This action might not be possible to undo. Are you sure you want to continue?
The Agrium Redwater Nitrogen Operations Ammonia 2 plant underwent a phased project to upgrade and modernize its automatic safety shutdown system. Agrium incorporated the use of Safety Integrity Levels in the functional design and detailed design of the safety shutdown system to ensure that all required protections were implemented in a safe and cost-effective manner. This paper discusses the methodology used to determine the scope of the system, the methodology used to define the functional design, the implementation strategy chosen and the key lessons learned from the execution of this project. John Mason, P.Eng. Agrium Inc. Joe Gluckie, RET Agrium Inc.
grium Inc. is a leading global producer and marketer of agricultural nutrients and industrial products, and a major retail supplier of agricultural products and services. It has production, marketing and retail operations in North America and South America. The Corporation produces and markets the four primary nutrients – nitrogen, phosphate, potash and sulphur –as well as micronutrients. Redwater Fertilizer Operations The Agrium Redwater Fertilizer Operations is located near the town of Redwater, Alberta, Canada approximately 30 km northeast of Edmonton. It was commissioned in 1968 with major expansions in 1981 and 1983. It now produces six products as follows: ammonia, urea, ammonium nitrate,
urea-ammonium nitrate solutions, monoammonium phosphate and ammonium sulphate. The plant is the largest Agrium complex and produces approximately 2 million tonnes of product per year. Redwater Ammonia Plants The Agrium Redwater Fertilizer Operations has two ammonia plants, both designed by Bechtel and Exxon. The original ammonia plant, Ammonia 1, was commissioned in 1968 and has an original nameplate capacity of 544 MTPD. It has been debottlenecked and currently has a nominal capacity of 810 MTPD. The second ammonia plant, Ammonia 2, was commissioned in 1983 and has an original nameplate capacity of 1600 MTPD. It has been debottlenecked to its current nominal capacity of 1920 MTPD.
AMMONIA TECHNICAL MANUAL
was damage to the secondary WHB due to lack of water. Table 1 gives the results of the internal Agrium survey. The study team included representation from each Agrium ammonia plant in North American. The exhaust from the gas turbine is utilized as the combustion air for the primary reformer in a co-generation scheme. Agrium has owned and operated the facilities since that time. As a result.The design of the Ammonia 2 plant is that of a conventional ammonia process with an industrial frame gas turbine driver for the process air compressor. Sherritt owned and operated the facilities until 1997 when they merged their newly formed subsidiary. Review of Industry Common Practices The industry review was both internal and external. there were five different original owners and operators and three different technology providers. The external review was an informal survey of our peers and an informal survey of the modern designs of Haldor Topsoe. This functional design was required to balance the protection afforded to the equipment with the operational reality of preserving on-stream time. Figure 1 is a flow chart of this methodology. They also identified that only one plant had a secondary reformer waste heat boiler (secondary WHB) low level trip. Agrium now has eight ammonia plants in North America and a 50% ownership in a ninth plant in Argentina. Their first concern was the risk of overheating the primary reformer during start-up. Through internal projects and acquisitions. Background FM Global. Agrium’ s insurance provider. The internal review included all the Agrium ammonia plants. Viridian. review these practices to determine what was required to mitigate the underlying risks to an acceptable level. History of Ownership The Redwater Fertilizer Operations was originally owned and operated by Imperial Oil Ltd (IOL). The methodology used to develop a standard practice was to determine the current practices in industry. and in response to FM Global’ s recommendations. The original project scope was to simply develop a standard set of safety interlocks for the primary reformer and the secondary WHB. In 1994 IOL divested all of its fertilizer assets and sold the Redwater Fertilizer Operations to Sherritt Inc. In 2002 Agrium undertook a study to determine what that strategy should be. the technical support was almost exclusively from Exxon’ s Basic Chemicals division. with Agrium Inc. FM Global had two major concerns. and then determine the functional design for implementation. which resulted in substantial influence on the design and practices of the facilities. and their second concern AMMONIA TECHNICAL MANUAL 110 2007 . however it became apparent early on that a functional design was also required. standard. Development of a Standard Practice In 2002 Agrium initiated a project to develop a primary reformer and secondary WHB safety shutdown. or trip. a majority-owned subsidiary of ExxonMobil Corp. KBR and Uhde. all of who put their own shutdown philosophy into the plant designs. Between the eight North American plants. The Redwater Fertilizer Operation (RFO) was IOL’ s only fertilizer asset. As part of Agrium’ s continuous improvement efforts in process safety management. identified that Agrium’ s ammonia plants did not have a common set of safety interlocks (trips) for their primary reformers. it was decided that the ammonia plants required a similar risk management strategy. The results of this study and the development of a primary reformer and secondary WHB safety shutdown standard instigated the modernization of Redwater Ammonia 2 safety shutdown system.
but there were no common actions taken in the event of such an occurrence trip (see Table 2). The plant personnel want high process on-stream time. • The only common primary reformer interlock within Agrium was low feed gas flow.g. The functional design would define the minimum implementation requirements for each interlock. Determine the level of unmitigated risk. excluding any automated interlock. The objective was to determine the risk that each interlock was intended to address. • Determine highest level of consequence of such an event in the categories of safety. Standard Practice Functional Design The initial intention was to include a functional design for each of the listed standard interlocks. environmental and cost using the “ 9 times out of 10”rule (i. so other interlocks for the primary reformer were neither precluded nor strictly required (e. the list of industry standard practices was scrutinized using typical risk measurement techniques. primary reformer process outlet temperature high). the consequence that will occur 9 times out of 10 events). the minimum number of field devices. the voting logic and the number of isolation and/or bleed valves for each interlock would be listed. de- • termine the frequency of the exposure to such an event. The results of the risk analysis are shown in Table 3. Each event whose unmitigated risk was deemed unacceptable by Agrium’ s corporate risk matrix formed part of the recommended practice. The ideal situation is as follows: • Sufficient voting and redundancy within the safety instrumented system so that the likeli- 2007 111 AMMONIA TECHNICAL MANUAL . The resulting standard practice for primary reformer and secondary WHB safety interlocks was as follows: • Secondary Reformer WHB Level Low • Air:Gas Ratio High • Steam:Gas Ratio Low • Fuel Gas Pressure Low • Firebox Pressure High (low draft) • Auxiliary Boiler Flame Out (KBR only) • Steam Flow Low + Flue Gas Temperature High These interlocks were considered a minimum. Agrium Standard Practice To determine Agrium’ s standard practice for primary reformer and secondary WHB safety interlocks. • Considering existing typical layers of protection. Agrium’ s risk matrix is shown in Figure 2. whereas the SIS needs to be on-line and functioning properly when an unsafe event occurs. The following approach was used: • Determine what event each interlock was in place to prevent. The challenge was to balance the wants of the plant personnel and the needs of the safety instrumented system (SIS).e. and then measure that against Agrium’ s acceptable level of unmitigated risk. For example.From these surveys the industry common practices were identified as follows: • Secondary Reformer WHB Level Low • Air:Gas Ratio High • Steam:Gas Ratio Low • Fuel Gas Pressure Low • Fuel Gas Pressure High • Firebox Pressure High (low draft) • Forced Draft Pressure Low (if FD fan present) • Process Gas Out Temperature High • Auxiliary Boiler Flame Out (KBR only) • Steam Flow Low + Flue Gas Temperature High The internal review also confirmed FM Global’ s opinion by revealing the following: • Only one Agrium plant had a low level trip on the secondary WHB.
It is logical and is based on Agrium’ s risk matrix (altered for SIL’ s). Instead. and plans were put in place to begin implementation. the team developed a logical methodology to determine each plant’ s individual requirements for the functional design. The existing Agrium risk matrix. The other benefit to this methodology is that it is not a one size fits all standard. At this point a weakness of the SIL methodology was revealed. A way to determine an acceptable MTTFs was required because it was unrealistic to design a system that would never result in a false trip (as requested by operations). With these two criteria. While the methodology provides excellent guidance on the required reliability of the safety instrumented loop and system. While these plants have the same safety and environmental risks. Agrium’ s risk matrix was adapted by converting the maximum level of acceptable unmitigated risk to SIL-0 and then increasing one SIL per consequence level and frequency level as shown in Figure 3. some of Agrium’ s plants are swing plants that only operate when the price and availability of natural gas supports their operation. The design team developed a methodology that is very similar to that used to determine the required PFD. it does not address false trips –also called mean time to spurious failure (MTTFs). was inadequate to provide any information or guidance for a SIS design. Depending on the interlock it may be a complete plant outage. It is as follows: • Determine the consequence of a false trip. While the frequency and consequence of an unsafe event is very similar in each plant.01-1996 or IEC 61511. management decided to implement the standard in the various plants sequentially. the instrument loop can be designed and verified. AMMONIA TECHNICAL MANUAL 112 2007 . It allows each plant to define its own required functional design based on their individual circumstances. such a system would be cost prohibitive. SIL-0 is defined as the level of risk where local management has discretion regarding actions or safeguards. This frequency is the maximum allowable MTTFs for the interlock. For example. The most logical alternative was to adopt safety integrity levels as defined in ISA S84. they have a lower consequence for an outage or equipment damage. In the end the team defined a standard set of interlocks for the primary reformer and secondary WHB but without a standard functional design. and Agrium’ s inexperience in modifying and retrofitting existing interlock systems. equipment damage. Using the corporate risk matrix determine the acceptable frequency for the consequence (that which corresponds to SIL-0). it does not address the operator’ s concern with on-stream time. etc. The order of execution was based on risk and timing of turnaround for field implementation. Due to the complexity of such projects. may • involve the risk of an environmental excursion. and • Sufficient redundancy and fail-safe characteristics that the likelihood the system does not work when required is also statistically insignificant. A different methodology was required to prevent over-design (and over spending) on the new interlocks. the consequence of a spurious trip can be very different. As such. That is.hood of a nuisance trip is statistically insignificant. The results of the previous risk analysis were then used to assign each interlock the maximum allowable probability of failure on demand (PFD) or SIL. a partial plant outage. However. as shown in Figure 2. The functional design for each interlock now has two design criteria – the PFD and the MTTFs. Implementation of Standard The standard and the design methodology received management approval.
A redundant mainframe 584 without I/O was present. It received the field process inputs and with a contact follower would drive the annunciator panel and the PLC with independent dry contacts. The concept of energize-to-trip was incorporated in both the input devices as well as in the output devices. The alarm loop for the process application was on a separate TTL module from the trip loop for a level of redundancy. The operator could then make the decision based on the fail-safe alarm system data and the independent distributed control system (DCS) process data. the design was energize-to-trip. The third. total reliance on software platform SIS’ s was eyed with skepticism. Independent process measuring alarm devices versus process measuring interlock devices. As a result. equipment and the environment. in terms of risk.As a result the Redwater Ammonia 2 plant was first because. despite the energize-to-trip design. Redwater Ammonia 2 Modernization Project The Redwater Ammonia 2 Plant Safety Shutdown System Modernization project has been executed in three distinct phases. but it was • 2007 113 AMMONIA TECHNICAL MANUAL . This design eliminated false trips due to poor wiring connections and burnt-out solenoid coils. The first was the safety of personnel. Logic Solver The heart of the SIS was the single on-line Modicon 584 general purpose programmable logic controller (GPPLC) with non-redundant input and output (I/O). In order to maintain a highly safe system. In the event that the non-fail safe trip device did not function on demand the alarm would alert the operator and transfer the final actions to the process operator. and it had an upcoming turnaround. it had the least amount of protection from automated interlocks on the primary reformer. or non-fail safe. • • Separate process taps and separate measuring devices for regulatory controls and SIS interlock devices. Hardware Design Basis: The hardware design was state-of-the-art in the early 1980’ s. a combination of a hardware and software platform was incorporated using a Rochester TTL printed circuit module type logic system. the following design features helped to contribute to the high safety integrity of the SIS by providing independent protective layers: With the fail-safe alarming design the non-fail safe trip device had an independent back up. and final. The following are the details of the hardware design: • Transistor Transistor Logic System Since the PLC was relatively new in the Chemical processing industry in the early 1980’ s. phase was initially unplanned but it was required to correct several issues identified in the detailed design of phase II. In order to minimize nuisance trips. it is the largest of the Agrium ammonia and urea plants. These alarm devices (inputs and outputs) were deenergize-to-alarm. or fail-safe. The first phase addressed long-standing issues related to its safety shutdown system. and the second was to minimize nuisance plant trips. some of which stemmed from the functional design of the plant’ s original safety shutdown system. Functional Design of Redwater’ s Original Safety Shutdown System Alarm and Interlock Design Philosophy: The original Safety Instrument System’ s (SIS) had two design functionalities. It included a programmable logic controller (PLC) and a transistor transistor logic (TTL) system. The second phase implemented the new Agrium standard interlocks for the primary reformer and secondary WHB.
• • Phase I Phase I was completed in 2003 as a separate initiative that focused on improving the reliability of the safety interlock system. and alarm reset features. 3. maintenance understood the basis for the required preventative maintenance. Level and pressure process measurements were interfaced to the SIS with external float and pressure switches respectively. Flow measurements were orifice meters with a combination of a pneumatic transmitter and a 3-15 psig pressure switch. Complete the instrumented loop designs and shutdown logic. the operator still had decision information available through the hardwired field inputs interfaced to the TTL system. The energize-totrip design allowed the I/O cables to be switched quickly to the hot spare processor if the main processor failed. the functional design was supported on all levels. The primary scope of work is depicted in Figure 5. Process Measuring (Input) Devices The process alarm and trip conditions were provided to the SIS in a dry contact format. there was an inherent flaw in that loose wires or burnt out solenoid coils were not detected until they were required to function. There were no field changes. and management agreed that the chosen design would be the lowest cost solution to meet both the PFD and the MTTFs. The main part of this project was an upgrade to the PLC platform. some safety functions in the PLC were migrated to the new SPLC that had the capability to continually test the integrity of the output loops.Functional Design The functional designs of the safety instrumented loops were completed using the methodology outlined above. This panel was limited to hardwired trip buttons for critical equipment. Most final elements were single block valves. to partially replace the safety functions of the Modicon 584 PLC and to set up a fault tolerant and high diagnostics logic solver platform. A Triconex triple modular redundant (TMR) safety PLC (SPLC) was installed AMMONIA TECHNICAL MANUAL 114 2007 . Step 1 . 3. 1. alarm flashing. 2. Operations understood and agreed with the basis for each loop’ s reliability. Determine the actions to take in the event of an unsafe event. as shown in Figure 4. Plant personnel were involved to define the functional design. Double block and bleed was not used. alarm acknowledge. 2. Detailed Functional Specification The detailed functional specification was determined in a three-step process as follows: 1. Phase II Phase II was the implementation of Agrium’ s primary reformer and secondary WHB safety interlock standard. Determine the functional design of the safety instrument loops. Temperature applications utilized thermocouples with Acromag solid state electronic devices that generated the dry contact. • Annunciator Panel The annunciator panel was a dedicated hardwired platform with no software internal to the system. Field Output Devices The field output devices were mostly 24 vdc trip solenoids interfaced to final safety block valves. In order to improve the safety reliability of the SIS. Also inherent in the annunciator panel were the typical first out.not on-line as reliable automated switching platforms were not available. With their involvement. If the PLC failed. Because the existing SIS was designed energizeto-trip.
. The design team believed that it required a very different mind set for the operator to make the decision to trip the plant and then take action. 4. it was found that 2oo2 SIL rated transmitters provided a higher SIL rating and a lower MTTFs at a lower installed cost than a 2oo3 voting system with standard transmitters. Existing process switches were replaced with 2oo2 SIL rated transmitters. Annunciator Bay • 2007 115 AMMONIA TECHNICAL MANUAL . To implement a system that would interpret process data and trip the plant. Detailed Design The detailed design of the system attempted to stay with the most modern available proven technology.Step 2 . The installation of an extensive automated interlock system was a major shift in operational philosophy for the plant. 3.Actions in Response to Unsafe Event This step was the most time consuming due to Redwater’ s history and culture. We soon discovered that following this philosophy and designing the resulting actions into an existing facility that has not had such a system is not a trivial matter. This information was translated into the trip narrative. it had to be done right or the system would not be accepted. the loop becomes a 1oo1 voting system. During the preliminary loop SIL validation. The following is a description of the design details: • Field Input Devices 1. outputs and actions required by each of the new plant trips. without human intervention was a dramatic departure from the status quo. As such we adopted the philosophy that if the plant was to trip automatically that it should also be brought to a safe state and ready for restart with as little human intervention as possible. This methodology of translation provided a level of quality control to ensure that the final logic that was implemented achieved the desired goals of the functional design. The complete diagram for this trip covered 11 sheets. As a result. the detailed design introduced features and opportunities that had not been experienced by Redwater personnel before. The installed transmitters were SIL stamped by TUV. Figure 6 shows an example of a small portion of the cause and effect diagram for the secondary WHB low level trip. These transmitters replace the single process alarm switches and the single process trip switches. • The operator was well trained and reliable. As such. into the logic diagrams. owned and operated by Imperial Oil Ltd. as a major shareholder. • The operator also had a highly reliable hard-wired annunciator panel with all critical information and functions. In the case where a transmitter fails. The transmitters were configured to fail to the trip condition to provide high safety integrity for the SIS. or parts of the plant. Since the plant was originally designed. The philosophy at the time can be summarized as follows: • The facility was designed for high on stream factor and availability. therefore the SIS was designed for very low MTTFs. it had been self-insured and relied on its own design practices to mitigate risk to an acceptable level. eventually. 2. They were not merely rated by a mathematical Failure Mode and Effects Analysis (FMEA). the trip key and. All new process inputs were specified as two-out-of-two (2oo2) voting SIL rated transmitters. with Exxon Inc. • The operator had a highly reliable DCS to monitor and inform him of the process state. Step 3 –Cause and Effect Diagrams The design team utilized cause and effect diagrams to convey the inputs. versus having an instrumented system decide the plant must trip and then expect the operator to take certain actions.
Final Design SIL Validation All new safety interlock loops underwent a final SIL validation to ensure they met their individual SIL and MTTFs requirements. • Logic Solver This phase of the project continued to build upon the TMR platform installed in Phase I. the new ESD valves were installed with field reset solenoids. In addition to training. The field reset solenoids created a new problem because their current draw was higher than that available from the TMR logic solver’ s supervisory module. alarms and bypass switches were segregated into plant sections. transmitter deviations. the annunciator bay has proven its worth during a couple of short-lived DCS loss of views. The logic solver monitors SIL transmitter health. 2.All plant alarms are time stamped and stored in the DCS historian making the annunciator bay redundant. The ability to stroke test these valves on line improved the SIL ratings of the individual safety interlocks. and identifies when field trip devices fail to operate on demand. DCS batch sequence graphic table for primary reformer start-up permissive • • • AMMONIA TECHNICAL MANUAL 116 2007 . Following a site standard. DCS writes to the logic solver were not permitted. However. the operator now has significantly more access to the ESD process than previously. Interlock narrative table 4. The status lights. Simplified logic diagrams on DCS graphics 5. Because this phase of the project only dealt with the front-end safety interlocks. Instead a limited amount of hard wire connections between the two systems was implemented. Other considerations in the design basis were as follows: 1. 4. As a result of acting on these improvements. While the permissive system is an important component of the overall risk management strategy. one of the biggest challenges was the significant amount of cross wiring required between the existing Modicon logic solver and the new Triconex logic solver. this paper does not cover this aspect of the project. the following was implemented: 1. 2. To ensure SIS integrity. Logic solver trip sequence of events (SOE) 6. The new emergency shut down (ESD) valves were installed with mechanical online partial valve stroke testing capability. Field ESD valves were physically timed for their individual stroke time in order to establish the failed to operate diagnostic alarm set point in the logic solver. As a result these digital output loops had to include a fire and gas integrity type supervisory relay module (SRM). and operations personnel have come to depend on its presence after more than two decades of operational experience. and the labeling was improved to provide better descriptions. Shutdown key in tabular format 2. bypass switches were clearly separated into maintenance and start-up bypasses. Field Output Devices 1. • Primary Reformer Start-Up Permissive The detailed design review with FM Global resulted in the project scope being expanded to include a start-up permissive system for the primary reformer. 3. Operator Access to Process Information As the detail design progressed. the design team identified several areas to improve the ESD information provided to the operators. It alarms all such conditions. Therefore the original concept of providing the operator with limited annunciator bay windows was followed but with several improvements. Logic diagram narratives 3.
This plan allowed for monitoring to ensure that any bias or initial errors would not cause false trips. The issues that caused this delay are as follows: 1. As a result it was extremely challenging to complete the engineering on schedule. the SIL transmitters received extensive monitoring for months prior to full commissioning.it was Agrium’ s first experience and we discovered that the Edmonton area was not abundant with SIL project experience. 2007 117 AMMONIA TECHNICAL MANUAL . These contractors were resident on-site with the exception of the logic solver programmer. Due to other high priority projects availability of site resources (operations and technical) was a real challenge. Often several weeks would pass between meetings. A logic simulator was developed and extensive logic function testing occurred prior to downloading the logic to the logic solver. Part of the commissioning plan was to put the SIL transmitters on-line before they were fully commissioned as safety interlock inputs. function tested and forced open or closed) and the new process tap points for the SIL transmitters. Most of the issues during the detailed engineering phase were a result of the SIL project learning curve . One ESD bleed valve had to be relocated. Agrium handled all project management. The design team (operations. The following are the lessons (re)learned with this project: • Risks of Fast Track Projects With very minimal FEED work prior to the AFE appropriation. Because the commissioning plans were delayed. which included procurement. site technical and contract technical) was more accustomed to single analog loop design.Lessons Learned • Engineering & Project Management Agrium chose to manage the design using several individual contractor engineers while retaining overall responsibility for the final product. Logic design is very much inter related requiring continual understanding of how each design change may impact or contribute to another unfavorable event. Significant learning and diligence was required as the team was dealing with the entire plant interlock system and not a single loop. As a result it was difficult to meet as a group on a consistent basis. As proof of design. loop function testing. As typical with fast-tracked projects. Field work The project was approved in Q4 2003 for implementation during the upcoming turnaround in Q3 2004. 2. Lesson . Upon reconvening.Ensure adequate FEED • Redesign of Plant Interlock Logic The project experienced significant delays in the interlock logic design. and one ESD block valve could have been located elsewhere to avoid a costly access platform. The strategy was to complete all mechanical tie-ins and installations during the turnaround and to commission the system on-line after proper design work was completed. beyond the project’ s control. the project experienced several setbacks. and commissioning. the design effort had to restart to refresh everyone’ s memory. some piping errors occurred. to date these newly installed input devices would not have caused a spurious trip. The function testing was done with Agrium operations and engineering participation. construction. As a result of limited time for Front End Engineering Development (FEED) the initial field work was limited to the new ESD valves (which were installed.
Interlock Clean-Up The main objective of this phase is to consolidate the front-end safety interlocks to a single logic solver. the spare system can be utilized for simulation and testing new interlock logic programming. Three existing paired SIL transmitters are located in the same field enclosure and depend on the same single source for heat (steam). A solution had to be quickly determined. To achieve this objective. a potential common mode failure was identified. Then when the plant was undergoing start-up after the turnaround.Ensure adequate FEED • Software The logic solver’ s SOE capability has the ability to display the first out trip device and all subsequent events. Then. To prevent a failure due to loss of heat in this enclosure the project investigated the following three options: pro- AMMONIA TECHNICAL MANUAL 118 2007 . and the other serves the gas turbine governor system. which is not accessible to the operator. Numerous devices in the annunciator bay will also be migrated from the Modicon to the Triconex. Common Mode Failure Potential During the FEED for phase III.Lesson . The main improvement items are as follows: 1. In addition.Confer with more than one consultant for new application designs. Triconex SPLC Simulator Redwater Ammonia 2 has two Triconex SPLC’ s. phase III was in the midst of detailed engineering. the remaining front end interlocks will be moved from the Modi- con GPPLC to the Triconex SPLC. 2. Both systems share common spare modules that are stored in the site storehouse. These items were not within the phase II project scope so they were postponed to phase III. Lesson . 3. due to the fast track procurement. The implementation plans are scheduled for the plant turnaround in August 2007. • Hardware A significant challenge was the discovery that the new logic solver DO module had a current limitation that was insufficient to operate the field reset solenoids. it was discovered that the time required to hold the field resets significantly increased. Our first SOE design in Phase I resulted in the SOE history only being available on the logic solver workstation. The project scope also includes replacing an additional three sets of pressure switches with voting SIL transmitters to improve the integrity of the NH3 front end SIS. procured and installed. One serves the SIS applications as described in this paper. Lesson . Any spare modules that fail will result in a DCS alarm. Phase III At the time of writing. sufficient SRM’ s were not available. Sequence Of Events The Triconex SOE will be reconfigured so that the historical data can be displayed on a DCS screen for the operator. eliminating the temporary cross wiring between the two logic solvers.Project needs to identify and obtain timely commitments from all resources during the FEED phase. so some loops had to be redesigned with an Amot and solenoid combination. Improvements Several improvement items were identified during the phase II engineering. the storehouse stock modules will be installed in an energized spare simulator chassis that is interfaced to the DCS. To reduce the risk that spare modules are not in working condition.
Acknowledgements The authors thank the many participants who took part in the informal external survey or provided input to the design and execution of this project. provide alternate heat source with electrical tracing. and Excida for all their help in understanding SIL applications and validations. In particular we thank Saskferco. Future Plans With the knowledge gained on this project. The current plan is to continue executing the projects sequentially to make the best use of available resources. At the time of writing a solution had not been chosen. Agrium has started to update the safety interlock systems of their other ammonia plants. Haldor Topsøe A/S. or provide a low temperature alarm for the instrument enclosure. 2007 119 AMMONIA TECHNICAL MANUAL . Canadian Fertilizers.vide multiple steam sources. KBR and Uhde for their help in developing the primary reformer and secondary WHB interlock standard. We also thank HTA/S for their technical review of our functional design.
Agrium Nitrogen Operations Borger Carseland Fort Saskatchewan Kenai Redwater Internal Review Saskferco Belle Plaine Peer Review HTAS (Profertil) Current Review Uhde KBR CFI Medicine Hat Industry “ Best” Practices Figure 1 –Flow Chart of Methodology used to Determine Industry “ Standard”Practices AMMONIA TECHNICAL MANUAL 120 2007 .
FREQUENCY CONSEQUENCE A B C D E Frequent Probable Remote Improbable Highly Improbable H1 H1 H1 M L H1 H1 H1 L N H2 H2 M L N H3 M L N N M L N N N Figure 2 –Agrium Corporate Risk Management Matrix prior to Incorporation of Safety Integrity Levels FREQUENCY Highly Improbable CONSEQUENCE A B C D E Frequent Probable Remote Improbable X X SIL 3 SIL 2 SIL 1 X SIL 3 SIL 2 SIL 1 L SIL 3 SIL 2 SIL 1 L N SIL 2 SIL 1 L N N SIL 1 L N N N Figure 3 –Agrium Corporate Risk Management Matrix after Incorporation of Safety Integrity Levels 2007 121 AMMONIA TECHNICAL MANUAL .
Figure 4 –Phase I Limited Scope of Work (Example) Figure 5 –Phase II Scope of Work (Example) AMMONIA TECHNICAL MANUAL 122 2007 .
03/05/02 Figure 6 –Cause and Effect Diagram Example (Portion of Secondary Reformer WHB Low Level Trip) Feed Gas F Low S:G Ratio Low Steam F Low Induced Draft P High Fuel Gas P Low Fuel Gas P High Forced Draft P Low Steam Drum L Low Process Air F Low Aux Boiler Flame Out Process Out T High Flue Gas T High + Steam F Low BNO CNO FNO KNO 1 KNO 2 RNO 2 P P P P P P P P P P P P P P P P P P P P P P P P P P Table 1 –Existing Primary Reformer Safety Interlocks and Trips within Agrium Ammonia Plants 2007 123 AMMONIA TECHNICAL MANUAL .Maintain MS System Pressure 1-3 Stop Process Air 1A Protect Process Air Coil 1-4 Protect Air Compressor Stop Primary Reformer Pilot Fuel 1B Minimize Primary Reformer Thermal Cycle 1-1 Stop Gas Turbine Governor Remove Heat Stop Primary Reformer Main Fuel 1C Bypass WHB Protect Boiler 3A Stop Feed Gas Flow 1D 1-2 Conserve Water Open WHB Bypass Valve TV-234 DCS Revisions: 1-5 0 Issued for Review .
Stop Fuel Stop Process Air Open Steam to Air Coil Isolate Methanator Trip Syn Gas Compressor BNO CNO FNO KNO 1 KNO 2 RNO 2 P P P P P P P P P Table 2 –Automated Actions in Response to a Feed Gas Low Flow Scenario within Agrium Ammonia Plants WHB L Low Air:Gas Ratio High Steam FLow + Flue Gas T High Steam:Gas Ratio Low Fuel Gas P Low Fuel Gas P High Firebox P High (draft low) Forced Draft P Low Process Out T High Aux Boiler Flame Out Frequency Personnel Environment Costs / Penalties Risk Level 4 no no C H2 4 no no C H2 3 no no B H2 4 no no C H2 3 D no B H2 3 no no D L 4 D no D M 3 no no D L 2 no no D L 3 C no C M Table 3 –Results of Agrium Risk Analysis on Industry Best Practices AMMONIA TECHNICAL MANUAL 124 2007 .
Glossary of Acronyms ACRONYM DCS DO ESD FEED FMEA GPPLC I/O MTTFs PFD PLC SIL SIS SOE SPLC SRM TTL TMR WHB 1oo1 2oo2 2oo3 DESCRIPTION Distributed Control System Digital Output Emergency Shut Down Front End Engineering Development Failure Mode and Effects Analysis General Purpose Programmable Logic Controller Input / Output Mean Time To Fail (spurious) Probability of Failure on Demand Programmable Logic Controller Safety Integrity Level Safety Instrument System Sequence Of Events Safety Programmable Logic Controller Supervisory Relay Module Transistor Transistor Logic Triple Modular Redundant Waste Heat Boiler 1 Out Of 1 voting decision 2 Out Of 2 voting decision 2 Out Of 3 voting decision 2007 125 AMMONIA TECHNICAL MANUAL .
This action might not be possible to undo. Are you sure you want to continue?
We've moved you to where you read on your other device.
Get the full title to continue listening from where you left off, or restart the preview.