N I TTR
NI R IC
Improved safety system
in a nitric acid plant
The existing alarm and safety
system in a nitric acid plant
in Croatia was replaced by a
new microprocessor-based
system in order to increase
the safety requirements
and to modernise the
production process. The
main task of such a system
is to continuously monitor all
important process parameters
and quickly inform operators
about potential dangers that
could lead to disastrous
consequences and associated
hazards.
Above: Petrokemija nitric acid
plant in Kutina, Croatia.
Nitrogen+Syngas 322 | March -April 2013
C A CI
C D ALAR
T
he nitric acid production process is a
very demanding process from a safety
standpoint. Special attention must be
taken regarding power recovery by the turbo
set and the reactor section. The turbo set is
the mechanical equipment that drives the
air and nitrous oxide compressors. In the
reactor section, there are special precondi-
tions relating to the exothermal reactions
involving the oxidation of a gaseous mixture
of ammonia and air. In order to prevent dis-
astrous consequences and hazards, the
nitric acid production process must be con-
tinuously monitored using control and safety
systems. A control system is considered to
be safety related if it provides functions that
significantly reduce the risk of a hazard,
and in combination with other risk reduction
measures, reduces the overall risk to a tol-
erable level, or if it is required to function,
maintains or achieves a safe state for the
equipment under control.
The project scope
Petrokemija is a fertilizer producer located
in Kutina, Croatia. Nitric acid is produced
in a dual pressure process in two identical
A L AR
AL A R M A N D SAF
ARM SAA FE
F E TY
FETYT SSYS
YS
S TE
TEMM
production lines with an overall production
capacity of 810 t/d of 100 % HNO3. The
original alarm and safety system in the
nitric acid plant at Petrokemija consisted of
a combination of an electrical relay-based
safety system and transistorised alarm
modules. However, over the years, it had
become very unreliable and it was neces-
sary to revamp and upgrade it to a new
microprocessor-based system. The original
system provided the following functions,
which were also required in the new system:
● logic inputs and outputs for the first fail-
ure sequence;
● switching off the motors;
● control using NO (normal open) con-
tacts and alarm signal repetition with
visual and acoustic control.
The existing system was replaced in three
phases: the analysis phase, the imple-
mentation phase, the operation and main-
tenance phase. All three phases were
carried out in accordance with the interna-
tional standard IEC 61508 and IEC 61511
for the functional safety of safety instru-
mented systems.
49
NITRIC ACID ALARM AND SAFETY SYSTEM

Table 1: Main causes and effects for emergency shutdown procedure

Possible causes Effects

Emergency STOP pushbutton in the control room 1. Closing the two electrical solenoid valves at the pipe of the gaseous
ammonia and opening the startup relief valve.
Emergency STOP pushbutton at the local control panel
of the turbo set 2. Closing the extraction valve of the nitric acid from the absorption tower.

Steam turbine overspeed 3. Closing the inlet valve of the quenching water before the steam super
heaters.
Tail gas turbine overspeed
4. The recirculating pump for the steam super heaters is stopped.
Axial displacement of air compressor rotor
5. Emergency shutdown procedure of the turbo set, quick trip, which
Axial displacement of nitrous gas compressor rotor comprises:

Axial displacement of steam turbine rotor 5.1. Closing the steam inlet valve for the steam turbine.

Axial displacement of tail gas turbine rotor 5.2. Opening the relief valve of the air compressor to the atmosphere.

Low pressure of the lubrication oil for the turbo set 5.3. Opening the relief valve of the nitrous gas compressor to the
atmosphere.
Low pressure of the vacuum in the steam turbine
condenser 5.4. Closing the inlet valve for the tail gas turbine.

Low temperature of the tail gas before the DeNOx reactor 5.5. Opening the bypass valve of the tail gas turbine to relieve it.

Low temperature of the tail gas after the tail gas turbine 6. Closing the control valve of the liquid ammonia for the DeNOx system

Fig 1: ESD and alarm system configuration Defects and safety effects in
production
ES/OS OS
operator & engineering station operator station Two different sets of defects were recog-
nised at the Petrokemija plant. Defects
I represents the most serious defects in
production, after which the emergency
shutdown procedure for the whole process
(turbo set and process unit) must be con-
ducted as soon as possible. In the case of
the defects II, the process unit must first
be shut down, while the power recovery
with the turbo set may remain operational
for three minutes to ensure the proper blow
down procedure for all parts of the equip-
industrial ethernet ment and pipes in the nitric acid production
redundant process unit. Both defects I and II result
in the corresponding safety effects in the
AS41 7 H /F
production: the protection of process equip-
ment and process staff in order to avoid
possible hazardous situations. Table 1
shows the main causes and effects of
the emergency shutdown sequence and
ET200M failsafe
DP (redundant)

Table 2 lists the same for the normal

shutdown sequence. Each cause will auto-
standard

ET200M matically and simultaneously trigger all the

effects that are listed in the right-hand col-
ET200M umn of the Tables 1 and 2.
In addition to the already mentioned
PROFIBUS
-

ET200M signal safety causes and effects, there are further

alarm states, trips and interlocks for proc-
ess parameters that trigger an alarm as
a preliminary warning so the operator can

50 Nitrogen+Syngas 322 | March - April 2013

 NITRIC ACID ALARM AND SAFETY SYSTEM

Table 2: Main causes and effects for normal shutdown procedure

Possible causes Effects

Very high level of liquid ammonia in the ammonia 1. Closing the two electrical solenoid valve at the pipe of the gaseous
evaporator ammonia and opening the startup relief valve
High pressure of the gaseous ammonia after ammonia
evaporator 2. Closing the extraction valve of the nitric acid from the absorption tower.

Low pressure of the air for the oxidation with the
gaseous ammonia
Malfunction of the boiler feed water recirculation in the
water jackets of the burners
Malfunction of the recirculation of the boiler feed water
in the boiler
Very high level of the nitric acid in the separator before
the inlet of nitrous gas compressor
Low pressure of the cooling water
Low pressure of the instrumental air
3. Closing the inlet valve of the quenching water before the steam super
heaters.
4. Stop of the recirculation pump for the steam super heaters.
5. Normal shutdown procedure of the turbo set after 3 minutes, slow trip,
which comprises:
5.1. Closing the steam inlet valve for the steam turbine.
5.2. Opening the relief valve of the air compressor to the atmosphere.

High temperature of the catalytic gauzes

5.3. Opening the relief valve of the nitrous gas compressor to the
Failure of the electrical power atmosphere.
Normal STOP pushbutton in the control room
5.4. Closing the inlet tail gas turbine.
Normal STOP pushbutton at the local control panel of
turbo set
5.5. Opening the bypass valve of the tail gas turbine to relieve it.
Low temperature of the tail gas before the DeNOx reactor
Low temperature of the tail gas after the tail gas turbine 6. Closing the control valve of the liquid ammonia for the DeNOx system.

take the necessary action to prevent an
unexpected shutdown. The possible alarm
states, trips and interlocks are listed in
Table 3. They refer to both production lines.
Determination of safety instrumented
functions and safety integrity level
One task when analysing all of the possi-
ble hazardous process states in the nitric
acid production at Petrokemija, was gen-
erating the logic diagram that determines
the recognised causes and consequen-
tial safety protection effects of the safety
equipment and devices. The logic diagram
represents every possible hazardous state
listed in Tables 1 and 2. These possible
causes are entered in an interactive digital
logic simulator CEDAR LS in order to verify
the correctness and functionality of the
logic diagram.
Other tasks included the identification
of the safety instrumented functions and
determining the safety integrity level by
using the risk graph technique in a sys-
tematic team approach. With the help of
the risk graph technique the safety instru-
mented functions as shown in Table 4
have been identified.
It can be concluded that the safety
integrity level is 1, which means that the
probability of the failure on demand is
between 10-2 and 10-1 per year with a
risk reduction factor of between 10 to 100.
Decision for a new process control
and safety system
The SIMATIC PCS 7 process control and
safety system was chosen to replace the
old Praxis electrical relay safety and tran-
sistorised alarm system.
The new SIMATIC PCS 7 alarm and
safety system from Siemens combines
the functionality of a classic distributed
control (DCS) and logical systems in a
common hardware and software platform
with integrated engineering tools and oper-
ator interface. Thanks to SIMATIC Safety
Matrix, it meets safety standards up to
Safety Integrity Level 3 (SIL3) according to
IEC 61508 and IEC 61511.
The system comprises (see Fig. 1)
one redundant central controller SIMATIC
AS 417-FH with integrated safety func-
tion, four SIMATIC ET200M I/O racks with
redundant PROFIBUS DP interface, indus-
trial Ethernet (system bus, terminal bus),
and operator interface in the form of the
combined operator/engineering station
and operator station. It is supplied from
a new UPS.
All the process safety conditions have
been implemented in the SIMATIC Safety
Matrix, which is the basis for the new
alarm and safety system. The key condi-
tion was the recognition of the first alarm
responsible for the shutdown sequence,
regardless of whether it is an emergency
or normal shutdown procedure.
The SIMATIC Safety Matrix was config-
ured as engineering (ES) and operator sta-
tion (OS). Siemens implemented the cause
and effect method defined by the Ameri-
can Petroleum Institute in the API RP 14C
guideline and safety standards in accord-
ance with IEC 61508 and IEC 61511 pro-
viding functional safety up to SIL 3.
The operator interface was defined in
the form of the process diagrams, alarm
and working groups. The standard and
failsafe I/O modules for the digital/analog
inputs/outputs of the process variables,
including EX protection were installed in
the four Simatic ET200M I/O racks. Finally
the new system was connected to all proc-
ess safety equipment in the field, includ-
ing new solenoid valves, where the control
voltage has been changed from 380 V to
24 V or 220 V.

Nitrogen+Syngas 322 | March - April 2013 51

NITRIC ACID ALARM AND SAFETY SYSTEM

Table 3: This list shows the alarm states, interlocks and trips for common situations in both production lines

Possible alarms, trips and interlocks Processing alarms, trips and interlocks

Low and high level of the liquid ammonia in the ammonia evaporator Audible and visual alarms with the necessary
information such as:
Low temperature of the gaseous ammonia after ammonia evaporator

High temperature of the high pressure steam after super heater 1. alarm condition

Blocked oil filter in the oil system for the turbo set 2. part of the plant affected
High temperature of the oil in the oil system for the turbo set
3. description of the required action
High level of condensate in the steam turbine condenser
4. alarm priority
Low pressure of the instrumentation air
Low temperature of the catalytic gauzes in the burners 5. time of the alarm
Low and high level of the boiler feed water in the steam drum
6. status of the alarm
Low and high level of the nitric acid in the bleaching tower
7. grouping and first-up alarms
Low level of the nitric acid in the oxidation tower
8. has priority over lower grade alarms (e.g. the
High level of the nitric acid in the separator at the inlet of the nitrous gas
high alarm is suppressed when a high-high
compressor
alarm is received)
Low and high level of the nitric acid in the absorption tower
Low and high level of the nitric acid in the condenser of the weak nitric acid 9. suppression of the out of service plant alarms

Low volume flow of the de-mineralized water for the absorption tower 10. suppression of the selected alarms during
certain operating modes
Low pressure of the high and low pressure steam

Low level of the boiler feed water in the reactor 11. automatic load alarm, load shedding and
shelving
Low and high level of the nitric acid in the storage reservoirs for the nitric acid

Malfunction of the boiler feed steam pump

Malfunction of the nitric acid pump for the end users

Malfunction of the nitric acid circulating pump through the oxidation tower

Malfunction of the extraction pump for the weak nitric acid from the condenser of
the weak nitric acid

Malfunction of the extraction pump for the condensate from the condenser of the
steam turbine

Malfunction of the boiler feed water circulating pump

Malfunction of the nitric acid circulating pump through the absorption tower Easy
Malfunction of the de-mineralized water pump for the absorption tower engineering
with Simatic
Low and high temperature of all other process parameters involving all process PCS 7
streams (air, ammonia, nitric acid, steam, etc.)

Table 4: Values of the determined safety instrumented functions in the nitric acid production at Petrokemija

Category of the safety instrumented function Description

The consequential severity of the accident being C2 Injury or occupational illness but no lost time
prevented

The pre-safeguard likelihood of the accident W4 Expected to occur frequently (for example, once a month)

The presence in the hazardous zone F1 Rare to more frequent exposure in the hazardous zone

The probability of avoiding the hazardous event P1 Possible under certain conditions

52 Nitrogen+Syngas 322 | March - April 2013

 NITRIC ACID ALARM AND SAFETY SYSTEM
A final dedicated testing and
training phase
The implementation was followed by test-
ing according to Tables 1 to 3, realised
according to the guidelines for alarm
systems such as EEMUA 191 and CHID
Circular CC Tech safety 9 and finally the
SIMATIC Safety Matrix. The upgrade was
successfully concluded with a training and
introduction course for the process staff
(a team of 20 operators). From the very
beginning, the system operated without
any malfunctions.
The complete project, from the analy-
sis phase through commissioning and
validation to training and implementation,
took approximately one year, and was
completed in January 2011. It was mainly
carried out by the process and main-
tenance staff of Petrokemija. Siemens
Croatia supported the migration and safe
commissioning.
A well-structured project, good engi-
neering practice of the teams and required
safety integrity level meant that the
upgrade of the alarm and safety system
in the nitric acid production at Petrokemija
went smoothly.
Further, this project formed the basis
for the replacement of the existing pneu-
matic control system and for improve-
ments in the DeNOx system as well as in
trending and reporting.
54
Above: Petrokemija nitric acid
plant in Kutina, Croatia.
Right: The absorption tower in
Petrokemija’s nitric acid plant
in Kutina, Croatia
“The selected alarm and safety system
is based on the SIMATIC Safety cause &
effects matrix. This method has proven
to be an extremely effective option for
describing safety functions and for defin-
ing marginal and shut down conditions,”
says Mr. Nenad Zecevic, Head of DUKI 1,
Petrokemija.
“With the upgraded alarm and safety
system, improved safety measures have
been implemented in the production of
nitric acid at Petrokemija, and it has cre-
ated the basis for further improving the
production process in the form of better
analysis of the safety issues,” added Mr.
Ivan Hoško, Lead Automation Engineer
DUKI 1, Petrokemija. ■
Acknowledgement
This text is based on the article of Nenad
Zečević, Ivan Hoško and Sven Pavlaković
published in Kemija u industriji: N. Zečević,
I. Hoško, S. Pavlaković, Nitric acid revamp
and upgrading of the alarm and protection
safety system, Kem. Ind. 61 (4) (2012)
205–214.
Nitrogen+Syngas 322 | March - April 2013