF requirement is derived for each initiating cause, and usually the highest SIL of all the scenarios is used. Where there are many causes, or several scenarios with the same or similar SIL (risk), the overall SIL should also be checked: the residual frequencies of the individual causes add up, so the combined requirement can be one SIL higher than any of them individually.
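The two preceding paragraphs describe the LOPA arithmetic in words. The following is an added worked example, not the authors' Table 2 template and not LOPA software output: it allocates a SIL to the overpressure scenario above from a constructed set of initiating-cause frequencies and credited layers (BPCS loop, relief valve, independent alarm, occupancy), using the page's one-in-a-million-per-year target and the IEC 61511 low-demand PFDavg bands. All frequencies and credits are assumed values chosen for illustration. It also shows the point made at the end of the paragraph: three causes that individually need SIL 1 or no SIF at all need SIL 2 once their residual frequencies are pooled.

```python
"""LOPA-style SIL allocation for one hazardous event with several initiating causes.
Added illustration with constructed frequencies and credits; it is not the authors'
Table 2 template. SIL bands are the IEC 61511 low-demand PFDavg bands."""
import math

# IEC 61511 low-demand bands as (SIL, PFDavg lower bound, upper bound)
SIL_BANDS = [(1, 1e-2, 1e-1), (2, 1e-3, 1e-2), (3, 1e-4, 1e-3), (4, 1e-5, 1e-4)]


def sil_from_pfd(pfd):
    """SIL whose band contains the required PFDavg. 0 means no SIF is needed
    (required PFD >= 0.1); None means even a SIL 4 function cannot meet the target."""
    if pfd >= 1e-1:
        return 0
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return None


def residual_frequency(init_freq, credits):
    """Frequency of the consequence after the layers credited for this cause
    (IPL PFDs and conditional modifiers such as occupancy) have acted."""
    return init_freq * math.prod(credits)


def required_sif_pfd(target_freq, init_freq, credits):
    """PFDavg the SIF must reach so that init_freq * prod(credits) * PFD <= target."""
    return target_freq / residual_frequency(init_freq, credits)


def allocate(target_freq, causes):
    """causes: list of (name, initiating frequency per year, [credits]).
    Returns the SIL per cause and the SIL when all causes are pooled, which
    matters because their residual frequencies add up."""
    per_cause = {}
    pooled = 0.0
    for name, f0, credits in causes:
        per_cause[name] = sil_from_pfd(required_sif_pfd(target_freq, f0, credits))
        pooled += residual_frequency(f0, credits)
    return per_cause, sil_from_pfd(target_freq / pooled)


# Constructed scenario: vessel overpressure leading to a fire with a fatality.
TARGET = 1e-6  # tolerable fatality frequency per year (the page's one in a million)
BPCS, PSV, HIGH_TEMP_ALARM, OCCUPANCY = 0.1, 0.01, 0.1, 0.5  # assumed credits
CAUSES = [
    # the BPCS loop cannot be credited where it is itself the initiating cause
    ("loss of cooling water", 0.1, [BPCS, PSV, OCCUPANCY]),
    ("temperature control loop failure", 0.1, [PSV, HIGH_TEMP_ALARM, OCCUPANCY]),
    ("blocked outlet", 0.01, [BPCS, PSV, OCCUPANCY]),
]

if __name__ == "__main__":
    per_cause, pooled_sil = allocate(TARGET, CAUSES)
    for name, sil in per_cause.items():
        print(f"{name:35s} SIL {sil}")
    print("highest single-cause SIL:", max(per_cause.values()))
    print("SIL when the causes are pooled:", pooled_sil)
```

With these numbers the cooling-water and temperature-loop causes each need a SIL 1 function (required PFD 0.02), the blocked outlet needs none on its own (required PFD 0.2), but the pooled residual frequency of 1.05 × 10⁻⁴ per year requires a PFD below 0.0095, which is SIL 2. The pooled figure is the one to carry into the safety requirements specification.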
Overrating the SIS increases capex and opex and may still not protect the plant fully against major accidents. SIS studies at several ammonia plants showed a significant spread between the SILs obtained from the risk graph and from LOPA. A review of the SIL allocation study by a peer group and an independent specialist is therefore recommended, especially when SIL 3 or higher ratings are involved.
For a typical ammonia plant, the following items are rated SIL 1 or SIL 2:
The safety functions of package units such as the syngas, air, and refrigeration compressors and their drivers can also be combined with the process unit's SIS.
About 70 percent of the SIFs in ammonia/urea plants are rated SIL 1 or lower, and about 30 percent are SIL 2. Occasionally a function is rated SIL 3, but SIL 3 is generally avoided because of its higher cost.
The SIL allocation step yields the list of SIL-rated functions and determines the size of the SIS logic solver. A Safety Requirements Specification (SRS) and a functional design specification are then developed for procuring the components.
Many plants have upgraded safety instrumentation piecemeal, as maintenance replacement. For example, they have upgraded the PLC to a SIL 3 logic solver without modifying the associated transmitters and shutdown valves, even though these field devices account for a large share of a loop's probability of failure on demand. Experience shows that budgeting liberally from the start of a safety upgrade project saves costly retrofits later.
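To put numbers on that last point, here is an added worked example (not the authors' data) that sums the PFDavg of the three subsystems of one SIF loop: transmitter, logic solver, and shutdown valve. The dangerous-undetected failure rates, the proof-test intervals, and the before/after logic solvers are constructed values, not figures from any certificate or vendor. The single-channel approximation PFDavg ≈ λDU × TI / 2 is used; it ignores common-cause failures, diagnostics, and repair time, which is acceptable for showing where the loop's PFD comes from but not for a certified calculation.

```python
"""PFDavg of a single SIF loop built from sensor, logic solver and final element,
to show why replacing only the logic solver rarely raises the loop's SIL.
Added illustration with constructed lambda_DU values (per hour); they are not
certificate data. Single-channel approximation: PFDavg ~= lambda_DU * TI / 2."""

HOURS_PER_YEAR = 8760


def pfd_1oo1(lambda_du, proof_test_interval_years):
    """Average PFD of one channel with dangerous-undetected failure rate lambda_du
    (per hour) that is proof-tested every proof_test_interval_years."""
    return lambda_du * proof_test_interval_years * HOURS_PER_YEAR / 2


def loop_pfd(subsystems, ti_years):
    """subsystems: {name: lambda_du}. The loop fails if any subsystem fails, so the
    (small) subsystem PFDs add."""
    return sum(pfd_1oo1(l, ti_years) for l in subsystems.values())


def pfd_share(subsystems, ti_years):
    """Fraction of the loop PFD contributed by each subsystem."""
    total = loop_pfd(subsystems, ti_years)
    return {name: pfd_1oo1(l, ti_years) / total for name, l in subsystems.items()}


def meets_sil(pfd, sil):
    """IEC 61511 low-demand band: SIL n requires PFDavg below 10**-n."""
    return pfd < 10.0 ** (-sil)


def achieved_sil(pfd):
    """Highest SIL band (1..4) whose PFDavg limit the loop meets; 0 if none."""
    return max((s for s in (1, 2, 3, 4) if meets_sil(pfd, s)), default=0)


# Constructed loop: pressure transmitter -> logic solver -> shutdown valve.
TI = 1.0  # proof-test interval in years (assumed)
BEFORE = {"transmitter": 1.5e-7, "logic solver": 5e-7, "shutdown valve": 8e-7}
SOLVER_ONLY = {**BEFORE, "logic solver": 2e-8}          # SIL 3 TMR solver, same field devices
FULL_UPGRADE = {**SOLVER_ONLY, "shutdown valve": 2e-7}  # plus a better-performing valve

if __name__ == "__main__":
    cases = [("before", BEFORE, TI),
             ("new logic solver only", SOLVER_ONLY, TI),
             ("solver + valve, 6-month proof test", FULL_UPGRADE, 0.5)]
    for label, loop, ti in cases:
        pfd = loop_pfd(loop, ti)
        print(f"{label:36s} PFDavg={pfd:.2e}  achieves SIL {achieved_sil(pfd)}")
        for name, share in pfd_share(loop, ti).items():
            print(f"    {name:15s} {share:6.1%}")
```

With these assumed rates the original loop sits at PFDavg 6.4 × 10⁻³ (SIL 2). Swapping in a SIL 3 logic solver only moves it to 4.2 × 10⁻³, still SIL 2, and the shutdown valve now accounts for over 80 percent of the remaining PFD. The loop reaches SIL 3 (8.1 × 10⁻⁴) only after the valve is also addressed and the proof-test interval is halved, which is the field-device budget the paragraph warns about.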