UPGRADING AMMONIA PLANT

EMERGENCY SHUTDOWN SYSTEMS

An Emergency Shutdown systems (ESD) is the last line of defense for safe operation of an ammonia
plant. They are expected to provide coverage in case of equipment failure, process upset or human
error. Essentially these systems are expected to bring the plant to a predefined safe state through a set
of logical actions on fulfillment of certain conditions i.e. process variable going to a safety high risk
zone.This paper shares the experience of upgrading an old and obsolete pneumatic shutdown system
of a 1970 vintage ammonia plant to state of the art Triple Modular Redundant (TMR) electronic
system. It also covers the experience of adding new shutdown securities at furnace, compressor along
with upgrading of control systems to avoid high hazardous events.

Syed Salman bin Aslam

Engro Chemical Pakistan Ltd., Pakistan

Introduction to Engro Chemical of aligning itself with DuPont Safety Resources. Earlier
it used to follow Exxon systems. The TRIR (Total Re-

E ngro Chemical Pakistan limited is the sec-

ond largest manufacturer of Urea N46 in
Pakistan. The manufacturing site is located
in a small rural town of Pakistan known as Daharki
which is 600 km north of famous port city of Karachi.
cordable Injury Rate) is below 1.0 for last twenty years.

Manufacturing Site history

The site was setup in 1965 after discovery of vast re- The Company's original plant was commissioned
sources of natural gas in vicinity and was named as on December 4, 1968, and since then, except for short
Esso Chemical Pakistan, which was later named as maintenance shutdowns, the plant has been in continu-
Exxon Chemical Pakistan. In 1991 Exxon decided to ous operation. The initial capacity was increased from
divest its equity from global fertilizer manufacturing. 173,000 to 268,000 tons per annum till 1993.
At that time Pakistan based employees of Exxon along
with reputable international investors decided to pur- In 1993, Engro relocated Bechtel design Ammonia
chase major share holding. Exxon’s patent of “Engro” and a TOYO Total Recycle Urea plants from USA and
was also a part of the deal. We elaborate the name En- UK respectively and increased its capacity to 600,000
gro as Energy for Growth. tons per year. In 1995, the capacity was expanded to
750,000 tons per year. In 1998 urea production capacity
The company gives highest value to Safety and be- was increased from 750,000 to 850,000 tons along with
lieves that first dimension of growth is Safe Operations an overall energy efficiency of 7%. Further to this other
of all business activities and is currently in the process projects were implemented which have increased en-

AMMONIA TECHNICAL MANUAL 254 2004

ergy efficiency by another 5%. All these projects were
im-plemented on schedule without a single LWI (loss The following section will discuss trip system of
work day injury) Ammonia plant only.

Daharki site is currently operating one 1550 MTPD

steam reforming ammonia plant and two Toyo Design Requirement of a Shutdown System
Urea plants of combined capacity of 2700 MTPD.
Hazards of an ammonia plant & their classifi-
Overall Project Background cation/mitigation

Engro place safety ahead of all its business activi- An ammonia plant is classified as a High Hazard-
ties, therefore along with capacity expansions it was felt ous Industry by OSHA guidelines. Major reasons are
necessary to improve the plant’s control and trip sys- handling of extremely flammable hydrogen and highly
tems. The relocated plants had old pneumatic instru- toxic ammonia. Engro’s ammonia plant uses steam re-
mentation, which had number of reliability issues apart forming process identical to the Haber process for
from being obsolete. With both the control and trip sys- manufacturing ammonia.
tems the risk associated with continued operation were
high. The ultimate risk with control could be downtime The furnace, compressors, gas turbine, steam tur-
but for trip systems it can be a disaster. bines, absorption/de-sorption and catalytic conversion
are the major process units. Each unit has its own safety
In the relocated plants many independent trip and business associated risks. Identification of hazards
valves (Exxon Safety requirement) were missing i.e. is the first element followed by its potential/ probability
control valves were sharing the purpose as trip valves of occurrence with ultimate assignment of the appropri-
as well. New trip valves were provided before commis- ate risk classification. Normally the hazards are classi-
sioning. Additionally many interlocks were still not fied for potential safety threat or potential business
provided at the time of relocation. threat. The technique used for process hazard analysis
can be HAZOP, HAZAN, PHA or pure common sense
In 1995, after bitter experiences of secondary re- thru brain storming sessions. Essentially the skill level
former effluent waste heat boiler failure’s it was felt of multidiscipline team and its training to carry out a
necessary to reduce human dependence i.e. to improve perfect job is key to proper hazard identification which
interlocks and provide highly reliable automatic fail will become basis for all future work.
safe shutdown coverage. As increasing interlocking on
ob-solescent pneumatic systems was a nightmare, a In Engro a simple matrix was developed initially to
deci-sion was made to invest in the field of automation identify potential hazards based on brain storming ses-
and control. sions of knowledgeable individuals. This matrix then
became the base line document. Further more for quan-
A road map was developed which included control tification purposes the HAZOP technique based on
system as well as trip system upgrading in phases. Con- Exxon’s guidelines was used to expand the trip securi-
trols were shifted to the already installed Honeywell ties horizon.
Micro TDC system, which was upgraded further to han-
dle increased requirements of the ammonia plant. For One such matrix is shown in Figure-1 which covers
the Urea plants the Elsag Bailey Infi-90 was adopted the ammonia plant furnace only.
for the control system. As Process Safety Management
systems followed by Engro requires independent trip
system, regardless of electrical isolation therefore for Human factor & requirement of a shutdown
the trip system of ammonia plant, an ABB August TMR system
system was purchased. The improvement of the trip
system was divided in three major phases for ease of 1. 1 The time required to respond to an emer-
implementation. Two of these phases have been imple- gency may be insufficient for human reac-
mented in 1998 and 2002. The third one is planned for tion
2005.

2004 255 AMMONIA TECHNICAL MANUAL

 2. 2 Humans by their nature are prone to line of defense should be capable of providing SIL-3
lsose judg-mental efficiency with increase (Safety Integrity Level) availability i.e. 99.999% avail-
in tension of an emerg-ing emergency. ability
3. 3 This efficiency is also affected by the
fact that tripping a plant manually means Engro at the time of selection of a modern system
interruption of business for which they considered following
may be questioned. 1. Real time processing / Self bug detection
4. 4 Judgment varies from human to human and elimination
based on intellect as well as experience 2. Redundancy (sensor, processor and power)
5. 5 Management does delegate plant tripping to en-sure that trip system is available
author-ity to responsible individuals in op- when needed at opti-mum cost
erating units, based on a concept that “It is 3. Self diagnostics routines
possible to start a plant after nuisance trip 4. Capability to record events with small du-
but it is not possible to start a plant after ration time spans in magnitude of millisec-
substantial damage”. onds
5. Expandability to incorporate future modi-
The above necessitates an emergency shutdown fications
system. Engro Chemical had the bitter experience of 6. Easy configuration and testing
dry out operation of the secondary reformer waste heat 7. Minimum possible hardware addition
boiler which resulted in substantial damage. The inci-
dent occurred due to above factors. This became one of Based on above guidelines ABB August TMR (Tri-
the justifications for an elaborate automatic shutdown ple Modular Redundant) system was selected. Triple
system. Modular Redundant concept has been derived from the
fact that
Old and obsolete pneumatic relay based sys- 1. Probability of failure of one module will
tem not im-pact continued operation
2. Failure of another module will push system
As mentioned earlier the plant which was relo- to de-cide on its own to run the plant or let
cated from Cheveron Pascagoula had pneumatic sys- it go to fail safe condition
tems. There were some trip instrumentation available, 3. Interlaced communication to ensure that
however it was not interlocked. In ammonia plant alone each module scrutinize the activity of other
more than 200 pneumatic relay gates were used to build modules
a highly unreliable trip system. Maintaining these to 4. 2-out-of-3 voting logic on sensor level
high availability levels was extremely difficult. With
time, obsolescence was becoming another cause of
great concern to plant management. Conversion from Pneumatic to Electronic

A serious shortcoming was that the health of system The conversion from pneumatic hardware to elec-
was not known on-line. A failure of one or more de- tronic had histories of learning. Although a good
vices/pinching of tube in huge logic gate circuit could change, it had the potential to go wrong. This can be at-
have remained un-noticed resulting in failure of the sys- tributed to wrongly selected hardware, wrongly con-
tem to perform when it was required. This aspect be- figured software and many more possibilities. Another
came another basis for an elaborate automatic shut- thing of consideration was the operability and mainte-
down system with self diagnostic features. nance requirements. Training of individuals becomes
the most important point. Pneumatic systems are always
good w.r.t. to training due to trace-ability. However,
electronic systems are difficult w.r.t. to taggings and
Modern trip systems trace-ability.

In the modern era computers have become powerful Owing to the opportunity of change over, there was
enough to be used in high reliable services. As per ISA the opportunity to include new securities as mentioned
guideline S84-01 such trip systems which are the last above.

AMMONIA TECHNICAL MANUAL 256 2004

 sepa-rator level sensors were improved from DP cells to
float transmitters. In the past the DP cells on these ser-
New Securities / Additional protection vices resulted in a few nuisance trips i.e. creation of an
event which may lead to some safety issue, had the trip
The plant relocated from Pascagoula as mentioned system not performed well.
earlier didn’t have the interlocks which are necessary to
bring the plant to fail safe position. Additionally many Trip design and testing
securi-ties were not present as well such as
1 Furnace Steam to Gas ratio trip Designing an appro-priate trip system sequence is
2 Furnace low draft imperative in the overall scheme of things. Interlocks,
3 WHB steam drum low level time delays, bypasses, overrides and trip logic’s have to
4 Furnace coils protection w.r.t. BFW circulation be defined up-front. An exercise of this sort should be
etc. conducted by a multi-disciplinary team of Operations,
5 CO2 removal system protections Process & Instrument interfaces. Competence of this
team is also essential, and it is good to have people of
These securities were added to the existing ones experience above 10 years preferably in different indus-
and the resulting system was much more adequate to tries.
provide overall protection.
Using a few senior board men , of experience above
Appropriate time delays were provided in the above 15 years and known to have handled many emergencies
securities based on in-house calculations, system re- effectively at plant, to support to this team work will
sponse and industrial networking. improve the working to the best possible levels.

Interlocking was also suggested as additional pro- In Engro we used below mentioned strategy to de-
tection. A good trip system is essential for mitigation of velop an automatic trip system. The steps followed for
hazard, however it is imperative to avoid these hazard its development were
in first phase. 1. Development of appropriate team of opera-
tions, process and instrument engineers
2. Identification of potential hazards and their
Avoiding potential Hazards through im-proved ap-propriate classification based on brain
control storming ses-sions/HAZOP & PHA tech-
nique
In an operating plant hazards are caused by either 3. Human factor study w.r.t. judgement and
mechanical reasons, loss of proper control or human er- time available to respond
ror. A number of these hazards can be minimized by se- 4. Suggestions for addition or deletion of se-
lection of proper control system. A control system may curities based on own experience and in-
fail itself to create nuisance tripping thru trip system, dustrial networking
which may be considered as inherently more safer. 5. Improvement of control system to avoid a
However failure can also cause the control system to par-ticular event
move the process away from trip protection. 6. Consideration of physical constraints of an
old plant, especially w.r.t. drilling new
In Engro the approach taken was to eliminate the holes for new sen-sors in old vessels
cause which could lead to a potential hazardous event. 7. Time delays in trip security actuation to
Plant trip history data was used to analyze the operating avoid nuisance trips. A minimum of 0.5
data of over 10 years of operation in Daharki. Based on seconds time delay is adopted even if proc-
this database, certain strategies were developed and ess simulations do not allow for more time
shared with management after industrial networking as delay. This is adopted to avoid nuisance
well. trip-ping due to noise.
8. Interlocks and bypasses
This became the basis to improve the hardware for 9. Development of one-line diagram for im-
the control system especially on sensors part. The syn- plemen-tation in phases
thesis compressor seal oil bottles and the ammonia

2004 257 AMMONIA TECHNICAL MANUAL

 10. Scrutinizing the process thru multi- What can go wrong
disciplinary team and refinement after re-
cycling with experienced board men Some of the lessons learned through implementa-
tion are narrated below
The result from above activity is the final one-line 1 Field related modifications w.r.t. addition of pri-
diagram with inputs from relevant interfaces for further mary sensors is a critical item. Many a times it can be
work. The approvals were taken from functional man- overlooked resulting in inappropriate resource manage-
agement as well as plant management. ment. Mechanical teams, if not sensitized properly may
not pay due attention to the job which appears simple,
No system can work effectively if the thoughts of small bore piping. In Engro primary reformer steam
so many people have not been translated properly in transmitter with a ¾ inch tap leaked during commis-
“Lad-der Logic”. Once above activity was completed sioning due to lack of proper supervision and quality
the re-quirements were passed on to the Trip system checks. They had the potential of wrong indication on
vendor, who developed the logic and MMI (Man Ma- all three transmitters, which were supposed to work on
chine Inter-face) screens. No matter how smart this de- 2-o-o-3 logic.
velopment team is, it is imperative that the testing of 2 It is good to have prefabrication done in advance,
such super critical system should be audited. Nothing is however some low bore diameter flanges have the po-
better in terms of auditing than “Full Fledged Dummy tential of surprise when being opened. In Engro this
Testing” i.e. giving dummy process signals from pri- happened with one of the synthesis gas compressor seal
mary sensing elements (Transmitters) and seeing ac- oil tapping flange, where the installed one was RT vs.
tions of Final Trip Elements (mostly trip valves) in RF as per piping code. A SS spacer was fabricated to be
field. installed between the two flanges during execution.
3 The system vendor may not be able to co com-
See Figure 2 for the Primary Reformer Trip MMI prehend the severity of service and its implications on
screen. Each security has its own bypass which is man- the overall site reliability. This means that the owner
aged in another screen. Each trip logic has its own by- has to be cautious in implementing suggestions and has
pass for overriding Security actions. Normally these are to audit to the extreme levels of reliability and permuta-
not used in normal operation. Logic’s can be operated, tions.
reset and bypassed from MMI screens as well as Hard 4 Operators will not be able to train themselves to
Key panel. new changes. Management has to arrange training ses-
sion and nothing is better than on-the-job training,
See figure 3 for picture of this Hard key panel. which can be implemented in turnaround only. Opera-
tors should be encouraged to play with system bypass,
All possible combinations & permutations of by- reset and other options by disconnecting field devices
passes, sets of transmitters and many more are used to through some fuses etc. This activity will ensure that
test the system and its performance. during training if some unknown combination is tested,
a surprise may not be experienced in future.
A checklist is used to monitor the activity, which
may consume many days from turnaround and in re-
volving shifts. One such sample is appended in Figure Experience with operation
4. The experience of change over from old pneumatic
system to new electronic system was full of challenges
Another factor which needs to be tested w.r.t. sys- and unknown surprises. Proper project management,
tem is its performance / fall backs on predefined auditing and testing are keys to minimize these sur-
scheme i.e. on failure of two processor system should prises. Since 1998 the system has been working well
either run or go to fail safe position. With interruption with no failure and malfunctions. It is considered to be
of field devices power system should go to trip state the last line of defense and operators do know that if
and on restoration should stay in trip state etc. These they can’t control plant in an upset, ESD system will
checks are the ones shown in Figure 5. bring it to fail safe condition for safe re-start.

AMMONIA TECHNICAL MANUAL 258 2004

About the Author Ammonia unit. ESD phase-2 designing was his major
responsibil-ity. HYSYS and HTFS are other areas of
Syed Salman bin Aslam is a professional chemical expertise. Since end 2003 he is looking after another
engineer. He got his B.Sc. degree in chemical engi- expansion project of Engro called ENCAP as process
neering from University of Engineering and Technol- section head.
ogy Lahore in 1995 with first position in all four years
of studies. He has worked as Operations engineer of
Engro Ammonia-2 plant for four years in which he im-
ple-mented phase-1 of ESD project and TDC control
system
upgrade project, then he was assigned to revamp
Safety critical system and later transferred to Urea-2
plant as shift engineer. After another year he was as-
signed the responsibility of Shift coordination and then
as a day engineer assisting unit manager and Production
man-ager. Since 2001 he is working in process engi-
neering as Sr. Process Engineer providing contact engi- .
neering support and project management services to

Figure 1

2004 259 AMMONIA TECHNICAL MANUAL

 Figure 2

Figure 3

AMMONIA TECHNICAL MANUAL 260 2004

 Figure 4

Figure 5

2004 261 AMMONIA TECHNICAL MANUAL