OISD-STD-152

Second Edition
FOR RESTRICTED CIRCULATION ONLY

SAFETY INSTRUMENTATION
FOR
PROCESS SYSTEM
IN
HYDROCARBON INDUSTRY

OISD - STANDARD - 152

Second Edition, October 2010

Oil Industry Safety Directorate

Government of India
Ministry of Petroleum & Natural Gas

<< Back Home Next >>

 OISD-STANDARD-152
Second Edition

FOR RESTRICTED CIRCULATION ONLY

SAFETY INSTRUMENTATION
FOR
PROCESS SYSTEM
IN
HYDROCARBON INDUSTRY

Prepared by:
COMMITTEE ON
PROCESS INSTRUMENTATION, MAINTENANCE & INSPECTION

OIL INDUSTRY SAFETY DIRECTORATE

NEW DELHI HOUSE, 7th FLOOR
27,BARAKHAMBA ROAD
NEW DELHI - 110 001.
 NOTES

OIL INDUSTRY SAFETY DIRECTORATE publications

are prepared for use in the Oil and gas industry under Ministry of
Petroleum and Natural Gas. These are the property of Ministry
of Petroleum and Natural Gas and shall not be reproduced or
copied and loaned or exhibited to others without written consent
from OISD.

Though every effort has been made to assure the

accuracy and reliability of data contained in these documents,
OISD hereby expressly disclaims any liability or responsibility for
loss or damage resulting from their use.

These documents are intended only to supplement and

not replace the existing statutory requirements.
 FOREWORD

# 1 The Oil Industry in India is nearly 100 years old.

Because of various collaboration agreements, a variety of
international codes, standards and practices have been in
vogue. Standardisation in design philosophies and operating
and maintenance practices at a national level was hardly in
existence. This, coupled with feed back from some serious
accidents that occurred in the recent past in India and abroad,
emphasized the need for the industry to review the existing state
of art in designing, operating and maintaining oil and gas
installations particularly using sophisticated instrumentation.

# 2 With this in view, the Ministry of Petroleum & Natural

Gas, in 1986, constituted a Safety Council assisted by Oil
Industry Safety Directorate (OISD), staffed from within the
industry, in formulating and implementing a series of self
regulatory measures aimed at removing obsolescence,
standardising and upgrading the existing standards to ensure
safe operations. Accordingly, OISD constituted a number of
Functional Committees of experts nominated from the industry
to draw up standards and guidelines on various subjects.

# 3 The present document on “Safety Instrumentation

For Process System in Hydrocarbon Industry’ is prepared by the
Functional Committee on “Instrumentation”. In the revised
standard of second edition, the marketing and pipeline
installations have been excluded .This document is based on the
accumulated knowledge and experience of Industry members
and the various national and international codes and practices. It
is hoped that provisions of this document when adopted, may go
a long way to improve the safety and reduce accidents in oil and
gas Industry. Users are cautioned that no standard can be a
substitute for a responsible, qualified Instrumentation Engineer.
Suggestions are invited from the users after it is put into practice
to improve the document further.

# 4 This standard in no way supersedes the statutory

regulations of CCE, Factory Inspectorate or any other statutory
body which must be followed as applicable.

Suggestions for amendments, if any, to this standard

should be addressed to:

The Co-ordinator,
Committee on
“Process Instrumentation, Maintenance & Inspection”
Oil Industry Safety Directorate,
th
NEW DELHI HOUSE, 7 FLOOR
27,BARAKHAMBA ROAD
NEW DELHI - 110 001.
.
 COMMITTEE
ON
PROCESS INSTRUMENTATION, MAINTENANCE AND INSPECTION

LIST OF MEMBERS

---------------------------------------------------------------------------------------------------------------------------------
Name Designation / Organisation Status
---------------------------------------------------------------------------------------------------------------------------------
S/Shri

S. Raghuraman Sr. Manager (Inst.), EIL Leader

K. G. Nair Ch. Inst. Manager, IOCL Member

V.K. Agarwal DGM (Tech.) BPCL Member

C. S. Osman Chief Manager (Inst.), MRL Member

R. D. Shira Sr. Maintenance Manager, BRPL Member

A. Majumdar DGM (Inst.), ONGC Member

S. Rammohan Sr. Manager (Inst.), GAIL Member

R. Murlidharan Manager (M & I), IOCL Member

G. R. Rana Joint Director, OISD Member

V. M. Ranalkar Dy. Director, OISD Member

Co-ordinator.
---------------------------------------------------------------------------------------------------------------------------------
In addition to the above several experts from industry contributed in the preparation, review and
finalisation of the document.
 COMMITTEE
ON
PROCESS SAFETY INSTRUMENTATION

LIST OF MEMBERS (second edition)

--------------------------------------------------------------------------------------------------------------------------------
Name Designation / Organisation Status
---------------------------------------------------------------------------------------------------------------------------------

S/Shri
N.Rajkhowa General Manager (POSD), EIL Leader

M.B.Gohil GM (Project Development), GAIL Member

Member

S.S. Maji General Manager, Essar Oil Limited Member

Y.B. Sonar DGM (Instrumentation), ONGC Member

U.K. Bhomick Chief Manager (S&EP), IOCL (R) Member

A. Chakravarty Chief Manager (Project), IOCL(R) Member

G.K. Dey Addititional Director (CHT) Member

V.Vasant kumar Chief Manager (Process), CPCL Member

Kaushalendra Kumar Chief Manager (T&I), IOCL (PL) Member

Girish Kumar Borah Sr. Manager (Instrumentation), NRL Member

Bimlesh Gupta Manager ( Operations), NRL Member
M.John Mathews Sr. Manager (Process), Kochi – BPCL Member.
Ashok Simon Sr. Manager (Instru. Maint), Kochi – BPCL Member
S.V. Bagul Manager ( Instru. Maint.), HPCL Member
R.Arul Manager ( Instrumentation) Member
P.Kulshreshtha Additional Director ( Process), OISD Coordinator
---------------------------------------------------------------------------------------------------------------------------------
In addition to the above several experts from industry contributed in the preparation, review and
finalisation of the document.
 SAFETY INSTRUMENTATION FOR
PROCESS SYSTEM IN HYDROCARBON INDUSTRY

CONTENTS
------------------------------------------------------------------------------------------------------------------------
SECTION DESCRIPTION PAGE NO.
------------------------------------------------------------------------------------------------------------------------
1. INTRODUCTION

2. SCOPE

3. DEFINITIONS/ BRIEF DESCRIPTIONS

4. SAFETY INSTRUMENTATION
FOR PROCESS EQUIPMENT & SYSTEMS

4.1 GENERAL PHILOSOPHY

4.2 CRITICAL PROCESS EQUIPMENT & FUNTIONS
4.2.1 SEPARATORS
4.2.2 GAS DEHYDRATOR
4.2.3 ELECTROSTATIC DESALTER
4.2.4 DISTILLATION COLUMNS
4.2.5 PROCESS HEATERS
4.2.6 HDS REACTOR
4.2.7 HYDROCRACKING UNIT
4.2.8 PROCESS GAS COMPRESSOR
4.2.9 FCC REACTOR/REGENERATOR
4.2.10 FLARE GAS SYSTEM
4.2.11 STORAGE TANKS
4.2.12 AIR COMPRESSORS
4.2.13 TURBINES
4.2.14 LPG STORAGE AND BULK LOADING
4.2.15 COKE CHAMBERS
4.2.16 SULPHUR RECOVERY UNIT

5.0 SIS IN PETROCHEMICALS

5.1 CRYOGENIC STORAGE
5.2 EXPANDER-COMPRESSOR
5.3 GAS CRACKER UNIT

6.0 RECOMMENDED PRACTICES

7.0 REFERENCES

ANNEXURE-1 Process Control and Safety Instrumented System – a Comparison

ANNEXURE-2 Details on LOPA (Layer of Protection Analysis)
ANNEXURE-3 SIL Determination- An overview
-----------------------------------------------------------------------------------------------------------------------
 LIST OF THE FIGURES ATTACHED
--------------------------------------------------------------------------------------------------
Figure No. Description Page No.
--------------------------------------------------------------------------------------------------
1 Relationship between HAZOP and LOPA Information
2 Instrumentation in a typical process plant
3 Safety Instrumentation for Separator
4 Safety Instrumentation for Separator (downstream processing)
5 Safety Instrumentation for Gas Dehydrator
6 Safety Instrumentation for Crude Distillation Column
7 Safety Instrumentation for Process Heater
8 Safety Instrumentation for Combustion Air System
9 Safety Instrumentation for HDS Reactor
10 Safety Instrumentation for Hydrocracker
11 Safety Instrumentation for Dump Valve in Hydrocracker
12 Safety Instrumentation for Process Gas Compressor
13 Safety Instrumentation for Fluidized Catalytic Cracker
14 Safety Instrumentation for Flare Gas System
15 Safety Instrumentation for L.P.G Sphere
16 Safety Instrumentation for Coke Chamber
17 Safety Instrumentation for Sulphur Recovery unit
18 Safety Instrumentation for Cryogenic storage
19 Safety Instrumentation for Expander - Compressor
20 Safety Instrumentation for Gas Cracker Furnace

----------------------------------------------------------------------------------------------
 SAFETY INSTRUMENTATION FOR PROCESS SYSTEM
IN HYDROCARBON INDUSTRY

1.0 INTRODUCTION of various processes. The document covers

areas including process operations in
Newer technologies, process integration, onshore production facilities, gas processing
major expansions, requirements to meet units, refineries and petrochemical process
improved quality products, yields & plant plants.
capacity optimisation and stringent
environment considerations have made the However, marketing and pipeline
process operations very complex and installations, cross country pipeline, entire
increasingly risk prone. Safety Instrumented offshore facilities, onshore transportation
System (SIS) takes the process & operation facilities for gas & crude from oil field or the
to safe state in case of operational upsets, well head have been excluded from the
process abnormality and emergency. This scope.
standard lists the safety instrumentation as
minimum required for selected processes & 3.0 DEFINITIONS / BRIEF DESCRIPTION
operations for consideration of those
associated with design, operation and 3.1 Hazard: Potential Source of harm / accident
maintenance of refineries, gas processing & 3.2 HAZOPS: Hazard and Operability Study is a
petrochemical plants and associated systematic qualitative method to identify
pipeline installations. potential hazards and operability problems
due to deviations in system parameters from
Safety Instrumented System (SIS) is normal design intent. At project stage, the
required for the process & operations where appropriate time for HAZOP study is when
the mechanical integrity of the process P&IDs are frozen. However, for an existing
equipment, control system and other installation in operation, HAZOP study
protective devices are not adequate to should be done whenever changes from
mitigate the potential hazard. In this design case like procedural changes,
standard, reference has been taken from modification or higher throughput occurs.
International Standards like IEC 61508, Providing a better understanding of the
ANSI/ISA S 84.01 or equivalent to include plant, HAZOPS helps in predictive
the best engineering practices in SIS. evaluation of events that have never
occurred.
It is not intended that requirement of this 3.3 Risk: It is the combination of the likelihood
standard should be applied rigidly to existing of an accident with the severity of potential
premises where for a variety of reasons, it consequences. It is possible to make
may not be practicable to comply with. This quantitative risk assessment to judge
standard shall, however, create awareness whether the risk involved in a situation is
and help in selective implementation of the acceptable or not.
recommendations when major 3.4 Tolerable risk: At some level, the risk is
modifications/revamps are undertaken at acceptable, in a given context based on the
existing installations current values of society. Tolerability may be
different for each risk posed by the
2.0 SCOPE equipment and its control system, because it
depends not only on the level of risk but also
The document provides guidelines for on the benefits to be gained by taking the
minimum requirement of the Safety risk and the cost of reducing it.
Instrumented System (SIS) for critical 3.5 Residual Risk: Risk that remains after
process functions / equipment involved protective measures have been taken.
typically in the widely used processing route
 3.6 ALARP: Risk reduced to a level that is “As limits the excursion potential. Please refer
low as reasonably practicable”. Fig 2 and Annexure-1 for details.
3.7 BASIC PROCESS CONTROL SYSTEM
(BPCS):Basic process control system 3.11 SAFETY INTEGRITY LEVEL (SIL):
provides normal operation functions. It Safety Integrity Level (SIL) is a measure of
generally includes basic control and reliability / integrity of safety instrumented
monitoring of process operation through system when a process demand occurs.
operator supervision. The level of reliability is defined in the scale
3.8 PROCESS HAZARD ANALYSIS (PHA): of 1 to 4 as SIL-1, SIL-2, SIL-3 & SIL-4;
Process Hazard Analysis (PHA)) is a tool to wherein SIL-4 designates highest reliability
systematically identify process hazards and level of safety instrumented system.
associated risks in making decisions for
improving safety and reducing the 3.12 FIRE, GAS & SMOKE DETECTION
consequences of unwanted or unplanned (FGSD) SYSTEM:
releases of hazardous chemicals by
minimising the likelihood of the occurrence A system that detects following at an early
and the consequences as mentioned in stage:
OISD-STD-206. - Presence of flammable and toxic
gases;
PHA is used to assess the adequacy of - Presence of a fire;
mitigation measures against potential - Presence of smoke from smouldering
hazards in the areas of mechanical integrity or incipient fires.
of the process equipment, control system FGSD system generates alarms, warnings
and other secondary protections like gas and / or initiates shutdown functions and / or
detection, fire protection etc. Subsequently, actuates fire fighting system. Also, based on
analysis is carried out on layers of protection pre-defined criticality on identified scenarios,
requirement. it may be configured to initiate evacuation
process, reports generation, historisation of
3.9 LAYERS OF PROTECTION: Layers of data & events at predetermined level of
protection are the systems or actions and concentrations. Associated electrical or
devices that are capable of preventing a electronics circuits connecting with the field
scenario from proceeding to undesired devices of detection system require high
consequences. Examples of protection availability and reliability in conformance to
layers are i) inherently safe design features SIL level as per IEC 61508 or equivalent
including basic control, ii) critical alarms & international standards. Initiating devices
manual intervention, iii) safety instrumented like gas/fire detectors should be in line with
system (SIS), iv)physical protection such as applicable standards such as NFPA-72, EN-
relief devices, v) Post release physical 54 or equivalent.
protection such as fire suppression system,
vi) plant and community emergency 3.13 HIGH LIQUID LEVEL: Liquid level in a
response. Ideally such protection systems (i process system above the permissible
to vi) are independent from one another. operating level.
Each identified protection layer (safeguard)
is evaluated by layer of protection analysis 3.14 HIGH TEMPERATURE: Temperature in a
(LOPA) for its effectiveness and process system in excess of the set
independent character. Refer Fig1. operating limit.

3.10 SAFETY INSTRUMENTED SYSTEM (SIS) 3.15 LEAK: The accidental release of liquid
Safety Instrumented System (SIS) is and/or gaseous substances to
composed of software & hardware which atmosphere from a process system.
takes the process to a safe state when
predetermined conditions, as set on control 3.16 LOW FLOW: Flow in a process system
parameters like pressure, temperature, less than the minimum set operating flow
levels, flow etc, are violated, So, SIS rate.
protects against the possibility of a process
excursion developing into an incident and
3.17 LOW LIQUID LEVEL: Liquid level in a 4) Audio-visual alarms on trips.
process system below the lowest set 5) Voting logic configuration for trip
operating level. actuation on critical parameters to avert
spurious shutdowns.
3.18 LOW PRESSURE: Pressure in a process 3.23 Shall: indicates provisions that are
system less than the minimum set mandatory in nature.
operating pressure. 3.24 Should: indicates that provision is
recommendatory as per good engineering
3.19 SAFETY DEVICE: An instrument of practices.
control or mechanism used for the safety 3.25 May: indicates provisions that are
of the system. optional.

3.20 SENSOR : A device that measures the 4.0 SAFETY INSTRUMENTATION FOR
process condition PROCESS EQUIPMENT & SYSTEMS
3.21 MACHINE SAFETY FEATURES: These 4.1 General Philosophy
are in-built safety provisions or those (i) In order to assess the adequacy of
additionally advised by the OEM (Original protection for a process function, PHA
Equipment Manufacturer)/vendor for (HAZOP study) is done first. HAZOP
protection of the process equipment in tables list out Deviations, Causes,
emergencies. It includes alarms and trip Consequences, Safeguards and
signals required to be integrated with the Recommendations. The details so
trip logic system of the equipment and the compiled include estimates of
process system. For example an frequency for each cause and severity
automatically operated shutdown valve for each consequence. The HAZOP
(SDV) used for the protection of process information is utilised for development
equipment is suitably configured for of Layer of Protection Analysis (LOPA),
identified emergency scenarios. as shown in the Fig. 1. LOPA is a
simplified semi-quantitative technique
3.22 EMERGENCY SHUTDOWN SYSTEM of risk analysis. It helps to assess what
(ESD): A system (confirming to a certain independent protection layers (IPL)
SIL level as per IEC 61508) of manual/ already exist or what are required for
automatic interventions depending on process safety. Please refer Annexure-
process criticality, when activated brings 2 for details on LOPA.
the equipment / facility to a safe and non-
operating mode without following the (ii) The LOPA team recommends use of
predefined sequence /procedures. An an SIS, only if, other design changes
Automatic Safety Shutdown for inherent (built-in) safety, cannot
System(ASSS) is a prevention safety reduce the mitigated event likelihood to
layer, which takes automatic and less than the target.
independent action following predefined
operating & safety logic to prevent a (iii)Wherever level, temperature and flow
hazardous incidents from occurring and to switches are mentioned, independent
protect personnel, plant and equipment. transmitters (for level, temperature and
An auto or manual trip system required flow as applicable) shall be used for
under SIS should cater minimum actuation of trip.
requirement as under:
(iv) 2/3 voting logic for ESD systems
1) PHA study based identification of should be implemented based on the
critical parameters for system trip. SIL study.
2) Independent Sensing element of each
trip initiating parameter (preferably (v) Alarm Management system should be
direct mounted). in line with the best practices followed
3) Direct Type switch or Microprocessor internationally, some of which are
based SMART Transmitters for Trip mentioned at item 6.6
actuation.
4.2 CRITICAL PROCESS EQUIPMENT & 4.2.1.2 Separators for downstream
PROCESS FUNCTIONS: SIS critical services in Refineries/
requirements for critical equipment and Gas Processing & Petrochemical
process functions have been covered Plants
which includes Separators, Main line
pumps, Gas Hydrators, Distillation The following safety instrumentation
Columns, Process Heaters, Reactors, shall be provided. (See Fig.4)
Process Gas Compressor, Storage Tanks,
Fluidised Catalytic Cracking, (i) High level alarm and High-High
hydrocracking, delayed coking etc., level interlock on separator (e.g.
described as under: suction KOD of compressor etc.)
to cut-off the compressor for
4.2.1 SEPARATORS preventing liquid ingress into it
Description: They serve to separate
gas, oil and water in refineries, Gas (ii) Low level alarms for hydrocarbon
Processing & Petrochemical plants. (HC) level & water interphase
Separators for upstream (onshore) level. In cases, where the
and for downstream processing have downstream equipment is not
been described separately as under: equipped to handle gas
breakthrough resulting from loss
4.2.1.1 Separator for upstream (onshore) of liquid level, provision of Shut
Following safety instrumentation off valve should be made on the
should be provided for oil hydrator HC liquid outlet and water outlet
(Refer Fig. 3) and to be configured on Low-Low
level.
(i) High pressure transmitter shall be (iii) Two independent level tapings &
provided to shut off inflow to the transmitters, in case of
vessel. congealing fluid or dirty service
like sour water.
(ii) High-pressure alarm.

(iii) Low-Low pressure switch to shut 4.2.2 GAS DEHYDRATORS

off inflow to the vessel. Description
Dehydrators using liquid desiccant are
(iv) High-High level trip to shut off considered here. The desiccant
inflow to the vessel in case the considered may be suitable solvent
down stream component receiving like ethylene glycol.
the gas cannot handle liquid.
Gas saturated with moisture but free
(v) Low-Low level trip to shut off the of entrained liquid particles is brought
liquid outflow from the separator if into counter current contact with
the downstream system is not concentrated desiccant (solvent) in
designed to handle gas the contactor tower. After absorbing
breakthrough. water vapour from moist gas, the
(vi) High-High Temperature trip on desiccant passes out from the
separators like heater-treater to bottom of the contactor. After
shut off the source of heat. knocking off the entrained solvent, the
dried gas exits from overhead and is
(vii) Automatic power supply cut-off to sent to the pipeline. The bottom
the high voltage transformer used stream of wet solvent is sent for
for electrostatic separation in case recovery of solvent and its reuse.
abnormal conditions develop
requiring feed cut off and low level 4.2.2.1 Following safety instrumentation
in the separator. shall be provided for gas
dehydrators: (see Fig. 5):
 i) High pressure sensor on the from the furnace enters the flash zone
glycol contactor to shut off inflow of the column. Flashed vapour rises
of gas. up and the liquid flows down. Various
ii) Low pressure sensor on the glycol products are withdrawn as side
contactor to shut off inflow of gas. streams. The overhead vapour is
iii) High level sensor to trip the glycol condensed and partially refluxed back
pump and inflow of the gas to the for temperature control for top product
contactor. (Naphtha) cut point requirements.
iv) Low level sensor to shut off the Column pressure is controlled utilising
glycol outlet line. the split range controller based on
v) Instrumentation System shall be pressure set point. Column bottom
installed for vessel depressurising level is controlled by level controller
and releasing excess pressure to (LIC).
flare in case of emergency.
vi) Shutdown valves on the Gas inlet 4.2.4.1 The following safety instrumentation
and outlet line. shall be provided in a distillation
column: (Refer Fig. 6 )

4.2.3 ELECTROSTATIC DESALTER (i) Column bottom level shall be

Description monitored by two different smart
level instruments with separate
In a Desalter, the crude is mixed with tappings.
water and led into a vessel operating (ii) Separate independent transmitter
under pressure and having a for safety interlock requirement, if
electrostatic field. The water any.
dissolves the undesirable soluble salts (iii)The column top temperature
present in the crude and gets shall be monitored through
separated from the crude under the minimum two temperature points
influence of electrostatic field. -- one for control and another for
indication with alarms on high &
The following Safety Instrumentation low temperature.
shall be provided: (iv) High temperature alarm for the
column bottom.
(i) High- High level interphase (v) Pressure indications for
alarm and actuation of interlock fractionating column top and
for power trip. flash zone.
(ii) Low–Low interphase level alarm (vi) High and low level alarm for
(iii) Transformer trip on high current overhead reflux drum.
(iv) High and low pressure alarm (vii) Low reflux flow alarm as leading
(v) Additional features to be indicator of an overhead upset
incorporated as per OEM’s 4.2.4.2 In the following cases, automatic
recommendations shut down valve should be provided
at the column bottom outlet for
4.2.4 DISTILLATION COLUMN column isolation at low low bottom
Description level to avoid gas passing to the
Distillation column is used to downstream systems:
fractionate the hydrocarbon feed (i) Where column bottom operating
mixture into the desirable petroleum temperature is above auto
fractions as per requirement for ignition temperature.
primary crude distillation or in (ii) Where column would need
secondary units for fractionation in immediate isolation in case of
refineries, gas processing and any incident of fire below the
petrochemical plants. Typically, the column.
crude distillation column is used to (iii) Where downstream facility viz.
fractionate the crude oil into various Storage tank has not been
petroleum products. Hot crude oil designed to handle gas
 released from the column iv) For heavy, congealing type
bottom. of service fluid, independent
tappings for flow metering
4.2.5 PROCESS HEATERS/ v) Heater shall trip in following
FURNACES cases:
4.2.6 Description ¾ Low-low feed flow on a
Process heaters are required to pass coupled with High-
raise the temperature of various High outlet temperature
process fluids to achieve partial of the same pass.
vapourisation of fractionation ¾ Low pass flow in
operation. The fluid enters the minimum two passes or
heater in convection section in more low total flow for a multi
than one passes and after getting pass furnace. In the
heated passes through the radiant case of catalytic process
section, before it enters the furnaces like Reformer
fractionator. The burners are employing a liquid
normally combination type suitable hydrocarbon feed and
for oil or/and gas firing. The recycle gas stream, the
furnaces are either furnace shutdown should
natural/forced/balanced draft get actuated when
design. The balance draft furnaces recycle gas failure
are provided with FD and ID fan occurs.
alongwith air pre-heater (APH) ¾ High combined outlet
which will have stack dampers temperature
closed during normal operation. ¾ High-High coil outlet
temperature on each
4.2.6.1 SIS for Process Heaters pass.
Following safety instrumentation ¾ High furnace coil
shall be provided for safe operation pressure
of the heater in line with OISD-STD-
111. Please refer Fig-7 & 8. 2) Coil purging:
Automatic injections of coil
1) SIS for Feed Section in purging steam/ Nitrogen at the
Process Heater time of furnace trip may be
considered in line with process
(i) Low Feed flow alarms for requirement and accordingly,
each pass. precautions/safeguards to be
(ii) High temperature alarm for
each pass and at the heater 3) Combustion Air Systems
outlet.
(iii) Skin temperature (i) Running of FD fan shall be
measurements at 3 verified in the circuit by
locations for each pass. Motor contactor closure
High temperature alarm for and discharge pressure low-
each tag of tube skin low pressure switch. This
temperature. will ensure positive
(iv) Alarm of High-High flue gas protection against mal-
temperature should be operation of guide vane.
provided.
Low total feed flow interlock (ii) Low air flow alarm and low
to bring the heater to a safe air flow combined with
minimum firing position by motor contactor to warn
keeping only the pilot mal -operation of FD fan.
burners on. (iii) Heater trip on low
combustion air pressure as
 well as its low flow with 4) SIS for Burner System
AND gate.
(iv) Air storage tank to ensure (i) Low pressure alarm and
opening of drop out door. In Low-Low pressure alarm for
case of air failure provision pilot gas should be
for mechanically opening incorporated in the safety
shall be provided. interlock system of the
(v) Provision should be made furnace.
to check up operation of
drop out door in running (ii) A separate shut off valve
condition, wherever dropout shall be provided on the
door have been provided. pilot gas header. It will close
This is referred as crack only in case of low-low fuel
open test. gas header pressure in pilot
gas line and will not close in
(vi) Positive protection for mal case of furnace trip due to
operation of ID fan shall be other process interlocks.
provided by motor contact
closure and pressure (iii) Main FO/FG headers shall
switch. be provided with shut off
valves operated by low fuel
(vii) Tripping/stopping of ID/FD pressure and other reasons
fan shall have provision to of furnace trip.
automatically open the
stack damper. (iv) Shut down valve operated
by manual push button to
(viii) Heater trip due to high arch trip the furnace by cutting-
pressure shall be preceded off fuel supply to main
by high pressure alarm. burners.
This very high pressure
(PHH) trip shall be sensed (v) Pressure transmitters shall
preferably by three directly be directly mounted on the
mounted pressure FO/FG headers for safety.
transmitters and voting logic
of two out of three shall be (vi) For dual firing the safety
used for furnace tripping. interlock should take care
that no interruption in
(ix) In the event of fuel oil and furnace operation takes
fuel gas cut off to the place during change over of
heater, the following fuel.
simultaneous actions are
needed:- (vii) Pilot flame detection should
(a) Stack Damper to Open. be provided in the safety
(b) ID Fan to trip interlock wherever remote
(c) FD Fan to trip burner lighting system is
(x) Hydrocarbon Gas detector existing so that main fuel
shall be provided at the FD cannot be admitted without
fan suction hood establishment of pilot flame.

(xi) For variable speed or fixed (viii) There shall be two sets
speed drives of FD fan, push button emergency trip,
speed of fan and motor one located in the control
contact should be used for room and another near the
heater trip interlock. furnace.
 (ix) Arrangement for positive High temperature alarms for
isolation of fuel gas supply the beds shall be provided.
line to heater is necessary.
Block-&-Bleed to flare/ safe (ii) Reactor inlet and outlet
venting should be provided. temperature high
temperature alarms using
(x) FO firing cut off interlock separate sensors for
shall be provided to actuate recorders and alarms.
at low-low differential
pressure of atomising steam (iii) Reactor inlet temperature
and fuel oil control to be incorporated in
the furnace outlet
(xi) SIL based system as per temperature control scheme.
IEC 61508 for furnace
safety instrumentation or (iv) Safety interlock shall be
Burner Management provided for low hydrogen
System is recommended. flow, low feed, high reactor
temperature.
4.2.7 HDS REACTOR (HYDRO (v) Feed pump and heater shall
DESULPHURISATION) trip on low recycle gas flow
Description to the reactor.
Hydro de-sulphurisation of
Petroleum products like naphtha, 4.2.8 HYDROCRACKER UNIT:
kero, diesel etc is carried out in Description:
presence of catalyst in the HDS Hydrocracking process is catalytic
Reactor. The high sulphur operation performed at relatively
petroleum feed alongwith hydrogen high hydrogen pressure and
is heated in a furnace to the elevated temperature to convert a
required temp. Outlet stream from heavy oil fraction into products of
furnace at controlled temperature is lowers molecular weight. It is a
fed to the reactor for flexible process to produce widely
Desulphurisation reaction. The different fuels from same or different
sulphur present in the Petroleum feedstocks. Generally,
products reacts with H2 to form hydrocrackers use fixed beds of
H2S. The reaction products go to catalyst with downflow of reactants.
the separator where the H2S rich During the process with severity
gas is separated from the liquid increasing, the first reaction leads to
product. saturation of any olefinic matter
present in feedstock. Next follow the
4.2.7.1 HDS Reactor treating steps involving reactions of
desulphurisation, de-nitrogenation
The following safety instrumentation and de-oxygenation, wherein only
shall be provided for HDS unit. limited cracking takes place. Finally,
Please refer Fig: 9. on further increase in severity,
hydrocracking reaction is initiated,
(i) Reactor thermocouple which proceeds at various rates,
assembly consisting of with the formation of intermediate
number of thermocouples of products (e.g. saturation of
different lengths to measure aromatics), which are subsequently
and record reactor bed cracked into lighter products. In the
temperature at different Single-stage hydrocracking process
heights. Hydrogen quench the treating step combines with
should be provided in cracking reaction to occur in one
between the beds for reactor. However, Two-Stage or
controlling bed temperature. Series Flow hydrocrackers are
employed for high/ full conversion
 by an additional reactor. Please
refer Fig.10. 4.2.9.1 The compressors shall be provided
with the following instrumentation.
4.2.8.1 SIS in Hydrocracker unit shall be in Please refer Fig.12. Additional
line with the process licensor’s instrumentation shall be provided as
design guidelines and taking into per manufacturer’s
consideration the following safety recommendations.
instrumentation:
(i) Low–Low suction and High-High
(i) Automatic depressurization discharge pressure shall be
through the dump valve actuated configured to trip the compressor.
at high-high temperature with
any two of the temperature (ii) Gas detection and fire detection
indications provided on the top devices shall be provided if the
bed of the reactor. Please refer compressor is located inside
Fig: 11. enclosed buildings totally covered
on all the sides. The protection
(ii) Reactor thermocouple assembly shall also include turbine
consisting of number of enclosures.
thermocouples of different
lengths to measure and record (iii) Devices to monitor and trip in case
reactor bed temperature at of excessive vibration, speed, low
different heights. Hydrogen lube oil pressure, seal oil low
quench should be ensured in differential pressure, high bearing
between the beds for controlling temperature and high discharge
bed temperature. High temperature, low governor oil pr etc.
temperature alarms for the beds in line with manufacturers
shall be provided. recommendations.

(iii) Reactor inlet and outlet (iv) High-High level on the suction
temperature high alarms. knockout drum shall trip the
compressor.
(iv) Reactor inlet temperature
control incorporated in the Note: Compressor trip shall mean shutting
furnace outlet temperature down the drive unit.
control scheme.
4.2.10 FLUIDISED CATALYTIC
(v) Safety interlock shall be provided CRACKING (FCC) UNIT -
for low hydrogen flow, low feed, REACTOR/ REGENERATOR
high reactor temperature.
(vi) Feed pump and heater shall trip Description
on low recycle gas flow to the Lighter products are obtained from
reactor Vacuum Gas Oil (VGO) by Catalytic
cracking in FCCU. The catalyst is
4.2.9 PROCESS GAS heated to a temperature of about
COMPRESSORS 650 degree C and is then allowed to
Description flow with the feed in the riser pipe of
Process gas compressors are used the reactor. Carbon particles are
in the petroleum processing and gas deposited on the catalyst when the
pipeline systems to increase the feed cracks into lighter ends like
pressure of gas for specific use and Fuel Gas, LPG, Naphtha, diesel and
handling & transportation. The heavy oil. The carbonized catalyst
safety interlocks shall be in line with known as spent catalyst is then
OEM’s recommendations and follow taken into the regenerator for
minimum provisions as under: regeneration. In the regenerator
 controlled air is blown through the (vi) Steam Low flow alarm and
hot catalyst to convert the carbon emergency cut in for steam and
into carbon monoxide, thereby bypassing feed to reactor may be
releasing equilibrium catalyst for use considered.
in the next cycle.
(vii) Regenerator dilute phase high
FCC Reactor contains hydrocarbon temperature alarm should be provided.
vapour and regenerator contains hot
air. Air should not enter the reactor (viii) Plant shutdown shall be provided on
and hydrocarbon vapour should not low air flow to regenerator
find entry into the regenerator.
Regenerator is kept at higher 4.2.11 FLARE GAS SYSTEM
pressure (by 0.5 Kg/CM2) compared
to the reactor. Additionally, static Description
head due to spent catalyst level in Gas to be flared is routed through a
the reactor aids the transfer of spent knock out (K.O.) drum. From the
catalyst from reactor to regenerator. K.O. drum the liquid is pumped back
During normal operation spent to Recovery System and the gas
catalyst slide valve operation is goes to flare stack through a water
dependent on the level in the seal drum. Flare flame failure alarm
reactor through its level controller may be considered. T.V. monitoring
(LRC). The reactor is maintained at of the flame may be considered.
a temp around 490o.C by the
transfer of hot regenerated catalyst 4.2.11.1 Following safety instrumentation
from regenerator. During normal shall be provided. Please refer Fig.
operation regenerator catalyst slide 14.
valve opening is controlled by (i) K.O.D. liquid level High and Low
reactor temperature controller alarms for auto start / stop of the
(TRC). Please refer Fig. 13. pump.
(ii) Low water level in the seal pot alarm
4.2.10.1 Following safety instrumentation (iii) Pilot FG header Pressure low alarm
shall be provided in FCC (iv) Gas detector near the flare KOD
(v) H2S detector near the H2S KOD
(i) The spent catalyst slide valve
(SCSV) shall be automatically shut
off in the event of low differential 4.2.12 STORAGE TANKS
pressure across the SCSV. Following safety instrumentation
shall be provided in line with OISD-
(ii) The regenerated catalyst slide STD-108:
valve (RCSV) shall be automatically (i) Tanks shall be provided with at
shut off in the event of low least two numbers of level
differential pressure across the instruments working on different
RCSV principles and one level indicator
shall be Radar gauge type for at
(iii) Reactor high temperature alarm least class A Storage tanks. One
shall be provided. of the above shall be used for
High-High and Low level alarms.
(iv) Emergency feed by pass provision (ii) Automatic isolation of tank
to divert feed from the reactor. receipt line based on High-High
Level sensing device should be
(v) Hand jack provision for all slide considered for tanks receiving at
valves for manual operation. In high flow rates (unloading from
addition, local electrical / hydraulic / ship/ pipeline receipt etc.).
pneumatic operation shall also be (iii)Low-low level switch from the
provided. primary level instrument to stop
transfer pump (optional)
 (iv) High temperature alarm should (ix) Exhaust hood high
be provided wherever required temperature alarm.
(x) Bearing temperature high trip
(xi) FG pressure low trip.
4.2.13 AIR COMPRESSORS (xii) Exhaust temp.(average of 3
Description thermocouples in exhaust)
Air compressors are used in high trip.
hydrocarbon industry for supplying (xiii) Lube oil temp. high trip
air to pneumatic instruments and as (xiv) K.O drum level high trip
well as for process requirements. (xv) Lube oil tank level alarms &
The compressors considered here trip
are reciprocating type.
4.2.14.1 SIS Specific features for Gas
Following safety instrumentation Turbines
shall be provided for Air (i) Flame failure trip
Compressor - Reciprocating: (ii) Gas detection in turbine
enclosure.
(i) Cooling water low flow trip. (iii) L.O. Pr low
(ii) Discharge temp high trip. (iv) Exhaust Pr high
(iii) Frame oil low pressure trip. (v) Exhaust temp high trip
(iv) Discharge pressure high trip. (vi) Lube Oil tank level alarms and
(v) Automatic loading/unloading trip.
system to be considered
wherever possible. 4.2.15 LPG - PRESSURE STORAGE AND
(vi) Additional instrumentation be BULK LOADING
provided as per manufacturer’s
recommendations . Description
LPG is received from the plant
4.2.14 TURBINES through pipelines. It is stored under
Description pressure at atmospheric
temperatures in spheres or bullets
Turbines are steam/gas driven drive or mounded storage. The LPG is
units used in hydrocarbon industry pumped to a loading gantry from
for driving compressors, blowers where it is loaded through loading
and alternators in the process units arms into truck tankers or rail
and captive thermal power station. tankers.
Stipulations of OISD-STD-121
should be followed for Steam When LPG is received through road
turbines’ operations, Inspection and or rail tankers, it is transferred by
maintenance practices. unloading pumps into the bullets or
spheres.
Following safety instrumentation
shall be provided for Turbines - in Following safety instrumentation
line with manufacturer’s shall be provided for LPG Sphere.
recommendation: Please refer Fig. 15:

(i) Lube Oil pressure low trip. (i) Fire detection and protection
(ii) Governor oil to pressure low system
trip.
(iii) Turbine exhaust pressure In line with OISD-STD-144 and
high trip. OISD-STD-150 as applicable, LPG
(iv) Over speed trip. storage, LPG pumps, compressor
(v) Axial displacement trip. house etc. shall be protected
(vi) Vibration high trip. through automatic fire detection
(vii) Emergency trip. and/or protection (Fixed) system
(viii) Condensate level high alarm. based on smoke/heat detection
 through thermal fuses/ quartz bulbs/ #1 LPG spheres shall be provided
EP detectors. Sensors shall be with two independent indicators as a
installed at all critical locations e.g. minimum.
near ROV.
(iv) Level switches
On detecting LPG concentration A separate high level switch shall be
beyond the set limit, following auto provided for alarm in the control
actions shall be initiated: room.

i) Closure of remote operated valves A water seal pot shall be provided

in the affected area. on the low pressure side of the DP
type level transmitter if use, the seal
ii)Activation of tone generator in pot and the connecting pipe shall be
paging or a siren in the particular of the same rating as that of the
area. sphere. Alternatively, the low
pressure leg of the D. P. transmitter
iii)Tripping of LPG pumps and shall be heat traced. The D. P.
compressors. transmitter shall be provided with
iv)Activation of water deluge valve level elevation or suppression kit.
and sprinkler.
4.2.16 COKING CHAMBERS IN
DELAYED COKING
Emergency push buttons shall be
provided in the control panel and at Description
a safe place in the field to initiate the The Delayed Coking process for
above actions manually. upgrading the heavy ends, is a
semi-batch operation wherein a
ROVS shall be provided with severe form of thermal cracking is
open/close indications on the control allowed to occur at high
panel. temperatures (about 500 Deg C) for
an extended period of time in the
(ii) Gas Detection Systems coke chamber. The process module
contains a fired heater, two coking
Gas detectors shall be provided at chambers ( Drums or reactors) and
all locations where possibility of a fractionation tower. The coke gets
build up of LPG vapour exists, which deposited on the chamber and
might lead to a fire. cracked vapour goes from the top to
fractionation section. After a definite
The locations are: cycle, the reactor is changed over,
deposited hot coke is steam
- i) LPG Pump and compressor stripped and quenched with water,
house. After water draining, bottom cover of
the drum is opened (de-headed) in
- ii) LPG Truck and rail loading preparation for decking. The coke
gantries bed is fractured/cut into smaller
pieces using high pressure water jet
- iii) LPG Sampling Point. and dumped through the bottom
opening. The batch operation in
- iv) Near ROVS. coking presents typical hazards
attributed to most of the serious
Gas detectors shall have two levels accidents. The operation activities
of alarms. Suggested values are include drum switching, coke drum
20% LEL and 40% LEL. head removal and coke cutting by
hydro-blasting.
(iii) Level gauging devices
Following safety instrumentation 4) Temperature indication and high
shall be provided for Coking temperature alarm at vapour
Chambers. Please refer Fig: 16 outlet (after HGO quench). Skin
thermocouple at top/ middle/
1) Coke Drum Switching: bottom of the chamber.
(i) Interlocks for automated or
remotely activated valve 4.2.17 SULPHUR RECOVERY UNIT
switching systems. (SRU) :
(ii) Interlocks for valves that are
manually operated to avoid The acid gas rich in H2S (>90%),
unanticipated valve generated from the Hydrotreating
movement. units is processed in SRU to recover
(iii)Indicator lights at valve and the sulphur. One third of the acid
valve control panel to help for gas is converted to SO2 in the
intended operator action. reaction furnace at a temperature of
1200 deg C. The SO2 formed will
2) Coke Drum Head Removal: react with the H2S to form sulphur.
Equipment upgrades by The reaction takes place in the
automating should be provided presence of catalyst. Please refer
for both top and bottom head Fig. 17.
removal operations for keeping
workers away from hazard prone In view of the toxic nature of the gas
areas during head removal. being handled, the following safety
instrumentation shall be considered
3) Coke Cutting by Hydro- for implementation with the process
Blasting: licensor:
(i) During coke cutting, when the
cutting/drilling tools need to a. The feed to the unit shall be cut
be brought out for the tool off and the furnaces shall trip in
change etc., the coke cutting following conditions:
water pump discharge shall i) high pressure inside
automatically get routed to reaction furnace
storage tank. ii) low combustion air flow/
(ii) Provide interlocks to shut-off pressure
and prevent restart of cutting iii) when the off-gas
water pump whenever the incinerator trips
cutting head level is raised b. Any other protection for safe
above a pre-determined point operation of the system in line
within the coke drum. Provide with the process licensor
a redundant level transmitter (
voting 1 of 2) as additional 5.0 SAFETY INSTRUMENTED
protection layer against the SYSTEMS IN PETROCHEMICALS
hazard due to cutting head
under pressure.
5.1 CRYOGENIC STORAGE:
(iii)Coke cutting water pump
Liquefied Natural Gas (LNG) turns to
should trip for following
liquid state at (-161 ºC) under
conditions:
atmospheric pressure. As liquefaction
reduces volume by 600 times, LNG is
(a) Low discharge pressure.
stored and transported in liquid form.
(b) If isolation valve on water
Ethylene produced from Cracker unit is
line at other chamber is in
stored at (-104 ºC) at atmospheric
open position.
pressure. The cryogenic storage tanks
(c) If the cutting tool is out of
consist of double walls and are
chamber and discharge does not
designed as per API 620. Please refer
get routed to storage.
Fig 18.
 Control Room and at site (outside
5.1.1Considering hazardous nature of the the periphery of tank)
fluid handled, the storage facility v) Any other protection for safe
requires provision of following safety operation of the system in line
instrumentation as minimum: with OEM

i) Interlocking for Vacuum breaker

isolation valves. 5.2 EXPANDER – COMPRESSOR
ii) Level transmitter for low-low level SYSTEM:
trip of pump.
iii) Pressure transmitter for low-low Following safety interlocks as minimum
pressure trip of the pump. with required instrumentation , as given
iv) ESD to shut off all inlet valves in in Table 1, shall be incorporated for
feed line in case of high-high level safe operation of the system in line with
and high- high pressure in the OEM. Refer Table-1 and Fig. 19.
tank. ESD to be located in Main

Table 1: Details on trip requirements for Expander-Compressor

TRIP PARAMETERS Initiating cause for Tripping Initiating cause for
of ( Driver side) Expander Tripping of ( Load
turbine side) Compressor
Bearing temperature High-High High-High
Bearing temperature Low-Low
Shaft Vibration High-High High-High
Shaft Speed High-High
Lube oil Del Pr Low-Low Low-Low
Seal gas Del Pr Low-Low Low-Low
Thrust Diff Pr High-High High-High
Inlet (Suction)Pr Low-Low Low-Low
Discharge Pressure High-High & Low-
Low
Discharge Temperature Low-Low High-High
Suction KOD level High-High High-High
Expander SDV Causes expander to trip when
suction/discharge limit SDV closes
switch actuation
Discharge Flow Low-Low
Power-failure Power fail contact taken from
electrical sub station and given
to instrument system for
tripping expander-compressor
Trip High shaft speed ---
pressure steam generator. The
Pyrolysis reactions proceeds in
tubular coils made of Cr/Ni alloys.
5.3 GAS CRACKER UNIT: Pyrolysis These coils are hung vertically in a
Furnace firebox. Burners are arranged on the
Pyrolysis or steam cracking is the walls and on the floor of the firebox for
primary process utilized to indirect firing. This section is called
manufacture olefins. This gas-phase the radiant section because the
reaction takes place in metal alloy radiant heat is recovered. At the end
tubes within a fired furnace. An of the Pyrolysis, the reaction needs to
industrial Pyrolysis furnace is a be quenched rapidly to avoid further
complicated piece of equipment that decomposition of desired olefins. This
functions as both a reactor and high- is achieved by indirect cooling using a
 quench exchanger or direct cooling by Long industry experience on operating
injecting quench oil into the gas complex processes, lesson learnt from
effluent. The heat carried by the flue major incidents in the past and proven
gas is recovered at the convection guidelines from process licensors and
section of the furnace. This section OEMs, provide us with set of best
consists of a series of “tube banks” practices to follow for enhanced safety.
where the heat is recovered for A few of them are listed as under:
superheating steam, preheating the 6.1 Application of diagnostic provisions for
hydrocarbon feed, boiler feed water Predictive/Maintenance/ Failure Alerts e.g.
and dilution steam. to detect chokage in impulse line, use of
smart positioners for online checking of
5.3.1 Following safety instrumentation shall critical safety instrumentation/interlocks
be provided for Pyrolysis furnace ( wherein demand overrides the Partial
Refer fig 20). Stroke Test. For example for dump valve
in Hydrocracker.
1) On occurrence of any of following 6.2 Frequent periodic testing to ensure
abnormalities: availability of SIS and its components on
demand
i) Hydrocarbon feed low low flow 6.3 Recommendations by the Process
ii) Steam drum water low low level. Licensors and International standards as
iii) High pressure superheated applicable should be used as guidelines
steam coil outlet high high viz. IEC 61511 -1,2,3 which pertains to the
Temperature trips and alarms and emergency
iv) Bypass MOV to decoke drum shutdowns required for the protection of
v) Manual push button of partial the equipment and loss to assets .
shut down in field as well as in 6.4 Required SIL level should to be ensured
control room. for SIS components in critical process
partial shutdown of pyrolysis furnace functions, in line with IEC 61508
will take effect, wherein guidelines.
-ID fan remains in line 6.5 To defend against common mode failure, it
- Hydrocarbon feed flow valve shuts off. is appropriate to monitor dissimilar but
- Fuel gas valve shuts off to floor related alarm conditions in the same
burners equipment/ circuit. For example, monitor
- Fuel gas valve shuts off to few wall both, low cooling water flow high water
burners outlet temperature.
- Dilution steam flow valves are reset
6.6 ALARM MANAGEMENT
2) On occurrence of any of following Alarm system is an important constituent
abnormalities: of Abnormal Situation Management in any
i) Main dilution steam low low flow process plant. The purpose of an alarm
ii) Water quench tower overhead high system is to direct the operator’s attention
high temperature. towards plant conditions requiring timely
iii) Fuel gas low low supply pressure assessment or action. Each alarm should
iv) Furnace arch high high draft alert, inform and guide the operator. It
v) Manual push button of complete should have a defined response relevant
shut down in field as well as in to the process. Adequate time should be
control room. allowed for the operator to carry out his
complete shutdown of pyrolysis defined response.
furnace will take effect, wherein Alarms are configured to alert the operator
- Main fuel gas supply valve cuts off whenever the process parameters
- ID fan also stops undergo change beyond their permissible
- Closure of furnace draft damper operating limits. Based on the extent of
change in parameter and severity of
6.0 RECOMMENDED PRACTICES & related consequence, the alarms’ priority
INNOVATIONS FOR IMPROVEMENT need be assigned to enable the operator
taking corrective actions.
 Too many alarms overload the operator. measurement of the frequency of alarms
Nuisance alarms create distraction in provide trend chart on alarm system
handling emergencies by the operator. For performance. The team that needs to work
efficient use of alarm system especially in on it should comprise of a facilitator, area
emergency handling, average alarm rate operators, area process engineer, area
performance needs to be continually production supervisor, and area
improved through alarm rationalisation, instrumentation engineer. For Alarm
review of control strategies and by rationalisation, the principle should be “no
addressing the worst performing alarms alarm if no action required”. Operators
first in priority. In addition, alarm system should have standard operating practices
should be supported by ongoing for each alarm detailing a unique
maintenance practice, alarm system predefined follow up action – either from
design practices, routine monitoring as control room or in the field or both. It is
well as by investigating performance of preferable to configure alarms with the
alarm system following major upset in non-controlling loops or open loops.
conditions.
The aim has to be continual reduction in Detailed periodic review of alarm summary
nuisance alarms. This involves activities should be undertaken to identify the
like assessment of Base Case redundant / nuisance alarms.
performance by collecting alarm history,
followed by analysis to identify For quick understanding by the operator
reconfiguring requirement and comparing about the priority level of an alarm, use of
the current rate of occurrence periodically different colour codes and beeps may be
with the EEMUA guidelines as benchmark considered to assign priority 1, 2, 3 and 4.
(Refer Table-2). Such reviews with

Table 2: Typical Best Practices Bench Marks: **EEMUA 191

Plant Alarms Target maximum
Average number of Alarms during normal 1 over 10 minutes or less
operations of manageable steady state or @ 5 per hour (120 per day)
Alarms after plant upset i.e. during flood state 10 in 10 minutes or less
Peak Alarm hourly rate 15 per hour or less
Peak Alarm Minute rate 2 per minute or less
Average number of standing alarms 10 or less
Average number of shelved alarms 30 or less

Priority-wise Alarm Activity Distribution

Critical Alarms < 1%
High priority ~ 5%
Medium Priority ~ 15%
Low Priority ~ 80%

**EEMUA (Engineering Equipment & Materials Users Association) is an established

industry Association with an international reputation in engineering, technology and the
management of capital assets, typically chemical process plants, refineries, power stations
and upstream oil/gas facilities. EEMUA Publication 191 - first published in 1999 and revised
in 2007, is recognised world over as a reference and guide to the design, management
and procurement of alarm systems.

operator can effectively address

The terminologies used in the table -2 above, alarms.
are defined as under: ii) Flood state – the rate at which a
i) Manageable steady state - the single operator is overwhelmed by
maximum rate at which a single alarm activations
iii) Average Process Alarm Rate - the
average rate at which a single
operator can be expected to perform
as required
iv) Peak Alarm Hourly Rate - the 8.0 REFERENCES :
target peak hourly rate for the most
active hour within the evaluated time i) IEC 61508: A generic standard by
period. International Electro-technical
v) Peak Alarm Minute Rate – the target Committee on “Functional Safety of
peak minute rate for he most active electrical/ electronic/programmable-
minute within the evaluated time electronic safety related systems”. It is
period intended to be a basic functional
vi) Priority –wise Alarm Activity safety standard applicable to all kinds
Distribution – the suggested of industry.
approximate distribution of alarm
activity
ii) IEC 61511: Standard by International
vii) Alarms within ten minutes of a
Electro-technical Committee on
major upset – the maximum rate in
“Safety Instrumented system for
the 10 minute period following a major
process industry sector”. It is intended
upset
to provide guidelines for determination
viii) Standing Alarms: An alarm that
of required safety integrity levels.
has annunciated and never cleared. It
is a leading indicator of operational
performance and management iii) Recommended Practices for Analysis,
attention. Design, Installation and Testing of
ix) Shelved Alarms: An alarm that has Basic Surface Safety Systems for
been temporarily suppressed(taken Offshore Production Platforms(API-
out of service) while being corrected RP-14 C).
or fixed. It should be shelved with
assessment from competent authority. iv) EEMUA 191: Provides guidelines the
It is leading indicator of maintenance design, management and
performance and management procurement of alarm systems.
attention. v) ANSI/ ISA S84.01: Application of
Safety Instrumented systems for
process industries adopted by
American National Standards Institute
(ANSI).
 Annexure – 1
Process Control and Safety Instrumented System – a
Comparison
Features Process Control Safety Control
Control type Active, complex, optimising Passive, simple, direct acting
Tasks Many variables, expanding, Limited, strictly defined
experimental
Modes of control Auto/manual, supervisory Automatic, no manual
intervention, no external
command levels
Communications Open systems, Field bus Limited, specialised, difficult with
etc bus networks
Changes Easy to make, password Strictly controlled, password
protected, configurable, protected, verified and
parameter changes documented, parameter changes
strictly controlled
Diagnostics Limited Intensive proof-testing
Redundancy Used for high availability for Used for high reliability
continuous use
Documentation For convenience Essential for validation of each
function
Testing Nominal loop testing Failure modes testing
 Annexure – 2
Details on LOPA (Layer of Protection Analysis)
In order to assess the adequacy of protection for a process function, Hazop study as a method of
Process Hazard Analysis (PHA) is done first. HAZOP tables list out Deviations, Causes, Consequences,
Safeguards and Recommendations. The details so compiled include estimates of frequency for each
cause and severity for each consequence. The HAZOP information is utilised for development of Layer
of Protection Analysis (LOPA), as shown in the Fig.1. LOPA is a simplified semi-quantitative technique
of risk analysis. It helps to assess what independent protection layers (IPL) already exist or what are
required for process safety.
The LOPA team recommends use of an SIS only if other design changes for inherent (built-in) safety,
cannot reduce the Mitigated event likelihood to less than the target. While LOPA does not suggest which
safeguards to add or which design to choose, it does assist in deciding between alternatives.
1) First LOP is the primary protection catered by a safe and effective basic process control system
(BPCS), e.g. controllers, control valves and operator supervision. It is a preventive measure
protection.
2) Second LOP is also in-built in the Process control system in the form of alarms combined with
operator’s intervention to bring the process to safe state in case of upset. It is a preventive measure
applied for protection in all major installations. Where control system is not designated as safety
related, the protective system for a process has to be separate and independent from control system
as the third LOP.
3) Third LOP is the Safety Instrumented System (SIS) which is independent of the process control
system. Having separate sensors, valves and logic system, its only role is Safety. Based on available
experience and technological know-how with the process designer, SIS is configured to protect the
process & equipment against envisaged adverse process conditions. Adequacy of SIS is verified
through PHA.SIS remains dormant or passive until demand arises.
4) Fourth LOP is the secondary protection configured to minimise consequence of a process upsets like
overpressure causing equipment rupture, loss of containment causing large uncontrolled spills or
release leading to explosion/fire/toxic environment. For example relief valves or rupture discs
designed to prevent overpressures can provide the secondary protection. Similarly, it may exist in the
form a dyke or other passive barriers to contain a fire or channel of energy of an explosion and
minimise the consequence or spread of damage. System for Pressure Relief & Disposal and system
for Oily Water Sewer (OWS) should be designed in line with OISD STD-106and OISD-STD-109
respectively and also in compliance to the layout stipulations of OISD-STD-118.
5) Fifth LOP, is Post release physical protection such as fire suppression system, it generally includes
early warning system such as release detection, fire detection and fire protection system provided in
the location. These systems shall be designed in line with OISD STD 116 for refineries and gas
processing plants, OISD STD 117 for marketing terminals & depots and pipe line stations and OISD
STD 189 for upstream locations.
6) Sixth LOP, also the final layer, is the emergency response plan (ERP) for both onsite & offsite. It
generally includes evacuation plan, fire fighting, rescue operation etc. This LOP responds to minimise
consequence in terms of the ongoing damage, injury or loss of life. Accordingly, each
installation/group of installation handling hazardous material needs to have risk mitigation plan or
disaster management plan (DMP) in place.
Notes:
i) As Layers of Protections together mitigate the risk severity to ALARP (as low as
reasonably practical) limits, LOPA is an essential step to follow after PHA (HAZOP study).
-6
LOPA uses risk tolerance criterion of 1 x 10 per year for an event with consequence of
2 to 10 fatalities for the risk that is broadly acceptable.
ii) OISD-STD-152 mainly deals with SIS requirement (i.e. 3rd LOP) and also covers safety related
instrumentation of the 2nd LOP.
iii) In order to assess the requirement of Safety Instrumented Functions for protection of the process
facility, it is recommended to perform Process Hazard Analysis (covering HAZOP, Risk Analysis
and SIL studies) for any proposed (new) facility or modifications/change in the existing process/
facility, so that SIS can be suitably designed / upgraded.
 ANNEXURE-3

SIL Determination – An Overview

There are several methods to determine SIL level for an Safety Instrumented Function (SIF).
These include ALARP, Risk Matrix, Risk Graph, Layers of Protection Analysis (LOPA) etc. LOPA
is very helpful to establish SIL targets.

1) SIL, also termed as SIL rating, it helps in defining the extent of process safety performance
expected from SIS to bring the process to safe state, when the specific process control
(BPCS) provided fails to cope with the upset conditions. Based on the SIL rating, each
specific process function is optimized for risk protection by selecting components rated
appropriately in line with IEC 61508. SIL is the discrete level (1 out of a possible 4) for
specifying safety integrity requirements of the safety functions to be allocated to the
electrical/ electronic/ programmable electronic safety related systems. SIL 4 stands for the
highest level of safety integrity and SIL 1 the lowest. SIL concept helps the safety system
designers and developers in making systems “acceptably safe” for their intended use in
the safety function with an understanding of the risks and defined safety requirements for
the risks needing reduction. Main objective of SIL is to provide a consistent, auditable result
of performance of SIS present in the process facilities. SIL should be assessed and
determined in terms of both hazards and consequences associated with specific installation.
Accordingly, it should be considered essential to assign and verify SIL level of various SIS
present.
2) SIL & related Measures for low demand mode operation

SIL Availability *PFD (avg) * MTBF = ( 1/PFD) =

equivalent *RRF
4 >99.99% 10-5 to <10-4 100000 to 10000
3 99.9% 10-4 to <10-3 10000 to 1000
2 99 – 99.9% 10-3 to <10-2 1000 to 100
1 90-99% 10-2 to <10-1 100 to 10
* MTBF = Mean Time between failures, RRF = Risk Reduction Factor
* PFD = Probability of Failure on Demand

3) Steps involved in Assignment of SIL Rating of a Safety Function:

¾ Step 1: A detailed Hazard & Risk Analysis of the process system shall be undertaken by
a multi-disciplinary team to enlist all foreseeable Hazards, their probability of occurrence
and impact on plant, manpower, society and environment (operational, corrosion related,
accidents and natural calamities). For non-availability of requisite data, subjective
probability shall be assigned based on collective experience of the members.

¾ Step 2: A comprehensive Layer of Protection Analysis (LOPA) shall be conducted to

specify the protection layers for reduction of above Hazards. LOPA helps to establish
whether the hazards involved need reduction by application of SIS as LOP.

¾ Step 3: Safety Integrity Functions (SIFs) shall be defined for each identified SIS LOP.

¾ Step 4: Then, for each SIF, the SIL rating shall be defined based on the desired level of
risk reduction. A sample exercise of SIF with SIL assignment is reproduced to
conceptualise the SIS architecture.
 SIL Rating for SIF Listing – a sample matrix
SIF SIF Description Hazard Inputs Outputs SIL Reason Risk
ID Reduction
1 Main Pump high Potential P,T 2 Potential 1000
discharge for fatal times
Pressure rupture impact
demands of main
emergency line due
shutdown of the high
facility through pressure
activating ESD
Note: This simplified matrix is intended to illustrate in broad sense the methodology
for SIL assessment and does not provide a model solution. A case specific
assessment will be required for each process safety function.

¾ Step 5: The SIS conceptualised at step-4, shall then be Safety certified by TUV, FM or
equivalent.

¾ Step 6: During commissioning and thereafter once every five years, the SIS shall be
functionally validated. OISD-STD- 153 provides the minimum re-calibration intervals for
SIS instruments.

¾ Step 7: Whenever, any retrofitting to the plant is done, new processes are added,
major repairs are done, a major modification to the plant or in operation philosophy is
done, a detailed review should be done by following above procedure from steps from 1
to 7.

¾ Step 8: During design of SIS, useful design life of the system shall be evaluated. Due
consideration to be taken for de-rating the reliability due to ageing as well as availability
constraints of maintenance spares. The entire SIS shall be replaced upon completion of
the design life. During replacement, the above procedure shall be followed.

¾ Step 9: If is decided to extend the operation of the SIS beyond the design life, approval
shall be obtained from the head of the plant and documented. Upon completion of the
extension period, the replacement shall be ensured as per procedure step 9. (There has
to be rare instance where from Engineering Estimation, Maintenance Data and other
evidences, it is decided to extend the operation of the SIS)

Reference: IEC 61511 is an application specific adaptation of IEC 61508 for the
Process Industry sector. This standard is used in the petrochemical and
hazardous chemical industries.
<< Back Home Next >>